Top 10 Web Vulnerabilities of 2022

With digital transformation, many companies are implementing web applications in their company. For this reason, it is essential to know the security measures that can be implemented to develop a new application or one already in operation. Almost all vulnerabilities can be applied regardless of the size of the company.

The ‘Open Web Application Security Project is a community that, through its collaborators, who give them data from over 500,000 web applications, issues a document called OWASP Top 10 that compiles the 10 most common web vulnerabilities, in this case from 2022.

Today, software is present in our lives, and, as is logical, the more complex it becomes, the more critical it becomes; that is, the more complex it is, the more likely it is to be compromised by cybercriminals.

What are Those Vulnerabilities, and How Can They Affect?

1. Loss of access control ( Broken Access Control )

Access control allows a policy of permissions and roles to be fulfilled; a user can access certain places. These restrictions imply that users cannot act outside the permissions and keep track of who accesses each resource. The Broken Access Control vulnerability allows unprivileged users to access a resource they should not have access to. 

What impact can this have on my business?

• A cybercriminal could act on the system with user or administrator permissions.
• Access to confidential records, directories or files for possible subsequent disclosure.

2. Cryptographic Failures

There are specific data that must be encrypted, such as access credentials, bank details, confidential company information, etc., since apart from being required by law, the fact that a cybercriminal can do with them can be catastrophic for the company. In short, for these to be seen only by authorized people in the company, they must be encrypted with standard and robust algorithms and protocols. 

What impact can this have on my company?

• Exposure of sensitive data to a cybercriminal (personal, critical or strategic data for the company; credentials…).

3. Injection

This happens when a cybercriminal can send harmful data to an interpreter. New this year, Cross-site Scripting is part of this category. To do this, you must have secure APIs and verification controls when entering data. 

What impact can this have on my company?

• Exposure and possible modification of sensitive data by a cybercriminal.
• Under certain circumstances, it could allow the cybercriminal to take control of the server.

4. Insecure Design

When developing a web application, it is essential to include the application’s security from the design phase since this new category has been included this year due to the large number of applications that do not comply with it. Many applications have flaws in their design. 

What impact can this have on my company?

• Exposure and possible modification of data by a cyber-criminal.
• Access to the server/application by a cybercriminal with administrator or user permissions.

5. Faulty security configuration ( Security Misconfiguration )

In our web application environment, cybercriminals will try to access through default accounts, obsolete versions with updated vulnerabilities, unprotected directories, etc. For this reason, everything must be well configured and avoid using default credentials, such as in the case of our server, applications or devices. 

What impact can this have on my company?

• Unauthorized access to the system by the cyber-criminal.

6. Vulnerable and Outdated Components

A cybercriminal may compromise a system through known vulnerabilities in standard components, such as the version of the operating system or applications installed on the server, among others.

What impact can this have on my company?

• Some of these vulnerabilities may have a small impact. Still, the most significant security breaches have occurred by exploiting these vulnerabilities.

7. Identification and Authentication Failures

This happens when the number of authentication attempts is not controlled in the access interfaces, there is a low complexity of the passwords or a multifactor “2FA” system is not implemented. This could allow a cybercriminal to use brute force or dictionary attacks to break into it or when your app allows weak passwords to be used.

What impact can this have on my company?

• Cybercriminals will have access to administrative or employee accounts in the application.

8. Software and Data Integrity Failures

Many apps update automatically. Cybercriminals could modify these updates by uploading their own updates and distributing them when these updates are not verified. 

What impact can this have on my company?

• Inclusion of unwanted code by a cybercriminal in my application.

9. Security Logging and Monitoring Failures

There is a lack of records about events, so-called logs, in the application or system, such as logins (both valid and failed). For example, the fact that these logs are not stored remotely prevents violations from being detected.

What impact can this have on my company?

• Unawareness about unauthorized logins.
• Lack of knowledge about the acts of a cybercriminal in our system.

10. Server-side Request Forgery or SSRF

When our web application obtains an external resource and does not validate the URL, a cybercriminal could modify it for malicious purposes and make unauthorized requests.

What impact can this have on my company?

• Theft of sensitive company data.
• Access to internal company systems.