Insecure software is undermining our financial, healthcare, defense,
energy, and other critical infrastructure. As our digital infrastructure
gets increasingly complex and interconnected, the difficulty of
achieving application security increases exponentially. We can no longer
afford to tolerate relatively simple security problems like those
presented in this OWASP Top 10.
The goal of the
Top 10 project is to raise awareness about
application security by identifying some of the most critical risks
facing organizations. The Top 10 project is referenced by many
standards, books, tools, and organizations, including MITRE, PCI DSS,
DISA, FTC, and
many more.
This release of the OWASP Top 10 marks this project’s eleventh year of
raising awareness of the importance of application security risks.
The
OWASP Top 10 was first released in 2003, with minor updates in 2004 and
2007. The 2010 version was revamped to prioritize by risk, not just
prevalence. This 2013 edition follows the same approach
This is a release candidate intended only for comments.
|
Injection flaws, such as SQL, OS, and LDAP injection occur when
untrusted data is sent to an interpreter as part of a command or query.
The attacker’s hostile data can trick the interpreter into executing
unintended commands or accessing unauthorized data.
|
|
Application functions related to authentication and session
management are often not implemented correctly, allowing attackers to
compromise passwords, keys, session tokens, or exploit other
implementation flaws to assume other users’ identities.
|
|
XSS flaws occur whenever an application takes untrusted data and
sends it to a web browser without proper validation or escaping. XSS
allows attackers to execute scripts in the victim’s browser which can
hijack user sessions, deface web sites, or redirect the user to
malicious sites.
|
|
A direct object reference occurs when a developer exposes a reference
to an internal implementation object, such as a file, directory, or
database key. Without an access control check or other protection,
attackers can manipulate these references to access unauthorized data.
|
|
Good security requires having a secure configuration defined and
deployed for the application, frameworks, application server, web
server, database server, and platform. All these settings should be
defined, implemented, and maintained as many are not shipped with secure
defaults. This includes keeping all software up to date.
|
|
Many web applications do not properly protect sensitive data, such as
credit cards, tax ids, and authentication credentials. Attackers may
steal or modify such weakly protected data to conduct identity theft,
credit card fraud, or other crimes. Sensitive data deserves extra
protection such as encryption at rest or in transit, as well as special
precautions when exchanged with the browser.
|
|
Virtually all web applications verify function level access rights
before making that functionality visible in the UI. However,
applications need to perform the same access control checks on the
server when each function is accessed. If requests are not verified,
attackers will be able to forge requests in order to access unauthorized
functionality.
|
|
A CSRF attack forces a logged-on victim’s browser to send a forged
HTTP request, including the victim’s session cookie and any other
automatically included authentication information, to a vulnerable web
application. This allows the attacker to force the victim’s browser to
generate requests the vulnerable application thinks are legitimate
requests from the victim.
|
|
Vulnerable components, such as libraries, frameworks, and other
software modules almost always run with full privilege. So, if
exploited, they can cause serious data loss or server takeover.
Applications using these vulnerable components may undermine their
defenses and enable a range of possible attacks and impacts.
|
|
Web applications frequently redirect and forward users to other pages
and websites, and use untrusted data to determine the destination
pages. Without proper validation, attackers can redirect victims to
phishing or malware sites, or use forwards to access unauthorized pages.
|
No hay comentarios:
Publicar un comentario