OWASP is a non-profit organization dedicated to researching application security threats.
By surveys and analysis of over 200,000 organizations, OWASP published the report, “Top 10 Web Application Security Risks” approximately every three years, which has become a crucial reference for global enterprises in their web application security efforts.
However, a security research team from Kaspersky recently found that OWASP’s rankings differ significantly from the conclusions reached through practical black-box, gray-box, and white-box application risk assessment methods.
Organizations should more flexibly evaluate their web application security posture based on the potential impact and exploitability of threats.
In this assessment, Kaspersky’s security research team collected data from web applications launched between 2021 and 2023.
Nearly half (44%) of the applications were written in Java, followed by NodeJS (17%) and PHP (12%). Over one-third (39%) of the applications utilized a microservices architecture.
The researchers evaluated the data using black-box, gray-box, and white-box methods and summarized the top 10 most common and severe web application security threats faced by global enterprises from 2021 to 2023.
1. Broken Access Control
70% of the analyzed web applications contained security threats related to access control issues. Almost half of these threats were of medium risk, and 37% were high risk.
These vulnerabilities could cause errors in web applications and impact organizational operations.
Insufficient data validation in web applications allows attackers to illegitimately access internal services and potentially execute attacks leading to financial loss.
Security Recommendations
Organizations should implement role-based access control for authentication and authorization. Unless a web application is publicly accessible, access should be denied by default.
2. Data Leaks
This type of security threat is prevalent in web applications. Compared to broken access control, sensitive data leaks contain more low-risk vulnerabilities but also include high-risk ones. Researchers found sensitive data such as plaintext passwords and credentials, full paths to web application releases, and other information that could reveal the application architecture.
Security Recommendations
Storing files containing sensitive data (like passwords or backups) in web application directories should be strictly prohibited. Strengthen protection for sensitive data when accessing application functions unless the function itself is used to access sensitive data.
3. Server-Side Request Forgery (SSRF)
The widespread adoption of cloud computing and microservices architecture has increased the attack surface for SSRF abuse. Over half (57%) of the analyzed applications contained SSRF threats, allowing malicious attackers to bypass application logic and illegally link with internal services. Attackers can also combine SSRF with other vulnerabilities to attack web servers or read application source code.
Security Recommendations
Organizations should create a whitelist of resources that applications can request and block any requests outside this list. Do not accept requests containing full URLs and set firewall filters to prevent users from accessing unauthorized domains.
4. SQL Injection
Most high-risk vulnerabilities discovered in this assessment were related to SQL injection. However, only 43% of the analyzed applications were susceptible to this threat, placing SQL injection fourth on the list.
This type of vulnerability can lead to the theft of sensitive information or remote code execution. In some test projects, researchers successfully obtained internal system administrator credentials by executing SQL injections on applications with public user registrations.
Security Recommendations
Use parameterized SQL queries in application source code instead of combining them with SQL query templates. If parameterized SQL queries cannot be used, ensure that user inputs used to generate SQL queries do not modify the query logic.
5. Cross-Site Scripting (XSS)
61% of the analyzed web applications had XSS threats, most of which were medium risk. Despite its prevalence, XSS was ranked fifth due to its lower risk level. Over half (55%) of XSS vulnerabilities were related to applications developed by third-party tech companies, and 39% were linked to public sector applications.
XSS attacks against application clients can be used to obtain user authentication information like cookies, perform phishing, or spread malware. In some scenarios, combining XSS with other vulnerabilities allows attackers to reset user passwords to known values, gaining access to the application using those credentials.
Security Recommendations
Replace unsafe formatted characters in HTML pages with non-formatted equivalents and provide secure mechanisms for handling user inputs. This should be done for any data obtained from external sources and displayed in the browser.
6. Broken Authentication
Almost half (47%) of the threats in this category were medium risk, but high-risk vulnerabilities also existed, allowing clients to access web applications on behalf of users. For instance, if an application does not check JWT (JSON Web Token) signatures, attackers can tamper with their JWT by specifying another user’s ID, using the generated token to perform various actions within the account.
Security Recommendations
Properly validate authentication data used to access applications. If using tokens and session ID signatures, validate them. Authentication cryptograms (keys and signatures) should be unique and have high entropy. Do not store cryptograms in application code.
7. Security Misconfiguration
Nearly half of the tested applications had security misconfiguration threats. These vulnerabilities range from enabled debug modes to disabled authentication. For example, an application’s Nginx server allowing access to files in the parent directory of the Alias directive could lead to accessing files containing confidential data.
Security Recommendations
Follow security best practices when configuring systems in the IT infrastructure. Automate the setup process to eliminate errors during new system installations. Use different credentials for testing and production systems and disable unused components.
8. Insufficient Brute Force Protection
Over one-third of the analyzed applications allowed brute force attacks. One-time passwords (OTPs) and authentication for various resources (like accounts or file systems) are the most vulnerable elements in web applications.
Specifically, when an organization has insufficient brute force protection, attackers can perform OTP attacks to bypass existing authentication factors and gain unauthorized access to applications.
Security Recommendations
Use CAPTCHA to make it harder for attackers to brute force credentials. Implement preventive controls (WAF and IPS) to block brute force attempts promptly, not only for repeated failed logins on the same account but also for multiple failed logins from the same source targeting different accounts.
9. Weak User Passwords
22% of the analyzed web applications had weak passwords. This lower proportion could be explained by security analysts often using customer testing platforms rather than actual systems. Despite the small number of applications with this vulnerability, the consequences of exploiting weak credentials can be severe. Depending on the account type, attackers could access basic application functions or administrative scenarios, potentially impacting business processes.
Security Recommendations
Implement weak password check mechanisms, such as checking against a list of the 10,000 weakest passwords to discover new or changed passwords. Enforce password length, complexity, and expiration requirements, along with other evidence-based modern password policies.
10. Unpatched Known Vulnerabilities
The final security threat is the presence of numerous unpatched known vulnerabilities in web applications. Vulnerable components include frameworks and various application dependencies like libraries and modules. Some of these allowed researchers to access servers used by applications, infiltrating the internal networks of customers.
Security Recommendations
Regularly inventory the software components used and apply patches as necessary. Use only trusted components that have successfully passed security testing and disable any unused components.
This article is written by ANQUANNIU.
I'm Carrie, a cybersecurity engineer and writer, working for SafeLine Team. SafeLine is an open source web application firewall, self-hosted, very easy to use.
Top comments (0)