May 10, 20170 mins read
The OWASP Top 10 is a well known index of web app security vulnerabilities which is used every day by security professionals. But one thing is missing from the index—how often are each of these vulnerabilities used by hackers to breach organizations?
We looked at a data set of 1,792 security breaches and found that of the 10 OWASP vulnerabilities, the most severe, A1-Injection, caused only 4 of the 50 most devastating breaches (8%). OWASP’s 9th most severe vulnerability, A9-Known Vulnerable Components was the biggest with 12 breaches (24%). And 15 breaches (30%) were caused by problems not listed in the OWASP Top 10 at all. Read on to see the differences between OWASP Top 10 in theory, vs. massive security exploits in practice.
In a Bit More Detail
The OWASP Top 10 is a list of “the ten most critical web application security risks”, including SQL injection, Cross-Site Scripting, security misconfiguration and use of vulnerable components. The vulnerabilities in the list were selected based on four criteria: ease of exploitability, prevalence, detectability, and business impact.
However, one criterion is missing from the Top 10, by design. The OWASP Top 10 2013 Release document states: “This approach does not take the likelihood of the threat agent” (p. 20)—in other words, how likely it is for attackers to strike, leveraging one of these vulnerabilities.
Leaving out this criterion is reasonable in some respects—even if no burglars in our neighborhood entered a house through an open window, it’s still important for homeowners to secure their windows, as this is a common and easily preventable vulnerability.
However, in other respects, it’s a problematic omission. If no burglars entered through windows in the past year, while 90% entered through the front door, this crucial info could help you decide where to invest first to secure your home.
In the world of web app security, we can learn about virtual “burglaries” by examining publicized security breaches. In the real world, which of the OWASP Top 10 are exploited most often by hackers? Which are exploited only rarely?
We based our research on the Breach Level Index, published by Gemalto. It is a list of 1,792 data breaches (in 2016 alone) ranked by their severity, taking into account multiple factors like the amount of data taken, its sensitivity, etc.
We investigated: What was the root cause of the top 50 data breaches in 2016? Which of the OWASP Top 10 do those root causes belong to? And in turn, which of the OWASP Top 10 was responsible for the biggest data security catastrophes in 2016?
Methodological note: We surveyed the top 82 breaches in Gemalto’s Data Breach Index, and found 50 with known root causes according to publicly available sources. We will treat these as the “Top 50 Data Breaches”—in fact these are the “top 50 with known root causes”. For all 82, if there was information available about any OWASP Top 10 Vulnerabilities which contributed to the attack (even if not root causes) we noted them as well.
OWASP Top 10 Ordered by their Role in Major Data Breaches
The top 50 data breaches of 2016 included 77 million records stolen from the Philippines’ Commission on Elections, the Panama Papers scandal in which offshore accounts of several world leaders were exposed, the Adult FriendFinder breach which exposed the private information of 412 million account holders, and many more.
Let’s start with root causes. A data breach may involve several OWASP Top 10 vulnerabilities (e.g. weak passwords, classified as A2, and SQL injection, classified as A1). But which was the main one that enabled the attacker to penetrate and perform the attack? We label this the “root cause”.
Methodological note: In our research, we relied on a variety of publications to determine what happened in each data breach and what was the root cause. Some of these are primary sources or security research, while some are general press or even social media postings by knowledgeable parties. We tried to select only sources that seemed authoritative, but most sources were not in direct contact with the breached organization or the attackers and could be wrong. Even if reports are true, details may have been unreported or unknown, even by the breached organizations themselves. Our data is only as good as the information reported by these sources, cited in our data spreadsheet for your reference.
In the table below we show which of the OWASP Top 10 was the root cause for the most devastating data breaches.
Disaster Rank 1: A9-Using Components with Known Vulnerabilities, is the dubious “winner” causing 12 of the top 50 breaches (24%). Notable incidents caused by A9:
The Mossack Fonesca (Panama Papers) breach, which was caused by a vulnerability in an old, unpatched version of Drupal.
The VericalScope/Techsupportforum.com breach in which 45 million passwords and IP addresses were stolen from a network of over 1,100 websites and forums. The cause was said to be a known vulnerability in an old version of the vBulletin forum software.
The Ubuntu forums breach in which 2 million usernames, IP addresses and passwords were compromised from the official Ubuntu forums. The cause was a “known SQL injection vulnerability in the Forumrunner add-on which had not been patched”.
The usual suspect: Amazingly, of the 12 huge breaches caused by A9, a whopping 9 organizations were breached due to vulnerabilities in forum software, and 6 of those were using an old version of the vBulletin software.
Disaster Rank 2: A5-Security Misconfiguration is a close second with 10 of the top 50 breaches (20%). A common case of security misconfiguration is leaving sensitive data in a database with access to the open Internet and requiring no authentication. Notable breaches caused by A5:
The Mexican Voters Breach in which registration data of 93.4 million voters was publicly exposed, although probably not offered for sale on the dark net. The compromised database turned out to be a legitimate copy of the registration data belonging to a political party, who had uploaded it to AWS without securing it.
The US Voters / Amazon / Google breach in which 154 million profiles of US voters with rich personal details was taken by a Serbian hacker. The data was stored in a CouchDB database which required no authentication, stored on Google Cloud Services.
The Capgemini breach in which personal information of millions of job seekers was obtained by a hacker. The data was in an insecure database on the open Internet, which Capgemini said was on a development server used by their IT provider.
The usual suspect: Although there are thousands of possible security misconfigurations which could lead to a breach, 100% of the A5 breaches in our study were caused by a database opened to the Internet with no authentication. 3 of the 10 breaches involved the MongoDB database, older versions of which suffered from insecure defaults.
Disaster Rank 3: A1- Injection was the third largest cause of major incidents, responsible for four breaches:
The Philippines’ Commission on Elections breach, in which 77,736,795 records, representing the entire adult population of the Philippines (!) were stored in plaintext and easily obtained by a hacker via SQL injection.
The i-Dressup breach, in which 5.5 million accounts of teenage girls, including passwords stored in plaintext, were compromised by an SQL injection which exploited an unknown vulnerability on the website.
The Michigan State University breach, in which 400,000 names and email addresses were obtained by a 17-year-old hacker from the Netherlands who scanned the web for SQL injection vulnerabilities. Fortunately, passwords were encrypted in this case.
The Central Ohio Urology Group, in which sensitive medical treatment info for 521,659 patients was stolen via SQL injection, by a known serial hacker who said he would similarly attack other websites.
Interestingly, this vulnerability was considered the most critical security problem in OWASP Top 10 of 2013 and is also proposed as the top vulnerability in the Top 10 for 2017, but in our survey it appears only 3rd, causing 8% of the top breaches.
The usual suspect: While there are numerous types of injection attacks, all four of the major breaches in our study were caused specifically by SQL Injection.
Disaster Rank 4: A2-Weak Authentication and Session Management and A6-Sensitive Data Exposure were the next largest causes, responsible for three incidents each.
A2 was the cause for the 17 Media Breach (30 million accounts breached for a streaming app), the Aerticket breach (data for 1.5 million German airline passengers breached), and the Kroger/Equifax breach (tax and salary data for 431,000 people who filled tax forms online).
A6 was the cause for the Kerala beach (personal details breached for 34 million residents of the State of Kerala in India), the Indian Institute of Management breach (test scores of 2 million participants in the CAT psychometric exam were exposed on the Internet), and the BlueSnap/Regpack breach (324,000 payment records lost including CVV codes, allowing attackers to bypass credit card security).
The usual suspect: There was no clear pattern in these 6 breaches. They were caused by weak passwords, easy access to sensitive data via known data, credentials or URLs, and accidental exposure of decrypted data.
Disaster Ranks 5 and 6:
A7-Missing Function Level Access Control was responsible for two incidents—the ClixSense breach in which hackers obtained control over hosting servers and were able to gain access to sensitive back-end systems, and the Three breach in which physical phones were stolen by manipulating an operator’s website.
A4-Insecure Direct Object Reference was responsible for one incident—the huge Adult FriendFinder breach, which was caused by a Local File Inclusion (LFI) vulnerability.
Which OWASP Vulnerabilities are missing from the top 50 breaches?
A3-XSS and A8-CSRF—interestingly, neither of these vulnerabilities were at all present in any of the breach coverage we reviewed (neither as the root cause nor as side issues). This could be due to a bias in our data—we only surveyed breaches resulting in massive data loss to organizations. XSS and CSRF attacks are more likely to impact users and usually won’t result in data stolen from organizations. So these types of attacks could be treated as a separate category from “data breaches”, and might not be included at all in a listing like the one we surveyed.
A10-Unvalidated Redirects and Forwards—this vulnerability may be less visible to outside parties reporting on a breach. Or indeed it could be less important in the field; this vulnerability was dropped in the release candidate for the OWASP Top 10 list of 2017.
Which Data Breaches Were Caused By Non-OWASP Vulnerabilities?
Many of the breaches we surveyed—15 breaches which represent 32% of the sample—had a reported root cause, but we could not map that cause to any of the OWASP Top 10. We labeled the cause “other”. OWASP state very clearly in their methodology that the Top 10 list is, by definition, only a subset of important security issues and organizations should be aware of additional security risks.
Which other threats were a root cause of Top 50 Breaches and were outside the scope of the OWASP Top 10?
Malware and phishing: 4 breaches
RDP exploits: 3 breaches
Attacks via physical equipment (POS, ATMs): 3 breaches
Physical theft: 2 breaches
Malicious website scraping: 1 breach
Compromised passwords from other websites: 1 breach
Access via malicious insider’s credentials: 1 breach
Data leaked by third parties with access: 1 breach
It’s interesting to note, for example, that malware and phishing, often considered as an end-user security problem and not an issue for web applications, was responsible for four of the top 50 data breaches, while A1—Injection, OWASP’s #1 security vulnerability, was responsible for the same number of breaches.
OWASP Top 10 as Side Contributors to Major Data Breaches
Above we showed how many of the top breaches were caused by an OWASP Top 10 vulnerability. Let’s consider how many breaches had one of the OWASP Top 10 present, even if not as a root cause. Most data breaches involve more than one attack or security vulnerability.
A6-Sensitive Data Exposure, which was only the root cause for 3 breaches, was present in as many as 26 (52% of the sample). Every second data breach had sensitive data, mainly passwords, which was not sufficiently protected or encrypted, which dramatically increased the damage caused.
A9-Using Components with Known Vulnerabilities is interesting because, in 100% of the incidents that exhibited this problem, it was also the root cause of the breach. This teaches us that in high profile, high impact breaches, A9 is a wide open gate through which hackers will typically penetrate the system. A9 was the only OWASP vulnerability which was the root cause of the breach in 100% of cases.
Similarly, A5-Security Misconfiguration (a root cause in 9 of 10 breaches) and A7-Missing Function Level Access Control (a root cause in 3 of 4 breaches) seem more likely to be a root cause for a major data breach.
A2-Weak Authentication and Session Management and A1-Injection were a root cause in about half of the breaches in which these problems were reported. Quite surprising since both of these issues are thought to be a classic way hackers would penetrate an enterprise system. But as it turns out, large data breaches often start from a different direction—even while weak authentication or injection vulnerabilities are in place.
Takeaways for Application Security and the Validity of OWASP Top 10
It goes without saying that the small size and specific nature of this sample makes it difficult to generalize the results, even to the limited group of large data breaches, much less so to all web applications or enterprise systems. However, this anecdotal data exposes numerous cases in which OWASP Top 10 vulnerabilities played a major role in security disasters.
On the one hand, this confirms that these 10 vulnerabilities are meaningful in describing actual threats faced by organizations today. On the other hand, we saw real-life data breaches clearly do not obey OWASP 1-to-10 ranking of security problem severity.
A primary discovery of this research is that A9-Using Vulnerable Components is an extremely prevalent and dangerous problem that deserves more attention in the OWASP framework. If 12 of the world’s 50 most devastating breaches were caused by A9, more than any other OWASP vulnerability, it cannot continue to be ranked 9/10 by severity. A9 is also the vulnerability most likely to be the root cause of a major data breach.
At Snyk, our mission is protecting organizations from known vulnerabilities in their open source components. Based on our day to day experience, we had a feeling that this problem was much more severe than it would appear from the OWASP Top 10 and many other industry writings. We were surprised to see the data suggested so strongly that this might, in fact, be the #1 problem threatening online security today.
Similarly, A5-Security Misconfiguration cannot continue to be ranked 5/10 when it is the second biggest cause of mega-scale security disasters.
As you can see in the image below, the current release candidate for OWASP 2017 contains a few updates, but none of them relate to A9 and A5 vulnerabilities, which remain with the same rank and definition since 2013.
Some additional takeaways:
Additional threats which are not listed in the OWASP Top 10 were responsible for 15 of the top 50 data breaches (30%, much higher than any individual OWASP vulnerability). For example, 4 of the top 50 breaches were caused by malware or phishing (this is what opened the door for attackers and enabled the breach)—as many as OWASP’s top vulnerability, A1-Injection. 3 of 50 breaches were caused by exploits of the RDP protocol, as many as OWASP’s #2 vulnerability, A2-Broken Authentication. Both of these issues, malware and protocol exploits, and possibly others, should be considered for OWASP’s 2017 list.
Missing vulnerabilities—more data is needed about the real prevalence of OWASP A3, A4, A8 and A10 in cyber attacks. Our study showed only 2 occurrences of A4, 1 occurrence of A10 and none for A3 and A10 in the top 50 breaches. As we discussed, because our study focuses on widely publicized data breaches, it is a biased sample. A broader database of cyber attacks might shed more light on these “missing” vulnerabilities.
More research is needed to firmly conclude which threats are exploited by hackers in real world attacks. The bottom line of this exploratory study is that this data is essential for understanding the modern attack surface and prioritizing your defenses. We propose that OWASP considers changing its stance on “likelihood of threat agent”, and start treating it as an essential component for evaluating critical security issues.