🦉
Programming Notes
  • My Programming Notes
  • CKA Exam Preparation
    • Certified Kubernetes Administrator
    • Setup Minikube
    • Network Design Principles
    • Role-Based Access Control (RBAC)
    • Namespace
    • Resource Quota
    • Pod
    • Deployment
    • Deployment: Rollout
    • ConfigMap
    • Service
    • Service: kubectl expose
    • Pod: Resources Management
    • Pod & Container: Quality of Service Class
    • Pod & Container: Probes
    • Limit Range
    • Scaling: Manual
    • Scaling: Horizontal Pod Autoscaler
    • Persistent Volume & Claim
    • Secret
    • Ingress: Routing
    • Ingress: TLS
    • Ingress: Rate Limit
    • Ingress: Basic Auth
    • Ingress: CRD (Custom Resource Definition)
    • Job
    • CronJob
    • Mutli-Node Cluster
  • Golang
    • Generics
    • Context
    • Goroutines and Channels in Go
    • Goroutine: Concurrency vs Parallelism
    • Goroutine: Performance & Tradeoffs
    • JSON: omitzero
  • Rust
    • Arrays & Slices
    • Closures
    • Generics & Traits
    • Iterators
    • Run Code Simultaneously
    • String vs &str
    • Tests
    • Rustlings Exercises
      • Variables
      • Functions
      • If
      • Primitive Types
      • Vectors
      • Move Semantics
      • Structs
      • Enums and Matching Pattern
      • Strings
      • Modules
      • Hashmaps
      • Options
      • Error Handling
      • Generics
      • Traits
      • Lifetimes
      • Tests
      • Iterators
      • Smart Pointers
      • Threads
      • Macros
      • Quiz 1
      • Quiz 2
      • Quiz 3
  • Software Engineering
    • CAP Theorem
    • Circuit Breaker
    • Decoupling
    • GraphQL: Query Caching
    • HMAC Signature
    • Idempotency
    • Monolith VS Microservice
    • OWASP Top 10 2021
    • PCI DSS
    • PostgreSQL: Partitioning
    • PostgreSQL: Replication
    • Protobuf & gRPC
    • Redis: Streams
    • Resource Scaling
    • Signed URL
    • SOLID
    • Stack VS Heap
    • Stateful VS Stateless
  • Site Reliability Engineering
    • Chaos Engineering
    • Distributed Tracing
    • Kubernetes (k8s)
    • SLA, SLO, and SLI Metrics
    • Site Reliability Engineer
  • Others
    • FFMPEG Cheat sheet
Powered by GitBook
On this page
  • Broken Access Control
  • Cryptographic Failures
  • Injection
  • Insecure Design
  • Security Misconfiguration
  • Vulnerable and Outdated Components
  • Identification and Authentication Failures
  • Software and Data Integrity Failures
  • Security Logging and Monitoring Failures
  • Server-Side Request Forgery (SSRF)
  • References
  1. Software Engineering

OWASP Top 10 2021

PreviousMonolith VS MicroserviceNextPCI DSS

Last updated 1 month ago

The OWASP Top 10 is a regularly updated list of the most critical security risks to web applications, published by the Open Web Application Security Project (OWASP). It's designed to raise awareness of common vulnerabilities and provide guidance for mitigating them.

Source:

Here’s an in-depth look at each item in the OWASP Top 10 (2021):

Broken Access Control

  • Description: Occurs when users can access data or perform actions outside their intended permissions.

  • Examples:

    • Modifying a URL or request to access restricted resources (e.g., /admin instead of /user).

    • Using insecure direct object references (IDOR) to access unauthorized data.

  • Mitigation:

    • Enforce server-side access controls.

    • Use role-based access control (RBAC).

    • Log and monitor failed access attempts.

Cryptographic Failures

  • Description: Inadequate protection of sensitive data due to weak or improper cryptographic implementations.

  • Examples:

    • Storing passwords in plain text.

    • Using outdated encryption algorithms like MD5 or SHA-1.

    • Failing to encrypt sensitive data in transit (e.g., HTTP instead of HTTPS).

  • Mitigation:

    • Use strong encryption algorithms (e.g., AES-256 for data at rest, TLS 1.2+ for data in transit).

    • Store passwords using algorithms designed for hashing, like bcrypt or Argon2.

    • Implement proper key management.

Injection

  • Description: Occurs when untrusted data is sent to an interpreter as part of a query or command, allowing attackers to execute malicious commands.

  • Examples:

    • SQL Injection: SELECT * FROM users WHERE id = '$input'.

    • Command Injection: Executing OS commands through user input.

  • Mitigation:

    • Use prepared statements (parameterized queries).

    • Validate and sanitize input.

    • Use an ORM (Object-Relational Mapping) library.

Insecure Design

  • Description: Flaws in application design that leave it vulnerable, even if implemented securely.

  • Examples:

    • Lack of threat modeling or secure design patterns.

    • Failure to anticipate abuse cases during the design phase.

  • Mitigation:

    • Adopt a secure development lifecycle (SDLC).

    • Perform threat modeling.

    • Implement security by design principles.

Security Misconfiguration

  • Description: Errors in configuration that expose the application to risks.

  • Examples:

    • Using default credentials (e.g., admin/admin).

    • Overly permissive CORS policies.

    • Exposing unnecessary services or debug endpoints.

  • Mitigation:

    • Harden server configurations (disable unused services, limit privileges).

    • Use automated tools to detect misconfigurations.

    • Regularly review and update configurations.

Vulnerable and Outdated Components

  • Description: Using libraries, frameworks, or other software with known vulnerabilities.

  • Examples:

    • Relying on an old version of a library with security flaws.

    • Ignoring software dependency updates.

  • Mitigation:

    • Regularly update dependencies.

    • Use dependency-checking tools (e.g., OWASP Dependency-Check, Snyk).

    • Monitor vulnerability databases like NVD (National Vulnerability Database).

Identification and Authentication Failures

  • Description: Weaknesses in authentication mechanisms that allow unauthorized access.

  • Examples:

    • Missing multi-factor authentication (MFA).

    • Session fixation or weak session management.

    • Insecure password recovery processes.

  • Mitigation:

    • Implement strong MFA.

    • Use secure session management (e.g., regenerate session IDs after login).

    • Enforce strong password policies and secure recovery mechanisms.

Software and Data Integrity Failures

  • Description: Lack of integrity checks or use of untrusted software components.

  • Examples:

    • Failing to validate updates or dependencies for integrity.

    • Using unsigned software or libraries.

  • Mitigation:

    • Use code-signing and integrity checks.

    • Verify third-party libraries and ensure they are from trusted sources.

    • Implement CI/CD security measures.

Security Logging and Monitoring Failures

  • Description: Insufficient logging and monitoring to detect and respond to security breaches.

  • Examples:

    • Missing logs for sensitive actions.

    • No monitoring for suspicious activities.

  • Mitigation:

    • Log security-relevant events (e.g., authentication attempts, privilege changes).

    • Use centralized logging systems and SIEM tools.

    • Regularly review logs and set up alerts for anomalies.

Server-Side Request Forgery (SSRF)

  • Description: Exploiting server functionality to send unauthorized requests to internal or external resources.

  • Examples:

    • Accessing internal APIs or metadata services via SSRF.

    • Manipulating URLs in user input to gain unauthorized access.

  • Mitigation:

    • Restrict outbound network access from servers.

    • Validate and sanitize URLs in server-side requests.

    • Use a whitelist for permitted destinations.

References

https://owasp.org/www-project-top-ten/
https://owasp.org/www-project-top-ten/