OWASP security researchers have updated the organization’s list of the ten most dangerous vulnerabilities – and the list has a new number one threat for the first time since 2007.
The last update took place in November 2017, and the last draft is available for peer review until the end of the year.
The Open Web Application Security Project (OWASP) is a non-profit foundation and open community dedicated to security awareness. The respected top ten list of OWASP is often used as a coding and testing standard, and many platforms also use it to set and adjust bug bounties.
OWASP updates the list every three to four years to reflect the current threat and web application landscape. There have been some interesting changes to the rankings this year, and a new leader isn’t the only change.
Many entries are broad categories that group several CWEs (Common Weakness Enumeration entries, usually types of error that can lead to vulnerabilities) and CVEs (Common Vulnerabilities and Exposures entries, specific instances of a vulnerability in a product or system). These are documented by MITRE, a government-funded organization that administers the CVE program, which aims to identify, define and catalog publicly disclosed cybersecurity vulnerabilities.
A major new vulnerability
The number one security risk is no longer injection. Broken Access Control is now at the top of the list, followed by Cryptographic Failures, with Injection dropping to third place.
Broken access control occurs whenever attackers gain unauthorized access to content, files or functions; 34 CWEs are mapped to this category. Whether the cause is a misconfiguration or a flawed access control scheme in the application, hackers love these vulnerabilities because they are not that hard to discover and exploit, and the damage can be enormous: they can read sensitive files or impersonate a user with elevated privileges to perform harmful actions, and in some cases they can even degrade the entire site.
Access control issues are often discovered when performing penetration testing. The most common mistakes are:
- Bad coding practices, such as unvalidated data or unprotected cookies
- Insecure authentication processes, such as a flawed account recovery or password reset flow, or insecure session tokens
- Bad configurations, such as misconfigured CORS rules
- Unprotected API endpoints, such as ones with no rate limiting
- No defense against directory traversal. For example, if an endpoint takes a file name straight from the URL, hackers will try something like https://yourwebsite.com/getImages?filename=../../../etc/passwd
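The directory traversal case from the last bullet, as an added example that is not part of the original article: a hypothetical getImages handler that joins the user-supplied name onto the image directory, next to a hardened version that resolves the path and refuses anything that lands outside that directory. The image root and file names are constructed for the example.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed example: the only directory the getImages endpoint may serve from.
IMAGE_ROOT = Path("/var/www/images")


def vulnerable_image_path(filename: str) -> Path:
    """Before: the request parameter is joined onto the root with no check.
    '../../../etc/passwd' walks out of IMAGE_ROOT, and an absolute name such as
    '/etc/passwd' makes os.path.join discard the root entirely."""
    return Path(os.path.join(IMAGE_ROOT, filename))


def safe_image_path(filename: str) -> Optional[Path]:
    """After: normalise the requested path ('..' segments, absolute names,
    symlinks) and accept it only if it is still inside IMAGE_ROOT."""
    root = IMAGE_ROOT.resolve(strict=False)
    candidate = (root / filename).resolve(strict=False)
    if candidate != root and root not in candidate.parents:
        return None  # escaped the image directory: refuse
    return candidate


def handle_get_images(filename: str) -> int:
    """Minimal stand-in for the HTTP handler; returns the status code it would send."""
    path = safe_image_path(filename)
    if path is None:
        return 403  # traversal attempt: forbid rather than serve
    return 200 if path.is_file() else 404


if __name__ == "__main__":
    for name in ("cat.png", "../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r}: vulnerable -> {vulnerable_image_path(name)}, "
              f"safe -> {safe_image_path(name)}, status {handle_get_images(name)}")
```

The vulnerable version is shown only to make the failure visible; in the hardened version the check happens after resolve(), so encoded or nested '..' sequences are normalised before they are compared against the root.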
These vulnerabilities are quite common and implementing secure access control can be difficult.
The full list of OWASP
In the provisional 2021 list, many entries have been moved and new categories have been added. We’ve marked them as rising (▲), descending (▼), or new in the list.
- Broken access control (▲): When hackers gain unauthorized access to content and functions.
- Cryptographic failures (▲): Previously known as “Sensitive Data Exposure”. As the name suggests, it focuses on weak cryptography.
- Injection (▼): Hackers trick the interpreter into executing unwanted commands. For example, this happens with unescaped SQL calls (such as SELECT * FROM users WHERE email = $_POST['email']).
- Insecure design (New): Applications must integrate security from the earliest stages, including the design stage, and into all processes.
- Security misconfiguration (▲): Installations often remain insecure (missing hardening, wrong permissions) because of the many settings and options.
- Vulnerable and outdated components (▲): Formerly “Using Components with Known Vulnerabilities”. Outdated components are often weak.
- Identification and authentication failures (▼): Previously “Broken Authentication”. These vulnerabilities are often due to bad coding practices or the lack of multi-factor authentication.
- Software and data integrity failures (New): Includes the “Insecure Deserialization” category of 2017 and many critical CWEs. It focuses on software updates and CI/CD pipelines.
- Security logging and monitoring failures (▲): Previously “Insufficient Logging and Monitoring”. When logging and monitoring are missing or insufficient, web applications are easier to compromise.
- Server-side request forgery (New): Added from a survey of industry professionals. SSRF attacks typically target internal systems behind a firewall that cannot be reached from external networks. The hacker abuses the main server to send forged requests on their behalf.
How developers can use the OWASP Top Ten
OWASP is at the heart of web security. Developers can use the list to write more secure code, and security teams can use tools such as the OWASP Zed Attack Proxy (ZAP) to check whether an application is secure.
The list is useful for assessing vulnerabilities. Security checklists and code reviews should not be overlooked. Developers can use the top ten to set their security guidelines to ensure code meets standards and best practices for secure development.
As security risks are constantly evolving, the OWASP list is a good way to stay on top of major web application security trends. You can even include OWASP ZAP in your CI/CD pipelines and automate testing and reporting.
Implementing best practices early in a project can ensure a much more secure design, which is essential for easier maintenance and avoiding vulnerabilities that can harm your business.
This new ranking includes several changes and renamings for better understanding and readability, and OWASP experts are expected to approve the draft by the end of the year.