OWASP Top 10 (2021)


1. Broken Access Control (A01:2021)

Allows an attacker to gain access to user accounts. The attacker in this context can act as a user or as an administrator in the system.

2. Cryptographic Failures (A02:2021)

Occurs when important stored or transmitted data is compromised. (Formerly known as sensitive data exposure.)

3. Injection (A03:2021)

An injection occurs when an attacker sends invalid data into a web application in order to make the application do something it was not designed to do.

4. Insecure Design (A04:2021)

Risks related to design flaws.

5. Security Misconfiguration (A05:2021)

Design or configuration weaknesses that result from an error or shortcoming.

6. Vulnerable and Outdated Components (A06:2021)

Components with known vulnerabilities, such as those with published CVEs, should be identified and patched; stale or malicious components should be evaluated for viability and for the risk they may introduce.

7. Identification and Authentication Failures (A07:2021)

When functions related to authentication and session management are implemented incorrectly, attackers can compromise passwords, keys, and sessions, which can lead to stolen user identities and more. (Previously known as broken authentication.)

8. Software and Data Integrity Failures (A08:2021)

Software updates, critical data, and CI/CD pipelines are used without verifying their integrity. This category also covers insecure deserialization, which allows an attacker to remotely execute code on the system.

9. Security Logging and Monitoring Failures (A09:2021)

Logging and monitoring are activities that should be performed on a website frequently. Failure to do so leaves the site vulnerable to more severe compromise.

10. Server-Side Request Forgery (A10:2021)

Happens when a web application fetches a remote resource without validating the user-supplied URL. This allows an attacker to make the application send a crafted request to an unexpected destination, even when the system is protected by a firewall, VPN, or network access control list. The severity and incidence of SSRF attacks are increasing because of cloud services and the growing complexity of architectures.
