The OWASP Top 10 Framework

The OWASP Top 10 is a cybersecurity framework that can be used to discover the top 10 most critical vulnerabilities to patch in web applications.

Application security is a crucial part of every organization, as it paves the way for a secure system protected against any cyber threat. The OWASP Top 10 features a list of the top 10 risks to manage and is collated from the most frequent application breaches reported by the open-source community.

The category ranking in the OWASP Top 10 list is based on three critical factors:

• Frequency of the security breach
• The impact caused by the vulnerability
• How severe is the unprotected vulnerability?

These three factors were used to analyze the top application security risks now listed in the OWASP Top 10. It serves as the framework for security and compliance audits and checkpoints, and it is used by offensive security practitioners, such as ethical hackers, pentesters, and red teamers, to test applications.

Integrating the OWASP Top 10 as a DevOps checklist into the software development life cycle (SDLC) ensures two key benefits for those managing DevSecOps workflows and vulnerability management:

• Security testing to manage top ten risks during the SDLC
• Remediation of vulnerabilities to manage top ten risks in production

What is OWASP?

OWASP is the acronym for The Open Web Application Security Project, a non-profit organization focused on enhancing the security of web applications to enhance a smoother ecosystem for digital transformation. Founded by Mark Curphey in 2001, OWASP taps into the growing need for a niche cybersecurity community that caters to those working in application security. It functions as an open community model and welcomes participation and contribution by its membership through various means. DevOps engineers, security practitioners, and web app developers can access technical resources on web application security, including articles, code reviews, and tutorials focused upon the organization’s publicly available framework dubbed “The OWASP Top 10.”

What is The OWASP Top 10?

The OWASP Top 10 is a free resource that lists the top ten most common risks to web application security that IT and security practitioners need to manage to prevent security and data breaches. The list creates a security framework and industry standard for cybersecurity risk management and penetration testing of web applications. The framework is also ideal for on-going web application vulnerability management, as The OWASP Top 10 covers the top risk categories threat actors are exploiting based on intelligence submitted by the security community. Due to its methodology’s acceptance by experts around the world, The OWASP Top 10 has become an industry standard for web application security.

What changed in the 2021 update?

The OWASP Top 10 was updated in 2021 from the 2017 version using data collected from the community to update the framework. Based upon the analysis of data collected from the open-source community, ethical hackers, and web application security experts, the 2021 update reflects the ten new risk categories to focus upon for web application vulnerability management.

In summary, the main differences include the following:

Top three risk categories changed:

• The top three categories in the 2021 update are 1) Broken Access Control, 2) Cryptographic failures, and 3) Injection.
• In 2017, the top 3 categories were 1) Injection, 2) Broken Authentication, and 3) Sensitive Data Exposure.

New risk categories added:

• Insecure Design
• Software and Data Integrity failures
• Server-Side Request Forgery

Old risk categories renamed or merged:

• Sensitive Data Exposure was renamed to “Cryptographic Failures.”
• XML External Entities was merged with “Security Misconfiguration.”

One notable risk category removed:

• Cross-Site Scripting (XSS) was dropped from the Top 10 list due an increase in secure coding practices involving input validation and output encoding, and Web Application Firewalls (WAFs) blocking malicious code. Meanwhile, it continues to pose a critical security risk and requires discovery, remediation, and mitigation.

The OWASP Top 10 Security Risks: 2021 vs. 2017 (source: OWASP)

The OWASP Top 10

The OWASP Top 10 covers a set of risk categories commonly associated with vulnerabilities discovered in web applications. The list is often used as a framework to assist organizations with managing those common risks in their web applications via pentesting, vulnerability scanning, and vulnerability management. Read on to learn about each risk category, including description, use case, and steps to mitigate.

A01:2021 Broken Access Control

Broken Access Control is when an unauthorized user has access to a user account and can control key operations, access notable user data, and/or exploit key functionalities of a user account. The vulnerabilities in the authentication, access control, or authorization mechanisms are exploited to put the user’s safety under threat. With a user’s account is exposed to such a threat, the exposed sensitive data can be viewed or modified, which can lead to data leakage and privacy loss.

In 2017, WordPress’ Yoast SEO plugin became the victim of a broken access control attack, where the attacker bypassed the authentication mechanism to gain access to the admin account. Upon gaining access, the attacker could modify the content of the account or take over the entire website. Sensitive data was exposed, which prompted the developers of the plug-in to address the issue immediately.

Web application pen testing is a way to identify vulnerabilities via a simulated attack on a web application to check its response. Your organization and DevSecOps team can include key web application penetration testing techniques, like fuzzing and XSS, to identify risks and mitigate them against future breaches.

A02:2021 Cryptographic Failures

Cryptographic Failures mainly deal with sensitive data, which is stored or transmitted, and when it gets compromised due to a vulnerability in the system. Encryption of sensitive data is highly crucial, and often required in compliance requirements, such as HIPAA and PCI DSS. Failure can lead to unauthorized access to sensitive data, such as passwords, or personal health information, which can lead to mammoth losses for your organization.

Some of the key reasons for cryptographic failures include:

• Using a weak cryptographic algorithm
• Having a weak encryption key
• Using plain text for storing encryption keys

In 2017, digital supplier and password manager LastPass experienced web app breach due to cryptographic failure, as the attacker was able to gain access to the encryption keys. Once the keys were accessed, they could decrypt all the passwords within the LastPass database. A similar case was discovered in 2015, where the attacker was able to modify the encryption and decryption keys in the OpenSSL cryptographic library and decrypt previously encrypted data.

Performing regular application penetration testing is an effective way to protect and defend web-facing applications. With application testing, you can identify and patch vulnerabilities that can led to cryptographic failures and protect sensitive data from getting breached.

A03:2021 Injection

Injection is the third vulnerability on the list – moving down from the first position it held on the 2017 list. XSS* is now considered to be a part of this vulnerability, too. Code injection occurs when an attacker can send invalid data into the web application with a motive to make the web application respond how they want, instead of the usual response.

Yoast SEO has been a victim of this vulnerability, as the attackers could inject a code into the plug-in – only to steal critical user data like the passwords or credit card numbers of the user. It was later fixed by the developers of the plug-in by running a validation check of the user input, which prevented attackers from further inputting malicious codes into the plug-in.

*See the “Runner Up” section below for more on XSS, which is no longer a dedicated risk category on the 2021 list.

A04:2021 Insecure Design

Insecure Design is a newly added category in the 2021 OWASP Top 10 list. As organizations are slowly moving towards complex designs, they need to understand their threat models first, and then apply security principles to their applications or website. Vulnerabilities like lack of input validation or missing authorization or authentication are the noteworthy issues that come under insecure design.

An incident that highlights the importance of Insecure Design is the vulnerability attack on the popular video game, Fortnite. Due to insecure design, the attacker was able to take control of the accounts of the user, and then use this account to perform malicious activities within the game.

Considering the U.S. mobile app market is now valued at $41 billion, secure design can be a valuable differentiator to grow the business and protect users at the same time. With controls like mobile application pentesting,you can test revenue-generating mobile apps for vulnerabilities, and patch them before an expensive, brand-damaging breach occurs.

A05:2021 Security Misconfiguration

Security Misconfiguration occurs when a configuration error or shortcoming causes the system to be vulnerable to attack. Due to the critical risk, prompt discovery and remediation is critical. Though there are many causes for security misconfiguration, SecOps and DevOps engineers can manage this risk by investigating systems for outdated software or improperly configured third-party libraries.

One of the most notable breaches in U.S. history was due to a security misconfiguration. Due to a misconfigured WAF, Equifax, a global financial credit bureau, reported a data breach impacting the personally identifiable information (PII) of 145 million Americans in 2017. As the personal information of account holders also got leaked, Equifax experienced multiple lawsuits and fines. Equifax resolved this issue by ensuring that new security technologies become a part of the organization’s security strategy, along with conducting regular security audits within the organization. They also offered impacted customers free credit monitoring services.

A06:2021 Vulnerable and Outdated Components

Vulnerable and Outdated Components moves up from the 9th position in the 2017 OWASP Top 10. It deals with the key components which pose a threat and have a potential security risk which can threaten the entire system. Security testing and patching are the best ways to manage the risk.

When components have outdated security protocols, they are easier to attack. Cyber criminals can gain access to components to compromise systems, move laterally, and steal PII, such as customer information, passwords, credit card numbers, and more.

Not only does it bring about financial losses to your organization, but the reputational damage can often be irreparable. One such example is the Kaseya VSA software supply chain attack in 2019 that exposed the networks of the company’s customers to the attackers. Eventually, ransomware was installed over the network of the clients that encrypted critical files on the network of the clients. This attack impacted over 1500 businesses spreading across 15+ countries, many of which were grocery stores that temporarily stopped selling food to local communities. This global event exemplifies the importance of why it’s critical to update vulnerable and outdated components.

A07:2021 Identification and Authentication Failures

Identification and Authentication Failures pose a risk that deals with session management and ensuring that imposters are not logging in with stolen data. Identity and access management are crucial components of any online system. While identification acts as a gateway for accessing any website, access management deals with ensuring that users have role-specific access. If implemented improperly, compromised passwords, session details, and keywords may be exposed to attackers.

The Colonial Pipeline Company breach of 2021 is one primary example of identification and authentication failures resulting from the use of outdated VPN software. Attackers gained access to the company’s data – amounting to 100GB, by accessing the network – which included financial and customer information.

Mitigating such risks becomes crucial at an early stage – as later, it might be quite difficult to identify the risk. Integrating OWASP ZAP in DevSecOps Pipeline enables the identification of the vulnerabilities before the final release is made. By integrating it with a continuous integration pipeline, the process of vulnerability identification and mitigation is automated.

A08:2021 Software and Data Integrity Failures

Software and Data Integrity Failures is a recent risk category added to the list. The focus here is updating the software to the latest version, handling critical data, and utilization of CI/CD pipelines without checking integrity. Data deserialization also forms a part of the software and data integrity failures, wherein insecure data deserialization leads to remote execution of the code into the system by the attacker.

A use case for such a failure will be the deserialization of the malicious request sent by the attacker to the server. As the deserialization takes place at the server end, and the malicious code is executed, the attackers gain complete access to the server data, and can also take over the server completely.

A09:2021 Security Logging and Monitoring Failures

Security Logging and Monitoring Failures pose a risk to critical components of any online system. Logging and monitoring activities should be performed frequently on the website – as the importance of this vulnerability has increased with time – placing it at 9th in 2021, from the 10th position in 2017. The secure log-in feature prevents attackers from exploiting vulnerabilities in software that can compromise logging and monitoring technology.

Logging of the key events, such as logins, or failed attempts, are critical data points that should be collected from every website. A penetration test can identify the application vulnerabilities associated with this risk, remediation actions to take, and enable DevSecOps teams. By identifying the patterns of these events, teams can understand the key shortcomings and vulnerabilities within the system for on-going monitoring.

A10:2021 Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) attacks are booming at an accelerated pace due to the growing utilization of cloud technology. In a recent study, the risk of SSRF accounted for 12% of global security breaches, making it the fourth most common attack. SSRF attacks have 50% chance or more of being successful, making it a critical risk to manage.

A SSRF attack takes place when an application requests an unintended destination that can be utilized to steal data or even take the complete authorization of the application. There are two popular use cases for carrying out such attacks – sharing an URL to be fetched, which is that of an internal system, or attacking the vulnerability in the code of the web application. While the first one requires proper validation to handle the risk, the second use case requires a proper code review followed by validation of inputs.

API penetration testing can shore up API security to help teams to mitigate the risk of SSRF in web applications. In an API pen test, an ethical hacker uses three conditions to test for SSRF:

• Validation of the input
• Insecure functions within the code
• Unprotected default values

The OWASP Top 10 Runner-Up: XSS

XSS – aka Cross-Site Scripting – vulnerabilities are still common today, allowing an attacker to transform an application or web page into a smorgasbord of cyberattacks. Therefore, even though the risk category is now longer on the OWASP Top 10, the XSS risk must continue to be managed. One of the most malicious attacks, these vulnerabilities allow a threat actor to inject malicious code into a website to ensure that every time a user loads the website, the malicious script gets executed.

When successful, the attacker can achieve multiple objectives:

• Access session IDs, passwords, and cookies of the affected user.
• Access the information that is getting displayed.
• Serve alterations in the content being shared with the victim.

While there are multiple ways to mitigate the risk of XSS attack, these are three priorities:

• Content Security Policy: a content security policy is the required first organizational step to take to mitigate this attack.
• Secure Coding Framework: on a code level, a secure coding framework that requires best practices, such as encoding the user input, is a critical step.
• Application Penetration Testing: application testing should be performed continuously in the CI/CD pipeline to manage the risk of XSS vulnerabilities.

Application Testing with the OWASP Top 10

If your organization is handling sensitive information, application testing with the OWASP Top 10 is a solid investment to manage the most common web application risks. Because the list is based on data collected from the OWASP community, trained penetration testers can use it as a security framework to focus on the most highly potent cybersecurity risks to remediate and minimize potential impacts. Moreover, the OWASP Top 10 can help organizations comply with key compliance mandates and combat growing cyber security attacks.

Application testing for security and compliance is easy with BreachLock. From mobile apps, web apps, internal apps, and APIs, our certified penetration testers are ready to conduct full stack application testing for your organization in half the time at half the cost of traditional providers.

Secure Your Applications with Penetration Testing as a Service

A secure ecosystem enhances brand reputation and offers solutions to your customers in a secure, well-packaged form. Using the OWASP Top 10 List, you can establish a starting point for penetration testing. It can be used for strategizing a cyber security plan for your business and reporting the findings of penetration testing in a structured, concise, and professional manner – empowering organizations for risk identification and further mitigation.

When proactively conducting security testing, BreachLock’s Pen Testing as a Service offers a secure ecosystem to conduct your end-to-end requirements in a flexible, scalable, agile cloud platform. Our in-house, certified ethical hackers use industry standards, including the OWASP Top 10, to test your applications thoroughly to meet your security and compliance goals. Schedule a discovery call today with one of our application security experts and see how PTaaS can work to improve the security of your web applications and overall business.