The latest edition of the Open Web Application Security Project Top Ten was released in 2017, four years after the previous one. Therefore, we can expect that the new version of this cybersecurity report will be out sometime next year. Let us have a look at the current state of web application security based on Acunetix research (the 2020 Acunetix Web Application Vulnerability Report) and market observation, see how it aligns with the latest OWASP Top 10, and forecast what it may mean for OWASP Top 10 2021.
A1:2017-Injection → A5
The Injection category in OWASP Top 10 includes many different types of security flaws that are easily detected by professional DAST tools such as Acunetix. These are, for example, SQL injections, code injections, OS command injections, LDAP injections, and many more. Most of these vulnerabilities are of high severity and may lead to even more serious issues such as remote code execution.
The latest Acunetix Web Application Vulnerability Report, however, sees a decline in the number of injections in general. We only included two major types in the report: SQL injection attacks and host header injection attacks.
SQL injections, which are the most common and one of the most dangerous types of injections, are steadily declining, mostly due to the fact that the majority of development environments and programming languages now have suitable mechanisms to easily protect against them.
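As an added illustration of the "suitable mechanisms" mentioned above (example code written for this article, not Acunetix's own code), the following Python snippet runs the same lookup twice against a constructed in-memory SQLite table: once with string concatenation, once with a parameterized query. It also shows the error-based symptom a DAST tool looks for: a value containing a lone quote breaks the concatenated query but is handled as plain data by the parameterized one. Table contents and test inputs are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed sample database for the example: three user records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """String concatenation: the input becomes part of the SQL grammar,
    so a value containing a quote changes the meaning of the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver passes the value separately from the
    statement, so the input is always data and never SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? ORDER BY id"
    return conn.execute(sql, (name,)).fetchall()


def quote_breaks_query(conn, name):
    """Error-based check: a syntax error on a value with a lone quote is the
    classic symptom a scanner uses to flag an injection point."""
    try:
        find_user_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = build_db()
    # Constructed probe value: a quote followed by an always-true condition.
    probe = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, probe))   # all three rows
    print("safe:      ", find_user_safe(conn, probe))         # no rows
    print("lone quote breaks vulnerable query:", quote_breaks_query(conn, "O'Brien"))
```

The parameterized version is what modern frameworks and ORMs do by default; the vulnerable version is what a scanner still finds wherever queries are assembled by hand.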
Despite the fact that Injection was the number one category in both 2013 and 2017, we predict that in OWASP Top 10 2021, it will be classified as A5:2021.
A2:2017-Broken Authentication → A1
The Broken Authentication category in OWASP Top 10 focuses on weak or default passwords. Unfortunately, such passwords remain a major problem for all types of web applications. With the advances in GPU technology, weak passwords (even when hashed with a strong algorithm) are now very easy to break using brute-force attacks.
What is even worse is that administrators teach bad habits to their users. Many organizations follow the worst possible policies for password selection. They focus on lowercase and uppercase, numbers, and special characters – not on password length itself. They also force users to change their passwords often, which causes people to use insecure passwords by adding predictable characters or numbers at the end of the previous password.
Password strength meters also mislead users, as Paul Moore recently showed on Twitter: a 10-character password made of uppercase and lowercase letters and digits, hashed with SHA-256 (a hash function generally considered very secure), was cracked in just 5 days, yet password strength meters rated it as safe.
It is very important to follow good password habits. Also, a professional DAST scanner like Acunetix will help you find the most common or default passwords if used for your web applications. Based on the last Acunetix report, weak passwords in web applications are not that common, but this does not take into consideration the possibility of easily breaking passwords shorter than 10 characters using a GPU if hashes are exposed.
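The points above (length matters more than character classes, forced rotation produces predictable variations, common and default passwords are easy to find) can be checked mechanically. The following Python snippet is an added example written for this article, not an Acunetix product feature: it computes the search space of a policy in bits, estimates cracking time at an assumed guess rate, and evaluates a candidate password against a constructed (and deliberately tiny) common-password list and against the user's previous password. The minimum length of 12 and the guess rates are assumptions for the example.

```python
import math
import re

# Constructed stand-in for the common/default password lists a scanner or
# policy check would use; real lists are far longer.
COMMON_PASSWORDS = {"password", "123456", "admin", "welcome1", "password1!", "qwerty"}

_TRAILING = re.compile(r"[0-9!@#$%^&*]+$")


def keyspace_bits(length, charset_size):
    """Search space of a random password in bits: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def crack_time_days(bits, guesses_per_second):
    """Expected days to find the password at a given guess rate
    (on average half the keyspace has to be tried)."""
    return (2 ** bits / 2) / guesses_per_second / 86400


def looks_like_rotated(old, new):
    """Flag the 'previous password plus a counter' habit: the new password is
    the old one with a short suffix appended, or the same base with a
    different trailing run of digits or symbols."""
    if new.startswith(old) and 0 < len(new) - len(old) <= 4:
        return True
    return old != new and _TRAILING.sub("", old) == _TRAILING.sub("", new)


def evaluate(password, previous=None, min_length=12):
    """Return the list of policy problems found; an empty list means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common or default password")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if previous is not None and looks_like_rotated(previous, password):
        problems.append("predictable variation of the previous password")
    return problems


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second for a GPU rig against a fast hash
    for label, length, charset in [
        ("8 chars, all printable ASCII (95)", 8, 95),
        ("10 chars, letters and digits (62)", 10, 62),
        ("16 chars, lowercase only (26)", 16, 26),
    ]:
        bits = keyspace_bits(length, charset)
        print(f"{label}: {bits:.1f} bits, ~{crack_time_days(bits, rate):.1f} days")
    print(evaluate("Password1!"))
    print(evaluate("Summer2020!", previous="Summer2019!"))
```

The numbers make the length argument concrete: sixteen lowercase letters give a larger search space than eight characters drawn from every printable character, even though most composition rules would reject the former and accept the latter.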
Due to the prevalence of this problem, its potential consequences, and the rise in GPU processing power, we predict that the Broken Authentication category will be classified as A1:2021.
A3:2017-Sensitive Data Exposure → A2
The Sensitive Data Exposure category in OWASP Top 10 does not apply directly to web vulnerabilities but rather to the consequences of web vulnerabilities. If an attacker uses a different type of web vulnerability to access data and that data contains sensitive information that is not encrypted, the sensitive information is immediately exposed.
In the last few years, we saw many data breaches caused by exposed databases. In most such cases, the data in these databases was not even encrypted, so the initial exposure escalated into an A3:2017 issue. This is very worrying, especially since finding exposed databases is not a problem for professional web application vulnerability scanners.
Due to the fact that many businesses seem to still ignore the security of their databases, especially Elasticsearch databases, we predict that the Sensitive Data Exposure category will be classified as A2:2021.
A4:2017-XML External Entities (XXE) → A9
The XML External Entities category in OWASP Top 10 was a newcomer. At that time, XXE was a new type of attack and a lot of web resources were not protected against it. It replaced Cross-site Request Forgery (CSRF), which was present in the 2010 and 2013 editions of the report.
However, issues related to external entity references in XML documents are not difficult to detect using a professional tool like Acunetix. The vulnerability is also not that difficult to protect against. Therefore, the category did not even make it to the latest Acunetix report and it was not featured in the 2019 edition, either. While XXE vulnerabilities are detected by Acunetix, they are simply not present that often.
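To show how simple the protection is, here is an added example (written for this article, not Acunetix code) that parses untrusted XML with Python's standard expat parser and refuses any document carrying a DOCTYPE. Both external entity references and entity-expansion attacks need a DOCTYPE to declare their entities, so rejecting the declaration removes the whole class in one place. The sample documents are constructed; the external entity points at a placeholder URI.

```python
import xml.parsers.expat

# Constructed sample documents for the example.
BENIGN_XML = '<?xml version="1.0"?><order><id>42</id><item>book</item></order>'
XXE_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder">]>'
    '<order><id>&ext;</id></order>'
)
EXPANSION_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE a [<!ENTITY x "xx"><!ENTITY y "&x;&x;&x;&x;">]>'
    '<a>&y;</a>'
)


class UnsafeXMLError(ValueError):
    """Raised when the document uses features we never accept from outside."""


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source; returns a list of (tag, text) pairs
    in element-close order. Any DOCTYPE or entity declaration aborts parsing."""
    parser = xml.parsers.expat.ParserCreate()
    elements = []
    open_elements = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def reject_entity(*args):
        raise UnsafeXMLError("entity declarations are not accepted")

    def start(tag, attrs):
        open_elements.append([tag, ""])

    def chars(text):
        if open_elements:
            open_elements[-1][1] += text

    def end(tag):
        name, text = open_elements.pop()
        elements.append((name, text.strip()))

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return elements


def is_safe_xml(data):
    """True when the document parses without tripping the DOCTYPE/entity guard."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_XML))
    for label, doc in [("external entity", XXE_XML), ("entity expansion", EXPANSION_XML)]:
        print(label, "accepted" if is_safe_xml(doc) else "rejected")
```

Rejecting the DOCTYPE outright is stricter than disabling external entity resolution alone, but for data arriving over the network there is rarely a legitimate need for one, and the stricter rule is much easier to verify.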
Therefore, we predict that XXE was just a temporary peak in 2017, and in 2021 it will be classified as A9:2021 or will be left out of the list completely.
A5:2017-Broken Access Control → A4
The Broken Access Control category in OWASP Top 10 covers situations leading to vulnerabilities such as forced browsing and insecure direct object references. Unfortunately, this category of vulnerabilities cannot be detected by any type of automated tools. A tool can recognize the lack of proper authorization but cannot guess whether particular users’ accounts should have access to certain resources or whether certain unauthorized functionality is available to a user – this can only be judged by a human.
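The insecure direct object reference case is easiest to see in code. The snippet below is an added example (not Acunetix code) with a constructed invoice store: the first lookup authenticates the caller but never asks whether the record belongs to them, so any logged-in user can read any invoice by changing the id; the second enforces ownership. It also shows why a tool cannot decide this on its own: nothing in the request tells it whether user 2 is supposed to see invoice 1001.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    is_admin: bool = False


# Constructed sample data: invoices keyed by id, each owned by one user.
INVOICES = {
    1001: {"owner_id": 1, "amount": 120.0},
    1002: {"owner_id": 2, "amount": 89.5},
}


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(user, invoice_id):
    """Authentication happened (we have a User), but the lookup never checks
    who owns the record: the id from the URL is trusted as-is."""
    return INVOICES[invoice_id]


def get_invoice_safe(user, invoice_id):
    """Authorization: the caller must own the record or be an administrator."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner_id"] != user.id and not user.is_admin):
        # One response for 'missing' and 'not yours', so ids cannot be enumerated.
        raise Forbidden("invoice not available to this user")
    return invoice


def can_read(user, invoice_id):
    """Convenience wrapper returning the authorization decision as a bool."""
    try:
        get_invoice_safe(user, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    bob = User(id=2)
    print("vulnerable:", get_invoice_vulnerable(bob, 1001))  # bob reads alice's invoice
    print("safe:", can_read(bob, 1001), can_read(bob, 1002), can_read(User(9, True), 1001))
```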
In previous releases of the OWASP Top 10 (2010 and 2013), this category was represented by two separate ones: Broken Authentication and Session Management and Insecure Direct Object References. These categories were classified in the top 4 in both the 2010 and the 2013 edition of the Top 10.
Due to the difficulty of automatic detection, such vulnerabilities often go unnoticed until detailed manual penetration tests are performed. Therefore, we can expect that they won’t be eliminated anytime soon. We believe they will keep their strong position in 2021 and be classified as A4:2021, making a comeback to the top 4.
A6:2017-Security Misconfiguration → A6
The Security Misconfiguration category in OWASP Top 10, unlike most other vulnerability categories in this report, applies to all the security issues that are caused not by a programming error but by a configuration error. This includes a wide range of potential issues, including a lack of operating system hardening and out-of-date software, and extends to the web server itself.
Security misconfigurations are easy to spot using a professional web application vulnerability scanner that goes beyond testing only the code – as is the case with Acunetix. Since some security misconfigurations may also be part of network security, the fact that Acunetix integrates with OpenVAS is an additional advantage.
We believe that security misconfigurations will retain their position in the OWASP Top 10 2021 and be classified as A6:2021, continuing a trend that runs all the way from 2010 (classified as A6) through 2013 (classified as A5).
A7:2017-Cross-Site Scripting (XSS) → A3
We find it curious that the Cross-Site Scripting category in OWASP Top 10 dropped to position A7 in 2017 after occupying A2 in 2010 and A3 in 2013. Cross-site Scripting remains a very serious problem, particularly because of the complexity of such vulnerabilities and the difficulty of finding and eliminating obfuscated JavaScript payloads in untrusted data.
In the 2020 Acunetix Web Application Vulnerability Report, we found that XSS vulnerabilities still appear in one of every four tested targets. This was also the highest percentage of vulnerabilities in the entire report. While the number was down from 33 percent in 2019, it still remains high.
The biggest problem with XSS vulnerabilities in the age of COVID-19 is that they are often used for user session hijacking in order to gain access to personal information and administrative accounts in web applications. This, in turn, can lead to the introduction of ransomware into corporate systems, which has been the plague of 2020, with more and more criminal organizations finding this an effective way to blackmail large businesses.
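The two points above (obfuscated payloads defeat filtering, and XSS is used to steal sessions) translate into two defensive rules: encode at output rather than filter at input, and keep the session cookie away from page scripts. The following Python snippet is an added example written for this article, not Acunetix code: it renders a constructed user comment once through a blacklist filter and once through context-aware HTML encoding, and builds a session cookie with the HttpOnly, Secure and SameSite attributes. The crude markup check at the end exists only to make the difference testable.

```python
import html
import re

# Constructed sample: a comment that carries no <script> tag at all, so a
# blacklist looking for that tag lets it through unchanged.
SAMPLE_COMMENT = '<b onmouseover="alert(1)">hi</b>'

_PREFIX = "<div class='comment'>"
_SUFFIX = "</div>"


def render_vulnerable(comment):
    """Blacklist filtering: strips one tag name, but not the many other ways
    markup can carry script, which is the obfuscation problem above."""
    cleaned = re.sub(r"(?i)</?script[^>]*>", "", comment)
    return f"{_PREFIX}{cleaned}{_SUFFIX}"


def render_safe(comment):
    """Output encoding for an HTML text context: every character that could
    start markup becomes an entity, whatever shape the payload takes."""
    return f"{_PREFIX}{html.escape(comment, quote=True)}{_SUFFIX}"


def session_cookie_header(session_id):
    """HttpOnly keeps the session id out of reach of document.cookie, so an
    XSS cannot simply read it; Secure and SameSite narrow the rest."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def contains_active_markup(rendered):
    """Illustrative check only: a '<' followed by a letter inside the comment
    container means the browser will parse a tag from user data."""
    inner = rendered[len(_PREFIX):-len(_SUFFIX)]
    return re.search(r"<[a-zA-Z]", inner) is not None


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE_COMMENT))
    print(render_safe(SAMPLE_COMMENT))
    print(session_cookie_header("opaque-session-id"))
```

Encoding is applied at the point where data meets the HTML context; a different context (attribute value, URL, JavaScript string) needs its own encoder, which is the other reason blacklists fail.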
This is why we believe that Cross-site Scripting will make a comeback in the 2021 edition of OWASP Top 10 with a predicted A3:2021 classification.
A8:2017-Insecure Deserialization → A10
Insecure Deserialization was a new addition to the OWASP Top 10 in 2017, just like XML External Entities. This relatively new type of vulnerability can still be found in web pages, but with time, it was found to appear much less often than initially expected. Also, it has been researched thoroughly, including by our own Acunetix top security researcher Aleksei Tiurin, who has presented on the topic at several conferences.
Due to the fact that insecure deserialization happens in rather specific cases and has not been known to lead to any major security breaches in the last years, we predict that the 2021 edition of OWASP Top 10 will either classify such vulnerabilities as A10:2021 or leave them out of the report completely.
A9:2017-Using Components with Known Vulnerabilities → A7
The Using Components with Known Vulnerabilities category was introduced into OWASP Top 10 in 2013 and has stayed at the A9 position ever since. This class of vulnerabilities refers to putting too much trust in third-party code and covers all types of vulnerabilities that can be introduced by such code.
The detectability of such cases depends on the popularity of the components and the type of vulnerability. While Software Composition Analysis (SCA) tools are only good for finding common vulnerable components, professional DAST tools not only have signature-based checks (in the case of Acunetix, more than 5000 such checks are built-in) but also let you find vulnerabilities in less popular components (with no signatures available) by performing mock attacks.
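The signature-based side of this is simple enough to sketch. The following Python snippet is an added example (not Acunetix code and not a real advisory feed): it pins a constructed requirements file against a constructed advisory table with placeholder identifiers, reports every pinned version below a fix, and, importantly, lists the packages it has no data for, which is exactly the gap the paragraph attributes to SCA tooling.

```python
# Constructed advisory table with placeholder ids (not real CVEs): for each
# package, the advisories and the first version that fixes each one.
ADVISORIES = {
    "examplelib": [("ADV-PLACEHOLDER-1", "2.4.1")],
    "widgetkit": [("ADV-PLACEHOLDER-2", "1.0.9"), ("ADV-PLACEHOLDER-3", "1.2.0")],
}

# Constructed inventory in pip requirements syntax.
SAMPLE_REQUIREMENTS = """\
# pinned dependencies of the example application
examplelib==2.3.0
widgetkit==1.1.0
obscure-thing==0.1
"""


def parse_version(text):
    """Dotted numeric versions only (sufficient for the constructed data)."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirements(text):
    """Return {package: version} from 'name==version' lines; blanks and
    comments are ignored, unpinned lines are an error."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned requirement: {line}")
        pins[name.strip().lower()] = version.strip()
    return pins


def audit(requirements_text):
    """Return (findings, unknown): findings are (package, version, advisory id)
    for every pinned version below a fix; unknown lists packages for which
    the advisory table has no signature at all."""
    findings, unknown = [], []
    for name, version in parse_requirements(requirements_text).items():
        if name not in ADVISORIES:
            unknown.append(name)
            continue
        for adv_id, fixed in ADVISORIES[name]:
            if parse_version(version) < parse_version(fixed):
                findings.append((name, version, adv_id))
    return findings, unknown


if __name__ == "__main__":
    findings, unknown = audit(SAMPLE_REQUIREMENTS)
    for name, version, adv_id in findings:
        print(f"{name} {version}: affected by {adv_id}")
    print("no signature data for:", unknown)
```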
We believe that due to the increasing complexity and importance of web applications, more and more developers are simply forced to use third-party components in all their projects. Therefore, we believe that in 2021 this category will be flagged as more important than before and classified as A7:2021.
A10:2017-Insufficient Logging & Monitoring → A8
The Insufficient Logging & Monitoring category was another new addition to OWASP Top 10 in 2017. While this category does not directly apply to vulnerabilities, it is an important one because it applies to the detectability of vulnerabilities.
We believe that this category should be broadened to include insufficient security scanning. It is far more effective to find vulnerabilities before they reach production servers, where an attack can only be discovered through logging and monitoring and then requires an actual incident response.
Therefore, we hope that this category in 2021 is broadened by OWASP Top 10 to include security scanning and raised in importance to position A8:2021.
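To make "discovered using logging and monitoring" concrete, here is an added example (written for this article, not Acunetix code) that runs two detections over constructed web server access log lines in combined log format: repeated failed logins from one address, which ties back to the Broken Authentication section, and requests whose query string carries a quote, the simplest trace an injection probe leaves behind. The log lines, addresses and threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access log (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2020:10:00:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:10:00:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:10:00:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:10:00:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:10:00:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2020:10:00:06 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2020:10:01:10 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2020:10:01:25 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Nov/2020:10:02:00 +0000] "GET /product?id=1%27 HTTP/1.1" 200 2048 "-" "curl/7.68.0"
192.0.2.44 - - [10/Nov/2020:10:02:01 +0000] "GET / HTTP/1.1" 200 4096 "-" "curl/7.68.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    match = LINE_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    record["status"] = int(record["status"])
    return record


def failed_logins_by_ip(log_text, login_path="/login"):
    """Count POSTs to the login path that were rejected (401/403), per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and record["method"] == "POST" and record["path"] == login_path \
                and record["status"] in (401, 403):
            counts[record["ip"]] += 1
    return counts


def brute_force_alerts(log_text, threshold=5):
    """Addresses whose failed-login count reaches the threshold (assumed value)."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)


def injection_probe_hits(log_text):
    """Requests whose path or query carries a raw or URL-encoded single quote."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and ("'" in record["path"] or "%27" in record["path"].lower()):
            hits.append((record["ip"], record["path"]))
    return hits


if __name__ == "__main__":
    print("failed logins:", dict(failed_logins_by_ip(SAMPLE_LOG)))
    print("brute-force alerts:", brute_force_alerts(SAMPLE_LOG))
    print("injection probes:", injection_probe_hits(SAMPLE_LOG))
```

Both detections fire only after the requests have already reached the server, which is the point of the paragraph above: a scan that finds the weak login or the injectable parameter before deployment removes the need for the alert in the first place.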