The Open Web Application Security Project (OWASP) is a non-profit foundation whose mission is to improve the security of software. Its best-known publication, the OWASP Top 10, ranks the ten most critical web application security risks and gives remediation guidance for each; it has become the de facto standard reference for prioritising web application vulnerabilities. Founded in 2001, the project has attracted a worldwide community of active contributors.
The list is refreshed every few years as new industry data is collected (previous editions appeared in 2013 and 2017); the latest version, the OWASP Top 10 2021, was released in September 2021.
What is the OWASP Top 10 vulnerabilities list?
The OWASP Top 10 is a ranked list of the ten most critical security risk categories for web applications. Each entry describes the weakness, typical attack scenarios and the controls that prevent it.
OWASP Top 10 Vulnerabilities 2021 List: A Closer Look
- OWASP A01 Broken Access Control
- OWASP A02 Cryptographic Failures
- OWASP A03 Injection
- OWASP A04 Insecure Design
- OWASP A05 Security Misconfiguration
- OWASP A06 Vulnerable and Outdated Components
- OWASP A07 Identification and Authentication Failures
- OWASP A08 Software and Data Integrity Failures
- OWASP A09 Security Logging and Monitoring Failures
- OWASP A10 Server-Side Request Forgery (SSRF)
Understanding OWASP Top 10 Security Vulnerabilities in 2022
A01:2021-Broken Access Control
What is broken access control vulnerability?
Broken Access Control, also known as A01:2021 in the OWASP Top 10 2021 list, is a vulnerability that occurs when an application lacks proper controls over who can access certain resources or perform certain actions. This can allow an attacker to gain unauthorized access to sensitive data or to perform actions that they should not be able to perform.
What causes broken access control vulnerability?
Access control can be broken in several ways, including:
- Missing authentication on a protected resource: if an endpoint that should require a login can be reached without one (for example by browsing directly to an admin URL), any anonymous user can act as an insider. OWASP files weak or bypassable login mechanisms under A07, but an unauthenticated route into protected functionality is an access control failure.
- Missing or incomplete authorization: if the application checks that a user is logged in but not that their role or permissions allow the specific action, a normal user can call administrative functions or modify other users' data. Checks enforced only in the user interface (hidden buttons, disabled menu items) do not count, because the attacker sends requests directly.
- Insufficient session management: if sessions are not invalidated on logout, are given long lifetimes or use predictable tokens, an attacker who steals or guesses a session can act as the victim and reach everything that user is permitted to reach.
- Trusting client-supplied identifiers: if the application takes a record ID, username or filename from the request and uses it without verifying that the current user owns or may access that object, an attacker can simply change the value in the URL or request body to reach other users' data. This insecure direct object reference (IDOR) is the most frequently reported form of broken access control.
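The following is an added example written for this article, not code from the original page or from OWASP. It shows the insecure direct object reference described above as a vulnerable handler beside a hardened one, plus a role check for an admin-only action. The invoice store, user names and roles are constructed for the demo, and the `Session` object stands in for whatever the application's authentication layer establishes.

```python
# Added example (not from the original article): an insecure direct object
# reference (IDOR) shown as a vulnerable handler next to a hardened one, plus a
# server-side role check for an admin-only action. All data below is constructed.
from dataclasses import dataclass
from functools import wraps

# Constructed sample data: who owns which invoice, and which roles each user holds.
INVOICES = {
    101: {"owner": "alice", "amount": 120.00},
    102: {"owner": "bob", "amount": 75.50},
}
ROLES = {"alice": {"user"}, "bob": {"user"}, "carol": {"user", "admin"}}


class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the requested action."""


@dataclass
class Session:
    """Authenticated principal; assumed to be set by the authentication layer."""
    user: str


def get_invoice_vulnerable(session: Session, invoice_id: int) -> dict:
    # Authentication happened, but authorization did not: the handler trusts the
    # client-supplied id, so any logged-in user can read any invoice by changing it.
    return INVOICES[invoice_id]


def get_invoice_secure(session: Session, invoice_id: int) -> dict:
    invoice = INVOICES.get(invoice_id)
    # Deny by default, and compare ownership against the server-side session,
    # never against anything the client sent. A missing record and a record the
    # caller may not see produce the same error, so ids cannot be enumerated.
    if invoice is None or invoice["owner"] != session.user:
        raise Forbidden(f"{session.user} may not read invoice {invoice_id}")
    return invoice


def require_role(role: str):
    """Decorator that enforces a role check on every call, on the server side."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session: Session, *args, **kwargs):
            if role not in ROLES.get(session.user, set()):
                raise Forbidden(f"{session.user} lacks role {role!r}")
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_invoice(session: Session, invoice_id: int) -> bool:
    """Admin-only action; returns True if an invoice was actually removed."""
    return INVOICES.pop(invoice_id, None) is not None


def attempt(handler, session: Session, invoice_id: int):
    """Run a handler and report ('ok', result) or ('forbidden', None)."""
    try:
        return "ok", handler(session, invoice_id)
    except Forbidden:
        return "forbidden", None


if __name__ == "__main__":
    bob = Session("bob")
    # Bob tampers with the id and reads Alice's invoice through the vulnerable handler...
    print(attempt(get_invoice_vulnerable, bob, 101))
    # ...but is refused by the hardened one, and cannot delete anything without the admin role.
    print(attempt(get_invoice_secure, bob, 101))
    print(attempt(delete_invoice, bob, 101))
    print(attempt(delete_invoice, Session("carol"), 102))
```

The hardened handler makes the decision from state the server controls (the session's user and the record's owner) and fails closed; the same pattern applies whether the identifier arrives in a path, a query string or a JSON body.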