2020 has not been a year that anyone will forget in a hurry, so let’s quickly look to the future. It’s December, OWASP is working on a new Top 10 – the perfect time to dust off the crystal ball and see what 2021 might have in store for web application security in general and common vulnerabilities in particular.
Evolution, Not Revolution
The pandemic seems to have toned down the usual technological hype in favor of caution, so no revolutionary changes should be expected for 2021. The move to remote-first has underlined the increasing reliance on cloud and web technologies while also confirming what the software development world has known for at least a few years: that web-only is finally a viable option.
In terms of security, transport layer protection issues seem to be a thing of the past, with HTTPS and TLS 1.2 becoming the new normal. Even though widespread adoption of the latest and most secure TLS 1.3 protocol will still need a few more years, we shouldn’t see any new POODLEs or Heartbleeds anytime soon. With providers such as Cloudflare doing a pretty good job at keeping denial-of-service attacks at bay, cybersecurity in 2021 will focus squarely on the application layer, where ever more advanced web development frameworks, data abstraction layers, and containerized deployment models will contribute to growing complexity on every level.
A Look Back at Last Year’s Predictions
Before we peer into the future, let’s check back on some of the predictions made on this very blog 12 months ago. Considering the turmoil caused by the pandemic (no, didn’t see that one coming, sorry), many of these have actually held up quite well. For example, data breaches have indeed been a major feature in cybersecurity news, though eclipsed by some high-profile ransomware attacks. As predicted, state-sponsored actors have also been active in this year of social and political unrest. The cybersecurity skills gap continues to be a highly relevant topic and, with the shift to remote work, cloud security has become more important than ever.
New OWASP Top 10 Coming Soon
The Open Web Application Security Project has a new OWASP Top 10 list in the works. This will present the most dangerous and common web security vulnerabilities based on both OWASP research and industry feedback. A handful of items have consistently featured in the Top 10 for the past decade and are not going away any time soon, so here are our bets for the most common vulnerability categories of 2021.
Injections Still Going Strong, Input Validation Still Tricky
With so much web development now occurring on a higher level and frameworks taking care of fiddly technical details like data storage, there is now a back-end database behind the vast majority of websites and applications. Relational databases still lead the pack, so SQL queries and other SQL statements are the prime injection payloads, but attacks against other database technologies will intensify, from NoSQL injection to attacks involving GraphQL and other specialized data access interfaces.
The common denominator in most injection attacks is improper sanitization and validation of user inputs. Considering the growing complexity of web applications, user-controlled malicious data can come from a wide variety of sources, not just the traditional form fields and URL parameters. Server-side validation is now also a must since attacks such as DOM-based XSS can’t be detected on the client side.
Access Control Still a Mess
Ensuring proper access control will continue to be a major security headache. More and more websites and applications require authentication to access content or functionality, so broken authentication can have serious consequences, from revealing sensitive information to a major security breach that exposes entire user accounts. Closely related are session management issues, which can only become more prominent as single sign-on and third-party authentication schemes continue to gain popularity.
Interestingly, OWASP is also moving away from listing very specific vulnerabilities and towards a higher-level view of access control challenges. For example, the previous Top 10 merged insecure direct object references (IDORs) and missing function-level access control under the general heading of broken access control.
Sensitive data exposure is another cross-cutting concern that touches many areas of web application security. Whether you have an IDOR that reveals a database key, an insecure JSON Web Token implementation that reveals the session ID, or a misconfigured cloud storage bucket that reveals user data to unauthenticated hosts, you are leaking sensitive information. As application components are increasingly hidden behind APIs, such common mistakes will only become more dangerous and harder to track down.
Complexity Still Complicated
Speaking of complexity, current trends in web application development and deployments suggest that vulnerabilities related to configuration and external components will continue to grow. A framework-based web application can rely on hundreds of external components, many of them completely hidden from the developer. While this has greatly reduced the time and effort required to build and modify applications, it also means that vulnerabilities can originate not just in the application code itself but also in external dependencies that can’t be easily fixed.
Alongside using components with known vulnerabilities, all sorts of security misconfigurations will continue to be a growing concern. While running a web server with insecure default settings and leaving debugging code in a production release have always been common mistakes, the sheer scale of modern web development means that the consequences of any such error are now magnified many times. Reliance on web frameworks is also likely to bring more advanced issues to the fore, such as insecure deserialization, where application objects are persisted and then recreated in a way that leaves them open to tampering by attackers.
On the Bright Side
Luckily, it’s not all doom and gloom. For all their caveats, modern frameworks are actually improving overall web application security because many typical operations and design patterns are built into the framework itself, providing developers with secure building blocks. Taking React as an example, it is very difficult to introduce an XSS vulnerability in a React-based application because all external inputs are processed by the framework.
The availability of high-quality frameworks and libraries combined with growing awareness of security issues should decrease the number of some highly technical vulnerabilities. For example, XXE (XML External Entity) vulnerabilities, which came up in the 2017 OWASP Top 10, are easy to avoid if support for DTDs is simply disabled altogether, which can be done at the framework level. The same goes for anti-CSRF tokens, which can completely eliminate CSRF attacks – but only if they are implemented correctly, preferably using a high-quality library. Many authentication and access control issues can also be prevented if developers take time to select and use secure implementations instead of rolling their own.
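As an added illustration of the "disable DTDs altogether" approach mentioned above (example code written for this page, not from the original post or from any particular framework): the hypothetical assert_no_dtd gate uses Python's standard-library expat parser to refuse any document that carries a DOCTYPE before it reaches the application's XML parser, so no external entity can ever be declared. The two sample documents are constructed.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE; no DTD means no XXE."""


def assert_no_dtd(xml_text: str) -> None:
    """Stream the document through expat and abort on the first <!DOCTYPE ...>.

    Hypothetical gate added for illustration: expat calls
    StartDoctypeDeclHandler before any entity is expanded, so raising here
    rejects DTDs outright, which is the framework-level fix the post describes.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(
            f"DOCTYPE {name!r} rejected (SYSTEM id={sysid!r}, "
            f"internal subset={bool(has_internal_subset)})"
        )

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_text, True)


def parse_untrusted(xml_text: str) -> ET.Element:
    """Parse only after the document has passed the no-DTD gate."""
    assert_no_dtd(xml_text)
    return ET.fromstring(xml_text)


def classify(xml_text: str) -> tuple:
    """Return ('ok', root tag) or ('rejected', reason) for one document."""
    try:
        return ("ok", parse_untrusted(xml_text).tag)
    except DTDForbidden as exc:
        return ("rejected", str(exc))


# Constructed sample inputs (not taken from the original post).
BENIGN = '<?xml version="1.0"?><order><id>42</id></order>'
WITH_DTD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY greet "hello">]>'
    "<order><note>&greet;</note></order>"
)

if __name__ == "__main__":
    print(classify(BENIGN))    # ('ok', 'order')
    print(classify(WITH_DTD))  # rejected before any entity is expanded
```

Because the rejection happens at the DOCTYPE declaration itself, the gate blocks internal and external entity definitions alike, regardless of what the application parser downstream would do with them.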
And on a final positive note, the capabilities and accuracy of web application security solutions will definitely continue to grow in the coming year, which can only be good news. In 2021, we can definitely expect more emphasis on machine learning to make the best use of huge data sets and help users identify and remedy vulnerabilities across large application environments. And because the focus of software security continues to move towards cloud and web technologies, more and more organizations will appreciate the importance of securing their web applications.