OWASP 2021: Broken Access Control is the worst!
The Open Web Application Security Project (OWASP) published the draft of its Top 10 2021 report on September 8. The whole security world is excited about this draft. Let's discover together what has changed and what has been added!
- The first thing to notice: Broken Access Control, which was in 5th place in 2017, is in 1st place in 2021.
- Injection is down two steps to 3rd place. XSS attacks are now also part of the Injection category.
- Sensitive Data Exposure, now known as Cryptographic Failures, moved up from third to second place. The new focus is on failures related to cryptographic operations.
- XML External Entities has been merged into Security Misconfiguration, and together they take 5th place.
Also, there are three new categories: 'Insecure Design', 'Software and Data Integrity Failures', and 'Server-Side Request Forgery (SSRF)'.
1-) Insecure Design
Insecure design is a broad category covering many different weaknesses, expressed as "missing or ineffective control design." The "missing" case is where a control is absent altogether.
“Secure design is a culture and methodology that constantly evaluates threats and ensures that code is robustly designed and tested to prevent known attack methods. Secure design requires a secure development lifecycle, some form of secure design pattern or paved road component library or tooling, and threat modeling.”
2-) Software and Data Integrity Failures
Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations.
An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. In addition, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations.
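To make the "sufficient integrity verification" point concrete, here is an added example (not from the OWASP report or this post) of the checks an updater should run before applying a downloaded bundle: the manifest's signature is checked first, then every file's digest, and any file the manifest does not list is rejected. The bundle, manifest and key are constructed for the example; HMAC stands in for the asymmetric signature a real update channel would use, purely to keep the code standard-library only.

```python
import hashlib
import hmac
import json

# Constructed sample update bundle: file name -> file contents.
SAMPLE_UPDATE = {
    "app.bin": b"placeholder application binary, version 2.1.0",
    "config.json": b'{"telemetry": false}',
}

# Constructed key. HMAC is used here only so the example runs without third-party
# libraries; a real updater verifies a publisher's asymmetric signature with a
# public key pinned inside the client, so no secret ever ships with the app.
PUBLISHER_KEY = b"example-publisher-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, version: str) -> bytes:
    """Canonical JSON manifest listing every file in the bundle with its digest.

    Canonical encoding (sorted keys, no whitespace) matters: the signature covers
    these exact bytes, so publisher and client must serialise identically.
    """
    manifest = {
        "version": version,
        "files": {name: sha256_hex(data) for name, data in files.items()},
    }
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest_bytes: bytes, key: bytes) -> str:
    # Publisher side: authenticate the manifest, which in turn pins every file.
    return hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()


def verify_update(files: dict, manifest_bytes: bytes, signature: str, key: bytes) -> bool:
    """Client side. Returns True only if the whole bundle is exactly what was signed."""
    # 1. Nothing in the manifest is trusted until its signature checks out.
    expected_sig = sign_manifest(manifest_bytes, key)
    if not hmac.compare_digest(expected_sig, signature):
        return False

    manifest = json.loads(manifest_bytes)
    expected_files = manifest.get("files", {})

    # 2. The set of files must match exactly: a missing file breaks the update,
    #    an extra file is unsigned content that would otherwise be "applied".
    if set(files) != set(expected_files):
        return False

    # 3. Every file's content must match the digest the publisher signed.
    for name, data in files.items():
        if not hmac.compare_digest(sha256_hex(data), expected_files[name]):
            return False
    return True


def apply_update(files: dict, manifest_bytes: bytes, signature: str, key: bytes) -> str:
    """Gate the (simulated) install step on verification; never apply on failure."""
    if not verify_update(files, manifest_bytes, signature, key):
        return "rejected: integrity verification failed"
    version = json.loads(manifest_bytes)["version"]
    return f"applied version {version}"


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_UPDATE, "2.1.0")
    sig = sign_manifest(manifest, PUBLISHER_KEY)
    print(apply_update(SAMPLE_UPDATE, manifest, sig, PUBLISHER_KEY))

    # A tampered binary with the original manifest and signature must be refused.
    tampered = dict(SAMPLE_UPDATE, **{"app.bin": b"something else entirely"})
    print(apply_update(tampered, manifest, sig, PUBLISHER_KEY))
```

The ordering of the checks is the design point: the signature is verified before anything in the manifest is parsed or trusted, and the file-set comparison closes the gap where an attacker adds an unsigned file alongside legitimately signed ones.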
3-) Server-Side Request Forgery (SSRF)
SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. This allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network ACL.
You can read the whole draft report here. Thank you for reading!