OWASP Top 10 Breaches of 2021. What You Need to Know!

June 12, 2022
in Ethical Hacking, Web Security

In the past year, a number of high-profile data breaches have come to light.
These include both major companies and smaller organizations.
While the causes of these breaches vary, they all have one thing in common: better cybersecurity practices could have prevented them.
The Open Web Application Security Project (OWASP) is a nonprofit organization that works to improve the security of software. As part of this mission, they maintain a list of the top 10 most common security risks.
The organization updates this list annually and released the most recent version in December 2020. Here are the top 10 OWASP breaches of 2021, along with some general tips on how to prevent them.

OWASP released its list of the top 10 breaches of 2021. What were the most prevalent vulnerabilities?

  • Broken Access Control: This occurs when an application does not properly restrict access to sensitive data or resources. It can allow unauthorized users to read data or perform actions that they should not be able to.
  • Cryptographic Failures: A cryptographic failure is a vulnerability in a cryptographic system that allows an attacker to break the system and gain access to the data it is meant to protect. Cryptographic failures can occur due to a number of reasons, including poor design, implementation errors, and weak cryptographic keys.
  • Injection: This occurs when the application passes untrusted input to an interpreter (such as a SQL, OS, or LDAP command) without validating or escaping it. It can allow attackers to execute malicious code, access sensitive data, or modify application data.
  • Insecure Design: Insecure design is a broad category that covers weaknesses in the design of the system itself, as opposed to its implementation.
    This means that the controls that should be in place to keep the system or software secure are either missing or not effective, which leads to vulnerabilities that attackers can exploit. One of the factors that contributes to insecure design is the lack of business risk profiling for the software or system being developed, and thus the failure to determine the required level of security design.
  • Security Misconfiguration: The application might be vulnerable if:
    • it doesn’t have the right security hardening across the whole application, or its cloud services are badly configured;
    • unnecessary features are present, such as unneeded open ports or active services;
    • default accounts are still enabled;
    • error handling reveals too much information to users.
  • Vulnerable and Outdated Components: This vulnerability occurs if the versions of some of the components you use are vulnerable or out of date.
  • Identification and Authentication Failures: Identification and authentication failures happen when the application cannot confirm that a user is who they claim to be. This can happen if the application permits automated attacks, like credential stuffing or brute force attacks. It can also happen if the application uses weak or ineffective credential recovery processes.
  • Software and Data Integrity Failures: Integrity failures happen when code or infrastructure does not verify the integrity of the software and data it relies on. This can happen when an app relies on plugins, libraries, or modules from untrusted sources, like repositories or content delivery networks (CDNs), or when an update mechanism does not verify what it downloads.
    Attackers could potentially upload their own updates to be distributed and run on all installations.
    Another example is insecure deserialization: objects or data are encoded or serialized into a structure that an attacker can see and modify, and the application trusts that structure when it deserializes it.
  • Security Logging and Monitoring Failures: Without logging and monitoring, breaches are very hard to detect. This means that if something goes wrong, it might be hard to find and fix the problem before it’s too late.
  • Server-Side Request Forgery: Some web applications allow users to fetch a URL, but don’t properly validate the user-supplied URL. This flaw is called SSRF (Server-Side Request Forgery). An attacker can use SSRF to coerce the application to send a crafted request to an unexpected destination, even with the protection of a firewall, VPN, or another type of network access control list (ACL). This can allow the attacker to access sensitive information or launch further attacks.
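The SSRF entry above says the root cause is a user-supplied URL that is not properly validated. The following is an added example, not code from the original post, of the validation a "fetch a URL" feature should perform before it sends the request: an allow-list of schemes and hosts, rejection of userinfo tricks, and a check that every address the name resolves to is public. The host allow-list and the DNS answers are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allow-list of the only hosts the "fetch a URL" feature may
# contact; a real deployment would load these from configuration.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}

def live_resolver(hostname):
    """Resolve a hostname with the system resolver; returns a set of IPs."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}

def is_safe_fetch_target(url, resolver=live_resolver):
    """Return (ok, reason); ok is True only when every check passes."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"          # allowed-host@other-host
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    # An allow-listed name can still point at an internal address (DNS
    # rebinding, hijacked record), so every resolved address is checked.
    try:
        addrs = resolver(host)
    except OSError:
        return False, "DNS resolution failed"
    if not addrs:
        return False, "name resolved to nothing"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:   # loopback, private, link-local, reserved...
            return False, f"resolves to non-public address {addr}"
    return True, "ok"

# Constructed DNS answers so the example runs offline (not real records).
SAMPLE_DNS = {"images.example.com": {"8.8.8.8"},
              "cdn.example.com": {"169.254.169.254"}}   # rebinding case

def sample_resolver(hostname):
    return SAMPLE_DNS.get(hostname, set())

if __name__ == "__main__":
    for u in ["https://images.example.com/logo.png",
              "https://cdn.example.com/a.js",
              "http://127.0.0.1:8080/admin",
              "https://images.example.com@cdn.example.com/x",
              "ftp://images.example.com/x"]:
        print(u, "->", is_safe_fetch_target(u, sample_resolver))
```

Run the check immediately before issuing the request and disable automatic redirect following (or re-validate every hop), otherwise an allow-listed host can redirect the client to an internal address after validation has passed.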

Steps that an organization can take to protect itself

Failing to address these vulnerabilities can have a number of consequences. These include data breaches, loss of customer trust, damage to reputation, and financial losses. Reading the list and protecting against those specific vulnerabilities is a big step forward; in addition, there are a number of general precautions that an organization can put in place:

  • Implementing strong authentication and session management controls.
  • Validating and sanitizing all input.
  • Restricting access to sensitive data and resources.
  • Configuring applications securely.
  • Enabling logging and monitoring.
  • Using secure communications protocols.
  • Implementing security controls.
  • Designing applications with security in mind.
  • Following change management procedures.

Conclusion

In conclusion, the OWASP top 10 list for 2021 is a great resource for organizations to use to improve their cybersecurity practices. By taking steps to address the most common security risks, organizations can protect themselves from data breaches and other consequences.
