OWASP 2013 vs 2017 vs 2021

Shifa Cyclewala
4 min read · Sep 22, 2021


What is OWASP?

→ Open Web Application Security Project
→ It is a non-profit foundation dedicated to improving the security of software. OWASP operates on an open community model, where anyone can participate in and contribute to projects, events, online chats, and more.

What is the OWASP Top 10?

→ The OWASP Top 10 is an online document on OWASP's website that ranks the ten most critical web application security risks and gives remediation guidance for each of them.

Why is OWASP important?

→ OWASP has maintained the Top 10 list since 2003. The list is updated every few years in line with advances and changes in the AppSec industry.

OWASP Top 10 2013 vs 2017

Key Differences:
Newly added: ↓
→ XXE (XML External Entities)
→ Insecure Deserialization
→ Insufficient Logging & Monitoring

Merged: ↓
→ Insecure Direct Object References (IDOR) + Missing Function Level Access Control (MFLAC) = Broken Access Control (BAC)

Injection:

→ Injection occurs when untrusted input reaches an interpreter (a program, website or database) as part of a command or query, so the attacker can run their own code or queries through the insecure code.
→ Examples: SQLi, LDAP injection, Python (code) injection, command injection, remote code execution

Fix: Source code review, SAST & DAST.

Broken Authentication:

→ An improperly implemented authentication mechanism that lets an attacker bypass login controls such as email/password, OTP or CAPTCHA.
→ Session-related issues such as session mismanagement and lack of expiration.

Fix: MFA System, Strong Session Management

Sensitive Data Exposure:

→ Any sensitive data, including source code, API keys, passwords etc., being disclosed
→ Directory listing, GitHub leaks, EXIF data

Fix: Data encryption, tokenization, proper key management, disabling response caching, Restricted access control

XML External Entities (XXE):

→ The attacker is able to include hostile XML content because of insecure code, integrations or dependencies in the application
→ Can lead to file disclosure, DoS and SSRF

Fix: Disabling external DTDs, whitelisting, server-side input validation
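"Disabling external DTDs" in practice, as an added example that is not from the post: a parser for untrusted XML built on Python's standard `xml.parsers.expat` that refuses any DOCTYPE before the body is processed. Both external entities (the XXE vector) and recursive entity expansion need a DTD to declare them, so rejecting the DTD outright closes both. The function and exception names and the sample documents are constructed for this illustration; in a real code base a hardened library such as defusedxml does the same job.

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when an untrusted document carries a DOCTYPE."""


def parse_untrusted_xml(data: str) -> dict:
    """Parse XML from an untrusted source, refusing any DTD.

    Returns a flat {tag: text} mapping of the leaf elements, which is
    enough for a form-style payload like an order or a profile update.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch external parameter entities (an external DTD subset).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        # Fires at the start of any <!DOCTYPE ...>, before entities are read.
        raise DtdNotAllowed(f"DOCTYPE '{name}' rejected in untrusted input")

    parser.StartDoctypeDeclHandler = reject_doctype

    leaves = {}   # tag -> text of leaf elements
    buf = []      # character data of the element currently open

    def start(name, attrs):
        buf.clear()

    def chars(text):
        buf.append(text)

    def end(name):
        text = "".join(buf).strip()
        if text:
            leaves[name] = text
        buf.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return leaves


if __name__ == "__main__":
    print(parse_untrusted_xml("<order><item>widget</item><qty>3</qty></order>"))
    try:
        parse_untrusted_xml('<!DOCTYPE order [<!ENTITY x "y">]><order><item>&x;</item></order>')
    except DtdNotAllowed as exc:
        print("rejected:", exc)
```

Rejecting the whole DOCTYPE is deliberately coarse: it avoids having to decide which entity declarations are harmless, and application payloads from clients almost never need a DTD in the first place.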

Broken Access Control:

→ The attacker is able to operate as another user or as an administrator in the system, i.e. to elevate privileges within the app
→ Privilege escalation: horizontal (same access level, another user's data) and vertical (higher access level)

Fix: Patch unintended access controls
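Both escalation directions with the server-side checks that stop them, as an added example that is not from the post: an object-level ownership check against horizontal access (the IDOR half of BAC) and a role check on a privileged function against vertical access (the MFLAC half). The users, invoices, roles and function names are constructed for this illustration.

```python
class Forbidden(PermissionError):
    """Raised when the caller is not allowed to perform the action."""


# Constructed sample data: users with roles, and invoices with an owner.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
INVOICES = {
    101: {"owner": "alice", "total": 40.0},
    102: {"owner": "bob", "total": 99.5},
}


def get_invoice(current_user: str, invoice_id: int) -> dict:
    """Object-level check against horizontal escalation.

    The invoice id comes from the client and is never trusted on its own:
    the record is loaded first, then its owner is compared to the caller.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        # Same error as "not yours", so ids cannot be enumerated by response type.
        raise Forbidden("invoice not accessible")
    role = USERS[current_user]["role"]
    if invoice["owner"] != current_user and role != "admin":
        raise Forbidden("invoice not accessible")
    return invoice


def deactivate_user(current_user: str, target: str) -> bool:
    """Function-level check against vertical escalation.

    The operation is tied to a role on the server side; hiding the button
    in the UI is not a control.
    """
    if USERS[current_user]["role"] != "admin":
        raise Forbidden("admin role required")
    user = USERS.get(target)
    if user is None:
        return False
    user["active"] = False
    return True


if __name__ == "__main__":
    print(get_invoice("alice", 101))          # own invoice: allowed
    try:
        get_invoice("alice", 102)             # bob's invoice: denied
    except Forbidden as exc:
        print("denied:", exc)
```

The pattern to notice is deny by default: every path that does not positively establish ownership or role ends in `Forbidden`, and a missing record is reported the same way as someone else's record.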

Security Misconfiguration:

→ Occurs when a configuration error leaves a design or deployment weakness in place
→ Apps running on default configurations, poorly secured systems

Fix: Update/patch the systems, replace default configs with hardened ones.

Cross-Site Scripting (XSS):

→ The attacker is able to get arbitrary attacker-supplied JavaScript loaded and executed in the application
→ Three types: Reflected, Stored, DOM-based

Fix: Input sanitization, HTML encoding

Insecure Deserialization:

→ In apps built on languages such as PHP or Ruby, deserialization flaws allow an attacker to execute code remotely on the system
→ The app deserializes hostile objects that were supplied by an attacker.

Fix: Do not accept serialized objects from untrusted sources
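One token design that addresses both the session-expiration point under Broken Authentication above and the "do not accept serialized objects from untrusted sources" fix here, as an added example that is not from the post: session state is serialized as plain JSON (data only, never an object graph such as a pickle or a PHP/Ruby serialized object), signed with HMAC-SHA256, and on the way back the signature is verified before the content is even parsed, the field shape is checked, and the expiry is enforced. The key, field names and function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for the example; a real deployment loads it from a secret store.
SECRET_KEY = b"example-key-do-not-use-in-production"


class InvalidToken(ValueError):
    """Raised for malformed, tampered, unexpected or expired tokens."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Serialize session state as JSON and append a MAC over the exact bytes."""
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def load_token(token: str, now: Optional[float] = None) -> dict:
    """Verify the MAC first, then validate the fields, then check expiry."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):  # wrong part count or bad base64
        raise InvalidToken("malformed token")
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise InvalidToken("bad signature")
    data = json.loads(payload)
    # Strict shape check: only the fields we issue, with the types we expect.
    if (not isinstance(data, dict) or set(data) != {"sub", "exp"}
            or not isinstance(data["sub"], str) or not isinstance(data["exp"], int)):
        raise InvalidToken("unexpected payload")
    if now >= data["exp"]:
        raise InvalidToken("session expired")
    return data


if __name__ == "__main__":
    tok = issue_token("alice", ttl_seconds=60)
    print(tok)
    print(load_token(tok))
```

The ordering inside `load_token` is the point: nothing the client sent is interpreted until its integrity is established, and the parser is a data-only format, so even a valid-looking blob cannot smuggle in object types or code. Session expiry is a server-enforced field rather than something left to the client.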

Insufficient Logging and Monitoring:

→ Logging has to be timely so that the application owner is aware of ongoing or upcoming risks
→ Failing to log and monitor a site leaves it open to more severe compromise

Fix: Log all activities on the server
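Logging is only useful if something reads it, so as an added example that is not from the post, here is the monitoring half: a detector that reads server-side authentication events and flags a source that accumulates repeated failures inside a sliding window, reporting which accounts were tried so a single-account brute force can be told apart from a spray across many accounts. The log format, the sample lines and the function names are all constructed for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a server-side auth log: one event per line.
SAMPLE_LOG = """\
2021-09-22T10:00:01Z auth result=fail user=alice ip=203.0.113.7
2021-09-22T10:00:03Z auth result=fail user=alice ip=203.0.113.7
2021-09-22T10:00:04Z auth result=fail user=bob ip=203.0.113.7
2021-09-22T10:00:06Z auth result=fail user=carol ip=203.0.113.7
2021-09-22T10:00:07Z auth result=fail user=dave ip=203.0.113.7
2021-09-22T10:00:09Z auth result=success user=alice ip=198.51.100.5
2021-09-22T10:05:00Z auth result=fail user=erin ip=203.0.113.7
"""


def parse_line(line: str) -> dict:
    """Turn '<timestamp> auth k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, _kind, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> list:
    """Flag IPs with at least `threshold` failed logins inside a sliding window.

    Returns a list of (ip, trigger timestamp, sorted distinct users tried).
    """
    recent = defaultdict(deque)   # ip -> deque of (ts, user) within the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("result") != "fail":
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            users = sorted({user for _, user in q})
            alerts.append((ev["ip"], ev["ts"].isoformat(), users))
            q.clear()   # one burst yields one alert, not one per extra failure
    return alerts


if __name__ == "__main__":
    for ip, when, users in detect_bruteforce(SAMPLE_LOG):
        print(f"{when} {ip}: {len(users)} accounts tried {users}")
```

On the sample the burst from 203.0.113.7 trips the threshold at 10:00:07 with four distinct accounts, while the later single failure at 10:05 does not. The detector only works because the server logs every authentication outcome with a timestamp, the source address and the account; a log that records successes only, or failures without the source, gives monitoring nothing to work with.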

OWASP Top 10 2017 vs 2021

Key Differences:
Newly added: ↓
→ Insecure Design
→ Software & Data Integrity Failures (SDIF)
→ SSRF

Merged: ↓
→ XSS merged into Injection
→ XXE merged into Security Misconfiguration
→ Insecure Deserialization merged into SDIF
→ Sensitive Data Exposure (SDE) merged into Cryptographic Failures

Interesting distribution of these categories by number of security reports, security bulletins, bug bounties, exploits etc. (XSS is the champ). Source: lab.wallarm.com/owasp-top-10–2…

OWASP Top-10 2021, statistically calculated proposal. The purpose of this work is to make OWASP Top-10 2021 predictions calculated by understandable metrics, make everyone able to reproduce the results, and present to an entire community for the feedb… https://lab.wallarm.com/owasp-top-10-2021-proposal-based-on-a-statistical-data/

How is OWASP useful for pentesters and bug bounty hunters?

→ The OWASP Top 10 is a standard document that categorises the most common issues in the general appsec space
→ The Top 10 list is sufficient to understand the current trends and shifts in vulnerabilities

My Views on OWASP Top 10 2021

→ The shift is more towards secure design and architecture issues
→ With XXE, ID & SSRF could be merged into Security Misconfiguration
→ Broader visualisation of business-logic & supply-chain attacks as issues under Insecure Design

🧑🏻‍🏫 💥Stay Tuned and follow us for more:💥🧑🏻‍🏫

🧑🏻‍💻 Cyber Security School : https://learn.hacktify.in
🔗 Udemy: https://www.udemy.com/user/rohit-gautam-38/
🧑🏻‍🏫 Join our Live Trainings: https://www.isacindia.org/certified-bug-bounty-researcher/
🔐Github: https://github.com/shifa123
📌 Youtube: https://www.youtube.com/channel/UCS82DNnKOhXHcGKxGzQvNSQ
💬 Linkedin: https://www.linkedin.com/company/hacktifycs
