Day 15: OWASP Top 10 for 2021 – A Summary List of All Vulnerabilities

OWASP Top 10 for 2021
A01:2021-Broken Access Control

Formerly A05:2017-Broken Access Control

Access control enforces the policy that users cannot act outside their intended permissions. Broken access control is any failure of that enforcement: attackers bypass or escalate past the checks to view or modify other users' records, or to perform privileged actions such as administrative functions. The common shapes are insecure direct object references (changing an identifier in a URL or request body to reach someone else's data), missing function-level checks on privileged endpoints, privilege escalation, and CORS misconfiguration. The fix is deny-by-default enforcement on the server, on every request, never in the UI alone.
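As an added example that is not part of the original post, the following Python shows the two most common shapes of this flaw side by side with their fix: an insecure direct object reference on an invoice lookup, and a missing function-level check on an admin listing. The invoice and role tables are constructed sample data, and returning None stands in for a 403/404 response.

```python
"""Insecure direct object reference (IDOR) and a missing function-level check, with fixes."""

# Constructed sample data: two customers, one invoice each.
INVOICES = {
    1001: {"owner": "alice", "total": 250.00},
    1002: {"owner": "bob", "total": 980.00},
}

# Constructed role table used by the admin-only function below.
ROLES = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"customer", "admin"}}


def get_invoice_vulnerable(invoice_id: int):
    """Returns any invoice by ID. Nothing checks who is asking, so changing
    ?id=1001 to ?id=1002 in the URL reveals another customer's invoice."""
    return INVOICES.get(invoice_id)


def get_invoice(current_user: str, invoice_id: int):
    """Deny by default: a record is returned only if it exists AND belongs to the
    caller. 'Not found' and 'not yours' give the same answer (None), so the
    endpoint cannot be used to enumerate which IDs exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != current_user:
        return None
    return invoice


def require_role(role: str):
    """Decorator enforcing a function-level check on the server, on every call.
    Hiding the admin link in the UI is not access control."""
    def decorator(fn):
        def wrapper(current_user, *args, **kwargs):
            if role not in ROLES.get(current_user, set()):
                return None          # in a web app: respond 403 (or 404 to hide the endpoint)
            return fn(current_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def list_all_invoices(current_user: str):
    return dict(INVOICES)


if __name__ == "__main__":
    print(get_invoice_vulnerable(1002))   # alice can read bob's invoice by guessing the ID
    print(get_invoice("alice", 1002))     # None: denied
    print(list_all_invoices("alice"))     # None: not an admin
    print(list_all_invoices("carol"))     # full listing
```

The ownership condition belongs inside the lookup (or the query) rather than after it, so that there is no code path that fetches first and forgets to check.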

A02:2021-Cryptographic Failures
Formerly A03:2017-Sensitive Data Exposure

Renamed to name the root cause rather than the symptom. Cryptographic failures are failures to protect data that needs protection in transit or at rest: sending it in cleartext, using weak or deprecated algorithms and protocols (MD5, SHA-1, RC4, old TLS versions), hard-coded, reused or poorly managed keys, weak randomness, storing passwords with fast unsalted hashes, or simply not encrypting sensitive fields at all. Which data needs protection is a legal and business question (passwords, card numbers, health records, personal data), so classify it first and then choose the control.
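Password storage is the case of this category that most applications get wrong, so here is an added Python example (not from the original post) contrasting a fast unsalted hash with a salted, deliberately slow PBKDF2-HMAC-SHA256 hash and a constant-time verifier. The iteration count is an assumption taken from current OWASP guidance; nothing else is assumed.

```python
import hashlib
import hmac
import os

# Assumption: OWASP's current minimum for PBKDF2-HMAC-SHA256; raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000


def hash_password_weak(password: str) -> str:
    """What NOT to do: a fast, unsalted general-purpose hash. Equal passwords give
    equal digests (one cracked hash cracks every matching account) and a GPU can
    test billions of guesses per second against it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted, slow password hash. The stored string carries the algorithm, work
    factor and salt, so parameters can be raised later and old hashes upgraded
    on the user's next successful login."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the parameters stored alongside it and compares in
    constant time; a plain == would leak how many leading bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=32)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    print(hash_password_weak("hunter2") == hash_password_weak("hunter2"))  # True: no salt
    stored = hash_password("hunter2")
    print(stored)
    print(verify_password("hunter2", stored), verify_password("hunter3", stored))
```

Where a memory-hard function such as Argon2id or scrypt is available it is preferable to PBKDF2; the structure (random per-user salt, tunable cost, self-describing stored string, constant-time compare) is the same.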

A03:2021-Injection 
Merged with: A07:2017-Cross-Site Scripting (XSS)

Injection occurs when untrusted data is sent to an interpreter as part of a command or query, so that the data is parsed as code. SQL, NoSQL, OS command, LDAP and expression-language injection all fit this pattern, and cross-site scripting (now merged here) is the same flaw with the browser as the interpreter. The payload does not have to be stored first: it can be reflected from a single request, though stored injection (a payload saved to the database and executed when it is later read) is also common. The fix is to keep data and code apart, with parameterized queries and safe APIs on the server and context-aware output encoding in HTML, and input validation only as defense in depth.
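The following added Python example (not from the original post) shows a SQL injection against a string-built query, the parameterized version that is immune to the same input, and, because XSS now lives in this category, an unescaped versus escaped HTML render. The in-memory SQLite table is constructed sample data.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table, in memory; nothing here is a real system."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, price REAL, hidden INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [("widget", 9.99, 0), ("gadget", 19.99, 0), ("unreleased", 0.0, 1)])
    return db


def search_vulnerable(db: sqlite3.Connection, name: str) -> list:
    """String concatenation: the user's text becomes part of the SQL grammar.
    name = "' OR 1=1 --" turns the WHERE clause into
    hidden = 0 AND name = '' OR 1=1 --'  which matches every row, hidden ones included."""
    sql = f"SELECT name FROM products WHERE hidden = 0 AND name = '{name}'"
    return [row[0] for row in db.execute(sql)]


def search_fixed(db: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value travels separately from the statement and
    can never change its structure, whatever characters it contains."""
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


def render_comment_vulnerable(comment: str) -> str:
    """XSS: the comment is dropped straight into markup, so <script> runs."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_fixed(comment: str) -> str:
    """Output encoding for an HTML text-node context. Other contexts (attribute,
    URL, JavaScript) need their own encoders; one escape does not fit all."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print(search_vulnerable(db, payload))   # ['widget', 'gadget', 'unreleased']
    print(search_fixed(db, payload))        # []
    print(render_comment_fixed("<script>alert(1)</script>"))
```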

A04:2021-Insecure Design

Insecure design covers weaknesses that come from missing or flawed security in the design itself, as opposed to bugs in an otherwise sound design. A perfect implementation cannot fix an insecure design, because the required controls were never specified: no threat modeling, no abuse-case analysis, no secure design patterns or reference architecture. Typical examples are credential recovery through "security questions" that others can answer, or a workflow that lets one user reserve or exhaust a shared resource without limits.

A05:2021-Security Misconfiguration 
Merged with: A04:2017-XML External Entities (XXE)

Security misconfiguration is the absence of appropriate hardening, or settings that undo it: default accounts and passwords left in place, unnecessary features, ports or services enabled, verbose error messages that leak stack traces, missing security headers, overly permissive cloud storage permissions, and frameworks or servers whose security settings are not set to secure values. XML External Entities (A04:2017) now sits here because it is, at root, an XML parser configured to resolve external entities in untrusted documents.

A06:2021-Vulnerable and Outdated Components

Formerly A09:2017-Using Components With Known Vulnerabilities

Vulnerable and outdated components are libraries, frameworks, runtimes and other software modules, including the database management system (DBMS), operating system, web and application server and APIs, that are unsupported, out of date, or carry known vulnerabilities. You are exposed if you do not know the versions of every component you use (client- and server-side, including nested dependencies), do not check them against vulnerability advisories, or do not fix and upgrade on a risk-based schedule. A slow or ad hoc patch cycle is the usual root cause.

A07:2021-Identification and Authentication Failures

Formerly A02:2017-Broken Authentication

Confirming the user's identity, authenticating them and managing their session correctly is essential. Failures include permitting automated attacks such as credential stuffing (replaying lists of breached username/password pairs) and brute forcing, accepting default or weak passwords, weak credential-recovery flows, missing or ineffective multi-factor authentication, and session handling mistakes such as exposing session identifiers in the URL, reusing them after login, or not invalidating them on logout. Attackers use these to take over accounts or to spoof another user's identity.
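An added Python example, not from the original post, of the control that directly addresses the brute-force and credential-stuffing techniques mentioned above: a sliding-window throttle applied to both the account and the source address, wrapped in a login function that returns one generic failure message. The credential check itself is passed in as a callable and assumed to be the application's own hashed-password verifier; the clock is injectable so the lockout can be exercised without sleeping.

```python
import time
from collections import defaultdict, deque

GENERIC_FAILURE = "invalid username or password"


class LoginThrottle:
    """After max_failures failed attempts for the same key within window_s seconds,
    further attempts for that key are refused for lockout_s seconds."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock                   # injectable for testing
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}

    def is_locked(self, key: str) -> bool:
        return self._locked_until.get(key, 0) > self.clock()

    def record_failure(self, key: str) -> None:
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            q.clear()

    def record_success(self, key: str) -> None:
        self._failures.pop(key, None)


def authenticate(username, password, check_credentials, throttle, src_ip):
    """check_credentials(username, password) -> bool is assumed to be the app's own
    verifier (hashed-password lookup) and is not shown here. Both the account and
    the source are throttled: per-account alone lets an attacker lock victims out,
    per-IP alone is trivially spread across proxies."""
    keys = (f"user:{username}", f"ip:{src_ip}")
    if any(throttle.is_locked(k) for k in keys):
        return False, "too many attempts, try again later"
    if check_credentials(username, password):
        throttle.record_success(keys[0])   # only the account's counter resets
        return True, "ok"
    for k in keys:
        throttle.record_failure(k)
    return False, GENERIC_FAILURE          # identical whether or not the user exists


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window_s=60, lockout_s=120)
    creds = lambda u, p: (u, p) == ("alice", "correct")   # constructed stand-in
    for attempt in ("wrong", "wrong", "wrong", "correct"):
        print(authenticate("alice", attempt, creds, throttle, "203.0.113.5"))
```

Returning the same message for "no such user" and "wrong password" removes a user-enumeration oracle; the lockout response is deliberately distinct so a legitimate user knows to wait. Rate limits of this kind complement, rather than replace, multi-factor authentication and breached-password checks.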

A08:2021-Software and Data Integrity Failures 
Merged with: A08:2017-Insecure Deserialization

Software and data integrity failures are code and infrastructure that do not protect against integrity violations: pulling plugins, libraries or updates from untrusted sources or CDNs without verifying signatures, CI/CD pipelines without integrity controls (an attacker who can modify the pipeline can inject code into the build), auto-update mechanisms that do not verify what they download, and insecure deserialization (A08:2017, merged here), where untrusted serialized objects are decoded and can lead to remote code execution or tampering with application state.
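The deserialization half of this category, as an added Python example that is not from the original post: a pickle payload whose mere unpickling calls attacker-chosen code, and the replacement pattern of a data-only format (JSON) whose bytes are authenticated with HMAC-SHA256 before they are parsed. The key is a constructed demo value and the "gadget" only records that it ran; a real payload would invoke os.system or similar.

```python
import base64
import hashlib
import hmac
import json
import pickle

# Assumption: in production the key comes from a secret store, never from source code.
DEMO_KEY = b"constructed-demo-key-do-not-use"

SIDE_EFFECTS = []


def _attacker_callable():
    """Stand-in for an attacker's gadget; here it only records that it executed."""
    SIDE_EFFECTS.append("code ran during deserialization")
    return "owned"


class Gadget:
    # pickle honours __reduce__, so unpickling this object calls the function.
    def __reduce__(self):
        return (_attacker_callable, ())


def attacker_payload() -> bytes:
    return pickle.dumps(Gadget())


def load_unsafe(blob: bytes):
    """The anti-pattern: deserializing untrusted bytes with a format that can
    express arbitrary calls, with nothing verified first."""
    return pickle.loads(blob)


def dumps_signed(obj, key: bytes) -> bytes:
    """Data-only format plus an HMAC-SHA256 tag over the exact serialized bytes."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag) + b"." + base64.urlsafe_b64encode(body)


def loads_verified(blob: bytes, key: bytes):
    """Returns (ok, value). The tag is checked in constant time BEFORE the body is
    parsed, so tampered or forged input never reaches the parser."""
    tag_b64, sep, body_b64 = blob.partition(b".")
    if not sep:
        return False, None
    try:
        tag = base64.urlsafe_b64decode(tag_b64)
        body = base64.urlsafe_b64decode(body_b64)
    except ValueError:
        return False, None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, None
    return True, json.loads(body)


def tamper(blob: bytes, new_obj) -> bytes:
    """What an attacker without the key can do: keep the old tag, swap the body."""
    tag_b64 = blob.split(b".")[0]
    body = json.dumps(new_obj, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return tag_b64 + b"." + base64.urlsafe_b64encode(body)


if __name__ == "__main__":
    print(load_unsafe(attacker_payload()), SIDE_EFFECTS)   # 'owned', and the gadget ran
    token = dumps_signed({"user": "alice", "role": "user"}, DEMO_KEY)
    print(loads_verified(token, DEMO_KEY))                            # (True, {...})
    print(loads_verified(tamper(token, {"user": "alice", "role": "admin"}), DEMO_KEY))  # (False, None)
```

The same verify-then-parse discipline applies to downloaded updates and packages: check the signature or digest against a trusted value before anything reads the content.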

A09:2021-Security Logging and Monitoring Failures

Formerly A10:2017-Insufficient Logging & Monitoring

Without adequate logging, monitoring and active response, breaches cannot be detected, let alone investigated. The failures are usually in log handling or log architecture: auditable events such as logins, failed logins and high-value transactions are not logged at all; warnings and errors produce no, inadequate or unclear messages; logs are only stored locally and so are lost with the host; nobody monitors them or alerts on suspicious activity; and there is no incident response plan to act on an alert. Logging also has to be done safely: credentials, tokens and other secrets must never be written to logs, and log entries must be encoded so that user input cannot forge or corrupt them.
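To make "useful information" concrete, here is an added Python example (not from the original post) that writes one structured audit line per authentication event, with the fields a responder needs and none of the secrets they must never see, and then runs a detector over a constructed batch of such lines. The detector looks for a source hitting many distinct accounts, the credential-stuffing pattern that per-account lockouts miss; the log lines, addresses and thresholds are all constructed for the demo.

```python
import json
from collections import defaultdict


def auth_event(ts: int, outcome: str, user: str, src_ip: str, request_id: str) -> str:
    """One JSON object per line. No password, token or session ID is ever included;
    json.dumps also neutralizes newlines in user-controlled fields, so a crafted
    username cannot forge a second log entry."""
    record = {"ts": ts, "event": "login", "outcome": outcome, "user": user,
              "src_ip": src_ip, "request_id": request_id}
    return json.dumps(record, sort_keys=True)


def detect_credential_stuffing(lines, min_accounts=3, window_s=60):
    """Returns {src_ip: distinct_accounts} for sources whose failed logins hit at
    least min_accounts different accounts within any window_s-second span."""
    failures = defaultdict(list)          # src_ip -> [(ts, user), ...]
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue                      # malformed line; in production, count these too
        if rec.get("event") == "login" and rec.get("outcome") == "failure":
            failures[rec["src_ip"]].append((rec["ts"], rec["user"]))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            users = {user for ts, user in events[i:] if ts - start <= window_s}
            best = max(best, len(users))
        if best >= min_accounts:
            flagged[ip] = best
    return flagged


# Constructed sample log: one source sprays several accounts, another just
# mistypes one password twice, plus a corrupt line that the parser must survive.
SAMPLE_LOG = [
    auth_event(1700000000, "failure", "alice", "203.0.113.5", "r1"),
    auth_event(1700000005, "failure", "bob", "203.0.113.5", "r2"),
    auth_event(1700000011, "failure", "carol", "203.0.113.5", "r3"),
    auth_event(1700000020, "success", "dave", "203.0.113.5", "r4"),
    auth_event(1700000030, "failure", "erin", "203.0.113.5", "r5"),
    auth_event(1700000001, "failure", "alice", "198.51.100.7", "r6"),
    auth_event(1700000400, "failure", "alice", "198.51.100.7", "r7"),
    "not json at all",
]

if __name__ == "__main__":
    print(SAMPLE_LOG[0])
    print(detect_credential_stuffing(SAMPLE_LOG))   # {'203.0.113.5': 4}
```

In practice the lines are shipped off the host to a central store and the detector runs there on a schedule or as a streaming rule, with its output routed to an alert rather than another log file.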

A10:2021-Server Side Request Forgery (SSRF)

SSRF occurs when a web application fetches a remote resource from a user-supplied URL without validating it. Because the request is made by the server, it originates inside the trust boundary, so the attacker can reach destinations that firewalls, VPNs and network Access Control Lists (ACLs) would never let them reach from outside: internal services, admin interfaces, and cloud instance metadata endpoints. Mitigate with an allowlist of permitted destinations, a block on private, loopback and link-local ranges, disabled redirects, and by never returning the raw fetched response to the client.
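As an added example that is not from the original post, the following Python validates an outbound URL the way a fetch endpoint should: scheme check, rejection of userinfo tricks, an allowlist of hosts, and a check that every address the host resolves to is publicly routable. The allowlisted hosts and the DNS table are constructed for the demo; the resolver is injectable, so the block also simulates an allowlisted name that has been rebound to the cloud metadata address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the application only ever needs to fetch from these hosts.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def resolve_with_dns(host: str) -> list:
    """Real resolver; the demo below swaps in a constructed table instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolve=resolve_with_dns):
    """Returns (ok, reason, ip). The resolved address is handed back so the caller
    connects to that exact IP (setting the Host header itself) rather than
    resolving again, which closes the DNS-rebinding gap between check and use."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL", None          # http://api.example.com@127.0.0.1/
    host = parts.hostname                              # already lower-cased by urlsplit
    if not host or host not in ALLOWED_HOSTS:
        return False, "host not on allowlist", None    # also rejects every IP literal
    addresses = resolve(host)
    if not addresses:
        return False, "unresolvable host", None
    for ip in addresses:
        addr = ipaddress.ip_address(ip)
        if (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
            return False, f"resolves to non-public address {ip}", None
    return True, "ok", addresses[0]


# Constructed DNS answers; 169.254.169.254 is the link-local metadata address
# that a rebound or poisoned allowlisted name would point at.
DEMO_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["169.254.169.254"],
}


def demo_resolve(host: str) -> list:
    return DEMO_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/items",
                "http://169.254.169.254/latest/meta-data/",
                "http://api.example.com@127.0.0.1/",
                "file:///etc/passwd",
                "https://cdn.example.com/logo.png"):
        print(url, "->", validate_outbound_url(url, demo_resolve))
```

Redirects must be disabled on the actual fetch, or each hop re-validated, since an allowlisted host can otherwise 302 the server to an internal address.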

This will be all for the Day 15 post and the end of OWASP Top 10 2021. Hope you enjoyed every bit of it. Kindly let me know in the comments section if you did.