
OWASP TOP 10
Celia Catalán
Web application security is a priority today, as threats evolve constantly. To help developers and security professionals, the Open Web Application Security Project (OWASP) publishes the OWASP Top 10, a list of the most critical security risks to web applications. Knowing this list is essential for understanding the risks and the measures needed to mitigate them.
What is the OWASP Top 10?
The OWASP Top 10 is a ranked list of the most critical categories of security risk affecting web applications. Its goal is to raise awareness in the technology community about the most common and most dangerous classes of security flaw. It is updated every few years (the 2021 edition succeeded the 2017 one) and serves as a practical guide for preventing, detecting and fixing the most critical vulnerabilities.
Vulnerabilities in the OWASP Top 10 have the potential to severely compromise the security of an application, exposing sensitive data, allowing unauthorized access, and causing large losses for organizations.
There are several editions of the OWASP Top 10, identified by the year they were created or updated. This reflects the changing landscape of web security: according to the data collected by the OWASP Foundation, the frequency of certain types of vulnerability rises and falls over time, new types emerge, and others disappear, are renamed or are merged into broader categories. The 2021 edition, for example, folded cross-site scripting into Injection and introduced Insecure Design, Software and Data Integrity Failures and SSRF as categories of their own:
OWASP Top 10 2021
A01:2021 - Broken Access Control
- Vertical privilege escalation: a regular user can reach functions or perform actions that require administrator privileges, typically because an admin endpoint is hidden in the interface but not protected on the server.
- Horizontal privilege escalation: a user can access other users' data, usually by changing an identifier in the URL or request body (an insecure direct object reference, IDOR).
- Missing access control on APIs: API endpoints do not enforce the same authorization checks as the web front end, so resources can be read or modified directly.
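The two escalation patterns above side by side, as an added example that is not code from the original article. The users, the invoice records and the handler names are constructed; the point is that the hardened handlers compare the resource with the identity the server already authenticated, and deny by default.

```python
"""A01 Broken Access Control: vertical and horizontal privilege escalation.

Added example, not code from the original article. The users, the invoice
records and the handler names are constructed for illustration.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the authenticated caller may not touch the resource."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


# Constructed sample data: invoice id -> (owner user_id, content)
INVOICES = {
    1001: (1, "invoice for alice"),
    1002: (2, "invoice for bob"),
}


def get_invoice_vulnerable(caller: User, invoice_id: int) -> str:
    """Horizontal escalation (IDOR): the record is fetched by id only, so any
    logged-in user who changes the id in the URL reads another user's invoice."""
    return INVOICES[invoice_id][1]


def get_invoice_secure(caller: User, invoice_id: int) -> str:
    """Ownership is compared with the server-side identity of the caller,
    never with an owner id sent by the client. Admins may read every invoice."""
    owner_id, content = INVOICES[invoice_id]
    if caller.role != "admin" and owner_id != caller.user_id:
        raise Forbidden(f"user {caller.user_id} may not read invoice {invoice_id}")
    return content


def delete_user_vulnerable(caller: User, target_id: int) -> str:
    """Vertical escalation: the action is only hidden from non-admins in the UI;
    the server never checks the role, so anyone who knows the endpoint can call it."""
    return f"deleted user {target_id}"


def delete_user_secure(caller: User, target_id: int) -> str:
    """Deny by default: the role is re-checked on the server for every request."""
    if caller.role != "admin":
        raise Forbidden(f"user {caller.user_id} is not an administrator")
    return f"deleted user {target_id}"


def allowed(action, *args) -> bool:
    """True if the action completes, False if the access check rejects it."""
    try:
        action(*args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, bob, root = User(1, "user"), User(2, "user"), User(3, "admin")
    print("bob reads alice's invoice (vulnerable):", allowed(get_invoice_vulnerable, bob, 1001))
    print("bob reads alice's invoice (secure):   ", allowed(get_invoice_secure, bob, 1001))
    print("bob deletes a user (vulnerable):      ", allowed(delete_user_vulnerable, bob, 1))
    print("bob deletes a user (secure):          ", allowed(delete_user_secure, bob, 1))
    print("admin deletes a user (secure):        ", allowed(delete_user_secure, root, 1))
```

In a real application the check lives in one place (a decorator or middleware) rather than being repeated in every handler, and the test suite should include a negative case for every role, as the `allowed(...)` calls do here.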
A02:2021 - Cryptographic failures
- Weak or missing encryption: use of outdated or broken algorithms (such as MD5 or RC4) or no encryption at all for sensitive data in transit or at rest.
- Improper key management: keys hard-coded in source, stored or transmitted insecurely, or never rotated.
- Exposure of sensitive data: passwords, card numbers or personal data stored or sent in clear text, or passwords hashed without a salt or with a fast general-purpose hash.
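Password storage is the most common place the third point shows up. The following added example (not code from the original article) contrasts an unsalted MD5 scheme with salted PBKDF2-HMAC-SHA256 from the Python standard library; the passwords are constructed and the iteration count is the one the OWASP Password Storage Cheat Sheet recommends for PBKDF2-HMAC-SHA256.

```python
"""A02 Cryptographic Failures: password storage, weak and fixed.

Added example, not code from the original article. Passwords are constructed;
the iteration count follows the OWASP Password Storage Cheat Sheet.
"""
import hashlib
import hmac
import os


def store_password_weak(password: str) -> str:
    """Unsalted, fast hash. Every user with the same password gets the same digest,
    so precomputed tables and GPU brute force recover them in bulk."""
    return hashlib.md5(password.encode()).hexdigest()


def verify_password_weak(password: str, stored: str) -> bool:
    # '==' also stops at the first differing byte, leaking timing information.
    return hashlib.md5(password.encode()).hexdigest() == stored


# Work factor recommended for PBKDF2-HMAC-SHA256 by the OWASP Password Storage
# Cheat Sheet; Argon2id or scrypt are preferable when a library is available.
PBKDF2_ITERATIONS = 600_000


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus a deliberately slow key derivation function.
    The record is self-describing so the work factor can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("weak, two users, same password:",
          store_password_weak("hunter2") == store_password_weak("hunter2"))
    a, b = store_password("hunter2"), store_password("hunter2")
    print("salted, two users, same password:", a == b)
    print("verify correct:", verify_password("hunter2", a),
          " wrong:", verify_password("hunter3", a))
```

Because the record carries its own algorithm and iteration count, a login that verifies successfully against an old record can transparently re-hash the password with the current parameters.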
A03:2021 - Injection
- SQL injection: user input is concatenated into a query and changes its structure, allowing data to be read or modified or authentication to be bypassed.
- Command injection: user input reaches a shell or operating system command without escaping, so the attacker runs arbitrary commands on the server.
- Cross-site scripting (XSS), folded into this category in 2021: attacker-controlled HTML or JavaScript is inserted into a page and executes in other users' browsers.
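The first and third points as running code, added here and not taken from the original article. The example uses an in-memory SQLite database with constructed users (passwords kept in clear only so the injection stays visible), shows the `admin'--` bypass against a concatenated query, and the parameterized query and output encoding that close both holes.

```python
"""A03 Injection: SQL injection and cross-site scripting, vulnerable and fixed.

Added example, not code from the original article. Uses an in-memory SQLite
database with constructed users; passwords are stored in clear only to keep
the injection itself visible (see A02 for proper storage).
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "user"), ("admin", "s3cr3t!", "admin")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The input is pasted into the SQL text, so it can change the query's structure.
    username = "admin'--" comments out the password check entirely."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_secure(conn: sqlite3.Connection, username: str, password: str):
    """Parameterized query: SQL and values travel separately to the engine, so a
    quote or comment marker inside a value is data, never syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def render_comment_vulnerable(comment: str) -> str:
    """Untrusted text written straight into HTML: a <script> tag runs in every visitor's browser."""
    return f"<p>{comment}</p>"


def render_comment_secure(comment: str) -> str:
    """Output encoding for an HTML text node: &, <, > and both quotes become entities."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, password bypass:", login_vulnerable(db, "admin'--", "wrong"))
    print("vulnerable, any account:    ", login_vulnerable(db, "nobody", "' OR '1'='1"))
    print("secure, same input:         ", login_secure(db, "admin'--", "wrong"))
    print("secure, real credentials:   ", login_secure(db, "admin", "s3cr3t!"))
    print(render_comment_vulnerable("<script>alert(1)</script>"))
    print(render_comment_secure("<script>alert(1)</script>"))
```

Note that `html.escape` is only correct for text nodes and quoted attribute values; input placed into a JavaScript block, a URL or a CSS property needs the encoding for that context, which is why templating engines with context-aware auto-escaping are the practical fix.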
A04:2021 - Insecure Design
- Lack of input validation: the data the user supplies is never checked against what the application expects. Missing validation at the design stage leads to other vulnerabilities such as command injection or SQL injection.
- Absence of security controls: no authentication or encryption at critical points, because nobody planned them in.
- Poor architecture: no separation of roles or trust zones, or use of insecure design patterns.
A05:2021 - Security Misconfiguration
- Default credentials: default passwords or default settings left in place on servers, databases or applications.
- Exposure of sensitive files: configuration files, backups or databases reachable from the internet.
- Unnecessary services enabled: ports, features or accounts that are not used but remain exposed and can be attacked.
A06:2021 - Vulnerable and outdated components
- Dependencies with known vulnerabilities: Use of libraries or frameworks with known security flaws.
- Outdated software: Lack of security updates or patches available.
- Insecure plugins and modules: Use of third-party extensions or modules that have not been properly audited. (Outdated WordPress plugins, outdated JavaScript libraries…)
A07:2021 - Identification and authentication failures
- Weak authentication: no multi-factor authentication (MFA), weak password policy, or no defence against credential stuffing and brute force.
- Unprotected sessions: session tokens exposed in URLs or logs, predictable tokens, or sessions that never expire or are not invalidated on logout.
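A server-side session store that addresses the second point, added here as an example and not taken from the original article. The timeouts, the clock values and the in-memory storage are constructed; time is passed in explicitly so the expiry logic can be exercised without waiting.

```python
"""A07 Identification and Authentication Failures: session handling.

Added example, not code from the original article. Timeouts and clock values
are constructed; the store is in-memory for illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard ceiling regardless of activity


@dataclass
class Session:
    user_id: int
    created: float
    last_seen: float


class SessionStore:
    """Unpredictable tokens, idle and absolute expiry, explicit revocation."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash of the token is kept server-side, so a leaked session
        # table or log line cannot be replayed as a cookie.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: int, now: float) -> str:
        # 32 bytes from the OS CSPRNG: never a counter, a timestamp or random.random().
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user_id, now, now)
        return token

    def validate(self, token: str, now: float) -> Optional[int]:
        """Return the user id for a live session, or None (and drop the session)."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if (now - session.last_seen > IDLE_TIMEOUT
                or now - session.created > ABSOLUTE_TIMEOUT):
            del self._sessions[key]
            return None
        session.last_seen = now
        return session.user_id

    def revoke(self, token: str) -> None:
        """Logout must invalidate server-side, not merely delete the cookie."""
        self._sessions.pop(self._key(token), None)

    def revoke_all(self, user_id: int) -> int:
        """Password change or suspected compromise: kill every session of the user."""
        victims = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for k in victims:
            del self._sessions[k]
        return len(victims)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create(42, 0.0)
    print("after 10 min: ", store.validate(token, 600.0))
    print("after 16 min idle:", store.validate(token, 600.0 + 16 * 60))
```

The token itself should then be delivered in a cookie marked `Secure`, `HttpOnly` and with a `SameSite` attribute, and a new session created after login so a pre-authentication session id cannot be fixated.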
A08:2021 - Software and Data Integrity Failures
- Unverified updates: software updates or dependencies installed without checking their signature or hash.
- Source code alteration: malicious code injected into repositories or CI/CD pipelines, so the build itself is compromised.
- Critical file manipulation: configuration files or databases altered without detection. Insecure deserialization of untrusted data, a category of its own in 2017, was also merged into this one.
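A minimal "verify before you use" flow for the first point, added as an example that is not code from the original article. The release files, the publisher and client roles and the one-byte tampering are constructed; the manifest stands in for a lockfile or release manifest that reaches the client over a channel the attacker does not control.

```python
"""A08 Software and Data Integrity Failures: verify an update before using it.

Added example, not code from the original article. The release files and the
publisher/client roles are constructed; the manifest stands in for a lockfile
or release manifest obtained over a trusted channel.
"""
import hashlib
import hmac
from typing import Dict, List


class IntegrityError(Exception):
    """The artifact does not match what the publisher pinned."""


def publish(files: Dict[str, bytes]) -> Dict[str, str]:
    """Publisher side: pin a SHA-256 digest for every file in the release."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_release(files: Dict[str, bytes], manifest: Dict[str, str]) -> None:
    """Client side: every downloaded file must be listed and match its pinned
    digest, and nothing unlisted may be present. Raises IntegrityError."""
    unexpected = set(files) - set(manifest)
    if unexpected:
        raise IntegrityError(f"files not in manifest: {sorted(unexpected)}")
    missing = set(manifest) - set(files)
    if missing:
        raise IntegrityError(f"files missing from download: {sorted(missing)}")
    for name, data in files.items():
        actual = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(actual, manifest[name]):
            raise IntegrityError(f"digest mismatch for {name}")


def install_update(files: Dict[str, bytes], manifest: Dict[str, str]) -> List[str]:
    """Verify first, use afterwards. Returns the names that would be installed.
    The vulnerable pattern is to write or execute the files and check later."""
    verify_release(files, manifest)
    return sorted(files)


def rejects(files: Dict[str, bytes], manifest: Dict[str, str]) -> bool:
    """True if the release is refused, False if it installs cleanly."""
    try:
        install_update(files, manifest)
        return False
    except IntegrityError:
        return True


def tamper(files: Dict[str, bytes], name: str) -> Dict[str, bytes]:
    """Simulate a compromised mirror or man-in-the-middle flipping one bit."""
    altered = dict(files)
    data = bytearray(altered[name])
    data[0] ^= 0x01
    altered[name] = bytes(data)
    return altered


# Constructed release and the manifest the publisher would ship with it
RELEASE = {
    "app.py": b"print('application v2')\n",
    "config.yaml": b"debug: false\n",
}
MANIFEST = publish(RELEASE)

if __name__ == "__main__":
    print("clean release installs:", install_update(RELEASE, MANIFEST))
    print("tampered release rejected:", rejects(tamper(RELEASE, "app.py"), MANIFEST))
```

Hash pinning only helps when the manifest is trusted independently of the download (a lockfile in the repository, `pip install --require-hashes`, a checksum fetched over a separate channel). If the manifest travels alongside the artifact it must itself be signed, which is what package signatures and CI artifact attestation add on top of this check.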
A09:2021 - Security Logging and Monitoring Failures
- Missing logs: no record of logins, access to sensitive data, errors or configuration changes.
- Insufficient logs: entries lack the who, what, when and outcome needed to reconstruct an incident.
- No real-time detection: no alerting or monitoring, so attacks such as brute force or scanning go unnoticed until the damage is done.
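What the third point looks like in practice: a sliding-window detector for failed logins run over access-log lines. This is an added example, not code from the original article; the log lines are constructed (combined log format, TEST-NET addresses), and the threshold and window are illustrative.

```python
"""A09 Security Logging and Monitoring Failures: detecting a brute-force login
from access logs.

Added example, not code from the original article. The log lines are
constructed (combined log format, TEST-NET addresses); threshold and window
are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: 203.0.113.7 fails five times in ten seconds and then
# succeeds; 203.0.113.9 fails five times but ten minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 48 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 401 48 "-" "curl/8.0"
198.51.100.20 - - [10/Oct/2023:13:55:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /login HTTP/1.1" 401 48 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /login HTTP/1.1" 401 48 "-" "curl/8.0"
198.51.100.20 - - [10/Oct/2023:13:55:10 +0000] "POST /login HTTP/1.1" 401 48 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /login HTTP/1.1" 401 48 "-" "curl/8.0"
198.51.100.20 - - [10/Oct/2023:13:55:14 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:14:30:00 +0000] "POST /login HTTP/1.1" 401 48 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:14:40:00 +0000] "POST /login HTTP/1.1" 401 48 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:14:50:00 +0000] "POST /login HTTP/1.1" 401 48 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:15:00:00 +0000] "POST /login HTTP/1.1" 401 48 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:15:10:00 +0000] "POST /login HTTP/1.1" 401 48 "-" "python-requests/2.31"
"""


def parse_line(line: str) -> Optional[dict]:
    """One combined-format line -> dict with a timezone-aware timestamp, or None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    entry = match.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def parse_log(text: str) -> List[dict]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def detect_bruteforce(entries: List[dict], threshold: int = 5,
                      window_seconds: int = 60) -> Dict[str, dict]:
    """Per source IP, keep the timestamps of failed logins (POST /login -> 401)
    inside a sliding window; alert when the count reaches the threshold and
    flag whether a successful login followed the alert."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for e in entries:
        if e["method"] != "POST" or e["path"] != "/login":
            continue
        ip = e["ip"]
        if e["status"] == 401:
            window = recent[ip]
            window.append(e["ts"])
            while window and (e["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and ip not in alerts:
                alerts[ip] = {"first_alert": e["ts"], "failures": len(window),
                              "success_after": False}
        elif e["status"] in (200, 302) and ip in alerts:
            alerts[ip]["success_after"] = True   # the attack likely worked
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(ip, alert)
```

The slow attacker is invisible at a 60-second window and visible at an hour, which is the trade-off behind every threshold rule; counting failures per target account as well as per source IP, and recording the username in the application log (the access log above does not carry it), is what makes the second point in the list actionable.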
A10:2021 - Server-Side Request Forgery (SSRF)
- Access to internal resources: the attacker makes the application fetch a URL of their choosing, reaching internal servers, databases or cloud metadata endpoints.
- Firewall bypass: the request originates from the trusted server, so network restrictions that would block the attacker directly do not apply.
- Probing local services: the attacker enumerates and queries services on the internal network, such as HTTP, FTP or SSH, through the vulnerable application.
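A URL validator that blocks the three patterns above before the server makes the request, added here as an example and not code from the original article. The resolver used in the demo is a constructed stand-in for DNS so the check runs offline; the blocked ranges are loopback, RFC 1918, link-local (which covers the 169.254.169.254 metadata address), multicast, reserved, unspecified and carrier-grade NAT space.

```python
"""A10 Server-Side Request Forgery: validating a user-supplied URL before the
server fetches it.

Added example, not code from the original article. fake_resolver is a
constructed stand-in for DNS so the demo runs offline.
"""
import ipaddress
import socket
from typing import List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Carrier-grade NAT space is not flagged by ipaddress.is_private, so list it explicitly.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def is_public_address(ip) -> bool:
    """False for loopback, RFC 1918, link-local (incl. 169.254.169.254),
    multicast, reserved, unspecified and CGNAT addresses."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 is still loopback
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in EXTRA_BLOCKED if net.version == ip.version)


def system_resolver(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer, IPv6 scope ids stripped."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0].split("%")[0] for info in infos})


def is_safe_url(url: str, resolver=system_resolver) -> Tuple[bool, str]:
    """Allow only http(s) URLs whose host resolves exclusively to public addresses."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        # http://trusted.example@127.0.0.1/ fools checks that look at the text before '@'
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addresses = [ipaddress.ip_address(host)]          # literal IP, no DNS needed
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to nothing"
    for ip in addresses:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


def fake_resolver(host: str) -> List[str]:
    """Constructed DNS answers for the demo; never use in production."""
    table = {
        "example.com": ["93.184.216.34"],
        "localhost": ["127.0.0.1"],
        "internal.corp": ["10.0.0.5"],
        "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],   # mixed answers
        "2130706433": ["127.0.0.1"],   # decimal form of 127.0.0.1, as getaddrinfo resolves it
    }
    if host not in table:
        raise socket.gaierror(f"NXDOMAIN {host}")
    return table[host]


if __name__ == "__main__":
    for candidate in ["https://example.com/feed.xml",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://example.com@127.0.0.1/", "http://2130706433/",
                      "file:///etc/passwd", "http://rebind.attacker.test/"]:
        print(candidate, "->", is_safe_url(candidate, fake_resolver))
```

Two caveats a practitioner needs: the check is only as good as the connection that follows it, so the HTTP client must connect to the address that was validated (not re-resolve the name, which is the DNS rebinding trick) and must not follow redirects without re-validating the new target. Where the set of legitimate destinations is known, an allowlist of hosts is stronger than this denylist of ranges.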