OWASP TOP 10 2021
- Posted by Security Expert at Unical Systems
- Categories Blog, Cyber Security
- Date December 15, 2023
Introduction
The OWASP Top 10 is a foundational reference in web application security: a curated list of the most critical risks facing developers and security practitioners, distilled from the collective experience of the security community. It gives teams a shared vocabulary for the vulnerability classes that pose the greatest risk to interconnected systems.
Its role is that of a strategic guide. It states concrete controls that, applied consistently, harden web applications against the exploitation techniques attackers use most.
Adopting the OWASP Top 10 requires a shift in how software is built. Coding practices have to be refined beyond meeting functional requirements so that the application withstands the varied tactics of adversaries.
Organizations that follow its guidance get a clear map of which weaknesses to mitigate and a standard to hold their code to, one that treats security as a requirement rather than an afterthought.
Used throughout development, the Top 10 drives both technical and cultural change: it builds security awareness into the engineering organization, moving beyond a checklist mentality to become part of the development ethos, while remaining a practical, technical guide against sophisticated threats.
There are three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021.
Top 10 Web Application Security Risks
A01:2021 – Broken Access Control
Overview:
In the 2021 OWASP Top 10, A01:2021, Broken Access Control, moves up from the fifth position. 94% of applications were tested for some form of this weakness, and its 34 mapped Common Weakness Enumerations (CWEs) occurred in applications more often than those of any other category. That prevalence makes Broken Access Control the category most directly concerned with keeping unauthorized users away from data and functions they should not reach.
Description:
Broken access control is a security vulnerability in which a system fails to properly enforce restrictions on what users may do, allowing unauthorized access to data or functionality. It can result from inadequate session management, missing access controls, overly permissive permissions, or insecure direct object references. Mitigation involves implementing strong access controls, enforcing the principle of least privilege, and conducting regular security audits.
How to prevent
- Continuously inspect and test access controls.
- Deny access by default.
- Limit Cross-Origin Resource Sharing (CORS) usage.
- Enable role-based access control.
- Enable permission-based access control.
- Enable mandatory access control.
List of Mapped CWEs
- CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
- CWE-23 Relative Path Traversal
- CWE-35 Path Traversal: ‘.../...//’
- CWE-59 Improper Link Resolution Before File Access (‘Link Following’)
- CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
- CWE-201 Exposure of Sensitive Information Through Sent Data
- CWE-219 Storage of File with Sensitive Data Under Web Root
- CWE-264 Permissions, Privileges, and Access Controls (should no longer be used)
- CWE-275 Permission Issues
- CWE-276 Incorrect Default Permissions
- CWE-284 Improper Access Control
- CWE-285 Improper Authorization
- CWE-352 Cross-Site Request Forgery (CSRF)
- CWE-359 Exposure of Private Personal Information to an Unauthorized Actor
- CWE-377 Insecure Temporary File
- CWE-402 Transmission of Private Resources into a New Sphere (‘Resource Leak’)
- CWE-425 Direct Request (‘Forced Browsing’)
- CWE-441 Unintended Proxy or Intermediary (‘Confused Deputy’)
- CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
- CWE-538 Insertion of Sensitive Information into Externally Accessible File or Directory
- CWE-540 Inclusion of Sensitive Information in Source Code
- CWE-548 Exposure of Information Through Directory Listing
- CWE-552 Files or Directories Accessible to External Parties
- CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key
- CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)
- CWE-639 Authorization Bypass Through User-Controlled Key
- CWE-651 Exposure of WSDL File Containing Sensitive Information
- CWE-668 Exposure of Resource to Wrong Sphere
- CWE-706 Use of Incorrectly Resolved Name or Reference
- CWE-862 Missing Authorization
- CWE-863 Incorrect Authorization
- CWE-913 Improper Control of Dynamically Managed Code Resources
- CWE-922 Insecure Storage of Sensitive Information
- CWE-1275 Sensitive Cookie with Improper SameSite Attribute
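As an added example (not code from the original post), the following Python module implements the deny-by-default, ownership and role checks listed above for a small document API. The users, documents and grant table are constructed for the demonstration, and the owner of an object is always taken from the server-side record, never from the request.

```python
"""Deny-by-default access control for a small document API (constructed demo)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Document:
    doc_id: int
    owner_id: str
    body: str


# Constructed records standing in for a database table.
DOCUMENTS = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's notes"),
}

# Explicit grant table for documents the caller does NOT own.
# Any action absent from this table is denied (deny by default).
ROLE_GRANTS = {
    "read": frozenset({"admin", "auditor"}),
    "update": frozenset({"admin"}),
    "delete": frozenset({"admin"}),
}

DENIED_LOG = []  # stands in for the security event log fed to monitoring


class AccessDenied(Exception):
    pass


def is_allowed(user, action, doc):
    """True only when an explicit rule grants `action` on `doc`.

    Ownership is taken from the record fetched server-side, never from an
    owner id the client sends (the CWE-639 / IDOR pattern).
    """
    if doc.owner_id == user.user_id and action in ROLE_GRANTS:
        return True
    return bool(user.roles & ROLE_GRANTS.get(action, frozenset()))


def authorize(user, action, doc_id):
    """Fetch the object, enforce the rule, and log + raise on denial.

    Missing and forbidden objects produce the same outcome so document ids
    cannot be enumerated through differing error responses.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None or not is_allowed(user, action, doc):
        DENIED_LOG.append({"user": user.user_id, "action": action, "doc_id": doc_id})
        raise AccessDenied("%s on document %s" % (action, doc_id))
    return doc


def can(user, action, doc_id):
    """Boolean form of authorize(), handy for UI decisions and tests."""
    try:
        authorize(user, action, doc_id)
        return True
    except AccessDenied:
        return False


def read_document(user, doc_id):
    return authorize(user, "read", doc_id).body


def delete_document(user, doc_id):
    authorize(user, "delete", doc_id)
    del DOCUMENTS[doc_id]
    return True
```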
A02:2021 – Cryptographic Failures
Overview:
A02:2021, now Cryptographic Failures, moves up to the second spot in the OWASP Top 10. Formerly called Sensitive Data Exposure, it now focuses on failures in cryptography itself that lead to exposure of sensitive data or compromise of systems. The renaming reflects a practical aim: pinpoint weaknesses in how encryption is chosen, configured and keyed so that sensitive data stays protected and systems remain secure.
Description:
Cryptographic failures occur when the mechanisms that keep data confidential, the encryption algorithms and the keys they depend on, are chosen or used badly: weak or deprecated algorithms, keys that are not kept secret, or mistakes in how secure connections are set up. The remedy is to use strong, standard algorithms, protect keys properly, and take care in configuring secure connections.
How to prevent
- Encrypt all sensitive data at rest.
- Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
- Disable caching for responses that contain sensitive data.
- Apply required security controls as per the data classification.
- Avoid deprecated cryptographic functions and padding schemes, such as MD5, SHA1, and PKCS #1 v1.5.
- Verify independently the effectiveness of configuration and settings.
List of Mapped CWEs
- CWE-261 Weak Encoding for Password
- CWE-296 Improper Following of a Certificate’s Chain of Trust
- CWE-310 Cryptographic Issues
- CWE-319 Cleartext Transmission of Sensitive Information
- CWE-321 Use of Hard-coded Cryptographic Key
- CWE-322 Key Exchange without Entity Authentication
- CWE-323 Reusing a Nonce, Key Pair in Encryption
- CWE-324 Use of a Key Past its Expiration Date
- CWE-325 Missing Required Cryptographic Step
- CWE-326 Inadequate Encryption Strength
- CWE-327 Use of a Broken or Risky Cryptographic Algorithm
- CWE-328 Reversible One-Way Hash
- CWE-329 Not Using a Random IV with CBC Mode
- CWE-330 Use of Insufficiently Random Values
- CWE-331 Insufficient Entropy
- CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
- CWE-336 Same Seed in Pseudo-Random Number Generator (PRNG)
- CWE-337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
- CWE-340 Generation of Predictable Numbers or Identifiers
- CWE-347 Improper Verification of Cryptographic Signature
- CWE-523 Unprotected Transport of Credentials
- CWE-720 OWASP Top Ten 2007 Category A9 – Insecure Communications
- CWE-757 Selection of Less-Secure Algorithm During Negotiation (‘Algorithm Downgrade’)
- CWE-759 Use of a One-Way Hash without a Salt
- CWE-760 Use of a One-Way Hash with a Predictable Salt
- CWE-780 Use of RSA Algorithm without OAEP
- CWE-818 Insufficient Transport Layer Protection
- CWE-916 Use of Password Hash with Insufficient Computational Effort
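An added example, not from the original post, that contrasts the deprecated unsalted single-round hash with a salted, iterated PBKDF2-HMAC-SHA256 record built from Python's standard library. The record format and the `needs_rehash` policy hook are this example's own conventions; the iteration count follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.

```python
"""Password storage: the deprecated pattern beside a hardened one (constructed demo)."""
import hashlib
import hmac
import secrets

# OWASP Password Storage Cheat Sheet floor for PBKDF2-HMAC-SHA256 (2023).
# Prefer Argon2id or scrypt when a vetted library is available.
ITERATIONS = 600_000


def weak_hash(password):
    """CWE-328/CWE-759/CWE-916: unsalted, single-round SHA-1.

    Equal passwords produce equal hashes and each guess costs one hash
    operation. Kept here only to contrast with hash_password().
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>.

    Carrying the parameters in the record lets the work factor be raised
    later without breaking verification of existing records.
    """
    salt = secrets.token_bytes(16)  # per-user random salt, never reused
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, record):
    """Recompute and compare in constant time; malformed records fail closed."""
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        if iterations <= 0:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return hmac.compare_digest(dk, expected)  # no early exit on mismatch


def needs_rehash(record, minimum=ITERATIONS):
    """True when a stored record is weaker than current policy; callers
    upgrade it transparently after the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < minimum
```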
A03:2021 – Injection
Overview:
A03:2021, Injection, now ranks third in the OWASP Top 10. 94% of applications were tested for some form of injection, and its 33 mapped CWEs have the second-highest occurrence count in applications. This edition folds Cross-site Scripting (XSS) into the Injection category, underscoring the continuing importance of defending against code injection.
Description:
Injection vulnerabilities occur when an application passes untrusted data into a command or query without separating it from the code. Attackers can “inject” malicious content, often in the form of SQL, NoSQL, or shell commands, which can lead to unauthorized access, data manipulation, or system compromise. Prevention relies on input validation and, above all, parameterized queries, so that user input is treated as data and never executed as code.
How to prevent
- The preferred option is to use a safe API, which avoids using the interpreter entirely, provides a parameterized interface, or migrates to Object Relational Mapping Tools (ORMs).
- Use positive server-side input validation. This is not a complete defense as many applications require special characters, such as text areas or APIs for mobile applications.
- For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter.
- Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
List of Mapped CWEs
- CWE-20 Improper Input Validation
- CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
- CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
- CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
- CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
- CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
- CWE-83 Improper Neutralization of Script in Attributes in a Web Page
- CWE-87 Improper Neutralization of Alternate XSS Syntax
- CWE-88 Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’)
- CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
- CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
- CWE-91 XML Injection (aka Blind XPath Injection)
- CWE-93 Improper Neutralization of CRLF Sequences (‘CRLF Injection’)
- CWE-94 Improper Control of Generation of Code (‘Code Injection’)
- CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’)
- CWE-96 Improper Neutralization of Directives in Statically Saved Code (‘Static Code Injection’)
- CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
- CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
- CWE-99 Improper Control of Resource Identifiers (‘Resource Injection’)
- CWE-100 Deprecated: Was catch-all for input validation issues
- CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)
- CWE-116 Improper Encoding or Escaping of Output
- CWE-138 Improper Neutralization of Special Elements
- CWE-184 Incomplete List of Disallowed Inputs
- CWE-470 Use of Externally Controlled Input to Select Classes or Code (‘Unsafe Reflection’)
- CWE-471 Modification of Assumed-Immutable Data (MAID)
- CWE-564 SQL Injection: Hibernate
- CWE-610 Externally Controlled Reference to a Resource in Another Sphere
- CWE-643 Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)
- CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax
- CWE-652 Improper Neutralization of Data within XQuery Expressions (‘XQuery Injection’)
- CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’)
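An added example (not from the original post) showing the concatenated query beside its parameterized form, plus the allow-list pattern for the one residual dynamic part, a sort column, that cannot be bound as a parameter. The in-memory SQLite table and its rows are constructed for the demonstration.

```python
"""SQL injection: concatenated query beside its parameterized form (constructed demo)."""
import sqlite3


def make_db():
    """In-memory SQLite database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """CWE-89: the value is spliced into the SQL text, so a quote in the
    input changes the query's structure. Shown only for contrast."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterized: the driver binds the value separately from the SQL text,
    so it can only ever be compared as data. LIMIT 1 bounds disclosure even
    if a later change reintroduces a bug."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ? LIMIT 1", (username,)
    ).fetchall()


ALLOWED_SORT_COLUMNS = frozenset({"username", "email"})


def list_users_safe(conn, sort_by="username", limit=50):
    """Identifiers cannot be bound as parameters, so the residual dynamic
    part is validated against a positive allow list before interpolation;
    the limit is still bound as a parameter."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(
        "SELECT username, email FROM users ORDER BY %s LIMIT ?" % sort_by, (limit,)
    ).fetchall()
```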
A04:2021 – Insecure Design
Overview:
A04:2021, Insecure Design, is a new category in the 2021 OWASP Top 10, covering risks that stem from design and architectural flaws rather than implementation bugs. To build a proactive security posture, practitioners are urged to “move left” in the development lifecycle: adopt threat modeling, secure design patterns and principles, and reference architectures. In short, Insecure Design calls for a preemptive, design-centric approach to reducing security risk in software.
Description:
Insecure design refers to security vulnerabilities stemming from flaws in the overall structure or architecture of a system or application. When software is poorly designed, it can lead to weaknesses that attackers exploit, compromising data integrity, confidentiality, or system functionality. Mitigation involves creating robust and secure designs, considering security from the outset, and adhering to best practices in software architecture.
How to prevent
- Establish and use a secure development lifecycle with AppSec professionals to help evaluate and design security and privacy-related controls
- Limit resource consumption by user or service
- Segregate tenants robustly by design throughout all tiers.
- Use threat modeling for critical authentication, access control, business logic, and key flows.
- Integrate security language and controls into user stories
- Integrate plausibility checks at each tier of your application (from frontend to backend)
List of Mapped CWEs
- CWE-73 External Control of File Name or Path
- CWE-183 Permissive List of Allowed Inputs
- CWE-209 Generation of Error Message Containing Sensitive Information
- CWE-213 Exposure of Sensitive Information Due to Incompatible Policies
- CWE-235 Improper Handling of Extra Parameters
- CWE-256 Unprotected Storage of Credentials
- CWE-257 Storing Passwords in a Recoverable Format
- CWE-266 Incorrect Privilege Assignment
- CWE-269 Improper Privilege Management
- CWE-280 Improper Handling of Insufficient Permissions or Privileges
- CWE-311 Missing Encryption of Sensitive Data
- CWE-312 Cleartext Storage of Sensitive Information
- CWE-313 Cleartext Storage in a File or on Disk
- CWE-316 Cleartext Storage of Sensitive Information in Memory
- CWE-419 Unprotected Primary Channel
- CWE-430 Deployment of Wrong Handler
- CWE-434 Unrestricted Upload of File with Dangerous Type
- CWE-444 Inconsistent Interpretation of HTTP Requests (‘HTTP Request Smuggling’)
- CWE-451 User Interface (UI) Misrepresentation of Critical Information
- CWE-472 External Control of Assumed-Immutable Web Parameter
- CWE-501 Trust Boundary Violation
- CWE-522 Insufficiently Protected Credentials
- CWE-525 Use of Web Browser Cache Containing Sensitive Information
- CWE-539 Use of Persistent Cookies Containing Sensitive Information
- CWE-579 J2EE Bad Practices: Non-serializable Object Stored in Session
- CWE-598 Use of GET Request Method With Sensitive Query Strings
- CWE-602 Client-Side Enforcement of Server-Side Security
- CWE-642 External Control of Critical State Data
- CWE-646 Reliance on File Name or Extension of Externally-Supplied File
- CWE-650 Trusting HTTP Permission Methods on the Server Side
- CWE-653 Insufficient Compartmentalization
- CWE-656 Reliance on Security Through Obscurity
- CWE-657 Violation of Secure Design Principles
- CWE-799 Improper Control of Interaction Frequency
- CWE-807 Reliance on Untrusted Inputs in a Security Decision
- CWE-840 Business Logic Errors
- CWE-841 Improper Enforcement of Behavioral Workflow
- CWE-927 Use of Implicit Intent for Sensitive Communication
- CWE-1021 Improper Restriction of Rendered UI Layers or Frames
- CWE-1173 Improper Use of Validation Framework
A05:2021 – Security Misconfiguration
Overview:
A05:2021, Security Misconfiguration, climbs from sixth place, with 90% of applications tested for some form of misconfiguration. The rise follows the spread of highly configurable software. The former XML External Entities (XXE) category is now part of Security Misconfiguration, concentrating attention on this aspect of securing contemporary software.
Description:
Security misconfiguration occurs when a system, application, or network is not set up securely: default settings, unnecessary features, or weak access controls are left in place, giving attackers an opening. Careful configuration, regular security audits, and adherence to hardening best practices are essential to prevent misconfigurations and strengthen overall system security.
How to prevent
- An automated process to verify the effectiveness of the configurations and settings in all environments.
- Sending security directives to clients, e.g., Security Headers.
- A segmented application architecture provides effective and secure separation between components or tenants, with segmentation, containerization, or cloud security groups (ACLs).
- A repeatable hardening process makes it fast and easy to deploy another environment that is appropriately locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment. This process should be automated to minimize the effort required to set up a new secure environment.
List of Mapped CWEs
- CWE-2 7PK – Environment
- CWE-11 ASP.NET Misconfiguration: Creating Debug Binary
- CWE-13 ASP.NET Misconfiguration: Password in Configuration File
- CWE-15 External Control of System or Configuration Setting
- CWE-16 Configuration
- CWE-260 Password in Configuration File
- CWE-315 Cleartext Storage of Sensitive Information in a Cookie
- CWE-520 .NET Misconfiguration: Use of Impersonation
- CWE-526 Exposure of Sensitive Information Through Environmental Variables
- CWE-537 Java Runtime Error Message Containing Sensitive Information
- CWE-541 Inclusion of Sensitive Information in an Include File
- CWE-547 Use of Hard-coded, Security-relevant Constants
- CWE-611 Improper Restriction of XML External Entity Reference
- CWE-614 Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
- CWE-756 Missing Custom Error Page
- CWE-776 Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’)
- CWE-942 Permissive Cross-domain Policy with Untrusted Domains
- CWE-1004 Sensitive Cookie Without ‘HttpOnly’ Flag
- CWE-1032 OWASP Top Ten 2017 Category A6 – Security Misconfiguration
- CWE-1174 ASP.NET Misconfiguration: Improper Model Validation
A06:2021 – Vulnerable and Outdated Components
Overview:
A06:2021, formerly “Using Components with Known Vulnerabilities,” now ranks second in the OWASP Top 10. Its rise reflects the persistent difficulty of testing for, and assessing the risk of, outdated software components. Notably, it has no CVEs mapped to its included CWEs, so default exploit and impact weights of 5.0 are factored into its score.
Description:
Vulnerable and outdated components are security weaknesses that arise from using outdated or insecure software or third-party libraries. When an application relies on components with known vulnerabilities, attackers can exploit those weaknesses to compromise the whole system. Regularly updating and patching software, monitoring security advisories, and maintaining an inventory of components are crucial to minimizing this risk.
How to prevent
- Remove unused dependencies, unnecessary features, components, files, and documentation.
- Monitor for libraries and components that are unmaintained or do not create security patches for older versions. If patching is not possible, consider deploying a virtual patch to monitor, detect, or protect against the discovered issue.
List of Mapped CWEs
- CWE-937 OWASP Top 10 2013: Using Components with Known Vulnerabilities
- CWE-1035 2017 Top 10 A9: Using Components with Known Vulnerabilities
- CWE-1104 Use of Unmaintained Third Party Components
A07:2021 – Identification and Authentication Failures
Overview:
A07:2021, formerly Broken Authentication, has descended to the second position in the OWASP Top 10 and now covers more CWEs related to identification failures. Despite the lower ranking it remains important; the growing use of standardized frameworks appears to be helping reduce problems in this category.
Description:
Identification and authentication failures occur when a system does not properly verify who is trying to access it, for example because of weak passwords or ineffective methods of confirming identity. Attackers exploit these gaps to enter the system without permission. The fix is to require strong passwords, add extra verification steps, and regularly review how the system verifies identity.
How to prevent
- Where possible, implement multi-factor authentication to prevent automated credential stuffing, brute force, and stolen credential reuse attacks.
- Do not ship or deploy with any default credentials, particularly for admin users.
- Implement weak password checks, such as testing new or changed passwords against the top 10,000 worst passwords list.
- Ensure registration, credential recovery, and API pathways are hardened against account enumeration attacks by using the same messages for all outcomes.
- Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session identifiers should not be in the URL, should be securely stored, and should be invalidated after logout, idle, and absolute timeouts.
- Limit or increasingly delay failed login attempts but be careful not to create a denial-of-service scenario. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected.
List of Mapped CWEs
- CWE-255 Credentials Management Errors
- CWE-259 Use of Hard-coded Password
- CWE-287 Improper Authentication
- CWE-288 Authentication Bypass Using an Alternate Path or Channel
- CWE-290 Authentication Bypass by Spoofing
- CWE-294 Authentication Bypass by Capture-replay
- CWE-295 Improper Certificate Validation
- CWE-297 Improper Validation of Certificate with Host Mismatch
- CWE-300 Channel Accessible by Non-Endpoint
- CWE-302 Authentication Bypass by Assumed-Immutable Data
- CWE-304 Missing Critical Step in Authentication
- CWE-306 Missing Authentication for Critical Function
- CWE-307 Improper Restriction of Excessive Authentication Attempts
- CWE-346 Origin Validation Error
- CWE-384 Session Fixation
- CWE-521 Weak Password Requirements
- CWE-613 Insufficient Session Expiration
- CWE-620 Unverified Password Change
- CWE-640 Weak Password Recovery Mechanism for Forgotten Password
- CWE-798 Use of Hard-coded Credentials
- CWE-940 Improper Verification of Source of a Communication Channel
- CWE-1216 Lockout Mechanism Errors
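As an added example, not part of the original post, a Python login guard that returns one generic failure message for every outcome, applies capped exponential backoff per account, and raises an alert when a single source address accumulates failures across accounts. `check_credential`, the clock and the thresholds are injected so the behaviour can be exercised without a real user store.

```python
"""Login guard: uniform failure messages, per-account backoff, per-source alerting."""
import time
from collections import defaultdict

# One message for unknown user and wrong password alike, so responses do not
# reveal which accounts exist (account enumeration).
GENERIC_FAILURE = "Invalid username or password."


class LoginGuard:
    """Wraps a credential check with throttling and security logging.

    check_credential(username, password) -> bool is supplied by the caller
    (backed by salted password hashes in a real system). `clock` is
    injectable so the behaviour can be tested without sleeping. A real
    deployment also evicts stale entries from the per-account tables so
    guesses against non-existent usernames cannot grow them without bound.
    """

    def __init__(self, check_credential, clock=time.monotonic,
                 base_delay=1.0, max_delay=300.0, ip_threshold=20, ip_window=600.0):
        self.check_credential = check_credential
        self.clock = clock
        self.base_delay, self.max_delay = base_delay, max_delay
        self.ip_threshold, self.ip_window = ip_threshold, ip_window
        self.account_failures = defaultdict(int)      # consecutive failures per account
        self.account_not_before = defaultdict(float)  # earliest next attempt per account
        self.ip_failures = defaultdict(list)          # source ip -> failure timestamps
        self.events = []                              # security log, alerts included

    def _delay_for(self, failures):
        """1, 2, 4, 8 ... seconds, capped: someone hammering a victim's
        username must not be able to lock the real user out indefinitely."""
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def login(self, username, password, source_ip):
        now = self.clock()
        if now < self.account_not_before[username]:
            self.events.append({"event": "login_throttled", "user": username,
                                "ip": source_ip, "t": now})
            return False, GENERIC_FAILURE
        if self.check_credential(username, password):
            self.account_failures[username] = 0
            self.events.append({"event": "login_success", "user": username,
                                "ip": source_ip, "t": now})
            return True, "ok"
        self.account_failures[username] += 1
        self.account_not_before[username] = now + self._delay_for(self.account_failures[username])
        recent = [t for t in self.ip_failures[source_ip] if now - t < self.ip_window] + [now]
        self.ip_failures[source_ip] = recent
        self.events.append({"event": "login_failure", "user": username,
                            "ip": source_ip, "t": now})
        if len(recent) >= self.ip_threshold:
            # Many failures from one source across accounts: alert, not just log.
            self.events.append({"event": "alert_credential_stuffing", "ip": source_ip,
                                "attempts": len(recent), "t": now})
        return False, GENERIC_FAILURE

    def alerts(self):
        return [e for e in self.events if e["event"].startswith("alert_")]
```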
A08:2021 – Software and Data Integrity Failures
Overview:
A08:2021, Software and Data Integrity Failures, is a new category in the 2021 OWASP Top 10. It covers assumptions made without verification about software updates, critical data, and CI/CD pipelines, that is, lapses in integrity. It absorbs Insecure Deserialization, a standalone category since 2017. The category carries high impact, as shown by the strong mapping of CVE/CVSS data to its ten CWEs, and it highlights the need to verify the integrity of software and data in order to limit vulnerabilities and their consequences.
Description:
Software and data integrity failures are vulnerabilities in which the accuracy, consistency, or authenticity of software or stored data is compromised, whether through software bugs, malicious tampering, or data corruption. Once integrity is lost, applications may behave incorrectly or act on manipulated data, undermining the reliability and trustworthiness of the system.
How to prevent
- Use digital signatures or similar mechanisms to verify the software or data is from the expected source and has not been altered.
- Ensure libraries and dependencies, such as npm or Maven, are consuming trusted repositories. If you have a higher risk profile, consider hosting an internal known-good repository that’s vetted.
- Ensure that your CI/CD pipeline has proper segregation, configuration, and access control to ensure the integrity of the code flowing through the build and deploy processes.
- Ensure that unsigned or unencrypted serialized data is not sent to untrusted clients without some form of integrity check or digital signature to detect tampering or replay of the serialized data.
List of Mapped CWEs
- CWE-345 Insufficient Verification of Data Authenticity
- CWE-353 Missing Support for Integrity Check
- CWE-426 Untrusted Search Path
- CWE-494 Download of Code Without Integrity Check
- CWE-502 Deserialization of Untrusted Data
- CWE-565 Reliance on Cookies without Validation and Integrity Checking
- CWE-784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
- CWE-829 Inclusion of Functionality from Untrusted Control Sphere
- CWE-830 Inclusion of Web Functionality from an Untrusted Source
- CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
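An added example (not from the original post) in Python: serialized data is sealed with an expiry, a nonce and an HMAC-SHA256 tag, and the consumer verifies the tag before parsing and rejects expired or replayed tokens. The key, token format and helper names are this example's own; HMAC serves as the shared-key stand-in for the digital signature the bullet above describes.

```python
"""Integrity-protected serialized data: seal, then verify before parsing (constructed demo)."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed key. In production it comes from a secrets manager, never source (CWE-321).
KEY = b"constructed-demo-key-do-not-use"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(payload, key=KEY, now=None, ttl=300):
    """Serialize `payload` with an expiry and a nonce, then append an HMAC-SHA256 tag.

    Format: <base64 json>.<base64 tag>. HMAC is a symmetric check, appropriate
    when producer and consumer share a key; use a public-key signature when the
    consumer must not be able to mint its own data.
    """
    now = time.time() if now is None else now
    body = dict(payload, exp=now + ttl, nonce=secrets.token_hex(8))
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return b64url_encode(raw) + "." + b64url_encode(tag)


class Unsealer:
    """Verifies tokens; remembers accepted nonces to reject replay."""

    def __init__(self, key=KEY):
        self.key = key
        self.seen = set()  # bounded in practice by evicting nonces older than ttl

    def unseal(self, token, now=None):
        """Return the payload, or None if the token is malformed, forged,
        expired or replayed. The tag is checked BEFORE any parsing, so
        untrusted bytes never reach the deserializer (CWE-502)."""
        try:
            body_b64, tag_b64 = token.split(".")
            raw, tag = b64url_decode(body_b64), b64url_decode(tag_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        body = json.loads(raw)  # only reached for bytes the key holder produced
        now = time.time() if now is None else now
        if body["exp"] < now or body["nonce"] in self.seen:
            return None
        self.seen.add(body["nonce"])
        return {k: v for k, v in body.items() if k not in ("exp", "nonce")}
```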
A09:2021 – Security Logging and Monitoring Failures
Overview:
A09:2021, Security Logging and Monitoring Failures, formerly Insufficient Logging & Monitoring, has climbed from #10 to #3 based on industry feedback. The category now covers a broader range of failures, is difficult to test for, and is not well represented in CVE/CVSS data. Even so, failures here directly undermine visibility, incident alerting, and forensics.
Description:
Inadequate logging, poor log management, limited monitoring, and ignored alerts all weaken an organization's security posture: incidents are detected late, forensic analysis becomes difficult, and attackers get more time undetected. Mitigate by implementing comprehensive logging, effective log management, real-time monitoring, and a well-tested incident response plan.
How to prevent
- Ensure all login, access control, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts and held for enough time to allow delayed forensic analysis.
- Ensure that logs are generated in a format that log management solutions can easily consume.
- Ensure log data is encoded correctly to prevent injections or attacks on the logging or monitoring systems.
- Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
List of Mapped CWEs
- CWE-117 Improper Output Neutralization for Logs
- CWE-223 Omission of Security-relevant Information
- CWE-532 Insertion of Sensitive Information into Log File
- CWE-778 Insufficient Logging
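An added example (not part of the original post) in Python covering two of the points above: single-line structured records that neutralize user-controlled input and drop credentials, and a hash-chained, HMAC-tagged audit trail whose verifier detects edited, deleted or reordered entries. The key and the events are constructed for the demonstration.

```python
"""Log neutralization and a tamper-evident audit trail (constructed demo)."""
import hashlib
import hmac
import json

# Constructed key; in production it lives in a KMS/HSM, never in source (CWE-321).
AUDIT_KEY = b"constructed-audit-key-do-not-use"


def canon(record):
    """Deterministic one-line JSON: sorted keys, no whitespace, ASCII-escaped."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=True)


def log_line(event, **fields):
    """Structured single-line record. JSON escaping turns CR, LF and other
    control characters into \\n, \\u001b etc., so a user-controlled value
    cannot forge additional lines or terminal escapes (CWE-117)."""
    for key in ("password", "token", "authorization"):
        fields.pop(key, None)  # CWE-532: credentials never reach the log
    record = {"event": event}
    record.update(fields)
    return canon(record)


def unsafe_line(event, user):
    """Plain-text formatting with no neutralization, kept only for contrast."""
    return "event=%s user=%s" % (event, user)


class AuditTrail:
    """Append-only, hash-chained audit log with an HMAC tag per entry.

    Each entry records its sequence number and the hash of the previous
    line, so edits, deletions and reordering break the chain. Truncation
    at the tail is caught by comparing against a head hash stored elsewhere.
    """

    def __init__(self, key=AUDIT_KEY):
        self.key = key
        self.lines = []
        self.head = "0" * 64  # hash of the latest line; persist this separately

    def append(self, event, **fields):
        body = {"seq": len(self.lines), "prev": self.head, "event": event}
        body.update(fields)
        raw = canon(body)
        tag = hmac.new(self.key, raw.encode("utf-8"), hashlib.sha256).hexdigest()
        line = canon({"body": body, "tag": tag})
        self.head = hashlib.sha256(line.encode("utf-8")).hexdigest()
        self.lines.append(line)
        return line


def verify_trail(lines, key=AUDIT_KEY, head=None):
    """Return (ok, n): n is the index of the first bad entry, or len(lines)."""
    prev = "0" * 64
    for i, line in enumerate(lines):
        try:
            rec = json.loads(line)
            body, tag = rec["body"], rec["tag"]
        except (ValueError, KeyError, TypeError):
            return False, i
        if not isinstance(tag, str) or not isinstance(body, dict):
            return False, i
        expected = hmac.new(key, canon(body).encode("utf-8"), hashlib.sha256).hexdigest()
        if (not hmac.compare_digest(tag, expected)
                or body.get("seq") != i or body.get("prev") != prev):
            return False, i
        prev = hashlib.sha256(line.encode("utf-8")).hexdigest()
    if head is not None and prev != head:
        return False, len(lines)  # tail entries missing
    return True, len(lines)
```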
A10:2021 – Server-Side Request Forgery (SSRF)
Overview:
A10:2021, Server-Side Request Forgery (SSRF), was added based on community feedback, having ranked first in the Top 10 community survey. Although its incidence rate is relatively low, it has above-average testing coverage and above-average ratings for both exploit and impact potential. Its inclusion reflects the weight the security community gives to SSRF even though the empirical data do not yet fully reflect its prevalence.
Description:
Server-Side Request Forgery is a vulnerability in which an attacker induces the server to make requests of the attacker's choosing, with the server's own network position and credentials. Through it an attacker may reach internal resources, act against other servers, or disclose sensitive information. SSRF typically arises when a server fetches a resource from a user-supplied URL without validating the destination, so the request can be aimed at internal services or arbitrary external hosts.
How to prevent
From the network layer:
- Segment remote resource access functionality in separate networks to reduce the impact of SSRF
- Enforce “deny by default” firewall policies or network access control rules to block all but essential intranet traffic.
- Establish an ownership and a lifecycle for firewall rules based on applications.
- Log all accepted and blocked network flows on firewalls
From the application layer:
- Disable HTTP redirections
- Do not send raw responses to clients.
- Enforce the URL schema, port, and destination with a positive allow list.
- Be aware of the URL consistency to avoid attacks such as DNS rebinding and “time of check, time of use” (TOCTOU) race conditions.
List of Mapped CWEs
- CWE-918 Server-Side Request Forgery (SSRF)
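An added example (not from the original post) of the application-layer controls listed above, in Python: scheme, port and host are checked against a positive allow list, the host is resolved once, the resolved address must be public, and the caller connects to that address rather than resolving again. The allow list, hosts and `resolver` hook are constructed for the demonstration; disabling redirects is an HTTP-client setting and is not shown.

```python
"""Outbound URL validation against SSRF: allow list, single resolution, public-IP check."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow list: the only destinations this service may fetch from.
ALLOWED_SCHEMES = frozenset({"https"})
ALLOWED_PORTS = frozenset({443})
ALLOWED_HOSTS = frozenset({"api.partner.example", "cdn.example"})


class UnsafeURL(ValueError):
    """Raised for any URL that fails the positive checks below."""


def is_public_ip(ip_text):
    """True only for globally routable unicast addresses. Loopback, RFC 1918,
    link-local (where cloud metadata services live), multicast and reserved
    ranges all return False."""
    addr = ipaddress.ip_address(ip_text)
    return addr.is_global and not addr.is_multicast


def resolve_outbound(url, resolver=socket.gethostbyname):
    """Validate `url` and return (ip, host, port) for the caller to connect to.

    The host is resolved exactly once; the caller must connect to the returned
    ip while presenting `host` for the Host header / SNI. Resolving again at
    connect time would reopen the DNS-rebinding (TOCTOU) window. `resolver`
    is injectable so the logic can be tested without network access.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL("scheme not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL")  # user@host confusion
    try:
        port = parts.port if parts.port is not None else 443
    except ValueError:
        raise UnsafeURL("invalid port")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL("host not in allow list")
    if port not in ALLOWED_PORTS:
        raise UnsafeURL("port not allowed")
    ip = resolver(host)
    if not is_public_ip(ip):
        raise UnsafeURL("host resolves to a non-public address")
    return ip, host, port


def is_safe_url(url, resolver=socket.gethostbyname):
    """Boolean convenience wrapper around resolve_outbound()."""
    try:
        resolve_outbound(url, resolver)
        return True
    except UnsafeURL:
        return False
```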
Conclusion:
The OWASP Top 10 is a crucial reference in web application security, distilling the security community's collective knowledge into a codified list of critical vulnerability classes. It serves as a strategic guide for hardening applications against exploitation and prompts a necessary shift in software development practice: coding standards must rise beyond functionality to provide a robust defense against cyber threats.
It gives organizations clear direction on vulnerability mitigation and urges them to build security into code beyond what operation alone requires. Applying the OWASP Top 10 drives both technical and cultural change, embedding security awareness in the organization. It is more than a checklist; it becomes part of the development ethos and a practical guide in the face of sophisticated threats.