Critical Security Risks

OWASP Top 10 - 2021

The most critical security risks for web applications according to OWASP

1
Broken Access Control
Critical
Restrictions on what authenticated users are allowed to do are not enforced on the server. Attackers exploit these flaws to read or modify other users' data, act outside their intended permissions, or use functionality reserved for other roles.

Examples

Modifying the URL or a request parameter such as 'id' to reach another user's record (insecure direct object reference)
Tampering with a session token, JWT or hidden form field to elevate privileges
Calling API endpoints that never check authentication or authorization (for example POST, PUT and DELETE on a resource that only guards GET)

Prevention

  • Implement role-based or attribute-based access control, enforced in server-side code rather than in the client
  • Deny access to resources by default, except for public ones
  • Re-check the session and the caller's permission for the specific record on every request (ownership, not just "logged in")
  • Rate limit API access to limit the damage from automated attack tooling
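The second example above, an 'id' parameter that is trusted because the caller is logged in, as an added illustration that is not code from the original page or from OWASP; the invoice store, the user ids and the role name "billing_admin" are assumptions:

```python
"""Insecure direct object reference (IDOR) and a deny-by-default fix.

Everything here is constructed for illustration: the invoice store, the
user ids and the role name "billing_admin" are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Session:
    """What the server knows about the caller after authentication."""
    user_id: int
    roles: frozenset = field(default_factory=frozenset)


# Constructed data: invoice id -> record. 102 belongs to a different user.
INVOICES = {
    101: {"owner": 1, "amount": "49.00"},
    102: {"owner": 2, "amount": "1200.00"},
}


def get_invoice_vulnerable(session, invoice_id):
    """Broken access control: being logged in is treated as permission to
    read any invoice. Changing ?id=101 to ?id=102 in the URL returns
    another user's data."""
    if session is None:
        raise PermissionError("login required")
    return INVOICES[invoice_id]


def get_invoice(session, invoice_id):
    """Deny by default: every request re-checks that this principal may
    read this specific record, on the server, from server-side state."""
    if session is None:
        raise PermissionError("login required")
    invoice = INVOICES.get(invoice_id)
    # Same error for "does not exist" and "not yours": a distinct 403 vs
    # 404 would let an attacker enumerate which ids exist.
    if invoice is None:
        raise PermissionError("not found or not permitted")
    if invoice["owner"] == session.user_id or "billing_admin" in session.roles:
        return invoice
    raise PermissionError("not found or not permitted")


def can_read_invoice(session, invoice_id):
    """Boolean view of the hardened check, handy for tests and audits."""
    try:
        get_invoice(session, invoice_id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    alice, bob = Session(1), Session(2)
    print("vulnerable handler, bob reads 101:", get_invoice_vulnerable(bob, 101))
    print("hardened handler, bob reads 101:", can_read_invoice(bob, 101))
```

The hardened handler makes the decision per request from server-side state and returns the same error for a missing record and a forbidden one, so the response does not tell an attacker which ids exist.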

2
Cryptographic Failures
Critical
Failures of cryptography, or its absence, that expose sensitive data: no encryption where it is needed, weak or obsolete algorithms, poor key management, or sound primitives used incorrectly.

Examples

Storing passwords in plaintext or with fast, unsalted hashes such as MD5 or SHA-1
Transmitting sensitive data in clear text (plain HTTP, FTP, SMTP without TLS)
Using obsolete algorithms or modes (DES, RC4, ECB), hard-coded keys, or keys that are never rotated

Prevention

  • Use current, standard algorithms, protocols and key lengths (AES-GCM, SHA-256 and above, TLS 1.2+); do not design your own
  • Encrypt all data in transit with TLS and enforce it with HSTS; encrypt sensitive data at rest
  • Store passwords with a salted, adaptive hash such as Argon2id, scrypt, bcrypt or PBKDF2, with a work factor tuned for your hardware
  • Manage keys properly: generate them randomly, keep them out of source code, and rotate them on a schedule and after any suspected compromise
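Password storage done the way the prevention list asks for, as an added example that is not part of the original page; the storage format "scrypt$N$r$p$salt$hash", the parameter choice (N=2**16, r=8, p=2, one of the configurations the OWASP Password Storage Cheat Sheet accepts) and the function names are assumptions:

```python
"""Password storage: a fast unsalted hash beside a salted, memory-hard one.

Added example; the storage format "scrypt$N$r$p$salt$hash" and the cost
parameters are assumptions (N=2**16, r=8, p=2 is one of the configurations
OWASP's Password Storage Cheat Sheet lists as acceptable).
"""
import base64
import hashlib
import hmac
import os

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 16, 8, 2
SCRYPT_MAXMEM = 128 * 1024 * 1024   # scrypt needs 128*N*r bytes = 64 MiB here
DKLEN = 32


def weak_hash(password):
    """What NOT to do: unsalted MD5 is deterministic and fast, so identical
    passwords collide and a GPU can test billions of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Salted scrypt; the parameters travel with the hash so they can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                        maxmem=SCRYPT_MAXMEM, dklen=DKLEN)
    return "$".join(["scrypt", str(n), str(r), str(p), _b64(salt), _b64(dk)])


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    try:
        alg, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if alg != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        n, r, p = int(n), int(r), int(p)
        if len(expected) < 16:
            return False
    except (ValueError, TypeError):
        return False
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                        maxmem=SCRYPT_MAXMEM, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored):
    """True when a stored hash uses weaker parameters than current policy;
    rehash on the next successful login, when the plaintext is available."""
    try:
        alg, n, r, p, *_ = stored.split("$")
        return alg != "scrypt" or (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
    except ValueError:
        return True
```

Unsalted MD5 gives the same output for the same password, which is what makes precomputed tables and GPU cracking practical; the scrypt variant is salted per password, memory-hard, and stores its own cost parameters so that needs_rehash can drive a gradual upgrade when the policy changes.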

3
Injection
Critical
User-supplied data reaches an interpreter (SQL, the OS shell, LDAP, HTML and JavaScript in the browser) without being validated, filtered or sanitized, so attacker-controlled input is parsed as commands or code instead of as data.

Examples

SQL Injection: ' OR '1'='1
XSS: <script>alert('XSS')</script>
Command Injection: & cat /etc/passwd

Prevention

  • Use parameterized queries or a properly used ORM for SQL; never build queries by string concatenation
  • Validate input server-side against a strict allowlist (type, length, format), as defence in depth rather than the primary control
  • Encode output for the context it lands in (HTML body, attribute, JavaScript, URL) rather than escaping a generic set of characters
  • Run OS commands with argument arrays instead of a shell string, and prefer frameworks and APIs that separate code from data by design
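Each of the three payloads above run against a vulnerable and a hardened version of the same code, as an added example that is not code from the original page; the schema, data and function names are constructed for the demonstration:

```python
"""The three injection payloads from the page, each against a vulnerable
and a hardened version of the same code. Added example; the schema, data
and function names are constructed for illustration.
"""
import html
import re
import sqlite3


def make_db():
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2")])
    return conn


# --- SQL injection -------------------------------------------------------
def find_user_vulnerable(conn, username):
    """String-built query: the input becomes part of the SQL grammar.
    With username = ' OR '1'='1 the WHERE clause is always true."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Parameterised query: the driver sends the value separately, so the
    same payload is just a username nobody has."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# --- Cross-site scripting ------------------------------------------------
def render_comment_vulnerable(comment):
    return "<p>%s</p>" % comment   # <script> in the comment runs in the victim's browser


def render_comment(comment):
    """Escape for the HTML body context; attributes, JavaScript and URLs
    each need their own encoder."""
    return "<p>%s</p>" % html.escape(comment, quote=True)


# --- OS command injection ------------------------------------------------
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def shell_command_vulnerable(host):
    """Would be handed to os.system(): '& cat /etc/passwd' appends a second command."""
    return "ping -c 1 " + host


def ping_argv(host):
    """Validate against a strict hostname grammar and build an argv list for
    subprocess.run(argv), so no shell ever parses the input."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def is_valid_hostname(host):
    return HOSTNAME_RE.fullmatch(host) is not None
```

Parameterisation, context-aware output encoding and argv-style process execution share one idea: the untrusted value never reaches the interpreter's parser as syntax.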

4
Insecure Design
High
Flaws in the design or architecture itself rather than in its implementation: a perfectly written implementation of an insecure design is still insecure, so these issues need design changes, not code fixes.

Examples

No defence in depth, so a single authentication or authorization check protects a sensitive flow and one bypass compromises it
A design that grants direct access to sensitive resources instead of mediating every access through a checked interface
Business logic with no abuse cases considered, such as a workflow whose steps can be replayed, skipped or retried without limit

Prevention

  • Implement a secure design process
  • Perform threat modeling during design
  • Use secure design patterns
  • Document and review security architecture

5
Security Misconfiguration
High
Missing or insecure configuration anywhere in the stack: overly permissive cloud service permissions, unnecessary features or services enabled, insecure defaults left in place, or missing hardening.

Examples

Servers that return stack traces or other detailed error messages to users
Debug features or default accounts and passwords still enabled in production
Overly permissive file, directory or cloud storage permissions

Prevention

  • Implement a repeatable, automated hardening process so every environment is configured identically
  • Keep systems updated and remove unused features, services, accounts and sample content
  • Ship with secure defaults (debug off, generic error pages, least-privilege permissions)
  • Audit configurations regularly and on every change
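An audit over a constructed settings dictionary covering the three examples above, plus the error handler that keeps detail out of responses, as an added illustration not from the original page; the setting names are assumptions modelled on common web frameworks rather than any particular product's configuration:

```python
"""Configuration audit for the misconfigurations listed on the page, run
against a constructed "bad" and "hardened" settings dict. Added example;
the setting names are assumptions modelled on common web frameworks.
"""
import stat
import uuid

DEFAULT_CREDENTIALS = {"admin", "password", "changeme", ""}

BAD_CONFIG = {
    "ENV": "production",
    "DEBUG": True,                      # interactive debugger / stack traces to clients
    "SHOW_DETAILED_ERRORS": True,
    "ADMIN_PASSWORD": "admin",          # default credential never changed
    "DIRECTORY_LISTING": True,
    "SECRETS_FILE_MODE": 0o644,         # world-readable secrets
    "CORS_ALLOW_ORIGIN": "*",
    "CORS_ALLOW_CREDENTIALS": True,
}

HARDENED_CONFIG = {
    "ENV": "production",
    "DEBUG": False,
    "SHOW_DETAILED_ERRORS": False,
    "ADMIN_PASSWORD": "REPLACED-BY-SECRET-MANAGER",   # placeholder, not a real secret
    "DIRECTORY_LISTING": False,
    "SECRETS_FILE_MODE": 0o600,
    "CORS_ALLOW_ORIGIN": "https://app.example.com",
    "CORS_ALLOW_CREDENTIALS": True,
}


def audit_config(cfg):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    prod = cfg.get("ENV") == "production"
    if prod and cfg.get("DEBUG"):
        findings.append("DEBUG enabled in production")
    if prod and cfg.get("SHOW_DETAILED_ERRORS"):
        findings.append("detailed error messages returned to clients")
    if cfg.get("ADMIN_PASSWORD", "").lower() in DEFAULT_CREDENTIALS:
        findings.append("default or empty admin credential")
    if cfg.get("DIRECTORY_LISTING"):
        findings.append("directory listing enabled")
    mode = cfg.get("SECRETS_FILE_MODE")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("secrets file accessible to group/others (mode %o)" % mode)
    if cfg.get("CORS_ALLOW_ORIGIN") == "*" and cfg.get("CORS_ALLOW_CREDENTIALS"):
        findings.append("CORS wildcard origin combined with credentials")
    return findings


def error_response(exc, cfg):
    """Generic message to the client; the detail stays in server logs,
    linked by a correlation id the user can quote to support."""
    correlation_id = uuid.uuid4().hex
    body = {"error": "internal error", "id": correlation_id}
    if cfg.get("SHOW_DETAILED_ERRORS"):
        body["detail"] = repr(exc)      # only acceptable outside production
    return body
```

Running the same audit in CI against every environment's rendered configuration is what turns "perform regular configuration audits" into something that actually happens on each change.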

6
Vulnerable and Outdated Components
High
Use of components with known vulnerabilities, or components that are unsupported or out of date, at any tier: the OS, web and application server, database, frameworks, libraries and their transitive dependencies.

Examples

Using old versions of jQuery with known XSS flaws
A dependency with a known remote code execution vulnerability, reachable from user input
Frameworks past end of life that no longer receive security patches

Prevention

  • Maintain an inventory (SBOM) of client- and server-side components and their versions
  • Monitor sources such as CVE/NVD, OSV and vendor advisories for vulnerabilities in those components
  • Update, patch or remove components through a regular process, prioritised by exposure
  • Use software composition analysis tools in CI, and obtain components only from official sources over secure links
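An inventory check over a constructed requirements file, as an added example not from the original page; the package names and advisories are fictional and the advisory format is an assumption (real feeds: OSV, the GitHub Advisory Database, NVD), so this shows the matching logic rather than real vulnerability data:

```python
"""Dependency inventory check: parse a pinned requirements file and match it
against an advisory feed. Added example; the advisory entries and package
names are fictional and constructed for the demonstration, and the advisory
format is an assumption (real feeds: OSV, GitHub Advisory DB, NVD).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: tuple           # every version below this is affected
    summary: str


# Constructed, fictional advisories -- not real CVEs.
ADVISORIES = [
    Advisory("examplelib", (2, 4, 1), "fictional: template loader allows remote code execution"),
    Advisory("sample-ui", (3, 5, 0), "fictional: DOM-based XSS in HTML parser"),
]

# Constructed requirements file for the demonstration.
REQUIREMENTS = """\
# application dependencies
examplelib==2.3.0
sample-ui==3.5.1
othertool          # unpinned: cannot be audited or reproduced
"""


def parse_version(text):
    """Compare numerically: as strings, "10.0.0" < "9.0.0", which hides
    upgrades. Real code should use packaging.version, which also handles
    pre-release tags like 1.2rc1 that this simple parser rejects."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text):
    """Return {package: version-or-None}, ignoring comments and blank lines."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            inventory[name.strip().lower()] = version.strip()
        else:
            inventory[line.lower()] = None
    return inventory


def audit_dependencies(text, advisories=ADVISORIES):
    """List of (package, finding) pairs: matched advisories and unpinned entries."""
    findings = []
    for name, version in parse_requirements(text).items():
        if version is None:
            findings.append((name, "not pinned to a version"))
            continue
        for adv in advisories:
            if adv.package == name and parse_version(version) < adv.fixed_in:
                fixed = ".".join(str(n) for n in adv.fixed_in)
                findings.append((name, "%s (fixed in %s)" % (adv.summary, fixed)))
    return findings
```

The unpinned entry is reported as a finding in its own right: a component whose version is unknown cannot be matched against any advisory, which is the practical reason the inventory has to come first.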

7
Identification and Authentication Failures
High
Failures in confirming the user's identity, authenticating them, and managing the resulting session.

Examples

Weak, default or known-breached passwords accepted
Sessions that don't expire, or session IDs that are exposed in the URL or not rotated after login
Multi-factor authentication missing, and credential stuffing or brute force attacks not prevented

Prevention

  • Implement multi-factor authentication to stop credential stuffing and password reuse attacks
  • Enforce strong password policies and check new passwords against breached-password lists; do not force periodic changes, which push users toward weaker, predictable passwords
  • Manage sessions securely: random high-entropy IDs, rotation after login, server-side invalidation on logout, and idle and absolute timeouts
  • Limit or delay failed login attempts and alert on brute force, without revealing whether a username exists
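Session management and brute-force lockout for a login endpoint, as an added example that is not code from the original page; the timeouts and thresholds, the injected password check (normally the salted-hash verification from the cryptographic failures section) and the FakeClock are assumptions, and MFA is not shown:

```python
"""Session handling and brute-force lockout for a login endpoint. Added
example; the timeouts, lockout thresholds, the injected password check and
the FakeClock are assumptions. MFA is out of scope here.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard cap regardless of activity
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


class AuthService:
    def __init__(self, check_password, clock=time.time):
        self._check = check_password    # callable(username, password) -> bool
        self._clock = clock             # injectable for tests
        self._sessions = {}             # token -> {"user", "created", "last_seen"}
        self._failures = {}             # username -> (count, locked_until)

    def login(self, username, password):
        """Return a session token, or None for any failure. Locked accounts
        and bad passwords get the same answer so usernames are not enumerable."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return None
        if not self._check(username, password):
            count += 1
            if count >= MAX_FAILURES:
                locked_until, count = now + LOCKOUT_SECONDS, 0
            self._failures[username] = (count, locked_until)
            return None
        self._failures.pop(username, None)
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a sequential id
        self._sessions[token] = {"user": username, "created": now, "last_seen": now}
        return token

    def user_for(self, token):
        """Resolve a token to a user, enforcing idle and absolute expiry."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if (now - session["created"] > ABSOLUTE_TIMEOUT
                or now - session["last_seen"] > IDLE_TIMEOUT):
            self.logout(token)
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token):
        """Invalidate server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(token, None)

    def is_locked(self, username):
        return self._clock() < self._failures.get(username, (0, 0.0))[1]


class FakeClock:
    """Constructed clock so expiry can be exercised without sleeping."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now
```

Per-account lockout is a trade-off: it blocks online guessing but lets an attacker lock a victim out, which is why it is usually combined with per-source rate limiting and MFA rather than used alone.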

8
Software and Data Integrity Failures
Medium
Code and infrastructure that do not protect against integrity violations: updates, critical data, plugins, libraries or CI/CD pipelines are trusted without verification.

Examples

Downloading code or updates without verifying a digest or signature
Auto-update mechanisms that apply unsigned updates
Dependencies pulled from untrusted sources, repositories or CDNs

Prevention

  • Verify digests or signatures of every downloaded artifact before using it
  • Sign code and releases, and verify the signatures on install and update
  • Pin dependencies with hashes and take them only from trusted repositories, with a vetted internal mirror for high-risk profiles
  • Protect the CI/CD pipeline: review changes to its definitions, restrict its credentials, and verify what it produces
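Integrity checks for code fetched at build or page-load time, as an added example not from the original page: Subresource Integrity tokens as used in a script tag's integrity attribute, and a pinned digest as used in package lock files. The sample script bytes are constructed; signature verification (Sigstore, GPG) is the next step up and is not shown:

```python
"""Integrity checks for fetched code: Subresource Integrity (SRI) strings as
used in <script integrity="..."> and pinned SHA-256 digests as used by
package lock files. Added example; the sample script bytes are constructed.
"""
import base64
import hashlib
import hmac

SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def make_sri(content, algorithm="sha384"):
    """Produce an integrity token, e.g. "sha384-<base64 digest>"."""
    digest = hashlib.new(algorithm, content).digest()
    return "%s-%s" % (algorithm, base64.b64encode(digest).decode("ascii"))


def verify_sri(content, integrity):
    """Apply the SRI rule: of the listed tokens, use the strongest known
    algorithm and accept if any digest for that algorithm matches.
    Stricter than a browser in one respect: if no token uses a known
    algorithm this returns False instead of skipping the check."""
    by_algorithm = {}
    for token in integrity.split():
        algorithm, sep, digest_b64 = token.partition("-")
        if sep and algorithm in SRI_STRENGTH:
            try:
                decoded = base64.b64decode(digest_b64, validate=True)
            except ValueError:
                continue
            by_algorithm.setdefault(algorithm, []).append(decoded)
    if not by_algorithm:
        return False
    strongest = max(by_algorithm, key=SRI_STRENGTH.get)
    actual = hashlib.new(strongest, content).digest()
    return any(hmac.compare_digest(actual, d) for d in by_algorithm[strongest])


def digest_hex(content, algorithm="sha256"):
    return hashlib.new(algorithm, content).hexdigest()


def verify_pinned(content, expected_hex, algorithm="sha256"):
    """Lock-file style check: the digest was recorded when the dependency
    was first reviewed, so a swapped artifact fails even if served over TLS."""
    return hmac.compare_digest(digest_hex(content, algorithm), expected_hex.lower())


# Constructed artifact standing in for a downloaded script or package.
SCRIPT = b"window.app = { version: '1.0' };\n"
```

TLS only proves which server delivered the bytes; a pinned digest or signature proves they are the bytes that were reviewed, which is the property a compromised CDN or repository would break.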

9
Security Logging and Monitoring Failures
Medium
Insufficient logging, detection, monitoring and active response, so that breaches cannot be detected, escalated or investigated and incident response has nothing to work with.

Examples

Auditable events such as logins, failed logins and high-value transactions not logged
Logs without the context needed to investigate (timestamp, user, source IP, action, request id), or stored only locally
No alerting on suspicious activity, so attacks are not noticed in time to respond

Prevention

  • Log all authentication, access control and input validation failures with enough user context to identify suspicious accounts
  • Centralize logs in a SIEM, in a format it can parse, and protect them from tampering (append-only storage)
  • Configure alerts for critical events and define an incident response and recovery plan
  • Retain logs for the required period, and never log secrets such as passwords, tokens or card numbers
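Structured security event logging plus one correlation rule of the kind a SIEM would run over the resulting lines, as an added example not from the original page; the field names, thresholds and the sample log lines are constructed:

```python
"""Structured security event logging plus a small correlation rule over the
resulting lines. Added example; the field names, thresholds and the sample
log lines are constructed for the demonstration.
"""
import collections
import json
from datetime import datetime, timedelta, timezone

REDACTED_KEYS = {"password", "token", "secret", "authorization"}


def security_event(event, outcome, user, src_ip, request_id, ts=None, **extra):
    """One JSON line per event: who, what, from where, when, and the
    request id that links it to application logs. Secrets never go in."""
    record = {
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "event": event,            # e.g. "login", "access_denied", "input_rejected"
        "outcome": outcome,        # "success" or "failure"
        "user": user,
        "src_ip": src_ip,
        "request_id": request_id,
    }
    for key, value in extra.items():
        record[key] = "[redacted]" if key.lower() in REDACTED_KEYS else value
    return json.dumps(record, sort_keys=True)


def failed_login_alerts(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert once per source IP when failed logins within `window` reach
    `threshold`; the kind of rule a SIEM would run on these events."""
    recent = collections.defaultdict(collections.deque)
    alerts = []
    alerted = set()
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") != "login" or rec.get("outcome") != "failure":
            continue
        ts = datetime.fromisoformat(rec["ts"])
        bucket = recent[rec["src_ip"]]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # slide the window
            bucket.popleft()
        if len(bucket) >= threshold and rec["src_ip"] not in alerted:
            alerted.add(rec["src_ip"])
            alerts.append({"src_ip": rec["src_ip"], "count": len(bucket), "last_ts": rec["ts"]})
    return alerts


def sample_lines():
    """Constructed log: a password-spraying source and a normal user typo."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):
        lines.append(security_event("login", "failure", "user%d" % i, "203.0.113.9",
                                    "req-%d" % i, ts=t0 + timedelta(seconds=5 * i),
                                    password="should-never-be-logged"))
    lines.append(security_event("login", "failure", "alice", "198.51.100.7", "req-a",
                                ts=t0 + timedelta(seconds=20)))
    lines.append(security_event("login", "success", "alice", "198.51.100.7", "req-b",
                                ts=t0 + timedelta(seconds=25)))
    return lines
```

The redaction step matters as much as the detection rule: a log that contains passwords or tokens turns the SIEM into the most valuable target on the network.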

10
Server-Side Request Forgery (SSRF)
Medium
SSRF occurs when a web application fetches a remote resource without validating the user-supplied URL, letting an attacker make the server send requests to destinations of their choosing, including ones behind a firewall or VPN.

Examples

Access to cloud instance metadata services (for example 169.254.169.254), which can expose credentials
Port scanning of internal hosts using response timing and error differences
Access to internal admin interfaces and services that trust the application server's network position

Prevention

  • Validate URLs strictly: allowed schemes only, no userinfo, and reject hosts that resolve to private, loopback or link-local addresses (deny lists and regexes alone are bypassable)
  • Use an allowlist of permitted hosts and ports
  • Disable HTTP redirects in the fetching client, and connect to the address that was validated rather than re-resolving it
  • Segment the fetching component onto its own network with deny-by-default egress rules, and do not send raw responses back to the client
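URL validation for a server-side fetcher, covering the three examples above, as an added illustration that is not code from the original page; the host allowlist and the resolver hook are assumptions:

```python
"""URL validation for a server-side fetcher. Added example; the host
allowlist and the resolver hook are assumptions. The function returns the
resolved address so the caller can connect to that exact IP (no DNS
rebinding between check and use) and must also refuse to follow redirects.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}   # assumed allowlist


def resolve_all(host):
    """Default resolver: every A/AAAA record, so no address escapes the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    """Reject loopback, RFC 1918, link-local (incl. 169.254.169.254 metadata),
    multicast, unspecified and reserved ranges, for v4 and v6 alike."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:10.0.0.1 is really 10.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url, resolve=resolve_all):
    """Return {"url", "host", "ip"} for an acceptable URL or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed")    # https://allowed.host@10.0.0.1/
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist")
    try:
        port = parts.port
    except ValueError:
        raise ValueError("invalid port") from None
    if port not in (None, 443):
        raise ValueError("port not allowed")
    addresses = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addresses or not all(is_public_address(a) for a in addresses):
        raise ValueError("host resolves to a non-public address")
    return {"url": url, "host": host, "ip": str(addresses[0])}


def is_safe_fetch_url(url, resolve=resolve_all):
    try:
        validate_fetch_url(url, resolve)
        return True
    except ValueError:
        return False
```

Connect to the returned ip rather than re-resolving the host, and fetch with redirects disabled (for example requests.get(url, allow_redirects=False)); otherwise a permitted host can redirect the fetcher to the metadata address after the check has passed.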
