The Open Web Application Security Project (OWASP) has published the 2017 edition of its list of the 10 most critical web application security risks, which once again ranks injection attacks as the greatest risk, as the 2013 and 2010 editions did.
Code injection attacks, mainly targeted at web applications, allow an attacker to execute commands on a web site in order to steal, modify or delete data, abusing input fields that were intended for entirely different purposes. They are mostly made possible by bugs resulting from missing or insufficient validation of the input data, a control the application developers did not implement and which attackers discover and use to carry out these malicious actions.
According to the security company Veracode, 77% of applications have at least one bug. Veracode, which contributes to the preparation of the OWASP Top 10, states that around 70% of the applications it analyzed would not pass a security audit against the OWASP Top 10 measures. Specifically, the vendor reports that in 2017, 27.6% of the analyzed applications were easily vulnerable to SQL injection.
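The mechanism described above, as an added example that is not part of the original article: the same lookup written with user input spliced into the SQL text (the missing-validation defect the article describes) and written with a bound parameter, plus an allowlist check on the input field. The table, rows and the crafted input are constructed for the demonstration and run against an in-memory SQLite database.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not taken from the article).
SAMPLE_USERS = [
    (1, "alice", "admin"),
    (2, "bob", "user"),
    (3, "carol", "user"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The defect the article describes: the input is concatenated into the
    SQL text, so the input can change the meaning of the statement."""
    query = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the input is bound as a parameter and is only ever
    compared as a value, never parsed as SQL."""
    query = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Allowlist for the field: letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(name: str) -> bool:
    """Input validation, the control the article says is missing.
    It complements parameterisation; it does not replace it."""
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    db = build_db()
    normal = "alice"
    # Constructed input that closes the quote and turns the WHERE clause into a tautology.
    crafted = "' OR '1'='1"
    print("vulnerable, normal input :", find_user_vulnerable(db, normal))
    print("vulnerable, crafted input:", find_user_vulnerable(db, crafted))  # every row is returned
    print("safe, crafted input      :", find_user_safe(db, crafted))       # no row matches
    print("validation rejects input :", not is_valid_username(crafted))
```

The vulnerable function returns the whole table for the crafted input because the quote character ends the string literal early; the parameterised function treats the same bytes as an ordinary value and finds nothing, and the allowlist rejects the input before it reaches the database at all.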
What has changed in the last 10 years?
The landscape of security threats to applications changes constantly, mainly because of the development of new techniques for attacking web sites.
Between 2007 and 2017, OWASP's main changes have been the following:
- Command Injection has been ranked at the top positions of the OWASP Top 10 since 2007 because of the lack of input data validation, which is still one of the most common mistakes made by software developers.
- Authentication Loss has moved from the 7th position in 2007 to the 2nd, and has stayed in the top 3 since 2010.
- Sensitive Data Exposure has climbed three positions since its first appearance in the 2013 OWASP Top 10.
- Three new risks have emerged: “XXE”, “Insecure Deserialization” and “Insufficient Logging & Monitoring”.
- “Insecure Direct Object References” and “Missing Function Level Access Control” have been merged under the designation “Broken Access Control”.
- Cross-Site Scripting (XSS) has moved from the 1st position in 2007 to the 7th in 2017, mainly thanks to the adoption of tools that prevent and protect against these vulnerabilities, as already mentioned in the article OWASP Top Ten 2013 RC: Evolución de las vulnerabilidades web (Evolution of web vulnerabilities).
- Insecure Deserialization is a new vulnerability proposed by the OWASP community and included in the OWASP Top 10 for the first time. It is a vulnerability that can lead to remote code execution in web services.
- Using Components with Known Vulnerabilities keeps the 9th position it held in the previous ranking, which indicates that the vulnerability persists, partly because of the widespread use of multiple components in web applications and partly because of the growth of IoT and the difficulties this model poses for update management.
- Insufficient Logging and Monitoring is one of the two new vulnerabilities included in the OWASP Top 10 2017.
Analysis and new additions
Some movements in this new edition deserve comment. On the one hand, Sensitive Data Exposure has climbed three positions and now sits third in the table. One of its main causes is the lack of encryption or the use of inadequate encryption algorithms. Given that compliance will be mandatory in the EU countries very soon (25 May 2018), the web applications of European companies must make an extra effort on this matter.
Likewise, there are notable drops, such as XSS and CSRF, two Top 10 classics that are now declining. The protections now built into many web application development frameworks, as well as into browsers, account for the fall of these two vulnerabilities.
One of the major additions this year is the inclusion of two new vulnerabilities chosen through a public survey completed by numerous professionals. The two highest-ranked vulnerabilities in that survey are included in this year's list:
- On the one hand, Insecure Deserialization, a somewhat complex vulnerability, has entered at the 8th position. Serialization means converting data from its in-memory representation into a specific format (XML, for example) that allows it to be transmitted or stored; deserialization is the reverse step. Not accepting serialized data from untrusted sources, or accepting only primitive data types when deserializing, are good practices that our architecture should implement in every case. This vulnerability can allow remote code execution through the deserialized data.
- At position 10 is Insufficient Logging and Monitoring, whose name expresses perfectly what this vulnerability means. Logging and monitoring is a crucial activity that may not be regarded as a vulnerability in itself, but its absence can prevent a security incident from being handled diligently or delay the detection of a data leak by several years.
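The "accept only primitive data" practice from the Insecure Deserialization item above, as an added example that is not part of the original article: a Python unpickler that refuses to resolve any class or callable, so a stream can only carry plain values and containers of them, alongside JSON, which has no notion of classes at all. The `Job` class and the sample payloads are constructed for the demonstration.

```python
import io
import json
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any class or callable.

    pickle calls find_class only when the stream asks for a global (a class,
    function or other importable name). Refusing every such request means the
    stream can contain nothing but primitive values and containers of them:
    int, float, str, bytes, bool, None, list, tuple, dict.
    """

    def find_class(self, module: str, name: str):
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name}: only primitive data is accepted"
        )


def safe_pickle_loads(data: bytes):
    """Deserialise a pickle stream while rejecting anything that is not primitive."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_json_loads(text: str):
    """JSON cannot express classes or callables, so it is the preferred format
    when producer and consumer only need to exchange plain data."""
    return json.loads(text)


class Job:
    """Constructed application class. An instance of it inside a pickle stream
    forces the unpickler to resolve a global, which the restricted loader refuses."""

    def __init__(self, command: str) -> None:
        self.command = command


def demo() -> dict:
    """Run the acceptance and rejection cases and report what happened."""
    primitive = {"user": "alice", "ids": [1, 2, 3], "active": True}
    results = {}
    # Plain data round-trips through the restricted unpickler unchanged.
    results["primitive_pickle"] = safe_pickle_loads(pickle.dumps(primitive)) == primitive
    # A stream carrying an object is refused before any constructor runs.
    try:
        safe_pickle_loads(pickle.dumps(Job("noop")))
        results["object_pickle_rejected"] = False
    except pickle.UnpicklingError:
        results["object_pickle_rejected"] = True
    # The same data exchanged as JSON needs no special loader at all.
    results["json"] = safe_json_loads(json.dumps(primitive)) == primitive
    return results


if __name__ == "__main__":
    print(demo())
```

The restricted loader is a fallback for services that must keep consuming pickle from a trusted producer; where the format can be chosen, exchanging JSON between components removes the class-resolution step entirely, which is what the recommendation to accept only primitive data amounts to.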
The OWASP Top 10 is the de facto standard for software developers to identify and combat the causes that make software insecure. There are numerous guides and tools for assessing the security of web applications, and they must be considered at every stage of application development.
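To show what the Insufficient Logging and Monitoring item of the list above protects against, here is an added example that is not part of the original article: a small detector run over constructed authentication log lines, flagging accounts with a burst of failed logins inside a sliding window. The log format, field names and timestamps are assumptions made for the example; the point is that none of this is possible unless the application records the events in the first place.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the format this example assumes an
# application emits for authentication events (not from any real system).
SAMPLE_LOG = """\
2018-03-01T10:00:01Z auth result=failure user=alice src=198.51.100.7
2018-03-01T10:00:04Z auth result=failure user=alice src=198.51.100.7
2018-03-01T10:00:09Z auth result=failure user=alice src=198.51.100.7
2018-03-01T10:00:12Z auth result=failure user=alice src=198.51.100.7
2018-03-01T10:00:15Z auth result=failure user=alice src=198.51.100.7
2018-03-01T10:00:20Z auth result=success user=alice src=198.51.100.7
2018-03-01T10:05:00Z auth result=failure user=bob src=203.0.113.9
2018-03-01T11:30:00Z auth result=failure user=bob src=203.0.113.9
2018-03-01T11:30:05Z auth result=success user=carol src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Parse one assumed-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_failure_bursts(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {user: max_failures_in_window} for accounts that reached
    `threshold` failed logins inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "failure":
            failures[ev["user"]].append(ev["ts"])

    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    # alice: five failures in 14 seconds, then a success -> flagged.
    # bob: two failures 85 minutes apart -> below threshold.
    print(detect_failure_bursts(SAMPLE_LOG))
```

With the defaults only `alice` is flagged; her success right after the burst is exactly the kind of event an analyst wants to review, and it can only be reviewed because both the failures and the success were logged with a timestamp, an account and a source.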