
Top ten security risks in web applications

Web applications are part of our daily lives; for companies they are the link to the outside world and the main pillar of their business. With this in mind, OWASP carries out extensive research to test applications, identify the most common cyber risks and collect best security practices. Here is the most up-to-date top 10:


A01:2021-Broken Access Control

Restrictions on what authenticated users are permitted to do are not always enforced correctly. When they fail, users can access other users' accounts, change permissions, view sensitive data and modify data that is not theirs.
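The most common form of this failure is a handler that checks the caller is logged in but never checks that the caller may see the specific record requested. The following is an added example, not code from the original post or from Compucloud: a deliberately vulnerable handler next to a hardened one. The `User` and `Invoice` types, the in-memory store, the role names and the function names are all constructed for the demo.

```python
"""Insecure direct object reference (a form of broken access control) next to the
fixed version. Added example: the User/Invoice types, the in-memory store and the
role names are constructed for this demo, not taken from any real application."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "customer" or "admin"


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: invoice 1 belongs to user 10, invoice 2 to user 20.
INVOICES = {
    1: Invoice(invoice_id=1, owner_id=10, amount=120.0),
    2: Invoice(invoice_id=2, owner_id=20, amount=980.5),
}


def get_invoice_vulnerable(user: User, invoice_id: int) -> Invoice:
    """Relies on the framework having authenticated the caller, but never checks
    that the caller may see *this* record. Any logged-in user can read any
    invoice simply by changing the id in the request."""
    return INVOICES[invoice_id]


def is_authorized(user: User, invoice: Invoice) -> bool:
    """Deny by default: only the owner or an admin may read the invoice."""
    return user.role == "admin" or invoice.owner_id == user.user_id


def get_invoice_secure(user: User, invoice_id: int) -> Invoice:
    """Authorisation is enforced on the server for every request.

    A missing record and a forbidden record produce the same error, so the
    response does not tell a caller which ids exist when they may not see them.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not is_authorized(user, invoice):
        raise PermissionError("invoice not accessible")
    return invoice


if __name__ == "__main__":
    customer = User(user_id=10, role="customer")
    print(get_invoice_vulnerable(customer, 2))  # leaks user 20's invoice
    try:
        get_invoice_secure(customer, 2)
    except PermissionError as exc:
        print("secure handler:", exc)
```

The important design point is that the check lives next to the data access and runs on every request; hiding the link in the user interface is not a control, because the id can always be supplied directly.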

A02:2021-Cryptographic Failures

Cybersecurity specialists use cryptography, in the form of algorithms, encrypted text and other protective measures, to encrypt and protect business and consumer information. When cryptographic flaws exist, they lead to the exposure of sensitive data or to compromise of the system.

A03:2021-Injection

Injection occurs when untrusted data is interpreted as part of a command or query, such as SQL, NoSQL, operating-system commands or LDAP queries, or as part of a web page (Cross-Site Scripting, XSS). The result is the execution of unintended commands or unauthorized access to information.
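To make the SQL case concrete, here is an added example (not from the original post or from Compucloud) that runs a vulnerable query built by string formatting next to the parameterised version against an in-memory SQLite database, and shows how to handle the one thing parameters cannot cover, identifiers such as column names. The schema, the two sample users and all function names are constructed for the demo.

```python
"""SQL injection: a vulnerable query built by string formatting next to the
parameterised version, run against an in-memory SQLite database. Added example;
the schema, the sample users and the function names are constructed for this demo."""
import sqlite3

# Constructed schema and sample rows.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL);
INSERT INTO users (username, email) VALUES
    ('alice', 'alice@example.test'),
    ('bob', 'bob@example.test');
"""

# Identifiers cannot be bound as parameters, so only names from this allowlist
# may ever be spliced into SQL text.
SORTABLE_COLUMNS = {"id", "username"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Untrusted input is interpolated into the SQL text, so the input becomes
    part of the query's structure instead of staying a plain value."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The value travels as a bound parameter; the database never parses it as
    SQL, whatever characters it contains."""
    query = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    """Column names cannot be parameterised, so the name is validated against
    an allowlist before it is placed in the query text."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    query = f"SELECT id, username FROM users ORDER BY {column}"
    return conn.execute(query).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Classic test input: in the vulnerable query the WHERE clause becomes
    # username = '' OR '1'='1', which is true for every row.
    tautology = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, tautology))  # both rows come back
    print("safe:      ", find_user_safe(db, tautology))        # no row has that literal name
```

The same separation of data from code structure is the fix for the other interpreters the paragraph names: bound parameters for NoSQL and LDAP filters, argument lists rather than shell strings for operating-system commands, and context-aware output encoding for XSS.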

A04:2021-Insecure Design

Insecure design occurs when a vendor builds documented “features” into a product that allow an attacker to undermine the availability or integrity of the application.

A05:2021-Security Misconfiguration

This category covers insecure default values, incomplete or ad hoc configuration, and verbose error messages that reveal sensitive information. Every operating system, framework, application and library must be securely configured and patched whenever possible. The former XML External Entities (XXE) category is now part of this risk.

A06:2021-Vulnerable and Outdated Components

Application components run with the same level of access as the application itself, so if a vulnerability in a component is exploited, it can undermine the application's defenses. This category was previously called “Using Components with Known Vulnerabilities”.

A07:2021-Identification and Authentication Failures

When user authentication and its management are handled incorrectly, attackers can obtain keys, passwords or session tokens, or exploit the system to assume the identity of other users. Formerly referred to as Broken Authentication.

A08:2021-Software and Data Integrity Failures

This category covers code and infrastructure that make assumptions about software updates, critical data and CI/CD (continuous integration and continuous delivery/continuous deployment) pipelines without verifying their integrity. Insecure deserialization is now part of this category.

A09:2021-Security Logging and Monitoring Failures

Without adequate logging and monitoring of internal systems, and without an effective response to incidents, attackers can break into a system and go on to reach further systems and extract, alter or destroy information. The compromise of a website can be significantly worse when these controls are missing. Previously known as Insufficient Logging and Monitoring.

A10:2021-Server-Side Request Forgery

Server-side request forgery (SSRF) is a web security flaw that allows an attacker to induce a server-side application to send HTTP requests to a destination of the attacker's choosing.
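The usual defence is to validate a user-supplied URL before the server fetches it, at several layers rather than one. The following is an added example, not code from the original post or from Compucloud: a validator that requires an allowlisted scheme and host, rejects embedded credentials and non-standard ports, and then checks every address the host resolves to, because a hostname-only check would pass a name that also resolves to an internal address. The allowlisted hostnames and the demo resolver's answers are constructed so the example runs offline; in production the default `dns_resolve` would be used and the request sent through an egress proxy.

```python
"""Validating a user-supplied URL before the server fetches it, the usual
defence against SSRF. Added example: the allowlisted hostnames and the demo
resolver's addresses are constructed; a real deployment resolves through DNS."""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed DNS answers so the demo runs offline. One allowlisted name resolves
# to a public address; another resolves to a public and an internal address.
DEMO_RESOLUTIONS = {
    "api.partner.example": ["93.184.216.34"],
    "mixed.partner.example": ["93.184.216.34", "10.0.0.5"],
}


def demo_resolve(host: str) -> list:
    return DEMO_RESOLUTIONS.get(host, [])


def dns_resolve(host: str) -> list:
    """Real resolver for production use: every answer, deduplicated."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """Reject loopback, private, link-local, multicast, reserved and unspecified
    ranges for both IPv4 and IPv6."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_outbound_url(url: str, allowed_hosts, resolve=dns_resolve) -> bool:
    """Allow a fetch only when every layer passes: http(s) scheme, no embedded
    credentials, standard port, allowlisted host, and every resolved address public."""
    try:
        parts = urlparse(url)
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lower-cased, brackets stripped for IPv6
    if not host or port not in (None, 80, 443):
        return False
    if host not in {h.lower() for h in allowed_hosts}:
        return False
    try:
        ipaddress.ip_address(host)
        addresses = [host]             # IP literal: check it directly
    except ValueError:
        try:
            addresses = resolve(host)  # hostname: check every address it maps to
        except OSError:
            return False
    return bool(addresses) and all(is_public_address(a) for a in addresses)


if __name__ == "__main__":
    allowed = {"api.partner.example", "mixed.partner.example"}
    for candidate in ("https://api.partner.example/v1/status",
                      "https://mixed.partner.example/",
                      "http://127.0.0.1/"):
        print(candidate, "->", is_safe_outbound_url(candidate, allowed, demo_resolve))
```

The check should run immediately before the request is made and the connection should go to the address that was checked; validating once and resolving again at fetch time leaves a gap between the two lookups.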


Thanks to OWASP, Compucloud can use this ranking as a guide to help its customers make their web applications more secure and better prepared to face any malicious attack.


Contact us for any questions or comments you may have.


Source: https://owasp.org/www-project-top-ten/

Published: 11/4/2024

Author: Ing. Adrián Morales | Solutions Consultant
