Code injection attacks, the infamous king of vulnerabilities, have lost the top spot to broken access control as the worst of the worst, and developers need to take notice.
In this increasingly chaotic world, there have always been a few constants that people could reliably count on: The sun will rise in the morning and set again at night, Mario will always be cooler than Sonic the Hedgehog, and code injection attacks will always occupy the top spot on the Open Web Application Security Project (OWASP) list of the top ten most common and dangerous vulnerabilities that attackers are actively exploiting.
Well, the sun will rise tomorrow, and Mario still has "one-up" on Sonic, but code injection attacks have fallen out of the number one spot on the infamous OWASP list, refreshed in 2021. One of the oldest forms of attacks, code injection vulnerabilities have been around almost as long as computer networking. The blanket vulnerability is responsible for a wide range of attacks, including everything from traditional SQL injections to exploits launched against Object Graph Navigation Libraries. It even includes direct assaults against servers using OS injection techniques. The versatility of code injection vulnerabilities for attackers - not to mention the number of places that could potentially be attacked - has kept code injection in the top spot for many years.
But the code injection king has fallen. Long live the king.
Does that mean we've finally solved the injection vulnerability problem? Not a chance. It didn't fall far from its position as security enemy number one, only down to number three on the OWASP list. It would be a mistake to underestimate the continuing dangers of code injection attacks, but the fact that another vulnerability category was able to surpass it is significant, because it shows just how widespread the new OWASP top dog actually is, and why developers need to pay close attention to it moving forward.
Perhaps the most interesting thing, however, is that the OWASP Top 10 2021 reflects a significant overhaul, with brand new categories making their debut: Insecure Design, Software and Data Integrity Failures, and an entry based on community survey results: Server-Side Request Forgery. These point to an increasing focus on architectural vulnerabilities, and going beyond surface-level bugs for the benchmark in software security.
Broken Access Control Takes the Crown (and Reveals a Trend)
Broken access control rocketed from the fifth spot on the OWASP top ten vulnerabilities list all the way up to the current number one position. Like with code injection and new entries like insecure design, the broken access vulnerability encompasses a wide range of coding flaws, which adds to its dubious popularity as they collectively allow damage on multiple fronts. The category includes any instance where access control policies can be violated so that users can act outside of their intended permissions.
Some examples of broken access control cited by OWASP in elevating the family of vulnerabilities to the top spot include ones that enable attackers to modify a URL, internal application state, or part of an HTML page. They might also allow users to change their primary access key so that an application, site, or API believes they are someone else, like an administrator with higher privileges. It even includes vulnerabilities where attackers are not restricted from modifying metadata, letting them change things like JSON web tokens, cookies, or access control tokens.
Once exploited, this family of vulnerabilities can be used by attackers to bypass file or object authorizations, enables them to steal data, or even perform destructive administrator-level functions like deleting databases. This makes broken access control critically dangerous in addition to being increasingly common.
It's quite compelling - yet not surprising - that authentication and access control vulnerabilities are becoming the most fertile ground for attackers to exploit. Verizon's latest Data Breach Investigations Report reveals that access control issues are prevalent in almost every industry, especially IT and healthcare, and a whopping 85% of all breaches involved a human element. Now, "human element" covers incidents like phishing attacks, which are not an engineering problem, but 3% of breaches did involve exploitable vulnerabilities, and according to the report, were predominantly older vulnerabilities and human error-led, like security misconfiguration.
While those decrepit security bugs like XSS and SQL injection continue to trip up developers, increasingly, it has become apparent that core security design is failing, giving way to architectural vulnerabilities that can be very advantageous to a threat actor, especially if they go unpatched after the security flaw in a particular version of an application is made public.
The trouble is, few engineers are given training and skills development that goes beyond the basics, and fewer still are truly having their knowledge and practical application expanded beyond localized, code-level bugs that are typically developer-introduced in the first place.
Preventing the bugs that robots rarely find
The newly grouped family of broken access control vulnerabilities is fairly diverse. You can find some specific examples of broken access controls and how to stop them on our YouTube channel and our blog. Or better yet, try for yourself.
However, I think it's important to celebrate this new OWASP Top 10; indeed, it is more varied, encompassing a wider range of attack vectors that include those that scanners won't necessarily pick up. For every code-level weakness found, more complex architectural flaws will go unnoticed by most of the security tech stack, no matter how many automated shields and weapons are in the arsenal. While the lion's share of the OWASP Top 10 list is still compiled based on scanning data, new entries covering insecure design and data integrity failures - among others - show that training horizons for developers need to expand rapidly to achieve what robots cannot.
Put simply, security scanners don't make great threat modelers, but a team of security-skilled developers can help the AppSec team immeasurably by growing their security IQ in-line with best practices, as well as the needs of the business. This needs to be factored into a good security program, with the understanding that while the OWASP Top 10 is an excellent baseline, the threat landscape is so fast-paced (not to mention the demands of internal development goals) that there must be a plan to go deeper and more specific with developer upskilling in security. Failure to do so will inevitably lead to missed opportunities to remediate early, and hinder a successful holistic approach to preventative, human-led cybersecurity.
About the Author: Matias Madou is the co-founder and CTO of Secure Code Warrior. He has over a decade of hands-on software security experience, holding a Ph.D. in computer engineering from Ghent University.