Open Web Application Security Project (OWASP)

The Open Web Application Security Project® (OWASP®) is a nonprofit foundation that works to improve software security. The OWASP Foundation is a trusted resource for software developers and technologists seeking to secure the Internet. OWASP sponsors many community-led open-source software projects with hundreds of local chapters worldwide and thousands of members.  

The activities, programs, and events of OWASP conform to policies defined within the OWASP Policies & Procedures document and the OWASP Code of Conduct. 

OWASP produces the OWASP Top 10 document, which both developers and application security professionals use. It reflects the best security professional consensus on the most critical and current security risks to web-based applications. The top ten web application security risks include:

A1:2017-Injection: Injection flaws, which we cover elsewhere in our glossary, happen when untrusted data is sent to an interpreter as part of a query or command. The threat actor’s hostile data prompt the interpreter to execute potentially malicious commands and access unauthorized confidential information.

Almost any data source can be an injection vector, environment variables, parameters, external and internal web services, and all types of users. Injection flaws occur when a threat actor sends hostile data to an interpreter. Injection flaws are widespread, especially in older code. Injection vulnerabilities can be found in SQL, LDAP, XPath, OS commands, SMTP headers, XML parsers, and other areas. Injection flaws are relatively easy to discover when conducting a code review. Pen testers will also quickly flush out most of the injection vulnerabilities on a basic engagement.

Injection can result in data corruption, theft, and loss. Injection can also support a threat scenario that results in a complete host takeover.

A2:2017-Broken Authentication: Code developed in support of authentication and session management is often done incorrectly. These errors can allow threat actors to compromise passwords, session tokens, and keys or exploit other implementation flaws to assume legitimate user identities.

Threat actors can easily acquire stolen valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools on the dark web. Session management utilizing unexpired session tokens is particularly prevalent and dangerous. 

Threat actors can detect broken authentication by various manual procedures and then exploit them using automated tools with password lists and the most basic dictionary attacks. Threat actors have to gain access to just one admin account to compromise the system. 

A3:2017-Sensitive Data Exposure: Many web applications and the APIs they use do not adequately protect sensitive data. Threat actors may steal or modify such vulnerable data to conduct credit card fraud, identity theft, and many other types of criminal activity. 

Rather than directly attacking cryptography, threat actors steal keys, execute man-in-the-middle attacks, or steal text data off the server, while in transit, or from the user’s browser.

The most common cause? Simply not encrypting sensitive data! 

The result is that sensitive personal information (PII) data such as health records, credentials, personal data, and credit cards become compromised and exposed. Much of this data is protected by laws or regulations such as the EU GDPR, HIPAA,  or one of a multitude of other data privacy and local privacy laws.

A4:2017-XML External Entities (XXE): Many misconfigured or out-of-date XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using a variety of techniques.

Threat actors can exploit these vulnerable XML processors if they can upload XML or include malicious content in an XML document which can then exploit vulnerable code. These flaws can be used to exfiltrate data, execute a remote server request, perform a denial of service (DOS) attack, as more. 

A5:2017-Broken Access Control: Policies that restrict authenticated users are often improperly enforced. Threat actors can exploit these flaws to access users’ accounts, view sensitive files, modify data, change access rights, and more.

Threat actors may gain administrator credentials and use privileged functions to create, access, update or delete every record.

Access control weaknesses are common due to the lack of automated detection and lack of effective functional testing by application developers. Manual pen testing is the best way to detect missing or ineffective access control, including the HTTP method (GET versus PUT) and other approaches.

A6:2017-Security Misconfiguration: Security misconfiguration is the most commonly seen vulnerability. Operating systems, libraries, and applications be correctly configured and patched in a timely way. Threat actors will often successfully exploit unpatched flaws or access default accounts to gain unauthorized access to the systems targeted.

Security misconfiguration can happen at any level of an application stack. Automated scanners are often useful for detecting misconfigurations and the use of default accounts or configurations but should be supplemented by pen testing.

A7:2017-Cross-Site Scripting XSS: XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. Please refer to our other glossary entry that focuses in more detail on XSS.

XSS is the second most prevalent issue in the OWASP Top 10 and is found in over 65% of applications!

A8:2017-Insecure Deserialization: Insecure deserialization can lead to remote code execution. Insecure deserialization is a sophisticated technique used when user-controllable data is deserialized by a website. This, in turn, enables the attacker to manipulate serialized objects. 

Some tools can discover deserialization flaws, but pen testing is frequently needed to validate the problem. 

The impact of deserialization vulnerabilities is potentially quite severe. These flaws can lead to remote code execution attacks, one of the most serious and dangerous types of attacks.

A9:2017-Using Components with Known Vulnerabilities: Libraries, frameworks, and other software often execute with the same privileges as the application. If a vulnerable component is exploited this way, such an attack can result in data loss or even server takeover. Applications and application program interfaces using components with known vulnerabilities will present targets within application defenses that threat actors will seek and exploit.

A10:2017-Insufficient Logging & Monitoring: Visibility is key! Insufficient logging and monitoring allow threat actors to further attack systems and unfold other malicious behavior. Most breach studies show time to detect a breach is over 190 days and is most typically detected by external parties!

Lack of visibility and insufficient logging and monitoring is present in nearly every major incident.

Threat actors rely on the lack of visibility and monitoring to silently achieve their criminal goals.