The Open Web Application Security Project will on Monday, US time, reveal its annual analysis of web application risks, but The Register has sniffed out the final draft of the report and can report that familiar attacks still top its charts while more exotic exploits are on the rise.
A late pre-release version of the Project's report [PDF] compiled over 40 submissions from application security companies, plus results of an industry survey that queried 500 respondents.
This year's Top 10 risks in order were:
| Risk | 2017 Rank | 2013 Rank |
|---|---|---|
| Sensitive data exposure | 3 | 6 |
| New: XML external entities | 4 | N/A |
| Broken access control* | 5 | 4 & 7 |
| New: insecure deserialisation | 8 | N/A |
| Components with known vulns | 9 | 9 |
| New: insufficient logging/monitoring | 10 | N/A |

*Two 2013 entries merged
The Project explained the three new entries in the list since 2013:
- XML External Entity vulnerabilities – This was added to the list as a result of data from source code analysis tools. Poorly configured XML parsers created a range of vulnerabilities that included disclosure of internal files or shares, internal port scanning, remote code execution (RCE) and denial of service (DoS).
- Insecure deserialisation – OWASP said this category came out of its community survey. As well as RCE, this class of vulnerability can lead to replay attacks, injection attacks, and privilege escalation.
- Insufficient logging and monitoring – This makes it difficult for admins to detect and respond to attacks, and the Project noted it can take as long as 200 days to detect a breach.
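The XXE entry comes down to parser configuration: a parser that honours DOCTYPE and entity declarations will happily fetch whatever an external entity points at. As an added example (not from the report or the article), the following Python wrapper around the standard-library expat parser refuses DOCTYPE declarations, entity declarations and external entity references before handing the bytes to ElementTree; the class, function and sample names are assumed.

```python
# Added example, not code from OWASP or The Register: a hardened XML entry point
# on Python's stdlib expat parser. Names (UnsafeXML, parse_untrusted, ...) are assumed.
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries DTD constructs used for XXE."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Any DOCTYPE is refused; an application exchanging data has no need for one.
    raise UnsafeXML(f"DOCTYPE declaration refused (name={doctype_name!r})")


def _reject_entity(*args):
    # Entity declarations cover both external (file/URL) and internal (amplification) entities.
    raise UnsafeXML("entity declaration refused")


def _reject_external(context, base, system_id, public_id):
    # Belt and braces: never let expat resolve an external entity for us.
    raise UnsafeXML(f"external entity reference refused: {system_id!r}")


def check_xml(data: bytes) -> None:
    """Run a throwaway expat pass that raises UnsafeXML on DTD/entity constructs."""
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = _reject_doctype
    p.EntityDeclHandler = _reject_entity
    p.ExternalEntityRefHandler = _reject_external
    p.Parse(data, True)  # exceptions raised inside handlers propagate out of Parse


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted caller only after the DTD check passes."""
    check_xml(data)
    return ET.fromstring(data)


# Constructed samples (not from the article): a classic entity-injection prolog
# pointing at a placeholder path, and a benign document.
SAMPLE_XXE = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e SYSTEM '
              b'"file:///example/secret.txt">]><d>&e;</d>')
SAMPLE_OK = b'<order><item sku="A1" qty="2"/></order>'


def is_blocked(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_untrusted(data)
    except UnsafeXML:
        return True
    return False
```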
There are some good news stories in the trends from 2013 to today. Admins are wise to cross-site request forgery (CSRF), which was reported in fewer than five per cent of all apps; while unvalidated redirects and forwards were reported in less than one per cent of the data set.
OWASP also noted architectural changes which were reflected in current risks, or were likely to emerge in the future.
The take-up of microservices often puts old code that was never intended to be exposed to the outside world behind RESTful or other APIs. “The base assumptions behind the code, such as trusted callers, are no longer valid”, the report said.
Second, the report noted the emergence of “single page applications” written with Angular or React. While these support highly functional front-ends, moving functionality from the server side to the client “brings its own security challenges”.
The report project's leads were Andrew van der Stock, Brian Glas, Neil Smithline, and Torsten Gigler. The final release version will be announced at the organisation's wiki, and on its Twitter account, when it lands. ®