The OWASP Top 10 List
What is OWASP?
The Open Worldwide Application Security Project is dedicated to creating a safer web application environment. It offers articles, tools, technologies, and forums to empower every developer to develop secure code. Amongst other projects, one of the most notable projects of OWASP is the OWASP Top 10.
What is OWASP Top 10?
OWASP Top 10 is a publicly shared list of the ten most critical web application vulnerabilities according to the Open Web Application Security Project. Web application security experts develop and maintain the list. The OWASP Top 10 aims to educate companies on vulnerabilities they need to mitigate to secure their web application.
This list is also under development for mobile applications.
Next to the Top 10 list, OWASP also publishes and maintains the following resources:
- OWASP Testing Guide: best practices for application testing.
- OWASP Juice Shop: an intentionally insecure web application for security training.
The OWASP Top 10
1. Broken Access Control
Access control enforces restrictions on authenticated users to perform actions outside their permission level. Broken access control occurs when such limits are not correctly implemented. This can lead to unauthorized access to sensitive information, as well as its modification or destruction.
2. Cryptographic Failures
Cryptographic failures refer to problems with cryptography or the absence of cryptography altogether. Previously this item was known as Sensitive Data Exposure, but this name was not entirely accurate as it described a symptom and effect rather than a cause. Nevertheless, cryptographic failure might lead to exposure of data.
This type of failure applies to the protection and secrecy of data in transit and at rest. Such data typically include authentication details, such as usernames and passwords, but also personally identifiable information (PII) such as personal and financial information, health records, business secrets, and more. Failures arise for various reasons, and a man-in-the-middle attack often exploits vulnerabilities.
An injection attack refers to untrusted data by an application that forces it to execute commands. Such data or malicious code is inserted by an attacker and can compromise data or the whole application. The most common injection attacks are SQL injections and cross-site scripting (XSS) attacks, such as code injections, command injections, CCS injections.
4. Insecure Design
This category of vulnerabilities is focused on the risks associated with flaws in design and architecture. As explained by OWASP, these are different from the risks associated with deficiencies in implementation. A well-implemented insecure designis still vulnerable to attacks.
Insecure design refers partly to the lack of security controls and business risk profiling in software development, and thereby the lack of proper determination of the degree of security design needed.
5. Security Misconfiguration
Security misconfiguration is a common issue opening attack surfaces. This commonly results from insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers or encryption, and verbose error messages containing sensitive information. All operating systems, frameworks, libraries, and applications must be securely configured, but they must be patched/upgraded promptly.
6. Vulnerable and Outdated Components
This category was previously known as Using Components with Known Vulnerabilities.
Components like libraries, frameworks, and other software modules run with the same privileges. Such an attack can facilitate severe data loss or server takeover if a vulnerable component is exploited. In addition, applications and APIs using known vulnerabilities might undermine application defenses and enable various attacks and impacts.
To help you assess whether you are using components with known vulnerabilities, fingerprinting scanners try to detect any web server or web application frameworks and associated versions running on the server.
7. Identification and Authentication Failures
This set of vulnerabilities was previously known as Broken Authentication.
These can arise if an application:
- It is not protected against automated attacks such as credential stuffing
- Allows for brute force attacks
- Accepts the use of default, weak, or well-known passwords
- Has soft or ineffective credential recovery and forgotten password procedures
- Employs plain text, encrypted, or weakly hashed password data stores
- Does not use or has ineffective multi-factor authentication
- Exposes the session identified in the URL
- Reuses the session identified after login
- Does not correctly invalidate user sessions and authentication tokens during logout or when inactive
8. Software and Data Integrity Failures
This new category on the OWASP list relates to vulnerabilities in software updates, critical data, and CI/CD pipelines whose integrity is not verified. For example, an application that relies on plugins, libraries, or modules from unverified and untrusted sources, repositories, or content delivery networks (CDNs) may be exposed to such a failure.
A similar source of failure may be the auto-update functionality of most applications that do not necessarily include a thorough integrity check. This opens the door for attackers to distribute their updates to create vulnerabilities. Finally, this category also includes what was previously called "Insecure Deserialization" in the 2017 list. Failures that arise here are due to objects or data encoded or serialized into a structure visible to an attacker and which they can modify.
9. Security Logging and Monitoring Failures
Previously known as Insufficient Logging & Monitoring, this category has been expanded to include more types of failures. While logging and monitoring are challenging to test, this category is essential because losses can impact accountability, visibility, incident alerting, and forensics. In addition, your application can further be exposed to information leakage if logging and alerting events are visible to users or attackers.
10. Server-Side Request Forgery (SSRF)
Server-Side Request Forgery issues arise when a web application does not validate the user-supplied URL when fetching a remote resource. This enables attackers to force the application to send a crafted request to an unexpected destination, even if protected by a firewall, VPN, or network access control list (ACL). Fetching a URL is a common feature among modern web applications, which increases in instances of SSRF. Moreover, these are also becoming more severe due to the increasing complexity of architectures and cloud services.