
The OWASP Top 10 2021: what has changed in the new version of the ranking?

Every self-respecting developer is certainly familiar with the OWASP — the acronym for the Open Web Application Security Project. As its name suggests, it is an open and global community that aims to promote a more secure web application development ecosystem, providing programmers with educational material, periodic meetings, and useful tools. However, OWASP is better known for its famous and respected Top 10 list.

The OWASP Top 10 can be described as a “ranking” of the most common (and dangerous) vulnerabilities, problems, and bugs in web applications. Although updates are not published on a regular basis, the list nevertheless serves as a guide for developers to know what to focus on when creating and testing their own applications (or for bug bounty hunters and penetration testers who are studying a certain online environment).

The most recent version of the Top 10 list was published in 2017. However, to the surprise of many (as we said, the list is not updated on a regular basis), a new version was published in September 2021. A lot has changed in the OWASP Top 10 2021, and it is very important that these changes are properly analyzed to understand the current vulnerability trends and how to act to make the web a safer place throughout this decade.

Like a game of musical chairs

Overall, updates to the Top 10 list mostly amount to vulnerabilities moving up and down the ranking itself. This year was no different, but three new categories were added, and several others received a much broader description. But, first of all, let's talk about which ones moved up and which went down. Interestingly, the gold medal (A01) went to Broken Access Control, which was in fifth place in the 2017 list.

This category includes any and all bugs that allow breaking user permissions policies, facilitating access to information that should not be accessible to unauthorized people. In total, 94% of the applications tested by OWASP had some flaw in this area. In second place (A02), we have Cryptographic Failures, which moved up one notch compared to 2017. Finally, in third place (A03), we have the Injection category, which was in first place in the previous update. Check out the full list:

  • A01:2021 — Broken Access Control

  • A02:2021 — Cryptographic Failures

  • A03:2021 — Injection

  • A04:2021 — Insecure Design

  • A05:2021 — Security Misconfiguration

  • A06:2021 — Vulnerable and Outdated Components

  • A07:2021 — Identification and Authentication Failures

  • A08:2021 — Software and Data Integrity Failures

  • A09:2021 — Security Logging and Monitoring Failures

  • A10:2021 — Server-Side Request Forgery
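The A01:2021 category described above is easiest to see in code. The following is an added example (not taken from the OWASP documents): a hypothetical "get document" handler with the classic broken-access-control flaw, an insecure direct object reference, next to a hardened version that enforces ownership server-side. The `DOCUMENTS` table and user names are constructed sample data.

```python
# Added illustration of A01:2021 Broken Access Control (not OWASP's own code).
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str

# Constructed sample data standing in for a database table.
DOCUMENTS = {
    1: Document(1, "alice", "alice's payroll summary"),
    2: Document(2, "bob", "bob's medical form"),
}

Response = Tuple[int, Optional[str]]  # (HTTP status, body)

def get_document_vulnerable(session_user: str, doc_id: int) -> Response:
    """Flawed handler: it looks up whatever doc_id the client supplied and
    never asks whether session_user owns that record, so any logged-in
    user can read every document. This is the permission-policy break
    the article describes."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc.body

def get_document_secure(session_user: str, doc_id: int) -> Response:
    """Hardened handler: the authorization decision is made on the server
    against the authenticated identity, not against anything the client
    sent. Deny by default, and return the same 404 for "missing" and
    "not yours" so the endpoint does not reveal which ids exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        return 404, None
    return 200, doc.body

def count_readable(handler: Callable[[str, int], Response], user: str) -> int:
    """Defender's regression check: how many records can `user` read if every
    id in the table is requested? With correct access control the answer
    must equal the number of records the user actually owns."""
    return sum(1 for doc_id in DOCUMENTS if handler(user, doc_id)[0] == 200)

if __name__ == "__main__":
    print("vulnerable:", count_readable(get_document_vulnerable, "alice"))
    print("secure:", count_readable(get_document_secure, "alice"))
```

A check like `count_readable` belongs in the test suite of every endpoint that takes a record id, since this flaw is invisible to a functional test that only exercises the owner's happy path.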

New problems for new times

Three new categories were added to this complete list: Insecure Design (created precisely to distinguish design and architecture problems from implementation problems), Software and Data Integrity Failures (code and infrastructure that do not protect data integrity against third parties, such as malicious plugins), and Server-Side Request Forgery (a failure that occurs when an attacker manages to induce the application to make a request to an unexpected destination).

As mentioned earlier, it is very important that developers and professionals who work with penetration testing study the vulnerabilities and changes on the list. Fortunately, thanks to the popularity of the OWASP Top 10, all the documentation for the 2021 edition is now available in other languages as well.