
A Comprehensive Guide to OWASP Security Testing in 2022

Detox

The first OWASP Top 10 list was released in 2003 and has been updated several times since. The current version was released in 2021; its changes to the list are based on a comprehensive study that looked at more than 50,000 applications and analyzed some 2.3 million vulnerabilities.


1. Broken Access Control

Broken Access Control moved from fifth position on the 2017 Top 10 web security list to first on the 2021 list, since 94% of applications were found to have this vulnerability. Broken access control refers to a set of security flaws in which permission checks are insufficient to prevent unauthorized users from accessing data or executing operations. Access control is often compromised by missing security procedures such as authorization checks.
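The missing authorization check described above, as an added example that is not part of the original article: a document-download handler in its vulnerable form (authentication only, so any logged-in user can read any document by id) beside a hardened form that denies by default. The `User` and `DOCUMENTS` records are constructed for the example.

```python
# Added example: object-level authorization, vulnerable vs. hardened.
# All data below is constructed; nothing here comes from the article.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


# Constructed sample records: document id -> owner and contents
DOCUMENTS = {
    101: {"owner_id": 1, "body": "alice's tax return"},
    102: {"owner_id": 2, "body": "bob's medical record"},
}


class Forbidden(Exception):
    """Raised when the requester may not read the document."""


def get_document_vulnerable(requester: User, doc_id: int) -> str:
    # Authenticated but not authorized: the requester is never compared
    # with the owner, so changing doc_id in the request reads other
    # users' documents (an insecure direct object reference).
    return DOCUMENTS[doc_id]["body"]


def get_document_secure(requester: User, doc_id: int) -> str:
    # Deny by default: only the owner or an admin may read the document.
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        # Same failure as "forbidden" so that valid ids cannot be
        # distinguished from invalid ones by the response.
        raise Forbidden("access denied")
    if requester.role != "admin" and doc["owner_id"] != requester.user_id:
        raise Forbidden("access denied")
    return doc["body"]


def can_read(requester: User, doc_id: int) -> bool:
    """Convenience wrapper returning the access decision as a bool."""
    try:
        get_document_secure(requester, doc_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, bob = User(1, "user"), User(2, "user")
    print(get_document_vulnerable(alice, 102))  # leaks bob's record
    print(can_read(alice, 102))                  # False with the check
```

The decision is made on the server from the requester's identity and the record's owner; nothing the client sends (role claims, hidden form fields) is trusted.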


2. Cryptographic failures

Cryptographic Failures was previously known as Sensitive Data Exposure. It moved from third position on the 2017 Top 10 web security list to second on the 2021 list. The category focuses on cryptographic flaws, which frequently lead to the disclosure of sensitive information or system compromise.


3. Injection

Injection dropped from first to third place on the 2021 list. Injection occurs when untrusted user data is supplied to the web application as part of a command or query. Cross-Site Scripting (XSS), which held seventh position on the 2017 list, has been merged into Injection.

SQL injections, Cross-Site Scripting (XSS), NoSQL injections, code injections, OS command injections, host header injections, and other injection attacks are the most common.


4. Insecure Design

Insecure Design is a category newly added in the 2021 list. It highlights the risks associated with design flaws that lead to weak security controls, and reflects the industry’s increased emphasis on developing applications that are secure by design.


5. Security Misconfiguration

Security Misconfiguration moved from sixth position on the 2017 Top 10 web security list to fifth on the 2021 list, and now includes the former category XML External Entities (XXE). It indicates a lack of security hardening across the stack, and can affect network-attached devices, databases, web and application servers, containers, and other parts of the system.


6. Vulnerable and outdated components

Formerly named “Using Components with Known Vulnerabilities”, this category is now called Vulnerable and Outdated Components and holds sixth position on the 2021 risk category list. Unsupported and obsolete components such as software, libraries and frameworks lead to this risk. Applications that are not built or run with the most recent, updated versions of their components are vulnerable to attack.


7. Identification and authentication failures

Formerly named “Broken Authentication”, this category fell from second position to seventh over three years. If applications implement session management or user authentication incorrectly, attackers may be able to compromise passwords, security keys, or session tokens and permanently or temporarily assume the identities and permissions of other users.
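The session-management side of this category, as an added example that is not from the article: a small server-side session store that issues unguessable tokens from the OS CSPRNG, expires them, rotates the token after login so a pre-login token cannot be reused, and revokes on logout. The lifetime and the injectable clock are assumptions for the example.

```python
# Added example: server-side session handling. Standard library only.
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # assumed idle lifetime for the example


class SessionStore:
    """In-memory session table: token -> (user_id, expiry time)."""

    def __init__(self, clock=time.time):
        # The clock is injectable so expiry can be tested without sleeping.
        self._clock = clock
        self._sessions: dict = {}

    def create(self, user_id: int) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG. Tokens derived
        # from user ids, timestamps or a non-cryptographic PRNG can be
        # predicted and are the classic failure here.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, self._clock() + SESSION_TTL_SECONDS)
        return token

    def lookup(self, token: str):
        # Returns the user id for a live session, else None; expired
        # sessions are dropped on access.
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[token]
            return None
        return user_id

    def rotate(self, token: str):
        # Call after any privilege change (login, step-up auth): the old
        # token stops working and a fresh one is issued for the same user.
        user_id = self.lookup(token)
        if user_id is None:
            return None
        del self._sessions[token]
        return self.create(user_id)

    def revoke(self, token: str) -> None:
        # Logout must invalidate server-side, not just clear the cookie.
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    t = store.create(42)
    print(store.lookup(t))        # 42
    t2 = store.rotate(t)
    print(store.lookup(t), store.lookup(t2))  # None 42
    store.revoke(t2)
    print(store.lookup(t2))       # None
```

In a web framework the token would be sent in a cookie marked `Secure`, `HttpOnly` and with a `SameSite` attribute; the store above is the server-side half that those cookie flags do not replace.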


8. Software and data integrity failures

Software and Data Integrity Failures is a new risk category that emphasises the risk of making assumptions about software updates, critical data, and CI/CD pipelines without verifying their integrity. Insecure Deserialization has been folded into this category.
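Two integrity checks that belong in this category, as an added example that is not from the article: verifying a fetched artifact against a pinned SHA-256 digest before using it, and deserializing untrusted data with a format that cannot instantiate arbitrary objects (JSON with an explicit schema) rather than a native object serializer. The artifact bytes and the settings schema are constructed; in practice the pinned digest comes from a lock file or signed manifest.

```python
# Added example: artifact pinning and safe deserialization.
import hashlib
import hmac
import json

# Constructed "downloaded" artifact, e.g. a plugin fetched during a build.
ARTIFACT = b"print('hello from plugin')\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# In a real pipeline this value is recorded in the lock file / manifest
# when the dependency is first vetted; it is computed here only so the
# example is self-contained.
PINNED_SHA256 = sha256_hex(ARTIFACT)


def verify_artifact(data: bytes, expected_sha256_hex: str) -> bool:
    # Compare digests in constant time; refuse to use the artifact on
    # mismatch rather than logging and continuing.
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())


# Assumed schema for user-supplied settings: key -> required type.
SETTINGS_SCHEMA = {"theme": str, "page_size": int}


def load_untrusted_settings(payload: bytes) -> dict:
    # JSON can only produce dicts, lists, strings, numbers, bools and
    # None, so parsing it never runs code. Native serializers such as
    # pickle reconstruct arbitrary objects and must not see untrusted
    # input. Unknown keys are dropped and types are enforced.
    obj = json.loads(payload.decode("utf-8"))
    if not isinstance(obj, dict):
        raise ValueError("settings must be a JSON object")
    out = {}
    for key, expected_type in SETTINGS_SCHEMA.items():
        if key in obj:
            value = obj[key]
            # bool is a subclass of int in Python; reject it explicitly.
            if isinstance(value, bool) or not isinstance(value, expected_type):
                raise ValueError(f"bad type for {key}")
            out[key] = value
    return out


def settings_accepted(payload: bytes) -> bool:
    """True if the payload parses under the schema, False otherwise."""
    try:
        load_untrusted_settings(payload)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    print(verify_artifact(ARTIFACT, PINNED_SHA256))          # True
    print(verify_artifact(ARTIFACT + b"#", PINNED_SHA256))   # False
    print(load_untrusted_settings(b'{"theme": "dark", "page_size": 20}'))
```

A digest pin protects against a modified download; it does not tell you the vetted version was trustworthy in the first place, which is what signature verification against the publisher's key adds.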


9. Security logging and monitoring failures

Formerly named “Using Components with Known Vulnerabilities”, this category is now termed “Security Logging and Monitoring Failures” and holds ninth position. Logging and monitoring aid companies in detecting and analyzing security incidents in real time. The category covers failures in detecting, escalating, and responding to active breaches. Without logging and monitoring, it is impossible to discover breaches.
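Detection only works if the application emits usable events and something watches them. As an added example (not from the article), the block below parses constructed authentication log lines and raises an alert when one source address accumulates too many failed logins inside a sliding window. The line format, field names, threshold and window are assumptions for the example.

```python
# Added example: brute-force detection over sample auth log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed line format: "<ISO8601 UTC> auth status=<ok|fail> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth status=(?P<status>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2022-03-01T10:00:01Z auth status=fail user=alice src=203.0.113.5
2022-03-01T10:00:03Z auth status=fail user=bob src=203.0.113.5
2022-03-01T10:00:05Z auth status=fail user=carol src=203.0.113.5
2022-03-01T10:00:07Z auth status=fail user=dave src=203.0.113.5
2022-03-01T10:00:09Z auth status=fail user=erin src=203.0.113.5
2022-03-01T10:00:11Z auth status=fail user=frank src=203.0.113.5
2022-03-01T10:00:12Z auth status=ok user=alice src=198.51.100.7
2022-03-01T10:00:20Z auth status=fail user=alice src=198.51.100.7
2022-03-01T10:05:00Z auth status=fail user=alice src=198.51.100.7
this line is not in the expected format
"""


def parse_line(line: str):
    """Return a dict of fields, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "status": m["status"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    # Sliding window per source address: keep the timestamps of recent
    # failures, drop those older than the window, and alert when the
    # count reaches the threshold. Returns [(src, peak_count_in_window)].
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != "fail":
            continue  # unparsable lines are skipped, not fatal
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["src"]] = max(alerts.get(ev["src"], 0), len(q))
    return sorted(alerts.items())


if __name__ == "__main__":
    for src, count in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {count} failed logins from {src} within 60s")
```

The same structure (parse, key by actor, window, threshold) carries over to other signals the text mentions, such as access-denied events per user, and the alert is only as good as the log line: the status, user and source must be recorded for every authentication attempt, while secrets such as the submitted password must not be.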


10. Server-Side Request Forgery

Server-Side Request Forgery is a risk category newly added in the 2021 list. It lets an attacker make the application fetch data from remote resources using URLs that the application has not validated. An attacker can exploit this vulnerability to scan internal ports, mount a DoS attack, or fetch the application’s internal metadata.
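The validation the text says is missing, as an added example that is not from the article: before the server fetches a user-supplied URL, the block below checks the scheme, rejects embedded credentials, requires the host to be on an allowlist, and resolves the host to confirm it does not point at a loopback, private, link-local or otherwise non-public address. The allowlist, the resolver interface and the sample URLs are assumptions for the example; the real resolver uses `socket.getaddrinfo`, and tests inject a constructed one so the block runs offline.

```python
# Added example: outbound URL validation against SSRF. Standard library only.
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist of hosts this service is permitted to call.
ALLOWED_HOSTS = frozenset({"api.example.com"})


class UnsafeURL(ValueError):
    """Raised when a URL must not be fetched server-side."""


def is_public_address(ip_str: str) -> bool:
    # Reject every address class that should never be reached from a
    # user-supplied URL: loopback, RFC 1918 / ULA, link-local (which
    # includes the cloud metadata range), multicast, reserved, unspecified.
    ip = ipaddress.ip_address(ip_str)
    return not (
        ip.is_loopback
        or ip.is_private
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def default_resolver(host: str) -> set:
    """Real DNS lookup: every address the host resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_outbound_url(url: str, resolver=default_resolver,
                          allowed_hosts=ALLOWED_HOSTS) -> str:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL("scheme not allowed")          # file://, gopher://, ...
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL")          # user@host confusion
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    if host not in allowed_hosts:
        raise UnsafeURL("host not allowlisted")        # also blocks raw IPs
    addresses = resolver(host)
    if not addresses:
        raise UnsafeURL("host does not resolve")
    for addr in addresses:
        if not is_public_address(addr):
            raise UnsafeURL("host resolves to a non-public address")
    return url


def is_safe_url(url: str, resolver=default_resolver,
                allowed_hosts=ALLOWED_HOSTS) -> bool:
    try:
        validate_outbound_url(url, resolver, allowed_hosts)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    # Constructed resolver so the demo runs offline.
    fake_dns = {"api.example.com": {"1.2.3.4"}}.get
    print(is_safe_url("https://api.example.com/v1/items", lambda h: fake_dns(h, set())))
    print(is_safe_url("http://169.254.169.254/latest/meta-data/", lambda h: fake_dns(h, set())))
```

Resolving and checking in the validator does not by itself pin the address the HTTP client later connects to (DNS answers can change between the check and the fetch), so the check belongs as close to the connection as the client library allows, and redirects must be validated the same way.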


Our web application security protects your site from all cyber threats. We have been safeguarding billions of online transactions across the globe. We use cyber security solutions to detect cyber risks with automated penetration testing methods. We have a certified team of virtual security experts who are well familiar with using AI-based automated scanners.
