Let’s discuss OWASP’s new Top 10 for 2021. We will cover every vulnerability in the list and I will share some practice labs too!

Introduction

Recently OWASP published a new Top 10 list of common web app vulnerabilities:

Source: https://owasp.org/Top10/

This list is quite different from the 2017 list, with a few new additions, and some categories got merged into a bigger category to reflect the root cause instead of the symptoms. Take Sensitive Data Exposure, for instance, which was a symptom, while Cryptographic Failures is the root cause. And I feel this is really good!

In this series of posts, I will cover all 10 issues. Some are old, but since we didn’t have blogs on them, I will touch upon those, giving an overview on…


Let me brief you about the recent happenings from the cloud world and beyond!

Introduction

Gone are the days when we used to own servers, or even rent them for our needs, and then do scaling and other stuff manually. Now it’s all about cloud: AWS, GCP, Azure (and maybe even Oracle). It provides all the features that you might want, in a single place. Pay as you go and you get a lot of benefits: no headache of managing the infra, and if things go wrong, cloud providers provide you the patches. If your workloads increase, you can get the…


Let’s briefly discuss ChaosDB, which has been a recent highlight in the cloud world.

Introduction

Gone are the days when we used to own servers, or even rent them for our needs, and then do scaling and other stuff manually. Now it’s all about cloud: AWS, GCP, Azure (and maybe even Oracle). It provides all the features that you might want, in a single place. Pay as you go and you get a lot of benefits: no headache of managing the infra, and if things go wrong, cloud providers provide you the patches. If your workloads increase, you can get the instances auto-scaled to serve the increased load. All seems perfect.

But what happens if…


Let’s discuss the #10 vulnerability in the OWASP Top 10 2021 list…

Introduction

This is another new member of the OWASP Top 10 list and was added based on the industry survey, where professionals rate how important it is, even though the data points are still not able to show this.

By the way, if you are interested in how OWASP conducts its study and selects these top 10 vulnerabilities, then surely check out this post, which covers the complete process in detail.

Now back to the discussion…

Server-Side Request Forgery

If an attacker can make the server issue (typically HTTP) requests on their behalf, then that’s SSRF.

Therefore, an attacker can get access to internal services or…


Let’s discuss the #8 vulnerability in the OWASP Top 10 2021 list…

Introduction

We consume a variety of software and data from different sources, and it must be obvious that not all of it gets vetted by us; that would definitely be insane at the very least. But how sure are you about the integrity of the apps or data that you are consuming?

Is the latest VS Code package (or any other app you use) you downloaded safe?


Is the data that you are getting in the messaging app or your email client legit? Do you trust it?


Let’s discuss the #9 vulnerability in the OWASP Top 10 2021 list…

Introduction

How many times have you faced some issue or were performing incident response but were not able to track things due to missing logs and no monitoring at all?

This is one of the issues that is also in the API Security Top 10. It was previously at #10 in the OWASP 2017 Top 10 list and has been promoted to #9. In that list, it was named Insufficient Logging & Monitoring, but since the scope of things covered increased, a revised name has been assigned to it.

Security Logging and Monitoring Failures

There is no direct vulnerability that can arise due to these issues but…


Let’s discuss the #7 vulnerability in the OWASP Top 10 2021 list…

Introduction

Authentication and Authorization are the 2 areas where most APIs suffer! If you look at OWASP’s API Security Top 10 list, the top 6 vulnerabilities are all due to broken Authentication or Authorization.

The situation is the same for web apps too: Access controls are not implemented properly in a lot of cases, and that’s why Broken Access Control is in the first position. Even Authentication issues are at #7. …


Let’s discuss the #2 vulnerability in the OWASP Top 10 2021 list…

Introduction

I am sure you must have heard a lot about “not rolling your own crypto”, so much that it has become a cliché. But of course it’s so true. If you are not into crypto, then chances are that you don’t understand some constructs, which have been well thought through by some of the great minds.

Maybe you have built this crazy scheme that looks damn too secure to be broken, but chances are that it’s just a matter of time before your scheme gets broken, because if you don’t have a good enough understanding of crypto and don’t know what…


Let’s discuss the #4 vulnerability in the OWASP Top 10 2021 list…

Introduction

Planning is the most important part, not just in our lives and work but also in software design. Before you undertake a big project, I am sure there must be a requirements document based on which you start to conceptualize things and plan them before writing the code.

Now as they say: a house with a weak foundation is also weak and cannot withstand adverse conditions. …


Let’s discuss the #5 vulnerability in the OWASP Top 10 2021 list…

Introduction

I am sure if you have designed or audited software and services, you would understand how easy it is to have a misconfiguration in place. These issues are prevalent, and the fact that it’s in the top 5 really backs this statement.

The chances of having a misconfiguration are directly dependent on the number of possible ways you can mess up — the more dials and knobs the service/app gives you, the more chances there are to mess up. And if these dials and knobs, when used incorrectly, lead to security issues, the impact can be more pronounced.


The simplest example would…

Shivam Bathla

Security Researcher @ Pentester Academy, https://www.linkedin.com/in/shivambathla
