A06:2021 – Vulnerable and Outdated Components

You are likely vulnerable:

· If you do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies.

· If the software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.

· If you do not scan for vulnerabilities regularly, or do not subscribe to security bulletins related to the components you use.

· If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments where patching is a monthly or quarterly task under change control, leaving organizations open to days or months of unnecessary exposure to vulnerabilities that already have a fix.

· If software developers do not test the compatibility of updated, upgraded, or patched libraries.

· If you do not secure the components’ configurations (see A05:2021-Security Misconfiguration).
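The first three bullets describe an inventory problem: you need the exact version of every component, direct and transitive, and a way to compare it against the advisories that apply. The script below is an added example, not part of the OWASP text, showing the minimum such a check has to do. The inventory (in pip freeze format) and the advisory list are constructed here; the advisory identifiers are placeholders, not real CVEs, and the version comparison is a deliberate simplification of PEP 440 ordering. In practice you would feed a lockfile or SBOM into a tool backed by a real advisory database rather than maintain the list by hand, but the logic (unknown version is a finding in itself; any pinned version below the fix is a finding) is the same.

```python
"""Check a pinned dependency inventory against an advisory list, offline."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Matches a strict pin such as "werkzeug==2.0.3"; anything else is "version unknown".
PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.\-]*)$")


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str
    fixed_in: str          # first version that is no longer affected


# Constructed inventory in `pip freeze` format. A freeze lists transitive
# dependencies too, which is the point: nested versions must be known as well.
SAMPLE_INVENTORY = """\
flask==2.0.3
jinja2==3.0.1
werkzeug==2.0.3
requests>=2.25
urllib3==1.26.5
"""

# Constructed advisories with placeholder identifiers; these are not real CVEs.
SAMPLE_ADVISORIES = [
    Advisory("werkzeug", "EXAMPLE-ADV-0001", "2.1.0"),
    Advisory("urllib3", "EXAMPLE-ADV-0002", "1.26.5"),
    Advisory("jinja2", "EXAMPLE-ADV-0003", "3.0.2"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.26.5' -> (1, 26, 5). Non-numeric segments count as 0 (a simplification;
    real tooling uses PEP 440 / semver comparison)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def normalise(name: str) -> str:
    return name.lower().replace("_", "-")


def parse_inventory(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (pinned {name: version}, lines whose version cannot be determined)."""
    pinned, unknown = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[normalise(m.group(1))] = m.group(2)
        else:
            unknown.append(line)
    return pinned, unknown


def check_inventory(text: str, advisories: List[Advisory]):
    """Return (findings, unknown). Each finding is
    (package, installed, advisory_id, fixed_in) for a pinned version below the fix."""
    pinned, unknown = parse_inventory(text)
    findings = []
    for adv in advisories:
        installed = pinned.get(normalise(adv.package))
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append((adv.package, installed, adv.advisory_id, adv.fixed_in))
    return findings, unknown


if __name__ == "__main__":
    found, unknown = check_inventory(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)
    for pkg, ver, adv_id, fixed in found:
        print(f"{pkg}=={ver} affected by {adv_id}, upgrade to >= {fixed}")
    for line in unknown:
        print(f"version unknown (not strictly pinned): {line}")
```

Run against the sample, it flags werkzeug and jinja2 as below their fix versions, leaves urllib3 alone because it is exactly at the fixed version, and reports requests as unknown because a range specifier is not an inventory entry. That last case is the one most teams miss: if the version is not pinned, you do not know what is deployed, which is the first bullet above.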


A07:2021 – Identification and Authentication Failures

Confirmation of the user's identity, authentication, and session management is critical to protect against authentication-related attacks. There may be authentication weaknesses if the application:

· Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.

· Permits brute force or other automated attacks.

· Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".

· Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers," which cannot be made safe.

· Stores passwords in plain text, in reversibly encrypted form, or weakly hashed (see A02:2021-Cryptographic Failures).

· Has missing or ineffective multi-factor authentication.

· Exposes session identifiers in the URL.

· Reuses the same session identifier after successful login (enabling session fixation).

· Does not correctly invalidate session IDs. User sessions or authentication tokens (mainly single sign-on (SSO) tokens) aren't properly invalidated during logout or after a period of inactivity.
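The last five bullets are all things a session layer either gets right or does not, and they are easiest to see together in code. The following is an added example, not OWASP's or any framework's code: a small in-memory session store with the properties the list asks for. Session IDs come from the CSPRNG and never appear in URLs; a successful login discards the pre-login ID instead of promoting it; logout invalidates server-side; idle sessions expire; repeated failures on an account are refused for a window; and the constructed user record is a salted PBKDF2 hash rather than plaintext. The user database, passwords, thresholds and the ManualClock helper are assumptions made for the example.

```python
"""Session handling that resists fixation, brute force, and stale sessions."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity after which a session is dead
MAX_FAILED_LOGINS = 5         # failures per account within LOCKOUT_WINDOW before refusing
LOCKOUT_WINDOW = 15 * 60
PBKDF2_ROUNDS = 100_000       # floor for the example; tune upward in production


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_record(password: str) -> Tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, _hash(password, salt)


# Constructed user store: salted PBKDF2 hashes, never plaintext or reversible encryption.
_DUMMY_RECORD = make_record(secrets.token_hex(8))
USERS = {"alice": make_record("correct horse battery staple")}


def verify_password(username: str, password: str) -> bool:
    # Always run the KDF, even for unknown users, so response time does not
    # reveal whether an account exists.
    salt, expected = USERS.get(username, _DUMMY_RECORD)
    return hmac.compare_digest(_hash(password, salt), expected) and username in USERS


class ManualClock:
    """Injectable clock so idle timeouts can be exercised without sleeping."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


@dataclass
class Session:
    user: Optional[str]
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self._sessions: Dict[str, Session] = {}
        self._failures: Dict[str, List[float]] = {}

    def new_anonymous(self) -> str:
        sid = secrets.token_urlsafe(32)       # 256 bits from the CSPRNG, never a counter
        self._sessions[sid] = Session(None, self.clock())
        return sid

    def user_for(self, sid: str) -> Optional[str]:
        """Resolve a session id to its user, expiring it if idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def login(self, sid: str, username: str, password: str,
              verify: Callable[[str, str], bool] = verify_password):
        """Return (new_session_id, status); status is 'ok', 'bad_credentials' or 'locked'."""
        now = self.clock()
        recent = [t for t in self._failures.get(username, []) if now - t < LOCKOUT_WINDOW]
        self._failures[username] = recent
        if len(recent) >= MAX_FAILED_LOGINS:
            return None, "locked"
        if not verify(username, password):
            recent.append(now)
            return None, "bad_credentials"
        # Rotate on privilege change: the pre-login id (which an attacker may have
        # planted or observed) is discarded rather than promoted to an authenticated one.
        self._sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(username, now)
        self._failures.pop(username, None)
        return new_sid, "ok"

    def logout(self, sid: str) -> bool:
        """Server-side invalidation; clearing the cookie alone is not enough."""
        return self._sessions.pop(sid, None) is not None
```

The per-account lockout is the simplest throttle and is enough to illustrate the point; on its own it lets an attacker lock users out, so production systems usually combine it with per-source rate limiting, proportional delays, or MFA rather than relying on it alone. The ID must also travel in a cookie with the Secure and HttpOnly attributes, which this store does not handle.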


A08:2021 – Server-Side Request Forgery (SSRF)

SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. This allows an attacker to coerce the application into sending a crafted request to an unexpected destination, even when that destination is protected by a firewall, VPN, or another type of network access control list (ACL), because the request originates from the application's own trusted network position.

As modern web applications provide end-users with convenient features, fetching a URL on the user's behalf (webhooks, link previews, image import) has become a common scenario, and the incidence of SSRF is increasing accordingly. Its severity is also rising: cloud services expose internal-only endpoints such as instance metadata services, and complex architectures put many unauthenticated internal services within reach of a single coerced request.
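Validating "the user-supplied URL" means more than checking that it parses. The function below is an added example, not part of the OWASP text, of the checks a fetcher should run before making the request: scheme and port restricted, no userinfo (the "https://trusted@evil" trick), an optional host allowlist, and a resolve-then-check step that rejects the URL if any record the host resolves to is loopback, private, link-local (where the cloud metadata address 169.254.169.254 lives), or an IPv4-mapped IPv6 wrapper of one of those. The allowlist hosts are hypothetical; the resolver is injectable so the example runs offline against constructed DNS data.

```python
"""Validate a user-supplied URL before the server fetches it (SSRF guard)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}
# Hypothetical allowlist of hosts this service is permitted to fetch from.
DEFAULT_ALLOWED_HOSTS = {"api.example.com", "images.example.com"}


def _system_resolve(host):
    """Resolve a hostname to all of its A/AAAA records using the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(text):
    """True only for globally routable unicast addresses. Rejects RFC 1918, loopback,
    link-local (cloud metadata 169.254.169.254 lives here), multicast, reserved,
    unspecified, and IPv4-mapped IPv6 wrappers of any of those. Note that Python
    also classes the documentation ranges (192.0.2/24 etc.) as private."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_url(url, resolve=_system_resolve, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Return (ok, reason). `resolve` is injectable so the check can run offline.
    Pass allowed_hosts=None to skip the allowlist and rely on the address check only."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "bad scheme"          # file://, gopher://, ftp:// etc.
    host = parts.hostname                   # lowercased, brackets stripped for IPv6
    if not host:
        return False, "no host"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo"            # https://api.example.com@evil.example/
    try:
        if parts.port not in ALLOWED_PORTS:
            return False, "bad port"
    except ValueError:
        return False, "bad port"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host not allowed"
    try:
        ipaddress.ip_address(host)
        addrs = [host]                      # literal IP: no DNS lookup needed
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False, "resolve failed"
    if not addrs:
        return False, "resolve failed"
    # Every record must be public: one private A record is enough to reach it.
    if not all(is_public_address(a) for a in addrs):
        return False, "non-public address"
    return True, "ok"
```

Two caveats a practitioner will want. First, this check is subject to DNS rebinding: the address validated here and the one the HTTP client connects to a moment later can differ, so the fetcher should connect to the address that passed validation and send the hostname in the Host header, or pin the resolution for the request. Second, redirects re-open the problem; either disable them or run the same check on every hop.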