What you didn’t know about OWASP Top-10 2017? Part 2/3

2018-02-01T20:16:52
ID D0ZNPP:849CEDEABF394FA43023970C1332E640
Type d0znpp
Reporter Ivan Novikov
Modified 2018-02-01T20:16:52

Description

In my previous post I covered the first 3 of the OWASP Top-10 2017 risks. Today I’d like to continue and explain the next 3 risks:

  • A4. XML External Entities (XXE)
  • A5. Broken Access Control
  • A6. Security Misconfiguration

Let’s begin then!

A4. XXE.

This is my favorite one. I made some money because of it through different bug bounty programs in 2011–2015. Now it’s mentioned in OWASP for the first time. Welcome home!

Actually XXE is not a bug, but a well documented feature of any XML parser. Yes, it’s true: the XML data format allows a document to include the content of any external text file. To prevent XXE you should initialize your XML parser in a secure way. There are two different options that should both be disabled:

  • External entities
  • External DTD schema

And the second one is really important. A lot of problems are caused by the external DTD variant of this vulnerability even when external entities are disabled. Nevertheless, the OWASP paper has no exploit example on this matter. Please find one below:

<?xml version="1.0"?>
<!DOCTYPE a SYSTEM "/dev/urandom">
<a>wlrm</a>

The difference is that the SYSTEM keyword is placed on the DOCTYPE declaration itself, not on an ENTITY declaration, so the parser fetches the external DTD rather than an entity value. Please be careful and fix both!
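As an added example that is not part of the original post, the following uses Python’s standard-library expat binding to show how the two settings map onto parser hooks: one hook rejects a SYSTEM (or PUBLIC) identifier on the DOCTYPE itself, the other rejects any entity declared with an external source. The sample documents are constructed for this example.

```python
import xml.parsers.expat

# Constructed sample documents (not from the post).
PLAIN = '<?xml version="1.0"?><a>wlrm</a>'
# External DTD referenced from the DOCTYPE declaration itself.
EXT_DTD = '<?xml version="1.0"?><!DOCTYPE a SYSTEM "/dev/urandom"><a>wlrm</a>'
# Classic external general entity declared in the internal subset.
EXT_ENTITY = ('<?xml version="1.0"?>'
              '<!DOCTYPE a [<!ENTITY x SYSTEM "file:///etc/hostname">]>'
              '<a>&x;</a>')
# Internal entity with an inline value: no external fetch, so accepted.
INT_ENTITY = '<?xml version="1.0"?><!DOCTYPE a [<!ENTITY x "hi">]><a>&x;</a>'


class UnsafeXml(ValueError):
    """Raised when a document asks the parser to load an external resource."""


def parse_hardened(doc: str) -> str:
    """Parse `doc` and return its concatenated character data.

    Both XXE knobs are closed: an external DTD on the DOCTYPE and any
    externally sourced entity abort the parse before anything is fetched.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Option 2 from the text: DOCTYPE ... SYSTEM "..." / PUBLIC "..."
        if system_id is not None or public_id is not None:
            raise UnsafeXml(f"external DTD on DOCTYPE {name!r}: {system_id!r}")

    def on_entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        # Option 1 from the text: value is None only for external entities.
        if value is None:
            raise UnsafeXml(f"external entity {name!r}: {system_id!r}")

    def on_external_ref(context, base, system_id, public_id):
        # Last line of defence: never resolve an external reference.
        raise UnsafeXml(f"external reference refused: {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(doc, True)  # exceptions raised in handlers propagate here
    return "".join(chunks)


def is_safe(doc: str) -> bool:
    """True if `doc` parses without requesting any external resource."""
    try:
        parse_hardened(doc)
        return True
    except UnsafeXml:
        return False
```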

A5. Broken Access Control.

This is a merge of Insecure Direct Object References and Missing Function Level Access Control from the previous OWASP Top-10 2013. According to the whitepaper, this means all authorization issues fall here, and even something more. Strangely, server-side bugs sit here together with client-side bugs, like a missing CORS policy.

At the same time, a lot of issues like /.git, /log.txt and other classic Insecure Direct Object References should be classified as both A3 (Sensitive Data Exposure) and A5.

Moreover, a lot of A2 (Broken Authentication) issues will be classified as A5 as well.

As a result, I’d like to say that in my opinion the set of risks identified by A5 lies entirely inside the union of A2 and A3.

A6. Security Misconfiguration.

All the default passwords, unpatched software, known issues and plain mistakes are here. Technically it means that all the other OWASP Top-10 2017 risks are here too. Yes, it’s true. Each time some other OWASP risk is triggered, the A6 risk is triggered as well. The reverse is not true: just because A6 is triggered doesn’t necessarily mean some other OWASP risk is triggered as well. Just remember this.

Phew… We are almost there. I’ll publish the last part, with a final chart of how all the OWASP Top-10 2017 risks intersect, in the next couple of weeks.