The Open Web Application Security Project (OWASP) Web Top 10 list has long been the “Gold Standard” for application security testing, and the OWASP Web Top 10 is due for an update in 2017.
Typically, this list is updated and adjusted every three years (as it was in 2007, 2010 and 2013) to account for changes in the threat landscape for web applications; however, the current OWASP Web Top 10 has not been updated since 2013.
Dave Wichers, the OWASP Web Top 10 project lead, noted that the 2016 edition was deferred to 2017 due to the lack of significant changes seen in threats to web applications.
“However, we’ve been thinking about what might change in a 2016 release of the Top 10 and we don’t actually think it would change much, if at all, which is kind of sad actually. I suspect some Top 10 items might move up or down based on the vulnerability prevalence statistics that we would need to gather and process, but I have my doubts that any new vulnerability types would break into the Top 10.”
With the change to the OWASP Web Top 10 just around the corner, here is a look at some examples of appearances that the OWASP Web Top 10 made in the wild over 2016. As anyone familiar with the tempo of attacks and exploits over 2016 will know, this list is by no means exhaustive.
OWASP Top 10 Making the Headlines in 2016
A1 Injection
Topping the list are injection flaws (SQL, LDAP or OS command injection), which are easy to exploit, occur often and can have a severe impact on organizations that fail to secure their code against them.
While news of hacks during the 2016 American election became a regular occurrence, the aftermath didn’t stop once the polls closed on November 8th, 2016.
In December 2016, a malicious entity dubbed “Rasputin” was found to be selling log-on credentials for access to computers at the US Election Assistance Commission (EAC) on an underground cyber-market. The Register stresses the impact that such a sale could have made: “These administrative accounts could potentially be used to access sensitive information as well as to surreptitiously modify or plant malware on the EAC site, an excellent staging ground for a potential watering hole attack targeting government employees.”
“Rasputin” was able to access the EAC system by exploiting an unpatched SQL injection vulnerability.
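The difference between an injectable query and a parameterised one, as an added example that is not part of the original post and has nothing to do with the EAC system: the table, rows and probe input are constructed for illustration.

```python
import sqlite3

# Constructed in-memory database standing in for an application's user table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
    ("alice", "hash-a", 1),
    ("bob", "hash-b", 0),
])

def lookup_vulnerable(username: str) -> list:
    """Builds the query by string concatenation: whatever the caller supplies
    is parsed as SQL, so quotes and operators in the input rewrite the query."""
    sql = "SELECT username, password_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(username: str) -> list:
    """Parameterised query: the driver binds the value separately from the SQL
    text, so the same input is only ever compared as a literal string."""
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# A constructed test input of the kind a code reviewer uses to confirm the defect:
# a quote closes the literal and the OR makes the WHERE clause always true.
PROBE = "x' OR '1'='1"

if __name__ == "__main__":
    print(lookup_vulnerable(PROBE))  # every row: the WHERE clause was rewritten
    print(lookup_safe(PROBE))        # []: no user is literally named that
```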
A2 Broken Authentication and Session Management
Since the OWASP Top 10 list is ranked by the damage each weakness could introduce to an application, Broken Authentication and Session Management flaws follow injections in terms of severity. These security flaws have a widespread prevalence and join injections as having a severe business impact when exploited.
Sławomir Jasek from the research firm SecuRing discovered that a number of Bluetooth devices used for keyless entry and mobile point-of-sale systems are vulnerable to man-in-the-middle attacks, an issue stemming from the Bluetooth Low Energy (BLE) feature used for access control.
Read more about it here.
A3 Cross-Site Scripting (XSS)
Following injections, Cross-Site Scripting (XSS) is probably the most well-known item on the OWASP list. XSS attacks are very widespread; however, detection is relatively easy. When it comes to the damage that can be done when exploited, the impact is moderate: attackers can execute scripts in the victim’s browser, which can lead to hijacked user sessions, defaced web sites, or users being redirected to malicious sites.
Out of the numerous XSS flaws exposed in the wild this year, one of the most frightening examples was found in Yahoo’s email system. This was reported by Finland-based security researcher Jouko Pynnonen who received $10,000 USD from Yahoo’s bug bounty program for his efforts.
Hackread.com notes just how severe the ramifications from this specific flaw were: “all an attacker needed was to send an email and read the victim’s email – There was no need for the sending of a virus or tricking the victim into clicking a specific link.”
More information about this exploit can be found on Jouko Pynnonen’s blog here.
A4 Insecure Direct Object References
Insecure Direct Object References (IDOR) are common, easy-to-exploit vulnerabilities in which malicious parties bypass authorization safeguards and gain direct access to an application’s system or settings. The impact that this flaw can have on an organization, when exploited, is as severe as the data that it exposes.
An IDOR in Verizon’s email system, which left millions of users exposed, was discovered in April 2016 by Randy Westergren, a senior software developer with XDA Developers.
“I confirmed a very serious vulnerability: any user with a valid Verizon account could arbitrarily set the forwarding address on behalf of any other user and immediately begin receiving his emails — an extremely dangerous situation given that a primary email account is typically used to reset passwords for other accounts that a user might have, e.g. banking, Facebook, etc.,” described Westergren on his blog after Verizon fixed the flaw.
Read more about Verizon’s vulnerability here.
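The shape of the Verizon defect and its fix, as an added example that is not Verizon’s code and is not taken from Westergren’s write-up: the session object, mailbox store and user ids are constructed for illustration. The vulnerable handler trusts the account id in the request; the fixed handler derives it from the authenticated session.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    user_id: str  # the account the caller authenticated as

class Forbidden(Exception):
    pass

# Constructed mailbox store: account id -> forwarding address (or None).
FORWARDING: dict = {"user-1": None, "user-2": None}

def set_forwarding_vulnerable(session: Optional[Session], target_user: str, address: str) -> None:
    """Checks only that the caller is logged in, then uses the account id the
    request names: any account holder can redirect any other account's mail."""
    if session is None:
        raise Forbidden("login required")
    FORWARDING[target_user] = address

def set_forwarding_fixed(session: Optional[Session], address: str) -> None:
    """The object reference comes from the session, never from the request, so
    the caller can only change the forwarding address of their own account."""
    if session is None:
        raise Forbidden("login required")
    FORWARDING[session.user_id] = address

def demo() -> dict:
    """Runs both handlers as a logged-in 'user-2' trying to affect 'user-1'
    and returns the resulting store for inspection."""
    for k in FORWARDING:
        FORWARDING[k] = None
    caller = Session("user-2")
    set_forwarding_vulnerable(caller, "user-1", "elsewhere@example.test")
    before_fix = dict(FORWARDING)
    FORWARDING["user-1"] = None
    set_forwarding_fixed(caller, "elsewhere@example.test")
    after_fix = dict(FORWARDING)
    return {"vulnerable": before_fix, "fixed": after_fix}

if __name__ == "__main__":
    print(demo())
```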
A5 Security Misconfiguration
Security misconfigurations cover a variety of potentially crippling security flaws, such as running out-of-date software, using default passwords, error handling that reveals stack traces or other overly informative error messages, and more.
Because default settings are often insecure, secure settings should be defined, implemented and maintained to avoid introducing an attack vector.
Making, and literally breaking, the headlines in late October 2016, some of the most popular websites on the internet went down as a result of a DDoS attack carried out by IoT devices with default passwords that had been turned into a malicious botnet.
Read more about this massive DDoS attack here.
A6 Sensitive Data Exposure
While sensitive data exposures are usually difficult to exploit, the impact is often severe. An application’s sensitive data that can be accessed by malicious parties includes credit card numbers, tax IDs and authentication credentials, and the result of an exploit is usually credit card fraud, identity theft and other crimes with a severe potential impact on both the victims and the breached organization.
It was a sensitive data exposure flaw that led to 100 million-plus hacked user records from Russia’s biggest social networking site, VK.com, being put up for sale, plain text passwords included.
Read more about the VK hack here.
A7 Missing Function Level Access Control
Vulnerabilities involving missing function level access control are easy to exploit and can cause moderate damage as a result. When such flaws are exploited, hackers gain access to unauthorized functionality, such as administrative functions. This category, as the author groups it here, includes path traversals.
A path traversal flaw was discovered in Ubuntu Linux desktops which allows hackers to remotely execute code by tricking a victim into downloading a booby-trapped file.
Read more about the Ubuntu vulnerability here.
A8 Cross-Site Request Forgery (CSRF)
Compared to other items on the Web Top 10 list, CSRFs are easy to detect. When hackers exploit a CSRF, they make a logged-on user’s browser send a forged HTTP request, which includes the victim’s session cookie and other authentication information, to a vulnerable web application. As a result, the malicious party is able to generate requests to this application which appear to be legitimate requests from the victim.
Security researcher Andrew Fasano found 10 flaws, including a CSRF, which hackers can combine to compromise McAfee Linux clients by spinning up malicious update servers.
Read more about the McAfee vulnerabilities here.
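The synchronizer-token defence against the forged-request scenario described under A8, as an added example that is not part of the original post and is unrelated to the McAfee client: the session store and form contents are constructed for illustration. The browser attaches the session cookie to a cross-site POST automatically, but a cross-site page cannot read the per-session token, so a handler that requires the token rejects the forged request.

```python
import hmac
import secrets

# Constructed session store: session id -> session data, including its CSRF token.
SESSIONS: dict = {}

def start_session() -> str:
    """Creates a session and mints a random CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid: str) -> str:
    """Handed to the legitimate page so it can embed the token in its own forms."""
    return SESSIONS[sid]["csrf"]

def handle_vulnerable(cookie_sid: str, form: dict) -> bool:
    """Authorises the state change on the cookie alone. A request forged from
    another site carries the victim's cookie, so it is accepted as the victim's."""
    return cookie_sid in SESSIONS

def handle_protected(cookie_sid: str, form: dict) -> bool:
    """Also requires the form to carry the token bound to that session, compared
    in constant time. A forged request has the cookie but not the token."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return False
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(supplied, session["csrf"])

if __name__ == "__main__":
    sid = start_session()
    forged = {"action": "change_email", "email": "elsewhere@example.test"}
    print(handle_vulnerable(sid, forged), handle_protected(sid, forged))  # True False
    print(handle_protected(sid, dict(forged, csrf_token=csrf_token_for(sid))))  # True
```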
A9 Using Components with Known Vulnerabilities
This is one of the broader items on the OWASP Top 10 as it covers a wide array of attack vectors. As most modern applications are assembled rather than entirely built with homegrown code, many use plugins, code or components that may include known vulnerabilities.
Hackers were able to leak 45 million records from over 1,000 forums and websites in the VerticalScope network due, in part, to the use of vulnerable WordPress components and plugins.
Read more about this hack here.
A10 Unvalidated Redirects and Forwards
While the OWASP 2013 Top 10 PDF considers this flaw uncommon, attacks of this sort are more common than many think. All websites forward their users to other pages, both within their own site and elsewhere, and sometimes the data used to determine the destination page is untrusted; without proper validation, this allows attackers to redirect users to phishing or other fraudulent sites.
In February, Threatpost reported on an open redirect vulnerability that was found, and patched, on the login page of sites running WordPress version 4.4.1. The patched release, 4.4.2, was WordPress’ second update of 2016, as 4.4.1 had been issued to fix an XSS flaw.
Read more about this WordPress flaw here.
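One way to validate an untrusted redirect destination, as an added example that is not part of the original post and is not WordPress’ code: the allowlisted hosts are constructed for illustration. It goes a little beyond the paragraph by also covering the protocol-relative and backslash forms that a naive “starts with /” check lets through.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts this site is willing to send users to.
ALLOWED_HOSTS = {"www.example.test", "accounts.example.test"}

def safe_redirect_target(requested: str, default: str = "/") -> str:
    """Returns a redirect target derived from untrusted input, or the default.

    Accepted forms:
      (a) a same-site relative path starting with exactly one '/';
      (b) an absolute https URL whose host is on the allowlist.
    Anything else (other schemes, unknown hosts, '//host' protocol-relative
    forms, userinfo tricks such as 'https://good@evil/') yields the default.
    """
    if not requested:
        return default
    # Browsers treat a backslash like a forward slash; normalise before parsing
    # so '/\\host' is seen as the protocol-relative '//host' it really is.
    candidate = requested.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: one leading '/' keeps it on this site.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    # hostname is lower-cased and excludes any userinfo and port.
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return candidate
    return default

if __name__ == "__main__":
    for sample in ["/account", "//evil.example/", "https://accounts.example.test/login",
                   "/\\evil.example", "https://www.example.test@evil.example/"]:
        print(repr(sample), "->", safe_redirect_target(sample))
```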
Learn more about how Checkmarx can secure your code against these security threats and more here.