Injection flaws, particularly of the SQL kind, are now the most critical web application security risk for enterprises, according to a newly-updated report from the Open Web Application Security Project (OWASP).
The nonprofit open-source application security community on Monday released a new version of its Top 10 list of critical web application security risks, a ranking intended to help organizations better secure their web applications and services.
The OWASP Top 10 list, last updated in 2007, now places a greater emphasis on risks, in addition to vulnerabilities, according to the report.
Injection flaws are easily exploitable and occur when an application sends untrusted data to an interpreter as part of a command or query, the report states. The impact of this kind of flaw is severe as it can allow an attacker to execute unintended commands or access unauthorized data, resulting in data loss, corruption, lack of accountability, denial of access, or complete host takeover.
Cross-site scripting (XSS) flaws, which formerly held the top spot on the list, have dropped down to No. 2. XSS flaws occur when an application takes untrusted data and sends it to a web browser without proper validation. The impact of XSS has been classified as moderate, as it could allow an attacker to execute scripts in a victim's browser to hijack a user's session or deface websites.
OWASP Top 10 List:
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
This year's Top 10 also includes two new categories for security misconfiguration and unvalidated redirects and forwards. Security misconfiguration, No. 6 on the list, occurs when secure configuration settings are not defined and deployed for the application, frameworks, application server, web server, database server and platform.
The risk was at one time part of the Top 10 list but was dropped in 2007 because it wasn't considered to be a software issue. From an organizational risk and prevalence perspective, however, the category deserved to again be included in the list, the report states.
The other new category, unvalidated redirects and forwards, is a relatively unknown issue but is widespread and can cause significant damage, the report states. This risk, at No. 10 on the list, can occur because web applications frequently redirect and forward users to other websites and use untrusted data to determine the destination pages, the report states. Without the proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
Meanwhile, two items that were previously on the list have been removed. The category for malicious file execution was removed because the issue has become less prevalent over the past three years. In addition, the category for information leakage and improper error handling was removed because its impact is typically minimal.
Members of the OWASP said they hope the report is seen by every person who writes code for the web.
The complete Top 10 report is available for download here.