Information Security Pen Testing

Updates to the OWASP Top 10 Vulnerabilities List

After 4 years, the Open Web Application Security Project Top 10 document has been updated to account for the latest and most critical cyber security risks.

What is OWASP Top 10?

The OWASP (Open Web Application Security Project) Top Ten is an internationally recognised methodology for pen testers and web developers to use when testing the security of websites and web applications.

The OWASP Top 10 is typically formulated through factual analysis of common vulnerabilities and exposures (CVEs). From these CVEs, the OWASP team identifies the underlying CWEs (common weakness enumerations), which are then grouped into the categories that make up the Top 10 list.

The Top 10 is just one of several methodologies that CyberCrowd follows when conducting pen tests, ensuring that all critical and current cyber risks are explored, assessed and incorporated into the Web Application Pen Test Reports.

2021 OWASP Data Factors

In the case of 2021 Top 10, OWASP incorporated additional factors relating to exploitability and impact to define the latest vulnerabilities; some of which have been extracted from the OWASP Dependency-Check software.

The data factors taken into account for the latest OWASP list are:

  • The total number of CVEs (common vulnerabilities and exposures) in the National Vulnerability Database (NVD) that are mapped to CWEs (common weakness enumerations) and also mapped to an OWASP-defined category.
  • The count of CWEs (common weakness enumerations) mapped to OWASP-defined categories.
  • The percentage of applications, across all contributing organisations, that were tested for a given CWE (the Testing Coverage).
  • The percentage of applications found vulnerable to a specific CWE, out of the population an organisation tested that year (defined as the Incidence Rate).
  • The total number of applications found to have CWEs mapped to an OWASP-defined category (the Total Occurrences score).
  • The Exploit sub-scores from Version 2 & Version 3 of the Common Vulnerability Scoring System (CVSS) assigned to CVEs mapped to CWEs, normalised and placed on a 10pt scale; giving a Weighted Exploit score.
  • The Impact sub-scores from Version 2 & Version 3 of the Common Vulnerability Scoring System (CVSS) assigned to CVEs mapped to CWEs, normalised and placed on a 10pt scale; giving a Weighted Impact score.

Why is this update important?

Since the last OWASP update, how both the public and cybercriminals work has changed dramatically.

With the growth in flexible and remote working, certain cyber security risks have become more prominent and equally, cybercriminals have taken new and more creative approaches to gain unauthorised access to corporate networks.

The latest OWASP changes

2017 OWASP

In 2017, the OWASP Top 10 was as follows (ordered by position within the top 10 list):

  1. Injection (A01:2017)
  2. Broken Authentication (A02:2017)
  3. Sensitive Data Exposure (A03:2017)
  4. XML External Entities – XXE (A04:2017)
  5. Broken Access Control (A05:2017)
  6. Security Misconfiguration (A06:2017)
  7. Cross-Site Scripting – XSS (A07:2017)
  8. Insecure Deserialization (A08:2017)
  9. Using Components With Known Vulnerabilities (A09:2017)
  10. Insufficient Logging & Monitoring (A10:2017)

2021 OWASP

Following the 2021 OWASP update, 3 new categories were added to the Top 10: Insecure Design, Software and Data Integrity Failures, and Server-Side Request Forgery – SSRF.

Here is the full OWASP 2021 Vulnerabilities List by position, including details about each vulnerability identified:

Broken Access Control (A01:2021)

Following the OWASP update, Broken Access Control has moved up 4 positions to number 1. This position increase was determined through testing 94% of applications that had some form of broken authentication. As a result, 34 CWEs were mapped within this category.

Cryptographic Failures (A02:2021), formerly A03:2017

This category has also moved up from the 2017 OWASP Top 10, from position 3 to 2. The category was renamed in the 2021 list because “Sensitive Data Exposure” is a symptom of the underlying Cryptographic Failures rather than the root cause.

Injection (A03:2021), formerly A01:2017

The Injection category has dropped from position 1 in 2017 to position 3 in 2021. In the most recent OWASP Top 10, 33 CWEs were mapped to Injection, including Cross-Site Scripting (XSS), which held position 7 in the 2017 OWASP Top 10 as its own category.

Insecure Design (A04:2021)

This is one of the new categories that has been added to the 2021 OWASP Top 10 list and has been put into position 4. This particular category focuses on the risks associated with website and web app design flaws.

Security Misconfiguration (A05:2021), formerly A06:2017

Since the 2017 OWASP Top 10, Security Misconfiguration has moved up 1 position, sitting at position 5 in the 2021 OWASP Top 10. 90% of applications were tested for this category, which now incorporates the XML External Entities (XXE) category that appeared separately in the 2017 OWASP Top 10 list.

Vulnerable and Outdated Components (A06:2021), formerly A09:2017

Previously listed as “Using Components with Known Vulnerabilities” in the 2019 OWASP, this category has moved up 3 places; from position 9 to 6.

This particular category is the only one to which the OWASP team have not mapped any CVEs. Instead, they have used Exploit weights and Impact weights to determine the category’s position.

Identification and Authentication Failures (A07:2021), formerly A02:2017

In 2017, this was listed as “Broken Authentication” and featured in position 2 on the vulnerabilities list. In 2021’s Top 10, this has moved down to position 7. Since the 2017 OWASP Top 10 list was published, the improved availability of standardised ID and authentication frameworks has made this particular category less of a concern.

Software and Data Integrity Failures (A08:2021)

This is another new category in the OWASP Top 10 list for 2021; it absorbs the ‘Insecure Deserialization’ category that was present in the 2017 list.

This new category focuses on critical data and software updates, as well as Continuous Integration/Continuous Delivery (CI/CD) pipelines, that do not verify integrity.

Security Logging and Monitoring Failures (A09:2021), formerly A10:2017

In 2017, this particular category was referenced as “Insufficient Logging & Monitoring” and featured in position 10. Since then, it has been renamed and has moved up 1 position to 9. Failing to address this category impairs visibility, forensics and incident alerting.

Server-Side Request Forgery – SSRF (A10:2021)

This is the final, new category within the 2021 OWASP list, positioned at 10. The positioning of this particular item was determined with the assistance of an industry survey.

The SSRF data shows that, whilst the incidence rate is relatively low, testing coverage is above average, as are the Exploit and Impact potential ratings.

What do these changes mean?

The update to the OWASP Top 10 will now be taken into account during the creation of websites and web applications. Ethical Hackers, including the CyberCrowd Pen Testing team, will also reprioritise the Pen Testing elements within their existing Pen Testing practices to ensure that the highest industry standards are retained when it comes to discovering and resolving cybersecurity issues.

Are you concerned about your company’s cyber security? Are you looking to gain insights and actionable recommendations to minimise the likelihood of network breaches? Contact us about our Pen Testing services today.