OWASP Report

Web application security is a key concern for any organization that develops or uses web applications. The software security community created the Open Web Application Security Project (OWASP)  to help educate developers and security professionals on the latest web application security risks. This report provides organizations the ability to monitor web applications by identifying the top 10 most critical web application security risks as described in the OWASP Application Security Risks document. 

The OWASP Top 10 Application Security Risks document outlines several different categories of web-based security concerns, such as Cross-Site Scripting attacks (XSS), security misconfigurations, and sensitive data exposure. OWASP’s focus is to reduce risk across the most vulnerable business assets across the internet. Following these guidelines empowers organizations to reduce risk of organizational and consumer data theft.

Administrators need to ensure that their organization is not vulnerable to any of the attacks identified by OWASP. Compliance related issues, such as known vulnerable components and insufficient logging, are important to eliminate gaps in an organization’s security that are not directly tied to exploitable attacks.

The report begins with a summary of vulnerabilities displayed for each category and plugin family. Following the widget are ten sections, one for each OWASP category. The data is displayed in the Asset Summary table, which provides a summary of assets vulnerable to the category. The summary table is followed by a detailed list of the assets with these concerns along with key attributes for the asset and a list of related vulnerabilities. The information guides organizations on the actions to mitigate business risk through strong security practices. The requirements for this report are Tenable Web App Security.

By default, this report has the most current OWASP Chapter, in this case from 2021. Organizations that want to see data based on an older OWASP year, can select the appropriate chapter from the Chapter Library when creating the report.

Sections

A1 - Broken Access Control – Application functions related to authentication and session management are often implemented incorrectly. Attackers exploit these weaknesses to compromise passwords, keys, session tokens, or to exploit other implementation flaws, enabling the attackers to assume other users’ identities. This section displays information directly related to authentication risks.

Displayed in this section is the OWASP 2021 A1 Asset Summary table, providing a summary of assets with broken authentication. The summary table is followed by a detailed list of the assets with these concerns along with key attributes for the asset and a list of related vulnerabilities.

A2 - Cryptographic Failures – Many web applications do not have strong controls to protect sensitive data, such as credit cards, Social Security Numbers (SSNs), and authentication credentials, with strong encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes. In addition, applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic or use SSL/TLS key exchanges that are cryptographically weaker than recommended. Key exchanges must be recommended by IANA and must provide at least 224 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges. This section displays information directly related to risks of cryptographic failures.

Displayed in this section is the OWASP 2021 A2 Asset Summary table, providing a summary of assets with cryptographic risks. The summary table is followed by a detailed list of the assets with these concerns along with key attributes for the asset and a list of related vulnerabilities.

A3 – Injection – Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data. This section displays information directly related to risks from injection flaws.

Displayed in this section is the OWASP 2021 A3 Asset Summary table, providing a summary of assets vulnerable to injection flaws. The summary table is followed by a detailed list of the assets with these concerns along with key attributes for the asset and a list of related vulnerabilities.

A4 - Insecure Design – Many web applications do not properly protect sensitive data, such as credit cards, Social Security Numbers (SSNs), and authentication credentials, with appropriate encryption or hashing. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes. By injecting a specific request and using various protocols, such as HTTPS or the attackers can exploit weaknesses to gain access to sensitive data, or perform remote code execution in the target environment. This section displays information directly related to risks posed by insecure software architecture.

Displayed in this section is the OWASP 2021 A4 Asset Summary table, providing a summary of assets with software design risks. The summary table is followed by a detailed list of the assets with these concerns along with key attributes for the asset and a list of related vulnerabilities.

A5 - Security Misconfiguration – An effective security program requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. All these settings need to be defined, implemented, and maintained as many are not shipped with secure defaults. Administrator and user activity over time degrades security configuration controls, if the system is not maintained properly by keeping all software up to date, including all code libraries used by the application. This section displays information directly related to configuration risks.

Displayed in this section is the OWASP 2021 A5 Asset Summary table, providing a summary of assets with security misconfigurations. The summary table is followed by a detailed list of the assets with these concerns along with key attributes for the asset and a list of related vulnerabilities.

A6 - Vulnerable and Outdated Components – Components, such as libraries, frameworks, and other software modules, often run with full privileges. Determining if a component has a vulnerability can be difficult, unless there has been widespread reporting of the component being actively exploited, as there was for the log4j vulnerabilities. Exploitation of a widely used component can lead to serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. This section displays information directly related to risks of outdated components.

Displayed in this section is the OWASP 2021 A6 Asset Summary table, providing a summary of assets with outdated components. The summary table is followed by a detailed list of the assets with these concerns along with key attributes for the asset and a list of related vulnerabilities.

A7 - Identification and Authentication Failures – Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. This section displays information directly related to authentication risks.

Displayed in this section is the OWASP 2021 A7 Asset Summary table, providing a summary of assets with authentication risks. The summary table is followed by a detailed list of the assets with these concerns along with key attributes for the asset and a list of related vulnerabilities.

A8 - Software and Data Integrity Failures – Vulnerabilities in the software supply chain have led to significant attacks in recent years. Third party software libraries that are embedded in applications can put an organization at risk. The more pervasive the library, the more likely there will be attempts to exploit it. Vulnerabilities in Log4j, a Java logging library used by hundreds of applications and services, is a prime example of how much impact one library can have. Exploitation of a widely used component can lead to serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. This section displays information directly related to these risks.

Displayed in this section is the OWASP 2021 A8 Asset Summary table, providing a summary of assets with data integrity risks. The summary table is followed by a detailed list of the assets with these concerns along with key attributes for the asset and a list of related vulnerabilities.

A9 - Security Logging and Monitoring Failures – Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to advance attacks, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. This section displays information directly related to security logging and monitoring risks.

Displayed in this section is the OWASP 2021 A9 Asset Summary table, providing a summary of assets with security logging and monitoring risks. The summary table is followed by a detailed list of the assets with these concerns along with key attributes for the asset and a list of related vulnerabilities.

A10 - Server-Side Request Forgery – Web applications often rely on network requests to query external resources and retrieve data in order to process it. Server-Side Request Forgery (SSRF) vulnerabilities occur when an attacker is able to control these outbound requests and send it to a resource controlled by the attacker, to the localhost itself, or to a private host in the target application internal network. This section displays information directly related to SSRF risks.

Displayed in this section is the OWASP 2021 A10 Asset Summary table, providing a summary of assets with SSRF risks. The summary table is followed by a detailed list of the assets with these concerns along with key attributes for the asset and a list of related vulnerabilities.