OWASP’s 2021 List Shuffle: A New Battle Plan and Primary Foe

Code injection attacks, the infamous king of
vulnerabilities, have lost the top spot to broken access control as
the worst of the worst, and developers need to take
notice.

In this increasingly chaotic world, there have always been a few
constants that people could reliably count on: The sun will rise in
the morning and set again at night, Mario will always be cooler
than Sonic the Hedgehog, and code injection attacks will always
occupy the top spot on the Open Web Application Security Project
(OWASP) list of the top ten most common[1]
and dangerous vulnerabilities that attackers are actively
exploiting.

Well, the sun will rise tomorrow, and Mario still has “one-up”
on Sonic, but code injection attacks have fallen out of the number
one spot on the infamous OWASP list, refreshed in 2021. One of the
oldest forms of attacks, code injection vulnerabilities[2] have been around almost
as long as computer networking. The blanket vulnerability is
responsible for a wide range of attacks, including everything from
traditional SQL injections[3]
to exploits launched against Object Graph Navigation Libraries. It
even includes direct assaults against servers using OS injection
techniques[4]. The versatility of code
injection vulnerabilities for attackers – not to mention the number
of places that could potentially be attacked – has kept code
injection in the top spot for many years.

But the code injection king has fallen. Long live the king.

Does that mean we’ve finally solved the injection vulnerability
problem? Not a chance. It didn’t fall far from its position as
security enemy number one, only down to number three on the OWASP
list. It would be a mistake to underestimate the continuing dangers
of code injection attacks, but the fact that another vulnerability
category was able to surpass it is significant, because it shows
just how widespread the new OWASP top dog actually is, and why
developers need to pay close attention to it moving forward.

Perhaps the most interesting thing, however, is that the OWASP
Top 10 2021 reflects a significant overhaul, with brand new
categories making their debut: Insecure Design, Software and Data
Integrity Failures, and an entry based on community survey results:
Server-Side Request Forgery. These point to an increasing focus on
architectural vulnerabilities, and going beyond surface-level bugs
for the benchmark in software security.

Broken Access Control Takes the Crown (and Reveals a Trend)

Broken access control rocketed from the fifth spot on the OWASP
top ten vulnerabilities list all the way up to the current number
one position. Like code injection and new entries such as
insecure design, the broken access control category encompasses a wide
range of coding flaws, which adds to its dubious popularity because they
collectively allow damage on multiple fronts. The category includes
any instance where access control policies can be violated so that
users can act outside of their intended permissions.

Some examples of broken access control cited by OWASP in
elevating the family of vulnerabilities to the top spot include
ones that enable attackers to modify a URL, internal application
state, or part of an HTML page. They might also allow users to
change their primary access key so that an application, site, or
API believes they are someone else, like an administrator with
higher privileges. It even includes vulnerabilities where attackers
are not restricted from modifying metadata, letting them change
things like JSON web tokens, cookies, or access control tokens.

Once exploited, this family of vulnerabilities can be used by
attackers to bypass file or object[5]
authorizations, enabling them to steal data or even perform
destructive administrator-level functions like deleting databases.
This makes broken access control critically dangerous in addition
to being increasingly common.
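The token-tampering and "act as someone else" cases described above, shown as an added example that is not part of the article: a record lookup that trusts client-supplied claims without verifying them or checking ownership, next to a hardened version that verifies the token's HMAC signature and enforces owner-or-admin server-side. The key, record store and token format are constructed for the demonstration.

```python
import base64, hashlib, hmac, json

# Constructed sample data: a server-side signing key and two users' private records.
SECRET_KEY = b"constructed-demo-key-not-for-production"
RECORDS = {
    "rec-1": {"owner": "alice", "body": "alice's private notes"},
    "rec-2": {"owner": "bob", "body": "bob's private notes"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_claims(claims: dict) -> str:
    """Canonical base64url form of the claims JSON (the token's first part)."""
    return b64url(json.dumps(claims, sort_keys=True).encode())

def issue_token(claims: dict) -> str:
    """Server mints a token: <claims>.<HMAC-SHA256 over the claims part>."""
    payload = encode_claims(claims)
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64url(sig)}"

def fetch_record_broken(token: str, record_id: str):
    """Broken: trusts unverified claims and never checks who owns the record."""
    payload = token.split(".")[0]
    claims = json.loads(unb64url(payload))
    if claims.get("sub"):          # "has a token" is the only check
        return RECORDS.get(record_id)
    return None

def fetch_record_fixed(token: str, record_id: str):
    """Hardened: verify signature, then enforce owner-or-admin, deny by default."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        return None                # tampered or forged token
    claims = json.loads(unb64url(payload))
    record = RECORDS.get(record_id)
    if record and (claims.get("role") == "admin" or record["owner"] == claims.get("sub")):
        return record
    return None
```

Editing the claims part of a token while keeping the old signature gets through the broken lookup but is rejected by the hardened one, and even a valid token is confined to the caller's own records.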

It’s quite compelling – yet not surprising – that authentication
and access control vulnerabilities are becoming the most fertile
ground for attackers to exploit. Verizon’s latest Data Breach Investigations Report[6] reveals that access
control issues are prevalent in almost every industry, especially
IT and healthcare, and a whopping 85% of all breaches involved a
human element. Now, “human element” covers incidents like phishing
attacks, which are not an engineering problem, but 3% of breaches
did involve exploitable vulnerabilities, and according to the
report, were predominantly older vulnerabilities and human
error-led, like security misconfiguration.

While those decrepit security bugs like XSS and SQL injection
continue to trip up developers, increasingly, it has become
apparent that core security design is failing, giving way to
architectural vulnerabilities that can be very advantageous to a
threat actor, especially if they go unpatched after the security
flaw in a particular version of an application is made public.

The trouble is, few engineers are given training and skills
development that goes beyond the basics, and fewer still are truly
having their knowledge and practical application expanded beyond
localized, code-level bugs that are typically developer-introduced
in the first place.

Preventing the bugs that robots rarely find

The newly grouped family of broken access control
vulnerabilities is fairly diverse. You can find some specific
examples of broken access controls and how to stop them on our YouTube channel and our blog. Or better yet, try for yourself.[7][8][9]

However, I think it’s important to celebrate this new OWASP Top
10; indeed, it is more varied, encompassing a wider range of attack
vectors that include those that scanners won’t necessarily pick up.
For every code-level weakness found, more complex architectural
flaws will go unnoticed by most of the security tech stack, no
matter how many automated shields and weapons are in the arsenal.
While the lion’s share of the OWASP Top 10 list is still compiled
based on scanning data, new entries covering insecure design and
data integrity failures – among others – show that training
horizons for developers need to expand rapidly to achieve what
robots cannot.

Put simply, security scanners don’t make great threat modelers,
but a team of security-skilled developers can help the AppSec team
immeasurably by growing their security IQ in-line with best
practices, as well as the needs of the business. This needs to be
factored into a good security program, with the understanding that
while the OWASP Top 10 is an excellent baseline, the threat
landscape is so fast-paced (not to mention the demands of internal
development goals) that there must be a plan to go deeper and more
specific with developer upskilling in security. Failure to do so
will inevitably lead to missed opportunities to remediate early,
and hinder a successful holistic approach to preventative,
human-led cybersecurity.

About the Author: Matias Madou is the co-founder and CTO
of Secure Code Warrior. He has over a decade of hands-on software
security experience, holding a Ph.D. in computer engineering from
Ghent University.

References

  1. top ten most common (owasp.org)
  2. code injection vulnerabilities (youtu.be)
  3. SQL injections (youtu.be)
  4. OS injection techniques (youtu.be)
  5. bypass file or object (youtu.be)
  6. Data Breach Investigations Report (www.verizon.com)
  7. our YouTube channel (youtu.be)
  8. blog (www.securecodewarrior.com)
  9. try for yourself (portal.securecodewarrior.com)