After four years, OWASP published the new OWASP Top 10 list of the most common vulnerabilities. We have taken a look at the new list to see what has changed, what remains the same, and what it tells us about the state of web security.
The OWASP Top 10 project was initially created to raise security awareness among developers, but has since grown to become an international security standard. The list is the result of a cooperation between the security industry and the community, brought to life by OWASP volunteers. Let’s get right to it! Here is the OWASP Top 10 2017 list:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE) (NEW!)
- Broken Access Control (MERGED)
- Security Misconfiguration
- Cross-site Scripting (XSS)
- Insecure Deserialization (NEW!)
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring (NEW!)
OWASP Top 10 2017 brings three new vulnerabilities and retires two. Despite these changes, many vulnerabilities from 2013 remain on the list, making OWASP Top 10 2017 very similar to its predecessor. In other words, while a lot has happened since 2013, the most common security mistakes remain the same.
The three newcomers to the list are XML External Entity (XXE), Insecure Deserialization, and Insufficient Logging and Monitoring. Detectify’s co-founder and security researcher Fredrik Nordberg Almroth says that Insufficient Logging and Monitoring has received a lot of attention in the security community:
“There is some uncertainty as to whether this vulnerability belongs on the OWASP list and many say that the lack of logging doesn’t make a system vulnerable. Others claim that logging and monitoring needs to be in place, but can’t really explain why not having it is a vulnerability.”
Another change is the Broken Access Control category, combining two previously separate vulnerabilities, Missing Function Level Access Control and Insecure Direct Object References.
What’s been removed?
CSRF and Unvalidated Redirects and Forwards did not make it onto the new list, as they are not as common as they used to be. CSRF is only found in 5% of applications thanks to frameworks that include CSRF defenses, while Unvalidated Redirects and Forwards are found in 8% of applications. Based on OWASP’s data cited in Release Candidate 2, the two vulnerabilities have now dropped to #13 and #25, respectively.
What it means
New technologies and new approaches to building web apps have changed web security and the new OWASP Top 10 is a timely update that reflects recent developments. Fredrik Nordberg Almroth explains:
“Many technologies are built on XML, making companies vulnerable to XXE even though they might not expect it. The same goes for Insecure Deserialization. There’s been a lot of research lately showing that deserialization of various objects can lead to RCE in different programming languages. Java, PHP, Ruby and Python are particularly affected by this.”
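The XXE risk Fredrik describes comes down to how the XML parser is configured: if it is allowed to resolve external general entities, a document supplied by an outside party can make it read or fetch content the application never intended to. As an added example (not code from the original post or from Detectify), the Python stdlib SAX parser below is wrapped so that external entities are refused by default, and an entity resolver that never fetches anything logs and blocks any attempt to resolve one, which is the defender's signal that someone sent XXE-shaped input. The sample document, the `entity.example` placeholder URL and the function names are constructed for this illustration.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

# Constructed sample document (not from the post): the DOCTYPE declares an
# external general entity that points at a placeholder URL. A parser that
# resolves external entities would try to fetch it when &ext; is expanded.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY ext SYSTEM "http://entity.example/placeholder">
]>
<order><note>&ext;</note></order>"""


class XXEDetected(Exception):
    """Raised when the parser asks to resolve an external entity."""


class RefusingResolver(EntityResolver):
    """Entity resolver that never fetches anything: it records the attempt
    (so it can be logged and alerted on) and aborts the parse."""

    def __init__(self):
        self.attempts = []

    def resolveEntity(self, publicId, systemId):
        self.attempts.append(systemId)
        raise XXEDetected(f"external entity resolution blocked: {systemId}")


class TextCollector(ContentHandler):
    """Collects character data so we can see what the entity expanded to."""

    def __init__(self):
        super().__init__()
        self.text = []

    def characters(self, content):
        self.text.append(content)


def parse_untrusted_xml(data: str, allow_external_entities: bool = False):
    """Parse XML from an untrusted source.

    With the default (allow_external_entities=False) the parser simply skips
    external general entities. Setting it to True shows the unsafe
    configuration; even then the RefusingResolver stops the fetch and turns
    it into a detectable XXEDetected error instead of a silent read.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    resolver = RefusingResolver()
    parser.setEntityResolver(resolver)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data.encode("utf-8")))
    return {
        "text": "".join(handler.text).strip(),
        "attempts": resolver.attempts,
    }


if __name__ == "__main__":
    print("hardened parser:", parse_untrusted_xml(SAMPLE_XML))
    try:
        parse_untrusted_xml(SAMPLE_XML, allow_external_entities=True)
    except XXEDetected as err:
        print("unsafe parser, blocked by resolver:", err)
```

The hardened call returns an empty note and records no resolution attempt; the unsafe configuration is stopped by the resolver before anything is fetched, and the recorded system ID is exactly what a monitoring pipeline would want to log.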
The 10 vulnerability categories on the list are, of course, just the tip of the security iceberg. Detectify’s security researcher Linus Särud points out that working with security stretches far beyond the OWASP list:
“There is a lot more to security than ten vulnerabilities, and this is something that is also emphasised by OWASP. However, the list is a good place to start if you want to improve your web security and write better code.”
Why some vulnerabilities remain on the list
Despite these changes, some widespread vulnerabilities have been on the OWASP Top 10 list since 2010. Fredrik says that the reason categories like Cross-site Scripting and Injection remain on the list is simple – they are everywhere:
Similarly, Injection remains on the list as no. 1: “Injection is an umbrella term for the majority of server-side vulnerabilities (like SQL Injection, path traversals and RCE). These are ‘game over’ vulnerabilities and because they are so common and have such a serious impact, they remain at the top of the list,” Fredrik explains.
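Fredrik's "game over" description of Injection is easiest to see with the SQL flavour he names. As an added example (not code from the original post or from Detectify), the snippet below builds a small in-memory SQLite table and compares a lookup that splices user input into the query string with one that passes it as a bound parameter. The table contents, the `INJECTED` input and the function names are constructed for this illustration; the point is that the same input that becomes part of the SQL grammar in the first function is just a string value in the second.

```python
import sqlite3

# Constructed sample data (not from the post).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]

# A classic tautology: not a valid username, but it changes the WHERE clause
# when it is concatenated into the query text.
INJECTED = "nobody' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the input is concatenated into the SQL text, so quotes
    and keywords in it are interpreted by the database."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the input is bound as a parameter and can only ever be
    compared as a value, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, INJECTED))
    print("parameterized:", lookup_parameterized(db, INJECTED))
    print("legit lookup :", lookup_parameterized(db, "alice"))
```

The concatenated query returns every row, which on a real system is the "game over" Fredrik refers to; the parameterized query returns nothing for the injected string and still works for a genuine username. Detection of this class at runtime usually rests on database query logs: a WHERE clause that suddenly contains `OR '1'='1'` stands out in exactly the way the bound-parameter version never can.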
What does Detectify check for?
Detectify can discover every OWASP Top 10 vulnerability class that can be validated from the outside by an attacker (or, in this case, a security scanner) and checked automatically. Some categories are difficult for a scanner to identify, Fredrik Nordberg Almroth says: “For example, Insufficient Logging and Monitoring is tricky because we don’t know whether our customers use some sort of logging.”
When you run a Detectify scan, your site is checked for the following vulnerabilities on the OWASP Top 10 2017 list:
* A1: Injection
* A3: Sensitive Data Exposure
* A4: XML External Entities (XXE) – we have a range of tests covering XXE vulnerabilities in various platforms like Magento
* A6: Security Misconfiguration
* A7: Cross-Site Scripting (XSS)
* A9: Using Components with Known Vulnerabilities
To learn more about how OWASP Top 10 vulnerabilities work and what you can do to make your code more secure, take a look at our OWASP Top 10 attack demo playlist (currently covering OWASP Top 10 2013, but we are working on updates – stay tuned!).