OWASP Top Ten 2024 – The Complete Guide


OWASP 2024 is a topic that generates a lot of interest, and rightly so. The OWASP Top Ten ranks the most critical security risks to web apps, and it is a fair reflection of the current threat landscape because it is built from vulnerability data contributed by organizations across the industry, supplemented by a survey of practitioners. Since its first edition in 2003 the list has grown in popularity among web app developers and security professionals, who now use it as a kind of unofficial baseline for secure development.

The Open Worldwide Application Security Project Top Ten core team has been collecting submissions for the next edition since January 2024. The survey closes in September, after which the team will review the data, and it expects to issue the next update in early 2025. It will be interesting to see what makes the list this time, and as soon as it is available we will bring it to you. Until then, the list in force is the 2021 edition, so here are the OWASP 2024 web app vulnerabilities you should be mobilizing your resources against.

Top Ten Vulnerabilities for OWASP 2024

1. Broken Access Control

Every application needs access controls. They restrict users to accessing only the resources, and performing only the actions, that they are allowed to. But attackers can get around these restrictions when developers leave certain doors open.

One of these is missing or inadequate authorization checks. If the server does not enforce on every request who may do what, users can do things like access other users' accounts, view restricted files, or perform administrative actions that they are not entitled to. Hiding a link in the UI is not a control; the check has to happen server-side.

Use Role-Based Access Control (RBAC) to define roles clearly and ensure that users can only reach the resources and functions their role requires, and deny by default: anything not explicitly granted should be refused. You should also apply the Principle of Least Privilege, which means giving users the minimum access they need to do their job. The two sound the same, but there is a subtle difference. RBAC might limit certain functions to the manager role, for example, but not all managers are the same, so there may be scope to restrict permissions further for some of them. In either case, these controls should be periodically reviewed and tested.

Another example of broken access control is Insecure Direct Object References (IDOR). When an application takes an identifier from the user to look up an object such as a database record or file, but never checks that the user is entitled to that object, an attacker can manipulate the reference to gain unauthorized access. For example, when a user views their profile, the application might generate a URL that looks like this:

https://forinstance.org/userprofiles/123

The user might then guess that the 123 in the URL directly references their own profile record (hence 'direct object reference') and try 124, 125 and so on, potentially reading other users' records. The app should check that the requester is allowed to see each record; if it does not, the attacker has free rein. The fix is that authorization check, performed server-side on every request. Indirect object references, such as per-session mappings or random tokens that are hard to guess or manipulate, add a second layer by hiding the identifier space, but they are no substitute for the check: a random identifier that leaks (in a log, a referrer header, a shared link) is still an unchecked key.
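Here is the profile lookup above written both ways, as an added example that is not code from the original article: the unchecked handler, the same handler with a server-side ownership/role check, and an indirect-reference map layered on top. The profile store, the user names, the admin role and the Forbidden exception are constructed for the demo.

```python
# Added example (not from the article). Constructed profile store and user
# names; Forbidden stands in for whatever a real framework returns for 403.
import secrets

PROFILES = {
    123: {"owner": "alice", "email": "alice@example.org"},
    124: {"owner": "bob", "email": "bob@example.org"},
}

class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""

def get_profile_vulnerable(current_user, profile_id):
    """IDOR: the id from the URL is used as-is; nobody asks whether
    current_user is allowed to read that record."""
    return PROFILES[profile_id]

def can_read(current_user, profile_id, roles=()):
    """The authorization decision, kept in one place so every handler uses it.
    Deny by default: unknown records and non-owners are refused unless the
    caller holds the (constructed) admin role."""
    record = PROFILES.get(profile_id)
    if record is None:
        return False
    return record["owner"] == current_user or "admin" in roles

def get_profile_checked(current_user, profile_id, roles=()):
    """Hardened handler: same lookup, but the check runs on every request.
    Missing and forbidden records get the same error so ids cannot be
    enumerated by telling 403 from 404."""
    if not can_read(current_user, profile_id, roles):
        raise Forbidden()
    return PROFILES[profile_id]

class ReferenceMap:
    """Indirect references: the client sees a random token, the server maps it
    back to the real id and remembers who it was issued to. Defence in depth;
    get_profile_checked still makes the authorization decision."""
    def __init__(self):
        self._tokens = {}                      # token -> (user, profile_id)

    def issue(self, user, profile_id):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (user, profile_id)
        return token

    def resolve(self, user, token):
        entry = self._tokens.get(token)
        if entry is None or entry[0] != user:  # unknown token, or someone else's
            raise Forbidden()
        return entry[1]

def fetch_by_token(refmap, user, token):
    """Token -> id -> authorization check -> record."""
    return get_profile_checked(user, refmap.resolve(user, token))
```

Calling get_profile_vulnerable("alice", 124) hands alice bob's record; get_profile_checked("alice", 124) raises Forbidden, and a token issued to alice cannot be redeemed by bob even though both paths end in the same checked handler.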

2. Cryptographic Failures

Cryptography protects all sorts of sensitive information, and failures can happen for a variety of reasons. If an app transmits data over an unencrypted connection (e.g., using HTTP instead of HTTPS), or stores sensitive information like credit card numbers or passwords in plain text, then it is vulnerable. Likewise, if the app protects passwords with fast or broken hash functions such as MD5 or SHA-1, attackers who obtain the database can brute-force them cheaply on commodity GPUs, and both algorithms are also vulnerable to collisions, so they must not be used for signatures or integrity checks either.

Cryptographic keys need to be properly generated, stored, rotated, and disposed of. They should not be embedded directly in the source code, where they can be easily discovered and exploited, and SSL/TLS certificates should be properly validated (chain, hostname and expiry) to avoid man-in-the-middle (MITM) attacks. TLS (Transport Layer Security), version 1.2 or later, should always be used to encrypt data transmitted over networks.

Use strong, industry-standard encryption for data at rest, such as AES-256 in an authenticated mode like AES-GCM, and leave data in transit to TLS. Protect passwords with a slow, salted password hashing function like bcrypt, scrypt, or Argon2 rather than a general-purpose hash. These algorithms generate a random salt per password (extra random data mixed in before hashing, which defeats precomputed tables and makes identical passwords hash differently) and store it as part of their output, so you do not have to manage it yourself.
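As an added example (not code from the article), the unsalted-MD5 pattern next to a salted, memory-hard scheme. Argon2id would be the first choice but needs a third-party package, so this demo uses hashlib.scrypt from the standard library; the cost parameters, the record format and the sample passwords are assumptions for the demo.

```python
# Added example (not from the article): weak vs. proper password storage.
import base64
import hashlib
import hmac
import os

def weak_hash(password):
    """What NOT to do: unsalted MD5. Equal passwords give equal hashes and a
    GPU or a precomputed table recovers common ones almost instantly."""
    return hashlib.md5(password.encode()).hexdigest()

# scrypt cost parameters (constructed for the demo): N = CPU/memory cost,
# r = block size, p = parallelism. 2**14/8/1 uses 16 MiB per hash.
N, R, P = 2 ** 14, 8, 1

def hash_password(password, salt=None):
    """Return a self-describing record 'scrypt$N$r$p$salt$hash'. A fresh
    16-byte random salt per password means two users with the same password
    get different records, and the parameters travel with the hash so they
    can be raised later without breaking old records."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (
        N, R, P,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )

def verify_password(password, record):
    """Recompute with the stored parameters and salt, then compare in constant
    time so response timing does not reveal how many bytes matched."""
    try:
        algo, n, r, p, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))
```

The MD5 of "password" is the same on every system in the world, which is exactly why it is crackable by lookup; two calls to hash_password("correct horse battery staple") produce two different records that both verify.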

3. Injection

Injection is a class of vulnerability that occurs when untrusted user input is sent to an interpreter as part of a command or query. This can allow attackers to execute malicious commands or access unauthorized data. Injection vulnerabilities are often found in SQL queries, operating system commands, LDAP statements and XML parsers, and, since cross-site scripting was folded into this category in the 2021 edition, in HTML and JavaScript emitted to the browser. They now sit under this one umbrella term, which occupies the number three position for OWASP 2024.

For example, if user input is concatenated into an SQL query so that the database cannot tell the data from the code, the result is an SQL injection attack, where the attacker can bypass authentication, read, modify or delete data, or escalate privileges.

The main defense against injection is to keep data and code apart: use parameterized queries or prepared statements (or a safe API such as an ORM that does so) so that input is never interpreted as part of the statement. Input validation against an allowlist of expected formats adds a second layer, and output encoding for the target context (HTML, JavaScript, shell) covers the cases where data must be embedded in code. Sanitization (stripping 'dangerous' characters) is the weakest of these and should not be relied on alone.
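The authentication-bypass case above, as an added example that is not from the article: the same login query written with string formatting and with placeholders, run against an in-memory SQLite database whose users table, row and column names are constructed for the demo, plus an allowlist validator for the username.

```python
# Added example (not from the article): SQL injection, vulnerable and fixed.
import re
import sqlite3

def make_db():
    """Constructed table; a real app stores a salted password hash here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hash-of-secret')")
    return db

def login_vulnerable(db, username, password_hash):
    """Untrusted input is spliced into the SQL text, so a quote in the input
    ends the string literal and the rest is executed as SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password_hash = '%s'" % (username, password_hash))
    return db.execute(sql).fetchone()[0] > 0

def login_safe(db, username, password_hash):
    """Placeholders send the values separately from the statement; the driver
    never interprets them as SQL, so quotes in the input are just data."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(sql, (username, password_hash)).fetchone()[0] > 0

# Allowlist validation as the second layer: what a username may look like
# (constructed policy), not a list of characters to strip.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")

def valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None

# The classic payload: closes the string, then ORs in a tautology.
PAYLOAD = "' OR '1'='1"
```

With PAYLOAD as the password, login_vulnerable runs ... AND password_hash = '' OR '1'='1' and returns True for any username; login_safe compares the literal eleven-character string and returns False.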

4. Insecure Design

This OWASP 2024 category covers weaknesses introduced at the design stage of building an application rather than the implementation stage, so no amount of careful coding fixes them; the design itself has to change. Some of the things we have already mentioned also fit here, such as failing to design in validation of user input and adequate user authentication and authorization. Others include poor session management (which invites session hijacking), poor error handling and logging (which can give malicious actors valuable clues about your defenses), insufficient data protection, and piling unnecessary or non-essential features into core functionality (which enlarges the attack surface). Finally, there is inadequate threat modeling and the failure to build security testing into the application's lifecycle.

5. Security Misconfiguration

These vulnerabilities arise when security settings are poorly defined, implemented, or maintained. They can occur at any level of an application stack, including the web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage.

Examples include leaving insecure defaults in place, such as default usernames and passwords; incomplete configurations, where not all the necessary security controls are implemented and parts of the system are left unprotected; and debug features, verbose error pages or stack traces left enabled in production, which hand attackers details about the stack.

If systems have not had security patches or updates applied, they remain open to known vulnerabilities, and if directory listing is enabled, the directory structure and potentially sensitive files are exposed.

To avoid these problems, change default credentials; regularly apply security patches to software, frameworks, and dependencies; install only the minimum set of features required, which reduces the attack surface; configure applications to handle errors securely without revealing sensitive information; and use configuration management tools to enforce and maintain secure settings in a repeatable way, so that every environment is built the same. Conduct regular audits, apply the principle of least privilege, and segment the network to limit access and exposure.

6. Vulnerable and Outdated Components

Most websites now rely on external dependencies like frameworks, libraries, extensions, and plugins, and keeping them all secure and up to date can quickly become an overwhelming task. One of the best ways to ensure that none of them succumbs to malware or exposes your data is to use a solution like Reflectiz. It scans for vulnerabilities and alerts you promptly to any it discovers, tracks how they use sensitive data, and more.

Components that are no longer maintained or supported by the vendor get no security updates, and malicious actors are always on the lookout for these easy wins. It is the same story with outdated libraries and frameworks. Any unpatched plug-in or extension is an easy 'in' for attackers, so keep an inventory of every component and its version, client-side as well as server-side, subscribe to the advisories for each, and keep them up to date.

7. Identification and Authentication Failures

This category includes any kind of failure that involves poor gatekeeping. Weak passwords such as "password" or "123456", and passwords reused across sites, are easy for attackers to crack or replay and should be rejected. Current guidance (NIST SP 800-63B) is to require length rather than complexity rules, screen new passwords against lists of known breached passwords, and not force periodic changes: forced rotation pushes users towards predictable variations, so change passwords when there is evidence of compromise instead.

Brute-force attacks are an authentication problem. These are when attackers try many combinations to guess a password, and it works if that password is weak. You can blunt them by rate limiting and adding progressive delays after failed login attempts, per account and per source IP, and by using CAPTCHAs to distinguish human users from automated scripts. Hard account lockouts are a blunter tool: they stop the guessing, but they also let an attacker lock a victim out on purpose, so keep any lockout short-lived or prefer throttling.

Another one to watch is credential stuffing, where attackers use lists of stolen usernames and passwords to try logging into different websites. You can counter this tactic with Multi-Factor Authentication (MFA), which adds an extra layer of security, making it harder for attackers to gain unauthorized access even if they have the right password. Monitoring for one source trying many different usernames is the matching detection.
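The throttling and password-screening points above, as an added example that is not code from the article: a sliding-window counter keyed by account and by source IP with an injectable clock, and a breach-list check in place of complexity rules. The thresholds, the window and the breached-password set are assumptions for the demo (in production the set would be a lookup against a corpus such as Pwned Passwords).

```python
# Added example (not from the article): login throttling and password screening.
import time
from collections import deque

# Constructed stand-in for a breached-password corpus.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}

def password_acceptable(password, min_len=12):
    """Length plus a breach-list screen; no composition rules, no expiry."""
    return len(password) >= min_len and password.lower() not in BREACHED

class LoginThrottle:
    """Sliding-window failure counter. The per-account limit is deliberately
    short-lived (it clears after `window` seconds) instead of a permanent
    lockout, so an attacker who knows a username cannot lock the victim out
    for good by failing on purpose; the per-IP limit is what stops bulk
    guessing from one source."""
    def __init__(self, clock=time.monotonic, window=300,
                 max_per_account=5, max_per_ip=20):
        self.clock = clock
        self.window = window
        self.limits = {"account": max_per_account, "ip": max_per_ip}
        self.events = {"account": {}, "ip": {}}   # key -> deque of timestamps

    def _recent(self, kind, key):
        """Drop timestamps outside the window and return the live deque."""
        q = self.events[kind].setdefault(key, deque())
        cutoff = self.clock() - self.window
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def allowed(self, account, ip):
        """(True, None) if the attempt may proceed, else (False, reason)."""
        if len(self._recent("ip", ip)) >= self.limits["ip"]:
            return False, "ip"
        if len(self._recent("account", account)) >= self.limits["account"]:
            return False, "account"
        return True, None

    def record_failure(self, account, ip):
        now = self.clock()
        self._recent("account", account).append(now)
        self._recent("ip", ip).append(now)

    def record_success(self, account):
        """A real login clears the account counter; the IP counter is left
        alone because one success in a stuffing run is still a stuffing run."""
        self.events["account"].pop(account, None)
```

Check allowed() before verifying the password and call record_failure() on every miss, including for usernames that do not exist, so that the response does not reveal which accounts are real.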

8. Software and Data Integrity Failures

This category covers risks related to the improper validation of software and data: situations where code, updates and data are not adequately protected against unauthorized changes or corruption.

Common examples include auto-updates that are downloaded and applied without integrity verification, a lack of code signing, CI/CD pipelines that can be tampered with, third-party scripts and libraries pulled from CDNs or repositories without integrity checks, and insecure deserialization of untrusted data. Attackers exploit these to substitute their own code or data for yours. To mitigate them, verify signatures or digests on every update, sign your own code, pin third-party scripts with Subresource Integrity, lock down pipeline access, and regularly audit and monitor the integrity of software and data.
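The "third-party script without an integrity check" case, as an added example that is not code from the article: computing and verifying Subresource Integrity hashes, which is the browser-enforced form of pinning the exact bytes you reviewed. The script body and the CDN URL are constructed for the demo; verifying a signed update manifest on the server is the same idea with a signature in place of a digest.

```python
# Added example (not from the article): Subresource Integrity (SRI) hashes.
import base64
import hashlib
import hmac

# The algorithms the SRI spec allows; md5 and sha1 are deliberately absent.
ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}

def sri_hash(body, algo="sha384"):
    """'<algo>-<base64 digest>', the value used in the integrity attribute."""
    digest = ALGOS[algo](body).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode())

def verify_sri(body, integrity):
    """Check fetched bytes against an integrity attribute, which may list
    several space-separated hashes. Browsers honour only the strongest listed
    algorithm; this simplified check passes on any matching known token and
    ignores unknown algorithms, so an unknown token can never accept a body."""
    for token in integrity.split():
        algo = token.split("-", 1)[0]
        if algo in ALGOS and hmac.compare_digest(sri_hash(body, algo), token):
            return True
    return False

def script_tag(src, body):
    """Emit the tag that pins the reviewed bytes. crossorigin is required for
    SRI to apply to a cross-origin resource."""
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, sri_hash(body)))

# Constructed third-party script; in practice this is the file you reviewed.
SCRIPT = b"window.track = function (e) { return e; };"
```

If the CDN later serves even one changed byte, the browser refuses to execute the script, which is the whole point: the integrity decision was made when you reviewed the file, not when the CDN delivered it.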

9. Security Logging and Monitoring Failures

This category focuses on the risks associated with inadequate logging and monitoring of security events. It is difficult to maintain a robust security posture without logging the events that matter (logins and login failures, access control failures, input validation failures, and high-value transactions) with enough context to act on (who, when, from where, and the outcome), centralized log management with logs protected from tampering, and monitoring of those logs for suspicious activity with alerting that reaches someone who can respond. Reflectiz helps to fulfill some of these requirements through its ongoing monitoring and reporting of these sorts of security events.
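Centralized logs only help if something reads them. As an added example (not from the article), here is the kind of pass that should run over authentication logs: it parses a constructed log format and flags the two patterns from the previous section, credential stuffing (one source trying many different usernames) and brute force (many failures against one account). The log lines, the format and the thresholds are constructed for the demo.

```python
# Added example (not from the article): detection over authentication logs.
import re
from collections import defaultdict

# Constructed sample: one IP sprays five usernames (stuffing, with one hit),
# a second IP hammers alice (brute force), and one ordinary login.
LOG_LINES = """\
2024-06-01T10:00:01Z auth result=FAIL user=alice ip=203.0.113.9
2024-06-01T10:00:02Z auth result=FAIL user=bob ip=203.0.113.9
2024-06-01T10:00:02Z auth result=FAIL user=carol ip=203.0.113.9
2024-06-01T10:00:03Z auth result=OK user=dave ip=203.0.113.9
2024-06-01T10:00:04Z auth result=FAIL user=erin ip=203.0.113.9
2024-06-01T10:01:00Z auth result=FAIL user=alice ip=198.51.100.20
2024-06-01T10:01:05Z auth result=FAIL user=alice ip=198.51.100.20
2024-06-01T10:01:09Z auth result=FAIL user=alice ip=198.51.100.20
2024-06-01T10:01:12Z auth result=FAIL user=alice ip=198.51.100.20
2024-06-01T10:02:00Z auth result=OK user=frank ip=192.0.2.44
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped rather
    than allowed to stop the whole pass."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def detect(lines, stuffing_users=4, bruteforce_fails=4):
    """Two signals:
    - stuffing: distinct usernames tried from one IP, successes included,
      because the success in the middle of a spray is the account that fell;
    - bruteforce: failures against one account from any source.
    Returns {"stuffing": {ip: n_users}, "bruteforce": {user: n_fails}}."""
    users_by_ip = defaultdict(set)
    fails_by_user = defaultdict(int)
    for ev in parse(lines):
        users_by_ip[ev["ip"]].add(ev["user"])
        if ev["result"] == "FAIL":
            fails_by_user[ev["user"]] += 1
    return {
        "stuffing": {ip: len(u) for ip, u in users_by_ip.items() if len(u) >= stuffing_users},
        "bruteforce": {u: n for u, n in fails_by_user.items() if n >= bruteforce_fails},
    }
```

Each alert carries the fields needed to respond (which IP, which account, how many attempts), which is only possible because every line recorded who, from where and the outcome in the first place.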

10. Server-Side Request Forgery (SSRF)

This one is about vulnerabilities that allow an attacker to make the server issue requests to internal or external resources of the attacker's choosing. It happens when a web application accepts a user-controlled URL (for a webhook, an image fetch, a document import) and uses it to make requests without proper validation or restrictions.

Common weaknesses associated with SSRF include unrestricted URL access, improper input validation, and the ability to reach protected internal services. If they are successful, attackers may be able to interact with sensitive internal systems, read confidential data, or manipulate the server environment. Classic targets are cloud instance metadata endpoints such as 169.254.169.254, admin interfaces bound to localhost, and internal databases that trust the application's network position.

Once again, this highlights the need for strict input validation: allowlist permitted schemes and hosts, reject URLs with embedded credentials, resolve the host name and refuse any answer in private, loopback or link-local address space, and do not follow redirects blindly, since a redirect is another attacker-chosen URL. Organizations should also limit the server's ability to reach internal resources with egress filtering, and employ network segmentation to protect sensitive services.
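The validation layers above, as an added example that is not code from the article: scheme and host allowlists, a userinfo check, and a resolved-address check that keeps loopback, private and link-local space (including the metadata endpoint) off-limits. The allowlist, the stand-in DNS table and the addresses are constructed for the demo; in production the resolver is socket.getaddrinfo, and you connect to the address you validated (with the Host header and SNI set to the name) so that a second lookup cannot swap in a private answer.

```python
# Added example (not from the article): validating a user-supplied fetch URL.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.org", "cdn.example.org"}   # constructed allowlist

# Constructed resolver table. evil.example.net is a public-looking name whose
# DNS answer points inside the network, the rebinding / internal-answer trick.
FAKE_DNS = {
    "images.example.org": ["93.184.216.34"],
    "cdn.example.org": ["151.101.1.69"],
    "evil.example.net": ["10.0.0.5"],
}

def resolve(host):
    """IP literals need no lookup; names go to the (fake) resolver."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host, [])

class UnsafeURL(ValueError):
    """str(exc) names the layer that rejected the URL."""

def validate_fetch_target(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve):
    """Return (host, ip, port) to connect to, or raise UnsafeURL(reason).
    Every resolved address must be globally routable; is_global rejects
    loopback, RFC 1918, link-local (169.254.0.0/16) and unspecified space."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL("scheme")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo")
    host = (parts.hostname or "").lower()
    if not host or (allowed_hosts is not None and host not in allowed_hosts):
        raise UnsafeURL("host")
    addrs = resolver(host)
    # Fail closed: no answer, or any single private answer, rejects the URL.
    if not addrs or not all(ipaddress.ip_address(a).is_global for a in addrs):
        raise UnsafeURL("address")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        raise UnsafeURL("port")
    return host, addrs[0], port

def rejection_reason(url, **kwargs):
    """None if the URL is acceptable, otherwise the layer that rejected it."""
    try:
        validate_fetch_target(url, **kwargs)
        return None
    except UnsafeURL as exc:
        return str(exc)
```

Passing allowed_hosts=None disables the host allowlist so the address check can be exercised on its own; in production keep the allowlist whenever the set of legitimate destinations is known, because it is the one layer an attacker cannot argue with.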

What’s Next for OWASP 2025?

OWASP 2024 provides a useful guide to combating some of the most challenging vulnerabilities that go with running large numbers of web apps, and you can manage many of them with Reflectiz. Looking into our crystal ball for a second, when the updated list comes out we would not be surprised to see vulnerabilities related to supply chain attacks being given their own category. With the ever-increasing use of APIs, securing them against threats like broken object-level authorization and excessive data exposure means an API-related heading might be appropriate. We could be seeing something related to AI-assisted malware, and maybe something to do with cloud-specific vulnerabilities like misconfigured storage buckets too, given that so many applications have moved to the cloud now.

Whatever the final list contains, Reflectiz’s continuous monitoring will keep the third- and fourth-party applications that power your website safe, secure, and compliant with privacy regulations. Get in touch with us today and learn more about how continuous monitoring can keep your business, customers, and reputation safe.
