What is OWASP top 10

Summary

The OWASP Top 10 is one of OWASP's most popular projects: a list of the top 10 threats that modern web applications must protect against. It is meant to raise awareness among developers and executives about the most critical security risks.


What is OWASP top 10

OWASP (Open Web Application Security Project) is a non-profit organization that researches and publishes information on web application security.

The OWASP Top 10 is one of its most popular projects: a list of the top 10 threats that modern web applications must protect against. It is meant to raise awareness among developers and executives about the most critical security risks. 

The goal of the Top 10 is not merely to list ten specific threats which need to be protected against. Instead, it is meant to encourage organizations to change their software development cultures, so that they produce more secure code. In the process, these ten risks will be mitigated, along with many other potential threats.

Although all developers should strive to achieve this, web application security has become extremely difficult today. Software complexity continues to rise, and attack surfaces continue to expand. Meanwhile, threat actors grow more sophisticated and tenacious. Therefore, modern web applications require a dedicated WAF to filter hostile traffic. (In fact, even a traditional web application firewall is no longer enough. For robust protection in today’s threat environment, a next-generation WAF is required.)

However, secure coding and other best practices should still be followed. The Top 10 list is a useful tool for this.

The Top 10 Web Application Security Risks

OWASP’s Top 10 list varies in its scope. Some entries are specific risks, while others are categories of threats.

Here are the Top 10 risks, in the order published by OWASP, with a brief explanation for each.

  1. Injection. Web applications that accept user input must properly validate that input before interpreting it. When this is not done properly, attackers can inject code or commands which are then executed. A successful injection can achieve a variety of harmful outcomes: everything from attackers accessing private data all the way to losing administrative control of the server.
  2. Broken Authentication. Authentication and session management are vital parts of many web applications. Security flaws in these processes can allow attackers to compromise user accounts and identities.
  3. Sensitive Data Exposure. Web applications must protect the data that they process, both in transit and at rest, to prevent it from being exposed to outside entities. This is especially important for healthcare data, financial data, and other forms of PII (Personally Identifiable Information). The Sensitive Data Exposure risk category includes a wide variety of attacks: credit card fraud, identity theft, account hijacking, and others.
  4. XML External Entities (XXE). XML is a popular format for storing and exchanging data. It includes the ability to refer to local or external URIs which the parser will dereference. An improperly-configured parser can be exploited by an attacker in a variety of ways. Maliciously-constructed XML can refer to private local data (such as a file containing user passwords), or attempt remote code execution, or wage a DoS (Denial of Service) attack by accessing local resources, and so on.
  5. Broken Access Control. This refers to inadequately-enforced restrictions on what authenticated users are allowed to do. A system with this flaw can allow attackers to gain unauthorized access to data, and even to interfere with the access that legitimate users have.
  6. Security Misconfiguration. This is a very broad category of risks. It includes everything from open cloud storage (data stored in the cloud with unrestricted access privileges), misconfigured HTTP headers, verbose error messages (containing sensitive information which can be used to increase the effectiveness of an attack), unpatched vulnerabilities (in services, libraries, frameworks, and applications), etc.
  7. Cross-Site Scripting (XSS). Many web applications accept user inputs and incorporate them into pages. (Common examples are comments, product reviews, user profiles for membership sites, etc.) In XSS, an attacker submits input that includes scripts; the goal is for the scripts to be included in pages served to other users. If a web application does not properly validate its inputs and encode its output, the attacker can do a variety of things, including hijacking user sessions, altering the pages served to other users, and redirecting other users to malicious sites.
  8. Insecure Deserialization. XML and JSON are commonly used to serialize data. If a web application accepts serialized data from an untrusted source, that data can contain malicious payloads. This can result in a variety of exploits, including privilege escalation and remote code execution.
  9. Using Components with Known Vulnerabilities. When an application uses a library or framework, and that component has a known exploit, a successful attacker can potentially access the same internal resources that the application can. Depending on the privileges that the application has, this can result in everything from data theft up to remote code execution and server hijacking.
  10. Insufficient Logging & Monitoring. Web applications must record events in sufficient detail so that admins can see if potentially hostile activity is occurring. Further, organizational policies should require admins to regularly monitor the logs to see what is happening. A failure to do this will greatly increase the damage caused by successful attacks, and will often allow attackers to pivot to other systems and expand the scope of their activities. Of all the top 10 risks, this one might seem the easiest to mitigate, but it remains a major problem in industry. (A 2017 survey by the Ponemon Institute found that on average, organizations took 191 days to identify a data breach.)
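To make items 1 (Injection) and 7 (Cross-Site Scripting) concrete, here is an added example that is not part of the original page or of any OWASP project: each risk is shown as a vulnerable handler next to its hardened form. The in-memory user table, the comment text and the function names are constructed for this demonstration.

```python
# Added example (not from the original page): Injection (#1) and XSS (#7)
# from the OWASP Top 10, each as a vulnerable handler beside the fixed one.
# The database rows and comment strings are constructed for the demo.
import html
import sqlite3


def make_db():
    """Constructed in-memory user table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Injection: the query is assembled by string concatenation, so a quote
    character in `name` changes the SQL that runs instead of being data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Mitigation: a parameterised query. The driver binds `name` as a value,
    so it is never interpreted as SQL whatever characters it contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def render_comment_vulnerable(comment):
    """XSS: user-supplied text is dropped straight into the HTML served to
    other users, so any markup in the comment becomes part of the page."""
    return '<li class="comment">' + comment + "</li>"


def render_comment_safe(comment):
    """Mitigation: contextual output encoding. html.escape turns <, >, & and
    quotes into entities, so the browser displays the text instead of
    interpreting it as markup."""
    return '<li class="comment">' + html.escape(comment) + "</li>"


if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "alice"))                 # ['alice']
    print(render_comment_safe("<b>hi</b>"))         # entities, not a bold tag
```

A name value that contains a single quote followed by an always-true OR condition returns every row from `lookup_vulnerable` and nothing from `lookup_safe`; the same input reaches the database in both cases, the difference is that only the concatenated version lets it change the query's structure. The XSS pair works the same way: validation of the comment is useful, but the fix that holds regardless of what was submitted is encoding at the point where the text is written into HTML.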

Along with its Top 10 list, OWASP [owasp.org] also publishes a number of other resources, including a Software Assurance Maturity Model, a Development Guide, a Testing Guide, a Code Review Guide, a penetration testing tool, a (deliberately) insecure web application project, and others.
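Returning to item 10 of the list above, Insufficient Logging & Monitoring, the following is an added example (not from the original page or from OWASP) of the kind of check that turns recorded events into a timely alert: it parses a few constructed authentication log lines and flags any client address that fails login repeatedly inside a short window. The log format, the addresses, the user names and the threshold are all assumptions made for the demonstration.

```python
# Added example (not from the original page): a small detector for
# OWASP Top 10 item 10, Insufficient Logging & Monitoring. It reads
# constructed auth log lines and flags sources with repeated failures.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format: "<ISO timestamp> auth <ok|fail> user=<name> src=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log; timestamps, users and addresses are made up.
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth ok user=alice src=203.0.113.10
2024-05-01T10:00:05 auth fail user=alice src=198.51.100.7
2024-05-01T10:00:06 auth fail user=bob src=198.51.100.7
2024-05-01T10:00:08 auth fail user=carol src=198.51.100.7
2024-05-01T10:00:09 auth fail user=dave src=198.51.100.7
2024-05-01T10:00:11 auth fail user=erin src=198.51.100.7
2024-05-01T10:07:00 auth fail user=bob src=203.0.113.10
2024-05-01T10:15:00 auth ok user=bob src=203.0.113.10
"""


def parse_log(text):
    """Turn log lines into (timestamp, result, user, src) tuples, skipping
    any line that does not match the expected format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(
                (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])
            )
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return {src: peak_count} for every source that accumulates at least
    `threshold` failed logins within any sliding `window`. Successful logins
    are ignored; failures older than the window are dropped as time advances."""
    recent = defaultdict(list)   # src -> timestamps of failures still in window
    flagged = {}
    for ts, result, _user, src in sorted(events):
        if result != "fail":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    for src, count in failed_login_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {count} failed logins from {src} within one minute")
```

The detail the page asks for is visible in the log format: without the source address and the outcome in each record, the five failures against five different accounts from one address could not be tied together at all, and without someone (or something) reading the log with a rule like this, they would sit there until the breach is noticed by other means.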
