The OWASP TOP 10 Vulnerabilities
What is OWASP?
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.
The Open Web Application Security Project (OWASP) is a non-profit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
- Tools and Resources
- Community and Networking
- Education & Training
Source: https://owasp.org
What is the OWASP Top 10?
The OWASP Top 10 is an awareness document for web application security. It represents a broad consensus about the most critical security risks in web applications. This list of vulnerabilities were developed by a security experts from around the world. The previous list was released in 2013, and an updated list was just released at the end of 2017.
A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses. The OWASP Top 10 provides basic techniques to protect against these high-risk problem areas and provides guidance on where to go from here.
OWASP urges all companies to adopt this awareness document and to start the process of ensuring that their web applications minimizes these risks. Adopting and understanding the OWASP Top 10 is an important step towards changing the software development culture within an organization into one that produces secure code and secure applications by design.
Top 10 Web Application Security Risks
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access Control
Security Misconfiguration
Cross-Site Scripting XSS.
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Insecure Deserialization
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Using Components with Known Vulnerabilities.
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Insufficient Logging & Monitoring.
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
A good read.
Thank you reader, we highly appreciate your feedback.
A good one
Thank you reader, we highly appreciate your feedback.