It's 2017, and command injection is still the top threat to web apps

Open Web Application Security Project updated 'top-ten risks' lands on Monday, but we found a late, late draft

The Open Web Application Security Project will on Monday, US time, reveal its annual analysis of web application risks, but The Register has sniffed out the final draft of the report and can report that it has found familiar attacks top its charts, but exotic exploits are on the rise.

A late pre-release version of the Project's report [PDF] compiled over 40 submissions from application security companies, plus results of an industry survey that queried 500 respondents.

This year's Top 10 risks in order were:

Risk 2017 Rank 2013 Rank
Injection 1 1
Broken authentication 2 2
Sensitive data exposure 3 6
New: XML external entities 4 N/A
Broken access control* 5 4 & 7
Security misconfiguration 6 5
Cross-site scripting 7 3
New: insecure deserialisation 8 N/A
Components with known vulns 9 9
New: insufficient logging/monitoring 10 N/A

*Two 2013 entries merged

The Project explained the three new entries in the list since 2013:

  • XML External Entity vulnerabilities – This was added to the list as a result of data from source code analysis tools. Poor configuration in XML parsers created a range of vulnerabilities that included internal file or shares disclosure, internal port scanning, remote code execution (RCE) or denial of service (DoS);
  • Insecure deserialisation – OWASP said this category came out of its community survey. As well as RCE, this class of vulnerability can lead to replay attacks, injection attacks, and privilege escalation.
  • Insufficient logging and monitoring – This makes it difficult for admins to detect and respond to attacks, and the Project noted it can take as long as 200 days to detect a breach.

There are some good news stories in the trends from 2013 to today. Admins are wise to cross-site request forgery (CSRF), which was reported in fewer than five per cent of all apps; while unvalidated redirects and forwards were reported in less than one per cent of the data set.

OWASP also noted architectural changes which were reflected in current risks, or were likely to emerge in the future.

The take-up of microservices often puts old code behind RESTful or other APIs, but was never intended to be exposed to the outside world. “The base assumptions behind the code, such as trusted callers, are no longer valid”, the report said.

Second, the report noted the emergence of “single page applications” written with Angular or React. While these support highly functional front-ends, moving functionality from the server side to the client “brings its own security challenges”.

Finally, by way of node.js, JavaScript has become the web's “primary language” (which could account for the rise of deserialisation risks).

The report project's leads were Andrew van der Stock, Brian Glas, Neil Smithline, and Torsten Gigler. The final release version will be announced at the organisation's wiki, and on its Twitter account, when it lands. ®

Sponsored: Minds Mastering Machines - Call for papers now open

Biting the hand that feeds IT © 1998–2018