Professional Documents
Culture Documents
com/topic/owasp-top-10-application-security-risks-2013-vs-
2017/
APPLICATION SECURITY
The OWASP Top 10 is a list of common and critical security vulnerabilities that
could affect applications. The first version was released back in 2003, which
was updated in 2013. However, as OWASP puts it, “change has accelerated
over the last four years, and the OWASP Top 10 needed to change.”
Using feedback from firms specializing in application security and data from
surveys filled by over 500 individuals, OWASP issued a new release candidate
in April 2017. The first release was controversial and pushed back by the
AppSec community, so OWASP had to make new changes and issued a new
draft in August. The latter was finally adopted and published in November 2017.
This article clarifies the new web security risks as defined by OWASP, and
draws a comparison between 2013 and 2017 versions by listing all the changes
that have taken place.
Comparative table of 2013 and 2017 OWASP Top 10 Lists (Image from OWASP)
OWASP 2013 vs 2017: What has remained the same?
The A1 – Injection class of vulnerabilities tops both lists as the risk will remain
present as long as applications blindly trust user input and do not have a proper
sanitization mechanism in place. SQL injection, for instance, is still hackers all-
time favorite attack vector, and according to Verizon, SQL injection is involved
in nearly a quarter of incidents where card details are compromised.
OWASP 2013 vs 2017: What has changed?
A2 – Broken authentication and Session Management was shortened and
renamed Broken Authentication which makes sense since the latter is more
general and includes sessions-related issues.
A3 – Cross-Site Scripting (XSS) has dropped in ranking to hold the 7th
position after it was the 3rd in 2013 list. Although XSS is still a severe risk that
would lead to session hijacking, remote code execution in the victim’s browser,
etc., most frameworks are now automatically escaping XSS by design, such as
the latest Ruby on Rails, React JS, etc.
A4 – Insecure Direct Object References was merged with A7 – Missing
Function Level Access Control into a new category called A5 – Broken
Access Control. Both categories were relatively similar and share the same
root cause, which is missing control access. It all boils down to a simple
question: Am I supposed to have access to this data when logged in? As a
result, merging both categories is logical and expected based on the AppSec
community feedback over the past years.
A5 – Security Misconfiguration is still a relevant issue, but dropped in the list
by one ranking to settle in the 6th position.
Sensitive Data Exposure was listed as A6 in OWASP 2013. In 2017, it moves
up to the A3 position. Sensitive data exposure has been a huge issue in the
past few years, which resulted in very alarming security breaches at Uber,
Deloitte, Equifax and other large companies. This is especially concerning with
GDPR on the horizon.
OWASP 2013 vs 2017: What risks were retired?
A8 – Cross-Site Request Forgery (CSRF) was retired and dropped from the
2017 list. This does not mean the risk doesn’t exist anymore. According to
OWASP, the reason behind this is “many frameworks include CSRF defenses,
[CSRF] was found in only 5% of applications.”
Similarly, A10 – Unvalidated Redirects and Forwards was retired from the
list. According to OWASP, “while found in approximately in 8% of applications, it
was edged out overall by XXE.” Open redirect itself is a relatively low severity
issue. It is usually exploited for phishing purposes but is still a weakness
attackers abuse and chain with other vulnerabilities in order to achieve a higher
security impact.
It is important to keep in mind just because these have slipped outside the
OWASP Top 10, it does not mean they should be ignored. Rather,
organizations must continue to ensure the coding practices they use are
mitigating these well-documented vulnerabilities, as well as those in the current
OWASP Top 10.
OWASP 2013 vs 2017: What new risks were added?
Based on the community insights and supported data, OWASP added three
new classes of security risks to the list:
1. A4 – XML External Entities (XXE)
This is a class of attacks that target applications using XML parsers. The attack
takes place when an XML user input contains a reference to an external entity,
which then is processed by a misconfigured XML parser.
A successful exploitation leads to disastrous consequences, such as accessing
web server resources, conducting an SSRF attack to scan ports and enumerate
internal network, denial of service when chained with billion laughs attack, etc.
This particular attack has been around for decades, but it has only recently
received attention as high-profile companies such as Facebook, Twitter and
Google are also finding themselves vulnerable via bug bounty programs.
Most XML parsers are vulnerable to XXE by default, but the proper way to
mitigate XXE is to completely disable DTDs (external entities).
2. A8 – Insecure deserialization
This attack takes advantage of how applications make use of serialization and
deserialization. Serialization is the process of converting objects into data
format, commonly JSON and XML, to store them or use them in
communications. Deserialization is the opposite process which takes formatted
data and structures it into objects.
The attack, however, targets the deserialization process through untrusted user
input. Attackers abuse deserialization features when the application is
deserializing untrusted user input. A successful exploitation allows it to carry out
denial of service (DoS) attacks, bypass access controls and eventually remote
code execution.
3. A10 – Insufficient logging & monitoring
This is more of a lack of control than a vulnerability. It’s nevertheless very important to
have proper mechanisms in place to log and monitor all kinds of events and activities,
whether operational or security related. These logs are indispensable to detect malicious
activity or unauthorized breaches in a timely manner; the lack of this control only
benefits attackers, giving them a persistence access or pivot to others’ systems.
According to OWASP, a lack of proper logging and monitoring carries the following
risks:
Auditable events, such as logins, failed logins and high-value transactions are not logged.
Warnings and errors generate no, inadequate or unclear log messages.
Logs of applications and APIs are not monitored for suspicious activity.
Logs are only stored locally without any Cloud backup.
Appropriate alerting thresholds and response escalation processes are not in place or effective.
Penetration testing and scans by
DAST tools (such as
OWASP ZAP) do not trigger alerts.
The application is unable to detect, escalate or alert for active attacks in real time or near real
time.
Source
OWASP Top 10 – 2017, OWASP
Posted: April 2, 2018
---
SEGURIDAD DE LA APLICACIÓN
Tabla comparativa de las listas OWASP Top 10 de 2013 y 2017 (Imagen de OWASP )