OWASPpaper

The document discusses the OWASP Top 10, a critical list of web application security vulnerabilities that serves as a guide for developers, security professionals, and organizations to enhance their defenses against cyber threats. It highlights various vulnerabilities such as Broken Access Control, Cryptographic Failure, and Injections, along with mitigation strategies to prevent potential attacks. The research emphasizes the importance of understanding these vulnerabilities to foster a safer digital environment and improve overall web application security.

Uploaded by

Sahar Zehra

OWASP Top 10 2021: A Catalyst for Web Application Security

Anamta Zehra
Department of Computer Science and Engineering
Lovely Professional University
Phagwara, India
[email protected]

Harpreet Kaur
Department of Computer Science and Engineering
Lovely Professional University
Phagwara, India
[email protected]

Abstract— Web applications have become a crucial part of our daily lives. From net banking to social media and even simple communication, these applications are continuously developing and growing in popularity. However, this extensive use also increases the potential for security vulnerabilities. Web application attacks are becoming progressively more common, and any change made to an application's structure can introduce new weaknesses. These loopholes can be exploited by attackers, potentially leading to data breaches that can be disastrous for organizations. To address this problem efficiently, it is critical for developers to understand the common security vulnerabilities that plague web applications and how to mitigate them. This research mainly aims to provide an in-depth understanding of the OWASP Top 10. It provides a deep dive into the main real-world security threats faced by web applications. We will examine these threats in detail. They include Broken Access Control, Cryptographic Failure, Injections, Server-Side Request Forgery, and so on.

Keywords— OWASP, web application, security, vulnerabilities, attacks, cyber threats

I. INTRODUCTION

The Internet plays a vital role in today's era. Everyone and everything is somehow connected through the Internet, and websites and web applications are a massive part of it. Web applications and websites have become a crucial part of our lives, integral to everything from online banking and social media to e-commerce and messaging or chat applications. But this also creates an extensive attack surface for malicious actors. Data breaches revealing sensitive information, identity theft leading to financial devastation, and system disruptions crippling critical operations – these are just some of the potential consequences of the vulnerabilities that can be found in web applications [16]. These cyber threats are solely responsible for several IT hurdles. The Open Web Application Security Project Foundation, a non-profit organization, works on this problem. It is responsible for issuing a list of the top web application vulnerabilities, known as the OWASP Top 10. The OWASP Top 10 is a cornerstone of web application security. The list offers a critical framework to reduce and mitigate the most prevalent vulnerabilities. By working through the risks the project identifies, organizations establish an adaptable foundation for their defenses. However, the ever-changing threat landscape requires constant vigilance [16].

The ever-growing complexity of cyberattacks demands a hands-on approach to web application security. Here, the OWASP Top 10 stands as a beacon, guiding developers, security professionals, and business organizations towards a better and safer digital environment. Compiled by the Open Web Application Security Project (OWASP), a well-known community of security experts, the OWASP Top 10 is a constantly evolving document that identifies the most critical web application security risks [16]. This study digs into this essential list, providing a comprehensive analysis of each vulnerability within the OWASP Top 10. It explores the technical details of each risk, examines its probable impact on applications and user data, and, most importantly, outlines practical mitigation strategies that can be applied to fortify defenses [20].

Figure 1: OWASP stakeholders

Background

As per the official OWASP site, the OWASP Top 10 for web applications is updated regularly, every three to four years, by the Open Web Application Security Project Foundation. It is an online community that was originally founded on 1st December 2001. It was initiated by Mark Curphey, and other volunteers such as Jeff Williams and Matt Konda then continued the journey. OWASP works towards the vision "No more insecure software", and its mission is "To be the global open community that powers secure software through education, tools, and collaboration." But even with all these precautions, there is no guarantee of 100% security in online resources [2]. There is no doubt that the OWASP Foundation has played, and is playing, a vital role in providing dedicated professionals and protocols for web application security. Engineering teams and security professionals focus primarily on finding the best possible security measures for web applications. Although it all started for penetration testing purposes, OWASP has grown considerably over time [2].

Understanding OWASP Top 10 for different stakeholders:

Developers: By considering the most prevalent vulnerabilities, developers can integrate secure coding practices from the very first stage of the software development lifecycle (SDLC). This proactive approach reduces the risk of introducing vulnerabilities in the first place.

Security Professionals: The OWASP Top 10 serves as a dedicated tool for cyber security professionals during the VAPT process, that is, vulnerability assessment and penetration testing. By concentrating on the most serious risks, they can focus their testing efforts and recognize possible exploits more effectively.

Organizations: Organizations can use the OWASP Top 10 to establish robust security policies and procedures. Integrating these risk categories into their development and security procedures nurtures a culture of security awareness and proactive mitigation.

II. OWASP TOP 10

Figure 2 showing list of OWASP Top 10 for Web Application

A. Broken Access Control

When a program or system fails to limit users' access to data and related resources, it exposes itself to a vulnerability known as Broken Access Control. In short, it occurs when weak security policies grant an unauthorized user the permissions or abilities of an authorized user [9]. A user should be permitted only limited access to resources; otherwise, knowingly or unknowingly, the application enables cyber criminals to gain unauthorized access to crucial web functionality or data resources. The attacker may then use the information for personal benefit, jeopardizing the security of the web application and system [1]. Popular techniques for exploiting these vulnerabilities include exploiting hidden content and URL paths, IDOR (Insecure Direct Object References), exploiting endpoints, and elevation of user privilege [2]. According to a study of 330 web applications, of which 129 were vulnerable to broken access control and the remainder were not, the main reason for Broken Access Control exploitation is operating systems and platforms. The study observed that ".net"-based web applications are the most likely to be vulnerable to BAC, at 68%. Java- and PHP-based web applications are affected by Broken Access Control at 15–16%. Operating systems such as UNIX and Windows hold 25.58% and 23.26% respectively in the list [13]. In short, web applications with session misconfigurations, sensitive disclosure, and improper input validation are more likely to be affected by the Broken Access Control vulnerability [8] [3].

B. Cryptographic Failure

In the era of the Internet and high-end technology, crucial information flows regularly from one end to another, and cryptography works as a protective shield. It is a mechanism for converting plain text into cipher text [5], a process that also requires a secret key. The conversion from plain text to cipher text is known as encryption, and the reverse operation is known as decryption [8]. Since both encryption and decryption use common methodologies to perform their tasks, these technologies have their own flaws and loopholes. These lead to weaknesses in cryptography known as cryptographic failures. Such failures occur when mistakes are made while implementing cryptography [20][8].

In other words, cryptography is the discipline of keeping data and information secure and private against attacks that target cryptographic techniques. Cryptographic Failure is therefore a term that covers a larger group of loopholes and vulnerabilities that are related to cryptographic techniques [6]. There are two main causes of cryptographic failure: the use of weak cipher algorithms, and the production of crackable password hashes [8].

Figure 3: MITM attack for Cryptographic Failure

There is no point in mounting a man-in-the-middle attack if the data being transferred from one end to another is encrypted, because the data is inaccessible without a valid and legitimate key, which is needed for decryption. But there are various techniques to bypass this protection [8]. Synack's example is a banking website that uses HTTP instead of HTTPS, even though HTTPS is more secure and encrypts the data [21]. Apart from that, the most typical cryptographic failure to date is the setting of weak passwords. Such practices do not adhere to security policies, and result in cryptographic failure. It needs hardly more than a list of commonly used passwords to crack the hashes and decrypt the programs [5]. That is why it is necessary to examine each password during encryption and decryption against well-known wordlists such as rainbow tables or rockyou.txt [6].

C. Injections

In cybersecurity, there are various injection attacks that exploit vulnerabilities within software applications. These vulnerabilities arise from the improper handling of user-supplied data. When an application fails to adequately filter, sanitize, or validate this data, it becomes vulnerable to manipulation. Malicious threat actors can then inject unauthorized instructions, often disguised as genuine input, into the application's internal commands. These injected commands trick the application's interpreter, the program responsible for processing commands, into executing unintended and potentially harmful actions [6][23]. An attacker can supply malicious code that, when injected into the user input, modifies the original command issued by the application [6].

The exact type of injection attack depends on the nature of the interpreter being targeted. SQL injection attacks manipulate database queries, while Cross-Site Scripting (XSS) attacks inject malicious scripts into web pages [21]. Remote Code Execution (RCE) attacks allow attackers to run their own programs on the vulnerable system. Operating System (OS) command injection attacks, as the name suggests, give attackers the ability to execute arbitrary operating system commands [6]. By carefully validating and filtering user input before it is integrated into internal commands, developers can significantly reduce the risk of injection attacks and protect the integrity of their applications [23].

D. Insecure Design

The ever-growing dependence on web applications in our everyday lives demands continuous vigilance when it comes to security. One often-overlooked threat lies within the design and development process itself: "Insecure Design". This is not a single, easily repaired error, but rather a broad group of vulnerabilities woven into the very fabric of an application [1][2]. Imagine building a house without a proper lock on the front door – that is the kind of danger insecure design poses to web applications. Insecure design allows attackers to exploit weaknesses in an application, possibly gaining unauthorized access, stealing sensitive data, or disrupting critical functionality [6]. Unlike specific coding errors that can be fixed with a patch, insecure design flaws are often deeply embedded and difficult to detect. This can leave the application vulnerable for prolonged periods, making it a prime target for attackers [2]. Insecure design can also open the door to numerous attacks, from code injection, where malicious code is injected into the application, to broken access control, where unauthorized users gain access to restricted resources [1].

To avoid these problems, developers and security professionals must work hard and smart from the very beginning. By actively identifying potential security threats and developing the application with these threats in mind, developers can build in protections from the start. Fundamentally, this involves anticipating how attackers might exploit vulnerabilities and taking steps to stop those vulnerabilities [2] [11].

E. Security Misconfiguration

In the ever-expanding digital world, web applications have become the cornerstone of countless processes, from net banking and well-known social media applications to e-commerce websites and common communication platforms. However, with this increasing dependence comes a hidden danger: "Security Misconfiguration". Several studies highlight that even small, basic misconfigurations of these applications can create critical loopholes and weaknesses for attackers to exploit [17]. Security misconfiguration is not a hypothetical threat; it is a real, well-known and present danger that regularly ranks on the OWASP Top 10 list of web application security risks [20] [21] [24].

By following OWASP strategies, organizations can systematically identify and address security misconfigurations before they become a serious issue. Penetration testing, also known as pen testing, involves simulating an attacker's methods to identify weaknesses in a system's security [11] [15]. OWASP ZAP is a common tool used for grey-box penetration testing. This kind of testing involves having some information about the application's internal mechanisms, which allows a more targeted and efficient approach to recognizing security misconfigurations. By using tools like OWASP ZAP, organizations can gain valuable insights into the security posture of their web applications and take corrective measures to address any identified misconfigurations [24]. Remember, a secure web application is the foundation of a secure digital ecosystem, nurturing trust and confidence for users and organizations alike [20] [21].

F. Vulnerable and Outdated Components

Imagine constructing a building, but instead of using solid red bricks and secure locks, one relies on outdated components with well-known flaws – an old doorknob, a broken window pane. This is precisely the situation with vulnerable and outdated components in web applications [6]. These components, often in the form of libraries or frameworks, act as building blocks for modern applications. However, when they contain security flaws, they become ticking time bombs waiting to be exploited by cyber threat actors (also known as hackers) [1]. Moreover, if developers do not fully understand the security implications of the components they use, they might unknowingly introduce vulnerabilities into their applications [2].

These vulnerabilities are like cracks in a dam, allowing attackers to launch various attacks. They can gain unauthorized access to the system, obtain sensitive data such as passwords or login credentials, and even disrupt critical functionality. The added complexity of web applications steadily compounds the problem [21]. Modern applications are built from a multitude of components, such as frameworks, plugins, libraries, functions, APIs and other software packages [1] [2]. Keeping these components trustworthy by keeping them up to date is crucial. Frequently check for updates and patches from the module developers and apply them promptly. This ensures users benefit from the latest security fixes [6].

G. Identification and Authentication Failure

Identification and authentication failures happen when an application or system fails to properly establish a user's identity and access rights. This weakness creates openings for attackers to launch various attacks, potentially gaining unauthorized access to systems and stealing sensitive information [1]. Attackers can exploit these weaknesses through various methods, including brute-force attacks (repeatedly trying different login combinations), session hijacking (stealing a user's active session), cracking hashed passwords (decrypting stored passwords), and proxy-based attacks (using intermediate servers to hide their location) [2].

Fortunately, there are steps one can take to mitigate these risks. Enforcing complex passwords, limiting the number of login attempts, implementing multi-factor authentication, clearly defining user roles and permissions, requiring HTTPS connections, and using virtual private networks (VPNs) are all critical security practices [2]. A lack of awareness of security threats, underestimating the risks involved, or simple negligence can all contribute to authentication failure [6]. These failures can be exploited through various methods, such as manipulating existing login forms, tampering with URL parameters, or even impersonating existing user sessions to trick the application into thinking a user is already authenticated [6].

H. Software and Data Integrity Failure

Think of a system in which data and software are the bricks of a building. Software and Data Integrity Failures are loopholes and weak points that create openings, allowing attackers to tamper with these bricks [1]. This could include unauthorized modification, loss, or even injection of malicious code. These failures often stem from vulnerabilities in the system's foundation [2]. For example, applications might rely on untrusted websites for updates or code libraries. Attackers can exploit such vulnerabilities to introduce hidden threats that change how the system works or manipulate the data it supplies [20]. The consequences can be severe. Attackers can steal sensitive information, disrupt operations, or gain unauthorized control [6].

I. Security Logging and Monitoring

Security logging and monitoring act as vigilant guards for the system. They continuously track activity, recording events and changes within the software and data [1]. This observation helps identify suspicious behavior that might indicate an attack. Think of security logs as a comprehensive journal of everything happening within the system [2]. By examining these logs, security professionals can notice patterns or anomalies that suggest unauthorized access or tampering [6]. Moreover, monitoring tools provide real-time insights into system health, allowing a quick response to potential threats. Effective logging and monitoring are critical for maintaining a strong security posture [21][6]. They act as early warning systems, helping to identify and address issues before they escalate into major breaches.

J. Server-Side Request Forgery

Server-Side Request Forgery (SSRF) is a security weakness found in web applications. It allows attackers to manipulate the application's backend into making unintended requests to other servers. These servers can be internal, residing on the same network as the application, or external, controlled by the attacker themselves [22]. This can be a serious issue, as it gives attackers access beyond what the application was intended to provide. Imagine a web application that lets users check the live stock of products by supplying a URL. An SSRF vulnerability could let an attacker inject a malicious URL instead. This malicious URL might target an internal server that stores sensitive customer data. By tricking the application into retrieving the information from this internal server, the attacker could gain unauthorized access to that data [7][14]. The consequences of a successful SSRF attack can be serious. Attackers might bypass access controls intended to protect sensitive information, steal confidential data, or even disrupt critical business operations by interfering with internal systems. In rare cases, SSRF vulnerabilities can be exploited to execute arbitrary commands on the server, potentially giving attackers complete control over the system and allowing them to launch further attacks from within the network [7].
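The stock-check scenario above can be defended by validating the user-supplied URL before the server fetches it. The following is an added example, not code from the paper: the host name `stock.partner.example`, the allowlists and the DNS answers are assumptions constructed for illustration, and the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}
# Assumption for this example: the stock feature only ever needs this host.
ALLOWED_HOSTS = {"stock.partner.example"}


class BlockedURL(ValueError):
    """The user-supplied URL must not be fetched by the server."""


def system_resolver(host):
    """Resolve a host name to IP address strings with the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_stock_url(url, resolver=system_resolver):
    """Validate a user-supplied stock URL and return (host, port, ip).

    The caller should connect to the returned IP instead of resolving the
    name again, and should refuse HTTP redirects, so the destination cannot
    change between this check and the request.
    """
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except ValueError:
        raise BlockedURL("malformed URL") from None
    if parts.scheme not in ALLOWED_SCHEMES:
        raise BlockedURL("scheme not allowed")
    # "https://trusted@10.0.0.5/" parses with host 10.0.0.5; refuse userinfo.
    if parts.username is not None or parts.password is not None:
        raise BlockedURL("userinfo not allowed")
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise BlockedURL("host not on allowlist")
    if port not in ALLOWED_PORTS:
        raise BlockedURL("port not allowed")
    addresses = resolver(host)
    if not addresses:
        raise BlockedURL("host does not resolve")
    for text in addresses:
        # An allowlisted name can still resolve to an internal address, so
        # every answer must be a public (global) IP.
        if not ipaddress.ip_address(text).is_global:
            raise BlockedURL("resolves to non-public address")
    return host, port, addresses[0]


def verdict(url, resolver):
    """Summarise the decision for one URL as a short string."""
    try:
        host, port, ip = check_stock_url(url, resolver)
    except BlockedURL as exc:
        return f"block: {exc}"
    return f"allow {host} via {ip}:{port}"


def table_resolver(table):
    """Build a resolver backed by a dict, standing in for DNS."""
    return lambda host: table.get(host, [])


# Constructed DNS answers for the demo.
PUBLIC_DNS = table_resolver({"stock.partner.example": ["93.184.216.34"]})
INTERNAL_DNS = table_resolver({"stock.partner.example": ["10.0.0.5"]})

if __name__ == "__main__":
    samples = [
        ("https://stock.partner.example/api/stock?id=42", PUBLIC_DNS),
        ("http://stock.partner.example/api/stock?id=42", PUBLIC_DNS),
        ("https://10.0.0.5/customers", PUBLIC_DNS),
        ("https://stock.partner.example@10.0.0.5/customers", PUBLIC_DNS),
        ("https://stock.partner.example:8443/api/stock", PUBLIC_DNS),
        ("https://stock.partner.example/api/stock?id=42", INTERNAL_DNS),
    ]
    for url, resolver in samples:
        print(f"{verdict(url, resolver):45} {url}")
```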
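For the injection passage in section C, the difference between building a command from user input and binding input as data can be seen with an in-memory SQLite database. This is an added example, not code from the paper; the table, rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build a small in-memory catalogue (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)"
    )
    db.executemany(
        "INSERT INTO products (owner, name) VALUES (?, ?)",
        [("alice", "widget"), ("alice", "o'ring"), ("bob", "prototype")],
    )
    return db


def search_concatenated(db, owner, name):
    """Vulnerable form: user input becomes part of the SQL text itself."""
    sql = (
        "SELECT name FROM products "
        f"WHERE owner = '{owner}' AND name = '{name}' ORDER BY id"
    )
    return [row[0] for row in db.execute(sql)]


def search_parameterized(db, owner, name):
    """Hardened form: the SQL text is fixed; input travels as bound values."""
    sql = "SELECT name FROM products WHERE owner = ? AND name = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (owner, name))]


def outcome(search, owner, name):
    """Run one search on a fresh database; report rows or the SQL error."""
    db = make_db()
    try:
        return search(db, owner, name)
    except sqlite3.Error as exc:
        return f"error: {type(exc).__name__}"
    finally:
        db.close()


# Input that closes the quoted string and appends a condition of its own.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    for label, search in [("concatenated", search_concatenated),
                          ("parameterized", search_parameterized)]:
        print(label)
        print("  normal :", outcome(search, "alice", "widget"))
        print("  quote  :", outcome(search, "alice", "o'ring"))
        print("  crafted:", outcome(search, "alice", CRAFTED))
```

In the concatenated form the interpreter parses the crafted value as SQL and returns every owner's rows, and a harmless apostrophe breaks the query; with bound parameters both inputs are treated as plain strings.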
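Section B names crackable password hashes and checking passwords against common wordlists. The sketch below is an added example, not code from the paper: it rejects listed passwords when they are set and stores the rest with a per-user salt and PBKDF2, next to the unsalted fast hash it replaces. The five-entry list, the round count and the record format are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a common-password wordlist; a real deployment
# would load a full list from disk.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}
PBKDF2_ROUNDS = 200_000  # assumption for the demo; tune to your hardware


def weak_hash(password):
    """Unsalted fast hash: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def is_guessable(password):
    """True if the password appears in the common-password list."""
    return password.lower() in COMMON_PASSWORDS


def make_record(password):
    """Return a storable record: scheme$rounds$salt$digest."""
    if is_guessable(password):
        raise ValueError("password appears in common-password list")
    salt = os.urandom(16)  # fresh salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ROUNDS
    )
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, rounds, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(rounds)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    shared = "correct horse battery staple"
    # Two users who pick the same password.
    print("unsalted equal:", weak_hash(shared) == weak_hash(shared))
    rec_a, rec_b = make_record(shared), make_record(shared)
    print("salted equal  :", rec_a == rec_b)
    print("verify ok     :", verify(shared, rec_a))
    print("verify wrong  :", verify("wrong guess", rec_a))
    try:
        make_record("Password")
    except ValueError as exc:
        print("rejected      :", exc)
```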

III. LITERATURE SURVEY

| S. No. | Authors | Summary | Techniques Used |
|---|---|---|---|
| 1. | O. ben Fredj, et al., 2021 | This paper discusses the importance and usage of web application security and testing. The growth of web apps is tremendous in different business sectors, and so is the necessity of securing them. | It also covers the average running time for web applications that had already been tested but were then exploited. Machine learning is used for all of the above-mentioned tasks. It uses DAST and SAST. |
| 2. | S. K. Lala, 2021 | This paper mainly focuses on the design and development part of a web app security process using Node JavaScript. It is based on the OWASP guidelines and on identifying vulnerabilities through testing. | This paper is referenced for designing and developing a secure web application by following the OWASP guidelines, and for identifying and addressing vulnerabilities such as Broken Access Control, data exposure, XML external entities and so on. |
| 3. | P. Sharma, 2023 | This paper discusses the necessity of web app security and outlines the top three security threats and vulnerabilities as per the OWASP guidelines. | This paper discusses the top 3 vulnerabilities as per the OWASP guidelines. It then presents an analytical study of how the HAITI HHA project mitigates the risks and offers recommendations for vulnerability prevention. |
| 4. | Y. Armando, 2023 | This paper discusses the necessity of web app security and the uses of the OWASP Top 10 framework for web security. | This study uses previous research and study material to identify several vulnerabilities through penetration testing of a specific website, Tangerang City. |
| 5. | IEEE Communications Society, et al., 2022 | This paper suggests that web app security vulnerabilities can lead to several cyber attacks and cyber threats against the user. | The main findings of this paper emphasize the necessity of identifying and addressing vulnerabilities related to web application security; it also highlights the crucial role of the Open Web App Security Project Top 10 list. |

IV. CONCLUSION

The OWASP framework plays a vital role in the critical measurement of security. The OWASP Top 10 web application list was last issued in 2021, and it remains the best guide for developers, security professionals, and organizations as a cornerstone of web application security. Organizations follow this framework to improve their internal and external security. Examining the OWASP Top 10 lists from 2017 and 2021 reveals the dynamic nature of web application security. Both continuity in certain vulnerabilities and recognition of emerging threats underscore the need for security practitioners and organizations to continually adapt their measures.

V. REFERENCES

[1] S. Patil, M. Rao, L. Misal, D. Phaldesai, and K. Shivsharan, “A Review of the OWASP Top 10 Web Application Security Risks and Best Practices for Mitigating These Risks,” in 2023 7th International Conference On Computing, Communication, Control And Automation, ICCUBEA 2023.

[2] T. Petranovic and N. Zaric, “Effectiveness of Using OWASP TOP 10 as AppSec Standard,” in 2023 27th International Conference on Information Technology, IT 2023, Institute of Electrical and Electronics Engineers Inc., 2023.

[3] Vuk. Bevanda and Association of Economists and Managers of the Balkans (Beograd), Recent advances in information technology, tourism, economics, management and agriculture: Fourth International Scientific Conference ITEMA 2020: online-virtual, October 8, 2020. Conference proceedings. Association of Economists and Managers of the Balkans, 2020.

[4] IEEE Communications Society, Global IT Research Institute, and Institute of Electrical and Electronics Engineers, The 24th International Conference on Advanced Communication Technology: conference proceedings: Phoenix Park, Pyeongchang, Korea (South) (on-line conference): Feb. 13-16, 2022.

[5] K. Ranjan and K. Herath, “Cryptographic Issues and Vulnerabilities in Web Applications Specialized in Cyber Security,” 2021.

[6] G. ben Brahim, G. S. Tomar, and Institute of Electrical and Electronics Engineers Saudi Arabia Section, 2022 14th IEEE International Conference on Computational Intelligence and Communication Networks (CICN 2022).

[7] N. Krishnaraj, C. Madaan, S. Awasthi, R. Subramani, H. Avinash, and S. Mukim, “Common vulnerabilities in real world web applications,” 2023.

[8] D. Upadhyay and N. R. Ware, “Evolving Trends in Web Application Vulnerabilities: A Comparative Study of OWASP Top 10 2017 and OWASP Top 10 2021,” International Journal of Engineering Technology and Management Sciences.

[9] P. Sharma, “Securing Your Web Application A Deep Dive into OWASP Top 3 Security Risks,” 2023.

[10] M. Idris, I. Syarif, and I. Winarno, “Web Application Security Education Platform Based on OWASP API Security Project,” EMITTER International Journal of Engineering Technology, pp. 246–261, Dec. 2022.

[11] S. K. Lala, A. Kumar, and T. Subbulakshmi, “Secure web development using OWASP guidelines,” in Proceedings - 5th International Conference on Intelligent Computing and Control Systems, ICICCS 2021, Institute of Electrical and Electronics Engineers Inc., May 2021.

[12] B. Mahesh, D. Upadhyay, and N. R. Ware, “Evolving Trends in Web Application Vulnerabilities: A Comparative Study of OWASP Top 10 2017 and OWASP Top 10 2021,” International Journal of Engineering Technology and Management Sciences, 2023.

[13] M. Maruf Hassan, M. Asraf Ali, T. Bhuiyan, and M. Hasan Sharif, “Quantitative Assessment on Broken Access Control Vulnerability in Web Applications.”

[14] N. Krishnaraj, C. Madaan, S. Awasthi, R. Subramani, H. Avinash, and S. Mukim, “Common vulnerabilities in real world web applications,” 2023.

[15] Y. Armando, “Penetration Testing Tangerang City Web Application With Implementing OWASP Top 10 Web Security Risks Framework,” 2023.

[16] N. Nedeljković, N. Vugdelija, and N. Kojić, “USE OF ‘OWASP TOP 10’ IN WEB APPLICATION SECURITY,” 2020.

[17] O. ben Fredj, O. Cheikhrouhou, M. Krichen, H. Hamam, and A. Derhab, “An OWASP Top Ten Driven Survey on Web Application Protection Methods,” 2021.

[18] F. Faisal and H. T. Elshoush, “Input Validation Vulnerabilities in Web Applications: Systematic Review, Classification, and Analysis of the Current State-of-the-Art,” IEEE Access, 2023.

[19] B. Jabiyev, O. Mirzaei, A. Kharraz, and E. Kirda, “Preventing server-side request forgery attacks,” in Proceedings of the ACM Symposium on Applied Computing, Association for Computing Machinery, Mar. 2021.

[20] “OWASP Top,” Open Web Application Security Project. Available: https://owasp.org/www-project-top-ten.

[21] B. Kang, “Blog: Preventing Cryptographic Failures: The No. 2 Vulnerability in the OWASP Top 10,” April 2022.

[22] P. Kour, “A Study on Cross-Site Request Forgery Attack and its Prevention Measures,” Int. J. Advanced Networking and Applications, pp. 4561–4566, 2020.

[23] P. Wang, X. Zhou, and K. Lu, “Sabotaging the System Boundary: A Study of the Inter-boundary Vulnerability.”

[24] SCAD College of Engineering and Technology and Institute of Electrical and Electronics Engineers, Proceedings of the 4th International Conference on Trends in Electronics and Informatics (ICOEI 2020): 15-17, June 2020.

[25] A. Rai, M. M. I. Miraz, D. Das, H. Kaur, and Swati, “SQL Injection: Classification and Prevention,” in Proceedings of 2021 2nd International Conference on Intelligent Engineering and Management, ICIEM 2021, Institute of Electrical and Electronics Engineers Inc., Apr. 2021.

[26] G. Jayasuryapal, P. M. Pranay, H. Kaur, and Swati, “A Survey on Network Penetration Testing,” in Proceedings of 2021 2nd International Conference on Intelligent Engineering and Management, ICIEM 2021, Institute of Electrical and Electronics Engineers Inc., Apr. 2021.
