OWASP Top 10 Assignment - savannahc502/SavC-TechJournal-SEC260 GitHub Wiki
Every risk in the OWASP 2017 Top Ten either shifted in ranking or was consolidated into another category in the 2021 list. Broken Access Control had one of the largest shifts, moving from fifth to first: it had the highest average incidence rate in the 2021 data (3.81% of tested applications), and a broken access check directly exposes data or functions to unauthorized actors. Other categories that moved without changing their title are Injection (first to third; Cross-Site Scripting is now folded into it, since XSS is a form of injection) and Security Misconfiguration (sixth to fifth; XML External Entities is now folded into it, since XXE is the result of an XML parser configured to resolve external entities). Cryptographic Failures, previously Sensitive Data Exposure, rose from third to second. Identification and Authentication Failures, renamed from Broken Authentication, fell from second to seventh, which OWASP attributes in part to the wider availability of standardized authentication frameworks, and Security Logging and Monitoring Failures (tenth to ninth) was previously Insufficient Logging & Monitoring. The three new categories are Insecure Design, Software and Data Integrity Failures (which now includes Insecure Deserialization, since deserializing untrusted data is an integrity violation), and Server-Side Request Forgery.
Insecure Design:
Insecure design is a broad category covering flaws in how an application is designed, as distinct from flaws in how it is implemented: a flawless implementation cannot compensate for a design that never included the needed control. It is no longer good enough to consider security after a web application is built; security must be considered across the whole lifecycle, from requirements and threat modeling onward. An example of this is how WordPress, a popular web application, does not “set limits for unsuccessful login attempts on the admin panel”(QAWerk), leaving the admin login open to unlimited credential guessing unless an operator adds that control separately. Another is a retail site whose purchase flow was designed without any anti-automation control; OWASP's example scenario is scalpers using bots to buy up limited inventory the moment it goes on sale. To avoid such flaws, worst-case “what if?” questions should be asked throughout the development process and the resulting controls designed in before the problem arises.
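The login-limit example above, worked as an added illustration (this is not code from the page or from WordPress): a login function with no attempt limit beside one with a per-account failed-attempt counter and temporary lockout. The user record, the PBKDF2 password hashing, the limits (5 failures, 15 minutes) and the injectable clock are all assumptions made so the example runs offline.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict


# Constructed user store (assumption): salted PBKDF2-SHA256 password hashes.
def hash_password(password, salt, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


SALT = os.urandom(16)
USERS = {"admin": (SALT, hash_password("correct horse battery staple", SALT))}


def credentials_valid(username, password):
    """Compare a password against the stored hash in constant time."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


def login_without_limits(username, password):
    """The design flaw: every guess is evaluated and answered, without limit."""
    return "ok" if credentials_valid(username, password) else "bad-credentials"


class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout.

    The clock is injectable (assumption) so lockout expiry can be shown offline.
    """

    def __init__(self, max_failed=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failed = max_failed
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear it and reset the counter.
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def record_failure(self, username):
        self.failures[username] += 1
        if self.failures[username] >= self.max_failed:
            self.locked_until[username] = self.clock() + self.lockout_seconds

    def record_success(self, username):
        self.failures.pop(username, None)
        self.locked_until.pop(username, None)


def login_with_limits(throttle, username, password):
    """Designed-in control: guesses are not even evaluated while the account is locked."""
    if throttle.is_locked(username):
        return "locked"
    if credentials_valid(username, password):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "bad-credentials"


def simulate_guessing(login, guesses):
    """Feed a list of password guesses to a login function and tally the outcomes."""
    tally = defaultdict(int)
    for guess in guesses:
        tally[login("admin", guess)] += 1
    return dict(tally)


if __name__ == "__main__":
    # Constructed attack: 20 wrong guesses followed by the correct password.
    guesses = [f"password{i}" for i in range(20)] + ["correct horse battery staple"]
    print("no limits  :", simulate_guessing(login_without_limits, guesses))
    throttle = LoginThrottle()
    print("with limits:", simulate_guessing(lambda u, p: login_with_limits(throttle, u, p), guesses))
```

Without limits the 21st guess succeeds; with limits the account locks after the fifth failure and the later correct guess is answered "locked", not "ok". A fixed lockout is itself a design decision with a failure mode: an attacker who knows a username can lock the real user out, so many designs pair a short lockout with rate limiting by source, progressive delays, or MFA rather than relying on lockout alone.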
Software and Data Integrity Failures:
Software and Data Integrity Failures occur when an application does not verify or protect the integrity of the code and data it relies on, so either can be altered with little or no detection. “Software and data integrity failures frequently occur when the code implementation and the underlying infrastructure lack the ability to protect the code against all integrity violations. This happens when the code is obtained from some untrusted source or repositories”(Educative). This is especially dangerous in automated pipelines such as CI/CD, which build, test, and deploy an application with little human review between stages. If a malicious change is pulled into such a pipeline (a tampered dependency, a compromised build step, an unsigned update) and deployed without an integrity check, every downstream user receives it without knowing.
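As an added example of the integrity check the paragraph calls for (not code from the page or from any real pipeline): the build side pins a SHA-256 digest for each artifact and signs the pin list; the deploy side refuses anything whose manifest signature or digest does not check out, beside a "deploy whatever arrived" function that shows the failure mode. The artifact bytes, the manifest format and the shared HMAC signing key are assumptions; a real pipeline would use an asymmetric signature (for example Sigstore or GPG) so the deploy side holds no signing secret.

```python
import hashlib
import hmac
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _canonical(pins):
    # Deterministic serialization so the signature covers exactly the pinned digests.
    return json.dumps(pins, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts, signing_key):
    """Build side: pin a SHA-256 digest per artifact and sign the whole pin list."""
    pins = {name: sha256_hex(data) for name, data in sorted(artifacts.items())}
    sig = hmac.new(signing_key, _canonical(pins), "sha256").hexdigest()
    return {"pins": pins, "sig": sig}


def manifest_is_authentic(manifest, signing_key):
    """Reject a manifest whose pin list was edited after signing."""
    expected = hmac.new(signing_key, _canonical(manifest.get("pins", {})), "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest.get("sig", ""))


def verify_artifact(name, data, manifest, signing_key):
    """Deploy side: accept an artifact only if the manifest is authentic and the digest matches."""
    if not manifest_is_authentic(manifest, signing_key):
        return False, "manifest signature invalid"
    pinned = manifest["pins"].get(name)
    if pinned is None:
        return False, f"{name} is not in the manifest"
    if not hmac.compare_digest(pinned, sha256_hex(data)):
        return False, f"{name} digest mismatch"
    return True, "ok"


def deploy_without_check(name, data):
    """The failure mode: whatever the pipeline fetched is deployed as-is."""
    return True


# Constructed demo inputs (assumptions, not from the page).
KEY = b"example-build-signing-key"
ORIGINAL = b"#!/bin/sh\necho deploying app 1.4.2\n"
TAMPERED = ORIGINAL.replace(b"1.4.2", b"1.4.2-modified")   # a one-word change in transit
MANIFEST = build_manifest({"deploy.sh": ORIGINAL}, KEY)

if __name__ == "__main__":
    print("original :", verify_artifact("deploy.sh", ORIGINAL, MANIFEST, KEY))
    print("tampered :", verify_artifact("deploy.sh", TAMPERED, MANIFEST, KEY))
    print("unchecked:", deploy_without_check("deploy.sh", TAMPERED))
```

Signing the pin list matters as much as pinning: if an attacker who can alter the artifact can also alter the manifest, an unsigned digest only tells you the two were changed together. Similar checks belong at every point the pipeline takes in code it did not write, including lockfile hashes for dependencies and signature verification on auto-updates.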
Server-Side Request Forgery:
Server-Side Request Forgery (SSRF) occurs when an attacker gets the server to make a request on their behalf, exposing data and services the attacker could not reach directly. OWASP notes that the 2021 data shows a relatively low incidence rate for this category and that it may be folded into a broader category in a future edition. The flaw arises when a web application fetches a remote resource from a user-supplied URL without validating that URL: the server, which typically sits behind the firewall or inside the VPN with access to internal hosts, cloud metadata endpoints, and localhost-only services, sends the request to whatever destination the attacker chose, and the attacker reads the response or benefits from its side effects.
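An added example of the missing validation (not code from the page): an unguarded fetch beside one that only proceeds when the URL uses http or https, carries no embedded credentials, and resolves exclusively to public addresses. The DNS table, the hostnames and addresses in it, and the injectable fetcher are assumptions so that the example runs offline; with no table supplied it resolves through `socket.getaddrinfo`.

```python
import ipaddress
import socket
from urllib.parse import urlparse
from urllib.request import urlopen

# Constructed DNS answers (assumption) so the checks below run without network access.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "internal-db": ["10.0.0.5"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],  # one public and one private answer
}


def resolve(host, dns_table=None):
    """Every address the host maps to; an IP literal maps to itself."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    if dns_table is not None:
        return dns_table.get(host, [])
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def address_is_allowed(addr):
    """Public unicast only: blocks RFC 1918, loopback, link-local (169.254.169.254), etc."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return ip.is_global


def is_safe_target(url, dns_table=None):
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials embedded in URL"
    try:
        addrs = resolve(host, dns_table)
    except socket.gaierror:
        addrs = []
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        # Every answer must be public; a single private answer is enough to refuse.
        if not address_is_allowed(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def _http_get(url):
    with urlopen(url) as resp:
        return resp.read()


def fetch_unsafe(url, fetcher=_http_get):
    """The SSRF: the server fetches whatever URL the user supplied."""
    return fetcher(url)


def fetch_guarded(url, fetcher=_http_get, dns_table=None):
    """Validate the destination first; refuse before any request is made."""
    ok, reason = is_safe_target(url, dns_table)
    if not ok:
        raise ValueError(f"refusing to fetch {url}: {reason}")
    return fetcher(url)


if __name__ == "__main__":
    for url in ["https://images.example.com/logo.png",
                "http://169.254.169.254/latest/meta-data/",
                "http://localhost:8080/admin",
                "file:///etc/passwd"]:
        print(url, "->", is_safe_target(url, FAKE_DNS))
```

Two caveats a practitioner should know about this check. It resolves the name once and the HTTP client resolves it again, so a hostname that changes its answer between the two (DNS rebinding) can slip through; production code should connect to the address it validated, or validate inside the connection hook. And the client must not follow redirects automatically, since a public host can answer with a 302 to an internal address. An allowlist of permitted hosts is simpler and stronger than the denylist approach shown here whenever the set of legitimate destinations is known.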
Works Cited
- “A04:2021 – Insecure Design.” A04 Insecure Design - OWASP Top 10:2021, owasp.org/Top10/A04_2021-Insecure_Design/. Accessed 31 Mar. 2024.
- “Insecure Design Vulnerability: Explanation and Examples.” QAwerk, 15 Mar. 2024, qawerk.com/blog/insecure-design/.
- “Introduction.” OWASP Top 10:2021, owasp.org/Top10/. Accessed 31 Mar. 2024.
- “OWASP Top 10.” OWASP Developer Guide | OWASP Top 10 | OWASP Foundation, owasp.org/www-project-developer-guide/draft/training_education/owasp_top_ten/. Accessed 31 Mar. 2024.
- “What Are Software and Data Integrity Failures?” Educative, www.educative.io/answers/what-are-software-and-data-integrity-failures. Accessed 31 Mar. 2024.