The OWASP TOP 10 is one of the most famous industry rankings of web application security risks. As we wait for the next version of the ranking, which is going to cover the years 2017-2020, let’s take a look at the ranking itself and the last available edition to find out just how useful and practical it is and why you should look forward to getting the upcoming one.
Three years have passed since the last edition of the OWASP TOP 10 report. In cybersecurity, that is practically an era. A lot has changed: new frameworks, versions, solutions and vulnerability classes have made their way into this fast-moving field.
This year, we’re expecting to get the latest list of most popular vulnerabilities from the years 2017-2020 – the OWASP TOP 10 2020. Before it happens, let’s shed some light on what the OWASP organization is, how the ranking works and what the 2017 TOP 10 looked like. I’m also going to make predictions about the upcoming edition.
What is OWASP TOP 10?
The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software.
Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
OWASP TOP 10 2017
The 2017 edition of the OWASP TOP 10 vulnerabilities ranking may be somewhat old, but it’s still the latest available version of it. Surely, it still holds some value.
The list of OWASP TOP 10 vulnerabilities included in the 2017 ranking is as follows:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
Let’s take a closer look at each of them.
Injection
This category covers SQL, NoSQL, OS command and LDAP injection. The first two are attacks in which untrusted input is pasted into a database query so that it changes the structure of the query instead of being treated as data. If your project is vulnerable, an attacker may read data they should never see (email addresses, user and system data, password hashes or logins) and, depending on the query, modify or delete it.
OS command injection lets the attacker run arbitrary system commands on the server, which typically defeats every other security measure at once. LDAP is a protocol for accessing and maintaining directory services over TCP/IP, that is object databases representing network users and resources. The attack injects LDAP filter syntax through user input to extract data or change access rights. The fix is the same for all of these: keep data separate from code by using parameterised queries or a proper escaping function for the target language, and never build the query string by concatenation.
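The following example is added here and is not code from the article; it shows the same lookup written the vulnerable way (string concatenation) and the safe way (a bound parameter) against an in-memory SQLite table with constructed sample rows, and the RFC 4515 escaping that stops the equivalent LDAP filter injection. The table, rows, payloads and the `users` schema are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the article).
USERS = [
    ("alice@example.com", "hash-for-alice", "admin"),
    ("bob@example.com", "hash-for-bob", "user"),
]


def make_db():
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash, role) VALUES (?, ?, ?)", USERS
    )
    return conn


def find_user_vulnerable(conn, email):
    # VULNERABLE: the untrusted value becomes part of the SQL text, so a quote in it
    # changes the structure of the query instead of being treated as data.
    sql = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    # SAFE: the value is bound as a parameter; the driver never lets it become SQL syntax.
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


# Classic tautology payload: turns "WHERE email = 'x' OR '1'='1'" into "match every row".
PAYLOAD = "x' OR '1'='1"

# LDAP filter injection needs the same discipline. RFC 4515 escaping of the
# special characters stops "*)(uid=*" from rewriting the filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_user_filter(username):
    return f"(&(objectClass=user)(uid={ldap_filter_escape(username)}))"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, PAYLOAD))  # both rows leak
    print("safe:      ", find_user_safe(conn, PAYLOAD))        # no rows
    print("ldap:      ", ldap_user_filter("*)(uid=*"))
```

With the payload, the concatenated query returns every row while the parameterised one returns nothing, which is exactly the difference between data and code that injection exploits. Note that the LDAP helper escapes each character in a single pass, so the backslash is never double-escaped.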
Broken Authentication
This one has to do with authentication and session management. The attacker’s goal is to compromise passwords, keys and session tokens, or to exploit implementation flaws, in order to take over other users’ accounts.
Common methods are credential stuffing and brute force attacks, and exploiting weaknesses such as a poor password policy, passwords stored in plain text or with a fast hash, predictable session identifiers or session cookies that never expire. When the attack succeeds, the implications can be far-reaching, including the leaking of personal data. The best ways to prevent it involve enforcing strong passwords and hashing them with a slow, salted algorithm, implementing multi-factor authentication, locking or rate-limiting accounts after a given number of failed login attempts, generating session tokens from a secure random source and invalidating them on logout, and testing session management thoroughly, best by a dedicated Quality Assurance team.
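The following is an added example, not code from the article, of the controls just listed in one small login service: salted PBKDF2 password hashing, a constant-time comparison, a dummy hash for unknown users so the response time does not reveal whether the account exists, a lockout after a fixed number of failures, and a session token drawn from the OS random source. The iteration count, the lockout threshold and the in-memory stores are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Assumed policy values for the demo; tune the work factor to your hardware.
PBKDF2_ITERATIONS = 100_000
MAX_FAILED_ATTEMPTS = 5
_DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same time as known ones


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthService:
    def __init__(self):
        self.users = {}     # username -> (salt, digest)
        self.failures = {}  # username -> consecutive failed logins
        self.sessions = {}  # session token -> username

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def is_locked(self, username):
        return self.failures.get(username, 0) >= MAX_FAILED_ATTEMPTS

    def login(self, username, password):
        """Return a session token on success, None on failure or lockout."""
        if self.is_locked(username):
            return None  # brute force protection: nothing is accepted once locked
        record = self.users.get(username)
        salt, stored = record if record else (_DUMMY_SALT, b"\x00" * 32)
        _, candidate = hash_password(password, salt)  # always do the work (no timing oracle)
        if record is None or not hmac.compare_digest(candidate, stored):
            self.failures[username] = self.failures.get(username, 0) + 1
            return None
        self.failures[username] = 0
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter or timestamp
        self.sessions[token] = username
        return token

    def logout(self, token):
        self.sessions.pop(token, None)  # invalidate server side, not just the cookie
```

In a real deployment the failure counter would live in a shared store with an expiry, and the lockout would be combined with per-IP rate limiting so that an attacker cannot use it to lock legitimate users out on purpose.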
Sensitive Data Exposure
Nowadays it’s extremely important to take care of users’ personal and financial data. This category covers data that is stored or transmitted without adequate protection: cleartext passwords, unencrypted traffic, weak or misused cryptography, backups lying around. If it is exposed, not only will you compromise the application, but you may earn yourself a hefty fine in the process (read more about the GDPR). Sensitive Data Exposure is becoming increasingly relevant to the everyday reality of every online business.
XML External Entities (XXE)
This category refers to abusing features of XML parsers. An attacker submits a document whose DTD declares an external entity, and a parser configured to resolve it reads local files or internal URLs into the response. The same parser features can also be abused for Denial of Service (DoS) through entity expansion bombs, or for Server Side Request Forgery (SSRF), forcing your application to send requests to other systems on the attacker’s behalf. The fix is to disable DTDs and external entity resolution in every XML parser the application uses.
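The following is an added example, not the article’s code, of the mechanism and the fix. CPython’s bundled expat does not fetch external entities unless the application asks it to, so the demo uses an internal entity to show that a DTD-declared entity is substituted into the content, and then a hardened parser that rejects any DOCTYPE up front, which rules out SYSTEM entities and expansion bombs alike. The payloads are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed payloads (not from the article).
INTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY leak "value-the-attacker-controls"> ]>
<order><note>&leak;</note></order>"""

EXTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<order><note>&xxe;</note></order>"""

CLEAN_DOC = "<order><note>hello</note></order>"


def parse_permissive(xml_text):
    """Default ElementTree: entities declared in the inline DTD are expanded into the content."""
    return ET.fromstring(xml_text).findtext("note")


class DoctypeForbidden(ValueError):
    pass


def parse_hardened(xml_text):
    """Reject any document that carries a DOCTYPE before the body is parsed.

    Without a DTD there is nowhere to declare an entity, so external entities,
    parameter entities and expansion bombs are all ruled out at once.
    """
    checker = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeForbidden(f"DOCTYPE '{name}' not allowed in untrusted XML")

    checker.StartDoctypeDeclHandler = on_doctype
    checker.Parse(xml_text, True)  # raises at the DOCTYPE, before any entity is touched
    return ET.fromstring(xml_text).findtext("note")


def is_rejected(xml_text):
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(xml_text)
        return False
    except DoctypeForbidden:
        return True


if __name__ == "__main__":
    print("permissive:", parse_permissive(INTERNAL_ENTITY_DOC))  # entity expanded
    print("hardened rejects internal:", is_rejected(INTERNAL_ENTITY_DOC))
    print("hardened rejects external:", is_rejected(EXTERNAL_ENTITY_DOC))
    print("hardened accepts clean:", parse_hardened(CLEAN_DOC))
```

Rejecting the DOCTYPE outright is simpler and safer than trying to filter individual entity declarations; if your documents legitimately need a DTD, use a library such as defusedxml, or the equivalent hardening flags for the parser in your language (for example disabling DOCTYPE declarations and external general and parameter entities in Java’s DocumentBuilderFactory).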
Broken Access Control
The 5th vulnerability of the OWASP TOP 10 2017 is unauthorized access to functions and data – Broken Access Control. A typical example is using a regular user’s account to reach functions reserved for an admin, or changing an identifier in a URL or request body to read records that belong to someone else. That way, for example, the attacker could access the medical documents of all clients registered in the application. The root cause is usually that the server checks who the user is but not whether that user is allowed to touch that particular object. Broken Access Control remains one of the most prevalent issues in the OWASP TOP 10 lists.
Security Misconfiguration
Misconfigured security measures are very common in web applications. Some examples include:
- poorly configured cloud permission settings (e.g. publicly readable S3 buckets),
- default and test accounts with generic passwords that found their way into the production environment,
- overly detailed error messages and stack traces shown to users,
- debug features or unnecessary services left enabled,
- missing HTTP security headers.
This vulnerability is often just a prelude to other, even more serious ones, such as XXE or command injection.
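As an added example (not from the article), here is a small audit function for the last item on that list: it takes the response headers a server returned and reports missing or weak security headers, version-disclosing headers and session cookies without the Secure, HttpOnly and SameSite attributes. The two header sets are constructed for the demo, and the required values (a 180-day HSTS minimum, a CSP with a default-src) are assumed policy, to be adapted per application.

```python
# Minimal response-header audit. The policy values are assumptions for the demo;
# adapt them to the application (a real CSP in particular is application specific).

def _hsts_ok(value):
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part.split("=", 1)[1]) >= 15552000  # 180 days
            except ValueError:
                return False
    return False


REQUIRED = {
    "Strict-Transport-Security": _hsts_ok,
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}
DISCLOSING = ("Server", "X-Powered-By")


def audit_headers(headers):
    """Return a list of findings for a dict of response headers (empty list = clean)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, check in REQUIRED.items():
        value = h.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif not check(value):
            findings.append(f"weak {name}: {value}")
    for name in DISCLOSING:
        if name.lower() in h:
            findings.append(f"information disclosure: {name}: {h[name.lower()]}")
    cookie = h.get("set-cookie")
    if cookie is not None:
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"Set-Cookie without {flag}")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append("Set-Cookie without samesite")
    return findings


# Constructed responses: a typical default install and a hardened one.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Strict-Transport-Security": "max-age=60",
    "Set-Cookie": "session=abc123; Path=/",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for finding in audit_headers(WEAK_RESPONSE):
        print("-", finding)
    print("hardened:", audit_headers(HARDENED_RESPONSE))
```

Run it against the headers your staging environment actually returns (for example from `curl -sI`) rather than against the configuration file, since reverse proxies and CDNs frequently strip or override what the application sets.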
Cross-site Scripting (XSS)
One of the most popular and talked-about vulnerabilities, widely known even outside of the cybersecurity crowd. This time, it ranked 7th and I believe that it’s going to return in the 2020 edition as well. I still find this vulnerability often in the applications I test, despite all the security measures employed in modern-day frameworks. XSS involves injecting malicious scripts into a page so that they run in the victim’s browser with the victim’s session, where they can steal cookies, perform actions as the user or rewrite the page. The defence is context-aware output encoding of every untrusted value, backed by a Content Security Policy.
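An added example, not from the article, of why "escape the output" has to be done per context: the same user value rendered unescaped, escaped as HTML text, escaped inside a quoted attribute, and used as a link target, where escaping alone does not help and the URL scheme must be allow-listed. The payloads and the tiny templates are constructed for the demo.

```python
import html
from urllib.parse import urlparse

# Constructed attacker inputs.
PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_vulnerable(name):
    # VULNERABLE: untrusted text is pasted straight into HTML.
    return f"<p>Hello, {name}!</p>"


def render_text(name):
    # Context: HTML body. Escaping < > & " ' is enough here.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_attr(name):
    # Context: quoted attribute. quote=True also neutralises " so the attribute cannot be closed early.
    return f'<input type="text" value="{html.escape(name, quote=True)}">'


def safe_href(url):
    # Context: URL. Escaping does nothing against javascript: URLs; allow-list the scheme instead.
    if urlparse(url).scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link(url):
    return f'<a href="{safe_href(url)}">profile</a>'


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))   # script tag survives
    print(render_text(PAYLOAD))         # rendered as harmless text
    print(render_attr(ATTR_PAYLOAD))    # attribute cannot be broken out of
    print(render_link("javascript:alert(1)"))
```

Template engines such as Jinja2 or React do the text and attribute cases for you when auto-escaping is on; the URL case, and anything inserted into a `<script>` block or an event handler, still needs explicit handling.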
Insecure Deserialization
OWASP describes this vulnerability as a situation in which “untrusted data is used to abuse the logic of an application”. In practice the attacker sends a crafted serialized object (a Java object stream, a PHP serialized string, a Python pickle) and the application deserializes it without checking where it came from. The object graph is built by the application’s own, legitimate deserialization routine, but the classes it names and the values it carries are chosen by the attacker, which can lead to DoS, remote code execution (RCE), privilege escalation or replay attacks. Prevention: do not deserialize untrusted input with a native object format at all, prefer a data-only format such as JSON, and if native serialization is unavoidable, sign the data and verify the signature before deserializing, and restrict the classes that may be instantiated.
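The following is an added example, not the article’s code, using Python’s pickle: an object whose `__reduce__` makes the unpickler call a function of the attacker’s choosing (here a harmless stand-in that sets an environment variable instead of spawning a shell), and the HMAC-then-deserialize pattern that refuses any blob the server did not produce itself. The signing key and the sample cart object are constructed for the demo.

```python
import hashlib
import hmac
import os
import pickle

# Assumed server-side key; in production it comes from a secrets store, never from the request.
SIGNING_KEY = b"assumed-32-byte-server-secret-key!!"
MAC_LEN = 32


class Evil:
    """pickle.loads() calls the callable returned by __reduce__: attacker-chosen code runs."""

    def __reduce__(self):
        # A harmless stand-in for a reverse shell: set an environment variable.
        return (exec, ("import os; os.environ['PWNED_BY_PICKLE'] = 'yes'",))


def build_payload():
    """What the attacker submits in place of a legitimate serialized object."""
    return pickle.dumps(Evil())


def load_untrusted(blob):
    # VULNERABLE: whatever the client sent is deserialised, and __reduce__ payloads execute.
    return pickle.loads(blob)


def was_pwned():
    return os.environ.get("PWNED_BY_PICKLE") == "yes"


def sign(blob):
    """Prepend an HMAC-SHA256 over the serialised bytes; only the server can produce it."""
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).digest() + blob


def load_signed(signed):
    """Verify the MAC with a constant-time compare before pickle ever sees the bytes."""
    mac, blob = signed[:MAC_LEN], signed[MAC_LEN:]
    expected = hmac.new(SIGNING_KEY, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("signature mismatch: refusing to deserialise")
    return pickle.loads(blob)


def signed_cart():
    """A legitimately produced, server-signed object (constructed sample)."""
    return sign(pickle.dumps({"cart": [1, 2, 3]}))


def is_rejected(signed):
    try:
        load_signed(signed)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    load_untrusted(build_payload())
    print("pwned:", was_pwned())                       # True
    print("signed ok:", load_signed(signed_cart()))    # {'cart': [1, 2, 3]}
    print("tampered rejected:", is_rejected(signed_cart()[:MAC_LEN] + build_payload()))
```

Signing only proves the blob came from the server; it does not make pickle safe for data from other sources, and an attacker who obtains the key gets code execution. Where the data is really just data, JSON with schema validation removes the problem entirely.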
Using Components with Known Vulnerabilities
Ensuring that your libraries, frameworks and components are up to date goes a long way in making your app more secure. Otherwise, using components with known vulnerabilities exposes your app to problems that are already public, with exploits often available. Therefore, keep an inventory of what you run, subscribe to security advisories for it, scan dependencies automatically in your build, and make sure that your content management system, analytics software and libraries are all regularly updated, even after they are released to the production environment!
Insufficient Logging and Monitoring
The last position is not really a typical vulnerability but an oversight on the part of the people running the system: errors and security events are not logged, or are logged and nobody looks at them, so an attack goes unnoticed and the response comes late or not at all. The breach studies cited by OWASP put the typical time to detect a breach at over 200 days, which gives an attacker plenty of room.
To combat such threats, you should store information such as HTTP status codes, timestamps, the authenticated user, the endpoint or page requested and the client IP address in your logs. Do not log passwords, session tokens or full card numbers, and keep the logs in a protected, tamper-evident location, since even the rest is sensitive.
You should also watch for suspicious activity: repeated failed logins, injection attempts in parameters, requests from unusual IPs or locations, the user agents of automated tools and so on. Monitoring is only useful if someone acts on it, for example by alerting the on-call engineer and blocking or rate-limiting the source.
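An added example (not from the article) of the detection side: a few constructed access-log lines in the common combined format, a parser for them, and three simple rules of the kind mentioned above, namely a burst of failed logins from one address within a time window, an injection pattern in the request path, and a known scanner user agent. Thresholds and patterns are assumptions for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines in Combined Log Format (sample data, not a real server log).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:38 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:39 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2020:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2020:13:56:10 +0000] "GET /admin HTTP/1.1" 403 128 "-" "sqlmap/1.4"
192.0.2.44 - - [10/Oct/2020:13:57:00 +0000] "GET /products/42 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2020:14:30:00 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
INJECTION_RE = re.compile(r"(%3C|<)script|union\s+select|'\s*or\s+|\.\./", re.IGNORECASE)
TOOL_UA_RE = re.compile(r"sqlmap|nikto|nmap|masscan", re.IGNORECASE)

BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text):
    """Return alerts as (rule, ip, detail) tuples, in the order they fire."""
    alerts = []
    recent_failures = defaultdict(deque)  # ip -> timestamps of failed logins inside the window
    flagged_brute = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if rec["path"].startswith("/login") and rec["status"] == 401:
            window = recent_failures[ip]
            window.append(rec["ts"])
            while window and rec["ts"] - window[0] > BRUTE_FORCE_WINDOW:
                window.popleft()  # sliding window: drop failures older than the window
            if len(window) >= BRUTE_FORCE_THRESHOLD and ip not in flagged_brute:
                flagged_brute.add(ip)
                alerts.append(("brute_force", ip, f"{len(window)} failed logins within {BRUTE_FORCE_WINDOW.seconds}s"))
        if INJECTION_RE.search(rec["path"]):
            alerts.append(("injection_attempt", ip, rec["path"]))
        if TOOL_UA_RE.search(rec["ua"]):
            alerts.append(("scanner_user_agent", ip, rec["ua"]))
    return alerts


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:20} {ip:15} {detail}")
```

The single failed login from 192.0.2.44 produces no alert, which is the point of the window: the rule fires on rate, not on any failure. In production these rules would run in a SIEM over the stream rather than over a file, and each alert would carry enough context (user, endpoint, request id) for someone to act on it.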
Other security vulnerabilities
It’s important to remember that these ten categories in the OWASP TOP 10 are just some of the threats found and tackled by pentesters and cybersecurity specialists. There are many other, more or less popular, forms of attack, such as:
- buffer overflow,
- memory leak,
- process control vulnerabilities,
- the Heartbleed bug,
- CRLF injection,
- Server-Side Request Forgery (SSRF),
- path traversal,
- HTTP Host header attacks,
- and more!
OWASP TOP 10 2020
As of today, the 2020 ranking that covers the years 2017-2020 is still yet to be released. In the meantime, I can try to predict some of its content based on my own experience in this field.
In my opinion, XSS will most definitely remain on the list (perhaps somewhat lower than in the 2017 edition).
Aside from XSS, all kinds of injection (SQLi, NoSQLi, command injection) should remain in the ranking, as they still constitute a very real threat in today’s world of cybersecurity.
I would also be surprised if GraphQL didn’t make the list. This query language for APIs has become very popular recently, and it brings its own risks: introspection exposing the whole schema, unbounded nested queries that exhaust the server, and authorization that has to be enforced per field rather than per endpoint.
Server-Side Request Forgery
Cloud solutions are becoming more popular each day, so it makes sense for more cloud-related threats to appear in the OWASP TOP 10. This may include Server-Side Request Forgery, a vulnerability class that has been known for well over a decade but has come back like a boomerang with cloud hosting, where a request the server is tricked into making can reach the instance metadata service and return credentials. Initially it was rated low-to-medium priority; today it is high or even critical. The 2019 Capital One breach made the point: Paige Thompson used a request forged through a misconfigured web application firewall to obtain AWS credentials, and with them downloaded data from about 106 million credit card applications.
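As an added example (not from the article), here is the deny-by-default validation an application should apply before fetching a user-supplied URL: only http(s), no credentials in the URL, no IP literal in loopback, private, link-local or otherwise internal space (which covers the cloud metadata address), and only hosts on an allow-list. The allow-list is an assumption for the demo.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list of hosts the application legitimately fetches from.
ALLOWED_HOSTS = {"images.example.com", "api.partner.example"}
ALLOWED_SCHEMES = {"http", "https"}


def _is_internal_ip(host):
    """True if host is an IP literal in loopback, private, link-local or other non-public space."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not an IP literal
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(url):
    """Return (ok, reason). Deny by default; only allow-listed http(s) hosts pass."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # lower-cased, with brackets and userinfo removed
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"  # blocks the user@host trick
    if _is_internal_ip(host):
        return False, f"internal address {host}"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host} not in allow-list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://images.example.com/logo.png",
        "http://169.254.169.254/latest/meta-data/iam/",
        "http://[::1]:8080/admin",
        "https://images.example.com@169.254.169.254/",
        "file:///etc/passwd",
    ):
        print(validate_outbound_url(candidate), candidate)
```

Two caveats a practitioner should know: an allow-listed hostname can still resolve to an internal address (DNS rebinding), so the resolved IP must be checked again at connection time and redirects must not be followed blindly; and on AWS, requiring IMDSv2 (a session token for the metadata service) blocks the simple one-shot request this kind of attack relies on.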
Using Components with Known Vulnerabilities
This one may seem comparatively trivial, but it is serious. In today’s software development there are simply so many things to do that keeping libraries up to date is rarely prioritised. When the client does not take proper care of it, an audit of libraries and frameworks, ideally automated in the build pipeline, may be necessary.
OAuth
OAuth is an authorization framework that makes it possible for websites and applications to request limited access to a user’s account on another service. OAuth 1.0 has been superseded by OAuth 2.0, a standard written from scratch. OAuth 2.0 is everywhere, but it is a flexible framework rather than a fixed protocol, so its security depends on implementation choices: exact validation of the redirect URI, a per-request state value bound to the user’s session, short-lived tokens and the right flow for the type of client. Mistakes here are common, so it may show up on the OWASP TOP 10 2020 list, either on its own or as part of the authentication vulnerabilities.
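An added example, not from the article, of two of those implementation checks: on the authorization-server side, exact-match validation of the redirect URI against what the client registered, and on the client side, a one-time state value that ties the callback to the session so that an attacker cannot force their own authorization code onto a victim. The registered client, endpoints and in-memory state store are assumptions for the demo.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumed registration data: each client has an exact set of allowed redirect URIs.
REGISTERED_CLIENTS = {
    "client-123": {"https://app.example.com/callback"},
}


def is_valid_redirect(client_id, redirect_uri):
    """Authorization-server side: exact string match against the registered URIs.

    Prefix or domain matching lets attackers steal codes via open redirects or
    path tricks such as /callback/../evil or /callbackevil.
    """
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())


class OAuthClient:
    """Client side: a one-time state value binds the callback to the user's session."""

    def __init__(self, client_id, redirect_uri, authorize_endpoint):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.authorize_endpoint = authorize_endpoint
        self.pending_states = set()  # in practice: stored in the user's server-side session

    def start_authorization(self):
        """Build the authorization URL with a fresh, unguessable state."""
        state = secrets.token_urlsafe(32)
        self.pending_states.add(state)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": "read", "state": state}
        return f"{self.authorize_endpoint}?{urlencode(params)}"

    def handle_callback(self, params):
        """Return the authorization code only if state is known; consume it so it cannot be replayed."""
        state = params.get("state")
        if not state or state not in self.pending_states:
            return None  # CSRF / code-injection attempt: a code this session never asked for
        self.pending_states.discard(state)
        return params.get("code")


def state_from_url(url):
    """Helper for the demo: pull the state parameter back out of the authorization URL."""
    return dict(parse_qsl(urlsplit(url).query))["state"]


if __name__ == "__main__":
    client = OAuthClient("client-123", "https://app.example.com/callback",
                         "https://auth.example.com/authorize")
    url = client.start_authorization()
    print(url)
    print("forged state:", client.handle_callback({"code": "abc", "state": "forged"}))
    print("real state:  ", client.handle_callback({"code": "abc", "state": state_from_url(url)}))
```

For public clients (single-page apps, mobile apps) the same binding is done with PKCE, where a hashed secret sent at authorization time must be presented again when the code is exchanged; the state check above still protects against CSRF either way.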
HTTP/2 related vulnerabilities
Attacks against the HTTP/2 protocol are also a possibility. The ones disclosed so far mostly abuse the protocol’s stream multiplexing and flow control to make the server queue up work that exhausts its CPU or memory – Denial of Service. Fortunately, these flaws do not enable the attacker to steal any information or modify data.
OWASP TOP 10 – summary
There are many web application vulnerabilities and it’s difficult to determine the most popular ones. I admit that this list may be a bit subjective. However, some do seem to be particularly popular and as such, I think that they’re going to remain on the list when OWASP finally releases the new edition, just in a different order.
Once the OWASP TOP 10 2020 is here, I’m definitely going to update this article with my analysis of all the latest vulnerabilities so stay tuned!