OWASP Top 10
Broken Access Control occurs when a system does not properly enforce restrictions on what authenticated or unauthenticated users can do. This allows attackers to access data or perform actions they shouldn’t be allowed to.
Key Points:
- Users can view, modify, or delete resources they shouldn’t.
- Happens due to missing or misconfigured access checks.
- A01:2021-Broken Access Control moves up from the fifth position to the category with the most serious web application security risk; the contributed data indicates that on average, 3.81% of applications tested had one or more Common Weakness Enumerations (CWEs), with more than 318k occurrences of CWEs in this risk category. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.
- Typical consequence: privilege escalation.
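The "missing or misconfigured access checks" point above is easiest to see in code. The following is an added example written for this page, not code from OWASP or from any project it mentions: an in-memory document store with constructed sample users and documents, a handler that only checks that the caller is logged in (the broken access control pattern), and a hardened handler that enforces the object-level ownership check on every request. Function and data names are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin" (constructed roles for the example)


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: two users, each with one private document.
DOCUMENTS = {
    1: Document(1, "alice", "alice's private notes"),
    2: Document(2, "bob", "bob's private notes"),
}


def get_document_insecure(user: Optional[User], doc_id: int) -> Document:
    """Broken access control: authentication is checked, authorization is not.

    Any logged-in user who guesses or increments doc_id reads someone else's
    document, because nothing compares the caller to the document's owner.
    """
    if user is None:
        raise PermissionError("login required")
    return DOCUMENTS[doc_id]


def is_allowed(user: User, doc: Document) -> bool:
    """Deny by default: only the owner or an admin may access a document."""
    return doc.owner == user.name or user.role == "admin"


def get_document_secure(user: Optional[User], doc_id: int) -> Document:
    """Same lookup with the object-level check enforced on every request."""
    if user is None:
        raise PermissionError("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    if not is_allowed(user, doc):
        raise PermissionError("forbidden")
    return doc


def try_access(handler, user: Optional[User], doc_id: int) -> str:
    """Small driver that maps the outcome of a handler call to a label."""
    try:
        return "ok:" + handler(user, doc_id).owner
    except PermissionError as exc:
        return "denied:" + str(exc)
    except KeyError:
        return "missing"


if __name__ == "__main__":
    bob = User("bob", "user")
    print(try_access(get_document_insecure, bob, 1))  # bob reads alice's document
    print(try_access(get_document_secure, bob, 1))    # denied:forbidden
```

The hardened version centralizes the decision in `is_allowed` so that every handler reuses the same rule; in a real application that rule would live in one authorization layer rather than being re-implemented per endpoint.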
- A02:2021-Cryptographic Failures shifts up one position to #2, previously known as A3:2017-Sensitive Data Exposure, which was a broad symptom rather than a root cause. The renewed name focuses on failures related to cryptography, as it implicitly had before. This category often leads to sensitive data exposure or system compromise.
- A03:2021-Injection slides down to the third position. 94% of the applications were tested for some form of injection with a max incidence rate of 19%, an average incidence rate of 3.37%, and the 33 CWEs mapped into this category have the second most occurrences in applications with 274k occurrences. Cross-site Scripting is now part of this category in this edition.
4. Insecure Design: The Blueprint Problem
Imagine you're building a house. Insecure Design is like having a flawed blueprint from the very beginning. Even if the builders follow the blueprint perfectly, the house will still have fundamental weaknesses because the design itself wasn't secure.
- What it is: This vulnerability focuses on flaws in the design and architecture of an application. It means that security controls were either missing entirely from the initial plan, or they were poorly thought out and implemented at a conceptual level. It's not about a coding error, but a design error.
- Real-Life Example:
  - A "Remember Me" Feature: An application is designed with a "Remember Me" feature that keeps users logged in indefinitely, even after long periods of inactivity or IP address changes. The design didn't include a mechanism to invalidate these sessions securely, making them vulnerable to session hijacking if an attacker gains access to a user's device.
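The "Remember Me" example describes a design that lacks any way to invalidate long-lived sessions. As an added illustration (not part of the original page, and not taken from any particular framework), the following session store shows the controls such a design would need to include from the start: tokens stored server-side only as a hash, an absolute lifetime, an idle timeout, binding to client attributes so a token replayed from a different network is rejected, and explicit revocation. The lifetimes, the fingerprint inputs and all names are assumptions chosen for the example; an injectable `now` makes the expiry logic testable without waiting.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed policy values for the example: a hard cap and an inactivity limit.
ABSOLUTE_LIFETIME = 30 * 24 * 3600  # 30 days from creation, regardless of use
IDLE_TIMEOUT = 7 * 24 * 3600        # 7 days without a validated request


@dataclass
class SessionRecord:
    user: str
    created: float
    last_seen: float
    client_fp: str      # hash of the client attributes the session is bound to
    revoked: bool = False


class SessionStore:
    """Server-side record of remember-me sessions (in memory for the example)."""

    def __init__(self) -> None:
        self._sessions = {}  # sha256(token) -> SessionRecord

    @staticmethod
    def _key(token: str) -> str:
        # Only the hash is stored, so a copy of the store yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _fingerprint(user_agent: str, ip: str) -> str:
        # Assumed binding inputs; a deployment may choose coarser attributes.
        return hashlib.sha256(f"{user_agent}\n{ip}".encode()).hexdigest()

    def create(self, user: str, user_agent: str, ip: str,
               now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = SessionRecord(
            user=user, created=now, last_seen=now,
            client_fp=self._fingerprint(user_agent, ip))
        return token

    def validate(self, token: str, user_agent: str, ip: str,
                 now: Optional[float] = None) -> Optional[str]:
        """Return the user name for a live, bound session, else None."""
        now = time.time() if now is None else now
        rec = self._sessions.get(self._key(token))
        if rec is None or rec.revoked:
            return None
        if now - rec.created > ABSOLUTE_LIFETIME:
            return None
        if now - rec.last_seen > IDLE_TIMEOUT:
            return None
        if rec.client_fp != self._fingerprint(user_agent, ip):
            return None
        rec.last_seen = now  # only a successful check extends the idle window
        return rec.user

    def revoke_all(self, user: str) -> int:
        """Invalidate every session of a user (logout everywhere, password change)."""
        count = 0
        for rec in self._sessions.values():
            if rec.user == user and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", "Browser/1.0", "10.0.0.5")
    print(store.validate(tok, "Browser/1.0", "10.0.0.5"))   # alice
    print(store.validate(tok, "Browser/1.0", "192.0.2.9"))  # None: different network
```

The point of the example is that every reason a session should stop working (age, inactivity, a different client, a deliberate logout) is a decision the design makes up front; adding them later to an "indefinite" token scheme is exactly the retrofit Insecure Design is about.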
5. Security Misconfiguration: The Setup Problem
Now, let's go back to our house analogy. Security Misconfiguration is like having a perfectly good house blueprint, but the builders made mistakes during construction or didn't set things up correctly. Maybe they left a window unlocked, or didn't install the security system properly.
- What it is: This vulnerability occurs when security settings are not properly configured or maintained. It's about mistakes in the implementation, deployment, or maintenance of an application, server, or network device. This includes using default settings, incomplete configurations, open cloud storage, or unnecessary features being enabled.
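The items listed above (default settings, incomplete configurations, unnecessary features left enabled) are the kind of thing a deployment check can catch before release. The following is an added example, not from the original page or any real product: a constructed weak configuration next to its corrected form, and an audit function that reports each misconfiguration by name. The configuration keys and the default-credential list are assumptions invented for the example.

```python
from typing import List

# Assumed list of vendor-style default credentials to reject (constructed).
DEFAULT_PASSWORDS = {"admin", "password", "changeme", ""}

# Constructed weak configuration showing several misconfigurations at once.
WEAK_CONFIG = {
    "debug": True,                          # stack traces shown to users
    "admin_password": "admin",              # default credential never changed
    "cors_allowed_origins": ["*"],          # any site may call the API
    "directory_listing": True,              # web server lists folder contents
    "enabled_services": ["web", "ftp", "telnet"],  # unnecessary features on
    "tls_min_version": "1.0",               # incomplete hardening
}

# The same configuration with each finding corrected.
HARDENED_CONFIG = {
    "debug": False,
    "admin_password": "S3t-by-0perator-at-install",  # placeholder, set per deployment
    "cors_allowed_origins": ["https://app.example.com"],
    "directory_listing": False,
    "enabled_services": ["web"],
    "tls_min_version": "1.2",
}

REQUIRED_SERVICES = {"web"}  # assumption: everything else is an unnecessary feature


def audit(config: dict) -> List[str]:
    """Return one finding per misconfiguration; an empty list means it passed."""
    findings = []
    if config.get("debug", False):
        findings.append("debug mode enabled in production")
    if config.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append("default or empty admin password")
    if "*" in config.get("cors_allowed_origins", []):
        findings.append("CORS allows any origin")
    if config.get("directory_listing", False):
        findings.append("directory listing enabled")
    extra = set(config.get("enabled_services", [])) - REQUIRED_SERVICES
    if extra:
        findings.append("unnecessary services enabled: " + ", ".join(sorted(extra)))
    # Missing value is treated as a finding: an incomplete config is itself a risk.
    if tuple(int(p) for p in config.get("tls_min_version", "0").split(".")) < (1, 2):
        findings.append("TLS minimum version below 1.2")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Treating an absent key as a finding (rather than silently passing) is the design choice that matters here: misconfiguration is as often something that was never set as something set wrongly.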