OWASP Top 10 Web Application Vulnerabilities

Published on: 8/16/2014
Topic: Web Application Security
About OWASP Top 10 Project

The OWASP Top 10 project was launched in 2003 to identify the top security risks and vulnerabilities associated with web applications. The outcome of the project is a list of the ten threats and vulnerabilities found most commonly across the globe. The Top 10 project is now referenced by many organizations and compliance groups, including MITRE, PCI DSS, DISA and FTC. The latest version was released in 2010. I assume that at a higher level the attack patterns and associated risks would not change much, but with new trends in technology there are new attack patterns emerging that need to be focused on in specific terms. Especially the higher adoption of the SaaS model, the increasing trend of cloud hosting, the wider impact of any attack on social sites and the emerging open data protocols are going to majorly influence the focus in the coming years.


Table of Contents

List of OWASP Top 10 Vulnerabilities 2010

1. Injection
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards

The following two were dropped from the 2007 list but should still be next in your priority to fix:
- Malicious File Execution
- Information Leakage and Improper Error Handling

Please note that the Top 10 is just a reference and not the complete list. In my view, most mature products that are focused on the security of their products keep good control over the above threats, while the majority of web-based products still rely on protection from the infrastructure layer and on the security features imposed by their development platforms by default. But the attack patterns are limited only by the creativity of the attacker and the availability of tools. A very experienced attacker would easily measure the maturity of a product and would then start to focus on those loopholes that you might consider the least likely. Check the list of common threats.

Let's have a look at these 10 vulnerabilities now.


Continue Reading: OWASP Top 1 Threat – Injection