DATASHEET

OWASP Enforcement (2021)

OWASP Top Ten 2021   
https://owasp.org/Top10/

ENFORCEMENT FOR KW 2023.4

Web Application Security Risk

Description

C/C++

C#

Java

Java Script

Python

1. Broken Access Control

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user’s limits. Common access control vulnerabilities include: 

  • Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone. 
  • Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests. 
  • Permitting viewing or editing someone else’s account, by providing its unique identifier (insecure direct object references). 
  • Accessing API with missing access controls for POST, PUT and DELETE. 
  • Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user. 
  • Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation. 
  • CORS misconfiguration allows API access from unauthorized/untrusted origins. 
  • Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.

Yes

Yes

Yes

No

No

2. Cryptographic Failures

The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information, and business secrets require extra protection, mainly if that data falls under privacy laws, e.g., EU’s General Data Protection Regulation (GDPR), or regulations, e.g., financial data protection such as PCI Data Security Standard (PCI DSS).

Yes

Yes

Yes

No

Yes

3. Injection

An application is vulnerable to attack when user-supplied data is not validated, filtered, or sanitized by the application. 

  • Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter. 
  • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records. 
  • Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures. 

Some of the more common injections are SQL, NoSQL, OS command, Object Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph Navigation Library (OGNL) injection.

Yes

Yes

Yes

Yes

No

4. Insecure Design

Insecure design is a broad category representing different weaknesses, expressed as “missing or ineffective control design.” Insecure design is not the source for all other Top 10 risk categories. There is a difference between insecure design and insecure implementation. We differentiate between design flaws and implementation defects for a reason, they have different root causes and remediation. A secure design can still have implementation defects leading to vulnerabilities that may be exploited. An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks. One of the factors that contribute to insecure design is the lack of business risk profiling inherent in the software or system being developed, and thus the failure to determine what level of security design is required.

Yes

Yes

Yes

No

No

5. Security Misconfiguration

The application might be vulnerable if the application is: 

  • Missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services. 
  • Unnecessary features are enabled or installed (e.g., unnecessary ports, services, pages, accounts, or privileges). 
  • Default accounts and their passwords are still enabled and unchanged. 
  • Error handling reveals stack traces or other overly informative error messages to users. 
  • For upgraded systems, the latest security features are disabled or not configured securely. 
  • The security settings in the application servers, application frameworks (e.g., Struts, Spring, ASP.NET), libraries, databases, etc., are not set to secure values. 
  • The server does not send security headers or directives, or they are not set to secure values. 
  • The software is out of date or vulnerable. 

Without a concerted, repeatable application security configuration process, systems are at a higher risk.

Yes

Yes

Yes

No

No

6. Vulnerable and Outdated Components

You are likely vulnerable: 

  • If you do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies. 
  • If the software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries. 
  • If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use. 
  • If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, leaving organizations open to days or months of unnecessary exposure to fixed vulnerabilities. 
  • If software developers do not test the compatibility of updated, upgraded, or patched libraries. 
  • If you do not secure the components’ configurations.

No

No

Yes

No

No

7. Identification & Authentication Failures

Confirmation of the user’s identity, authentication, and session management is critical to protect against authentication-related attacks. There may be authentication weaknesses if the application: 

  • Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords. 
  • Permits brute force or other automated attacks. 
  • Permits default, weak, or well-known passwords, such as “Password1” or “admin/admin”. 
  • Uses weak or ineffective credential recovery and forgot-password processes, such as “knowledge-based answers,” which cannot be made safe. 
  • Uses plain text, encrypted, or weakly hashed passwords data stores. 
  • Has missing or ineffective multi-factor authentication. 
  • Exposes session identifier in the URL. 
  • Reuse session identifier after successful login. 
  • Does not correctly invalidate Session IDs. User sessions or authentication tokens (mainly single sign-on (SSO) tokens) aren’t properly invalidated during logout or a period of inactivity.

Yes

Yes

Yes

No

No

8. Software and Data Integrity Failures

Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. Lastly, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations. Another example is where objects or data are encoded or serialized into a structure that an attacker can see and modify is vulnerable to insecure deserialization.

Yes

Yes

Yes

No

No

9. Security Logging and Monitoring Failures

This category is to help detect, escalate, and respond to active breaches. Without logging and monitoring, breaches cannot be detected. Insufficient logging, detection, monitoring, and active response occurs any time: 

  • Auditable events, such as logins, failed logins, and high-value transactions, are not logged. 
  • Warnings and errors generate no, inadequate, or unclear log messages. 
  • Logs of applications and APIs are not monitored for suspicious activity. 
  • Logs are only stored locally. 
  • Appropriate alerting thresholds and response escalation processes are not in place or effective. 
  • Penetration testing and scans by dynamic application security testing (DAST) tools (such as OWASP ZAP) do not trigger alerts. 
  • The application cannot detect, escalate, or alert for active attacks in real-time or near real-time. 

You are vulnerable to information leakage by making logging and alerting events visible to a user or an attacker.

No

No

Yes

No

No

10. Server-Side Request Forgery

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL). 

As modern web applications provide end-users with convenient features, fetching a URL becomes a common scenario. As a result, the incidence of SSRF is increasing. Also, the severity of SSRF is becoming higher due to cloud services and the complexity of architectures.

No

No

Yes

No

No