OWASP security researchers have updated the organization’s list of the ten most dangerous vulnerabilities – and the list has a new number one threat for the first time since 2007.
The last update was in November 2017, and the latest draft is available for peer review until the end of the year.
The Open Web Application Security Project (OWASP) is a nonprofit foundation and an open community dedicated to security awareness. The respected OWASP top ten list is often used as a coding and testing standard, and many platforms also use it to set and adjust bug bounties.
OWASP teams update the curated list every three or four years to reflect the current threat and web application landscape. Interesting shifts happened in the rankings this year, and a new leader isn’t the only change.
Many entries are broad categories that contain various CWEs (common weakness enumerations, typically errors that can lead to vulnerabilities) and CVEs (common vulnerabilities and exposures, or specific instances of a vulnerability within a product or system). Those flaws are documented by MITRE, a government-funded organization that administers the CVE Program, which is meant to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
A New Top Vulnerability
The number one security risk is no longer injection. Broken access control vulnerabilities are now at the top of the list, followed by cryptographic failures, with injection dropping to third place.
Broken access control breaches happen every time attackers gain unauthorized access to content, files, and functions. 34 CWEs are mapped to this category. Whether the cause is a misconfiguration or a flawed access control scheme in the application, hackers love such vulnerabilities because they are not so challenging to discover and exploit, and the damage can be massive: attackers might gain access to sensitive files or impersonate a user with high privileges to perform harmful actions, and in some cases they can even deface the entire site.
Access control issues are often discovered when performing penetration tests. The most common mistakes are:
- Bad practices in code, such as unverified data or unprotected cookies
- An insecure authentication process, such as flawed account recovery or password reset, or insecure session tokens
- Misconfigurations, such as wrong CORS rules
- Unprotected API endpoints, such as no rate limit
- No defense against directory traversal. For example, if you use <img src="/getImages?filename=image12.png">, hackers will try something like https://yourwebsite.com/getImages?filename=../../../etc/passwd
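The directory traversal item above is the one in this list that a code fix addresses most directly. The following is an added example, not code from the article or from OWASP: a hypothetical handler for the /getImages?filename=... endpoint that resolves the requested name against a fixed image directory and refuses anything whose resolved path lands outside it. The base directory, the handler name and the sample image file are assumptions for the demo.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested filename escapes the allowed directory."""


def resolve_image_path(base_dir: str, filename: str) -> str:
    """Return the absolute path of `filename` inside `base_dir`, or raise.

    The check is done on the *resolved* path (symlinks and '..' collapsed),
    so '../../../etc/passwd', 'a/../../etc/passwd' and absolute paths are
    all rejected by the same comparison.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` entirely when `filename` is absolute, so
    # the realpath + commonpath check below is what actually enforces the
    # boundary, not the join.
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"refused: {filename!r} escapes {base_dir!r}")
    return candidate


def serve_image(base_dir: str, filename: str):
    """Hypothetical handler for /getImages: returns (http_status, body)."""
    try:
        path = resolve_image_path(base_dir, filename)
    except PathTraversalError:
        return 400, b""
    try:
        with open(path, "rb") as fh:
            return 200, fh.read()
    except (FileNotFoundError, IsADirectoryError):
        return 404, b""


def demo() -> dict:
    """Constructed scenario: one legitimate image in a temporary directory,
    then the traversal attempts the article mentions. Returns the status
    codes so the behaviour can be checked without a web server."""
    images = tempfile.mkdtemp(prefix="images-")
    with open(os.path.join(images, "image12.png"), "wb") as fh:
        fh.write(b"PNG-bytes")  # constructed placeholder content
    return {
        "legit": serve_image(images, "image12.png"),
        "dotdot": serve_image(images, "../../../etc/passwd")[0],
        "nested_dotdot": serve_image(images, "a/../../etc/passwd")[0],
        "absolute": serve_image(images, "/etc/passwd")[0],
        "missing": serve_image(images, "nope.png")[0],
    }


if __name__ == "__main__":
    print(demo())
```

The comparison is made on the resolved path rather than on the raw string, so rejecting the literal substring `..` is not needed and would in any case be bypassable by URL-decoding or symlink tricks; any request that does not resolve to a file under the image directory gets a 400.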
Those vulnerabilities are quite frequent, and implementing secure access control can be challenging.
Further reading: How to Defend Common IT Security Vulnerabilities
The Full OWASP List
In the draft 2021 list, many entries have been moved, and new categories have been added. We’ve marked them as moving up (▲), down (▼) or new to the list.
- Broken Access Control (▲): When hackers gain unauthorized access to content and functions.
- Cryptographic Failures (▲): Previously known as “Sensitive Data Exposure.” As the name suggests, it focuses on weak cryptography.
- Injection (▼): Hackers trick the interpreter into executing unwanted commands. For example, it happens with unescaped SQL calls (such as SELECT * FROM users WHERE email = $_POST['email']).
- Insecure Design (new): Apps should integrate security in the earliest stages, including the design step, and in all processes.
- Security Misconfiguration (▲): Installations often remain insecure (missing hardening, wrong permissions) because of the numerous parameters and options.
- Vulnerable and Outdated Components (▲): Previously “Using Components with Known Vulnerabilities.” Outdated applications are often weak.
- Identification and Authentication Failures (▼): Previously “Broken Authentication.” Those vulnerabilities are often due to bad practices in code or missing multi-factor authentication.
- Software and Data Integrity Failures (new): Includes “Insecure Deserialization” from 2017 and many critical CWEs. It focuses on software updates and CI/CD pipelines.
- Security Logging and Monitoring Failures (▲): Previously “Insufficient Logging & Monitoring.” When logging and monitoring are missing or insufficient, web apps are easier to compromise.
- Server-Side Request Forgery (new): Added from a survey of industry professionals. SSRF attacks usually target internal systems behind a firewall that are not accessible from external networks. The hacker abuses the back-end server to send forged requests on their behalf.
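The Injection entry above illustrates the risk with an unescaped SQL call built from request input. As an added example (not code from the article or from OWASP), the following shows that pattern beside its parameterized form, using Python's sqlite3 module against a constructed in-memory table so the difference can be run offline. The table, the rows and the function names are assumptions for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users (email) VALUES (?)",
        [("alice@example.com",), ("bob@example.com",)],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Mirrors the PHP pattern in the article: the untrusted value is spliced
    into the SQL text, so quote characters in it change the query's structure
    instead of being treated as data."""
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the value travels separately from the SQL text,
    so the database never interprets any part of it as SQL, whatever
    characters it contains."""
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with a normal address and with an input that contains
    a quote, and return the row counts for comparison."""
    conn = make_db()
    quoted_input = "x' OR '1'='1"
    return {
        "vulnerable_normal": len(find_user_vulnerable(conn, "alice@example.com")),
        "vulnerable_quoted": len(find_user_vulnerable(conn, quoted_input)),
        "safe_normal": len(find_user_safe(conn, "alice@example.com")),
        "safe_quoted": len(find_user_safe(conn, quoted_input)),
    }


if __name__ == "__main__":
    print(demo())
```

With the quoted input, the string-built query's WHERE clause becomes `email = 'x' OR '1'='1'` and matches every row, while the parameterized query simply finds no user whose address is that literal string. The fix is the same in PHP (prepared statements through PDO or mysqli) and in every other driver: never concatenate request data into the query text.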
How Devs Can Use the OWASP Top Ten
OWASP is at the heart of web security. Developers can use the list to write more secure code, and security teams can use tools such as the OWASP Zed Attack Proxy (ZAP) to test the application for these weaknesses.
The list is beneficial for assessing vulnerabilities. Security checklists and code reviews should not be neglected. Developers can use the top ten to define their security guidelines to ensure the code is compliant with standards and best practices for secure development.
As security risks are constantly evolving, the OWASP list is a good way to stay on top of major trends in web app security. You can even include OWASP ZAP in your CI/CD pipelines to automate tests and reports.
Implementing best practices early in a project leads to a much more secure design, which is critical for easier maintenance and for avoiding vulnerabilities that can harm your business.
This new ranking has multiple shifts and renaming for better understanding and readability, and OWASP experts should approve the draft by the end of the year.
Further reading: Top Code Debugging and Code Security Tools