The Open Web Application Security Project (OWASP) is a leading resource for online security best practices. In particular, its list of the top 10 “Most Critical Web Application Security Risks” is a de facto application security standard.
The recently released 2017 edition of the OWASP Top 10 marks its first update since 2013 and reflects a number of fundamental changes to the architecture of applications seen in recent years.
Security researchers will face some of the attack types detailed in the OWASP Top 10 on a daily basis and will have good insight into how to defend against them.
But how has the top ten list changed, are the new additions justified and how does the list compare to the attacks security teams are encountering most frequently today?
The Latest Report
OWASP’s 2017 report includes an updated threat/risk rating system made up of categories such as exploitability, prevalence and detectability, as well as technical and business impact. The attacks outlined below are the newest web application threats, as seen in the 2017 OWASP Top 10.
A4 — XML External Entity (XXE)
A new category supported primarily by SAST data sets, XML External Entity (XXE) attacks take advantage of older or poorly configured XML processors to process hostile content embedded in an XML document.
By exploiting vulnerable code, dependencies or integrations in those processors, perpetrators can initiate a remote request from the server, scan internal systems and launch denial-of-service (DoS) attacks. Any application that accepts XML, or that inserts untrusted data into XML documents, can be vulnerable. Companies can help mitigate this particular threat by:
- Using multiple techniques in order to block XXE threats, as opposed to a single line of defence which an attacker might be able to leapfrog over; a multi-pronged approach can offer extra layers of protection from this emerging threat vector.
- Using a correlation engine (a genomic data and decision tool) to combine information from the web application profile with out-of-the-box attack signatures.
- Using attacker data (e.g. IP addresses, attack signatures, etc.) as correlated by security researchers in order to quickly and accurately pinpoint known malicious users and block their access to protected sites.
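The layered approach in the first bullet can be applied at the parser itself. The example below is added here and is not code from the article or from Imperva: it stacks a size limit and an outright refusal of any DTD (the place where both external entities and the entity-expansion trick behind XXE-based DoS are declared) in front of Python’s standard library XML parser. The limit, the error type and the sample documents are constructed for this illustration; the placeholder file path in the rejected sample is not a real target.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Hypothetical limit for this example; tune it to the documents the service really accepts.
MAX_DOCUMENT_BYTES = 1_000_000

# Any DTD is refused outright: external entities (SYSTEM/PUBLIC) and the
# internal-entity expansion used for entity-expansion DoS both live in the DTD.
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when a document fails one of the pre-parse checks."""


def check_xml(data: bytes) -> Optional[str]:
    """Return None if the document passes the layered checks, else the reason it fails."""
    if not isinstance(data, (bytes, bytearray)):
        return "expected raw bytes"
    if len(data) > MAX_DOCUMENT_BYTES:
        return "document exceeds size limit"
    if _DTD_MARKER.search(data):
        return "DTD or entity declaration present"
    return None


def safe_parse_xml(data: bytes) -> ET.Element:
    """Parse untrusted XML only after check_xml() has accepted it."""
    reason = check_xml(data)
    if reason is not None:
        raise UnsafeXMLError(reason)
    # With no DTD allowed, the parser has no entity definitions to resolve or expand.
    return ET.fromstring(data)


# Constructed sample inputs (not from the article).
BENIGN_DOC = b'<?xml version="1.0"?><order id="42"><item sku="A1" qty="2"/></order>'
EXTERNAL_ENTITY_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    b"<order>&ext;</order>"
)
EXPANSION_DOC = (
    b'<!DOCTYPE lol [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
    b"<lol>&b;</lol>"
)

if __name__ == "__main__":
    samples = (
        ("benign", BENIGN_DOC),
        ("external entity", EXTERNAL_ENTITY_DOC),
        ("entity expansion", EXPANSION_DOC),
    )
    for name, doc in samples:
        try:
            root = safe_parse_xml(doc)
            print(f"{name}: accepted, root element <{root.tag}>")
        except UnsafeXMLError as exc:
            print(f"{name}: rejected ({exc})")
```

Refusing every DTD is deliberately coarse: a legitimate document that carries a DOCTYPE for schema purposes will be rejected too, so the check belongs on endpoints where plain XML without a DTD is the expected input. Rejections are worth logging with the reason string, which ties this control to the monitoring point later in the article.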
A8 — Insecure Deserialization
Deserialization, i.e., the reconstruction of data from a series of bytes, happens constantly when applications communicate with each other. Improperly secured deserialization can lead to remote code execution, replay attacks, injection attacks, privilege escalation attacks and more.
Researchers for Imperva recently discovered that insecure deserialization attacks have increased by 300 percent in the last three months. Attackers are taking advantage of insecure deserialization vulnerabilities in networks and installing malware on target machines to illegally mine for cryptocurrency.
Insecure deserialization is a very real and prominent threat in today’s threat landscape. The best way organisations can protect against this attack vector is to ensure all their systems are up to date with the latest security patches. This can be done either through manual or virtual patching.
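Patching closes known holes in the deserializer; the code that calls it can add a second layer by refusing to instantiate anything it does not expect. The example below is added here and is not code from the article or from Imperva. It uses Python’s pickle module, whose Unpickler calls find_class() for every class or function referenced in a byte stream, which is exactly the hook a hostile stream relies on. The allow-list, the helper names and the sample streams are constructed for this illustration; the rejected sample uses a harmless class that is simply not on the list, which is enough to show the control working.

```python
import collections
import datetime
import importlib
import io
import pickle
from typing import Any, Tuple

# Hypothetical allow-list for this example: the only globals the application
# legitimately expects inside a serialised message.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every class or function not on the allow-list.

    pickle calls find_class() for each GLOBAL reference in the stream; refusing
    here means unexpected types are never imported, let alone instantiated.
    """

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not permitted")


def restricted_loads(data: bytes) -> Any:
    """Drop-in replacement for pickle.loads() on untrusted input."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes) -> Tuple[bool, Any]:
    """Return (accepted, value-or-reason) so callers can log rejections instead of crashing."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample streams (not from the article): what a peer service might send.
SAMPLE_PLAIN = pickle.dumps({"user": "alice", "roles": ["viewer"]})
SAMPLE_ALLOWED_CLASS = pickle.dumps(collections.OrderedDict(user="bob"))
# A harmless class that is absent from the allow-list: still refused, which is the point.
SAMPLE_UNLISTED_CLASS = pickle.dumps(datetime.date(2017, 11, 20))

if __name__ == "__main__":
    samples = (
        ("plain containers", SAMPLE_PLAIN),
        ("allow-listed class", SAMPLE_ALLOWED_CLASS),
        ("unlisted class", SAMPLE_UNLISTED_CLASS),
    )
    for label, stream in samples:
        ok, result = try_load(stream)
        print(f"{label}: {'accepted' if ok else 'rejected'} -> {result!r}")
```

Plain dicts, lists and strings never go through find_class(), so they pass unchanged; anything that names a class must be on the list. Where the message format is under your control, a data-only format such as JSON with schema validation removes the problem at the source, and the allow-list is the fallback for formats you cannot change.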
A10 — Insufficient Logging and Monitoring
Insufficient logging and monitoring, when combined with ineffective incident response, allows attackers to strengthen and prolong attack strategies, maintain their persistence, “pivot to more systems, and tamper, extract, or destroy data”.
This is an interesting addition to OWASP’s list of application threats. Organizations that fail to log and monitor threats properly run the risk of wasting already scarce resources combing over old incidents, work that would not be necessary had those incidents been properly logged. Proper logging can also reduce the number of false positives present, particularly when used in conjunction with a well-programmed machine learning product.
To make room for these new additions, OWASP adjusted the following threats:
- Insecure direct object references and missing function level access control were merged into a new category called broken access control.
- CSRF was downgraded to number 13 on OWASP’s list of security threats.
- Unvalidated redirects and forwards was downgraded to number 25.
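The monitoring half of A10 only pays off when application logs carry enough context (timestamp, event, source address, user, resource) to run detections over them. The example below is added here and is not code from the article or from Imperva: it parses a handful of constructed application log lines in a hypothetical format, raises an alert when one source address accumulates failed logins within a sliding window, and lists every authorization denial, since a single denied request to an administrative resource is worth a look on its own. Threshold, window and addresses (RFC 5737 documentation ranges) are all assumptions for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical log format for this example:
#   <ISO timestamp> <event> ip=<addr> user=<name> [resource=<path>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+)(?P<rest>.*)$"
)
RESOURCE_RE = re.compile(r"resource=(\S+)")

FAILED_LOGIN_THRESHOLD = 5          # assumed: alert at the fifth failure ...
WINDOW = timedelta(minutes=2)       # ... from one address within two minutes


def parse_line(line: str) -> Optional[dict]:
    """Turn one log line into a record, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    resource = RESOURCE_RE.search(m["rest"])
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event": m["event"],
        "ip": m["ip"],
        "user": m["user"],
        "resource": resource.group(1) if resource else None,
    }


def detect_login_bursts(lines, threshold=FAILED_LOGIN_THRESHOLD, window=WINDOW) -> List[Tuple[str, int, str]]:
    """Return (ip, failures_in_window, time) once per address that reaches the threshold."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "LOGIN_FAIL":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append((rec["ip"], len(q), rec["ts"].isoformat()))
    return alerts


def detect_access_denials(lines) -> List[Tuple[str, str, str]]:
    """Return (user, ip, resource) for every authorization failure, however few."""
    return [
        (rec["user"], rec["ip"], rec["resource"] or "?")
        for rec in map(parse_line, lines)
        if rec is not None and rec["event"] == "ACCESS_DENIED"
    ]


# Constructed sample log (not from the article): one address cycling through usernames.
SAMPLE_LOG = """
2017-11-20T10:00:01 LOGIN_FAIL ip=203.0.113.7 user=alice
2017-11-20T10:00:05 LOGIN_FAIL ip=203.0.113.7 user=bob
2017-11-20T10:00:09 LOGIN_FAIL ip=203.0.113.7 user=carol
2017-11-20T10:00:12 LOGIN_OK ip=198.51.100.2 user=dave
2017-11-20T10:00:15 LOGIN_FAIL ip=203.0.113.7 user=erin
2017-11-20T10:00:20 LOGIN_FAIL ip=203.0.113.7 user=frank
2017-11-20T10:00:31 LOGIN_FAIL ip=198.51.100.9 user=dave
2017-11-20T10:00:44 ACCESS_DENIED ip=198.51.100.2 user=dave resource=/admin/export
2017-11-20T10:09:00 LOGIN_FAIL ip=203.0.113.7 user=grace
""".strip().splitlines()

if __name__ == "__main__":
    for ip, count, when in detect_login_bursts(SAMPLE_LOG):
        print(f"ALERT login burst: {count} failures from {ip} by {when}")
    for user, ip, resource in detect_access_denials(SAMPLE_LOG):
        print(f"REVIEW access denied: user={user} ip={ip} resource={resource}")
```

The burst detector fires once per address and then stays quiet, so a long-running attempt produces one alert rather than hundreds; the late failure at 10:09 falls outside the window and is not counted. Both detections depend on every login and authorization decision being logged with a source address and a user, which is the logging half of the control.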
2017 Top 10 in Comparison with Today’s Threat Landscape
The 2017 OWASP Top 10 report contains a number of changes that better reflect the current application threat landscape. However, there are several points that could have been better explained as well as several missed opportunities to address additional application threats.
The 2017 Top 10 looks sharper than the 2013 version, in that it focuses more on trending topics and technologies.
A number of attacks listed in the 2013 report have since become less of an issue and were removed from the list with good reason. For example, less than five percent of data sets support CSRF today, while less than one percent support invalid redirects and forwards.
Meanwhile, new categories such as XML external entity (XXE), insecure deserialization and insufficient logging and monitoring allow for a better security posture against the attack surfaces of newer application designs, such as REST requests, API interactions and XML data transmissions.
Several categories in the new Top 10 weren’t well described. In particular, injection is still too broad a topic and doesn’t give enough background on the types of injection to which vulnerable applications might be exposed.
Regarding “Unvalidated Redirects and Forwards”, which is also an input validation control and a highly probable XSS, its removal from the Top 10 seems sensible. That said, it’s still a prominent threat that should have been more explicitly mentioned or included as part of another control, and not just downgraded.
While new controls have been added to the Top 10, “insufficient logging and monitoring” doesn’t seem to fit the bill. The Top 10 should focus on tangible controls that can prevent or minimize the risk of being exposed to a bug. A logging and monitoring solution is an important tool for web application security. That said, it’s a reactive control and doesn’t sit comfortably alongside the other controls on the list, which are preventative.
Daniel Svartman, Security Researcher at Imperva
Image Credit: BeeBright / Shutterstock