Build OWASP Top-10 2021 based on fair statistics
2021-01-20 21:17:22 Author: lab.wallarm.com

Unofficial OWASP Top-10 2021 Proposal based on statistical data

Everybody knows the OWASP Top-10, as well as the fact that it gets updated only every 3-4 years. With the last update published in 2017, it’s no surprise that a new version is coming this year. During my application security career, I have seen OWASP Top-10 editions at least in 2003, 2004, 2007, 2010, 2013, and 2017.

Since the OWASP Top-10 creation process is not well documented, it seems reasonable to build an open and transparent rating for the same categories from a large number of security reports.

The purpose of this work is to make OWASP Top-10 2021 predictions calculated with understandable metrics, present them to the entire community for feedback, and let everyone reproduce the results. The following work is based on an analysis of 2 million security reports from 144 public sources, including CVE bulletins, bug bounty reports, and vendor security bulletins.

OWASP Top-10 2017 Categories overlap

The first thing I should mention about the OWASP Top-10 is that it is not a vulnerability classification, and not even a classification at all, since its categories overlap. I am referring to the Security Boulevard article and our blog post that describe the overlaps shown in the following diagram:

OWASP Top-10 2017 Risks Overlap

To sum up: the OWASP Top-10 IS NOT a vulnerability classification, but rather a list of the risks that have been revealed during the last period of time. That is why, to predict the OWASP Top-10 2021 list, we have to analyze the threats to the targeted web assets over the last four years.

So, here we go.

Methodology

To find the statistical data, we used Vulners.com, an aggregated database that includes more than 4 million bulletins from 144 vendors, including bug bounty programs like HackerOne.

The total number of bulletins used to build this list is 2 168 521 (search query: “published:[2018-01-01 TO 2020-12-31]”).

To split the data by category, we built Vulners search queries for each of the ten OWASP categories. Full-text search is certainly not the most accurate way to classify data, but for this particular task I think it can be relied on: for almost all the OWASP categories, the relevant security bulletins can be found by searching for the category’s acronyms and abbreviations.

For the category “Known Vulnerabilities” (A9, Using Components with Known Vulnerabilities), no keyword query was used: the number of web-related security reports was taken to be the total number of CVE IDs assigned in the last three years.

It’s not a joke: according to the Vulners statistics, XSS accounts for 20% of ALL security bulletins in the last three years. That is almost 10x more than all the CVEs issued in the same period. Since many XSS reports have no CVSS score (counted as zero), the category’s average score is only 0.1. That, however, does not stop XSS from reaching the Top-3 in the chart, again because there are so many of them: every fifth bulletin found in the last three years is an XSS report.

You can reuse the following queries to validate, modify, or make your own analysis:

As you can see, my strong opinion is that the OWASP community will add SSRF as a new category and merge “A4. XXE – XML External Entity” and “A8. Insecure Deserialization” in the upcoming OWASP Top-10 2021. Here is why.

Proposal 1: add SSRF as a new category

As an SSRF inventor and the author of the “SSRF bible cheatsheet”, I definitely have warm feelings about it.

In addition, let me mention the three most powerful facts related to SSRF:

  1. SSRF became the #3 most critical vulnerability class in the H1 2020 stats.
  2. Amazon took it seriously and, at the end of 2019, hardened the EC2 instance metadata service against it (IMDSv2).
  3. SSRF has caused a lot of high-risk security problems, including the most famous one, the Capital One hack with a WAF bypass, explained in detail by Krebs on Security.

According to the global stats collected by Vulners, SSRF was mentioned in 912 bulletins during the last three years, almost as often as OWASP Top-10 2017 A4 / XXE (1000 results) and almost twice as often as A6 / Security Misconfiguration (481 results).

To sum up, SSRF is a critical issue that causes cloud takeovers, remote code execution, data breaches, and other information security risks. It is impossible to fix SSRF with input filtering and other data validation mechanisms. Amazon and other cloud providers take it seriously and apply changes to their infrastructures to mitigate these threats. SSRF was mentioned in almost as many security bulletins as XXE in the last three years. That is why I am sure nobody will blame me for adding it to the OWASP Top-10 2021.
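To make the second fact above concrete, here is an added example (written for this article, not AWS code) that emulates the observable behaviour of the EC2 instance metadata service before and after the end-of-2019 change (IMDSv2) on a local port, and probes it the way an SSRF primitive would. The header names and the PUT-then-GET token flow are the ones AWS documents for IMDSv2; the role name `demo-role`, the credential body and the emulated server itself are constructed placeholders.

```python
"""Constructed simulation of why the end-of-2019 EC2 change (IMDSv2) blunts SSRF.
Illustrative code written for this article, not AWS's implementation: it emulates the
metadata service's observable behaviour on a local port and probes it three ways."""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
# Hypothetical role name; the real path shape is /latest/meta-data/iam/security-credentials/<role>
CREDS_PATH = "/latest/meta-data/iam/security-credentials/demo-role"
FAKE_CREDS = '{"AccessKeyId": "EXAMPLE-NOT-A-REAL-KEY"}'  # constructed placeholder


class FakeImds(BaseHTTPRequestHandler):
    """Emulated metadata endpoint; server.require_v2 selects v1 (token optional) or v2-only."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def do_PUT(self):
        # IMDSv2 token issuance: the TTL header is mandatory, and a PUT carrying
        # X-Forwarded-For came through a proxy rather than from the instance, so it is refused.
        if (self.path != TOKEN_PATH
                or "X-Forwarded-For" in self.headers
                or "X-aws-ec2-metadata-token-ttl-seconds" not in self.headers):
            return self._send(400, "bad token request")
        token = secrets.token_urlsafe(32)
        self.server.tokens.add(token)
        self._send(200, token)

    def do_GET(self):
        if self.path != CREDS_PATH:
            return self._send(404, "not found")
        token = self.headers.get("X-aws-ec2-metadata-token")
        if self.server.require_v2 and token not in self.server.tokens:
            # v2-only mode: a bare GET, which is all a typical SSRF can issue, gets nothing
            return self._send(401, "unauthorized")
        self._send(200, FAKE_CREDS)

    def _send(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_server(require_v2):
    srv = HTTPServer(("127.0.0.1", 0), FakeImds)
    srv.require_v2, srv.tokens = require_v2, set()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


# Proxy-free opener so the demo never leaves the local host
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def request(base, path, method="GET", headers=None):
    """Return (status, body) for one request; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(base + path, data=b"" if method == "PUT" else None,
                                 method=method, headers=headers or {})
    try:
        with _OPENER.open(req, timeout=3) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def demo():
    """Run the same three probes against v1 and v2-only behaviour; returns status codes."""
    results = {}
    for name, v2 in (("imdsv1", False), ("imdsv2", True)):
        srv = start_server(v2)
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        # 1. What an SSRF primitive usually gives the attacker: a GET to a URL they chose.
        ssrf_get = request(base, CREDS_PATH)[0]
        # 2. A token request relayed through an open proxy that adds X-Forwarded-For.
        proxied_put = request(base, TOKEN_PATH, "PUT",
                              {"X-aws-ec2-metadata-token-ttl-seconds": "21600",
                               "X-Forwarded-For": "203.0.113.5"})[0]
        # 3. The legitimate v2 flow run by code on the instance: PUT for a token, then GET with it.
        _, token = request(base, TOKEN_PATH, "PUT",
                           {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
        legit_v2 = request(base, CREDS_PATH, headers={"X-aws-ec2-metadata-token": token})[0]
        srv.shutdown()
        srv.server_close()
        results[name] = {"ssrf_get": ssrf_get, "proxied_put": proxied_put, "legit_v2": legit_v2}
    return results


if __name__ == "__main__":
    for mode, codes in demo().items():
        print(mode, codes)
```

Under v1 behaviour the attacker-controlled GET returns the credentials; under v2-only it returns 401, because a session token can only be obtained with a PUT carrying the TTL header, and a PUT that arrives with X-Forwarded-For (through an open proxy) is refused. This is why the change mitigates SSRF where input filtering on the application side does not: most SSRF bugs let the attacker choose a URL, not the HTTP method or the request headers.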

Proposal 2: merge XXE and Insecure Deserialization

XML is a serialization format, according to Wikipedia. The XXE vulnerability, a.k.a. XML eXternal Entities, is technically a feature of XML parsing (the deserialization side) that allows the content of local and remote files to be included in the XML document. Sometimes it causes SSRF, by the way. That is why it is absolutely true that XXE is a part of the Insecure Deserialization category anyway. I have mentioned that in a bunch of articles related to the OWASP Top-10 2017 weaknesses.

Also, there is no way to justify XXE as a separate category while gathering pretty much everything from SQL injection to path traversal and OS command injection into the vague group “A1. Injection”, which will surely lead the OWASP list for years.

Because of these two facts, plus the statistical data on the number of security reports in each of the categories, I decided to merge XXE and Insecure Deserialization into a single class.

Proposal 3: introduce Risk Score to adequately rank threats

To sort my candidates for the OWASP Top-10, I applied an average CVSS score to each category. Because a lot of bulletins have a 0 CVSS score (no score assigned), the resulting value should not be read as a real severity; it is just the average CVSS score for the category, which shows the right proportions between categories.

Overall Risk = Avg. CVSS x Amount of Bulletins
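As an added example (not the author’s scripts and not Vulners data), the following Python re-implements the ranking above end-to-end on a constructed set of bulletins: per-category full-text queries in the spirit of the acronym search, “Known Vulnerabilities” counted as every bulletin with a CVE ID, unscored reports counted as CVSS 0, and Overall Risk = Avg. CVSS x Amount of Bulletins. The queries, IDs and scores are assumptions made up for illustration.

```python
"""Constructed re-implementation of the ranking used in this article: keyword queries per
OWASP category, average CVSS with unscored bulletins counted as 0, and
Overall Risk = Avg CVSS x Amount of Bulletins. The queries and sample bulletins below
are made up for illustration; they are not the author's Vulners queries or Vulners data."""
import re
from collections import defaultdict

# Assumed acronym/keyword queries in the spirit of the full-text search described above.
QUERIES = {
    "A1 Injection": r"\b(sql injection|sqli|os command|path traversal)\b",
    "A2 Broken Authentication": r"\b(authentication bypass|session fixation|weak password)\b",
    "A3 Sensitive Data Exposure": r"\b(information disclosure|cleartext|sensitive data)\b",
    "A4/A8 XXE + Insecure Deserialization": r"(\bxxe\b|external entit|deserializ)",
    "A5 Broken Access Control": r"\b(idor|privilege escalation|access control|csrf)\b",
    "A6 Security Misconfiguration": r"(misconfigur|default credentials|directory listing)",
    "A7 XSS": r"(\bxss\b|cross[- ]site scripting)",
    "A10 Insufficient Logging": r"\b(logging|audit)\b",
    "SSRF": r"(\bssrf\b|server[- ]side request forgery)",
}
KNOWN = "A9 Known Vulnerabilities"  # not searched: counted as every bulletin with a CVE ID

# Constructed sample bulletins (IDs are placeholders, not real CVE or HackerOne identifiers).
# cvss 0.0 stands for "no score assigned", as with many bug bounty reports.
BULLETINS = [
    {"id": "CVE-0000-0001", "title": "Reflected XSS in admin panel",
     "description": "cross-site scripting via the q parameter", "cvss": 6.1},
    {"id": "H1-SAMPLE-2", "title": "Stored XSS on profile page",
     "description": "bug bounty report, no score assigned", "cvss": 0.0},
    {"id": "H1-SAMPLE-3", "title": "XSS in search", "description": "unscored", "cvss": 0.0},
    {"id": "CVE-0000-0004", "title": "SQL injection in login",
     "description": "sqli allows authentication bypass", "cvss": 9.8},
    {"id": "CVE-0000-0005", "title": "XXE in document import",
     "description": "external entity expansion leads to SSRF against internal hosts", "cvss": 8.2},
    {"id": "CVE-0000-0006", "title": "SSRF in webhook URL",
     "description": "server-side request forgery to cloud metadata", "cvss": 7.5},
    {"id": "H1-SAMPLE-7", "title": "Java deserialization RCE",
     "description": "insecure deserialization of session blob", "cvss": 0.0},
    {"id": "CVE-0000-0008", "title": "Directory listing enabled",
     "description": "security misconfiguration exposes backups", "cvss": 5.3},
    {"id": "H1-SAMPLE-9", "title": "Missing audit logging for admin actions",
     "description": "unscored", "cvss": 0.0},
]


def classify(bulletin):
    """All categories whose query matches; overlap is allowed, as in the OWASP list itself."""
    text = f"{bulletin['title']} {bulletin['description']}".lower()
    return [cat for cat, query in QUERIES.items() if re.search(query, text)]


def rank(bulletins):
    """Count, average CVSS and Overall Risk per category, sorted by risk (highest first)."""
    stats = defaultdict(lambda: {"count": 0, "cvss_sum": 0.0})
    for b in bulletins:
        cats = classify(b)
        if b["id"].startswith("CVE-"):
            cats.append(KNOWN)  # A9 is a count of CVE IDs, not a keyword search
        for cat in cats:
            stats[cat]["count"] += 1
            stats[cat]["cvss_sum"] += b["cvss"]  # unscored reports drag the average down
    rows = []
    for cat, s in stats.items():
        avg = s["cvss_sum"] / s["count"]
        rows.append({"category": cat, "count": s["count"],
                     "avg_cvss": round(avg, 2), "risk": round(avg * s["count"], 2)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


if __name__ == "__main__":
    for r in rank(BULLETINS):
        print(f"{r['category']:<40} n={r['count']:<3} avg={r['avg_cvss']:<5} risk={r['risk']}")
```

Three properties of the method show up even on this toy set. Because a bulletin may match several queries (the XXE report that also mentions SSRF, the SQL injection that is also an authentication bypass), the categories overlap exactly as the diagram above shows, and the per-category counts do not add up to the number of bulletins. Because Avg. CVSS x Amount of Bulletins is algebraically the sum of the CVSS scores in the category, a bulletin with no score lowers the category’s average but contributes nothing to its Overall Risk, so a category with many unscored reports ranks on its scored minority. And because every CVE counts toward Known Vulnerabilities, that category dominates as soon as the input is mostly CVEs, which is the effect of counting only CVEs described below.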

Building the OWASP Top-10 2021 rating

As mentioned above, I used aggregated data from 144 data sources of security bulletins indexed by Vulners.com. This approach counts not only CVE data but all reports, including bug bounties, exploits, and scanner detections, which reflect the real state of information security. If we counted only CVEs, the results would be dramatically different, since the category “Known Vulnerabilities” would then be technically equal in count to the sum of all the other categories.

After all, here is the fairest way of building the OWASP Top-10 2021. Look at that!

Results and OWASP Top-10 2017 comparison

All in all, I am pretty confident in sharing the following proposal for the OWASP Top-10 2021, since it is based on publicly available statistical data.

I hope this data will be useful for risk assessments, vulnerability management, and education, and just interesting reading for application security experts and enthusiasts.

Thanks for reading!


Source: https://lab.wallarm.com/build-owasp-top-10-2021-based-on-fair-statistics/