Week 10.2 OWASP Introduction - Hsanokklis/2023-2024-Tech-journal GitHub Wiki
Project: OWASP_Object-Reference Slideshow
What are the differences between 2017 and 2021 OWASP Top 10?
There are multiple changes between the 2017 and 2021 editions of the OWASP Top 10 ranking. Below you can find the visualization of the changes.
One of the main changes is that several category names were changed to focus on the root cause rather than the symptom, which makes them easier to understand. A term worth defining in order to understand why some categories moved is Common Weakness Enumeration (CWE). CWEs are a community-developed catalogue of common software and hardware weakness types. They can be used when building software or hardware to identify the areas of greatest concern.
A01:2021 Broken Access Control
moved from fifth to first in 2021 and is now named the most serious web application security risk. This is because 34 CWEs are mapped to Broken Access Control, with more occurrences in applications than any other category.
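The most common shape of this category is a direct object reference that the server never checks against the caller. The following is an added example (not code from the wiki or from OWASP) showing a vulnerable lookup beside a hardened one; the `Invoice` records, user ids and function names are all constructed for the illustration.

```python
"""Added example: an object lookup that trusts the request id (vulnerable)
beside one that enforces ownership server-side (hardened).

All records, ids and function names are constructed for this example and are
not part of any real application or framework.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: two users, each owning exactly one invoice.
INVOICES = {
    1001: Invoice(invoice_id=1001, owner_id=1, amount=120.0),
    1002: Invoice(invoice_id=1002, owner_id=2, amount=980.0),
}


class Forbidden(Exception):
    """Raised when the caller is not authorised to read the requested object."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """Vulnerable: returns whatever id the request names.

    The current user is accepted as a parameter but never consulted, so user 1
    can read user 2's invoice simply by changing the id in the request.
    """
    return INVOICES[invoice_id]


def get_invoice_hardened(current_user_id: int, invoice_id: int) -> Invoice:
    """Hardened: look the object up, then enforce ownership before returning it.

    Deny by default: an unknown id and an id owned by someone else produce the
    same error, so the check does not leak which ids exist.
    """
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != current_user_id:
        raise Forbidden(f"user {current_user_id} may not access invoice {invoice_id}")
    return invoice


def demo() -> dict:
    """Compare both paths for user 1 asking for user 2's invoice."""
    leaked_owner = get_invoice_vulnerable(1, 1002).owner_id  # vulnerable path hands it over
    try:
        get_invoice_hardened(1, 1002)
        hardened_denied = False
    except Forbidden:
        hardened_denied = True
    return {"leaked_owner": leaked_owner, "hardened_denied": hardened_denied}


if __name__ == "__main__":
    print(demo())
```

The fix is not input validation on the id (a valid id is still someone else's); it is an authorization decision made on the server with the authenticated identity, applied on every object access.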
A02:2021 Cryptographic Failures
was previously known as A3:2017 Sensitive Data Exposure and moved up from third to second. It was renamed because the old name described a broad symptom, whereas the new name describes a specific cause: failures related to cryptography and what those failures impact. As the retired name suggests, cryptographic failures can lead to the exposure of sensitive data or even system compromise, which is why it is ranked second on the list.
A03:2021 Injection
moved down to third place. The CWEs mapped to this category have the second-most occurrences in applications. The category includes Cross-Site Scripting, which is one of the most common forms of injection.
A04:2021 Insecure Design
is a new category that focuses on risks related to design flaws in applications. An insecure design cannot be fixed by a perfect implementation, so creating a standardized secure design architecture is imperative for application security. This is why the category is ranked fourth: design is one of the fundamental parts of application security.
A05:2021 Security Misconfiguration
moved from sixth to fifth. 90% of applications were tested for misconfiguration, returning an incidence rate of 4.5% with 208k occurrences of CWEs mapped to the category.
A4:2017 XML External Entities (XXE)
was consolidated into this category, because an attacker is able to interfere with an application's processing of XML data when a poorly configured parser processes XML input that references an external entity.
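Since XXE is now treated as a configuration problem, the practical question is what a safe parser entry point looks like. Below is an added example (not from the wiki or from OWASP) using only the Python standard library: it refuses any untrusted document that carries a `DOCTYPE` or `ENTITY` declaration, because that is where external entity references are declared, and only then hands the text to `xml.etree`. The sample documents and the function names are constructed for this example.

```python
"""Added example: refuse DOCTYPE/ENTITY declarations in untrusted XML before parsing.

External entities can only be declared inside a DOCTYPE, so rejecting any
document that carries one removes the XXE surface without depending on
parser feature flags that differ between libraries.  Sample documents and
function names are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# XML keywords are case-sensitive, but match loosely so a malformed variant is
# still refused rather than passed on to the parser.
_DECLARATION_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when untrusted XML contains a DOCTYPE or entity declaration."""


def parse_untrusted_xml(text: str) -> ET.Element:
    """Parse XML from an untrusted source, rejecting DOCTYPE/ENTITY declarations."""
    if _DECLARATION_RE.search(text):
        raise UnsafeXML("DOCTYPE/ENTITY declarations are not accepted from untrusted input")
    return ET.fromstring(text)


def is_accepted(text: str) -> bool:
    """Convenience wrapper: True if the document passes the pre-check and parses."""
    try:
        parse_untrusted_xml(text)
        return True
    except (UnsafeXML, ET.ParseError):
        return False


# Constructed sample: a benign order document.
BENIGN = "<order><item sku='A1'>2</item></order>"

# Constructed sample: the same document shape, but with an external entity
# declared in a DOCTYPE (placeholder URI; the declaration alone is what we refuse).
WITH_EXTERNAL_ENTITY = (
    "<?xml version='1.0'?>"
    "<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder/path'>]>"
    "<order>&ext;</order>"
)


if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN))
    print("entity document accepted:", is_accepted(WITH_EXTERNAL_ENTITY))
```

In production code the usual route is the `defusedxml` package, which applies this kind of refusal (and limits on entity expansion) for every stdlib parser; the pre-check above shows the principle with no dependencies.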
A06:2021 Vulnerable and Outdated Components
was previously known as Using Components with Known Vulnerabilities and moved from ninth to sixth. This category does not have any CWEs, but it makes the ranking because of the difficulty of assessing the risk and vulnerabilities of applications that use vulnerable and outdated components.
A07:2021 Identification and Authentication Failures
was previously known as Broken Authentication and moved from second to seventh. The renamed category includes more CWEs related to identification failures. It was placed lower in the ranking because the availability of standardized frameworks appears to be helping reduce these failures.
A08:2021 Software and Data Integrity Failures
is a new category that centers on implementing, installing, updating and maintaining software without first checking its integrity. It has one of the highest weighted impacts in the Common Vulnerabilities and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. The category now includes A8:2017 Insecure Deserialization, because it encompasses checking that serialized objects such as JSON, XML or YAML are not malicious.
A09:2021 Security Logging and Monitoring Failures
was previously known as A10:2017 Insufficient Logging and Monitoring and moved up one place, from tenth to ninth. The category was broadened to include more types of failures, but it remains low in the ranking because it is not well represented in CVE/CVSS data and is difficult to test for.
A10:2021 Server-Side Request Forgery
is a new category at tenth place, included because of the impact of the attack. An SSRF attack is a web security vulnerability that allows an attacker to cause the server-side application to make requests to an unintended or unauthorized location.
New entries for 2021
A04:2021 Insecure Design
The way an application is built is the foundation of its security. This category highlights risks related to the design of applications and calls for the "Secure by Design" principle, which emphasizes building cybersecurity into the design of technology products. The principle is meant to be applied at the design phase of a product's development lifecycle, with the goal of reducing the number of vulnerabilities in the product before it reaches the market. Features of this include secure configurations enabled by default, and security features such as MFA, logging and SSO available at no additional cost to the user. A factor contributing to the insecure design of applications is the lack of business risk assessments, which are needed to determine the level of security design a piece of software or system requires. One remediation is to create standard business security requirements, such as requirements for protecting the confidentiality, integrity and availability (CIA) of the business's data.
A08:2021 Software and Data Integrity Failures
Keeping the integrity of data entails making sure it cannot be corrupted or altered in any way by an unauthorized entity. This category covers failures of code and infrastructure to protect the integrity of data and software. It emphasizes the need for secure continuous integration/continuous delivery (CI/CD) pipelines, in order to deter malicious actors from gaining unauthorized access, injecting malicious code into updates, or even compromising an entire system. Ways to verify the integrity of software and data include digital signatures, trusted repositories, and a correctly configured CI/CD pipeline.
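The two A08 passages (the summary above and this one) both come down to one rule: verify before you install or deserialize. The following is an added example, not code from the wiki or from OWASP, of a deploy step that checks a pinned SHA-256 digest and a publisher tag before it will `json.loads` a release file. It uses HMAC-SHA256 as a stand-in for a digital signature so it runs with the standard library alone; a real pipeline would verify an asymmetric signature (GPG, Sigstore) with the publisher's public key. The key, artifact, digest and tampered copy are all constructed.

```python
"""Added example: verify an artifact's integrity before deserializing or installing it.

HMAC-SHA256 stands in for a publisher's digital signature so the example runs
offline with the standard library; real pipelines verify an asymmetric
signature with a public key.  Key, artifact, digest and the tampered copy are
all constructed for this example.
"""
import hashlib
import hmac
import json

# Constructed: the secret the trusted publisher used to tag the release.
PUBLISHER_KEY = b"example-publisher-key-not-for-real-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publisher_tag(artifact: bytes) -> str:
    """The tag a trusted publisher attaches to a release (signature stand-in)."""
    return hmac.new(PUBLISHER_KEY, artifact, hashlib.sha256).hexdigest()


class IntegrityError(Exception):
    """Raised when an artifact fails either integrity check."""


def verify_and_load(artifact: bytes, tag: str, pinned_digest: str) -> dict:
    """Refuse to deserialize unless the pinned digest AND the publisher tag match.

    compare_digest is used so a mismatch does not leak timing information about
    how many leading characters matched.
    """
    if not hmac.compare_digest(sha256_hex(artifact), pinned_digest):
        raise IntegrityError("digest mismatch: artifact differs from the pinned release")
    if not hmac.compare_digest(publisher_tag(artifact), tag):
        raise IntegrityError("tag mismatch: artifact was not produced by the trusted publisher")
    # Only after both checks pass is it safe to deserialize the contents.
    return json.loads(artifact)


def install_outcome(artifact: bytes, tag: str, pinned_digest: str) -> str:
    """Human-readable result of the deploy step, for the demo and the checks."""
    try:
        release = verify_and_load(artifact, tag, pinned_digest)
        return f"installed version {release['version']}"
    except IntegrityError as exc:
        return f"rejected: {exc}"


# Constructed release: a small config file the pipeline would deploy, with the
# digest the deployer pinned and the tag the publisher attached.
GOOD_ARTIFACT = json.dumps({"version": "1.4.2", "plugins": ["auth"]}).encode()
GOOD_DIGEST = sha256_hex(GOOD_ARTIFACT)
GOOD_TAG = publisher_tag(GOOD_ARTIFACT)

# Constructed tampered copy: an extra plugin inserted in transit.
TAMPERED_ARTIFACT = json.dumps(
    {"version": "1.4.2", "plugins": ["auth", "unexpected-plugin"]}
).encode()


if __name__ == "__main__":
    print(install_outcome(GOOD_ARTIFACT, GOOD_TAG, GOOD_DIGEST))
    print(install_outcome(TAMPERED_ARTIFACT, GOOD_TAG, GOOD_DIGEST))
```

The order matters: the digest pin catches a swapped artifact, the tag catches one that was re-pinned by someone who is not the publisher, and deserialization never runs on bytes that failed either check.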
A10:2021 Server-Side Request Forgery
Server-Side Request Forgery (SSRF) is an attack in which an attacker gains access to a web server and uses it to make requests to unauthorized internal or external resources. This is done in a variety of ways, such as manipulating URLs or URL parameters: the attacker crafts a URL so that when the server processes it, it makes an unintended request to a resource. This can be done through URL redirection, protocol manipulation, IP address manipulation, or URL encoding. The attack can cause data breaches, server exploitation, or system/network compromise. To prevent this attack, developers should implement defense-in-depth controls such as segmenting remote resources into separate networks, or enforcing "deny by default" firewall policies or access control rules that block all but essential intranet traffic.
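Alongside the network-level controls above, the application itself should apply a "deny by default" policy to any URL it is asked to fetch. The following is an added example, not code from the wiki or from OWASP, of such a validator for both A10 passages on this page: it allows only `https`, only a fixed set of hostnames, only the default port, and rejects credentials in the URL and IP literals in non-public ranges. The allowlist, hostnames and function names are constructed for the illustration.

```python
"""Added example: deny-by-default validation of a user-supplied URL before the
server fetches it.  Allowlist, hostnames and function names are constructed
for this example and belong to no real application.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Constructed allowlist: the only hosts this application legitimately fetches from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_PORTS = {None, 443}  # None means the scheme default


def _is_non_public_ip_literal(host: str) -> bool:
    """True if host is an IP literal that is private, loopback, link-local or reserved."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return not addr.is_global


def validate_outbound_url(url: str) -> str:
    """Return the URL unchanged if it passes every check, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname or ""  # urlsplit lowercases and strips IPv6 brackets
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in the URL are not allowed")
    if _is_non_public_ip_literal(host):
        raise ValueError(f"non-public IP literal not allowed: {host!r}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on the allowlist: {host!r}")
    if parts.port not in ALLOWED_PORTS:  # .port raises ValueError itself on junk
        raise ValueError(f"port not allowed: {parts.port}")
    return url


def is_allowed(url: str) -> bool:
    """Boolean wrapper around validate_outbound_url for logging or tests."""
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate fetch and several that the policy refuses.
    for candidate in (
        "https://api.example.com/v1/items",
        "http://api.example.com/v1/items",
        "https://127.0.0.1/",
        "https://api.example.com@other.example.net/",
    ):
        print(f"{is_allowed(candidate)!s:5} {candidate}")
```

Two caveats a practitioner would add: the fetching client must not follow redirects (or must re-validate each hop), and the allowlisted hostnames must resolve only to public addresses, otherwise the name-based check can be bypassed by whoever controls that DNS record.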