OWASP, the Open Web Application Security Project, has just released the OWASP Top 10 for 2013. The OWASP Top 10 is a list of the most common vulnerabilities and flaws found in today's web applications. The list is based on several datasets from different firms specialising in web application security and is aimed at helping businesses that own websites and web applications simplify the process of securing them.
The OWASP Top 10 list has been released once every 3 years since
A1 - Injection
LDAP Query Injection, OS Command Injection and SQL Injection are
A2 - Broken Authentication and Session Management
Authentication in web applications is mostly used to grant or deny a particular user access to specific information, and session management is the management of users who are already logged in. The most common security risks related to authentication and session management are stealing
A3 - Cross-Site Scripting
A cross-site scripting (XSS) vulnerability allows a malicious hacker to inject malicious client-side script into a website or web application, which is later executed in the browsers of its victims. Typically, cross-site scripting attacks are used to bypass access controls and to impersonate legitimate users, such as the web application administrator. Some years ago a cross-site scripting vulnerability was combined with other vulnerabilities to gain root access on the Apache Foundation servers. For more detailed information about this attack, refer to the blog post XSS to Root in Apache Jira Incident.
A4 - Insecure Direct Object References
An insecure direct object reference is a flaw in the design of a web application where access to a sensitive object, such as a directory, a particular record or a database, is not fully protected and the object is exposed by the application. A typical example would be when a customer accesses his bank accounts via e-banking and, because of a flaw in the web
A5 - Security Misconfiguration
Web application security is not just about secure web application coding. To ensure the security of a web application it is also important to secure the configuration of the web server, secure the operating system of the web server and ensure that it is always updated with the latest security patches. The same applies to the web frameworks being used, such as
A6 - Sensitive Data Exposure
Sensitive data stored in databases or in any other store should be well protected. Credit card details, social security numbers and other sensitive customer details should be encrypted when stored in a database, even if they are not directly accessible via the web application. The same applies
A7 - Missing Function Level Access Control
An attacker can exploit this type of security flaw by changing the URL in the browser when accessing a web application, to try to reach a function he is not authorised to use. If the web application fails to perform a proper access control check for that particular function on the server side, the attacker is able to use a function he should not have access to.
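The object-level check A4 describes and the function-level check A7 describes, as an added Python example that is not from the original post or from any OWASP code; the users, account ids and route paths are constructed sample data, and the dispatcher stands in for a web framework's router.

```python
# Added example (not from the original post): a minimal request dispatcher that
# enforces the two server-side checks whose absence gives rise to A4 (object-level
# ownership) and A7 (function-level authorisation). Users, accounts and routes
# are constructed sample data.
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer" or "admin"


# Constructed sample data: account id -> owning user name.
ACCOUNTS = {"1001": "alice", "1002": "bob"}
USERS = {
    "alice": User("alice", "customer"),
    "bob": User("bob", "customer"),
    "root": User("root", "admin"),
}


class Forbidden(Exception):
    pass


def view_account(user: User, account_id: str) -> str:
    """A4: the record must belong to the requesting user. An unknown id is
    rejected the same way as another user's id, so the response does not
    reveal which ids exist."""
    owner = ACCOUNTS.get(account_id)
    if owner is None or owner != user.name:
        raise Forbidden(f"{user.name} may not view account {account_id}")
    return f"balance of {account_id} for {owner}"


def delete_user(user: User, target: str) -> str:
    """A7: the role check lives inside the function; hiding the admin link in
    the UI would not stop a user who types the URL directly."""
    if user.role != "admin":
        raise Forbidden(f"{user.name} may not call delete_user")
    return f"deleted {target}"


# Route table: URL path -> handler, mimicking a web framework's router.
ROUTES = {"/account": view_account, "/admin/delete_user": delete_user}


def dispatch(session_user: str, path: str, arg: str) -> Tuple[int, str]:
    """Simulate 'GET path?arg' by an already logged-in user; return (status, body)."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    try:
        return 200, handler(USERS[session_user], arg)
    except Forbidden:
        return 403, "forbidden"
```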
A8 - Cross-site Request Forgery (CSRF)
A cross-site request
A9 - Using Components with Known Vulnerabilities
It is quite surprising that this class of vulnerabilities is in 9th place, considering that most of
A10 - Unvalidated Redirects and Forwards
Website visitors are frequently redirected and forwarded to different pages, and even to third-party websites, depending on the visitor's location, the type of browser being used and several other factors. If the functions analysing such data do not properly validate it,
Use the OWASP Top 10 in your Web Applications SDLC
There are several long
How to Find OWASP Top 10 Vulnerabilities in Your Web Applications
You can find most of the web application security problems and vulnerabilities listed in the OWASP Top 10 by scanning your web applications with an automated web application security scanner at any stage of the development life cycle.