OWASP Top 10 for 2021
A01:2021-Broken Access Control
Formerly A05:2017-Broken Access Control. Broken access control happens when an application fails to enforce what an authenticated user is actually allowed to do, so attackers act outside their intended permissions: viewing or editing other users' records by changing an identifier in the URL, reaching admin functions by guessing a path, or elevating their privileges by tampering with a role claim. The fix is to deny by default and enforce ownership and role checks on the server for every request, never trusting identifiers or flags supplied by the client.
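To make the failure concrete, here is an added example (not code from the original post) of the classic insecure direct object reference: a hypothetical invoice endpoint that authenticates the caller but never checks ownership, beside the hardened version. The users, invoice records and function names are all constructed for illustration.

```python
# Added example, not code from the original post: an insecure direct object
# reference (IDOR) in a hypothetical invoice API, beside the hardened handler.
# Users, invoice records and function names are all constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    total: float


# Constructed sample data: two tenants (user 7 and user 8), one invoice each.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=7, total=120.00),
    1002: Invoice(invoice_id=1002, owner_id=8, total=99.50),
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def get_invoice_insecure(current_user_id: int, invoice_id: int) -> Invoice:
    """Vulnerable: the caller is authenticated (we know current_user_id) but
    nothing checks that the invoice belongs to them. A user who changes
    /invoices/1001 to /invoices/1002 in the URL reads another tenant's data."""
    return INVOICES[invoice_id]


def get_invoice_secure(current_user_id: int, invoice_id: int) -> Invoice:
    """Hardened: deny by default, allow only when the record's owner matches the
    identity taken from the server-side session (never from the request body)."""
    invoice = INVOICES.get(invoice_id)
    # Same error for "no such invoice" and "not your invoice", so the endpoint
    # cannot be used as an oracle to enumerate which IDs exist.
    if invoice is None or invoice.owner_id != current_user_id:
        raise Forbidden(f"user {current_user_id} may not read invoice {invoice_id}")
    return invoice


def can_read(current_user_id: int, invoice_id: int) -> bool:
    """Convenience wrapper around the hardened check: True if access is allowed."""
    try:
        get_invoice_secure(current_user_id, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # User 7 walks the ID space: the insecure handler leaks user 8's invoice,
    # the hardened one refuses.
    print(get_invoice_insecure(7, 1002))          # Invoice(... owner_id=8 ...)
    print(can_read(7, 1001), can_read(7, 1002))   # True False
```

The important detail is where `current_user_id` comes from: it must be the identity the server established at login, not a field the client can edit. Returning the same error for missing and foreign records is a small extra that stops the endpoint doubling as an ID-enumeration oracle.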
A02:2021-Cryptographic Failures
Formerly A03:2017-Sensitive Data Exposure (renamed to point at the root cause rather than the symptom). Cryptographic failures happen when the cryptography that is supposed to protect sensitive data (passwords, card numbers, health records, session tokens) is missing, weak or misused. The failure can sit at any level: data sent or stored in the clear, a broken or home-grown algorithm, hard-coded or badly managed keys, or a sound algorithm used incorrectly, such as unsalted password hashes, reused nonces or certificates that are never verified.
A03:2021-Injection
Now includes A07:2017-Cross-Site Scripting (XSS). Injection happens when untrusted input is sent to an interpreter as part of a command or query without being validated, filtered or correctly escaped: SQL, NoSQL, OS commands, LDAP, and, now that XSS has been folded in, HTML and JavaScript rendered by the browser. The interpreter cannot tell the attacker's data from the developer's code, so the attacker's input runs with the application's privileges. The payload may execute immediately, or, in stored XSS and second-order SQL injection, sit in the database until a later request reads it back into a query or a page.
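The following is an added example, not code from the original post, showing the same mistake against two interpreters: a login query built by string concatenation beside its parameterised version, and untrusted text dropped into HTML beside the escaped version. The table, the accounts and the payload are constructed for illustration; passwords are kept in plain text only so the injected query is easy to read.

```python
# Added example, not code from the original post: a login query built by string
# concatenation beside the parameterised version, plus the same mistake in HTML
# output (reflected XSS) and its fix. Table, users and passwords are constructed;
# passwords are stored in the clear only to keep the injection visible.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_insecure(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: user input is pasted into the SQL text, so the database
    cannot tell where the developer's query ends and the attacker's begins."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_secure(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: placeholders keep the query structure fixed; the driver sends the
    values separately, so a quote or comment marker in the input is just data."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def render_greeting_insecure(name: str) -> str:
    """Same bug, different interpreter: untrusted text dropped into HTML, which
    the browser will execute if it contains a <script> tag (XSS)."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_secure(name: str) -> str:
    """Hardened: escape for the HTML text context before interpolating."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    # A username of  alice' --  closes the string and comments out the password
    # check, so the vulnerable query becomes: ... WHERE username = 'alice' --...
    print(login_insecure(conn, "alice' --", "wrong"))  # True: logged in as alice
    print(login_secure(conn, "alice' --", "wrong"))    # False: no such user
    print(render_greeting_secure("<script>alert(1)</script>"))
```

Parameterised queries work because the query text and the values travel to the database separately; no amount of quoting in the value can change the statement's structure. The HTML case has the same shape, but note that `html.escape` is only right for the text and attribute contexts; a value placed inside a `<script>` block or a URL needs the escaping rules of that context instead.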
A04:2021-Insecure Design
New category for 2021. Insecure design covers weaknesses that come from missing or ineffective security controls in the architecture itself rather than from implementation bugs: no threat modelling, business logic that can be abused (unlimited password-reset attempts, no limit on how often a discount code can be redeemed), or trust placed in checks that run on the client. A flawless implementation cannot repair a flawed design, so these weaknesses have to be caught with threat modelling and secure design patterns before the code is written.
A05:2021-Security Misconfiguration
Formerly A06:2017; now includes A04:2017-XML External Entities (XXE). Security misconfiguration is the failure to harden the application and the stack it runs on: default accounts and passwords left in place, unnecessary features, ports or sample pages enabled, verbose error messages that leak stack traces, missing security headers, overly permissive cloud storage permissions, or an XML parser that still resolves external entities, which is how XXE came to live here.
A06:2021-Vulnerable and Outdated Components
Formerly A09:2017-Using Components With Known Vulnerabilities. Web applications are built on components they did not write: the operating system, web and application servers, database management systems (DBMS), frameworks, libraries and APIs. The application is vulnerable when it runs versions with known vulnerabilities, depends on unsupported or end-of-life components, or does not even keep an inventory of what it is running. A weak inventory, update and patching cycle is the usual cause.
A07:2021-Identification and Authentication Failures
Formerly A02:2017-Broken Authentication. Weaknesses in confirming a user's identity, in session management, or in credential handling let attackers log in as someone else. The common techniques are brute-forcing passwords, credential stuffing (replaying username/password pairs leaked from other breaches) and spoofing another user's identity by hijacking or fixing their session. The application is at fault when it accepts weak or default passwords, has no rate limiting or lockout, lacks multi-factor authentication, or exposes session identifiers in URLs.
A08:2021-Software and Data Integrity Failures
New category for 2021; includes A08:2017-Insecure Deserialization. Software and data integrity failures happen when the application's code, infrastructure or pipeline accepts updates, data or build artefacts without verifying their integrity: plugins, libraries or scripts pulled from untrusted sources or CDNs, CI/CD pipelines that can be tampered with, auto-update mechanisms that skip signature verification, and deserialisation of untrusted objects that an attacker can craft to execute code.
A09:2021-Security Logging and Monitoring Failures
Formerly A10:2017-Insufficient Logging & Monitoring. Without adequate logging and monitoring a breach cannot be detected, escalated or investigated. The usual failures are auditable events (logins, failed logins, high-value transactions) that are never logged, logs that record nothing useful, logs kept only on the local host where an attacker can delete them, and logs that nobody reviews or alerts on, so an attack runs to completion unnoticed.
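Here is an added example, not code from the original post, that ties A09 back to the brute-force and credential-stuffing attacks described under A07: a small detector run over constructed authentication log lines. The log format, the addresses, the usernames and the thresholds are assumptions made for illustration; the regex would need adapting to a real application's log lines.

```python
# Added example, not code from the original post: a small detector run over
# constructed authentication log lines. The log format, the addresses and the
# thresholds are assumptions for illustration; adapt the regex to your own logs.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO time>Z auth <login_ok|login_failed> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z auth "
    r"(?P<event>login_ok|login_failed) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source spraying five different accounts, one source
# hammering "admin" and then succeeding, one user with two ordinary typos, and a
# malformed line that the parser has to skip rather than crash on.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth login_ok user=alice src=198.51.100.10
2024-03-01T10:00:05Z auth login_failed user=alice src=203.0.113.5
2024-03-01T10:00:06Z auth login_failed user=bob src=203.0.113.5
2024-03-01T10:00:08Z auth login_failed user=carol src=203.0.113.5
2024-03-01T10:00:09Z auth login_failed user=dave src=203.0.113.5
2024-03-01T10:00:11Z auth login_failed user=eve src=203.0.113.5
2024-03-01T10:01:00Z auth login_failed user=admin src=192.0.2.77
2024-03-01T10:01:02Z auth login_failed user=admin src=192.0.2.77
2024-03-01T10:01:04Z auth login_failed user=admin src=192.0.2.77
2024-03-01T10:01:06Z auth login_failed user=admin src=192.0.2.77
2024-03-01T10:01:08Z auth login_failed user=admin src=192.0.2.77
2024-03-01T10:01:10Z auth login_ok user=admin src=192.0.2.77
2024-03-01T10:05:00Z auth login_failed user=alice src=198.51.100.10
this line is not in the expected format and must be skipped
2024-03-01T10:09:00Z auth login_failed user=alice src=198.51.100.10
""".splitlines()


def parse_line(line: str):
    """Return (timestamp, event, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    return ts, m["event"], m["user"], m["src"]


def detect_auth_abuse(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Sliding-window failure counter per source IP.

    Emits one alert per source when `threshold` failures land inside `window`,
    labelled credential_stuffing if the failures span several usernames and
    brute_force if they target one, plus a success_after_failures alert if that
    source later logs in, which is the event worth paging on.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) for failures in window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, user, src = parsed
        if event == "login_ok":
            if src in alerted:
                alerts.append({"kind": "success_after_failures", "src": src,
                               "user": user, "at": ts})
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            users = {u for _, u in q}
            alerts.append({
                "kind": "credential_stuffing" if len(users) > 1 else "brute_force",
                "src": src, "failures": len(q), "users": sorted(users), "at": ts,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(SAMPLE_LOG):
        print(alert)
```

Two things in this toy are worth carrying over to a real deployment. The detector only works because failed logins are logged with the source address and a timestamp at all, and because the lines are available somewhere the attacker cannot truncate them, which is the case for shipping logs to a central store rather than keeping them on the host. And the highest-value signal is not the burst of failures but the success that follows it, so that is the alert to route to a human.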
A10:2021-Server-Side Request Forgery (SSRF)
New category for 2021. SSRF happens when a web application fetches a remote resource from a user-supplied URL without validating that URL. Because the request is made by the server, it reaches hosts the user cannot: internal services, cloud instance metadata endpoints, and systems that firewalls, VPNs and network access control lists (ACLs) would otherwise keep out of the attacker's reach.
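An added example, not code from the original post, of the validation such a fetch should do before the server makes the request. The hostname allow-list, the fake DNS table standing in for a resolver, and every address in it are constructed so the example runs offline; in production the name is resolved with a real resolver and the HTTP client is pinned to the address that was validated.

```python
# Added example, not code from the original post: validating a user-supplied URL
# before the server fetches it. The hostname allow-list, the fake DNS table and
# every address in it are constructed so the example runs offline; in production
# resolve with a real resolver and connect to the IP you validated.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allow-list: the only hosts this feature is expected to fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

# Constructed stand-in for DNS (hostname -> addresses). The public-looking
# addresses are arbitrary; the last two entries show what an attacker aims for.
FAKE_DNS = {
    "images.example.com": ["51.15.20.30"],
    "cdn.example.com": ["95.85.10.11"],
    "evil.example.net": ["169.254.169.254"],   # cloud instance metadata service
    "localhost": ["127.0.0.1"],
}


def is_public_ip(addr: str) -> bool:
    """Reject anything that is not a routable public address: loopback, RFC 1918,
    link-local (169.254/16, where cloud metadata lives), multicast, reserved."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, resolver=FAKE_DNS) -> tuple[str, str]:
    """Return (hostname, ip) the application may connect to, or raise ValueError.

    Order matters: parse, then allow-list the hostname, then check where that
    name actually resolves. An allow-listed name can still point at an internal
    address (DNS rebinding, a hijacked zone), so the resolved IP is checked too
    and should be the address the HTTP client is pinned to.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        # http://images.example.com@evil.example.net/ puts the trusted name in the
        # userinfo part; the real host is evil.example.net.
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname          # already lower-cased, IPv6 brackets stripped
    if not host or host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    addresses = resolver.get(host, [])
    if not addresses:
        raise ValueError(f"host does not resolve: {host!r}")
    for addr in addresses:
        if not is_public_ip(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return host, addresses[0]


def is_safe_url(url: str, resolver=FAKE_DNS) -> bool:
    """Boolean wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://images.example.com/a.png",
              "http://169.254.169.254/latest/meta-data/",
              "http://localhost:8080/admin",
              "http://images.example.com@evil.example.net/",
              "file:///etc/passwd"):
        print(f"{is_safe_url(u)!s:5} {u}")
```

Allow-listing the hostname, rather than deny-listing addresses, is what defeats the many ways of writing an internal IP (decimal, octal, IPv6-mapped, a redirect to one); the resolver check on top of it is there for the case where a permitted name is made to point somewhere it should not. Redirects need the same treatment: either disable them for server-side fetches or re-run this validation on every hop.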
This will be all for the Day 15 post and the end of OWASP Top 10 2021. Hope you enjoyed every bit of it. Kindly let me know in the comments section if you did.