This is an INTERNAL article that explains how our dashboards and reports identify a particular Synthetic Issue as belonging to one of the OWASP Top-10 categories.
The OWASP project defines it as:
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
It is a list of 10 categories of vulnerabilities that OWASP considers both common and critical. The implied recommendation is that any vulnerability with the flavor of one of these ten categories should be treated as important. The full information is available at OWASP Top Ten Web Application Security Risks | OWASP (https://owasp.org/www-project-top-ten).
The current version ("2017") lists the following:
- A1 - Injection
- A2 - Broken Authentication
- A3 - Sensitive Data Exposure
- A4 - XML External Entities (XXE)
- A5 - Broken Access Control
- A6 - Security Misconfiguration
- A7 - Cross-Site Scripting (XSS)
- A8 - Insecure Deserialization
- A9 - Using Components with Known Vulnerabilities
- A10 - Insufficient Logging & Monitoring
These labels are rather broad, so again refer to https://owasp.org/www-project-top-ten for the full definitions.
The identification is done by mapping the CWEs associated with a Synthetic Issue to the OWASP Top-10 definitions. For example, A1:2017 (Injection) has the following CWEs associated with it:
- CWE-77: Command Injection
- CWE-89: SQL Injection
- CWE-564: Hibernate Injection
- CWE-917: Expression Language Injection
So, in ZeroNorth code, a Synthetic Issue that carries any one of the above CWEs is marked as belonging to the A1 category.
Based on the 2017 standard, the CWE mappings by Top-10 category are:
- A1 : 77 89 564 917
- A2 : 287 384
- A3 : 202 310 311 312 319 326 327 359
- A4 : 611
- A5 : 22 284 285 639
- A6 : 2 16 388
- A7 : 79
- A8 : 502
- A9 : no CWEs
- A10 : 223 778
The above logic is found in our burlap code here:
- ZeroNorth will never identify an issue as A9, because A9 has no CWEs associated with it in the 2017 mapping. A component with a known vulnerability is reported under whatever CWE the underlying finding carries, not under A9.
- The logic for associating a Synthetic Issue with an OWASP Top-10 category lives in the UI, not in GAUSS. This means that examining the full details of a Synthetic Issue (even via API calls) will not provide this information; anyone consuming the API has to apply the CWE mapping above themselves.
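Because the category is computed in the UI and is not returned by the API, a consumer of Synthetic Issue data that wants the same labels has to re-apply the CWE table above. The following is an added example written for this article, not the burlap or GAUSS code; the issue dictionaries, their ids and the "cwes" field name are a constructed input shape, and returning every matching category for an issue with several CWEs (rather than just one) is an assumption of the example, since the article only says an issue "is marked as belonging to" a category.

```python
"""Reproduce the OWASP Top-10 (2017) category lookup from a Synthetic Issue's CWEs."""
import re
from typing import Iterable, List, Union

# CWE ids per OWASP 2017 category, copied from the mapping table in this article.
OWASP_2017_CWE_MAP = {
    "A1": {77, 89, 564, 917},
    "A2": {287, 384},
    "A3": {202, 310, 311, 312, 319, 326, 327, 359},
    "A4": {611},
    "A5": {22, 284, 285, 639},
    "A6": {2, 16, 388},
    "A7": {79},
    "A8": {502},
    "A9": set(),  # no CWEs, so nothing can ever match A9
    "A10": {223, 778},
}

OWASP_2017_NAMES = {
    "A1": "Injection",
    "A2": "Broken Authentication",
    "A3": "Sensitive Data Exposure",
    "A4": "XML External Entities (XXE)",
    "A5": "Broken Access Control",
    "A6": "Security Misconfiguration",
    "A7": "Cross-Site Scripting (XSS)",
    "A8": "Insecure Deserialization",
    "A9": "Using Components with Known Vulnerabilities",
    "A10": "Insufficient Logging & Monitoring",
}

_CWE_RE = re.compile(r"^(?:CWE-)?(\d+)$", re.IGNORECASE)


def parse_cwe(ref: Union[int, str]) -> int:
    """Normalise 'CWE-89', 'cwe-89', '89' or 89 to the integer 89; raise on anything else."""
    if isinstance(ref, int):
        return ref
    m = _CWE_RE.match(ref.strip())
    if not m:
        raise ValueError(f"not a CWE reference: {ref!r}")
    return int(m.group(1))


def owasp_categories(cwes: Iterable[Union[int, str]]) -> List[str]:
    """Return every OWASP 2017 category whose CWE set intersects the issue's CWEs.

    Returns [] when the issue has no CWEs, or only CWEs outside the table.
    Result is ordered A1..A10. Returning all matches is this example's
    assumption; the article does not say how a multi-CWE issue is displayed.
    """
    ids = {parse_cwe(c) for c in cwes}
    hits = [cat for cat, cat_cwes in OWASP_2017_CWE_MAP.items() if ids & cat_cwes]
    return sorted(hits, key=lambda c: int(c[1:]))


def classify_issues(issues) -> dict:
    """Map each issue id to its category list.

    Issues are dicts with an "id" and a "cwes" list; this shape is assumed for
    the example and is not the API's actual response format.
    """
    return {issue["id"]: owasp_categories(issue.get("cwes", [])) for issue in issues}


# Constructed sample input; ids and CWE choices are made up for this example.
SAMPLE_ISSUES = [
    {"id": "si-1", "cwes": ["CWE-89"]},            # SQL injection -> A1
    {"id": "si-2", "cwes": ["CWE-22", "CWE-79"]},  # path traversal + XSS -> A5 and A7
    {"id": "si-3", "cwes": ["CWE-1104"]},          # unmaintained component: not in table, never A9
    {"id": "si-4", "cwes": []},                    # no CWE at all -> no category
]

if __name__ == "__main__":
    for issue_id, cats in classify_issues(SAMPLE_ISSUES).items():
        labels = ", ".join(f"{c} {OWASP_2017_NAMES[c]}" for c in cats) or "(no OWASP category)"
        print(f"{issue_id}: {labels}")
```

Note that si-3 gets no category even though "unmaintained third-party component" is exactly what A9 describes: that is the consequence of A9 having an empty CWE set, and any tooling built on this table inherits the same blind spot.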