Cyber

Public
School

CYBER PUBLIC SCHOOL

OWASP Top 10
Vulnerabilities in 2024

https://cyberpublicschool.com
 OWASP Top 10
Vulnerabilities in
2024

CYBER PUBLIC SCHOOL

https://cyberpublicschool.com 2 >
 Open Web Application Security Project, or OWASP, is a non-
profit global foundation that performs extensive research to
find dangerous security threats to help organizations improve
web application security. Through their platform, they provide a
lot of tools, open-source programs, techniques, research, and
conferences to help developers improve cloud application
security.

The main motive of OWASP is to make their research free and

accessible to everyone. OWASP was founded on 9th September
2001 by Mark Curphey, a cybersecurity enthusiast who wanted
to control the rise of cyberattacks. This non-profit foundation is
backed by thousands of reputed web security individuals, and
that is why it is considered an important source when it comes
to cloud application and API security guidance.

OWASP Top 10 CYBER PUBLIC

is a primary SCHOOL
project conducted by this
organization, and it basically acts as an awareness document
that lists the top ten web application vulnerabilities that can
cause significant breaches. The list offers not only a list of top
potential threats but also ways to solve them. Every year,
OWASP revises the lists accordingly and comes up with new top
ten web application vulnerabilities that are most common and
have the maximum impact.

The list is designed by the most trusted security vendors,

teams, and consultants from various organizations, and they
focus only on major security risks that hamper a web
application.

https://cyberpublicschool.com 3 >
 For the last many years, it has been considered as the primary
guide for best security practices to secure web applications.

OWASP Top 10 Vulnerabilities

CYBER PUBLIC SCHOOL

https://cyberpublicschool.com 4 >
 For the year 2024, OWASP has come up with a new list of the
top 10 vulnerabilities where they have listed the most impactful
security threats to cloud applications. The vulnerabilities have
been ranked according to their impact and number of
occurrences. So here are OWASP’s top 10 vulnerabilities that
every developer and web security team should be aware of;

• Broken access control.

• Cryptographic failures.
• Injection.
• Insecure design.
• Security misconfiguration.
• Vulnerable and outdated components.
• Identification and authentication failures.
• Software and data integrity failures.
• Security logging and monitoring failures.
• CYBER
Server-side request PUBLIC SCHOOL
forgery.

https://cyberpublicschool.com 5 >
 Let’s take a look at all these OWASP top 10 vulnerabilities in
detail;

1. Broken Access Control

Broken access control is the most common and dangerous
security risk web applications face. Almost 94% of web
applications have some form of broken access control, and this
weakness has allowed many attackers to exploit it. Developers
apply access control to web applications which limits users to
access only those data and pages that are needed.

However, failure to deploy access control efficiently leads to

unauthorized access, leading attackers to perform data
modification and information disclosure. Around 34 CWEs
related to broken access control have hampered web
application security more than any other. A convenient way to
CYBER PUBLIC
mitigate this vulnerability SCHOOL
is by building robust access control
with role-based authentication and deploying a least-privileged
approach.

https://cyberpublicschool.com 6 >
 2. Cryptographic Failure
It was previously known as Sensitive Data Exposure, and this
vulnerability refers to a failure in cryptography that leads to
sensitive data exposure. Lack of use of cryptography and
various encryption for essential data leads to exposure and
allows attackers to get hold of them.

Vital data like business secrets, card information, health

records, and personal information that are moving or at rest
require special protection, especially when they fall under
CCPA, GDPR, or PCI-DSS. When these data are stored with poor
key management, like outdated keys, or without the latest
cryptographic algorithm, then it leads to a vulnerability that
exposes the data. The best way to solve it is by encrypting all
the data in transit and also the data at rest through encrypted
algorithms and protocols.
CYBER PUBLIC SCHOOL
There are two types of data:

• Stored data – data at rest

• Transmitted data – data that is transmitted internally
between servers, or to web browsers

3. Injection
Injection is the second most occurring vulnerability that affects
many web applications, and it leads to service denial, data
theft, data loss, and other forms of attacks. According to market
research, 94% of web applications in the last year have been
affected by some form of injection.

https://cyberpublicschool.com 7 >
 Through this vulnerability, the attackers could inject malicious
data, queries, or commands into the interpreter, which
compelled it to take undesignated actions like providing data
access without authentication. SQL and XSS are the most
common and dangerous injection attacks. Using intrusion
detection systems, safe API, and server-side input validation
helps developers tackle this vulnerability.
String query = “SELECT * FROM accounts WHERE custID = ‘” +
request.getParameter(“id”) + “‘”;
4. Insecure Design
It tells you about the vulnerability that often arises due to
implementing ineffective control design, which ultimately leads
to different vulnerabilities. Insecure design is a broad term that
covers a lot of flaws and primarily refers to the security gaps in
the design.
CYBER
This vulnerability guidesPUBLIC
developersSCHOOL
to build a secured
application and also decide the level of security before starting
the development because it will help prevent poor security
control. Implementing robust security practices, utilizing secure
design patterns, and integrating security rights in the SDLC
stage is a better way to ensure a secure design. Threat
modeling for various features is also essential to avoid this
vulnerability.
5. Security Misconfiguration
According to research conducted by OWASP, 90% of native
cloud applications are plagued by security misconfiguration,
even though organizations are focusing more on highly

https://cyberpublicschool.com 8 >
 configured software. Security misconfiguration occurs mainly
due to inaccurately configuring the security controls, and it puts
the whole system at risk.

Security misconfiguration also occurs when the developers go

for default settings, enable unnecessary features, provide
access to cloud storage, and misconfigure HTTP headers. This
vulnerability can occur on any layer of the application stack or
cloud infrastructure and cause exposure of vital data. You can
mitigate this vulnerability by strengthening the app security,
regularly updating the security configuration, and using
preconfigured templates.

6. Vulnerable and Outdated Components

Many modern cloud applications utilize open-source
components like frameworks and libraries for seamless
operation. If anyCYBER PUBLICused
of the components SCHOOL
during development
are outdated or have known vulnerabilities, it become
vulnerable to attack, compromising the security of the whole
system.

Even though this use of components with known vulnerability

doesn’t pose a considerable threat like others, it serves as the
number one cause for the primary reason of the actual breach.
Thus it becomes imperative for developers to maintain a list of
component versions being used and continuously scan all the
core components for any vulnerability. Removing unused and
outdated components also serves as an effective solution.

https://cyberpublicschool.com 9 >
 7. Identification and Authentication Failure
Identification and authentication failure is a widespread
vulnerability in web applications, and it poses a severe threat to
the resources as well as assets associated with the network.
When the web application incorrectly executes any function of
user authentication or session management, it allows malicious
personnel to compromise keys, passwords, and session tokens.

It also allows attackers to exploit permission and assume the

identity of other users either permanently or temporarily.
However, this vulnerability can be easily avoided if you
implement multi-factor authentication or utilize a firm
password policy. Avoiding the use of default credentials is also
an excellent way to mitigate this vulnerability.

8. Software and Data Integrity Failure

CYBER
This vulnerability PUBLIC threat
is a significant SCHOOL to modern web
application security that OWASP wants every developer to be
aware of. When the integrity of critical data, software updates,
installed packers, and CI/CD pipelines are not verified, it can
lead to software and data integrity failures.
This vulnerability mainly occurs in cloud applications utilizing
plugins, modules, or libraries from untrusted sources or CDNs.
Auto updates in many applications without integrity checks also
lead to a vulnerability where attackers can deploy their own
updates across the system. Checking the legitimacy of software
and data along with sources through digital signatures can help
in curbing the security issue. Your application should only use
libraries and modules from trusted repositories.
https://cyberpublicschool.com 10 >
 9. Security Logging and Monitoring Features
This top 10 OWASP vulnerability tells you about the inability of
cloud applications to identify and respond to security risks.
According to reports from IT Governance, it takes around 200
days on average for attack detection, and this colossal time
frame allows attackers to exploit the system.

When monitoring of log activities is not done correctly,

dangerous activities are overlooked, and it ultimately leads to
this vulnerability. Using automated audit and logging software
enabling the system for instant detection will be helpful in
solving this risk. Security controls should be implemented to
prevent tampering.

10 Server-Side Request Forgery

The server-side request forgery, also known as SSRF, is another
CYBER
severe vulnerability PUBLIC
that occurs when SCHOOL
cloud applications access
data from remote resources without validating the supplied
URL.

The attacker has the ability to send a tweaked request to an

unexpected destination, even if the application is protected by
a firewall or VPN. The best way to mitigate this vulnerability is
implementing user-input sanitization and validation and
blocking malicious incoming traffic using strict policies.

https://cyberpublicschool.com 11 >
 Contacts us
https://cyberpublicschool.com/

https://www.instagram.com/cyberpublicschool/

Phone no.: +91 9631750498 India

+91 73047 08634

CYBER PUBLIC SCHOOL

Our Successful Oscp Student.

https://cyberpublicschool.com 12