OWASP Top 10
Top 10 Web Application Security Risks
Each year OWASP (the Open Web Application Security Project) publishes the top ten security vulnerabilities. It represents a broad consensus about the most critical security risks to web applications.
Click through on the lessons below to learn more about how to protect against each security risk.
1. Broken Access Control
Access control enforces policy such that users cannot act outside their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the user's limits.
Broken Access Control
- All resources on your site need to have access control implemented, even if they aren't intended to be discoverable by a user. Learn About This Vulnerability →
- All resources on your site need to have access control implemented, even if they aren't intended to be discoverable by a user.
Directory Traversal
- Ensure file paths are safely interpreted, or hackers can access sensitive files on your server. Learn About This Vulnerability →
- Ensure file paths are safely interpreted, or hackers can access sensitive files on your server.
Cross-Site Request Forgery
- If an attacker can forge HTTP requests to your site, they may be able to trick your users into triggering unintended actions. Learn About This Vulnerability →
- If an attacker can forge HTTP requests to your site, they may be able to trick your users into triggering unintended actions.
2. Cryptographic Failures
Many web applications and APIs do not properly protect sensitive data with strong encryption. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data must be encryption at rest and in transit, using a modern (and correctly configured) encryption algorithm.
3. Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
SQL Injection
- If you are vulnerable to SQL Injection, attackers can run arbitrary commands against your database. Learn About This Vulnerability →
- If you are vulnerable to SQL Injection, attackers can run arbitrary commands against your database.
Command Execution
- If your application calls out to the OS, you need to be sure command strings are securely constructed. Learn About This Vulnerability →
- If your application calls out to the OS, you need to be sure command strings are securely constructed.
4. Insecure Design
Pre-coding activities are critical for the design of secure software. The design phase of you development lifecycle should gather security requirements and model threats, and development time should be budgeted to allow for these requirements to be met. As software changes, your team should test assumptions and conditions for expected and failure flows, ensuring they are still accurate and desirable. Failure to do so will let slip critical information to attackers, and fail to anticipate novel attack vectors.
Insecure Design
- Security begins before you start writing code. Learn About This Vulnerability →
- Security begins before you start writing code.
Information Leakage
- Revealing system information helps an attacker learn about your tech stack. Learn About This Vulnerability →
- Revealing system information helps an attacker learn about your tech stack.
File Upload Vulnerabilities
- File uploads are an easy way for an attacker to inject malicious code into your application. Learn About This Vulnerability →
- File uploads are an easy way for an attacker to inject malicious code into your application.
5. Security Misconfiguration
Your software is only as secure as you configure it to be. Using ad hoc configuration standards can lead to default accounts being left in place, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.
6. Vulnerable and Outdated Components
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
7. Identification and Authentication Failures
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
Password Mismanagement
- Safe treatment of passwords is essential to a secure authentication system - yet many websites get this wrong. Learn About This Vulnerability →
- Safe treatment of passwords is essential to a secure authentication system - yet many websites get this wrong.
Privilege Escalation
- Privilege escalation occurs when an attacker exploits a vulnerability to impersonate another user or gain extra permissions. Learn About This Vulnerability →
- Privilege escalation occurs when an attacker exploits a vulnerability to impersonate another user or gain extra permissions.
User Enumeration
- Leaking username information on your site makes things much easier for hackers. Learn About This Vulnerability →
- Leaking username information on your site makes things much easier for hackers.
Session Fixation
- Insecure treatment of session IDs can leave your users vulnerable to having their session hijacked. Learn About This Vulnerability →
- Insecure treatment of session IDs can leave your users vulnerable to having their session hijacked.
Weak Session IDs
- Guessable session IDs make your website vulnerable to session hijacking. Learn About This Vulnerability →
- Guessable session IDs make your website vulnerable to session hijacking.
8. Software and Data Integrity Failures
Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure deployment pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. Lastly, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations.
9. Security Logging and Monitoring Failures
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
10. Server-Side Request Forgery
Server-Side Request Forgery (SSRF) flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).