
Ethical Hacking

Wade Mackey

OWASP’s 2021 List Shuffle: A New Battle Plan and Primary Foe

October 24, 2021 by Matthew Bryan 2 Comments

I thought this was timely given this week’s topic. OWASP recently refreshed their list of web application vulnerabilities which saw Code Injection Vulnerabilities being replaced by Broken Access Control as #1.

The article notes that this shift in order was not due to “solving” Code Injection Vulnerabilities; rather, it illustrates how widespread Broken Access Control is in the field. Broken Access Control “encompasses a wide range of coding flaws” that could “enable attackers to modify a URL, internal application state, or part of an HTML page.” The category covers any instance where access control policies can be violated so that users act outside of their intended permissions.
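To make the category concrete, here is an added example (not code from the post, from OWASP, or from the cited article) of the most common shape Broken Access Control takes: a record lookup keyed only by an identifier taken from the URL, shown beside the same lookup with the authorization decision made server-side from the session identity. The users, roles and invoice records are constructed inline so the module runs offline.

```python
"""Broken Access Control, illustrated: an object lookup that trusts the
identifier in the request versus one that enforces ownership on the server.

Added example; the data store, users and roles below are constructed
stand-ins for a database table and a role mapping.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str        # username the record belongs to
    amount_cents: int


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, "alice", 12_500),
    1002: Invoice(1002, "bob", 4_200),
}

# Constructed role table: "auditor" may read any invoice, "user" only their own.
ROLES = {"alice": "user", "bob": "user", "carol": "auditor"}


class AccessDenied(Exception):
    """Raised when the caller may not act on the requested object."""


def get_invoice_insecure(session_user: str, invoice_id: int) -> Optional[Invoice]:
    """Vulnerable: the handler authenticates the user (session_user is known)
    but never asks whether that user may see this particular record. Editing
    /invoices/1001 to /invoices/1002 in the URL returns another user's data."""
    return INVOICES.get(invoice_id)


def get_invoice_secure(session_user: str, invoice_id: int) -> Invoice:
    """Hardened: the decision is made on the server from the session identity,
    never from anything the client supplied, and it denies by default."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        # Same error for "missing" and "forbidden" so the response does not
        # reveal which identifiers exist.
        raise AccessDenied(f"invoice {invoice_id}: not found or not permitted")
    role = ROLES.get(session_user, "anonymous")
    if role == "auditor" or invoice.owner == session_user:
        return invoice
    raise AccessDenied(f"invoice {invoice_id}: not found or not permitted")


def can_read(session_user: str, invoice_id: int) -> bool:
    """Boolean view of the hardened check, convenient for logging and tests."""
    try:
        get_invoice_secure(session_user, invoice_id)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # Alice views her own invoice, then changes the identifier in the URL to Bob's.
    print("insecure, alice -> 1002:", get_invoice_insecure("alice", 1002))  # Bob's record leaks
    print("secure,   alice -> 1002:", can_read("alice", 1002))               # False
    print("secure,   carol -> 1002:", can_read("carol", 1002))               # True (auditor role)
```

The point a reviewer checks for is that the insecure handler is fully authenticated and still broken: knowing who the caller is does not decide what the caller may touch. The hardened version also collapses "not found" and "forbidden" into one response so identifier enumeration yields no signal.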

The updated OWASP list also introduced new categories: Insecure Design, Software & Data Integrity Failure, and Server-Side Request Forgery.


Author: Matias Madou

Published: October 20, 2021

Link

Filed Under: Week 8 Tagged With: Week 6

Reader Interactions

Comments

  1. Ryan Trapp says

    October 25, 2021 at 10:28 am

    It’s always interesting seeing the shifts in the top most oft-exploited vulnerabilities that attackers are exploiting. It really is interesting that certain items can fall down the list, like you’ve pointed out with code injection, due to just another vulnerability being more widespread at this time. At first glance at the list you would think maybe companies are starting to improve at preventing these code injection attacks. The reality is they just have a more tempting vulnerability ready to be exploited.

  2. Vanessa Marin says

    November 8, 2021 at 7:34 pm

    I’ll be using this list extensively as I transition into a new role doing app security assessments. I agree with Ryan on the heightened interest as there are shifts in the top 10. Considering, however, the comment that Dr. Mackey talked about… The list is now “corporately” influenced. So I wonder how much this change reflects on the real world vs. the corporate world.


Copyright © 2025 · Course News Pro on Genesis Framework · WordPress · Log in