Changes in OWASP Top 10: 2017 vs 2021

Mapping of the 2017 categories to the 2021 categories (image): https://owasp.org/www-project-top-ten/assets/images/mapping.png

A03:2021-Injections

The first change relates to injections.
Injections are attacks in which an attacker sends crafted data to a web application so that it executes something it was never designed to do.
Examples are SQL, OS command and LDAP injection. The 2021 category also absorbs the former A07:2017-Cross-Site Scripting (XSS), because XSS is in principle also an injection.

A04:2021-Insecure Design

A04:2021-Insecure Design is a new category in the OWASP Top 10 and entered directly at fourth place. It covers architectural flaws and design mistakes that leave a security control missing or ineffective. While an insecure implementation can usually be fixed with a code change, fixing an insecure design is far more complicated or even impossible.

ldap-account-manager password recovery
https://www.ldap-account-manager.org/static/doc/manual/ch07s03.html

So even if you implement this workflow perfectly, it remains insecure.

You cannot fix this password recovery workflow by changing only the concrete implementation, however much you want to. Your only option is to replace it completely with something more secure.

A05:2021-Security Misconfiguration

Modern software gets increasingly complex. We moved from simple systems with one web server and one database to microservice architectures, where several services are deployed on multiple servers. These are connected to the internet by clusters of reverse proxies and load balancers. Everything is reusable and needs configuration to fit into different environments and applications. With the growing number of configuration options, it is no wonder that this category moved up in the OWASP Top 10. Since 2021 it also includes the former A04:2017-XML External Entities (XXE).

A08:2021-Software and Data Integrity Failures

Another newcomer is A08:2021-Software and Data Integrity Failures. These refer to code and infrastructure that are not protected against integrity violations.
This can occur when a web application relies on plugins, libraries or modules from untrusted sources, repositories or content delivery networks. A CI/CD pipeline that does not validate such external resources then opens the door to unauthorized access, malicious code or system compromise.
Another example is an update that is not signed. This is currently the case with many home routers, set-top boxes, device firmware and other devices, because updates are not checked for a valid signature. If such a device performs an auto-update, an attacker can upload, distribute and execute their own update.
Also included in this category is the former A08:2017-Insecure Deserialization. The vulnerability here is that a serialized object can be manipulated: if malicious code or data is introduced into the serialized data, it is later executed during deserialization with the rights of the application. This can happen when the integrity check for deserialized data and objects is not hardened against attacks (assuming there is an integrity check at all).

A10:2021-Server-Side Request Forgery (SSRF)

Finally, the last change is A10:2021-Server-Side Request Forgery (SSRF). An SSRF vulnerability can occur when an attacker has full or partial control over the requests that a web application sends. A potential attacker could make the web application send manipulated requests to other destinations or to its own resources, so everything the server has access to becomes reachable. This would allow an attacker to obtain information that is normally not accessible from the outside because of a firewall, VPN or some kind of ACL. These security mechanisms do not help here, because the server makes the requests on the attacker's behalf.
To make this clearer, consider a web application with three services, which have ACLs and authorization rules configured to establish trust between them, and an endpoint that fetches a user-supplied URL:

GET /user-image?url=https://www.google.com HTTP/1.1
Host: example.com
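For the /user-image endpoint above, the following is an added mitigation example (not code from the post): it validates the user-supplied url parameter against an allowlist before the server fetches it. The allowlist ALLOWED_IMAGE_HOSTS, the SAMPLE_DNS answers and the host names are constructed for the demo.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the only hosts the image proxy is allowed to contact.
ALLOWED_IMAGE_HOSTS = frozenset({"images.example-cdn.net"})

# Constructed DNS answers so the demo and tests run offline; live_resolve is
# used when no resolver is passed in.
SAMPLE_DNS = {
    "images.example-cdn.net": ["93.184.216.34"],  # sample public address
    "intranet.example-cdn.net": ["10.0.0.5"],     # allowlisted name, private IP
}

def sample_resolve(host):
    return SAMPLE_DNS.get(host, [])

def live_resolve(host):
    """Every A/AAAA answer for host via the system resolver."""
    return sorted({info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)})

def validate_outbound_url(url, allowed_hosts=ALLOWED_IMAGE_HOSTS, resolve=live_resolve):
    """Decide whether the server may fetch url on the user's behalf.

    Returns (True, ip) for a permitted target, otherwise (False, reason).
    Checks: https only, no embedded credentials, host on the allowlist, and no
    resolved address that is loopback, private, link-local or otherwise
    non-global. The fetcher should then connect to the returned ip (keeping
    Host/SNI = host) so a second lookup cannot substitute another address.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname or ""
    if host not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    addrs = resolve(host)
    if not addrs:
        return False, f"host {host!r} does not resolve"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"host {host!r} resolves to non-global address {addr}"
    return True, addrs[0]

if __name__ == "__main__":
    for u in ("https://www.google.com",  # the request from the post
              "https://images.example-cdn.net/u/42.png",
              "https://intranet.example-cdn.net/x.png",
              "http://images.example-cdn.net/u/42.png"):
        print(u, "->", validate_outbound_url(u, resolve=sample_resolve))
```

Rejecting the request from the post (www.google.com is not on the allowlist) is the intended outcome: an image proxy should only ever reach the handful of hosts it was built for.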

Conclusion

The changes in the OWASP Top 10 are quite interesting. The new category A04:2021-Insecure Design is a clear sign that we need to focus on security already in the design phase. Another observation is that microservices bring security advantages over monoliths. But A10:2021-Server-Side Request Forgery (SSRF) shows that they are not bulletproof, and they need more configuration (A05:2021-Security Misconfiguration).
