Our take on the latest release of the OWASP 2017 checklist is that there are only minor changes made to the list. A couple of vulnerabilities have been merged into a single vulnerability. OWASP has added two more to the list with no major changes in their Top 10. Technically, they haven’t changed much. They split a single vulnerability into two categories back in 2007 and now they have combined them again. Those vulnerabilities lost the importance of being two separate entities.
OWASP has also dropped their long time vulnerability due to its lack of importance in present day application security. They probably thought that it could be replaced by a more contemporary one.
OWASP has merged 2013-A4: Insecure Direct Object References and 2013-A7: Missing Function Level Access Control back into 2017- A4: Broken Access Control.
In 2007, OWASP split Broken Access Control into these two categories to bring more attention to each half of the access control problem (data and functionality). They no longer feel that it was necessary and have decided merged them back together.
2013-A4: Insecure Direct Object References:
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
2013-A7: Missing Function Level Access Control:
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
Dropped: 2013-A10: Unvalidated Redirects and Forwards:
In 2010, OWASP added this category to raise awareness about this problem. However, data shows that this issue isn’t as prevalent as was expected. After being in the last two releases of Top 10, this time it didn’t make the cut.
2017-A7: Insufficient Attack Protection:
Detecting, responding to, and blocking attacks make applications dramatically harder to exploit yet almost no applications or APIs have such protection. Critical vulnerabilities in both custom code and components are also discovered all the time, yet organizations frequently take weeks or even months to roll out new defenses.
2017-A10: Underprotected APIs:
Testing your APIs for vulnerabilities should be similar to testing the rest of your application for vulnerabilities. Different types of injection, authentication, access control, encryption, configuration, and other issues can exist in APIs just as in a traditional application.