OWASP (OPEN WEB APPLICATION SECURITY PROJECT) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. OWASP is not affiliated with any technology company, although it supports the informed use of commercial security technology. It is a non-profit entity.
OWASP updates its list roughly every 4 years. Before moving to the OWASP TOP 10 2017 we have to know about the OWASP TOP 10 2013, so this is the list of the OWASP TOP 10 2013:
- OWASP TOP 10 – 2013
A1 – INJECTION
A2 – BROKEN AUTHENTICATION AND SESSION MANAGEMENT
A3 – CROSS-SITE SCRIPTING(XSS)
A4 – INSECURE DIRECT OBJECT REFERENCES
A5 – SECURITY MISCONFIGURATION
A6 – SENSITIVE DATA EXPOSURE
A7 – MISSING FUNCTION LEVEL ACCESS CONTROL
A8 – CROSS-SITE REQUEST FORGERY(CSRF)
A9 – USING COMPONENTS WITH KNOWN VULNERABILITIES
A10 – UNVALIDATED REDIRECTS AND FORWARDS
The OWASP TOP 10 2017 is mainly based on 40+ data submissions from firms that specialize in application security and on an industry survey that was completed by over 500 individuals. The submissions cover vulnerabilities gathered from hundreds of organizations and over 100,000 real-world applications and APIs. The TOP 10 items were selected and ordered according to that prevalence data, in combination with consensus estimates of exploitability, detectability, and impact.
The goal of the OWASP TOP 10 is to educate developers, architects, managers, organizations, and designers about the consequences of the most common and most important web application security weaknesses. The OWASP TOP 10 provides basic techniques to protect against these high-risk problems and gives guidance on what to do next.
- OWASP TOP 10 – 2017
A1:2017-INJECTION
A2:2017-BROKEN AUTHENTICATION
A3:2017-SENSITIVE DATA EXPOSURE
A4:2017-XML EXTERNAL ENTITIES (XXE)
A5:2017-BROKEN ACCESS CONTROL
A6:2017-SECURITY MISCONFIGURATION
A7:2017-CROSS-SITE SCRIPTING (XSS)
A8:2017-INSECURE DESERIALIZATION
A9:2017-USING COMPONENTS WITH KNOWN VULNERABILITIES
A10:2017-INSUFFICIENT LOGGING AND MONITORING
Let’s discuss these.
A1:2017 – INJECTION
Injection flaws are a set of security vulnerabilities that occur when untrusted data is sent to an interpreter as part of a command or query. Known injection attacks include SQL, OS command, XXE, and LDAP injection. The attacker’s input can trick the interpreter into executing unintended commands or accessing data without proper authorization. The most common of the code injection attacks is SQL injection, also known as SQLi. An SQLi attack occurs when crafted input is sent to the database server as part of a query, leading to the exposure of your data.
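As an added illustration (not part of the original post), the SQLi case above in Python against an in-memory SQLite table: the string-built query beside its parameterised replacement. The table, its rows and the test inputs are constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed in-memory database standing in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def find_user_vulnerable(conn, name):
    # Untrusted input is concatenated into the query text, so the SQL interpreter
    # cannot tell where the data ends and the command begins (the A1 flaw).
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    # Parameterised query: the value is bound separately and is never parsed as
    # SQL, so the same input is treated as just a (non-existent) user name.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    conn = make_db()
    # Crafted input that closes the string literal and appends an always-true
    # condition; the textbook illustration of why string-built SQL is unsafe.
    crafted = "x' OR '1'='1"
    return {
        "vuln_normal": find_user_vulnerable(conn, "alice"),
        "vuln_crafted": find_user_vulnerable(conn, crafted),  # every row comes back
        "safe_crafted": find_user_safe(conn, crafted),        # no rows: no such user
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```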
A2:2017 – BROKEN AUTHENTICATION
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
A3:2017 – SENSITIVE DATA EXPOSURE
Sensitive data exposure may occur when security controls, such as HTTPS, are not implemented correctly. Many web applications and APIs do not properly protect sensitive data such as financial, PII, and healthcare records. Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires extra precautions when exchanged with the browser.
A4:2017 – XML EXTERNAL ENTITIES (XXE)
Poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, reach internal file shares, perform internal port scanning, achieve remote code execution, and mount denial-of-service attacks.
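An added example of the XXE defence (not from the original post): a Python parser built on the standard library's expat bindings that refuses any DOCTYPE or external entity reference before the processor can evaluate it. The sample documents and the file path inside the entity declaration are constructed placeholders.

```python
import xml.parsers.expat

class UnsafeXmlError(ValueError):
    """Raised when an untrusted document tries to use DTD/entity features."""

def parse_untrusted_xml(data):
    """Parse untrusted XML into a list of (tag, text) pairs. Any DOCTYPE (where
    entities are declared) or external entity reference aborts parsing, so the
    processor never fetches a file or URL on an attacker's behalf."""
    parser = xml.parsers.expat.ParserCreate()
    elements, stack = [], []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE is not allowed in untrusted XML (XXE risk)")

    def reject_external_entity(context, base, sysid, pubid):
        # Defence in depth: never resolve an external resource for the parser.
        raise UnsafeXmlError("external entity reference refused: %r" % (sysid,))

    def start(tag, attrs):
        stack.append((tag, []))

    def chars(text):
        if stack:
            stack[-1][1].append(text)

    def end(tag):
        name, buf = stack.pop()
        elements.append((name, "".join(buf).strip()))

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = reject_external_entity
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)  # an exception raised inside a handler propagates here
    return elements

def is_rejected(data):
    try:
        parse_untrusted_xml(data)
    except UnsafeXmlError:
        return True
    return False

# Constructed samples: a benign order document, and one that declares an
# external entity pointing at a placeholder local file path.
SAFE_DOC = "<order><item>widget</item><qty>3</qty></order>"
XXE_DOC = ('<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///path/to/secret">]>'
           '<order><item>&ext;</item></order>')
```

In production the same policy is what libraries such as defusedxml enforce; the point is that the decision is made before any entity is expanded, not after.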
A5:2017 – BROKEN ACCESS CONTROL
Broken access control arises when restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users’ accounts, viewing sensitive files, modifying other users’ data, or changing access rights.
A6:2017 – SECURITY MISCONFIGURATION
According to OWASP, security misconfiguration is the most commonly seen issue. Strong security requires a secure configuration of the server, database, framework, and custom code, all kept up to date. If a proper configuration is not in place, an attacker may gain access to privileged data.
A7:2017 – CROSS-SITE SCRIPTING (XSS)
XSS flaws occur whenever an application includes untrusted data in a web page without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Apps that accept user input without fully controlling the output are at high risk of XSS attacks. When an XSS attack is successful, attackers are able to cause serious damage to websites and to redirect users to other websites. The known kinds of XSS attacks are Stored XSS, DOM-based XSS, and Reflected XSS.
A8:2017 – INSECURE DESERIALIZATION
Serialization is the process of turning an object into a data format that can be restored later. People often serialize objects in order to save them to storage or to send them as part of a communication. Deserialization is the reverse of that process: taking data structured in some format and rebuilding it into an object. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
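An added example, not from the original post: a restricted unpickler in Python that resolves only an allowlist of builtin types, so a serialized stream from an untrusted source cannot pull in arbitrary classes when it is rebuilt into an object. The allowlist and the sample session object are constructed for the demo.

```python
import io
import pickle
import datetime

# Constructed allowlist: the only names the unpickler may resolve. Anything else,
# whether os.system or a perfectly innocent stdlib class, is refused, which denies
# an attacker the "gadget" classes that turn deserialization into code execution.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "str", "bytes",
                 "int", "float", "bool"}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called whenever the stream asks for a global (a class or a function).
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(__import__("builtins"), name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")

def restricted_loads(data):
    """Deserialize untrusted bytes with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def loads_or_reason(data):
    """Return ('ok', obj) or ('rejected', message) instead of raising."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))

# Constructed samples. Plain containers need no globals, so they load; a date
# object carries a reference to datetime.date, which is outside the allowlist.
SAMPLE_SESSION = {"user": "alice", "roles": ["viewer"]}
BENIGN_PICKLE = pickle.dumps(SAMPLE_SESSION)
FOREIGN_CLASS_PICKLE = pickle.dumps(datetime.date(2017, 11, 20))

if __name__ == "__main__":
    print(loads_or_reason(BENIGN_PICKLE))
    print(loads_or_reason(FOREIGN_CLASS_PICKLE))
```

Where the data is only ever plain values, a data-only format such as JSON with schema validation removes the class-resolution problem entirely.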
A9:2017 – USING COMPONENTS WITH KNOWN VULNERABILITIES
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
When an application uses components with known vulnerabilities, attackers can take advantage of those published flaws to attempt SQLi, XSS, and other attacks in an effort to take over the app.
A10:2017 – INSUFFICIENT LOGGING AND MONITORING
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.
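An added example (not from the original post) of the monitoring side of A10: detection logic that replays constructed authentication log lines and flags a source that fails logins against many accounts inside a short window. The log format, the threshold and the window length are assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an application's authentication log (not from a real
# system): one source hammers five different accounts in a few seconds.
SAMPLE_LOG = """\
2017-11-20T10:00:01Z auth result=fail user=alice src=203.0.113.7
2017-11-20T10:00:02Z auth result=fail user=bob src=203.0.113.7
2017-11-20T10:00:03Z auth result=fail user=carol src=203.0.113.7
2017-11-20T10:00:04Z auth result=fail user=dave src=203.0.113.7
2017-11-20T10:00:05Z auth result=fail user=erin src=203.0.113.7
2017-11-20T10:00:09Z auth result=ok user=alice src=198.51.100.4
2017-11-20T10:05:00Z auth result=fail user=alice src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_log(text):
    """Turn log lines into (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline should count unparseable lines as well
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag any source producing >= threshold failed logins inside a sliding
    window. Returns {src: number_of_distinct_accounts_targeted}."""
    recent = defaultdict(list)
    alerts = {}
    for ts, result, user, src in sorted(events):
        if result != "fail":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:   # expire failures outside the window
            q.pop(0)
        if len(q) >= threshold:
            alerts[src] = len({u for _, u in q})
    return alerts

if __name__ == "__main__":
    for src, users in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} failed logins against {users} accounts within a minute")
```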
So these are the OWASP TOP 10 2017. As a security person you have to know about these, but remember that the OWASP TOP 10 is not the end; these are just the top 10 vulnerability categories according to OWASP. There are many more that you have to study. But for these top 10, you can study from OWASP.