OWASP Top 10 Breaches of 2021. What You Need to Know!

June 12, 2022
in Ethical Hacking
In the past year, a number of high-profile data breaches have come to light.
These include both major companies and smaller organizations.
While the causes of these breaches vary, they all have one thing in common: better cybersecurity practices could have prevented them.
The Open Web Application Security Project (OWASP) is a nonprofit organization that works to improve the security of software. As part of this mission, they maintain a list of the top 10 most common security risks.
The organization updates this list annually and released the most recent version in December 2020. Here are the top 10 OWASP breaches of 2021, along with some general tips on how to prevent them.

OWASP released its list of the top 10 risks for 2021. What were the most prevalent vulnerabilities?

  • Broken Access Control: this occurs when an application does not properly restrict access to sensitive data or resources. It can allow unauthorized users to read sensitive data or perform actions they should not be able to.
  • Cryptographic Failures: a cryptographic failure is a weakness in a cryptographic system that allows an attacker to break the system and reach the data it is meant to protect. Cryptographic failures can have a number of causes, including poor design, implementation errors, and weak cryptographic keys.
  • Injection: this occurs when the application executes untrusted input as part of a command or query. It can allow attackers to run malicious code, access sensitive data, or modify application data.
  • Insecure Design: a category that groups several different weaknesses. It means that the controls that should keep the system or software secure are either missing or ineffective, which leads to vulnerabilities that attackers can exploit. One contributing factor is the lack of business risk profiling for the software or system being developed, and therefore the failure to determine the level of security design it requires.
  • Security Misconfiguration: the application might be vulnerable if:
    • it lacks proper security hardening across the whole application stack, or its cloud services are badly configured;
    • unnecessary features are present, such as open ports or active services that are not needed;
    • default accounts are still enabled;
    • error handling reveals too much information to users.
  • Vulnerable and Outdated Components: this vulnerability occurs when some of the components you use are out of date or have known vulnerabilities.
  • Identification and Authentication Failures: these happen when the application cannot confirm that a user is who they claim to be. This can happen if the application permits automated attacks, like credential stuffing or brute force, or if it uses weak or ineffective credential recovery processes.
  • Software and Data Integrity Failures: these happen when code and infrastructure do not protect against integrity violations. One case is an application that relies on plugins, libraries, or modules from untrusted sources, such as repositories or content delivery networks (CDNs): attackers could potentially push their own updates to be distributed and run on every installation. Another example is insecure deserialization, where objects or data are encoded or serialized into a structure that an attacker can see and modify.
  • Security Logging and Monitoring Failures: without logging and monitoring, breaches cannot be detected. If something goes wrong, it may be hard to find and fix the problem before it is too late.
  • Server-Side Request Forgery: some web applications allow users to fetch a URL, but do not properly validate the user-supplied URL. This flaw is called SSRF (Server-Side Request Forgery). An attacker can use SSRF to coerce the application into sending a crafted request to an unexpected destination, even behind a firewall, VPN, or another type of network access control list (ACL). This can allow the attacker to access sensitive information or launch further attacks.
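The SSRF item above describes the core defence: validate the user-supplied URL before the server fetches it. The following is an added example (not code from the original post) of such a check in Python: it allows only http/https, requires the host to be on an allowlist, resolves the host, and rejects any address in loopback, private, link-local, multicast or reserved ranges. The allowlist, the `DEMO_DNS` table and `demo_resolve` are constructed for the example so it runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts this service may fetch from (constructed for the example).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

# Address ranges a server-side fetch must never reach: loopback, RFC 1918,
# link-local (including cloud instance metadata endpoints), multicast and reserved space.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed stand-in for DNS so the example runs offline; cdn.example.com
# deliberately points into private space to show the post-resolution check.
DEMO_DNS = {"images.example.com": ["203.0.113.10"], "cdn.example.com": ["10.0.0.5"]}

def demo_resolve(host):
    return DEMO_DNS.get(host, [])

def is_blocked_address(ip):
    """True if the address lies in a range that must not be fetched."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is still 10.0.0.5
    return any(ip in net for net in BLOCKED_NETS)

def validate_fetch_url(url, resolve=demo_resolve):
    """Return (allowed, reason) for a user-supplied URL before the server fetches it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"  # blocks file://, gopher://, etc.
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except ValueError:
        return False, "resolver returned a malformed address"
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        if is_blocked_address(ip):
            return False, f"{host} resolves to blocked address {ip}"
    # Connect to the checked address, not a fresh lookup, to resist DNS rebinding.
    return True, "ok"
```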

Steps that an organization can take to protect itself

Failing to address these vulnerabilities can have a number of consequences, including data breaches, loss of customer trust, damage to reputation, and financial losses. Reading the list and protecting against those specific vulnerabilities is a big step forward; in addition, there are several general precautions that an organization can put in place:

  • Implementing strong authentication and session management controls.
  • Validating and sanitizing all input.
  • Restricting access to sensitive data and resources.
  • Configuring applications securely.
  • Enabling logging and monitoring.
  • Using secure communications protocols.
  • Implementing security controls.
  • Designing applications with security in mind.
  • Following change management procedures.

Conclusion

In conclusion, the OWASP top 10 list for 2021 is a great resource for organizations to use to improve their cybersecurity practices. By taking steps to address the most common security risks, organizations can protect themselves from data breaches and other consequences.
