
A SEMINAR REPORT ON

TITLE OF SEMINAR REPORT

Submitted in partial fulfillment of the requirements for the


award of the degree of

BACHELOR OF TECHNOLOGY

In

COMPUTER SCIENCE AND ENGINEERING

Submitted by

BOYA VAMSHI KRISHNA – 18841A05H3

DEPARTMENT OF COMPUTER SCIENCE ENGINEERING

AURORA’S TECHNOLOGICAL AND RESEARCH INSTITUTE


PARVATHAPUR, UPPAL - 500039
DECEMBER, 2021

AURORA’S TECHNOLOGICAL AND RESEARCH INSTITUTE

PARVATHAPUR, UPPAL – 500039

DEPARTMENT OF COMPUTER SCIENCE ENGINEERING

CERTIFICATE

Certified that the seminar work entitled OWASP TOP 10 VULNERABILITIES is a
bonafide work carried out in the fourth year by BOYA VAMSHI KRISHNA in partial
fulfillment of the requirements for the award of the degree of Bachelor of Technology in
Computer Science Engineering from JNTU Hyderabad during the academic year 2021-22.

Ms. Subashini
SEMINAR COORDINATOR
Associate Professor
Department of CSE

Ms. A. Durga Pavani
HEAD OF THE DEPARTMENT
Department of CSE

Ms. Rajashree
SEMINAR GUIDE
Department of CSE

ACKNOWLEDGEMENT

I take this opportunity to express my deepest sense of gratitude and sincere thanks to
everyone who helped me to complete this work successfully. I express my sincere
thanks to Ms. A. Durga Pavani, Head of Department, Computer Science and
Engineering, Aurora’s Technological and Research Institute, Hyderabad, for providing
me with all the necessary facilities and support.

I would like to express my sincere gratitude to Seminar Coordinator Ms. D. Subhashini
and to my seminar guide Ms. Rajashree, Department of Computer Science and
Engineering, Aurora’s Technological and Research Institute, Hyderabad, for their
support, guidance, mentorship and co-operation throughout the course.

Finally, I would like to thank my friends who helped me to make my work more
organized and well-stacked till the end.

ABSTRACT

The OWASP Top 10 is a list published by the Open Web Application Security Project
(OWASP). Website security is a major concern for large organizations as well as
individual developers, and the rarer the technology used, the harder it becomes to come
up with secure practices for developing a website. Vulnerabilities that are not fixed
during development and are deployed as such become easy targets for hackers, which
could cause the company or the individual to lose a lot of money. It is not just the
developers who are affected: end users who end up on vulnerable websites may be
exposed to an XSS attack that compromises their system, or an unsecured database
configuration could lead to a data leak in which the password of every registered user
on the website is compromised; users who use the same password on multiple websites
are affected the most. The motivation for this paper comes from the fact that there is an
overwhelming number of vulnerabilities in any application under development, and
every developer, experienced or not, needs a starting point to patch the vulnerabilities
that might have occurred in their application. This research presents the most common
vulnerabilities which should be taken care of in any application and thus provides the
much-needed starting point for developers. The objective is to design and develop a
secure web application according to Open Web Application Security Project (OWASP)
guidelines. This highlights the mitigation of vulnerabilities in the web application using
configuration changes, coding, and applying patches. The vulnerabilities discussed in
this report, such as SQL injection, broken authentication, sensitive data exposure, broken
access control, and XML external entities, are listed under the OWASP Top 10. The
security of the web application is tested and proved to have defense mechanisms
implemented for the mentioned vulnerabilities. The report also compares how many of
the weaknesses described in the Top 10 list are actually reported in vulnerabilities listed
in the National Vulnerability Database (NVD).

TABLE OF CONTENTS

SL NO  INDEX

1   INTRODUCTION OF OWASP AND OWASP TOP 10

2   THE OWASP TOP 10 VULNERABILITIES IN 2017

3   THE OWASP TOP 10 VULNERABILITIES IN 2021

4   THE DIFFERENCE BETWEEN OWASP TOP 10 VULNERABILITIES IN 2017 TO 2021

5   OWASP TOP-10 2021 STATISTICS-BASED PROPOSAL

6   CATEGORIES OVERLAPS IN OWASP TOP-10

7   METHODOLOGY

8   CALCULATING THE OWASP TOP 10 2021 RATING

9   CONCLUSION

10  REFERENCE

LIST OF FIGURES

Sl. No.  TITLE                                                    Page No.

1        Traditional and IA-64 Architecture IF-ELSE Execution     12

2        Code Speculation of Traditional Architecture and IA-64   14

3        Data Speculation of Traditional Architecture and IA-64   15

LIST OF TABLES

Sl. No.  TITLE                                                    Page No.

1        INTEL ITANIUM 2 PROCESSOR FEATURE                        25

1. INTRODUCTION

1.1 WHAT IS OWASP?

The Open Web Application Security Project (OWASP) is a non-profit global
community that strives to promote application security across the web. A core OWASP
principle is that their knowledge base is freely and easily accessible on their website.
With its tens of thousands of members and hundreds of chapters, OWASP is considered
highly credible, and developers have come to count on it for essential web application
security guidance.

Every application developer, regardless of experience level, must make the effort to
understand code security vulnerabilities in order to avoid frustrating and often costly
application security failures.

1.2 WHAT IS THE OWASP TOP 10?


Every few years, OWASP revises and publishes its list of the top 10 web application
vulnerabilities. The list includes not only the OWASP Top 10 threats but also the
potential impact of each vulnerability and how to avoid it. The comprehensive list
is compiled from a variety of expert sources such as security consultants, security
vendors, and security teams from companies and organizations of all sizes. It is
recognized as an essential guide to web application security best practices.

OWASP has recently shared the 2021 OWASP Top 10 where there are three new
categories, four categories with naming and scoping changes, and some consolidation
within the Top 10.

The OWASP Top 10 is largely intended to raise awareness. However, since its debut
in 2003, enterprises have used it as a de facto industry AppSec standard. If we look at
the document closely, it specifically calls out the number of CWEs (Common
Weakness Enumeration entries) attached to each category.

1.3 WHAT ARE THE TOP OWASP VULNERABILITIES?


OWASP’s top ten list is compiled and published every three to four years, highlighting
the most critical security vulnerabilities. Additionally, the list includes examples of the
weaknesses, how they can be exploited by attackers, and suggested methods that reduce
or eliminate application exposure.

1.4 HOW SHOULD THE OWASP TOP 10 BE USED?

OWASP’s top 10 list offers a tool for developers and security teams to evaluate
development practices and to prompt thinking about web application security.
While it is by no means all-inclusive of web application vulnerabilities, it provides a
benchmark that promotes visibility of security considerations.

1.5 HOW CAN OWASP TOP 10 VULNERABILITIES BE TESTED?

OWASP provides an in-depth testing guide that offers test cases for a multitude of test
scenarios. Many development teams have adopted a more automated solution by
utilizing software to scan code for vulnerabilities, with automated warnings and
consistent application of best practices.

2. THE OWASP TOP 10 VULNERABILITIES IN 2017

2.1 A01:2017 INJECTION


Injection flaws, such as SQL, OS, XXE, and LDAP injection occur when untrusted data
is sent to an interpreter as part of a command or query. Injected data from the attacker
can trick the interpreter into executing unintentional commands or accessing data
without proper authorization.

2.2 A02:2017 BROKEN AUTHENTICATION AND SESSION MANAGEMENT

The application functions related to authentication and session management are often
implemented incorrectly, allowing attackers to compromise passwords, keys or session
tokens, or exploit other implementation flaws to assume the identities of other users
(temporarily or permanently).

2.3 A03:2017 CROSS-SITE SCRIPTING (XSS)

XSS allows attackers to execute scripts in the victim’s browser, which can hijack user
sessions, deface web sites, or redirect the user to malicious sites. XSS vulnerabilities
occur whenever an application allows untrusted input to be included in a web page
without proper validation.

2.4 A04:2017 BROKEN ACCESS CONTROL

Restrictions on what authenticated users can do are not properly enforced. Attackers
can exploit these vulnerabilities to access unauthorized data and features, such as other
users’ accounts, view sensitive files, modify other users’ data, change access rights, and
so on.

2.5 A05:2017 SECURITY MISCONFIGURATION

Good security requires having a secure configuration defined and implemented for the
application, frameworks, application server, web server, database server, platform,
etc. Secure configurations must be defined, implemented, and maintained, since
default settings are often unsafe. In addition, the software must be kept up to date.

2.6 A06:2017 SENSITIVE DATA EXPOSURE

Many web applications and APIs do not adequately protect confidential / sensitive
data. Attackers may steal or modify such weakly protected data to perform credit card
fraud, identity theft, or other crimes. Sensitive data deserves additional protection, such
as strong encryption whether at rest or in transit, as well as special precautions when
exchanged with the browser.

2.7 A07:2017 SENSITIVE DATA EXPOSURE

Most applications and APIs lack the basic ability to detect, prevent, and respond
to manual and automated attacks. Attack protection goes far beyond basic input
validation and involves detection, logging, response, and even blocking of
intrusion attempts. Application owners also need to be able to deploy patches
quickly to protect against attacks.

2.8 A08:2017 CROSS-SITE REQUEST FORGERY (CSRF)

A CSRF attack forces the logged-in victim’s browser to send a forged / spoofed HTTP
request, including the victim’s session cookie and any other automatically-entered
authentication information for a vulnerable web application. Such an attack allows the
attacker to force the victim’s browser to generate requests that the vulnerable
application believes are legitimate requests.

2.9 A09:2017 USING COMPONENTS WITH KNOWN VULNERABILITIES

Components such as libraries, frameworks and other software modules run with the
same privileges as the application. If a vulnerable component is exploited, such an
attack can cause data loss or a server takeover by the attackers. Applications and APIs
that use components with known vulnerabilities can undermine application defenses
and allow for multiple attacks and impacts.

2.10 A10:2017 UNDERPROTECTED APIS

Modern applications generally encompass client applications and APIs, such as
JavaScript in the browser and mobile applications, which connect to an API of some
kind (SOAP / XML, JSON / REST, RPC, GWT, etc.). These APIs are often unprotected
and contain numerous vulnerabilities.

3. THE OWASP TOP 10 VULNERABILITIES IN 2021

3.1 A01:2021-BROKEN ACCESS CONTROL

The OWASP Team listed the Broken Access Control vulnerability in the #1 position; it has
moved up from the 5th position in the OWASP Top 10 2017 list. To assign this position,
the OWASP Team tested 94% of applications with some sort of Broken Authentication
and also mapped 34 CWEs to it.

A broken authentication vulnerability can allow an attacker to use manual and/or
automatic methods to try to gain control over any account they want in a system – or
even worse – to gain complete control over the system.

Websites with broken authentication vulnerabilities are very common on the web.
Broken authentication usually refers to logic issues that occur on the application
authentication’s mechanism, like bad session management prone to username
enumeration – when a malicious actor uses brute-force techniques to either guess or
confirm valid users in a system.

To minimize broken authentication risks, avoid leaving the login page for admins
publicly accessible to all visitors of the website:

• /administrator on Joomla!,

• /wp-admin/ on WordPress,

• /index.php/admin on Magento,

• /user/login on Drupal.

The second most common form of this flaw is allowing users to brute-force
username/password combinations against those pages.

3.1.1 Broken Access Control Remediation

Broken access control vulnerabilities can be addressed in a number of ways:

• Adopt a least-privilege approach so that each role is granted the lowest level of access
required to perform its tasks.

• Delete accounts that are no longer needed or active.

• Audit activity on servers and websites so that you are aware of who is doing what
(and when).

• If there are multiple access points, disable the ones that are not required at that
moment.

• Keep servers lean by shutting down unnecessary services.
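The remediation points above can be seen together in a small server-side authorization layer. The following is an added example (not code from the report or from OWASP): a least-privilege role table, an object-level ownership check so that one user cannot read or change another user's record, denial by default for deactivated or unknown accounts, and an audit record of who attempted what. The roles, users and records are constructed for the example.

```python
"""Access control enforced on the server, for every request (added example).

Least-privilege roles, an object-level ownership check, deny-by-default for
unknown or deactivated accounts, and an audit trail. All names below are
constructed for the demonstration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Least privilege: each role gets only the actions it needs (assumed roles).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "user": {"read_own", "update_own"},
    "support": {"read_any"},
    "admin": {"read_any", "update_any", "delete_any"},
}


@dataclass
class User:
    name: str
    role: str
    active: bool = True


@dataclass
class Record:
    record_id: int
    owner: str
    body: str


@dataclass
class AccessControl:
    users: Dict[str, User]
    records: Dict[int, Record]
    audit_log: List[str] = field(default_factory=list)

    def _permitted(self, user: User, action: str, record: Record) -> bool:
        perms = ROLE_PERMISSIONS.get(user.role, set())
        if f"{action}_any" in perms:
            return True
        # Object-level check: an "_own" permission only covers the caller's own record.
        return f"{action}_own" in perms and record.owner == user.name

    def authorize(self, username: str, action: str, record_id: int) -> bool:
        """Server-side decision that never trusts the client's view of its rights."""
        user: Optional[User] = self.users.get(username)
        record: Optional[Record] = self.records.get(record_id)
        # Deny by default: unknown or deactivated account, or unknown object.
        allowed = (user is not None and user.active and record is not None
                   and self._permitted(user, action, record))
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{verdict} user={username} action={action} record={record_id}")
        return allowed


def build_sample() -> AccessControl:
    """Constructed users and records for the demonstration."""
    users = {
        "alice": User("alice", "user"),
        "bob": User("bob", "user"),
        "carol": User("carol", "support"),
        "dave": User("dave", "admin", active=False),  # account no longer needed
    }
    records = {
        1: Record(1, "alice", "alice's invoice"),
        2: Record(2, "bob", "bob's invoice"),
    }
    return AccessControl(users, records)


if __name__ == "__main__":
    ac = build_sample()
    ac.authorize("alice", "read", 1)    # own record: allowed
    ac.authorize("alice", "read", 2)    # another user's record: denied
    ac.authorize("carol", "read", 2)    # support may read any record
    ac.authorize("carol", "update", 2)  # but may not modify it
    ac.authorize("dave", "delete", 1)   # deactivated admin: denied
    print("\n".join(ac.audit_log))
```

The decision is made on the server from the stored role and the record's owner, never from anything the client sends about its own rights; the audit log is what the "who is doing what (and when)" point refers to.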

3.2 A02:2021-CRYPTOGRAPHIC FAILURES

Cryptographic Failures has been assigned the #2 position, moving up from #3 in the
2017 list, where it was listed as “Sensitive Data Exposure”, a name chosen by
considering the “symptom”. Since the renewed list focuses on the root cause,
cryptography is identified as a major cause of sensitive data leaks.

Data in transit and at rest — such as passwords, credit card numbers, health records,
personal information, and business secrets — require extra protection due to the
potential for cryptographic failures (sensitive data exposure). This is especially true if
the data falls under any of the privacy laws such as GDPR, CCPA, and others. Is any
data sent in plain text? Are there any outdated or insecure cryptographic algorithms
or protocols in use by default or in older code? Is it possible that default crypto keys
are being utilized, that weak crypto keys are being generated and re-used, or that proper
key management and rotation are being overlooked? Is it possible to check crypto keys
into source code repositories? Is encryption not enforced, and is the received data
encrypted?

3.2.1 Cryptographic Failures Remediation


• On forms that collect data, turn off autocomplete.

• Reduce/minimize the size of the data surface area.

• Encrypt data while it is in transit and at rest.

• Use the most up-to-date encryption techniques.

• Disable caching on data-collecting forms.

• Use strong, adaptive, salted hashing functions when saving passwords.
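The last point above, salted adaptive password hashing, beside the failure it prevents, as an added example (not code from the report): an unsalted fast hash gives two users with the same password the same stored value and lets a leaked table be attacked with precomputed digests, while a per-user random salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library here) do not. The iteration count is an assumed value for the example.

```python
"""Salted, adaptive password hashing with PBKDF2 (added example, not from the report)."""
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 310_000  # assumed work factor; raise it as hardware gets faster
DIGEST_LEN = 32


def weak_unsalted_hash(password: str) -> str:
    """The failure mode: fast and unsalted, so equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest (base64)."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=DIGEST_LEN)
    salt_b64 = base64.b64encode(salt).decode()
    digest_b64 = base64.b64encode(digest).decode()
    return f"pbkdf2_sha256${ITERATIONS}${salt_b64}${digest_b64}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                     int(iterations), dklen=len(expected))
    except (ValueError, TypeError):
        return False  # malformed record: a failed login, never a success
    return hmac.compare_digest(actual, expected)


def same_password_shares_digest(hasher) -> bool:
    """True if two users choosing the same password end up with the same stored value."""
    return hasher("Winter2021!") == hasher("Winter2021!")
```

Storing the algorithm and iteration count inside the record is what makes the scheme adaptive: when the work factor is raised, old records still verify and can be re-hashed at the user's next successful login.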

3.3 A03:2021-INJECTION

Injection attacks are down to the #3 position in this OWASP TOP 10 2021 from the #1
position in the 2017 list. Under this Injection attack category, there are 33 CWEs
mapped, including the Cross-site Scripting (XSS) bug that was in the #7 position in the
previous list.

Injection vulnerabilities can occur when a query or command is used to insert untrusted
data into the interpreter via SQL, OS, NoSQL, or LDAP injection. The hostile data
injected through this attack vector tricks the interpreter to make the application do
something it was not designed for, such as generating unintended commands or
accessing data without proper authentication.

Any application that accepts parameters as input can be susceptible to injection attacks.
The level of the threat is highly correlated with the thoroughness of the application’s
input validation measures.

3.3.1 Injection Remediation


Injection attacks can be prevented by any combination of the following approaches:

• Segregate commands from data to avoid exposure to attacks that replace data with
unintended command execution.

• Code SQL queries with parameters rather than structuring the command from user
input content only. These are called parameterized queries or prepared statements.

• Eliminate the interpreter altogether through the use of a safe API.

• Implement positive server-side validation as well as an intrusion detection system that
spots suspicious client-side behaviors.

3.4 A04:2021-INSECURE DESIGN

Insecure design is a new category added in the OWASP TOP 10 2021 list and listed in
the #4 position. This category focuses on risks related to design flaws.

Insecure design is a wide term that encompasses a variety of flaws and is defined as
“missing or poor control design.” Threat modeling, secure design patterns, and
reference architectures are among the new categories for 2021, with a call for
more use of threat modeling, safe design patterns, and reference
architectures. As a community, we must move beyond “shift left” coding to pre-code
tasks that are important to the Secure by Design principles.

3.4.1 Insecure Design Remediation
• To help analyze and build security and privacy-related measures, establish and use a
safe development lifecycle with AppSec professionals.

• Create and use a library of secure design patterns or components that are ready to
use.

• Use threat modeling for crucial authentication, access control, business logic, and
key flows.

• User stories should include security language and controls.

• Integrate plausibility checks into your application at each level (from frontend to
backend).

• To ensure that all important flows are resistant to the threat model, write unit and
integration tests. Make a list of use-cases and misuse-cases for each tier of your
app.

• Depending on the exposure and protection requirements, segregate tiers on the
system and network layers.

• Limit user and service resource consumption.

3.5 A05:2021-SECURITY MISCONFIGURATION


Security Misconfiguration moved from the #6 position to #5, and the vulnerability has been
tested on 90% of applications. The OWASP Team removed XML External Entities (XXE) from
the 2017 list and merged it into Security Misconfiguration.

Gartner estimates that up to 95% of cloud breaches are the result of human errors.
Security setting misconfigurations are one of the prime drivers of that statistic, with
OWASP noting that, of the top ten, this vulnerability is the most common. There are
many types of misconfiguration that expose the company to cybersecurity risk,
including:

• Accepting default settings that are insecure

• Overly accessible cloud storage resources

• Incomplete configurations

• Misconfigured HTTP headers

• Verbose error messages that contain sensitive information

3.5.1 Security Misconfiguration Remediation


Security misconfigurations can strike almost anywhere in the environment, including
network-attached devices, databases, web and application servers, and containers. The
following practices can help maintain a well-configured environment:

• Use templates to deploy development, test, and production environments that are
preconfigured to meet the organization’s security policies.

• Leverage segmented application architectures that minimize the risk from an
insecurely configured element; maintain a library of properly configured container
images.

• Deploy minimal platforms and remove unused features and services.

• Continuously monitor cloud resources, applications, and servers for security
misconfigurations and remediate detected issues in real time, using automated
workflows wherever possible.

3.6 A06:2021-VULNERABLE AND OUTDATED COMPONENTS

This is the new title of “Using Components with Known Vulnerabilities”, which was
listed in the #9 position in the 2017 list; it has now moved up to the #6 position.
The OWASP Team said that it is the only category without any CVEs mapped to the
included CWEs, so default exploit and impact weights of 5.0 were used to
determine this position.

Modern distributed web applications often incorporate open source components such
as libraries and frameworks. Any component with a known vulnerability becomes a
weak link that can impact the security of the entire application.

Although the use of open source components with known vulnerabilities ranks low in
terms of security problem severity, it is #1 when ranking the OWASP Top 10 by how
often a vulnerability was the root cause of an actual data breach.

3.6.1 Vulnerable and Outdated Components Remediation


The most effective defense is continuous scanning of all code components for known
vulnerabilities and deploying a patch or other remedy as quickly as possible when a
vulnerability is detected. There are a number of best practices that enhance the
effectiveness of this line of defense:

• All components integrated into the company’s frameworks should be under
configuration management.

• The scanner must be able to automatically discover all the components to be
monitored.

• Scanning should be conducted against a comprehensive vulnerability database that is
enriched with threat intelligence data.

• The patch management workflows for identifying, testing, and deploying the right
patch should be as automated as possible in order to reduce to a minimum the
operational risk associated with patching.

3.7 A07:2021-IDENTIFICATION AND AUTHENTICATION FAILURES

It was previously known as Broken Authentication, which was listed in the #2 position and
has moved to the #7 position. This category is still an integral part of the Top 10, but the
increased availability of standardized frameworks seems to be helping, according to OWASP.

When applications incorrectly execute functions related to session management or user
authentication, intruders may be able to compromise passwords, security keys, or
session tokens and permanently or temporarily assume the identities and permissions
of other users. This vulnerability poses a grave threat to the security of the application
and the resources it accesses and can also severely compromise other assets connected
to the same network.

3.7.1 Authentication Remediation


The key OWASP best practice recommendations to mitigate broken authentication
vulnerabilities are:

• Implement multi-factor authentication.

• Do not deploy with default credentials, especially for users with admin privileges.

• Enforce strong passwords.

• Carefully monitor failed login attempts.

• Use a secure session manager that generates random, time-limited session IDs. Never
include session IDs in URLs.
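The last point above, a session manager with random, time-limited IDs, as an added example that is not code from the report. It goes slightly beyond the bullet: besides drawing IDs from the OS cryptographic RNG and expiring them on idle and absolute timeouts, it rotates the ID after login so that an ID set before authentication is never promoted to an authenticated one, and it counts lookups of unknown IDs so guessing shows up in monitoring. The timeouts are assumed values, and the clock is injected so expiry can be exercised without waiting.

```python
"""Random, time-limited session identifiers (added example)."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionManager:
    def __init__(self, idle_timeout: float = 15 * 60, absolute_timeout: float = 8 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self.idle_timeout = idle_timeout          # assumed: 15 minutes idle
        self.absolute_timeout = absolute_timeout  # assumed: 8 hours total
        self.clock = clock
        self.invalid_lookups = 0  # feed to monitoring: guessed IDs show up here

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; sent in a cookie, never a URL
        now = self.clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def validate(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None (expiring it) otherwise."""
        sess = self._sessions.get(sid)
        if sess is None:
            self.invalid_lookups += 1
            return None
        now = self.clock()
        if now - sess.last_seen > self.idle_timeout or now - sess.created > self.absolute_timeout:
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess.user

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh ID for the same user, e.g. right after a successful login."""
        user = self.validate(sid)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user)

    def destroy(self, sid: str) -> None:
        """Logout: remove the session server-side, not just the cookie."""
        self._sessions.pop(sid, None)


class FakeClock:
    """Constructed clock so expiry can be demonstrated without waiting."""
    def __init__(self, start: float = 1_000_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    sm = SessionManager(clock=clock)
    sid = sm.create("alice")
    sid = sm.rotate(sid)            # after login: new ID, old one dead
    clock.advance(16 * 60)          # idle longer than the timeout
    print(sm.validate(sid))         # None: expired
```

The server keeps the only authoritative copy of session state; the cookie carries nothing but an unguessable reference to it.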

3.8 A08:2021-SOFTWARE AND DATA INTEGRITY FAILURES


Software & Data Integrity Failures is a new category in the OWASP Top 10 2021 list, and
this vulnerability focuses on software updates, critical data, and CI/CD pipelines
used without verifying integrity. Also, the OWASP Team merged Insecure Deserialization
from 2017 into it.

Code and infrastructure that do not guard against integrity violations are referred to as
software and data integrity failures. A program that uses plugins, libraries, or modules
from untrusted sources, repositories, or content delivery networks (CDNs) is an
example of this. Unauthorized access, malicious code, or system compromise can all
be risks of an unsecured CI/CD pipeline. Finally, many programs now have auto-update
capabilities that allow updates to be obtained without necessary integrity checks and
applied to previously trusted applications. Attackers could potentially distribute and run
their own updates across all systems with this functionality.

3.8.1 Software and Data Integrity Failures Remediation


• Use digital signatures, or other similar measures, to ensure that the program or data is
genuine and has not been tampered with.

• To reduce the risk of harmful code or configuration being introduced into your
development pipeline, make sure there is a review procedure in place for code and
configuration modifications.

• Ascertain that libraries and dependencies, such as npm or Maven, use trusted
repositories. Consider hosting an internal, approved known-good repository if you
have a higher risk profile.

• To protect the integrity of the code going through the build and deploy processes,
make sure your CI/CD pipeline includes adequate segregation, configuration, and
access control.

• Ensure that unsigned or unencrypted serialised data is not delivered to untrustworthy
clients without some kind of integrity check or digital signature to detect alteration
or replay.
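The first and last points above, applied to the auto-update scenario described in this section, as an added example that is not code from the report: before an update is applied, the manifest describing it is authenticated, the downloaded artifact's SHA-256 digest must match the manifest, and a version counter rejects replay of the same or an older release. The manifest is authenticated with an HMAC over a canonical JSON encoding, which stands in for the publisher's digital signature so the example stays within Python's standard library; the key, artifact and manifest are constructed.

```python
"""Integrity verification before an update is applied (added example)."""
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

PUBLISHER_KEY = b"constructed-demo-key-not-for-real-use"  # assumed shared secret


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest: Dict[str, Any]) -> bytes:
    # Sorted keys and no whitespace so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict[str, Any], key: bytes = PUBLISHER_KEY) -> str:
    """Publisher side: authenticate the manifest (name, version, artifact digest)."""
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: Dict[str, Any], tag: str, artifact: bytes,
                  installed_version: int, key: bytes = PUBLISHER_KEY) -> Tuple[bool, str]:
    """Client side: every check must pass before the artifact is used."""
    expected_tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return False, "manifest authentication failed"
    # Monotonic version: a captured older release cannot be replayed as an "update".
    if manifest.get("version", 0) <= installed_version:
        return False, "replay or downgrade rejected"
    if not hmac.compare_digest(sha256_hex(artifact), manifest.get("sha256", "")):
        return False, "artifact digest does not match manifest"
    return True, "ok"


def build_release(version: int, artifact: bytes) -> Tuple[Dict[str, Any], str]:
    """Constructed publisher step producing a manifest and its authentication tag."""
    manifest = {"name": "example-plugin", "version": version, "sha256": sha256_hex(artifact)}
    return manifest, sign_manifest(manifest)


if __name__ == "__main__":
    artifact = b"constructed plugin bytes v2"
    manifest, tag = build_release(2, artifact)
    print(verify_update(manifest, tag, artifact, installed_version=1))        # (True, 'ok')
    print(verify_update(manifest, tag, artifact + b"!", installed_version=1))  # tampered artifact
    print(verify_update(manifest, tag, artifact, installed_version=2))        # replay
```

The order of the checks matters: authentication first, so that nothing in an unauthenticated manifest (not even the version number) influences a decision.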

3.9 A09:2021-SECURITY LOGGING AND MONITORING FAILURES

It was previously known as Insufficient Logging & Monitoring, which was listed in the
#10 position and has moved up to the #9 position. Failing to fix this vulnerability impacts
visibility, incident alerting, and forensics.

Studies indicate that the time from attack to detection can take up to 200 days, and often
longer. This window gives cyber thieves plenty of time to tamper with servers, corrupt
databases, steal confidential information, and plant malicious code.

3.9.1 Remediation
Implement readily available logging and audit software to quickly detect suspicious
activities and unauthorized access attempts. Even if a detected attack has failed, logging
and monitoring provide invaluable tools for analyzing the source and vector of the
attack and learning how security policies and controls can be hardened to prevent
intrusions.
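Detection logic of the kind the remediation above describes, which also serves the "carefully monitor failed login attempts" point in 3.7.1, as an added example that is not code from the report: it parses constructed authentication log lines, flags source addresses with many failures inside a sliding time window (brute force) together with how many distinct usernames they tried (the username enumeration mentioned in 3.1), and reports lines it could not parse so that gaps in logging are visible rather than silent. The log format and thresholds are assumed.

```python
"""Detection over authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Set

LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: one user with a typo, one noisy source, one stray failure,
# and one line in an unexpected format.
SAMPLE_LOG = """\
2021-12-01T10:00:01 auth FAIL user=alice ip=198.51.100.2
2021-12-01T10:00:09 auth OK user=alice ip=198.51.100.2
2021-12-01T10:05:00 auth FAIL user=admin ip=203.0.113.7
2021-12-01T10:05:03 auth FAIL user=root ip=203.0.113.7
2021-12-01T10:05:06 auth FAIL user=test ip=203.0.113.7
2021-12-01T10:05:10 auth FAIL user=guest ip=203.0.113.7
2021-12-01T10:05:14 auth FAIL user=admin ip=203.0.113.7
2021-12-01T10:05:20 auth FAIL user=alice ip=203.0.113.7
this line is not in the expected format
2021-12-01T10:30:00 auth FAIL user=bob ip=192.0.2.9
"""


def analyze(lines: Iterable[str], threshold: int = 5, window_seconds: int = 300) -> Dict[str, object]:
    """Alert on any source with >= threshold failures inside window_seconds."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    users: Dict[str, Set[str]] = defaultdict(set)
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # surfaced, so a broken log format is noticed
            continue
        if m["result"] == "FAIL":
            failures[m["ip"]].append(datetime.fromisoformat(m["ts"]))
            users[m["ip"]].add(m["user"])
    alerts = []
    for ip, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until the span fits in window_seconds.
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"ip": ip, "max_failures_in_window": best,
                           "distinct_users": len(users[ip]),
                           "first": times[0].isoformat(), "last": times[-1].isoformat()})
    alerts.sort(key=lambda a: a["ip"])
    return {"alerts": alerts, "unparsed_lines": skipped}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for alert in result["alerts"]:
        print("ALERT", alert)
    print("unparsed lines:", result["unparsed_lines"])
```

The distinct-user count is what separates a user who mistypes a password from a source walking through a list of account names; the first and last timestamps give the incident responder the window to pull for forensics.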

3.10 A10:2021-SERVER-SIDE REQUEST FORGERY

SSRF is listed in the #10 position with the help of an industry survey. The data shows
a relatively low incidence rate with above-average testing coverage, along with above-
average ratings for Exploit and Impact potential, according to OWASP.

Server-side request forgery (also termed as SSRF) is a web security flaw that allows an
attacker to force a server-side application to send HTTP requests to any domain the
attacker chooses.

When a web application fetches a remote resource without validating the user-supplied
URL, an SSRF fault occurs. Even if the program is secured by a firewall, VPN, or
another sort of network access control list, an attacker can force it to send a forged
request to an unexpected location.

3.10.1 Remediation
• Implement input validation.

• Use Regular Expressions (RegEx).

• Only accept the intended IP address format (IPv4 or IPv6).

• When comparing against the allow list, use the IP address value returned by the
parsing library.

• Validate incoming Domain Names.

• Review the OWASP Cheat Sheet Series
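The list above combined into one check that runs before the server fetches a user-supplied URL, as an added example that is not code from the report: only expected schemes and ports, no embedded credentials, a host that is on the allow list (literal IP addresses are never on it), and a resolved address that is a syntactically valid, globally routable IPv4 or IPv6 address, so the request cannot land on loopback, private or link-local ranges even if an allow-listed name resolves there. The allow list and the offline resolver are constructed; the default resolver uses the system DNS.

```python
"""Outbound URL validation against an allow list (added example)."""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"cdn.example.com", "reports.example.com"}  # assumed allow list
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


def is_public_ip(addr: str) -> bool:
    """Accept only a valid IPv4/IPv6 literal that is globally routable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


def system_resolve(host: str) -> List[str]:
    """Default resolver: every address the system DNS returns for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str,
                          resolve: Callable[[str], List[str]] = system_resolve) -> Tuple[bool, str]:
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:  # literal IPs fail here: only names are allow-listed
        return False, "host not on allow list"
    try:
        port = parts.port if parts.port is not None else 443
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    # Compare the resolver's output, not the user's string, against the address policy.
    addresses = resolve(host)
    if not addresses or not all(is_public_ip(a) for a in addresses):
        return False, "host resolves to a non-public address"
    return True, "ok"


# Constructed offline resolver: one correct entry and one name that points inside the network.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "reports.example.com": ["10.0.0.5"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://cdn.example.com/a.png", "http://cdn.example.com/a.png",
                      "https://10.0.0.5/", "https://reports.example.com/q"):
        print(candidate, "->", validate_outbound_url(candidate, fake_resolve))
```

The resolved-address check is the part that input filtering alone cannot give: the allow list says which names are expected, and the address policy says where those names are allowed to lead.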

4. THE DIFFERENCE BETWEEN OWASP TOP 10 VULNERABILITIES IN 2017 TO 2021

There are three new categories, four categories with naming and scoping changes, and
some consolidation in the Top 10 for 2021.

5. OWASP TOP-10 2021 STATISTICS-BASED PROPOSAL

Everybody knows the OWASP Top-10, as well as the fact that it gets updated only every
3-4 years. With the last update published in 2017, it’s no surprise that a new
version is coming this year. During my application security career, I saw the OWASP Top-
10 at least in 2003, 2004, 2007, 2010, 2013, and 2017.

Since the OWASP creation process is not documented well, it seems reasonable to build
an open and transparent rating for the same categories based on a large number of
security reports.

The purpose of this work is to make an OWASP Top-10 2021 prediction calculated by
understandable metrics, make everyone able to reproduce the results, and present it to the
entire community for feedback. The following work is based on an analysis of 2
million security reports from 144 public sources, including CVE bulletins, bug bounty
reports, and vendor security bulletins.

6. CATEGORIES OVERLAPS IN OWASP TOP-10

The first thing I should mention about the OWASP Top-10 is that it’s not a
vulnerability classification, and not even a classification at any level, since the categories
overlap. I am referring to the Security Boulevard article and our blog post that describe
the overlap presented in the following diagram:

6.1 OWASP Top 10 2017 category overlaps

To sum up: the OWASP Top-10 IS NOT a vulnerability classification, but rather a list of
the risks that have been revealed during the last period of time. That’s why, to predict
the next OWASP Top-10 2021 list, we have to analyze threats to the targeted web assets
for the last four years. So, here we go.

6.2 METHODOLOGY

To find the statistical data, we used Vulners.com, which is an aggregated database
that includes more than 4 million bulletins from 144 vendors, including bug bounty
programs like HackerOne.

The total amount of bulletins used to build this list is 2 168 521 (search query:
“published:[2018-01-01 TO 2020-12-31]”).

To split the data by category, we built Vulners search queries for all ten OWASP
categories. Even though full-text search is not the most accurate way to classify
data, I think it can be relied on for this particular task. The point is that all the OWASP
categories can be found in security bulletins by searching for acronyms and abbreviations like
XSS, XXE, SQL, RCE, etc.

The category “Known Vulnerabilities” is not covered by a full-text search query. Instead,
the total number of web-related security reports was taken as the total number of CVE
numbers assigned in the last three years.

It’s not a joke, but according to the Vulners statistics, XSS accounts for 20% of ALL the
security bulletins in the last three years. That’s almost 10x more than all the CVEs
issued in the last three years. Since many XSS reports don’t have a CVSS score (meaning
zero), the average score across that many of them is still only 0.1. That fact, however, doesn’t
stop XSS from hitting the Top-3 in the chart, again because there are so many of them: every
fifth bulletin found in the last three years is an XSS report.
The following queries can be used to validate, modify, or make your own analysis:

Top-10 2017 to 2021 Mapping                     Search query

A1. Injections                                  injection OR traversal OR lfi OR “os command” OR SSTI OR RCE OR “remote code”

A2. Broken auth                                 authentication

A3. Sensitive data exposure                     sensitive AND data

MERGE: A8. Insecure Deserialization + A4. XXE   XXE OR deserialize OR deserialization OR “external entities”

A5. Broken Access Control                       access control

A6. Security Misconfiguration                   misconfiguration OR misconfigure

A7. XSS                                         XSS

NEW: SSRF                                       SSRF OR “server side request forgery”

A9. Known Vulnerabilities                       type:cve and (http OR web OR html)

A10. Insufficient Logging & Monitoring          logging

As you can see, my strong opinion is that the OWASP community will add the new
category SSRF and merge “A4. XXE – XML External Entity” and “A8. Insecure
Deserialization” in the upcoming OWASP Top-10 2021. Here is why.


6.2.1 Proposal 1: Add SSRF as a New Category.
As an SSRF inventor and author of the “SSRF bible cheatsheet”, I definitely keep warm
feelings about it.

In spite of this, please allow me to mention just the four most powerful facts related to
SSRF:

• SSRF attacks became #3 of the most critical vulnerabilities as of the H1 2020
stats: https://www.hackerone.com/top-ten-vulnerabilities

• Amazon took it seriously and patched it for EC2 meta-data services at the end of
2019: https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/

• SSRF caused a lot of high-risk security problems, including the most famous Capital
One hack with a WAF bypass, explained in detail by Krebs on
Security: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/

• According to the global stats collected by Vulners, SSRF was mentioned in 912 bulletins
in the last three years, almost the same number of times as OWASP Top-10 2017 A4 / XXE
(1000 results) and 2.5x more often than security misconfiguration (A6 / 481 results).

To sum up, SSRF is a critical issue that causes cloud takeovers, remote code execution,
data breaches, and other information security risks. It cannot be fixed by input
filtering and other data validation mechanisms. Amazon and other cloud providers take
it seriously and change their infrastructures to mitigate the threat. SSRF is
mentioned in almost the same number of security bulletins as XXE over the last three
years. That is why I am sure nobody will blame me for adding it to the OWASP
Top-10 2021.
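The claim that input filtering cannot fix SSRF is easy to demonstrate. The following is an added example, not code from the report or from Vulners: a string deny-list of the kind that is usually deployed, next to a check that resolves the host and classifies every resulting address. The hostnames and the DNS table are constructed so the code runs offline; a real implementation would call socket.getaddrinfo() in place of the table.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed name table so the example runs offline. A real resolver would call
# socket.getaddrinfo(host, None) and must check *every* address it returns.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.corp.example": ["169.254.169.254"],             # assumed internal name
    "rebind.attacker.example": ["93.184.216.34", "127.0.0.1"],  # public + loopback
}

BLOCKLIST = ("169.254.169.254", "localhost", "127.0.0.1")


def naive_filter(url: str) -> bool:
    """Deny-list on the raw URL string: returns True if the URL 'looks' safe.
    This is the input-filtration approach the text argues cannot fix SSRF."""
    lowered = url.lower()
    return not any(token in lowered for token in BLOCKLIST)


def lookup(host: str) -> list[str]:
    """Resolve a host the way an HTTP client would: dotted IPv4, bracketed IPv6,
    and bare decimal/hex integers (http://2852039166/) are literal addresses;
    anything else is a name that goes to DNS (here, the constructed table)."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    try:
        # 2852039166 and 0xa9fea9fe are both 169.254.169.254 to libcurl and friends
        return [str(ipaddress.IPv4Address(int(host, 0)))]
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise LookupError(host)


def is_forbidden(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for any address that must never be reached from a user-supplied URL."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a9fe:a9fe is 169.254.169.254 in disguise
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def is_safe_target(url: str, resolver=lookup) -> bool:
    """Resolve-then-classify check: scheme must be http(s) and *all* addresses
    the host resolves to must be public. Unknown hosts are rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        addrs = resolver(parts.hostname)
    except LookupError:
        return False
    return all(not is_forbidden(ipaddress.ip_address(a)) for a in addrs)


if __name__ == "__main__":
    for u in ("http://2852039166/latest/meta-data/", "http://[::ffff:a9fe:a9fe]/",
              "http://metadata.corp.example/", "http://rebind.attacker.example/",
              "https://example.com/health", "file:///etc/passwd"):
        print(f"{u:45} naive={naive_filter(u)!s:5} resolved={is_safe_target(u)}")
```

Every request in the demo passes the string filter, and only the resolve-and-classify check stops them. Even that check is not the end of the story: the HTTP client resolves the name again when it connects (a DNS answer can change between the two lookups), and a redirect is followed to whatever address the response names, so the check has to run on every hop. That is why network-level controls such as egress allowlists and the IMDSv2 token handshake mentioned above are the durable fix.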

6.2.2 Proposal 2: Merge XXE and Insecure Deserialization


XML is a serialization format, according to Wikipedia
(https://en.wikipedia.org/wiki/Serialization). The XXE vulnerability, a.k.a. XML
eXternal Entities, is technically a serialization feature that allows the content of
local and remote files to be included in the XML document. Sometimes it causes SSRF, by
the way. That is why it is absolutely true that XXE is part of the Insecure
Deserialization category, which I mentioned in a number of articles related to the
OWASP Top 10 2017 weaknesses. Also, there is no justification for keeping XXE as a
separate category when pretty much everything from SQL injection to path traversal and
OS command injection is gathered into the vague group "A1. Injection", which will lead
the OWASP list for years, for sure. Because of these two facts, plus the statistics on
the number of security reports in each of the categories, I decided to merge XXE and
Insecure Deserialization into a single class.
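The "serialization feature" is the DTD: an external entity declaration names a file or URL, and a parser that resolves external entities (libxml2 with entity substitution enabled, or a default-configured Java parser) fetches it while deserializing the document, which is exactly how XXE turns into file disclosure or SSRF. The following is an added example, not code from the report or from Vulners. It uses only the Python standard library: expat walks the DTD and reports what the document would have fetched without fetching anything, and the parse wrapper rejects any document that carries a DTD at all. The sample documents are constructed.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed sample documents for this example.
BENIGN = b'<?xml version="1.0"?><order><item>widget</item></order>'
XXE_LOCAL_FILE = b'''<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<order><item>&xxe;</item></order>'''
XXE_SSRF = b'''<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/"> ]>
<order><item>&xxe;</item></order>'''


def inspect_dtd(data: bytes) -> dict:
    """Walk the document with expat without resolving anything and report what its
    DTD declares: whether a DOCTYPE is present, and the SYSTEM id of every external
    entity (the file or URL a resolving parser would fetch when it meets &name;)."""
    report = {"doctype": False, "external_entities": []}
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = True

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:  # external, not internal text
            report["external_entities"].append((name, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is installed, so &xxe; in content is skipped, never fetched.
    parser.Parse(data, True)
    return report


def parse_untrusted(data: bytes) -> ET.Element:
    """Refuse any document that carries a DTD (the same posture as defusedxml's
    forbid_dtd), then parse with the standard library. The rejected entities are
    put in the error so they can be logged as the attacker's intended target."""
    report = inspect_dtd(data)
    if report["doctype"]:
        raise ValueError(f"DTD not allowed; external entities: {report['external_entities']}")
    return ET.fromstring(data)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("local file", XXE_LOCAL_FILE), ("ssrf", XXE_SSRF)):
        print(label, inspect_dtd(doc))
```

Rejecting every DTD is deliberate: a document that legitimately needs one is rare in an API, and allowing internal entities while blocking external ones still leaves entity-expansion denial of service (the "billion laughs" pattern) on the table.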

6.2.3 Proposal 3: Introduce Overall Risk Score


To sort my version of the OWASP Top-10, for each category I multiplied the average
CVSS score by the number of reports. Because many bulletins carry a CVSS score of 0,
the resulting average must not be read as the real average CVSS for the category; the
rating just shows the right proportions between the categories.

In a few words, to sort the OWASP categories the following formula was applied:

Overall Risk = Avg. CVSS x Amount of Bulletins

6.4 Calculating the OWASP Top 10 2021 rating

As mentioned above, I used aggregated data from the 144 data sources (security
bulletins) that Vulners.com indexes. This approach counts not only CVE data but all
reports, including bug bounties, exploits, and scanner detections, which reflect the
real state of information security. If only CVEs were counted, the results would be
dramatically different, since the category "Known Vulnerabilities" would technically
equal all the other categories combined.

So, here is the fairest way of building the OWASP Top-10; look at that!
OWASP Top-10 2021 (columns: Vulners search query, Avg. CVSS, number of bulletins,
overall score = Avg. CVSS x number of bulletins)

A1  Injection
    Query: injection OR traversal OR lfi OR "os command" OR SSTI OR RCE OR "remote code
    Avg. CVSS 4.83 | bulletins 34061 | overall score 164514.63

A2  Broken Authentication
    Query: authentication
    Avg. CVSS 4.08 | bulletins 13735 | overall score 56038.8

A3  Cross-Site Scripting (XSS)
    Query: xss
    Avg. CVSS 0.1 | bulletins 43335 | overall score 43335.3

A4  Sensitive Data Exposure
    Query: sensitive AND data
    Avg. CVSS 3.55 | bulletins 5990 | overall score 21264.5

A5  Insecure Deserialization
    Query: XXE OR deserialize OR deserialization OR "external entities"
    Avg. CVSS 5.33 | bulletins 2985 | overall score 15910.05

A6  Broken Access Control
    Query: access control
    Avg. CVSS 0.72 | bulletins 16967 | overall score 12216.24

A7  Insufficient Logging & Monitoring
    Query: logging
    Avg. CVSS 3.35 | bulletins 2309 | overall score 7735.15

A8  Server Side Request Forgery (SSRF)
    Query: SSRF OR "server side request forgery"
    Avg. CVSS 3.8 | bulletins 1139 | overall score 4328.2

A9  Known Vulnerabilities
    Query: type:cve and (http OR web OR html)
    Avg. CVSS 5.38 | bulletins 376 | overall score 2022.88

A10 Security Misconfiguration
    Query: misconfiguration OR misconfigure OR misconfig
    Avg. CVSS 2.27 | bulletins 480 | overall score 1089.6
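The overall-risk formula from proposal 3 and the table above are small enough to recompute by hand, which is worth doing: nine rows reproduce their printed score exactly, but the XSS row does not (0.1 x 43335 is 4333.5, not the printed 43335.3), and with the recomputed score it would drop from third to seventh place. The following is an added example, not code from the report or from Vulners, that recomputes the scores from the printed inputs, flags rows whose printed score disagrees, and shows the zero-CVSS caveat on a constructed set of five bulletin scores.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Row:
    category: str
    avg_cvss: float
    bulletins: int
    printed_score: float  # the "overall score" column exactly as printed in the table


# The ten rows transcribed from the table above (Vulners search results).
TABLE = [
    Row("A1 Injection", 4.83, 34061, 164514.63),
    Row("A2 Broken Authentication", 4.08, 13735, 56038.8),
    Row("A3 Cross-Site Scripting (XSS)", 0.1, 43335, 43335.3),
    Row("A4 Sensitive Data Exposure", 3.55, 5990, 21264.5),
    Row("A5 Insecure Deserialization", 5.33, 2985, 15910.05),
    Row("A6 Broken Access Control", 0.72, 16967, 12216.24),
    Row("A7 Insufficient Logging & Monitoring", 3.35, 2309, 7735.15),
    Row("A8 Server Side Request Forgery (SSRF)", 3.8, 1139, 4328.2),
    Row("A9 Known Vulnerabilities", 5.38, 376, 2022.88),
    Row("A10 Security Misconfiguration", 2.27, 480, 1089.6),
]


def overall_risk(avg_cvss: float, bulletins: int) -> float:
    """Overall Risk = Avg. CVSS x Amount of Bulletins, rounded as in the table."""
    return round(avg_cvss * bulletins, 2)


def ranked(rows=TABLE) -> list[str]:
    """Category names ordered by recomputed overall risk, highest first."""
    ordered = sorted(rows, key=lambda r: overall_risk(r.avg_cvss, r.bulletins), reverse=True)
    return [r.category for r in ordered]


def inconsistent_rows(rows=TABLE, tolerance: float = 0.01) -> list[str]:
    """Rows whose printed score is not avg_cvss x bulletins: a transcription check."""
    return [r.category for r in rows
            if abs(overall_risk(r.avg_cvss, r.bulletins) - r.printed_score) > tolerance]


def category_average(cvss_scores, include_unscored: bool = True) -> float:
    """Average CVSS for one category. Bulletins without a score are indexed as 0.0;
    keeping them (as the page's method does) pulls the average down, which is why
    the value only shows proportions between categories, not absolute severity."""
    scores = list(cvss_scores) if include_unscored else [s for s in cvss_scores if s > 0]
    return round(mean(scores), 2) if scores else 0.0


# Constructed sample: five bulletins for one category, three of them unscored.
SAMPLE_SCORES = [0.0, 0.0, 0.0, 7.5, 9.8]


if __name__ == "__main__":
    for place, name in enumerate(ranked(), start=1):
        print(f"{place:2} {name}")
    print("rows whose printed score does not match:", inconsistent_rows())
    print("average with zeros:", category_average(SAMPLE_SCORES),
          "without zeros:", category_average(SAMPLE_SCORES, include_unscored=False))
```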
9. CONCLUSION

By design, the OWASP Top 10 is limited to the ten most significant risks. Every OWASP
Top 10 has "on the cusp" risks that were considered at length for inclusion but, in the
end, did not make it. No matter how the data was interpreted, the other risks were more
prevalent and impactful. Securing modern applications against today's most dangerous
vulnerabilities does not have to be complicated, but it does require some care.

For organizations working towards a mature appsec program, and for security
consultancies or tool vendors wishing to expand the coverage of their offerings, the
following issues are well worth the effort to identify and remediate:

1) Code Quality issues

2) Denial of Service

3) Memory Management Errors


10. REFERENCES

10.1 S. K. Lala, A. Kumar and S. T., "Secure Web development using OWASP Guidelines,"
2021 5th International Conference on Intelligent Computing and Control Systems
(ICICCS), 2021, pp. 323-332, doi: 10.1109/ICICCS51141.2021.9432179.

10.2 S. Rafique, M. Humayun, B. Hamid, A. Abbas, M. Akhtar and K. Iqbal, "Web
application security vulnerabilities detection approaches: A systematic mapping study,"
2015 IEEE/ACIS 16th International Conference on Software Engineering, Artificial
Intelligence, Networking and Parallel/Distributed Computing (SNPD), 2015, pp. 1-6,
doi: 10.1109/SNPD.2015.7176244.

10.3 https://owasp.org/www-project-top-ten/

10.4 https://www.veracode.com/security/owasp-top-10
