OWASP Top 10 2017

The OWASP Top 10 is an overview of types of vulnerabilities considered by security experts to be the most critical with respect to Web applications. It is not a ready-made checklist and moreover does not cover all types of vulnerabilities, but it does provide a good overview of this complex matter. The Top 10 therefore forms a solid basis for the security tests we offer.

Injection (A1)

Injection vulnerabilities, such as SQL, OS command or LDAP injection, occur when untrusted data supplied by an attacker is sent to an interpreter as part of a command or query. This data can trick the interpreter into executing unintended commands or granting unauthorized access to data.
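The following is an added example, not code from the original page: it places a string-concatenated SQL query next to its parameterized counterpart and runs both against a constructed in-memory SQLite table, so the difference in behaviour can be checked rather than described. The table, the user names and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real system.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def find_user_vulnerable(conn, name):
    # BAD: user-controlled text is spliced into the SQL statement, so the
    # database parses it as part of the query rather than as data.
    query = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(query)]

def find_user_safe(conn, name):
    # GOOD: a parameterized query. The value travels separately from the
    # statement text and can never alter the statement's structure.
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    conn = build_db()
    crafted = "' OR '1'='1"  # classic textbook tautology, used here to show the contrast
    print("concatenated:", find_user_vulnerable(conn, crafted))  # every user leaks
    print("parameterized:", find_user_safe(conn, crafted))       # [] - treated as a literal name
    print("normal lookup:", find_user_safe(conn, "alice"))
```

The parameterized form is the fix the OWASP guidance recommends for this class; input filtering on top of it is defence in depth, not a substitute.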

Broken Authentication (A2)

Authentication and session management mechanisms are often implemented incorrectly, allowing attackers to assume the identity of other users.

Sensitive Data Exposure (A3)

Many applications and API endpoints do not sufficiently protect sensitive data, such as personal information, documents and authorization data. Malicious actors can steal or modify this data to commit credit card fraud, identity theft or other crimes. Sensitive data must therefore be given additional protection through encryption or other special precautions.

XML External Entities (A4)

Outdated or poorly configured XML processors often resolve external entity references found in XML documents. Attackers can abuse this to, for example, read local files, execute OS commands or cause denial-of-service conditions that make the system (temporarily) unusable.

Broken Access Control (A5)

In many cases, restrictions on what a user may or may not do within an application are not correctly enforced. Attackers can exploit these flaws to gain access to functionality and/or data without being authorized to do so.

Security Misconfiguration (A6)

Good security requires a secure configuration that is matched to the application, frameworks, application server, Web server, database server and platform. Secure settings must be defined, implemented and maintained, because default settings are often insecure. In addition, all software must be kept up to date.

Cross-Site Scripting (XSS) (A7)

XSS occurs when an application includes untrusted data in a page sent to a Web browser without proper validation and/or encoding. XSS allows attackers to execute scripts in the victim's browser, hijack user sessions, deface Web sites or redirect the user to other sites.
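As an added illustration (not code from the original page), the snippet below renders the same untrusted value into a page once without encoding and once with context-appropriate encoding, and also shows why encoding alone is not enough for a URL attribute. The page templates, function names and allow-list are assumptions for the demonstration; a real application would use a template engine with auto-escaping.

```python
import html
from string import Template
from urllib.parse import urlparse

# Constructed page fragments for the demonstration.
GREETING = Template("<p>Welcome back, <b>$name</b></p>")
LINK = Template('<a href="$url">your profile</a>')

def render_greeting_unsafe(name):
    # BAD: the value is pasted straight into the page, so any markup in it
    # is interpreted by the browser as part of the document.
    return GREETING.substitute(name=name)

def render_greeting_safe(name):
    # GOOD: encode for the HTML element-content context. The browser shows
    # the characters literally and never parses them as markup.
    return GREETING.substitute(name=html.escape(name, quote=True))

# Only these URL schemes may appear in a link we emit (assumed policy).
ALLOWED_SCHEMES = {"http", "https"}

def safe_href(url):
    # A URL attribute needs two steps: html.escape does not neutralize a
    # value whose scheme makes the browser execute code, so the scheme is
    # allow-listed first, then the value is encoded for the attribute
    # context. Relative and scheme-less URLs are rejected by this strict
    # version on purpose.
    if urlparse(url).scheme.lower() not in ALLOWED_SCHEMES:
        url = "#"
    return LINK.substitute(url=html.escape(url, quote=True))

if __name__ == "__main__":
    tainted = "<script>alert(1)</script>"
    print(render_greeting_unsafe(tainted))
    print(render_greeting_safe(tainted))
    print(safe_href("https://example.com/?a=1&b=2"))
    print(safe_href("javascript:alert(1)"))
```

The point of the second helper is that output encoding is context-dependent: element content, attribute values, URLs and script blocks each need their own treatment.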

Insecure Deserialization (A8)

Applications serialize objects before storing or transmitting them. Deserializing these objects is often done insecurely and can be abused to execute OS commands. In some cases, it also leaves the application vulnerable to other injection attacks.
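The following added example (not from the original page) shows the standard defensive pattern for a native serialization format: a deserializer that refuses to instantiate any class not on an explicit allow-list, so untrusted input cannot cause arbitrary code to run during loading. It uses Python's pickle module because it illustrates the problem directly; the allow-list contents, the UserProfile class and the helper names are assumptions for the demonstration.

```python
import builtins
import io
import pickle

# Allow-list of globals the unpickler may resolve (assumed policy). Anything
# else, including classes from our own code base, is rejected before the
# unpickler can construct it.
SAFE_BUILTINS = {"set", "frozenset", "range", "slice", "complex"}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every class or function reference in the stream; this
        # is the single choke point at which untrusted data chooses code.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")

def restricted_loads(data):
    """Deserialize `data`, refusing any object whose class is not allow-listed."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_rejected(data):
    """True if the restricted loader refuses the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

class UserProfile:
    """An ordinary application class; deliberately NOT on the allow-list."""
    def __init__(self, name):
        self.name = name

def serialize(obj):
    # Plain pickling, as a careless application might do before storing.
    return pickle.dumps(obj)

if __name__ == "__main__":
    plain = serialize({"user": "alice", "roles": ["viewer"], "ids": {1, 2}})
    print("plain data:", restricted_loads(plain))
    print("custom class rejected:", is_rejected(serialize(UserProfile("alice"))))
```

Where the data is simple, the stronger fix is to avoid native serialization entirely and use a data-only format such as JSON with schema validation; the allow-list approach is for cases where that is not an option.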

Using Components with Known Vulnerabilities (A9)

Components such as libraries, frameworks and other software modules usually run with the same privileges as the application itself. If a vulnerable component is exploited, it can lead to data loss or a takeover of the server. Components with already known vulnerabilities undermine application security and open the door to a range of possible attacks.

Insufficient Logging & Monitoring (A10)

A lack of logging and monitoring gives attackers time to burrow deeper into a system and attempt to gain persistent access. On average, a breach goes undetected for 200+ days. This gives attackers ample time to gain access to other systems as well and to view, modify or even delete stored data.
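As an added example of the kind of monitoring this item calls for (not code from the original page), the script below parses a constructed authentication log, flags any source address that produces a burst of failed logins inside a sliding window, and singles out addresses that logged in successfully after being flagged. The log format, the addresses (from documentation ranges), the threshold and the window are all assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real system): one address fails against
# many accounts in quick succession and then succeeds, a second address has
# two ordinary typos, and one line is malformed.
SAMPLE_LOG = """\
2017-11-20T10:00:01 auth FAIL user=alice ip=203.0.113.7
2017-11-20T10:00:03 auth FAIL user=bob ip=203.0.113.7
2017-11-20T10:00:05 auth FAIL user=carol ip=203.0.113.7
2017-11-20T10:00:08 auth FAIL user=dave ip=203.0.113.7
2017-11-20T10:00:10 auth FAIL user=erin ip=203.0.113.7
2017-11-20T10:00:12 auth FAIL user=frank ip=203.0.113.7
2017-11-20T10:00:15 auth OK user=frank ip=203.0.113.7
this line is not an auth record
2017-11-20T10:01:00 auth FAIL user=alice ip=198.51.100.4
2017-11-20T10:04:30 auth FAIL user=alice ip=198.51.100.4
2017-11-20T10:05:00 auth OK user=alice ip=198.51.100.4
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse(lines):
    """Return (events, unparsed_count). Unparseable lines are counted rather
    than silently dropped: a jump in that count is itself worth an alert."""
    events, unparsed = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, unparsed

def flag_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Map each source IP that produced >= threshold failures inside a sliding
    window to the timestamp at which it crossed the threshold. Events must be
    in chronological order."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in events:
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged

def success_after_burst(events, flagged):
    """IPs that logged in successfully after being flagged: the first thing to
    investigate, because the guessing may have worked."""
    return sorted({
        ev["ip"] for ev in events
        if ev["result"] == "OK" and ev["ip"] in flagged and ev["ts"] >= flagged[ev["ip"]]
    })

if __name__ == "__main__":
    events, unparsed = parse(SAMPLE_LOG.splitlines())
    flagged = flag_bursts(events)
    print("flagged:", flagged, "| unparsed lines:", unparsed)
    print("successful login after burst:", success_after_burst(events, flagged))
```

The detection only works if login failures, including the source address and the targeted account, are written to a log that is retained and reviewed; that is the control this item is about, and the script is simply one consumer of it.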