Table of Contents
2. Cross Site Scripting (XSS)
3. Broken Authentication and Session Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
The following two were dropped from the 2007 list but should still be next on your priority list to fix:
- Malicious File Execution
- Information Leakage and Improper Error Handling
Please note that the Top 10 is only a reference, not a complete list. In my view, most mature products whose teams focus on security keep good control over the threats above, while the majority of web-based products still rely on protection from the infrastructure layer and on the security features their development platforms impose by default. But attack patterns are limited only by the attacker's creativity and the tools available. A very experienced attacker can easily gauge the maturity of a product and will then focus on the loopholes you consider least likely. Check the list of common threats.
Let's have a look at these 10 vulnerabilities now.