1. Support Center
  2. User Guides Crashtest Security Suite

OWASP Top 10

The Open Web Application Security Project (OWASP) is a non-profit organization producing freely available articles and other information on web application security.

What is OWASP?

The Open Web Application Foundation is dedicated to creating a safer web application environment. It offers articles, tools, technologies, and forums to empower every developer to develop secure code. Amongst other projects, one of the most notable projects of OWASP is the OWASP Top 10.

What is OWASP Top 10?

OWASP Top 10 is a publicly shared list of the ten most critical web application vulnerabilities according to the Open Web Application Security Project. The list is developed by web application security experts worldwide and is regularly updated. The OWASP Top 10 aims to educate companies on vulnerabilities they need to mitigate to secure their web application.

This list is also under development for mobile applications.

Next to the Top 10 list, OWASP also publishes and maintains the following resources:

The OWASP Top 10

1. Injection Attacks

SQL Injection refers to exploiting a SQL database vulnerability caused by the lack of masking or validation of meta-characters in user input. The attacker attempts to inject his database commands through the application which has access to the database. As the request is not validated correctly, the inserted code changes the original SQL commands and therefore alters the results in favor of the attacker. With a successful attack, the attacker can spy on data, modify it or delete it altogether, and control the server. The attacker has different ways to breach the system for this to work. For example, it is possible to find a way into the system via response time or error messages.

2. Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens or exploit other implementation flaws to temporarily or permanently assume other users' identities. Abusing such vulnerability, an attacker may hijack user sessions and access or modify information he has no permission for.

3. Sensitive Data Exposure

Fuzzing is a technique where invalid, random, or unexpected data is used to produce either lucky states or gain access to hidden features. There are multiple types of fuzzing:

  • Fuzzing based on observed data
  • Fuzzing without previous knowledge

4. XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. An attacker may use an XXE vulnerability to access secret files of the machine running the XML processor.

5. Broken Access Control

Restrictions on what authenticated users can do are often not adequately enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.

6. Security Misconfiguration

Security misconfiguration is a common issue opening attack surfaces. This commonly is a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers or encryption, and verbose error messages containing sensitive information. All operating systems, frameworks, libraries, and applications must be securely configured, but they must be patched/upgraded in a timely fashion.

7. Cross-Site Scripting (XSS)

Cross-site scripting is the injection of client-side scripts into web applications, which is enabled by a lack of validating and correctly encoding user input. The malicious scripts are executed within the end-user's browser and allow various attacks, from stealing the end users' session to monitoring and altering all actions performed on the affected website. There are different types of cross-site scripting attacks, which distinguish if the malicious scripts could be injected in a non-persistent or persistent fashion. Furthermore, there is a differentiation between the vulnerability caused by an insufficient input validation on the client- or server-side.

8. Insecure Deserialization

Insecure Deserialization is an attack where a manipulated object is injected into the context of the web application. If the application is vulnerable, the object is deserialized and executed, resulting in SQL Injection, Path Traversal, Application Denial of Service, and Remote Code Execution.

9. Using Components With Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges. If a vulnerable component is exploited, such an attack can facilitate severe data loss or server takeover. Applications and APIs using known vulnerabilities may undermine application defenses and enable various attacks and impacts.

To help you assess whether you are using components with known vulnerabilities, fingerprinting scanners try to detect any web server or web application frameworks and associated versions running on the server,

10. Insufficient Logging And Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to attack systems further, maintain persistence, pivot to more systems, and tamper, extract or destroy data. Most breach studies show time to detect a breach is over 200 days, typically seen by external parties rather than internal processes or monitoring.

For more information about Crashtest Security, visit crashtest-security.com.