# OWASP Top 10 2021 Mapping for Nuclei Findings
## Table of Contents
- A01:2021 - Broken Access Control
- A02:2021 - Cryptographic Failures
- A03:2021 - Injection
- A04:2021 - Insecure Design
- A05:2021 - Security Misconfiguration
- A06:2021 - Vulnerable and Outdated Components
- A07:2021 - Identification and Authentication Failures
- A08:2021 - Software and Data Integrity Failures
- A09:2021 - Security Logging and Monitoring Failures
- A10:2021 - Server-Side Request Forgery (SSRF)
## A01:2021 - Broken Access Control
### Nuclei Template Tags
- `exposure` - Exposed sensitive files and directories
- `idor` - Insecure Direct Object References
- `auth-bypass` - Authentication bypass vulnerabilities
- `privilege-escalation` - Privilege escalation issues
### Common Findings
- Exposed Admin Panels: `/admin`, `/administrator`, `/wp-admin` accessible without authentication
- Directory Listing: Open directory listings exposing sensitive files
- Backup Files Exposed: `.bak`, `.sql`, `.zip` files publicly accessible
- Git/SVN Exposure: `.git`, `.svn` directories exposed
- API Access Control: Missing authorization checks on API endpoints
### Remediation Priority
Critical - Immediate action required for exposed admin panels and authentication bypasses
## A02:2021 - Cryptographic Failures
### Nuclei Template Tags
- `ssl` - SSL/TLS configuration issues
- `weak-crypto` - Weak cryptographic implementations
- `exposed-keys` - Exposed cryptographic keys
### Common Findings
- Weak TLS Versions: TLS 1.0, TLS 1.1 still enabled
- Weak Cipher Suites: RC4, DES, 3DES in use
- Missing HSTS: HTTP Strict Transport Security not configured
- Self-Signed Certificates: Invalid or self-signed SSL certificates
- Exposed Private Keys: Private keys in public repositories or directories
### Remediation Priority
High - Update to TLS 1.2+ and modern cipher suites
## A03:2021 - Injection
### Nuclei Template Tags
- `sqli` - SQL Injection
- `xss` - Cross-Site Scripting
- `xxe` - XML External Entity
- `ssti` - Server-Side Template Injection
- `nosqli` - NoSQL Injection
- `cmdi` - Command Injection
### Common Findings
- SQL Injection: User input reflected in database queries
- Cross-Site Scripting (XSS): Reflected, Stored, and DOM-based XSS
- Command Injection: OS command execution via user input
- LDAP Injection: LDAP query manipulation
- Template Injection: Server-side template injection in Jinja2, Twig, etc.
### Remediation Priority
Critical - SQL Injection and Command Injection require immediate remediation
## A04:2021 - Insecure Design
### Nuclei Template Tags
- `logic` - Business logic flaws
- `workflow` - Workflow bypass vulnerabilities
### Common Findings
- Rate Limiting Bypass: Missing rate limiting on authentication endpoints
- Workflow Bypass: Steps in business processes can be skipped
- Insufficient Resource Allocation: No limits on resource consumption
- Unvalidated Redirects: Open redirect vulnerabilities
### Remediation Priority
Medium to High - Depends on business impact and exploitability
## A05:2021 - Security Misconfiguration
### Nuclei Template Tags
- `misconfig` - Generic misconfigurations
- `headers` - Missing security headers
- `cors` - CORS misconfigurations
- `debug` - Debug modes enabled in production
### Common Findings
- Missing Security Headers: `Content-Security-Policy`, `X-Frame-Options`, `X-Content-Type-Options`, `Strict-Transport-Security`
- CORS Misconfiguration: `Access-Control-Allow-Origin: *`
- Debug Mode Enabled: Stack traces, verbose errors in production
- Default Configurations: Unchanged default credentials and settings
- Directory Indexing: Apache/Nginx directory listing enabled
### Remediation Priority
Medium - Apply hardening configurations and remove debug modes
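As an added example (not part of this guide, of OWASP, or of Nuclei), the following Python runs the A05 header checks listed above over a raw HTTP response: the four missing security headers and a wildcard CORS policy. It also goes slightly beyond the list with two related checks a reviewer would want, an `X-Content-Type-Options` value other than `nosniff` and a `Strict-Transport-Security` header whose `max-age` is missing or `0` (which disables HSTS). The two sample responses are constructed, not captured from any host.

```python
"""Detection logic for the A05 findings above: parse a raw HTTP response and report
missing security headers and a wildcard CORS policy. Added example, not code from
Nuclei or OWASP; the sample responses are constructed."""
import re

# Headers whose absence this guide lists as a Security Misconfiguration finding.
EXPECTED = ("Content-Security-Policy", "X-Frame-Options",
            "X-Content-Type-Options", "Strict-Transport-Security")


def parse_headers(raw):
    """Parse the status line and header block of a raw HTTP response into
    (status_code, {lowercased-name: value}); duplicate headers are comma-joined."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    lines = head.split("\n")
    first = lines[0].split()
    status = int(first[1]) if len(first) > 1 and first[0].startswith("HTTP/") and first[1].isdigit() else 0
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def check_response(raw, scheme="https"):
    """Return the list of A05 findings for one response. `scheme` is the scheme of the
    request that produced it: HSTS is only honoured over TLS, so it is not demanded on http."""
    _, h = parse_headers(raw)
    findings = []
    for name in EXPECTED:
        key = name.lower()
        if key == "strict-transport-security" and scheme != "https":
            continue
        if key not in h:
            findings.append(f"missing {name}")
    # A present header with the wrong value is as bad as a missing one.
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options present but not 'nosniff'")
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
    if hsts and (m is None or int(m.group(1)) == 0):
        findings.append("Strict-Transport-Security present but max-age missing or 0 (HSTS disabled)")
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("CORS misconfiguration: Access-Control-Allow-Origin: *")
    return findings


# Constructed sample responses: one as a scanner would flag it, one hardened.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Access-Control-Allow-Origin: https://app.example\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_response(resp) or ["no A05 findings"])
```

Each finding string maps directly onto a bullet of the Common Findings list, so the output can be filed under A05 without further interpretation; pass `scheme="http"` for plain-HTTP targets so a missing HSTS header is not reported where browsers would ignore it anyway.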
## A06:2021 - Vulnerable and Outdated Components
### Nuclei Template Tags
- `cve` - Known CVE vulnerabilities
- `eol` - End-of-life software
- `outdated` - Outdated software versions
### Common Findings
- Known CVEs: Outdated libraries with public CVEs (Log4Shell, Spring4Shell, etc.)
- End-of-Life Software: Unsupported versions of frameworks and libraries
- Vulnerable JavaScript Libraries: jQuery, Angular, React with known vulnerabilities
- CMS Vulnerabilities: WordPress, Drupal, Joomla plugin vulnerabilities
### Remediation Priority
Critical to High - Patch immediately based on CVSS score and exploitability
### Example CVE Mappings
- CVE-2021-44228 (Log4Shell) → Critical → A06
- CVE-2022-22965 (Spring4Shell) → Critical → A06
- CVE-2017-5638 (Struts2 RCE) → Critical → A06
- CVE-2021-26855 (Exchange ProxyLogon) → Critical → A06
## A07:2021 - Identification and Authentication Failures
### Nuclei Template Tags
- `auth` - Authentication issues
- `jwt` - JWT vulnerabilities
- `oauth` - OAuth misconfigurations
- `default-logins` - Default credentials
- `session` - Session management issues
### Common Findings
- Default Credentials: admin/admin, root/root, default passwords
- Weak Password Policies: No complexity requirements
- Session Fixation: Session tokens not regenerated after login
- JWT Vulnerabilities: `alg=none` bypass, weak signing keys
- Missing MFA: No multi-factor authentication for privileged accounts
- Predictable Session IDs: Sequential or easily guessable tokens
### Remediation Priority
High - Change default credentials immediately, enforce strong password policies
## A08:2021 - Software and Data Integrity Failures
### Nuclei Template Tags
- `rce` - Remote Code Execution
- `deserialization` - Insecure deserialization
- `integrity` - Integrity check failures
### Common Findings
- Insecure Deserialization: Unsafe object deserialization in Java, Python, PHP
- Unsigned Updates: Software updates without signature verification
- CI/CD Pipeline Compromise: Insufficient pipeline security controls
- Dependency Confusion: Private packages replaced by public malicious packages
### Remediation Priority
Critical - Insecure deserialization leading to RCE requires immediate action
## A09:2021 - Security Logging and Monitoring Failures
### Nuclei Template Tags
- `logging` - Logging issues
- `monitoring` - Monitoring gaps
### Common Findings
- Missing Audit Logs: Authentication failures, access control violations not logged
- Insufficient Log Retention: Logs deleted too quickly for forensic analysis
- No Alerting: No real-time alerts for suspicious activities
- Log Injection: User input reflected in logs without sanitization
### Remediation Priority
Low to Medium - Improve logging and monitoring infrastructure
## A10:2021 - Server-Side Request Forgery (SSRF)
### Nuclei Template Tags
- `ssrf` - SSRF vulnerabilities
- `redirect` - Open redirect issues
### Common Findings
- SSRF via URL Parameters: User-controlled URLs fetched by server
- Cloud Metadata Access: SSRF accessing AWS/GCP/Azure metadata endpoints
- Internal Port Scanning: SSRF used to scan internal networks
- Webhook Vulnerabilities: SSRF via webhook URLs
### Remediation Priority
High to Critical - Especially if cloud metadata or internal services are accessible
## Severity Mapping Guide
Use this table to map Nuclei severity levels to remediation priorities and patch deadlines (the OWASP category itself comes from the template tags above):
| Nuclei Severity | OWASP Priority | Action Required |
|---|---|---|
| Critical | P0 - Immediate | Patch within 24 hours |
| High | P1 - Urgent | Patch within 7 days |
| Medium | P2 - Important | Patch within 30 days |
| Low | P3 - Normal | Patch in next release cycle |
| Info | P4 - Informational | Document and track |
## Integration with Security Workflows
### Finding Triage Process
- Critical/High Findings: Assign to security team immediately
- Verify Exploitability: Confirm with manual testing
- Map to OWASP: Use this guide to categorize findings
- Assign Remediation Owner: Development team or infrastructure team
- Track in JIRA/GitHub: Create tickets with OWASP category labels
- Re-scan After Fix: Verify vulnerability is resolved
### Reporting Template
```markdown
## Security Finding: [Nuclei Template ID]
**OWASP Category**: A03:2021 - Injection
**Severity**: Critical
**CWE**: CWE-89 (SQL Injection)
**CVE**: CVE-2024-XXXXX (if applicable)
### Description
[Description from Nuclei output]
### Affected URLs
- https://target-app.com/api/users?id=1
### Remediation
Use parameterized queries instead of string concatenation.
### References
- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
```
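The following Python ties the three parts of this guide together in one runnable triage helper: it reads Nuclei JSONL output, maps each finding's template tags to an OWASP category using the tag lists in the sections above, assigns the priority and patch deadline from the Severity Mapping Guide table, merges hits of the same template into one finding with all affected URLs, and renders the Reporting Template. It is an added example, not part of Nuclei or of this guide. The record field names it reads (`template-id`, `info.name`, `info.severity`, `info.tags`, `info.classification.cwe-id`/`cve-id`, `matched-at`) are assumed to follow Nuclei's JSONL output; the sample records are constructed. One design choice is not stated on the page and is mine: when a template carries both `cve` and a vulnerability-class tag such as `rce`, the `cve` tag wins and the finding is filed under A06, matching the Example CVE Mappings above.

```python
"""Triage helper: Nuclei JSONL -> OWASP Top 10 2021 category, priority and report.
Added example, not part of Nuclei. Record fields (template-id, info.name, info.severity,
info.tags, info.classification, matched-at) follow Nuclei's JSONL output as assumed
here; the sample records below are constructed."""
import json

# Category -> (name, template tags), from the "Nuclei Template Tags" lists in this guide.
CATEGORIES = {
    "A01:2021": ("Broken Access Control", "exposure idor auth-bypass privilege-escalation"),
    "A02:2021": ("Cryptographic Failures", "ssl weak-crypto exposed-keys"),
    "A03:2021": ("Injection", "sqli xss xxe ssti nosqli cmdi"),
    "A04:2021": ("Insecure Design", "logic workflow"),
    "A05:2021": ("Security Misconfiguration", "misconfig headers cors debug"),
    "A06:2021": ("Vulnerable and Outdated Components", "cve eol outdated"),
    "A07:2021": ("Identification and Authentication Failures", "auth jwt oauth default-logins session"),
    "A08:2021": ("Software and Data Integrity Failures", "rce deserialization integrity"),
    "A09:2021": ("Security Logging and Monitoring Failures", "logging monitoring"),
    "A10:2021": ("Server-Side Request Forgery (SSRF)", "ssrf redirect"),
}
TAG_TO_OWASP = {t: cat for cat, (_, tags) in CATEGORIES.items() for t in tags.split()}

# Severity -> (priority, action), from the Severity Mapping Guide table.
SEVERITY_PRIORITY = {
    "critical": ("P0 - Immediate", "Patch within 24 hours"),
    "high": ("P1 - Urgent", "Patch within 7 days"),
    "medium": ("P2 - Important", "Patch within 30 days"),
    "low": ("P3 - Normal", "Patch in next release cycle"),
    "info": ("P4 - Informational", "Document and track"),
}
SEVERITY_ORDER = list(SEVERITY_PRIORITY)


def _as_list(value):
    """Nuclei emits tags and classification ids either as a list or comma-joined."""
    if isinstance(value, str):
        value = value.split(",")
    return [str(v).strip() for v in (value or []) if str(v).strip()]


def categorize(tags):
    """Pick one category for a template's tags. Design choice (mine, not the guide's):
    `cve` wins, because CVE-based findings are filed under A06 even when the template
    also carries a class tag such as `rce`; otherwise the first mapped tag decides."""
    tags = [t.lower() for t in _as_list(tags)]
    if "cve" in tags:
        return "A06:2021"
    return next((TAG_TO_OWASP[t] for t in tags if t in TAG_TO_OWASP), None)


def classify(record):
    """Turn one parsed JSONL record into a finding dict."""
    info = record.get("info") or {}
    cls = info.get("classification") or {}
    cat = categorize(info.get("tags"))
    sev = str(info.get("severity", "info")).lower()
    priority, action = SEVERITY_PRIORITY.get(sev, SEVERITY_PRIORITY["info"])
    return {
        "template_id": record.get("template-id", "unknown"),
        "name": info.get("name", ""),
        "severity": sev, "priority": priority, "action": action,
        "category": f"{cat} - {CATEGORIES[cat][0]}" if cat else "Unmapped (review manually)",
        "cwe": ", ".join(_as_list(cls.get("cwe-id"))) or "n/a",
        "cve": ", ".join(_as_list(cls.get("cve-id"))) or "n/a",
        "urls": [record["matched-at"]] if record.get("matched-at") else [],
    }


def triage(jsonl_text):
    """Parse JSONL, merge hits of one template into a single finding carrying every
    affected URL, and order by severity so P0 items come first (stable sort)."""
    merged = {}
    for line in jsonl_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, banner or progress lines mixed into the output
        if not isinstance(rec, dict):
            continue
        f = classify(rec)
        kept = merged.setdefault(f["template_id"], f)
        if kept is not f:
            kept["urls"].extend(u for u in f["urls"] if u not in kept["urls"])
    rank = lambda f: SEVERITY_ORDER.index(f["severity"]) if f["severity"] in SEVERITY_ORDER else 99
    return sorted(merged.values(), key=rank)


def render_report(f):
    """Render one finding in the Reporting Template format from this guide."""
    lines = [f"## Security Finding: {f['template_id']}",
             f"**OWASP Category**: {f['category']}",
             f"**Severity**: {f['severity'].capitalize()} ({f['priority']}, {f['action']})",
             f"**CWE**: {f['cwe']}", f"**CVE**: {f['cve']}",
             "### Description", f["name"] or "[Description from Nuclei output]",
             "### Affected URLs", *(f"- {u}" for u in f["urls"]),
             "### Remediation", "[Fill in from the matching section of this guide]"]
    return "\n".join(lines) + "\n"


# Constructed sample output: three templates, one of them hit at two URLs.
SAMPLE_JSONL = """\
{"template-id":"example-error-sqli","info":{"name":"Error-Based SQL Injection","severity":"critical","tags":["sqli","generic"],"classification":{"cwe-id":["CWE-89"]}},"matched-at":"https://target-app.example/api/users?id=1"}
{"template-id":"example-error-sqli","info":{"name":"Error-Based SQL Injection","severity":"critical","tags":["sqli","generic"],"classification":{"cwe-id":["CWE-89"]}},"matched-at":"https://target-app.example/search?q=test"}
{"template-id":"CVE-2021-44228","info":{"name":"Apache Log4j RCE","severity":"critical","tags":"cve,rce,log4j","classification":{"cve-id":["CVE-2021-44228"]}},"matched-at":"https://target-app.example/"}
{"template-id":"http-missing-security-headers","info":{"name":"HTTP Missing Security Headers","severity":"info","tags":["misconfig","headers"]},"matched-at":"https://target-app.example/"}
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_JSONL):
        print(render_report(finding))
```

Findings that carry none of the tags in this guide come back as "Unmapped (review manually)" rather than being guessed, which keeps the triage step from silently filing a finding under the wrong category; the ticket description and remediation text are left as placeholders for the analyst, as the template above intends.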