A01:2021 – Broken Access Control
Access controls can be used in web development to ensure that users cannot act outside their intended permissions. Failures in access control can lead to unauthorized disclosure of sensitive information or even to damaging manipulation of accessible data.
A02:2021 – Cryptographic Failures
The category “Cryptographic Failures” (“Sensitive Data Exposure” in previous versions of the OWASP Top 10) covers weaknesses in the encryption of stored data and of data in transit, as well as the outright failure to use adequate encryption. A high level of cryptographic protection is required in particular for passwords, credit card numbers, health records, personal information, and business secrets – especially where the information is protected by regulations such as the GDPR or the PCI DSS.
A03:2021 – Injection
Injection attacks let attackers smuggle their own code into a target system and have it executed there. This puts all data held on the affected system, and on connected networks and services, at risk. The most common injection attacks are SQL injection and cross-site scripting (XSS). In the 2017 version of the OWASP Top 10, injection was still listed as the number one threat to web applications.
A05:2021 – Security Misconfiguration
“Security Misconfiguration” was still listed at number 6 in the previous version of the OWASP Top 10. The category covers errors in the configuration of security measures, such as missing or insufficient system hardening, improperly configured permissions on cloud services, the use of default passwords, or unnecessarily open ports.
A08:2021 – Software and Data Integrity Failures
This new category covers software updates, critical data, and CI/CD pipelines whose integrity is not verified. Significant risks arise, for example, when applications rely on plugins, libraries, or modules from untrusted sources, repositories, or content delivery networks (CDNs). An insecure CI/CD pipeline can serve as a gateway for cybercriminals to inject malicious code and compromise systems. Automatic updates of individual components without sufficient integrity verification jeopardize the security of the entire application, because malicious code can be introduced through the software supply chain.
A09:2021 – Security Logging and Monitoring Failures
Previously called “Insufficient Logging and Monitoring,” this category now includes additional risks. Logging and monitoring exist to detect, escalate, and respond to active security breaches. Problems arise when, for example, errors produce no log messages or only inadequate ones, when logs are kept only locally, or when alerting thresholds and escalation processes are ineffectively defined.
A10:2021 – Server-Side Request Forgery (SSRF)
Server-side request forgery (SSRF) occurs when a web application fetches a remote resource without validating the user-supplied URL. This creates the risk that cybercriminals abuse the affected application to send specially crafted requests to unexpected destinations, which can give attackers access to sensitive information or even allow remote code execution. The server itself, the connected network, and external third parties are all exposed to SSRF.
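A defensive check for the validation step described above, as an added example (not code from OWASP or the original page): it accepts only http(s) URLs whose host is, or resolves only to, a public IP address, so a server-side fetch cannot be pointed at loopback, private or link-local destinations. The `FAKE_DNS` table and `fake_resolver` are constructed so the example runs offline; in production the default `resolve_host` is used.

```python
import ipaddress
import socket
from typing import Dict, List, Tuple
from urllib.parse import urlparse
ALLOWED_SCHEMES = {"http", "https"}

def is_public_address(ip: str) -> bool:
    """True only for globally routable addresses (IPv4 or IPv6)."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)

def resolve_host(host: str, port: int) -> List[str]:
    """Default resolver: every address the OS returns for host (A and AAAA)."""
    return [i[4][0] for i in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)]

def validate_fetch_url(url: str, resolver=resolve_host) -> Tuple[bool, str]:
    """Allow only http(s) URLs whose host is, or resolves only to, a public IP.
    Fetch from the checked IP afterwards; re-resolving the name reopens a DNS-rebinding window."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials embedded in URL"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port or (443 if parsed.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port"
    try:
        ipaddress.ip_address(host)      # bare IP literal: check it as-is
        addrs = [host]
    except ValueError:                  # hostname: check every address it resolves to
        try:
            addrs = resolver(host, port)
        except OSError:                 # socket.gaierror is a subclass of OSError
            return False, f"{host} does not resolve"
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"

# Constructed DNS table so the example runs offline; these are not real records.
FAKE_DNS: Dict[str, List[str]] = {"example.com": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}

def fake_resolver(host: str, port: int) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return FAKE_DNS[host]
```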