OWASP stands for Open Web Application Security Project. It is an open-source application security community whose goal is improving the security of software. Its Top 10 is an industry-standard guideline that lists the most critical application security risks, enabling developers to secure the applications they develop and deploy.
OWASP Top 10 2017 Standards:
1. Injection
This happens when input from an untrusted source is passed into a query or command as if it were part of the code, tricking the interpreter into running attacker-supplied commands.
Impact:
- Compromise of the application or underlying host
- Exposure of sensitive data
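As an added example (not from the original article), the following Python snippet shows the injection flaw beside its fix against a constructed in-memory SQLite table: the query built by string formatting lets a crafted username change the meaning of the WHERE clause, while the parameterised query only ever treats the input as data.

```python
import sqlite3


def make_db():
    # Constructed sample data, embedded so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    # The untrusted value is spliced into the SQL text, so the interpreter
    # cannot distinguish data from command: this is the injection defect.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Parameterised query: the driver passes the value separately from the
    # statement, so it is only ever compared as a string literal.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    benign = "bob"
    crafted = "x' OR '1'='1"  # constructed test input that closes the quote
    return {
        "unsafe_benign": lookup_unsafe(conn, benign),
        "unsafe_crafted": lookup_unsafe(conn, crafted),  # returns every row
        "safe_benign": lookup_safe(conn, benign),
        "safe_crafted": lookup_safe(conn, crafted),  # returns nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The same separation of code from data applies to any interpreter (LDAP, OS commands, NoSQL), not only SQL.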
2. Broken Authentication
This happens when authentication and session management are not implemented correctly (e.g., session tokens that never expire), which allows attackers to compromise passwords and keys.
Impact:
- User identity theft
- Compromise of sensitive data
3. Sensitive Data Exposure
This happens when data is stored or transmitted without adequate protection, such as encryption at rest or in transit, allowing attackers to steal or modify it.
Impact:
- Compromise of regulated data (e.g., HIPAA or GDPR)
- Non-compliant status with respect to privacy laws and regulations
4. XML External Entities
This happens when XML input containing a reference to an external entity is processed by an older or poorly configured parser. Processing of the entity can be exploited to extract data or execute code remotely.
Impact:
- Theft of sensitive data
- Denial of Service Attacks (DoS)
5. Broken Access Control
This happens when restrictions on what authenticated users are allowed to do are not properly enforced, allowing attackers to access the application's functionality and sensitive files they are not authorised for.
Impact:
- Compromise of sensitive data
- Modification or Deletion of data
6. Security Misconfiguration
This happens when the application is misconfigured (unnecessarily enabled default ports, unchanged default passwords, unpatched frameworks or services, stack traces revealed on errors), which lets attackers learn about the deployment and access the server to disrupt operations.
Impact:
- Compromise of System
- Information Disclosure
7. Cross-Site Scripting (XSS)
This happens when untrusted user input is rendered as part of the HTML, or when users are lured into interacting with malicious links, allowing attackers to execute scripts in the victim's browser that can hijack user sessions or redirect the user to malicious sites.
Impact:
- Takeover of the victim's account in the application
- Compromise of data
8. Insecure Deserialization
This happens when a language or framework expands untrusted serialized data into objects (e.g., when developers place no restriction on methods that execute automatically during deserialization and neither the source nor the contents are verified beforehand), which allows attackers to achieve remote code execution and gain unauthorized access.
Impact:
- Remote Code Execution
9. Using Components with Known Vulnerabilities
This happens when open-source or third-party frameworks and libraries used by the application run with the same privileges as the application, enabling attackers to leverage vulnerable components in an attack.
Impact:
- Remote Code Execution
- Compromise of application
10. Insufficient Logging and Monitoring
This happens when logging is insufficient (it does not record enough detail to understand what attackers did) and monitoring is insufficient (alert thresholds and response processes are inadequate).
Impact:
- Unauthorized access
- Compromise of Data