The Open Web Application Security Project (OWASP) is an open community
dedicated to enabling organizations to develop, purchase, and maintain
applications that can be trusted.
The goal of the Top 10 project is to raise awareness about
application security by identifying some of the most critical risks facing
organizations. The Top 10 project is referenced by many standards, books,
tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more.
OWASP releases a list of top ten threats concerning web
application security every three years. The list describes each vulnerability,
provides examples, and offers suggestions on how to avoid it.
The current list (2013 version) highlights the following
vulnerabilities:
1 Injection
Injection flaws include, but are not limited to, LDAP, SQL, XPath and
operating system command injection. Injection flaws occur when untrusted data
is sent to an interpreter as part of a command or query. The attacker's
malicious data can trick the interpreter into executing unintended commands,
resulting in access to unauthorized data.
2 Broken Authentication and Session Management
If the authentication functions of the application are not properly
implemented, attackers could compromise passwords or session IDs, or exploit
other implementation flaws to act under other users' credentials.
3 Cross Site Scripting (XSS)
Cross-site Scripting (XSS) is an attack technique that
involves echoing attacker-supplied code into a user's browser instance. When an
attacker gets a user's browser to execute his/her code, the code will run
within the security context (or zone) of the hosting web site. There are three
types of Cross-site Scripting attacks: non-persistent, persistent and
DOM-based.
4 Insecure Direct Object References
An insecure direct object reference occurs when a developer exposes a
reference to an internal implementation object, such as a file, directory, or
database key, without any validation mechanism; this allows attackers to
manipulate those references to access unauthorized data.
5 Security Misconfiguration
Security misconfiguration arises when the security configuration settings are
left at, or implemented as, the defaults that ship with the product. Good
security requires a secure configuration defined and deployed for the
application, web server, database server, and platform. It is equally
important to keep the software up to date.
6 Sensitive Data Exposure
Many web applications gather but do not properly protect sensitive user data
such as credit card information, bank account information or authentication
credentials. If the data is not properly safeguarded both at rest and in
transit, attackers may steal that weakly protected data to conduct credit card
fraud, identity theft, or other crimes.
7 Missing Function Level Access Control
Web applications typically only show on screen the functionality that a user
has the rights to use. Various access levels exist in a web application,
ranging from an unregistered user up to the website administrator. When
proper access control is present, each user gets access to functionality
according to their role. However, if the same access control checks are NOT
performed on the server, attackers will be able to use the application's
functions without proper authorization.
8 Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) attacks occur when a
malicious web site causes a user’s web browser to perform an unwanted action on
a trusted site. These vulnerabilities allow an attacker to transfer money out
of user bank accounts, harvest user email addresses, violate user privacy and
compromise user accounts. A compromised user may never know that such an attack
has occurred. If the user does find out about an attack, it may only be after
the damage has been done and a remedy may be impossible.
9 Using Components with Known Vulnerabilities
Known vulnerabilities related to libraries, frameworks and software
are available to everyone on the Internet. If an attacker knows which
components you use, he can retrieve these vulnerabilities and find a way to
exploit them.
10 Unvalidated Redirects and Forwards
Many web applications frequently redirect users to other web pages or
external websites without validating the destination. Attackers can redirect
victims to phishing or malware sites, or use forwards to access unauthorized
pages.
This security risk can be used in combination with social
engineering for malicious purposes such as tricking the user into downloading
malware, redirecting to a phishing site, or using forwards to gain access to
unauthorized pages.