OWASP Top 10 2021 Vulnerabilities Flashcards
A01:2021 – Broken Access Control
Represents a failure to enforce an access control policy, allowing users to act outside of intended permissions. For example, not adhering to the principle of least privilege can lead to an attacker viewing sensitive information after compromising an account with excess privileges.
A02:2021 – Cryptographic Failures
Represents a failure to implement strong cryptographic controls to encrypt information while in transit and at rest, leading to undesirable data disclosure. To prevent this, sensitive information should be encrypted both in transit and at rest.
A03:2021 – Injection
Represents an application that is vulnerable to an injection attack because user-supplied data is not validated by the application. Some common injections are SQL, NoSQL, OS Command, Lightweight Directory Access Protocol (LDAP), and Expression Language (EL). You should use safe APIs and positive (allow-list) server-side input validation.
A04:2021 – Insecure Design
Represents a vulnerability created when appropriate business and security requirements are not considered during the business case phase. Secure software development life cycle (S-SDLC) practices should be adopted. OWASP recommends using the OWASP Software Assurance Maturity Model (SAMM) for application development.
A05:2021 – Security Misconfiguration
Represents a vulnerability created in applications when there are no standard configurations and no security hardening process. Examples include unnecessary ports and services being enabled, and default accounts and passwords being left enabled and unchanged.
A06:2021 – Vulnerable and Outdated Components
Represents a vulnerability created when you are using unsupported versions of software or unsupported components embedded in the application. You should always use supported and updated software and application components in your production environment.
A07:2021 – Identification and Authentication Failures
Represents a vulnerability created when there are authentication weaknesses in the applications. For example, your application may be prone to credential stuffing, brute force, or other automated attacks.
A08:2021 – Software and Data Integrity Failures
Represents a vulnerability created in applications when appropriate software integrity controls are not enforced or when applications rely on untrusted plugins, libraries, or modules. Untrusted sources can be vulnerable to unauthorized access, malicious code, and system compromise.
A09:2021 – Security Logging and Monitoring Failures
Represents a vulnerability created in applications when appropriate logging and monitoring are not in place. You cannot detect incidents or attacks without appropriate logging and monitoring. You should have logging enabled for logins, failed login attempts, warnings, and errors.
A10:2021 – Server-Side Request Forgery
Represents a vulnerability created in applications when a remote resource is fetched by the web application without validating the user-supplied URL. You can implement appropriate controls at the network layer and application layer to prevent an SSRF vulnerability.