
OWASP Top 10 2017 vs 2021

The Open Web Application Security Project (OWASP) is an international non-profit organization that produces freely available articles, methodologies, documentation, tools and technologies in the field of web application security. To help teams avoid the most common web application vulnerabilities, such as broken access control, injection and security misconfiguration, the OWASP Foundation publishes the OWASP Top 10, a regularly updated awareness document that describes the ten most critical security risks to web applications.


What follows is a brief summary of what has changed in the OWASP Top 10 between the 2017 and 2021 editions.



A03:2021 - Injection 

The first change concerns injection. Injection was the top-ranked risk in 2017 (A1:2017) and drops to third position in 2021.

Injection is a class of vulnerability in which untrusted input is passed to an interpreter as part of a command or query, so that attacker-supplied data is parsed as code and the application does something it was never designed to do. SQL, OS command and LDAP injection are the classic examples. A07:2017-Cross-Site Scripting (XSS), which is itself a form of injection (attacker-controlled data interpreted as HTML or JavaScript by the browser), is no longer a separate category and has been merged into A03:2021-Injection.


A04:2021 - Insecure Design 

This is a new category for 2021, placed fourth in the list. It covers architectural flaws and design mistakes in web applications: risks that exist because a necessary control (threat modeling, a secure design pattern, a sensible business-logic limit) was never designed in. A flawless implementation cannot fix an insecure design, which is why OWASP treats it separately from implementation bugs.


A05:2021 - Security Misconfiguration 

Security Misconfiguration moved up from sixth position in 2017 to fifth in 2021. It covers improperly configured security settings, permissions and controls (default accounts, unnecessary features left enabled, verbose error messages, missing security headers, overly permissive cloud storage) that can lead to vulnerabilities and unauthorized access. The former category A4:2017-XML External Entities (XXE) is now part of this risk category, since an XXE vulnerability is at bottom a misconfigured XML parser.


A08:2021 - Software and Data Integrity Failures 

This is a new category for 2021. Software and Data Integrity Failures focuses on code, software updates, critical data, CI/CD pipelines and infrastructure that are not protected against integrity violations: for example, an application that pulls plugins or updates from untrusted sources without verifying a signature, or a pipeline whose build artifacts can be modified before deployment. The former category A8:2017-Insecure Deserialization is now part of this category, because deserializing untrusted data is one more way of accepting input whose integrity has not been verified.
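Both halves of this category in one added example (not code from the original post): first the deserialization side, where a Python `pickle` stream can name any callable and `pickle.loads` will run it, with an allow-listing `Unpickler` subclass as the fix; then the integrity side, where serialized data is authenticated with an HMAC before it is parsed. The `Payload` class, the `record_execution` callable (standing in for `os.system`), the OrderedDict sample and the key are all constructed for the demo.

```python
import hashlib
import hmac
import io
import json
import pickle
from collections import OrderedDict

# Constructed for this example: a class whose __reduce__ tells pickle to call
# record_execution() when the stream is loaded. An attacker would name
# os.system or subprocess.Popen here; this callable only records that it ran.
EXECUTED = []


def record_execution(marker):
    EXECUTED.append(marker)
    return marker


class Payload:
    def __reduce__(self):
        return (record_execution, ("code ran during unpickle",))


def build_malicious_pickle() -> bytes:
    return pickle.dumps(Payload())


def build_benign_pickle() -> bytes:
    # A legitimate object that references a class (collections.OrderedDict).
    return pickle.dumps(OrderedDict(user="alice", roles=["admin"]))


def load_vulnerable(data: bytes):
    # VULNERABLE: pickle.loads imports and calls whatever the stream names.
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    # FIX 1: allow-list the globals a stream may reference. Plain str/int/list/
    # dict never reach find_class; only the classes listed here can be loaded.
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# FIX 2: integrity protection. The producer (a build server, an update service)
# signs the serialized bytes with a shared secret; the consumer verifies the tag
# before parsing, and parses a data-only format (JSON) rather than pickle.
TAG_LEN = hashlib.sha256().digest_size


def sign_blob(key: bytes, obj) -> bytes:
    data = json.dumps(obj, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).digest() + data


def verify_and_load(key: bytes, blob: bytes):
    tag, data = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed: blob tampered with or not signed by a trusted key")
    return json.loads(data)


def tamper(blob: bytes, obj) -> bytes:
    # Keep the original tag but swap the payload, as an attacker in the path would.
    return blob[:TAG_LEN] + json.dumps(obj, sort_keys=True).encode()


if __name__ == "__main__":
    malicious = build_malicious_pickle()
    print("vulnerable load ->", load_vulnerable(malicious), "| executed:", EXECUTED)
    try:
        load_restricted(malicious)
    except pickle.UnpicklingError as exc:
        print("restricted load ->", exc)
    print("restricted benign ->", dict(load_restricted(build_benign_pickle())))

    key = b"0123456789abcdef0123456789abcdef"          # constructed demo key
    update = sign_blob(key, {"version": "1.2.3", "sha256": "abc"})
    print("verified update ->", verify_and_load(key, update))
    try:
        verify_and_load(key, tamper(update, {"version": "9.9.9-backdoor", "sha256": "abc"}))
    except ValueError as exc:
        print("tampered update ->", exc)
```

The allow-list is a mitigation, not a cure: even a permitted class can have surprising behaviour on load, so the stronger position is to never deserialize untrusted input with a native serializer at all. The HMAC step is the integrity control the category is about; in a real update channel it would be a digital signature (so the consumer holds only a public key), but the shape is the same: verify first, parse second.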


A10:2021 - Server-Side Request Forgery (SSRF)

SSRF is a web security vulnerability that occurs when a web application fetches a remote resource from a URL or host name that the attacker fully or partly controls, without validating the destination. The attacker supplies a URL that points at internal services or at the application server itself, so the server makes the connection on the attacker's behalf. This gives the attacker access to resources that are not reachable from the outside because of a firewall, VPN or ACL, and it is often chained with other weaknesses because the internal request arrives from a trusted host.
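A destination check of the kind that prevents this, as an added example that is not code from the original post: it enforces a scheme allow-list, rejects userinfo tricks like `http://trusted@internal/`, optionally enforces a host allow-list, and resolves the host so that every answer is tested against public-address rules (which catches loopback, RFC 1918 ranges, link-local addresses such as cloud metadata endpoints, and a DNS name that returns one public and one internal address). The DNS table is constructed so the code runs offline; a real implementation would call `socket.getaddrinfo` and, ideally, connect to the address it validated rather than let the HTTP client resolve the name a second time.

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table (not real records) so the check runs offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["93.184.216.35", "2606:4700::1111"],
    "rebind.example.com": ["93.184.216.36", "10.0.0.5"],   # one public, one internal answer
    "intranet.example.com": ["192.168.1.20"],
}


def resolve(host):
    return FAKE_DNS.get(host, [])


def is_public_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # which includes cloud metadata endpoints), multicast, reserved, etc.
    return ip.is_global


def check_outbound_url(url: str, resolver=resolve, allowed_hosts=None):
    """Return (True, "ok") if the server may fetch url, else (False, reason)."""
    try:
        parts = urlparse(url)
    except ValueError as exc:                       # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        # http://api.example.com@10.0.0.5/ looks trusted to a naive substring check.
        return False, "userinfo in URL not allowed"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host not on allow-list: {host!r}"
    try:
        answers = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        answers = resolver(host)
    if not answers:
        return False, f"host did not resolve: {host!r}"
    for ip in answers:                               # every answer must pass
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    samples = [
        "https://api.example.com/v1/users",
        "http://127.0.0.1:8080/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::1]/",
        "file:///etc/passwd",
        "http://api.example.com@10.0.0.5/",
        "http://rebind.example.com/",
        "http://intranet.example.com/",
    ]
    for url in samples:
        ok, reason = check_outbound_url(url)
        print(f"{'ALLOW' if ok else 'DENY '} {url:45} {reason}")
```

Where the application only ever needs a handful of destinations, pass `allowed_hosts` and the address check becomes defence in depth; where it must accept arbitrary URLs (webhooks, link previews), the resolution check is the primary control, and it should be repeated on every redirect the client follows.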

