Latest Posts

OWASP Top 10 Vulnerabilities

Posted on by Rishan Solutions

Loading

The OWASP (Open Web Application Security Project) Top 10 is a globally recognized list of the most critical security risks affecting web applications. It is updated periodically to reflect emerging threats and provides security professionals with guidance on mitigating vulnerabilities.

1. Broken Access Control (A01:2021)

🔹 This occurs when users can access unauthorized data or functions.
🔹 Attackers bypass access restrictions to modify or delete sensitive information.

Example Attack Scenario:

  • A normal user modifies a URL parameter (user_id=123) and accesses another user’s account by changing it to user_id=456.

Mitigation:

  • Enforce role-based access control (RBAC).
  • Use server-side access checks for each request.
  • Implement least privilege access policies.

2. Cryptographic Failures (A02:2021)

Weak or improper encryption allows data exposure.
Affects sensitive data such as passwords, credit card details, and personal information.

Example Attack Scenario:

  • An application stores passwords in plaintext instead of hashing them.
  • Using weak encryption algorithms like MD5 or SHA1.

Mitigation:

  • Use AES-256 for encryption and bcrypt, Argon2, or PBKDF2 for password hashing.
  • Enable TLS 1.2 or TLS 1.3 for secure data transmission.

3. Injection Attacks (A03:2021)

Untrusted input is sent to a web application, leading to SQL, NoSQL, OS command, or LDAP injection attacks.

Example Attack Scenario:

  • SQL Injection: SELECT * FROM users WHERE username = 'admin' --' AND password = ''
  • The attacker bypasses authentication by commenting out the password check.

Mitigation:

  • Use prepared statements and parameterized queries.
  • Implement input validation and sanitization.
  • Use ORMs (Object Relational Mappers) to prevent direct SQL execution.

4. Insecure Design (A04:2021)

Poorly designed security controls lead to vulnerabilities in the software architecture.

Example Attack Scenario:

  • A web app lacks rate-limiting on login attempts, allowing brute-force attacks.

Mitigation:

  • Implement threat modeling during design.
  • Follow secure coding best practices.
  • Use multi-factor authentication (MFA).

5. Security Misconfiguration (A05:2021)

Improper configurations expose applications to attacks.
Common issues include default credentials, open cloud storage, exposed debug modes, and unnecessary services.

Example Attack Scenario:

  • A database is left exposed on the internet without authentication.
  • Default admin credentials (admin/admin) are used.

Mitigation:

  • Disable unnecessary features and debug modes.
  • Regularly update and patch software.
  • Use automated security configuration tools.

6. Vulnerable and Outdated Components (A06:2021)

Using outdated libraries, plugins, or frameworks leads to security risks.

Example Attack Scenario:

  • A web app uses Apache Struts 2, which has a known RCE vulnerability (CVE-2017-5638).
  • Attackers exploit this to execute arbitrary commands on the server.

Mitigation:

  • Regularly update third-party components.
  • Use software composition analysis (SCA) tools.
  • Subscribe to security advisories for timely patches.

7. Identification and Authentication Failures (A07:2021)

Weak authentication mechanisms allow attackers to impersonate users.

Example Attack Scenario:

  • A web app allows brute-force login attempts without account lockout.
  • Using weak password policies (e.g., allowing “123456”).

Mitigation:

  • Enforce strong password policies and MFA.
  • Implement account lockout and CAPTCHA.
  • Use secure session management (rotate session IDs after login).

8. Software and Data Integrity Failures (A08:2021)

Untrusted code, insecure updates, and malicious modifications can compromise applications.

Example Attack Scenario:

  • A software update is downloaded over HTTP instead of HTTPS, allowing an attacker to modify the update package.

Mitigation:

  • Use code signing for software updates.
  • Implement checksums and cryptographic signatures.
  • Use secure CI/CD pipelines.

9. Security Logging and Monitoring Failures (A09:2021)

Lack of security monitoring makes it difficult to detect attacks.

Example Attack Scenario:

  • An attacker attempts multiple failed logins, but no alerts are triggered.
  • Security logs are not collected or reviewed.

Mitigation:

  • Implement SIEM (Security Information and Event Management) solutions.
  • Monitor login attempts and failed authentication events.
  • Enable audit logging with proper log retention policies.

10. Server-Side Request Forgery (SSRF) (A10:2021)

Attackers force a server to make unauthorized requests to internal or external resources.

Example Attack Scenario:

  • A web app fetches URLs based on user input: GET /fetch?url=http://internal-server/admin
  • The attacker accesses internal admin pages by modifying the URL.

Mitigation:

  • Validate user input and enforce allowlists for external URLs.
  • Use firewalls and network segmentation to block unauthorized requests.

Leave a Reply

Your email address will not be published. Required fields are marked *