Last updated on September 17, 2021
After more than 4 years of waiting, OWASP has published the draft of its new list of the 10 most frequently found vulnerabilities in web applications.
The OWASP Top Ten is one of the most widely used lists in the IT security world. There have been big changes compared to the 2017 list. Below we will analyze them one by one.
1. A01:2021-Broken Access Control: 34 CWEs. Access control vulnerabilities include privilege escalation, malicious URL modification, access control bypass, CORS misconfiguration, and tampering with primary keys.
2. A02:2021-Cryptographic Failures: 29 CWEs. This includes security failures when data is in transit or at rest, such as the implementation of weak cryptographic algorithms, poor or lax key generation, a failure to implement encryption or to verify certificates, and the transmission of data in cleartext.
3. A03:2021-Injection: 33 CWEs. Common injections include SQL, NoSQL, OS command, and LDAP, and may be caused by sanitization failures, XSS vulnerabilities, and a lack of protection for file paths.
4. A04:2021-Insecure Design: 40 CWEs. Insecure design elements vary widely, but are generally described by OWASP as “missing or ineffective control design”. Areas of concern include a lack of protection for stored data, logic programming problems, and displaying content that reveals sensitive information.
5. A05:2021-Security Misconfiguration: 20 CWEs. Applications may be considered vulnerable if they lack security hardening, if there are unnecessary features – such as an over-generous allocation of privileges – if default accounts are kept active, and if security features are not configured correctly.
6. A06:2021-Vulnerable and Outdated Components: 3 CWEs. This category focuses on client and server-side components, failures to maintain components, out-of-date support systems – such as an OS, web servers, or libraries – as well as component misconfiguration.
7. A07:2021-Identification and Authentication Failures: 22 CWEs. Security issues include improper authentication, session fixation, certificate mismatches, permitting weak credentials, and a lack of protection against brute-force attacks.
8. A08:2021-Software and Data Integrity Failures: 10 CWEs. Integrity is the focal point of this category, and any failure to ensure the correct implementation – such as the deserialization of untrusted data, or not checking code and updates when pulled from a remote source – may be in scope.
9. A09:2021-Security Logging and Monitoring Failures: 4 CWEs. Issues that can hamper the analysis of a data breach or other form of attack, including logging problems, failing to record security-relevant information feeds, or only logging data locally come under this category.
10. A10:2021-Server-Side Request Forgery: 1 CWE. SSRF vulnerabilities occur when a server does not validate user-submitted URLs before fetching remote resources. OWASP says that the adoption of cloud services and increasingly complex architectures has ramped up the severity of SSRF attacks.
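Since the SSRF entry turns on whether the server validates a user-submitted URL before fetching it, here is an added example (not code from the original post or from OWASP) of such a check done as an allowlist: only the expected scheme, hosts and port pass, credentials embedded in the URL are refused, and literal IP addresses outside the public range are rejected. The hosts in ALLOWED_HOSTS, the port set and the sample URLs are constructed for this demonstration.

```python
"""Added example, not code from the original post: an allowlist check for
user-supplied URLs before a server fetches them (A10:2021 SSRF).
ALLOWED_HOSTS, ALLOWED_PORTS and the sample URLs are constructed for this demo."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of external hosts this service may fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None: no explicit port given in the URL


def is_non_public_ip(host: str) -> bool:
    """True when host is a literal IP outside the public range
    (loopback, private, link-local and similar)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal IP; the allowlist decides
    return not addr.is_global


def validate_outbound_url(url: str) -> str:
    """Return url unchanged if it passes every check, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise ValueError("URL has no host")
    if is_non_public_ip(host):
        raise ValueError(f"non-public address: {host}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host}")
    if parts.port not in ALLOWED_PORTS:  # .port itself raises ValueError on a bad port
        raise ValueError(f"port not allowed: {parts.port}")
    return url


def is_safe_outbound_url(url: str) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample URLs: one allowed, the rest rejected for different reasons.
    for u in ["https://images.example.com/logo.png", "https://10.0.0.5/",
              "https://[::1]/", "http://images.example.com/",
              "https://user:pw@images.example.com/", "https://cdn.example.com:8443/"]:
        print(f"{u:45} -> {'allowed' if is_safe_outbound_url(u) else 'rejected'}")
```

The check runs before the request is made; a complete defence also has to hold at fetch time, because a permitted host can answer with a redirect to somewhere else and a hostname can resolve to an internal address. Either disable redirects or re-validate every hop, and resolve the name and re-check the resulting address in the same step that opens the connection.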
Analysis of Main Changes
Broken Access Control rises from fifth position to first; 94% of applications have access control vulnerabilities.
Cryptographic Failures moves up one position to second place. In 2017 this category was known as “Sensitive Data Exposure”, but in fact this exposure of sensitive data is more a symptom than the cause of the problem, so it was decided to change the name to focus on cryptography-related flaws.
Injection falls to third place, although 94% of applications have injection vulnerabilities. It is important to note that Cross-Site Scripting, which in the previous edition had its own category, is now grouped under Injection.
Insecure Design is a new category, which has been included to try to focus on design flaws, and to try to generate best practice through the use of threat modelling, secure design patterns and principles, and reference architectures.
Security Misconfiguration ranks fifth, up one place since the last edition. 90% of applications show some misconfiguration vulnerability, and increasingly complex applications make correct configuration all the more important.
N.B. The XML External Entities (XXE) category, which previously had its own spot in the list, has moved into this category.
Vulnerable and Outdated Components, previously known as “Using Components with Known Vulnerabilities”, moves up the rankings to become the second most important problem according to the surveys. It is the only category with no CVEs associated with its CWEs.
Identification and Authentication Failures, previously known as “Broken Authentication”, drops from second position thanks to the increasing availability of standardized frameworks, which have reduced authentication problems. It now also includes CWEs related to identification failures.
Software and Data Integrity Failures is a new category in 2021, focusing on software updates, critical data and integrity checking in CI/CD pipelines. It is one of the categories with the biggest impact on application security.
N.B. The former “Insecure Deserialisation” category is now part of this category.
Security Logging and Monitoring Failures, previously known as “Insufficient Logging & Monitoring”, moves up one position and is the third most important problem according to the surveys. The category has been expanded to include more types of failures that can directly impact visibility, incident alerting and forensics.
Server-Side Request Forgery is considered the number one security problem according to the surveys. Although it has a relatively low incidence rate and a medium impact, security professionals have made it clear that it is a very important vulnerability even if the data does not yet show it.
How vulnerabilities are classified
The OWASP Top 10 is largely based on the data collected. In fact, 8 of the 10 categories are selected from the data collected.
The other two categories are based on surveys answered by industry experts. This makes it possible to include in the top the vulnerabilities that are of most concern to professionals at the forefront of IT security, but which have not yet been reflected in the data.
Previously, OWASP’s data collection was based on 30 CWEs that they selected, plus a free-form field for other findings. However, companies only included data from those 30 CWEs. So this time they simply asked for data on vulnerabilities found in applications, without restricting it to specific CWEs. They asked for the number of applications analyzed annually since 2017 in which at least one CWE had been found. That way they can check how prevalent each CWE is across a group of apps. The number of times a CWE appears within a single application was not taken into consideration when making the Top 10.
As for the categories, they have tried to focus on analyzing the root cause of security problems rather than the symptoms (as we can see in the case of “Cryptographic Failures”, which is the cause of the symptom “Sensitive Data Exposure”).
In 2017 they were based on the incidence rate, while this year they wanted to focus on exploitability and impact.
The data is not purely statistical
They take into account that vulnerability scanners can show hundreds of entries for a vulnerability, whereas in manual pentesting the auditor does not record every place where that vulnerability appears. For example, in the case of Cross-Site Scripting, an application can be vulnerable in all fields of a form, which can mean hundreds of vulnerabilities registered by a vulnerability scanner. However, an auditor analysing the same application will only report a couple of examples where the application is vulnerable, indicating that the input in all fields must be validated in order to correct the vulnerability. The categories are therefore described with the following metrics:
- Assigned CWEs: number of CWEs belonging to each category.
- Incidence rate: percentage of applications vulnerable to that CWE.
- Test coverage: percentage of applications tested for a given CWE, across all contributing organizations.
- Weighted exploitability: exploitability score of the CVEs assigned to the CWEs, normalized and weighted on a 10-point scale.
- Weighted impact: As exploitability, but with the impact of each vulnerability.
- Number of occurrences: number of applications that have at least one CWE of that category.
- Total CVEs: total number of CVEs assigned to CWEs of a category.
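To make the distinction between "apps with at least one finding" and "number of findings" concrete, here is an added example (not from the original post or from OWASP's own tooling) that computes incidence rate, test coverage and occurrences over a small constructed dataset, alongside the raw scanner-style count the method deliberately ignores. The application records, the CWE ids used and the finding counts are all made up for the demonstration; the two CVE-based metrics are not modelled because the page gives no CVE data.

```python
"""Added example, not from the original post: the per-CWE metrics described
above computed over a constructed dataset. The app records, CWE ids and
finding counts are made up for the demonstration."""
from typing import Dict, Iterable, List

# Constructed sample: each record is one application, the CWEs it was tested
# for, and every raw finding a scanner or auditor reported for it.
APPS: List[Dict] = [
    {"app": "a1", "tested": {"CWE-79", "CWE-89", "CWE-918"},
     "findings": ["CWE-79"] * 40 + ["CWE-89"]},  # scanner flagged XSS on 40 fields
    {"app": "a2", "tested": {"CWE-79", "CWE-89"}, "findings": ["CWE-79"] * 3},
    {"app": "a3", "tested": {"CWE-79", "CWE-89", "CWE-918"}, "findings": []},
    {"app": "a4", "tested": {"CWE-79"}, "findings": ["CWE-79"]},
    {"app": "a5", "tested": {"CWE-89", "CWE-918"}, "findings": ["CWE-918"]},
]


def apps_tested_for(apps: List[Dict], cwe: str) -> int:
    """Number of applications that were tested for the given CWE."""
    return sum(1 for a in apps if cwe in a["tested"])


def occurrences(apps: List[Dict], cwes: Iterable[str]) -> int:
    """Applications with at least one finding in the given CWE set.
    A CWE reported 40 times in one app counts once, matching the OWASP rule
    that the number of findings within an application is not considered."""
    wanted = set(cwes)
    return sum(1 for a in apps if wanted & set(a["findings"]))


def incidence_rate(apps: List[Dict], cwe: str) -> float:
    """Share of applications tested for the CWE that had at least one finding."""
    tested = apps_tested_for(apps, cwe)
    return occurrences(apps, [cwe]) / tested if tested else 0.0


def coverage_rate(apps: List[Dict], cwe: str) -> float:
    """Share of all applications in the dataset that were tested for the CWE."""
    return apps_tested_for(apps, cwe) / len(apps) if apps else 0.0


def raw_finding_count(apps: List[Dict], cwe: str) -> int:
    """Scanner-style count of every reported instance, shown for contrast."""
    return sum(a["findings"].count(cwe) for a in apps)


if __name__ == "__main__":
    print(f"{'CWE':8} {'tested':>6} {'occur':>5} {'incid':>6} {'cover':>6} {'raw':>4}")
    for cwe in ("CWE-79", "CWE-89", "CWE-918"):
        print(f"{cwe:8} {apps_tested_for(APPS, cwe):>6} {occurrences(APPS, [cwe]):>5} "
              f"{incidence_rate(APPS, cwe):>6.2f} {coverage_rate(APPS, cwe):>6.2f} "
              f"{raw_finding_count(APPS, cwe):>4}")
    # A category is a set of CWEs; an app counts once however many of them it has.
    print("category {CWE-79, CWE-89} occurrences:", occurrences(APPS, ["CWE-79", "CWE-89"]))
```

In the sample, CWE-79 has 44 raw findings but an occurrence count of 3, and its incidence rate is computed against the 4 applications actually tested for it rather than against all 5, which is the role test coverage plays in the method.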
Conclusions on the new OWASP Top 10
There is no doubt that OWASP is committed to staying ahead of the curve and strengthening the industry by implementing security from the ground up. This is reflected by the inclusion of the new categories “Insecure Design” and “Software and Data Integrity Failures” in the top 10.
Given that the vast majority of companies use the OWASP Top 10 as a reference, it is important that they take that view of implementing security in the architecture and design of applications, something that is often overlooked given the speed of development today.
It is important to note that this list, although in principle definitive, may vary depending on the opinion of security experts.
I hope you have found this information interesting.