A vulnerability is a weakness that makes a threat possible. It may stem from poor design, configuration mistakes, or inappropriate and insecure coding techniques. Examples of attacks include sending malicious input to an application or flooding a network in an attempt to deny service.
A Threat is a possible security risk that might exploit the vulnerability of a system or asset. An attack, on the other hand, is the actual act of exploiting the information security system’s weaknesses.
A03:2021-injections become more expansive
The first modification involves injections. Injection attacks happen when an attacker sends data to a web application in such a way that the application performs an unintended action. These include SQL, operating system command, and Lightweight Directory Access Protocol (LDAP) injection flaws. Since cross-site scripting is also a form of injection, the current update to the OWASP Top 10 folds A07:2017 Cross-Site Scripting (XSS) into this category.
A05:2021-security misconfiguration rising in priority
Given the rising number of configuration options, this category has risen in the OWASP Top 10. Beginning in 2021, it also includes A04:2017-XML External Entities (XXE). An XXE attack targets a program that processes XML input. It happens when unsafe XML input containing references to external entities is interpreted and processed. However, this attack is only successful against a flawed or improperly configured XML parser. Therefore, A04:2017-XML External Entities (XXE) has been integrated into A05:2021-Security Misconfiguration as a particular sort of misconfiguration.
OWASP Top 10 Vulnerabilities in 2022
1. Broken access control Vulnerabilities
Access control implements strategies to prevent users from operating beyond the scope of their specified permissions. When access control is broken, unauthenticated or unauthorized users may reach sensitive data, application functions, and user privilege settings.
Broken access control vulnerabilities exist when a user can in fact access some resource or perform some action that they are not supposed to be able to.
Common access control vulnerabilities include:
- Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool.
- Allowing the primary key to be changed to another user's record, permitting viewing or editing someone else's account.
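The second item above (a primary key swapped for another user's) as an added example, not code from the article: the same lookup written without and with an object-level ownership check. The records and user ids are constructed sample data.

```python
# Added example: insecure direct object reference and its fix.
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int
    body: str


# Constructed sample data: two users, each owning one record.
RECORDS = {
    101: Record(101, owner_id=1, body="alice's invoice"),
    102: Record(102, owner_id=2, body="bob's invoice"),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the record."""


def get_record_vulnerable(current_user_id: int, record_id: int) -> Record:
    """Broken access control: trusts the id taken from the URL and never
    checks ownership, so user 1 asking for record 102 gets bob's invoice."""
    return RECORDS[record_id]


def get_record_fixed(current_user_id: int, record_id: int) -> Record:
    """Object-level check: the record must belong to the authenticated user.
    Deny by default, and use one error for "missing" and "not yours" so a
    403-versus-404 difference cannot be used to enumerate valid ids."""
    record = RECORDS.get(record_id)
    if record is None or record.owner_id != current_user_id:
        raise Forbidden(f"record {record_id} not accessible")
    return record


if __name__ == "__main__":
    print(get_record_vulnerable(1, 102).body)   # bob's data leaks
    try:
        get_record_fixed(1, 102)
    except Forbidden as exc:
        print("blocked:", exc)
```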
2. Cryptographic failures
Cryptographic failures, formerly known as sensitive data exposure, rose one spot to position two. This is more of a symptom than a primary cause; the emphasis here lies on cryptographic errors or lack thereof, which frequently expose sensitive data. The following are typical examples of sensitive information exposure:
- Session tokens
- Login IDs and passwords
- Online transactions
- Personal information (switched service network or SSN, health records, etc.)
3. Injection
Injection (or SQL injection) is a database attack against a website that uses Structured Query Language (SQL) to obtain information or perform activities that would ordinarily require an authenticated user account. The application cannot distinguish the injected code from its own, which allows attackers to conduct injection attacks that reach protected areas and sensitive data while masquerading as trusted users. Injections include SQL injection, command injection, CRLF injection, LDAP injection, and others.
Injection occurs when an attacker feeds malicious input into the web application that is then acted on (processed) in an unsafe manner. This is one of the oldest attacks against web applications, but it is still the king of the vulnerabilities because it remains widespread and very damaging.
Injections are amongst the oldest and most dangerous attacks aimed at web applications. They can lead to data theft, data loss, loss of data integrity, denial of service, as well as full system compromise. The primary reason for injection vulnerabilities is usually insufficient user input validation. SQL injection attacks, also called SQLi attacks, are a type of vulnerability in the code of websites and web apps that allows attackers to hijack back-end processes and access, extract, and delete confidential information from your databases.
4. Insecure design
This is a brand-new category for 2021 that focuses on design and architectural flaws, with a call for greater use of threat modeling, secure design recommendations, and reference architectures. Insecure design is a wide category that contains a variety of problems, such as "missing or inadequate control design." That does not imply that insecure design is the root of all other Top 10 risk categories.
Insecure design vulnerabilities arise when developers, QA, and/or security teams fail to anticipate and evaluate threats during the design phase. These vulnerabilities are also a consequence of non-adherence to security best practices while designing an application.
As the name indicates, "insecure design" vulnerabilities are those that exist because security was not built into an application at the time of development. It denotes that best practices for designing an application were not taken into consideration.
5. Security misconfigurations Vulnerabilities
General security setup issues, much like misconfigured access controls, pose significant hazards by providing attackers with quick and easy access to critical data and site regions.
Security misconfiguration occurs when security settings are not adequately defined in the configuration process or maintained and deployed with default settings. This might impact any layer of the application stack, cloud or network.
Example: if directory listing is not disabled on the server and an attacker discovers this, the attacker can simply list directories to find any file and execute it. It is also possible to retrieve the actual code base, which contains all your custom code, and then look for serious flaws in the application.
6. Vulnerable and outdated components Vulnerabilities
The majority of online apps are created with the help of third-party frameworks. Unvetted third-party code may result in undesirable outcomes and unwanted situations such as access control violations, SQL injection, etc.
A software component is part of a system or application that extends the functionality of the application, such as a module, software package, or API. Component-based vulnerabilities occur when a software component is unsupported, out of date, or vulnerable to a known exploit.
If your outdated software includes the use, storage or application of data, that data becomes at risk. Your systems will be more vulnerable to ransomware attacks, malware and data breaches. Out of date software, then, can give attackers a back door into the rest of your systems.
7. Identification and authentication failures
This category, formerly known as broken authentication, dropped from second place and now contains CWEs linked to identification problems. When an attacker obtains user information, password-recovery data, session IDs, or other login credentials, it poses security issues. As the name implies, an identification and authentication failure involves attackers exploiting such weaknesses to take advantage of inadequate authentication.
Identification and authentication failures can occur when functions related to a user’s identity, authentication, or session management are not implemented correctly or not adequately protected by an application.
"Authentication failed" means there is a temporary block due to too many failed attempts. Thirty minutes after the last login attempt, the block is removed automatically by the system.
8. Software and data integrity failures
As more sensitive information is stored in databases, vulnerability to security breaches and data integrity concerns become essential considerations for software.
This is a new category, and it focuses on assuming the integrity of software updates, vital data, and CI/CD procedures without verifying them. One example is when applications use extensions, modules, or repositories from content delivery networks (CDNs) or unauthorized sources. A continuous integration/continuous delivery (CI/CD) process that is not protected might raise the risk of malicious code, system compromise or unauthorized access.
Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs).
Examples of data integrity issues include, but are not limited to:
- Intentional data falsification or manipulation.
- Poor documentation practices that impact the reliability of the data.
- Lack of control related to software, computerized systems or instruments.
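The CDN case above (a page pulling a script from a content delivery network), as an added example not taken from the article: computing and checking a Subresource Integrity (SRI) digest, which is what lets a browser refuse a CDN-served file whose bytes differ from what the page author pinned. The script contents and the CDN URL are constructed.

```python
# Added example: SRI digest generation and verification.
import base64
import hashlib
import hmac


def sri_digest(data: bytes, algo: str = "sha384") -> str:
    """Return an SRI value, '<algo>-<base64 digest>', for the given bytes."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(data: bytes, expected: str) -> bool:
    """True only if `data` hashes to `expected` under the algorithm it names.
    Unknown algorithms fail closed; the comparison is constant-time."""
    algo, sep, _ = expected.partition("-")
    if not sep or algo not in ("sha256", "sha384", "sha512"):
        return False  # SRI defines only these three
    return hmac.compare_digest(sri_digest(data, algo), expected)


def script_tag(src_url: str, data: bytes) -> str:
    """Emit the <script> tag a page author publishes so the browser refuses
    the resource if the CDN ever serves different bytes."""
    return (f'<script src="{src_url}" integrity="{sri_digest(data)}" '
            f'crossorigin="anonymous"></script>')


# Constructed: the script as reviewed and pinned at publish time.
ORIGINAL_SCRIPT = b"window.app = {version: '1.0'};\n"
PINNED = sri_digest(ORIGINAL_SCRIPT)

# Constructed: the same file after an unauthorised edit at the CDN.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"// one extra line is enough to change the digest\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example.net/app.js", ORIGINAL_SCRIPT))  # constructed URL
    print(verify_sri(ORIGINAL_SCRIPT, PINNED), verify_sri(TAMPERED_SCRIPT, PINNED))
```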
9. Security logging and monitoring failures
A lack of tracking in the presence of suspicious actions and occurrences can expand gaps in time that go unmonitored, allowing security breaches to go unnoticed for longer than they would with better logging. This OWASP Top 10 2021 section is meant to aid in the identification, escalation, and resolution of recent breaches. Detection of a security breach is unlikely without recording and monitoring.
Security logging and monitoring failures are frequently a factor in major security incidents. The BIG-IP system includes advanced logging and monitoring functionality and provides security features to protect against attacks that can result from insufficient system and application logging and monitoring. Security event logging and monitoring is a process that organizations perform by examining electronic audit logs for indications that unauthorized security-related activities have been attempted or performed on a system or application that processes, transmits or stores confidential information.
Logging and monitoring will help you to identify patterns of activity on your networks, which in turn provide indicators of compromise. In the event of incidents, logging data can help to more effectively identify the source and the extent of compromise.
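The "patterns of activity" this section describes, as an added example that is not part of the article: a small detector run over constructed authentication log lines, flagging a source address that produces `threshold` failed logins inside a `window` of seconds. The log format is made up, and the per-address sliding window is an assumption about how such a check would be structured.

```python
# Added example: brute-force detection over constructed auth log lines.
from collections import defaultdict, deque
from datetime import datetime, timezone

SAMPLE_LOG = """\
2022-03-01T10:00:01Z auth user=alice src=203.0.113.5 result=FAIL
2022-03-01T10:00:03Z auth user=alice src=203.0.113.5 result=FAIL
2022-03-01T10:00:04Z auth user=bob src=198.51.100.7 result=OK
2022-03-01T10:00:05Z auth user=admin src=203.0.113.5 result=FAIL
2022-03-01T10:00:06Z auth user=root src=203.0.113.5 result=FAIL
2022-03-01T10:00:08Z auth user=alice src=203.0.113.5 result=FAIL
2022-03-01T10:05:00Z auth user=carol src=198.51.100.9 result=FAIL
"""


def parse_line(line: str) -> dict:
    """Turn one 'key=value' auth line into a dict; the timestamp becomes a datetime."""
    ts, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def detect_bruteforce(log: str, threshold: int = 5, window: int = 60) -> list:
    """Return (src, first_ts, last_ts, usernames) for every source address whose
    failed logins reach `threshold` within `window` seconds. One alert per src;
    `usernames` lists every account that source tried across the whole log."""
    recent = defaultdict(deque)   # src -> timestamps of failures in the window
    users = defaultdict(set)      # src -> usernames tried
    alerts, alerted = [], set()
    for raw in log.splitlines():
        ev = parse_line(raw)
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        users[ev["src"]].add(ev["user"])
        while (q[-1] - q[0]).total_seconds() > window:   # slide the window
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append((ev["src"], q[0], q[-1], sorted(users[ev["src"]])))
    return alerts


if __name__ == "__main__":
    for src, first, last, names in detect_bruteforce(SAMPLE_LOG):
        print(f"{src}: {len(names)} accounts tried between {first} and {last}: {names}")
```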
10. Server-side request forgery (SSRF)
The results for this category reveal above-average testing coverage, a reasonably low incidence rate, and above-average Impact and Exploit ratings. SSRF arises when server-side requests are made without verifying the URL supplied by the user. This allows an attacker to induce an application to send a forged request to an unintended location, even one protected by virtual private networks (VPNs), firewalls, or network access control lists (ACLs).
A Server-Side Request Forgery (SSRF) attack involves an attacker abusing server functionality to access or modify resources. The attacker targets an application that supports data imports from URLs or allows them to read data from URLs.
Server-side request forgery (also known as SSRF) is a web security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location.
SSRF is a dangerous web vulnerability caused by bad programming. SSRF lets attackers send requests from the server to other resources, both internal and external, and receive responses. For an example of an SSRF attack, read more about the Capital One breach.
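The fix this section implies (verifying the user-supplied URL before the server fetches it), as an added example that is not from the article: a validator that rejects non-http(s) schemes, credentials in the URL, and IP literals that are not public, and holds hostnames to an allow-list. The allow-list contents are constructed.

```python
# Added example: validating a user-supplied URL before a server-side fetch.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.net"}   # constructed


def is_safe_fetch_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> tuple:
    """Return (ok, reason). ok is True only for http(s) URLs whose host is on
    the allow-list or is a public IP literal. Everything else is refused."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable url: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in url not allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname, not an IP literal: allow-list only. The address it
        # resolves to must still pass the same range check at connect time,
        # with the connection pinned to that address, to defeat DNS rebinding.
        return host.lower() in allowed_hosts, "hostname checked against allow-list"
    if not ip.is_global:
        # Covers loopback, RFC 1918, link-local (including the cloud metadata
        # range) and the IPv6 equivalents.
        return False, f"{ip} is not a public address"
    return True, "public ip literal"


if __name__ == "__main__":
    for candidate in ("https://images.example.com/a.png", "http://10.0.0.5/",
                      "http://[::1]/", "file:///etc/hosts", "http://internal.example.com/"):
        print(candidate, "->", is_safe_fetch_url(candidate))
```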