What is OWASP?
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of software. OWASP regularly updates its list, roughly every 4 to 5 years. The OWASP Top 10 lists the 10 most common web application vulnerabilities. It was first updated in 2013, then in 2017, and the latest release is the 2021 edition, which is the one we are using now.
The OWASP Foundation is the source for developers and technologists to secure the web. OWASP
1. Broken Access Control
Broken access control is a flaw in a web application that occurs due to poor implementation of access control mechanisms, which can then be easily exploited. This flaw allows attackers or unauthorised users to access content they are not allowed to view, perform unauthorised functions, and even delete content or take over site administration.
- Implement access control properly for users.
- Delete any
- Shut down unnecessary
- Multi-factor authentication at all access points.
- Disable web server directory listing.
2. Cryptographic Failures
This flaw was previously known as Sensitive Data Exposure. It arises when web applications send data in plain text, use insecure cryptographic algorithms, or use weak cryptographic keys. This security threat occurs when web applications do not adequately protect sensitive information such as credit card numbers, social security numbers, or any similar crucial data whose leak can be critical for the user. This flaw can cause financial loss, access to the victim's accounts, and blackmail, and ultimately reduces trust in brands.
- Encrypt data while it is in transit and at rest.
- Use the most up-to-date encryption techniques.
- Turn off autocomplete on forms.
- Reduce/minimize the data surface area.
- Use strong, adaptive, salted hashing functions when saving passwords.
3. Injection
An injection attack occurs when untrusted data sent to an application forces it to execute unintended commands. Such data or malicious code is inserted by an attacker and can compromise data or the whole application. The most common injection attacks are cross-site scripting (XSS), CCS injection, etc.
- Separate commands from data.
- Data supplied by users must be validated, filtered, or sanitized.
- Use a safe API that avoids the use of the interpreter altogether or uses parameterized queries.
4. Insecure Design
This category of vulnerabilities focuses on the risks associated with flaws in design and architecture.
- Development lifecycle with
- Limit user and service resource consumption.
- Threat modelling for crucial secure design patterns and key flows.
5. Security Misconfiguration
Security misconfiguration is a flaw in web applications that generally arises due to incorrect HTTP headers, etc.
- Improve the security level of potentially flawed applications.
- Default accounts/passwords should be disabled or changed.
- Error messages shown to users should not contain
- The latest security features should be enabled.
- databases, security settings must be set to
- Remove unnecessary features, such as privileges that are allowed or installed.
6. Vulnerable and Outdated Components
This category was previously known as Using Components with Known Vulnerabilities. Component vulnerabilities can arise when software is out of date, or when dependencies are not upgraded when patches come out.
- Be aware of the versions of server-side components used.
- Vulnerability assessments to reduce attacks.
- framework, and other
7. Identification and Authentication Failures
This vulnerability exists when the web application does not function properly in relation to identification and authentication, such as password recovery, and other
Because of this, attackers are able to compromise passwords, security keys, or session tokens, or assume the identities and permissions of other users.
- Multi-factor authentication (2FA)
- Do not deploy with default credentials, especially for users with admin privileges.
- Monitor failed login attempts.
- Use a secure session manager that generates time-limited session IDs.
- Never include session IDs in
8. Software and Data Integrity Failures
This is a new category in the OWASP list that relates to vulnerabilities in critical data and CI/CD pipelines whose integrity is not verified. Code and infrastructure that do not guard against integrity violations are referred to as software and data integrity failures. For example, an application that relies on plugins, libraries, or modules from unverified and untrusted sources, repositories, or content delivery networks (CDNs) may be exposed to this type of failure.
- digital signatures, or other similar measures.
- To protect the integrity of code going through the deploy processes, make sure your CI/CD pipeline includes adequate.
- Verify that unencrypted serialised data is not delivered to untrustworthy clients without an integrity check or digital signature to detect alteration or replay.
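The last point above carried through, as an added example that is not code from the original post: serialised data handed to a client stays readable but carries an HMAC-SHA256 tag, a timestamp and a nonce, and the verifier rejects alteration, expiry and replay. The key, the token layout and the in-memory nonce store are this example's assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Set

SECRET_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def sign_payload(data: Dict, key: bytes = SECRET_KEY, now: Optional[float] = None) -> str:
    """Serialise data plus a timestamp and a random nonce, then append an
    HMAC-SHA256 tag as '<body>.<tag>'. Nothing is encrypted, only authenticated."""
    body = dict(data)
    body["_ts"] = time.time() if now is None else now
    body["_nonce"] = _b64(os.urandom(12))
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return _b64(raw) + "." + _b64(tag)


class PayloadVerifier:
    """Rejects a token whose tag does not match (alteration), whose timestamp
    is stale (expiry) or whose nonce was already accepted (replay)."""

    def __init__(self, key: bytes = SECRET_KEY, max_age: float = 300.0):
        self.key, self.max_age = key, max_age
        self.seen_nonces: Set[str] = set()  # assumption: a shared store in production

    def verify(self, token: str, now: Optional[float] = None) -> Optional[Dict]:
        try:
            raw_b64, tag_b64 = token.split(".")
            raw = base64.urlsafe_b64decode(raw_b64)
            expected = hmac.new(self.key, raw, hashlib.sha256).digest()
            if not hmac.compare_digest(base64.urlsafe_b64decode(tag_b64), expected):
                return None  # body altered or tag forged
            body = json.loads(raw)
            ts, nonce = float(body["_ts"]), str(body["_nonce"])
        except (ValueError, KeyError, TypeError):
            return None
        now = time.time() if now is None else now
        if now - ts > self.max_age or nonce in self.seen_nonces:
            return None  # stale or replayed
        self.seen_nonces.add(nonce)
        return {k: v for k, v in body.items() if k not in ("_ts", "_nonce")}
```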
9. Security Logging and Monitoring Failures
This is one of the important vulnerabilities in the OWASP Top 10 and was previously known as Insufficient Logging and Monitoring. This flaw arises when organizations do not have proper logging and monitoring tools to ensure that suspicious activities and unauthorized access attempts are detected. All alerts should be properly managed by security professionals.
- Log all login, access control, and server-side input validation failures.
- Logs must be in easily
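The first point above only pays off if someone reads the logs, so here is an added example (not from the original post) of the detection side: a parser for a constructed login/access/validation event format and a sliding-window rule that raises one alert per burst of failed logins from one source address. The log format, sample lines and thresholds are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple

# assumption: one authentication/authorisation event per line in this constructed format
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED|ACCESS_DENIED|INPUT_REJECTED) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)")

SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAILED user=alice ip=198.51.100.7
2024-05-01T10:00:03Z LOGIN_FAILED user=bob ip=198.51.100.7
2024-05-01T10:00:04Z LOGIN_OK user=carol ip=203.0.113.9
2024-05-01T10:00:06Z LOGIN_FAILED user=carol ip=198.51.100.7
2024-05-01T10:00:09Z LOGIN_FAILED user=dave ip=198.51.100.7
2024-05-01T10:00:10Z ACCESS_DENIED user=carol ip=203.0.113.9
2024-05-01T10:15:00Z LOGIN_FAILED user=erin ip=198.51.100.7
"""


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, event, user, ip), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["event"], m["user"], m["ip"]


def detect_failed_login_bursts(log_text: str, threshold: int = 4,
                               window_seconds: int = 60) -> List[Tuple[str, str]]:
    """Sliding window per source IP: raise one alert when `threshold`
    LOGIN_FAILED events land within `window_seconds`. Returns (time, ip) pairs."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "LOGIN_FAILED":
            continue
        ts, _, _, ip = rec
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that fell out of the window
        if len(window) >= threshold:
            alerts.append((ts.isoformat(), ip))
            window.clear()  # one alert per burst, not one per extra failure
    return alerts
```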
10. Server-Side Request Forgery (SSRF)
Server-side request forgery issues arise when a web application does not validate the user-supplied URL when fetching a
SSRF is a web security flaw that allows an attacker to force a server-side application to send HTTP requests to any domain the attacker chooses.
- Implement input validation.
- Use Regular Expressions (
intended IP address format (IPv4 or IPv6).
- Validate incoming domain names.
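The validation points above combined into one check, as an added example that is not code from the original post: the URL is parsed, the scheme and host are compared against an allow list, embedded credentials are refused, and any IP literal is classified with the standard library's ipaddress module instead of a hand-written regular expression. The allowed hosts, schemes and ports are assumptions for the demonstration.

```python
import ipaddress
from typing import Tuple
from urllib.parse import urlparse

# assumption: the only hosts this application is meant to fetch from
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def is_safe_fetch_url(url: str) -> Tuple[bool, str]:
    """Allow-list check for a user-supplied URL before the server fetches it.
    Returns (ok, reason) so the reason can be logged."""
    try:
        parts = urlparse(url)
        host = parts.hostname   # lower-cased; brackets stripped from IPv6 literals
        port = parts.port       # raises ValueError on a non-numeric port
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in url not allowed"  # 'allowed-host@real-host' confusion
    # Classify IP literals explicitly so the reason names the actual problem.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IPv4/IPv6 literal, treat as a hostname
    if addr is not None:
        if not addr.is_global:
            return False, "ip literal in private, loopback or link-local range"
        return False, "ip literals not allowed; use an allow-listed hostname"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allow list"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    return True, "ok"
```

A permitted hostname can still resolve to an internal address, so the address actually connected to should be put through the same range test at connect time; this example skips DNS resolution so that it runs offline.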
I have collected the above information from multiple articles and written this based on my understanding. For more study on OWASP Top 10, please refer to the
Support me: If you would like to support me, buy me a cup of coffee ☕
Follow me: @0xKayala | Satya Prakash