24th September 2021
The Open Web Application Security Project (OWASP) is a not-for-profit organisation that aims, through community-led open-source projects, to improve the security of web-based software. OWASP develop and manage a public framework that documents the top 10 risks to application security, the OWASP Top 10. It provides developers and security professionals with the industry’s consensus on the most significant risks to web applications and recommends security controls to mitigate them.
A new release of the OWASP Top 10 has been published today, bringing some positional changes, merges, and new categories for the most severe application security risks in 2021. We discuss the latest updates in the OWASP Top 10, comparing the previous version (2017), and our insights into each category.
Broken Access Control has replaced the former top spot vulnerability, Injection, becoming the most critical vulnerability in application testing. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category. This is a vulnerability we identify frequently, so its rise to the top is not a shock to us.
Malicious actors use vulnerability scanning tools and manual approaches to identify the lack of appropriate access controls within applications. Where broken access controls are found, it’s possible to execute actions intended for a specific user or privileged group. This can have devastating effects, such as allowing an unauthorised user to change the password of an administrator, or a customer to see another customer’s information.
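The ownership check described above, as an added example that is not part of the original post. It contrasts a lookup that trusts the record identifier alone with one that enforces object-level access control on the server side; the users, roles and order data are constructed for the demonstration.

```python
# Added example (not from the original post): object-level access control.
# The User model, roles, and ORDERS table are all constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "customer" or "admin"


# Constructed sample data: order id -> record with its owning customer id
ORDERS = {
    1001: {"owner": 7, "total": "49.99"},
    1002: {"owner": 8, "total": "120.00"},
}


class Forbidden(Exception):
    """Raised when the caller is not permitted to read the record."""


def get_order_vulnerable(caller: User, order_id: int) -> dict:
    """Looks the order up by id only. Any authenticated user can read any
    order, so customer 7 can view customer 8's data: a broken access control."""
    return ORDERS[order_id]


def get_order_hardened(caller: User, order_id: int) -> dict:
    """Deny by default: release the record only when the caller owns it or
    holds an explicitly privileged role. The decision is made server-side,
    never from anything the client supplies beyond its authenticated identity."""
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    if caller.role == "admin" or order["owner"] == caller.user_id:
        return order
    raise Forbidden(f"user {caller.user_id} may not read order {order_id}")


def can_read(caller: User, order_id: int) -> bool:
    """Convenience wrapper returning the access decision as a boolean."""
    try:
        get_order_hardened(caller, order_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    customer7 = User(user_id=7, role="customer")
    print("vulnerable:", get_order_vulnerable(customer7, 1002))  # another customer's order
    print("hardened  :", can_read(customer7, 1002))              # False
```

The point of the hardened variant is that the authorisation decision is tied to the record being returned, not to whether the caller is logged in; a missing "does this caller own this object" check is exactly the pattern behind the customer-sees-another-customer's-data finding mentioned above.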
Moving up one position from 2017, Cryptographic Failures, previously known as Sensitive Data Exposure, can lead to the compromise of sensitive information. Malicious actors can steal sensitive data that’s inadequately protected by web applications and APIs. A common cause is a failure to encrypt sensitive data using best practice methods, especially where information traverses a network or resides in an insecure storage environment.
The misconfiguration of cryptographic protocols (such as TLS) is a common finding within this category. The release of HTTP/3 and the QUIC protocol, which encapsulates properly configured TLSv1.3, could see a large reduction in misconfigured cryptographic services, as previous versions of the TLS protocol (requiring manual configuration) are deprecated.
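As an added illustration of the TLS misconfiguration point (not code from the original post), the following Python shows a client context with verification switched off beside a hardened one, together with a small audit helper that reports the weak settings. The audit rules are this example's own choice of checks, not an OWASP or Python standard.

```python
# Added example (not from the original post): weak versus hardened TLS client
# configuration using Python's standard ssl module. The audit_context rules
# are this example's own selection of checks.
import ssl


def weak_client_context() -> ssl.SSLContext:
    """A common misconfiguration: certificate and hostname verification are
    disabled, so the connection is encrypted but the peer is not authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # certificate no longer matched to the host name
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, including none, is accepted
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verification on (the create_default_context default) and an explicit
    TLS 1.2 floor so that TLS 1.0/1.1 can never be negotiated."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext):
    """Return a list of human-readable findings for the weak settings present."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still accepted")
    return findings


if __name__ == "__main__":
    print("weak    :", audit_context(weak_client_context()))
    print("hardened:", audit_context(hardened_client_context()))  # []
```

The same three checks (is the peer verified, is the name checked, what is the protocol floor) are what a reviewer looks for first in any TLS client or server configuration, whatever the language or product.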
Injection, the former king of the OWASP Top 10, has fallen down the rankings to 3rd place, and Cross-Site Scripting (XSS) has merged into this category in the latest edition. This is no surprise considering web frameworks, defence solutions and developers have improved application resilience to injection attacks across the board. However, this is still a common threat to web applications that don’t employ best practices.
Injection flaws occur when malicious data is sent to an interpreter, such as a database or terminal, and performs unintended actions by manipulating the execution logic. This can lead to a breach of sensitive data or a compromise of the application environment. User-supplied data shouldn’t be trusted, and a “whitelist” should be used on the server-side to validate user input. Safe functions, such as parameterised queries, should be used to effectively mitigate this risk.
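The two controls named above, server-side input validation and parameterised queries, as an added example that is not part of the original post. It places a string-built SQL query beside its parameterised form against an in-memory SQLite database; the table, rows and the username pattern are constructed for the demonstration.

```python
# Added example (not from the original post): SQL injection, vulnerable form
# beside the parameterised form, plus a server-side allow-list validator.
# The users table and its rows are constructed sample data.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, username: str):
    """User input is spliced into the SQL text, so it can alter the query's
    logic: the interpreter cannot tell data from code."""
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn: sqlite3.Connection, username: str):
    """The query text is fixed; the value travels separately as a bound
    parameter and is only ever compared as data."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Server-side allow-list: only what a username is permitted to look like.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username: str) -> bool:
    """Reject anything outside the allowed character set and length."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_db()
    print(find_email_vulnerable(conn, "bob"))   # ['bob@example.com']
    print(find_email_safe(conn, "bob"))         # ['bob@example.com']
    print(validate_username("bob"), validate_username("bob'; --"))  # True False
```

Validation and parameterisation are complementary: the allow-list rejects malformed input early and keeps error handling simple, while the bound parameter is what actually guarantees the database never interprets the value as SQL.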
Insecure Design is a new category for 2021 and focuses on risks related to design flaws. Applications are often built from the ground up without security in mind. This can lead to insecure designs and critical vulnerabilities being introduced to applications, which can be costly or complicated to remediate once in a production environment.
We often see this in our daily testing projects; from multi-tenanted application environments with poor data segregation, to weak implementation of access control that requires a significant modification to the core functionality. Applications must be designed with security in mind to avoid fundamental weaknesses. Too often, problems are found where spot fixes are applied at the surface, but underlying technical controls aren’t implemented to fix the problem. The bigger and more complex an application becomes, the more challenging and ineffective this approach becomes.
Security Misconfiguration has moved up to position 5, and XML External Entities (XXE) from 2017 has merged into this category for 2021. Misconfiguration is the most common Top 10 risk, often caused by exposed administrative functionality, default accounts or insecure cloud storage. It’s generally considered a “Catch All” category for implementation mistakes made in a highly configurable or complex application environment.
Such complex application environments can be difficult to securely configure without specialist knowledge of the particular application and its supporting services. Many organisations don’t have the resources to facilitate the training and skills needed to achieve this effectively. Doing so requires experts, often via a third party, to ensure you can effectively configure the application environment and secure sensitive information.
Previously titled ‘Using Components with Known Vulnerabilities’, this category moves up to 6th position compared with 2017. OWASP described this category as “a known issue that we struggle to test and assess risk.” Some components have known vulnerabilities that malicious actors can exploit to gain access to data and systems. Software components, such as underlying application libraries and frameworks, often contain weaknesses that may impact the security of the application as a whole.
When developing an application, you rely on tools and libraries to achieve the intended functionality. However, the ever-expanding range of libraries and frameworks can be difficult to keep on top of, so software components often become outdated or unsupported. The difficulty of balancing development time and cost against keeping up with the latest changes can also lead to misconfigurations and security implications. Read more about dealing with dependencies.
Falling from 2nd position, Identification and Authentication Failures, previously known as Broken Authentication, now includes CWEs that are related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardised frameworks and new authentication models seems to be helping.
Properly configured multi-factor authentication is the most effective way to mitigate this risk when used in combination with a strong password management process. The rise of zero trust and identity-based authentication and authorisation models further reduces the reliance on traditional username-password login pages to secure applications. As investment in these areas continues, we may see a further decrease in Identification and Authentication Failures.
Software and Data Integrity Failures is a new category for 2021, absorbing Insecure Deserialisation from 2017, and relates to the validity and integrity of software and data within an environment.
Software and data integrity failures occur when infrastructure fails to protect against data integrity violations. This may result from relying on plugins or libraries from untrusted sources or content delivery networks (CDNs). Alternatively, from failing to properly sanitise or handle data, such as serialised payloads, or from automatic updates applying patches that haven’t had sufficient integrity verification.
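The integrity verification that the CDN case above calls for, as an added example that is not part of the original post. It generates a Subresource Integrity (SRI) value for a script body and verifies a fetched body against an `integrity` attribute, selecting the strongest listed algorithm as browsers do; the script content is constructed, and the choice to fail closed when no recognised hash is present is this example's own strict policy rather than the SRI specification's default.

```python
# Added example (not from the original post): generating and checking
# Subresource Integrity hashes for content fetched from a third party.
# The script body below is constructed sample input.
import base64
import binascii
import hashlib
import hmac

# Algorithms SRI permits, ordered by strength; stronger entries win.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Produce the value used in <script integrity="..."> for this content."""
    if algo not in STRENGTH:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute.

    The attribute may carry several whitespace-separated hashes. Only the
    strongest algorithm present is considered, and the content passes if it
    matches any hash of that strength. Unknown algorithms are ignored; if
    nothing usable remains this checker fails closed (a strict choice made
    here, not the specification's behaviour).
    """
    parsed = []
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in STRENGTH and b64:
            parsed.append((algo, b64))
    if not parsed:
        return False
    strongest = max(STRENGTH[algo] for algo, _ in parsed)
    matched = False
    for algo, b64 in parsed:
        if STRENGTH[algo] != strongest:
            continue
        try:
            given = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        expected = hashlib.new(algo, content).digest()
        # Constant-time comparison so timing does not leak digest bytes.
        if hmac.compare_digest(expected, given):
            matched = True
    return matched


if __name__ == "__main__":
    script = b"console.log('constructed sample script');"  # constructed
    tag = sri_hash(script)
    print(tag)
    print(verify_sri(script, tag))            # True
    print(verify_sri(script + b"//x", tag))   # False: content changed in transit
```

Pinning the hash in your own page means a compromised or tampered CDN cannot change what the browser executes without the load failing; the same generate-then-verify pattern applies to update packages and any other artefact pulled from a source you do not control.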
Previously named Insufficient Logging and Monitoring, Security Logging and Monitoring Failures moves up from 10th position. This category now includes more types of failures that are often challenging to test for, and aren’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.
Logging and monitoring are important processes to enable fast detection and response to malicious activity, such as attempted or successful attacks, and provide essential information to perform an investigation following an incident. In some cases, there may be regulatory or legal requirements for logging and monitoring, which can increase the contextual impact of issues for your organisation.
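The detection side of the point above, as an added example that is not part of the original post: a small detector that parses authentication log lines and raises an alert when failed logins from one source exceed a threshold inside a sliding window. The log format, the sample lines and the threshold are all constructed for the demonstration.

```python
# Added example (not from the original post): brute-force detection over
# authentication log lines. The line format, SAMPLE_LOG, and the
# threshold/window defaults are constructed for this demonstration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso timestamp> <level> auth: login <result> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) auth: login (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source fails five times in under a minute,
# another fails twice far apart, and one line is not an auth event at all.
SAMPLE_LOG = """\
2021-09-24T10:00:01Z INFO auth: login failure user=alice src=203.0.113.5
2021-09-24T10:00:09Z INFO auth: login failure user=alice src=203.0.113.5
2021-09-24T10:00:15Z INFO auth: login success user=bob src=198.51.100.7
2021-09-24T10:00:20Z INFO auth: login failure user=admin src=203.0.113.5
2021-09-24T10:00:31Z INFO auth: login failure user=root src=203.0.113.5
2021-09-24T10:00:40Z WARN auth: login failure user=carol src=198.51.100.7
this line is not an auth event and is skipped by the parser
2021-09-24T10:00:52Z INFO auth: login failure user=admin src=203.0.113.5
2021-09-24T10:07:00Z INFO auth: login failure user=carol src=198.51.100.7
"""


def parse(line: str):
    """Return a dict of fields for a recognised line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Alert once per source when it accumulates `threshold` failures within
    `window`. Returns a list of (source, time of alert, failures in window)."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None or event["result"] != "failure":
            continue
        bucket = recent[event["src"]]
        bucket.append(event["ts"])
        while bucket and event["ts"] - bucket[0] > window:
            bucket.popleft()  # drop failures that fell out of the window
        if len(bucket) >= threshold and event["src"] not in alerted:
            alerts.append((event["src"], event["ts"], len(bucket)))
            alerted.add(event["src"])
    return alerts


if __name__ == "__main__":
    for src, when, count in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when.isoformat()} {src}: {count} failed logins in window")
```

This only works if the application emits the failure events in the first place with the fields (time, outcome, source) the rule needs; that is the gap this category describes, and it is why logging requirements belong in the design, not in the incident post-mortem.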
Even though it’s not illustrated in the data, industry professionals have told OWASP that Server-Side Request Forgery, which is new for 2021, is important at this time. Server-Side Request Forgery (SSRF) attacks occur when malicious actors send payloads, such as modified URLs, that are processed by the server to read or modify data, extract information, or connect to internal services that wouldn’t normally be accessible.
With recent attacks, such as the vulnerability in Microsoft Exchange that allowed malicious actors to compromise exposed hosts, it’s clear to see why SSRF is a new Top 10 entry. However, SSRF isn’t a new attack vector; it made the top web hacking techniques list produced by PortSwigger in 2017.
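The server-side control for the SSRF risk described above, as an added example that is not part of the original post: before the server fetches a user-supplied URL it checks the scheme, requires the host to be on an allow-list, and then confirms that the host does not resolve to an internal address. The allow-list, the hostnames and the stand-in DNS table are constructed so the example runs offline; in production the resolver would be real and the connection would be made to the address that was checked.

```python
# Added example (not from the original post): validating an outbound URL
# before the server fetches it. ALLOWED_HOSTS and FAKE_DNS are constructed;
# FAKE_DNS stands in for real name resolution so this runs offline.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.example.com", "cdn.example.com", "status.example.com"}

# Constructed resolver table. status.example.com deliberately resolves to an
# internal address to show why the allow-list alone is not enough.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "cdn.example.com": ["203.0.113.20"],
    "status.example.com": ["10.0.0.5"],
    "evil.example.net": ["203.0.113.99"],
}

# Address ranges the application must never be made to talk to:
# RFC 1918, loopback, link-local (including cloud metadata endpoints),
# shared address space, "this network", and their IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve(host: str):
    """Offline stand-in for DNS lookup (returns every address for the name)."""
    return FAKE_DNS.get(host, [])


def is_blocked_ip(ip_str: str) -> bool:
    """True if the address falls in any blocked range; IPv4-mapped IPv6
    addresses are unwrapped so they cannot smuggle an IPv4 internal address."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=resolve):
    """Return (ok, reason). Every address the host resolves to must be
    acceptable; the caller should then connect to a checked address rather
    than resolving again, so a changed DNS answer cannot bypass the check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host not in allowed_hosts:
        return False, f"{host} is not on the allow-list"
    addresses = resolver(host)
    if not addresses:
        return False, f"{host} did not resolve"
    for addr in addresses:
        if is_blocked_ip(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/items", "https://status.example.com/",
              "http://127.0.0.1:8080/", "file:///etc/hosts"):
        print(u, "->", check_outbound_url(u))
```

The allow-list does most of the work; the resolution check catches the case where a permitted name points, by accident or by a changed DNS record, at an address inside the network, which is the situation in which SSRF turns a harmless fetch into a bridge to internal services.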
Sentrium provides web and mobile application security testing and threat modelling as part of the routine development lifecycle.
Your security assessment is tailored to the size and complexity of your application environment. This gives you an efficient and comprehensive testing approach that will add value to your secure development lifecycle.
Contact us to discuss your application security requirements and learn how our services support your security strategy.