OWASP Top 10 Breaches of 2021. What You Need to Know!

June 12, 2022
in Ethical Hacking

In the past year, a number of high-profile data breaches have come to light.
These include both major companies and smaller organizations.
While the causes of these breaches vary, they all have one thing in common: better cybersecurity practices could have prevented them.
The Open Web Application Security Project (OWASP) is a nonprofit organization that works to improve the security of software. As part of this mission, they maintain a list of the top 10 most common security risks.
The organization updates this list annually and released the most recent version in December 2020. Here are the top 10 OWASP breaches of 2021, along with some general tips on how to prevent them.

OWASP released its list of the top 10 breaches of 2021. What were the most prevalent vulnerabilities?

  • Broken Access Control: this occurs when an application does not properly restrict access to sensitive data or resources. It can allow unauthorized users to read sensitive data or perform actions that they should not be able to perform.
  • Cryptographic Failures: A cryptographic failure is a vulnerability in a cryptographic system that allows an attacker to break the system and gain access to the data it is meant to protect. Cryptographic failures can occur due to a number of reasons, including poor design, implementation errors, and weak cryptographic keys.
  • Injection: this occurs when the application passes untrusted input to an interpreter (a database, a shell, a template engine) in a way that lets the input be executed as part of a command or query rather than handled as data. This can allow attackers to execute malicious code, access sensitive data, or modify application data.
  • Insecure Design: a broad category that covers weaknesses in the design of the system itself rather than in its implementation.
    This means that the controls that should be in place to keep the system or software secure are either missing or ineffective, which leads to vulnerabilities that attackers can exploit. One of the factors that contributes to insecure design is the lack of business risk profiling for the software or system being developed, and thus the failure to determine the required level of security design.
  • Security Misconfiguration: the application might be vulnerable if:
    • it doesn’t have the right security hardening across the whole application, or cloud services are badly configured;
    • unnecessary features are present, such as unneeded open ports or active services;
    • default accounts are still enabled;
    • error handling reveals too much information to users.
  • Vulnerable and Outdated Components: This vulnerability occurs if the versions of some of the components you use are vulnerable or out of date.
  • Identification and Authentication Failures: Identification and authentication failures happen when someone can’t confirm that a user is who they say they are. This can happen if the application permits automated attacks, like credential stuffing or brute force attacks. It can also happen if the application uses weak or ineffective credential recovery processes.
  • Software and Data Integrity Failures: these happen when code or infrastructure does not protect against integrity violations. A common case is an application that relies on plugins, libraries, or modules from untrusted sources, such as repositories or content delivery networks (CDNs), without verifying them.
    Attackers could potentially upload their own updates to be distributed and run on all installations.
    Another example is insecure deserialization: objects or data are encoded or serialized into a structure that an attacker can see and modify before the application deserializes it.
  • Security Logging and Monitoring Failures: without logging and monitoring, breaches cannot be detected. This means that if something goes wrong, it might be hard to find and fix the problem before it’s too late.
  • Server-Side Request Forgery: some web applications allow users to fetch a URL but don’t properly validate the user-supplied URL. This flaw is called SSRF (Server-Side Request Forgery). An attacker can use SSRF to coerce the application into sending a crafted request to an unexpected destination, even when a firewall, VPN, or another type of network access control list (ACL) is in place. This can allow the attacker to access sensitive information or launch further attacks.
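To make the SSRF item concrete, here is an added example (not from the original post) of the validation a URL-fetching feature should perform before issuing the request: restrict the scheme, require the host to be on an allowlist, and check that the name resolves only to public addresses. The allowlist, the `resolve` callback and the DNS table are assumptions constructed for the demonstration.

```python
import ipaddress
from typing import Callable, Tuple
from urllib.parse import urlparse

# Hypothetical allowlist of hosts this service is permitted to fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Constructed DNS answers so the check runs offline; in production `resolve`
# would wrap socket.getaddrinfo and return every address it yields.
CONSTRUCTED_DNS = {
    "api.example.com": ["203.0.113.10"],
    "cdn.example.com": ["127.0.0.1"],  # a name that points back inside
}

def constructed_resolver(host: str) -> list:
    return CONSTRUCTED_DNS.get(host, [])

def is_internal(ip: str) -> bool:
    """True for any address range a fetch should never be allowed to reach."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def validate_fetch_url(url: str, resolve: Callable[[str], list]) -> Tuple[bool, str]:
    """Return (ok, reason) for a user-supplied URL."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname  # already lower-cased by urlparse
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in url"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    addresses = resolve(host)
    if not addresses:
        return False, "host does not resolve"
    for ip in addresses:
        if is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"
```

Because a name can be re-resolved between this check and the actual request, the fetch itself should connect to the address that was validated (or re-run the check on the address the HTTP client actually connects to) rather than resolving the name a second time.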

Steps that an organization can take to protect itself

Failing to address these vulnerabilities can have a number of consequences, including data breaches, loss of customer trust, damage to reputation, and financial losses. Reading the list and protecting against those specific vulnerabilities is a big step forward; beyond that, there are a number of general precautions that an organization can put in place:

  • Implementing strong authentication and session management controls.
  • Validating and sanitizing all input.
  • Restricting access to sensitive data and resources.
  • Configuring applications securely.
  • Enabling logging and monitoring.
  • Using secure communications protocols.
  • Implementing security controls.
  • Designing applications with security in mind.
  • Following change management procedures.

Conclusion

In conclusion, the OWASP top 10 list for 2021 is a great resource for organizations to use to improve their cybersecurity practices. By taking steps to address the most common security risks, organizations can protect themselves from data breaches and other consequences.
