Published by the Open Web Application Security Project (OWASP), this list updates periodically to reflect the evolving threat landscape. It helps organizations prioritize their defensive measures.
As a guideline and reference point, the OWASP Top 10 offers a starting place for ensuring web application security. It provides a technical manual and is useful for raising awareness. By identifying and explaining the most prevalent vulnerabilities, it assists developers, security professionals, and organizations in recognizing and mitigating potential threats.
The latest version of the OWASP application security top 10 was published in 2021. You can see the official 2021 OWASP top 10 list here.
This is part of a series of articles about OWASP Top 10
The Complete OWASP Top 10 Cheat Sheet
Broken Access Control (BAC)
Broken Access Control (BAC) occurs when a web application does not properly enforce restrictions on what authenticated users are allowed to do. This can lead to unauthorized access to sensitive data or functionalities, allowing attackers to perform actions like viewing others' data, modifying or deleting data, and gaining unauthorized access to functionalities.
Mitigation measures:
- Implement role-based access control (RBAC) and ensure that permissions are strictly enforced on the server side.
- Use a deny-by-default approach to limit access only to resources and functionalities that the user is explicitly allowed to access.
- Regularly review and update access control policies to reflect changes in the application and its use cases.
- Employ access control checks at every point of interaction within the application to prevent elevation of privilege.
Cryptographic Failure
Cryptographic failure, previously known in OWASP as "Sensitive Data Exposure," involves the inadequate protection of sensitive data, such as passwords, credit card numbers, or personal information. This can happen due to weak algorithms, poor key management, or improper implementation, leading to data breaches.
Mitigation measures:
- Use strong, up-to-date encryption algorithms and protocols (such as AES for data encryption and TLS for data in transit).
- Securely manage keys and secrets using a secure vault and regular rotation practices.
- Encrypt all sensitive data at rest and in transit, and ensure that only authorized users have access to the decryption keys.
- Apply proper data anonymization and deletion practices to ensure that sensitive data is not unnecessarily exposed.
Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. Attackers can exploit these flaws to access or modify data, execute unintended commands, or access unauthorized systems.
Mitigation measures:
- Use prepared statements and parameterized queries to handle data inputs in SQL and NoSQL databases.
- Employ proper input validation and sanitization to ensure that only properly formatted data is processed.
- Implement least privilege access controls in the database to minimize potential damage from an injection attack.
- Regularly scan and test for injection vulnerabilities using automated tools and manual code review.
Insecure Design
Insecure design refers to a lack of security controls or considerations during the design phase of application development. This can lead to vulnerabilities that are difficult to patch without significant changes to the application architecture.
Mitigation measures:
- Adopt a secure by design philosophy, incorporating security considerations from the earliest stages of development.
- Use threat modeling to identify potential security issues and design the application to mitigate these risks.
- Implement security controls and frameworks that promote secure coding practices and protect against common vulnerabilities.
- Regularly review and update the application design in response to emerging threats and vulnerabilities.
Security Misconfigurations
Security misconfigurations occur when security settings are defined, implemented, and maintained improperly. This can lead to vulnerabilities such as unprotected files and directories, default accounts with unchanged passwords, and unnecessary services running.
Mitigation measures:
- Conduct regular audits of application and server configurations to ensure they align with secure baseline configurations.
- Automate the process of deploying configurations to reduce the risk of human error.
- Disable unnecessary features, services, and accounts, and change default passwords and settings.
- Keep software up to date and apply security patches promptly to mitigate known vulnerabilities.
Learn more in our detailed guide to security misconfiguration
Vulnerable and Outdated Components
Using components with known vulnerabilities, including libraries, frameworks, and other software modules, can expose web applications to various attacks. Outdated components may lack patches for known vulnerabilities, leaving applications defenseless.
Mitigation measures:
- Regularly inventory and monitor third-party components for vulnerabilities using tools like dependency checkers.
- Update components to the latest secure versions promptly and test functionality to ensure compatibility.
- Consider using software composition analysis (SCA) tools to automate the detection of vulnerable components.
- Remove unused dependencies and components to minimize the attack surface.
Identification and Authentication Failures
Identification and Authentication Failures involve weaknesses in user authentication mechanisms that allow attackers to compromise passwords, tokens, or keys, leading to identity theft and unauthorized access.
Mitigation measures:
- Implement multi-factor authentication (MFA) to add an additional layer of security beyond just passwords.
- Store passwords securely using strong, salted hashing algorithms like bcrypt.
- Use account lockout mechanisms after a set number of failed login attempts to prevent brute force attacks.
- Regularly audit and test authentication mechanisms for vulnerabilities such as weak password recovery processes.
Learn more in our detailed guide to broken authentication
Software and Data Integrity Failures
Software and Data Integrity Failures refer to the improper validation and integrity checking of software and data, leading to unauthorized software modifications, malicious code execution, or data tampering.
Mitigation measures:
- Implement digital signatures or checksums to verify the integrity of software and data.
- Use secure, tamper-evident technologies to detect unauthorized modifications.
- Employ a secure software development life cycle (SDLC) with integrity checks at each stage.
- Regularly audit and review code and third-party components to ensure they have not been tampered with.
Security Logging and Monitoring Failures
Security logging and monitoring failures occur when insufficient logging of security events and inadequate monitoring leave organizations unaware of suspicious activities, hindering timely incident response and analysis.
Mitigation measures:
- Implement comprehensive logging of security-relevant events, including successful and failed authentication attempts, access control failures, and system errors.
- Use centralized log management solutions to aggregate and monitor logs in real time.
- Define and regularly update incident response plans to ensure prompt action on detected security events.
- Regularly review and audit logs for suspicious activities and conduct periodic security assessments.
Server-Side Request Forgery
Server-Side Request Forgery (SSRF) occurs when an attacker can induce the server to make requests to internal resources or external third parties, bypassing security controls and potentially accessing sensitive data or services.
Mitigation measures:
- Validate and sanitize user inputs to ensure that they do not contain malicious URLs or schemes.
- Implement network segmentation and firewall rules to limit the URLs and resources that the server can request or access.
- Employ the principle of least privilege for the server's access to internal networks and systems.
- Regularly test for SSRF vulnerabilities using automated scanning tools and manual penetration testing.