OWASP top rated security “feature” A01:2021 – Broken Access Control
Posted by jpluimers on 2021/11/24
This important German-language article, [Wayback/Archive] A01:2021 – Broken Access Control, is a preamble for a future post about getting a feel for how to counter the vulnerabilities that OWASP tracks and documents.
The key thing to remember is that Broken Access Control is by far the most common weakness found in applications:
Broken Access Control was in 5th place in 2017 and is now problem #1. 94% of the applications tested had some form of broken access control. The former #1 perennial, Injection, is now only in 3rd place.
The top 3 changed dramatically between 2017 and 2021. The new top 3 is below; please get acquainted with it.
- [Wayback/Archive] A01 Broken Access Control – OWASP Top 10:2021
Moving up from the fifth position, 94% of applications were tested for some form of broken access control with the average incidence rate of 3.81%, and has the most occurrences in the contributed dataset with over 318k. Notable Common Weakness Enumerations (CWEs) included are CWE-200: Exposure of Sensitive Information to an Unauthorized Actor, CWE-201: Exposure of Sensitive Information Through Sent Data, and CWE-352: Cross-Site Request Forgery.
- [Wayback/Archive] A02 Cryptographic Failures – OWASP Top 10:2021
Shifting up one position to #2, previously known as Sensitive Data Exposure, which is more of a broad symptom rather than a root cause, the focus is on failures related to cryptography (or lack thereof), which often lead to exposure of sensitive data. Notable Common Weakness Enumerations (CWEs) included are CWE-259: Use of Hard-coded Password, CWE-327: Broken or Risky Crypto Algorithm, and CWE-331: Insufficient Entropy.
- [Wayback/Archive] A03 Injection – OWASP Top 10:2021
Injection slides down to the third position. 94% of the applications were tested for some form of injection with a max incidence rate of 19%, an average incidence rate of 3%, and 274k occurrences. Notable Common Weakness Enumerations (CWEs) included are CWE-79: Cross-site Scripting, CWE-89: SQL Injection, and CWE-73: External Control of File Name or Path.
Via: [Archive] Kristian Köhntopp on Twitter: “Much from this thread can now be found in a more organized form in … “
Very much related, as A01 was the root cause behind GitHub’s commitment to npm ecosystem security | The GitHub Blog – historically, no npm package could be tracked as authentic.
We determined that this vulnerability was due to inconsistent authorization checks and validation of data across several microservices that handle requests to the npm registry. In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.
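The split that the GitHub write-up describes, one service authorizing on the package name in the URL path and another service writing whichever package name the uploaded file claims, is easy to reproduce in a few lines. The following is an added illustration and is not GitHub’s or the npm registry’s code: the users, package names, in-memory registry and the shape of an “upload” are all constructed for the example. The vulnerable handler is placed beside a hardened one that parses first, refuses any path/manifest mismatch, and authorizes against the name it is actually about to write.

```javascript
// Added illustration of the pattern in the GitHub write-up above; this is NOT
// npm registry code. Everything here (user names, package names, the shape of
// an "upload") is constructed for the example.

// Constructed registry state: who may publish to which package, and the
// latest published artifact for each package.
function makeRegistry() {
  return {
    owners: new Map([
      ["victim-lib", new Set(["victim"])],
      ["attacker-util", new Set(["attacker"])],
    ]),
    packages: new Map([
      ["victim-lib", { version: "1.0.0", tarball: "victim-lib-1.0.0.tgz" }],
      ["attacker-util", { version: "0.1.0", tarball: "attacker-util-0.1.0.tgz" }],
    ]),
  };
}

// "Authorization service": decides from the package name in the request path
// (e.g. PUT /attacker-util), which is what the write-up describes.
function authorizeFromPath(reg, user, pathPackageName) {
  const owners = reg.owners.get(pathPackageName);
  return owners !== undefined && owners.has(user);
}

// Stand-in for unpacking the uploaded tarball and reading its package.json.
function parseUpload(upload) {
  const m = upload && upload.manifest;
  if (!m || typeof m.name !== "string" || typeof m.version !== "string") {
    throw new Error("400 malformed package file");
  }
  return { name: m.name, version: m.version, tarball: upload.tarball };
}

// VULNERABLE: the authz decision keys on the URL path, but the write keys on
// the name inside the uploaded file. Nothing ties the two together.
function publishVulnerable(reg, user, pathPackageName, upload) {
  if (!authorizeFromPath(reg, user, pathPackageName)) {
    throw new Error("403 not an owner of " + pathPackageName);
  }
  const pkg = parseUpload(upload); // pkg.name may differ from the path
  reg.packages.set(pkg.name, { version: pkg.version, tarball: pkg.tarball });
  return pkg.name; // the package actually overwritten
}

// HARDENED: parse first, reject any path/manifest mismatch, and authorize
// against the name that will actually be written (not merely the path).
function publishHardened(reg, user, pathPackageName, upload) {
  const pkg = parseUpload(upload);
  if (pkg.name !== pathPackageName) {
    throw new Error("400 manifest name " + pkg.name + " does not match path " + pathPackageName);
  }
  if (!authorizeFromPath(reg, user, pkg.name)) {
    throw new Error("403 not an owner of " + pkg.name);
  }
  reg.packages.set(pkg.name, { version: pkg.version, tarball: pkg.tarball });
  return pkg.name;
}

// Run the same attacker request through both services and report the outcome.
// The attacker owns attacker-util and publishes to /attacker-util, but the
// uploaded file claims to be victim-lib.
function demonstrate() {
  const maliciousUpload = {
    manifest: { name: "victim-lib", version: "1.0.1" },
    tarball: "backdoored.tgz",
  };
  const result = {};

  const vuln = makeRegistry();
  result.vulnerableWrote = publishVulnerable(vuln, "attacker", "attacker-util", maliciousUpload);
  result.vulnerableVictimTarball = vuln.packages.get("victim-lib").tarball;

  const hard = makeRegistry();
  try {
    publishHardened(hard, "attacker", "attacker-util", maliciousUpload);
    result.hardenedError = null;
  } catch (e) {
    result.hardenedError = e.message;
  }
  result.hardenedVictimTarball = hard.packages.get("victim-lib").tarball;
  return result;
}

console.log(demonstrate());
```

Note that the hardened version does two things, and both matter: the equality check alone would still let a future refactor reintroduce the bug if the path check were dropped, so the writing service also re-authorizes on the exact identifier it persists. In a real multi-service deployment that second check is the one that survives, because the service doing the write is the only one that knows what it is about to write.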
–jeroen