
OWASP Top 10: Intro

Wednesday 24th June 2020. By Simon Bell

Reading time: 4 minutes
Tags: security, web development

[Image: a wasp, to represent OWASP]

Photo by Svetozar Cenisev

Founded in 2001 by Mark Curphey, the Open Web Application Security Project (OWASP) is an online community of security researchers and experts that produces standards and best practices.

In 2003, OWASP published its first "Top 10" document, detailing some of the most critical web application security risks facing organisations. Since 2003, OWASP has updated its Top 10 every 3 years, and the list has become a leading industry framework for securing web apps.

One of OWASP's core principles is that its materials are open-source and accessible to everyone. This means that anyone can learn from the OWASP Top 10 to improve their web application security knowledge and understanding.

The latest version of the OWASP Top 10 (2017) can be found on OWASP's website as a web version or a PDF version.

The OWASP Top 10 rates each threat using OWASP's risk rating methodology, which is based on the OWASP Risk Assessment Framework. Each factor is scored from 1 to 3:

Threat Agents         Exploitability   Weakness Prevalence   Weakness Detectability   Technical Impacts   Business Impacts
Application Specific  Easy: 3          Widespread: 3         Easy: 3                  Severe: 3           Business Specific
                      Average: 2       Common: 2             Average: 2               Moderate: 2
                      Difficult: 1     Uncommon: 1           Difficult: 1             Minor: 1

OWASP's Risk Rating Methodology
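To show how the factors in the table combine, here is an added example (not code from the article) that applies the OWASP Top 10 2017 scoring arithmetic to the four per-entry scores listed for each risk further down this page. The formula itself (likelihood is the mean of exploitability, prevalence and detectability; the score is likelihood multiplied by technical impact) comes from the OWASP Top 10 2017 document rather than from this page; the function and dictionary names are this example's own.

```python
# Added example: OWASP Top 10 2017 risk scoring applied to the scores on this page.
# Formula (from the OWASP Top 10 2017 document, not stated on this page):
#   likelihood = mean(exploitability, prevalence, detectability)
#   score      = likelihood * technical_impact

# (exploitability, prevalence, detectability, technical impact), as listed
# under each of the ten entries on this page.
ENTRIES = {
    "Injection":                                   (3, 2, 3, 3),
    "Broken Authentication":                       (3, 2, 2, 3),
    "Sensitive Data Exposure":                     (2, 3, 2, 3),
    "XML External Entities (XXE)":                 (2, 2, 3, 3),
    "Broken Access Control":                       (2, 2, 2, 3),
    "Security Misconfiguration":                   (3, 3, 3, 2),
    "Cross-Site Scripting (XSS)":                  (3, 3, 3, 2),
    "Insecure Deserialization":                    (1, 2, 2, 3),
    "Using Components with Known Vulnerabilities": (2, 3, 2, 2),
    "Insufficient Logging & Monitoring":           (2, 3, 1, 2),
}


def risk_score(exploitability, prevalence, detectability, technical_impact):
    """Mean of the three likelihood factors times technical impact,
    rounded to one decimal place as the OWASP document presents it."""
    for factor in (exploitability, prevalence, detectability, technical_impact):
        if factor not in (1, 2, 3):
            raise ValueError("each factor is scored 1, 2 or 3")
    likelihood = (exploitability + prevalence + detectability) / 3
    return round(likelihood * technical_impact, 1)


def ranked(entries=ENTRIES):
    """(name, score) pairs from highest risk to lowest. Python's sort is stable
    even with reverse=True, so entries with equal scores keep the page's order."""
    scored = [(name, risk_score(*factors)) for name, factors in entries.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for name, score in ranked():
        print(f"{score:4.1f}  {name}")
```

Running it reproduces the page's ordering: Injection scores 8.0 at the top, and Insufficient Logging & Monitoring 4.0 at the bottom. Business impact is deliberately left out of the arithmetic because, as the table says, it is application specific.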

In this series of articles we'll cover each of the OWASP Top 10 security risks along with examples of how these attacks might look.

The OWASP Top 10 (2017) consists of the following threats:

1. Injection

Exploitability: 3
Prevalence: 2
Detectability: 3
Technical: 3

An injection attack occurs when untrusted data is processed in a way that changes what the program executes. For example: an SQL injection attack involves inserting SQL code where it is not expected, such as in a text input form. The result of this attack could expose data to the attacker, allow the attacker to alter data, etc.
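As an added illustration (not code from the article), the same user lookup written two ways against an in-memory SQLite table with constructed sample rows: one splices the form value into the SQL text, the other passes it as a bound parameter so it can only ever be treated as data. Table, column and function names are this example's own.

```python
# Added example: string-built SQL beside its parameterised form (sqlite3 stdlib).
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Constructed sample data; the hash values are placeholders, not real digests.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "placeholder-hash-1"), ("bob", "placeholder-hash-2")])
    return conn


def find_user_vulnerable(conn, username):
    # Untrusted input becomes part of the SQL text, so it can change the query.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_parameterised(conn, username):
    # The value travels separately from the SQL text: the database engine
    # never parses it as SQL, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed input; not a real username
    print(find_user_vulnerable(db, probe))      # every row comes back
    print(find_user_parameterised(db, probe))   # nothing matches
```

The bound-parameter version is the fix OWASP recommends for this class of bug; the probe string simply shows why a quote character in user input is enough to change the meaning of a concatenated query.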

2. Broken Authentication

Exploitability: 3
Prevalence: 2
Detectability: 2
Technical: 3

Authentication systems can fail for any number of reasons. If an attacker can gain access to an unauthorised account - especially an admin account - the consequences can have a significant impact. For example: attackers can use known username and password combinations - such as from a data breach - to see if any of the credentials work on a given website.

3. Sensitive Data Exposure

Exploitability: 2
Prevalence: 3
Detectability: 2
Technical: 3

Sensitive data can include usernames, passwords, credit card details, date of birth, medical records, etc. If attackers can get hold of this sensitive data then they could use it for any number of motives, such as gaining unauthorised access to accounts, identity fraud, or selling the data on underground markets. Attacks such as man-in-the-middle (on-path) interception can also lead to sensitive data exposure.

4. XML External Entities (XXE)

Exploitability: 2
Prevalence: 2
Detectability: 3
Technical: 3

Any web application that parses XML data may be susceptible to this attack. The attack works by supplying XML that declares an external entity - such as a reference to a file on the server's disk - in an attempt to exploit a vulnerability in the XML parser. The parser can be tricked into leaking sensitive data to an unauthorised external resource.
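One defensive pattern for this, as an added example that is not from the article: refuse any document containing a DOCTYPE or ENTITY declaration before it reaches the parser, since application data feeds rarely need one and that declaration is where external entities are introduced. The sample documents, the marker regex and the function names are constructed for this example.

```python
# Added example: reject inline DTDs in untrusted XML before parsing.
import re
import xml.etree.ElementTree as ET

# A DOCTYPE (or a stray ENTITY declaration) is where external entities are
# declared. Rejecting the whole document is simpler and safer than trying
# to pick apart which declarations are harmless.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    pass


def parse_untrusted_xml(data: bytes) -> ET.Element:
    if _DTD_MARKERS.search(data):
        raise UnsafeXML("DTD/entity declarations are not accepted from clients")
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


# Constructed sample input: an ordinary order document.
BENIGN = b"<order><item sku='A1' qty='2'/></order>"

# Constructed sample input with the shape this check exists to catch:
# a DOCTYPE declaring an entity that points outside the document.
# The target is a placeholder, not a real path.
XXE_SHAPED = (b"<?xml version='1.0'?>"
              b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///PLACEHOLDER'>]>"
              b"<order>&ext;</order>")

if __name__ == "__main__":
    print(is_safe_xml(BENIGN), is_safe_xml(XXE_SHAPED))
```

This pre-check complements, rather than replaces, configuring the parser itself: with lxml that means `XMLParser(resolve_entities=False)`, and the `defusedxml` package wraps the standard-library parsers with the dangerous features disabled.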

5. Broken Access Control

Exploitability: 2
Prevalence: 2
Detectability: 2
Technical: 3

The job of an access control system is to limit a user's (or program's) access to information or functionality. An access control system would be broken if a user were able to bypass authentication and perform admin tasks. An example of a broken access control system might be where a user can alter the URL of a web app to escalate privileges - such as accessing or changing other users' data - without authentication.
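The URL-tampering case above, as an added example that is not from the article: a profile route that reads the target user id from the URL, first trusting it outright, then checking it against the logged-in session. The route pattern, session class and sample profiles are constructed for this example.

```python
# Added example: object-level authorisation on an id taken from the URL.
import re
from dataclasses import dataclass

ROUTE = re.compile(r"^/users/(\d+)$")


@dataclass(frozen=True)
class Session:
    user_id: int
    is_admin: bool = False


# Constructed sample data keyed by user id.
PROFILES = {
    7:  {"name": "alice", "email": "alice@example.com"},
    12: {"name": "bob",   "email": "bob@example.com"},
}


class Forbidden(Exception):
    pass


def _user_id_from(path: str) -> int:
    match = ROUTE.match(path)
    if not match:
        raise ValueError(f"unknown route: {path}")
    return int(match.group(1))


def get_profile_broken(path: str, session: Session) -> dict:
    """Trusts the id in the URL: any logged-in user can read any profile
    just by editing the number."""
    return PROFILES[_user_id_from(path)]


def get_profile(path: str, session: Session) -> dict:
    """Same route, but the id in the URL must match the session's own user
    unless the session belongs to an admin."""
    user_id = _user_id_from(path)
    if user_id != session.user_id and not session.is_admin:
        raise Forbidden(f"user {session.user_id} may not read profile {user_id}")
    return PROFILES[user_id]


if __name__ == "__main__":
    alice = Session(user_id=7)
    print(get_profile_broken("/users/12", alice))  # bob's data leaks
    try:
        get_profile("/users/12", alice)
    except Forbidden as err:
        print("denied:", err)
```

The check is deliberately server-side and per request: hiding the link in the UI does nothing, because the URL is under the user's control.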

6. Security Misconfiguration

Exploitability: 3
Prevalence: 3
Detectability: 3
Technical: 2

This is one of the most common causes of cyber security breaches. Security misconfiguration may occur for any number of reasons, such as using default settings or displaying excessively verbose error messages that reveal internal details to anyone who triggers them.

7. Cross-Site Scripting (XSS)

Exploitability: 3
Prevalence: 3
Detectability: 3
Technical: 2

A cross-site scripting vulnerability occurs when a web app allows users to insert their own content into a page (for example via a URL parameter) that is then shown to other users. The attack happens when a malicious user is able to insert malicious code into the web app. For example: an attacker could add some malicious JavaScript code that would run in other users' browsers. The malicious code could access victims' cookies to carry out a session hijack attack.
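Two of the standard mitigations, as an added example rather than code from the article: encode user-supplied text before it is placed into HTML, and mark the session cookie HttpOnly so page scripts cannot read it. The comment template and the sample comment body are constructed for this example; `html.escape` and `http.cookies` are standard library.

```python
# Added example: output encoding for a comment, plus a script-inaccessible cookie.
import html
from http.cookies import SimpleCookie


def render_comment_broken(author: str, body: str) -> str:
    # User text lands in the page verbatim, so markup in it becomes part of the page.
    return f"<li><b>{author}</b>: {body}</li>"


def render_comment(author: str, body: str) -> str:
    # html.escape turns <, >, &, and quotes into entities, so the browser shows
    # the text instead of interpreting it.
    return f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>"


def session_cookie_header(token: str) -> str:
    """Set-Cookie line for a session token that page scripts cannot read
    (HttpOnly), that is only sent over HTTPS (Secure) and not attached to
    cross-site requests (SameSite)."""
    jar = SimpleCookie()
    jar["session"] = token
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    # Constructed sample comment containing markup a user should not be able to inject.
    probe = "<script>probe()</script>"
    print(render_comment_broken("mallory", probe))
    print(render_comment("mallory", probe))
    print(session_cookie_header("constructed-token"))
```

Escaping at output time is the part that stops the injection; HttpOnly limits the damage if some other page does slip, because the stolen-cookie session hijack the text describes needs script access to the cookie.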

8. Insecure Deserialization

Exploitability: 1
Prevalence: 2
Detectability: 2
Technical: 3

Many web applications serialise and deserialise data - a process that's useful for transforming data objects from the application into formats for other purposes, such as transferring over a network. It's a bit like when you move house and pack all your items into boxes (serialising), transport the boxes via a removal company (transfer over a network), then unpack everything at the other end (deserialising). An insecure deserialisation attack is like having the removal staff tamper with your contents before they arrive and get unpacked.
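Carrying the removal-company analogy into code, as an added example that is not from the article: the sender seals each box with a keyed MAC, and the receiver refuses to unpack anything whose seal does not match. It uses JSON plus HMAC-SHA256 from the standard library; the key, the payload and the function names are constructed for this example.

```python
# Added example: tamper-evident serialisation with an HMAC over the JSON body.
import hashlib
import hmac
import json


class TamperedPayload(ValueError):
    pass


def pack(obj, key: bytes) -> bytes:
    """Serialise to canonical JSON and prepend a hex HMAC tag: "<tag>.<body>"."""
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def unpack(blob: bytes, key: bytes):
    """Verify the tag before any deserialisation happens; a mismatch means the
    bytes were altered in transit (or were never produced by us at all)."""
    tag, _, body = blob.partition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise TamperedPayload("signature mismatch; refusing to deserialise")
    return json.loads(body)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # a real deployment keeps this secret
    blob = pack({"user": "alice", "role": "user"}, key)
    print(unpack(blob, key))
    forged = blob.replace(b'"role":"user"', b'"role":"admin"')
    try:
        unpack(forged, key)
    except TamperedPayload as err:
        print("rejected:", err)
```

Two design choices matter here: the format is JSON, which only ever yields plain dictionaries and lists (a pickle-style format that reconstructs arbitrary objects should never be fed untrusted bytes, signed or not), and the verification happens before parsing, so malformed input is never even decoded.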

9. Using Components with Known Vulnerabilities

Exploitability: 2
Prevalence: 3
Detectability: 2
Technical: 2

Web applications often make use of existing libraries and frameworks. This makes development easier since common functionalities can be re-used to save time. For example: React is a popular front-end JavaScript framework/library that allows developers to create complex front-end applications more easily than using just vanilla JavaScript. If an attacker can find a vulnerability in such a library then it can have wide-spread and significant implications - since the library may be used by millions of web applications.

10. Insufficient Logging & Monitoring

Exploitability: 2
Prevalence: 3
Detectability: 1
Technical: 2

Many attacks go unnoticed for a long time, leaving opportunities for attackers to carry out further damage - or even cover up their tracks. Insufficient logging, monitoring, and incident response plans can all contribute to the amount of damage caused by - and the time taken to recover from - an attack.
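The credential-stuffing scenario from the Broken Authentication entry and the monitoring gap described here meet in one piece of detection logic, given as an added example that is not from the article: parse authentication log lines and flag any source address that has tried many distinct usernames. The log format, the sample lines (using RFC 5737 documentation addresses) and the threshold are constructed for this example.

```python
# Added example: spotting credential stuffing in constructed authentication logs.
import re
from collections import defaultdict

# Constructed log format for this example, not any real product's format.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample log: one address cycling through many accounts
# (with one success), and one user who mistyped their own password once.
SAMPLE_LOG = """\
2020-06-24T10:00:01Z login fail user=alice ip=203.0.113.5
2020-06-24T10:00:02Z login fail user=bob ip=203.0.113.5
2020-06-24T10:00:02Z login fail user=carol ip=203.0.113.5
2020-06-24T10:00:03Z login ok user=dave ip=203.0.113.5
2020-06-24T10:00:04Z login fail user=erin ip=203.0.113.5
2020-06-24T10:00:05Z login fail user=frank ip=203.0.113.5
2020-06-24T10:01:10Z login fail user=alice ip=198.51.100.9
2020-06-24T10:01:20Z login ok user=alice ip=198.51.100.9
"""


def parse_auth_log(text: str) -> list:
    """Return one dict per well-formed line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def credential_stuffing_alerts(text: str, min_distinct_users: int = 5) -> dict:
    """Flag source IPs that attempted at least min_distinct_users different
    accounts. A legitimate user retrying their own password never looks like
    this, which is why the signal is distinct usernames rather than failures."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": []})
    for event in parse_auth_log(text):
        stats = per_ip[event["ip"]]
        stats["attempts"] += 1
        stats["users"].add(event["user"])
        if event["result"] == "ok":
            stats["successes"].append(event["user"])   # accounts now at risk
    return {
        ip: {"attempts": s["attempts"],
             "distinct_users": len(s["users"]),
             "successes": s["successes"]}
        for ip, s in per_ip.items()
        if len(s["users"]) >= min_distinct_users
    }


if __name__ == "__main__":
    for ip, alert in credential_stuffing_alerts(SAMPLE_LOG).items():
        print(ip, alert)
```

The point for incident response is the `successes` list: a stuffing alert is only actionable if the log records which accounts were logged into from the flagged address, so those sessions can be revoked and the owners told to change the reused password.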

Feel free to head straight to any of the above security risks if there's something specific you want to know more about. Otherwise let's crack on with Injection.


Simon Bell

I'm a software engineer and cyber security specialist. I recently passed my Cyber Security PhD viva (subject to amendments) and I have a BSc in Computer Science. In my spare time I enjoy running, tinkering with the Raspberry Pi, and experimenting with redstone circuits in Minecraft.

This website is where I enjoy writing about security, privacy, and web development.

Connect with me at: SJBell.com
