Introduction to OWASP Top 10

Sep 6, 2013

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software.

The primary aim of the OWASP Top Ten is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses.

The OWASP Top Ten is organized around particular types or categories of vulnerabilities that frequently occur in web applications. It is a list of vulnerabilities that require immediate remediation. Existing code should be checked for these vulnerabilities, as these flaws are actively targeted by attackers. The document is not a standard or a policy; it provides a brief description of each vulnerability and methods of prevention.

OWASP Top Ten Application Security risks in 2013:

  1. Injection: Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. All web application frameworks that use interpreters or invoke other processes are vulnerable to injection attacks.
  2. Broken Authentication and Session Management: Flaws in this area mostly involve the failure to protect credentials and session tokens throughout their lifecycle.
  3. Cross Site Scripting: Cross Site Scripting (XSS) vulnerabilities occur when an attacker uses a web application to send malicious code, generally in the form of a script, to a different end user. It is a subset of HTML injection. XSS is the most prevalent and pernicious web application security issue.
  4. Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record or key, as a URL or form parameter.
  5. Security Misconfiguration: Security settings should be defined, implemented and maintained, as defaults are often insecure.
  6. Sensitive Data Exposure: Many web applications do not properly protect sensitive data. Attackers
  7. Missing Function Level Access Control (includes failure to restrict URL access): Most web applications verify function level access rights. However, applications need to perform the same access control checks on the server; otherwise an attacker will be able to forge requests.
  8. Cross-Site Request Forgery: A CSRF attack forces a logged-on victim's browser to send a request to a vulnerable web application, which then performs the chosen action on behalf of the victim. It is a simple yet devastating attack.
  9. Using Components with Known Vulnerabilities: Applications might use components with well-known vulnerabilities. Using such components might undermine application defences and make the application prone to a range of vulnerabilities.
  10. Unvalidated Redirects and Forwards: Web applications often redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect users to phishing or malware sites.
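Item 1 (Injection) in practice, as an added example that is not part of the original post: a lookup built by string concatenation beside the same lookup written as a parameterised query. The table, the two sample rows and the `users` schema are constructed for the demonstration; the point is that the interpreter in the first version cannot tell where the statement ends and the user's data begins, while in the second the data travels separately and is only ever compared as a literal string.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def _db():
    """Fresh in-memory database with the sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(name):
    """Statement assembled by concatenation: the caller's input becomes
    part of the SQL text, so it can change the shape of the query."""
    conn = _db()
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(name):
    """Parameterised statement: the driver sends the value separately from
    the SQL text, so whatever it contains is compared as a plain string."""
    conn = _db()
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def vulnerable_query_errors(name):
    """True if the concatenated query fails to parse for this input.
    A legitimate name with an apostrophe already breaks it, which is the
    same defect that an attacker exploits with crafted input."""
    try:
        find_user_vulnerable(name)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    print("safe, normal input:      ", find_user_safe("alice"))
    print("vulnerable, normal input:", find_user_vulnerable("alice"))
    # The tautology below is the textbook illustration of the category.
    print("vulnerable, tautology:   ", find_user_vulnerable("x' OR '1'='1"))
    print("safe, tautology:         ", find_user_safe("x' OR '1'='1"))
    print("vulnerable breaks on o'brien:", vulnerable_query_errors("o'brien"))
```

The same rule applies to every interpreter the application talks to (LDAP, OS commands, XPath, NoSQL query languages): keep the command and the data on separate channels, and treat a query that breaks on an apostrophe as the bug report it is.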
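Items 4 (Insecure Direct Object Reference) and 7 (Missing Function Level Access Control) share one fix: the server resolves the reference and checks the caller's rights at that point, regardless of what the UI shows. The following is an added example, not code from the original post; the `User` type, the `INVOICES` records and the route names mentioned in comments are all constructed for illustration.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when the caller may not see or use the requested resource."""


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "user" or "admin" (constructed roles for the example)


# Constructed sample records, keyed by the id that would appear in a URL
# such as /invoice/1001.
INVOICES = {
    1001: {"owner": "alice", "amount": 120},
    1002: {"owner": "bob", "amount": 75},
}


def get_invoice_unchecked(current_user, invoice_id):
    """Insecure direct object reference: the id from the request is used
    as-is, so any logged-in user who edits it reads another customer's
    invoice. Kept here only to contrast with get_invoice()."""
    return INVOICES[invoice_id]


def get_invoice(current_user, invoice_id):
    """Ownership check performed on the server where the id is resolved."""
    record = INVOICES.get(invoice_id)
    # "Does not exist" and "not yours" produce the same outcome, so the
    # response cannot be used to map out which ids are valid.
    if record is None or record["owner"] != current_user.name:
        raise AccessDenied(f"invoice {invoice_id}")
    return record


def admin_report(current_user):
    """Function-level check: the role is verified in the handler itself,
    not only by hiding the link to the admin page from ordinary users."""
    if current_user.role != "admin":
        raise AccessDenied("admin_report")
    return {
        "invoices": len(INVOICES),
        "total": sum(r["amount"] for r in INVOICES.values()),
    }


def can_read_invoice(current_user, invoice_id):
    """Boolean view of get_invoice(), convenient for tests and logging."""
    try:
        get_invoice(current_user, invoice_id)
        return True
    except AccessDenied:
        return False


def can_run_admin_report(current_user):
    """Boolean view of admin_report()."""
    try:
        admin_report(current_user)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    alice, bob = User("alice", "user"), User("bob", "user")
    print("bob reads alice's invoice (unchecked):", get_invoice_unchecked(bob, 1001))
    print("bob reads alice's invoice (checked):  ", can_read_invoice(bob, 1001))
    print("alice runs admin report:              ", can_run_admin_report(alice))
```

Denied requests are worth logging with the caller and the requested id: a single user walking through consecutive ids is one of the simplest signals of this class of flaw being probed.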
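Item 10 (Unvalidated Redirects and Forwards) usually appears as a `next` or `returnUrl` parameter that is copied straight into a Location header. The added example below, which is not from the original post, validates such a parameter by resolving it against the site's own origin and only ever emitting a relative path; `SITE_ORIGIN`, `DEFAULT_LANDING` and the sample inputs are assumptions made for the demonstration. It goes a little beyond the paragraph by covering the inputs that defeat naive prefix checks (protocol-relative `//host`, look-alike subdomains, userinfo before an `@`, backslashes that browsers normalise to slashes).

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumed origin of the application and fallback page (constructed values).
SITE_ORIGIN = "https://shop.example"
DEFAULT_LANDING = "/account"


def safe_redirect_target(next_param):
    """Return a same-site, relative URL to redirect to, or DEFAULT_LANDING.

    The parameter is resolved against SITE_ORIGIN exactly as a browser
    would resolve a link, and the result is accepted only if its scheme
    and full netloc still match the site. The value handed back contains
    only path, query and fragment, so the response can never name a host.
    """
    if not next_param:
        return DEFAULT_LANDING
    # Backslashes and control characters are normalised by browsers in ways
    # urllib does not model ("/\evil" may become "//evil"), so reject them.
    if any(ch in next_param for ch in "\\\r\n\t\x00") or next_param != next_param.strip():
        return DEFAULT_LANDING
    site = urlsplit(SITE_ORIGIN)
    resolved = urlsplit(urljoin(SITE_ORIGIN, next_param))
    # Compare the whole netloc rather than a prefix: this rejects
    # "shop.example.evil.example" and "shop.example@evil.example" alike,
    # and an explicit port must match the origin exactly as written.
    if resolved.scheme != site.scheme or resolved.netloc != site.netloc:
        return DEFAULT_LANDING
    path = resolved.path or "/"
    return urlunsplit(("", "", path, resolved.query, resolved.fragment))


if __name__ == "__main__":
    # Constructed sample inputs, first the ones that should pass.
    for candidate in [
        "/orders/7?page=2",
        "https://shop.example/orders/7",
        "//evil.example/x",
        "https://shop.example.evil.example/",
        "https://shop.example@evil.example/",
        "javascript:alert(1)",
        "/\\evil.example",
        "",
    ]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

Where the application genuinely needs to send users off-site, the alternative is an allow-list of named destinations mapped to URLs on the server, so the request carries a key rather than a URL.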

One comment

  1. Helpful information. Lucky me, I found your website unintentionally, and
    I am stunned why this coincidence did not happen earlier!

    I bookmarked it.
