22nd October 2021, Kathmandu
Code injection attacks, the infamous king of vulnerabilities, have lost the top spot to broken access control as the worst of the worst, and developers need to take notice.
In an increasingly chaotic world, there have always been a few constants that people could reliably count on:
The sun will rise in the morning and set again at night, Mario will always be cooler than Sonic the Hedgehog, and code injection attacks will always occupy the top spot on the Open Web Application Security Project (OWASP) list of the ten most prevalent and dangerous vulnerabilities that attackers are actively exploiting.
Well, the sun will rise tomorrow, and Mario still has a "one-up" on Sonic, but code injection attacks have fallen out of the number one spot on the OWASP list, refreshed in 2021. One of the oldest forms of attack, injection vulnerabilities have been around virtually as long as computer networking.
The blanket category is responsible for a wide range of attacks, from traditional SQL injection to exploits against Object Graph Navigation Library (OGNL) expressions. It even includes direct attacks on servers through OS command injection.
The variety of injection flaws available to attackers, not to mention the number of places that can be attacked, kept injection in the top spot for many years.
But the code injection king has fallen. Long live the king.
Does that mean we've finally solved the injection problem? Not a chance. It didn't fall far from its position as security enemy number one, only down to number three on the OWASP list.
It would be a mistake to underestimate the continuing danger of injection attacks, but the fact that another category was able to overtake it matters, because it shows just how widespread the new OWASP top dog really is, and why developers need to pay close attention to it going forward.
Perhaps the most interesting thing, however, is that the OWASP Top 10 2021 reflects a significant overhaul, with brand-new categories making their debut (Insecure Design, and Software and Data Integrity Failures) and one entry added on the basis of the community survey: Server-Side Request Forgery.
This points to an increasing focus on architectural vulnerabilities, taking the benchmark for software security beyond surface-level bugs.
Broken access control rocketed from fifth place on the OWASP Top 10 all the way up to the current number one position.
Like injection, and new entries such as insecure design, broken access control covers a wide range of coding flaws, which contributes to its dubious popularity, since collectively they allow damage on multiple fronts.
The category includes any instance where access control policy can be violated so that users can act outside their intended permissions.
Examples cited by OWASP in promoting this family of vulnerabilities to the top spot include flaws that let attackers bypass access checks by modifying a URL (parameter tampering or forced browsing), internal application state, or part of an HTML page.
They may also allow a user to supply another account's unique identifier (an insecure direct object reference) so that an application, site, or API treats them as that user, or to act as an administrator while logged in as an ordinary user.
It also includes flaws where attackers are not prevented from manipulating metadata, such as replaying or tampering with a JSON Web Token (JWT), a cookie, or a hidden field in order to elevate privileges.
Once exploited, this family of vulnerabilities lets attackers bypass file or object permissions, steal data, or even perform destructive administrator-level actions such as deleting databases.
This makes broken access control critically dangerous, in addition to being increasingly prevalent.
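As an added illustration (not code from the original post, nor from OWASP), the following Python models two of the flaws listed above in a tiny stand-alone account service: an insecure direct object reference where the record ID taken from the URL is trusted without an ownership check, and a session token whose role claim is believed without verifying its signature. Each vulnerable function sits beside its fixed counterpart. The account data, the key, and names such as ACCOUNTS, lookup_account_fixed and tamper_role are assumptions constructed for this example.

```python
"""Two broken-access-control flaws beside their fixes.

Added example (not from the original article). Uses plain functions and
constructed data so it runs offline with the standard library only.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample data: two users, each owning one account record.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 9000},
}


def lookup_account_vulnerable(acct_id, session_user):
    """Vulnerable: trusts the ID from the URL (?acct=1002) and never checks
    that the caller owns it. Any logged-in user reads any record simply by
    editing the parameter (the "modify a URL" case)."""
    return ACCOUNTS.get(acct_id)


def lookup_account_fixed(acct_id, session_user):
    """Fixed: deny by default. The record is returned only if it exists and
    its owner matches the user the server-side session says is logged in."""
    record = ACCOUNTS.get(acct_id)
    if record is None or record["owner"] != session_user:
        return None
    return record


# Hypothetical server secret for the demo; a real service uses a random key.
SERVER_KEY = b"constructed-demo-key"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, role):
    """Mint a compact signed token: base64(claims).base64(HMAC-SHA256)."""
    payload = _b64(json.dumps({"sub": user, "role": role}).encode())
    sig = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig


def tamper_role(token, new_role):
    """What an attacker does: rewrite the claims, keep the old signature."""
    payload, sig = token.split(".")
    claims = json.loads(_unb64(payload))
    claims["role"] = new_role
    return _b64(json.dumps(claims).encode()) + "." + sig


def role_from_token_vulnerable(token):
    """Vulnerable: decodes the claims and believes them, ignoring the
    signature entirely. role=user becomes role=admin with a text editor."""
    payload, _sig = token.split(".")
    return json.loads(_unb64(payload))["role"]


def role_from_token_fixed(token):
    """Fixed: recompute the MAC over the payload and compare in constant
    time before trusting any claim. Tampered tokens yield no role at all."""
    payload, sig = token.split(".")
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    return json.loads(_unb64(payload))["role"]


if __name__ == "__main__":
    # Alice is logged in and asks for Bob's account by changing the ID.
    print("IDOR, vulnerable:", lookup_account_vulnerable("1002", "alice"))
    print("IDOR, fixed:     ", lookup_account_fixed("1002", "alice"))
    # Alice edits her token's role claim without knowing the server key.
    forged = tamper_role(issue_token("alice", "user"), "admin")
    print("token, vulnerable:", role_from_token_vulnerable(forged))
    print("token, fixed:     ", role_from_token_fixed(forged))
```

The point of the pairing is that neither fix is exotic: the IDOR fix is a single ownership comparison on the server side, and the token fix is refusing to read claims until the signature has been checked with a constant-time compare. Scanners rarely flag either omission, because the vulnerable code has no syntax error and no dangerous sink; it simply forgets to ask "is this caller allowed to do this?".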
It's quite compelling, if not surprising, that authentication and access control flaws are becoming the most fertile ground for attackers to exploit.
Verizon's latest Data Breach Investigations Report shows that access control issues are prevalent in virtually every industry, especially IT and healthcare, and that a whopping 85% of all breaches involved a human element.
Now, the "human element" covers incidents like phishing, which are not an engineering problem, but 3% of breaches did involve exploitable vulnerabilities, and according to the report these were predominantly older vulnerabilities and the product of human error, such as security misconfiguration.
While old security bugs like XSS and SQL injection continue to trip up developers, it has become increasingly clear that core security design is failing, giving way to architectural vulnerabilities that can be very lucrative for a threat actor, especially if they go unpatched after the flaw in a particular version of an application is made public.
The trouble is, few engineers are given training and skills development that goes beyond the fundamentals, and fewer still genuinely have their knowledge and practical skills expanded beyond localized, code-level bugs that are typically developer-introduced in the first place.
The newly grouped family of broken access control vulnerabilities is fairly diverse. You can find concrete examples of broken access control, and how to stop it, on our YouTube channel and our blog. Or better yet, try it for yourself.
However, I think it's important to celebrate this new OWASP Top 10; it is more varied, covering a wider range of attack vectors, including those that scanners won't necessarily pick up.
For every code-level weakness found, more complex architectural flaws will go unnoticed by most of the security tech stack, no matter how many automated shields and weapons are in the arsenal.
While the lion's share of the OWASP Top 10 is still compiled from scanning data, new entries covering insecure design and data integrity failures, among others, show that developers' training horizons need to expand quickly to achieve what the robots cannot.
Put simply, security scanners don't make great threat modelers, but a team of security-skilled developers can help the AppSec team immeasurably by growing their security IQ in line with best practices and the needs of the business.
This needs to be factored into a good security program, with the understanding that while the OWASP Top 10 is an excellent baseline, the threat landscape moves so fast (not to mention the pressure of internal development goals) that there must be a plan to go deeper and more specific with developer upskilling in security.
Failure to do so will inevitably lead to missed opportunities to remediate early, and will obstruct a successful, holistic approach to preventative, human-led cybersecurity.