Participants in the Open Web Application Security Project (OWASP) have compiled another list of the most dangerous threats for Web applications
Participants in the Open Web Application Security Project (OWASP) have compiled another list of the most dangerous threats for Web applications. The new ranking is based on data from companies that work on web application security and on a survey of about 500 industry participants. This is the first update of the OWASP Top 10 since 2013.
It is noteworthy that injection holds first place in the ranking, and authentication flaws again took second. Despite this stability, several “newcomers” that have become highly relevant threats over the past four years broke into the ranking. In one case the authors of the study also merged two categories into one.
The category “sensitive data exposure” has risen from sixth place to third. Fourth place goes to a newcomer to the ranking: XML External Entities (XXE attacks). After analysing a number of source code bases, the experts concluded that this is one of the most pressing threats in web development. Misconfigured XML parsers create the preconditions for a number of vulnerabilities, including disclosure of internal files, scanning of internal ports, remote code execution and DoS.
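As an added illustration of the parser-hardening point above (this code is not from the article or from OWASP), here is a Python xml.sax parser configured so that external entities are never fetched and any DOCTYPE is refused outright; the two sample documents and the SYSTEM placeholder path are constructed for this example:

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler

# Constructed samples (not from the article); the SYSTEM path is a placeholder.
XXE_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE order [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/internal.txt"> ]>
<order><item>&ext;</item></order>"""
CLEAN_SAMPLE = b'<?xml version="1.0"?><order><item>widget</item></order>'

class DoctypeRejected(ValueError):
    """A DTD was found; an endpoint exchanging plain element data never needs one."""

class ItemCollector(ContentHandler):
    """Collects <item> text; registered as lexical handler, it refuses any DOCTYPE."""
    def __init__(self):
        super().__init__()
        self.items, self._buf = [], []
    def startDTD(self, name, public_id, system_id):
        # Entities can only be declared in a DTD: refusing it removes the XXE class.
        raise DoctypeRejected("DOCTYPE not accepted")
    # Remaining lexical callbacks the expat reader looks up; nothing to do here.
    def endDTD(self): pass
    def comment(self, data): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def startElement(self, name, attrs):
        self._buf = []
    def characters(self, data):
        self._buf.append(data)
    def endElement(self, name):
        if name == "item":
            self.items.append("".join(self._buf))

def parse_hardened(data: bytes) -> list:
    """Parse untrusted XML with external entity fetching off and any DTD rejected."""
    parser = xml.sax.make_parser()
    # Defence in depth: SYSTEM entities are never fetched even if a DTD slipped
    # through. The weak setting would be feature_external_ges=True.
    parser.setFeature(feature_external_ges, False)
    handler = ItemCollector()
    parser.setContentHandler(handler)
    parser.setProperty(property_lexical_handler, handler)
    parser.parse(io.BytesIO(data))
    return handler.items

def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document outright."""
    try:
        parse_hardened(data)
    except DoctypeRejected:
        return True
    return False
```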
In fifth place on the list of the ten most relevant web threats the experts put broken access control; previously the threats of this category were split into two sub-categories, which occupied fourth and seventh place in the OWASP top.
Security misconfiguration has moved down: in 2017 it is the sixth most important web threat, not the fifth as before.
The experts also noted with satisfaction the decline in the relevance of XSS vulnerabilities: from third place they dropped to seventh. Positive dynamics were also seen in the CSRF category, which left the top ten: in 2017 such flaws were reported in less than 5% of applications.
Eighth place in the new Top 10 was taken by a threat that emerged after the publication of the 2013 OWASP report: insecure deserialization of objects. According to OWASP representatives, it was added to the list after analysing the results of the IT community survey. This class of vulnerabilities opens the way to replay attacks, injection and privilege escalation.
Ninth place still belongs to the use of components with known vulnerabilities.
Finally, a new threat closes the list: insufficient logging and monitoring. The authors of the study note that, with the rise in attacks on corporate networks, administrators do not have time to react to every security event, and the time to detect a leak or break-in is sometimes up to 200 days.
The OWASP project participants also noted changes in development architecture that have largely influenced, or will influence, the threat landscape in the near future.