Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11/21/2017
06:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New OWASP Top 10 List Includes Three New Web Vulns

But dropping cross-site request forgeries from list is a mistake, some analysts say.

After months of review, the Open Web Application Security Project has finally formally updated its widely used, if somewhat disputed, ranking of top Web application security vulnerabilities.

OWASP's Top 10 list for 2017 replaces three vulnerability categories from the previous list with new ones and shuffles a couple of others around in moves that not everybody agrees with.

As with previous years, injection vulnerabilities such as SQL and LDAP injection topped the list of OWASP's concerns for 2017, followed by incorrectly implemented authentication and session management functions. Cross-site scripting errors, which ranked third in OWASP's 2013 list, dropped to the seventh spot in this year's ranking, while cross-site request forgeries (CSRF) dropped out altogether.

Making its appearance for the first time in OWASP's top 10 list is a category dubbed XML external entities (XXE), pertaining to older and poorly configured XML processors. Data gathered from source code analysis testing tools supported inclusion of XXE as a new vulnerability in the top 10 list, according to OWASP.

The two other new additions to the list are insecure deserialization errors, which enable remote code execution on affected platforms, and insufficient logging and monitoring. Both of these new vulnerability categories were added to the list based on feedback from community members who contribute to the OWASP effort.

Making way for these new categories were insecure direct object references and missing function level access control errors, which along with CSRF, dropped out of the OWASP's top 10 ranking.

The list was compiled using community feedback, from data collected from dozens of organizations that specialized in application security and from a survey of more than 500 individuals. Data in the report was distilled from vulnerability information gathered from more than 100,000 applications and APIs used by hundreds of organizations.

Like OWASP's previous vulnerability rankings, the new one — the first major revision to the list in four years — should end up being a vital asset for organizations looking for high-level guidance on prioritizing Web application vulnerabilities. But not everyone is convinced that the updated list necessarily includes the top Web application security concerns.

Jeremiah Grossman, chief of security strategy at SentinelOne, says one problem is that the list focuses less on legacy application concerns and more on what developers of modern applications should be paying attention to. It's a bit surprising, for instance, that CSRF has been removed from the list, considering how common the vulnerability is in existing legacy environments. In contrast, XXE, one of the flaws on the list, is not very common but is of high severity.

"The change speaks partially to bias in the data and a split between what legacy applications and modern applications tend to be vulnerable to," Grossman says.  While modern application frameworks tend to have native protections against CSRF, legacy applications do not.

"It's important to remember that the OWASP top 10 is not an accounting for all the vulnerabilities that might cause an organization to get hacked, but more a list of the most common and risky issues that should be considered. In that way, the list is a great community resource."

Others, such as infosec consultant Josh Grossman has also expressed some skepticism in the past over the influence some security vendors have had in shaping the OWASP list. He has called out how a single vendor with a potentially vested interest has influenced two of the newly listed vulnerability categories in the OWASP list.

Ryan Barnett, principal security researcher at Akamai, expressed similar surprise at the removal of CSRF from the list and lowering the importance of cross-site scripting errors.

"While strides have been made within frameworks to build in protections for these issues, many are not used or are incorrectly applied. Additionally, XSS and CSRF are often linked in attack chains. If you have an XSS flaw on your site, it can circumvent CSRF protections," he notes.

Another concern is that the data used to justify inclusion of some security vulnerabilities in the list is almost exclusively based on static and dynamic code analysis and penetration testing from vendors, Barnett says.

While the data highlights vulnerability prevalence, it does not offer much perspective on attack likelihood. "I hope in the future that we can get more data from Web application defender organizations such as Web application firewall vendors," he says. "This data could help to justify including/excluding different items as well as help with rankings."

Some of the new vulnerability categories in OWASP's list, such as security misconfigurations, are also a bit too broad and may lead to confusion for organizations in detecting and remediating security issues, says Ilia Kolochenko, CEO of High-Tech Bridge.

But while the ordering and prioritizing of some of the flaws in the list are certainly subjective, the OWASP list does a decent job reflecting the overall state of affairs in Web security, he said. "It's pretty difficult to make a one-size-fits-all rating for Web vulnerabilities," he says.

The OWASP top 10 provides a valuable application security framework for companies and organizations. "It reminds, enumerates, and guides through the most common perils and pitfalls related to Web applications," Kolochenko says.

Related Content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
DavidLycope
100%
0%
DavidLycope,
User Rank: Apprentice
11/21/2017 | 6:38:59 PM
Thanks
Great share you made there. Thank you for pointing out this vulns
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.