The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more.
OWASP releases a list of top ten threats concerning web application security every three years. The list describes each vulnerability, provides examples, and offers suggestions on how to avoid it.
The current list (2013 version) highlights the following vulnerabilities:
Injection Flaws include, but are not limited to LDAP, SQL, XPath and Operating System. Injection flaws, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands resulting in accessing of unauthorized data.
2 Broken Authentication and Session Management
If the authentication functions related to the application are not properly implemented, the hackers could compromise passwords or session ID’s or to exploit other implementation flaws using other users credentials.
3 Cross Site Scripting (XSS)
Cross-site Scripting (XSS) is an attack technique that involves echoing attacker-supplied code into a user’s browser instance. When an attacker gets a user’s browser to execute his/her code, the code will run within the security context (or zone) of the hosting web site. There are three types of Cross-site Scripting attacks: non-persistent, persistent and DOM-based.
4 Insecure Direct Object References
A direct object reference is likely to occur when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key without any validation mechanism which will allow attackers to manipulate these references to access unauthorized data.
5 Security Misconfiguration
Security Misconfiguration arises when the security configuration settings are defined or implemented as the defaults that comes with the ported product. Good security requires a secure configuration defined and deployed for the application, web server, database server, and platform. It is equally important to have the software up to date.
6 Sensitive Data Exposure
Many web applications gather but do not properly protect sensitive user data such as credit cards information, Bank account information or authentication credentials. If the data is not properly safeguarded both at rest and in transit, then hackers might end up stealing those weakly protected data to conduct credit card fraud, identity theft, or other crimes.
7 Missing Function Level Access Control
Web applications typically only show functionality that a user has the rights to use on the screen. Various access levels exist in a web application starting from an unregistered user upto the level of the website administrator. All the users get access to functionalities according to their roles due to presence of proper access control. However, if the same access control checks are NOT performed on the server, hackers will be able to penetrate into the application without proper authorization.
8 Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) attacks occur when a malicious web site causes a user’s web browser to perform an unwanted action on a trusted site. These vulnerabilities allow an attacker to transfer money out of user bank accounts, harvest user email addresses, violate user privacy and compromise user accounts. A compromised user may never know that such an attack has occurred. If the user does find out about an attack, it may only be after the damage has been done and a remedy may be impossible.
9 Using Components with Known Vulnerabilities
Known vulnerabilities related to libraries, frameworks and software are available to everyone on the Internet. If an attacker knows which components you use, he can retrieve these vulnerabilities and find a way to exploit them.
10 Unvalidated Redirects and Forwards
Most Web applications on frequently redirect users to other webpages or external websites, without validating the credibility of those pages. Hackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
This security risk can be used in combination with social engineering for malicious purposes such as tricking the user into downloading malware, redirecting to a phishing site, or using forwards to gain access to unauthorized pages.