The OWASP Top Ten is a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.
The OWASP Top Ten list is as follows:
A1 Injection:
- Injection attacks occur when untrusted input is supplied to a program and ends up being interpreted as part of a command or query; they are a major problem in web security. Injection is an entire class of attacks that rely on injecting data into a web application in order to have malicious data executed or interpreted in an unexpected manner.
A2 Broken Authentication:
- Broken authentication vulnerabilities occur when developers fail to use authentication methods that have been adequately tested and rely on their own, often flawed, method for authenticating users. Authentication is a security process that ensures and confirms a user’s identity, typically in the form of Username/Password verification performed by the server.
A3 Sensitive Data Exposure:
- The first step is to determine which data is sensitive enough to require extra protection. The most common flaw is simply not encrypting sensitive data; the goal is to protect sensitive information from being disclosed to attackers.
A4 XML External Entities (XXE):
- An XML External Entity attack is a type of attack against an application that parses XML input. Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.
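As an added example (not code from the original post), the defensive counterpart to the file: system identifier described above: a parser for untrusted XML, built on Python's standard expat bindings, that refuses the whole document as soon as a DOCTYPE or entity declaration appears, so no entity is ever resolved. The sample documents and the placeholder file path are constructed for the demonstration.

```python
import xml.parsers.expat as expat


class DoctypeRejected(ValueError):
    """Raised when untrusted XML carries a DTD or entity declaration."""


def parse_untrusted_xml(document: str) -> dict:
    """Return {leaf element: text} for a simple record, or raise DoctypeRejected.

    User-supplied XML never legitimately needs a DTD, so the whole document is
    refused as soon as one appears, before any entity can be resolved.
    """
    parser = expat.ParserCreate()
    # Defence in depth: never fetch external parameter entities (external DTDs).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    fields, open_tags = {}, []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} (system id {sysid!r}) refused")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DoctypeRejected(f"entity declaration {name!r} refused")

    def start(tag, attrs):
        open_tags.append(tag)
        fields.setdefault(tag, "")

    def chars(data):  # text may arrive in several chunks, so accumulate
        fields[open_tags[-1]] += data

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda tag: open_tags.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(document, True)  # an exception raised in a handler propagates here
    return {tag: text.strip() for tag, text in fields.items() if text.strip()}


# Constructed sample inputs (not real data).
BENIGN_DOC = "<profile><name>alice</name><email>alice@example.com</email></profile>"
# The shape the text describes: an external entity whose system identifier is a
# file: URL. The path is a placeholder; the parser refuses it before resolving it.
XXE_SHAPED_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE profile [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/path">]>'
    "<profile><name>&ext;</name></profile>"
)
```

Calling `parse_untrusted_xml(BENIGN_DOC)` returns the name and email fields, while `parse_untrusted_xml(XXE_SHAPED_DOC)` raises `DoctypeRejected` before the entity reference is ever reached.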
A5 Broken Access Control:
- Access control, sometimes called authorization, is the means by which a web application grants access to specified content and functions to some users and not others. One particularly dangerous type of access control vulnerability arises from Web-accessible administrative interfaces. Such features are frequently used to allow site administrators to efficiently manage users, data, and content on their site.
A6 Security Misconfiguration:
- Misconfiguration is defined as configuration mistakes that result in unintended application behavior, including the use of default passwords, excessive privileges, and disclosure of debugging information. Security misconfiguration can let groups or roles access settings or records that were not intended for them, for example allowing admin staff to view human resources data.
A7 Cross Site Scripting (XSS):
- Cross-site scripting (XSS) is a client-side code injection attack: the injected script is executed by an unsuspecting user’s browser or by an application that has not protected itself against cross-site scripting. Because dynamic web sites rely on user input, a malicious user can inject script into the page by hiding it within otherwise legitimate requests.
A8 Insecure Deserialization:
- The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. If the affected software insecurely deserializes user-supplied content, an attacker could execute arbitrary code on the system, which could then be used to conduct further attacks.
A9 Using Components with Known Vulnerabilities:
- Vulnerabilities in third-party libraries and software are extremely common and can be used to compromise the security of systems that use them. If the components, frameworks, and other dependencies of an application are not designed or maintained securely, an attacker can take advantage of them to compromise your system.
A10 Insufficient Logging & Monitoring:
- Insufficient logging and monitoring is a missing control rather than a vulnerability in and of itself. It is an important gap, although a developer is often not the one responsible for maintaining the logs of the applications. It does not create a vulnerability by itself, but it restricts and limits incident response and investigations.
We will keep updating all the topics listed above, so stay in touch and follow our blog for more about application security. Our main goal is to raise awareness of application security in day-to-day life as well as professionally.