The OWASP Top 10 is an overview of the types of vulnerabilities that security experts consider most critical for web applications. It is not a ready-made checklist and does not cover every type of vulnerability, but it does offer a good view of this complex subject. The Top 10 therefore forms a solid basis for the security tests we offer.

Broken Access Control (A1)

Restrictions on what a user may or may not do within an application are in many cases not enforced correctly. Attackers can abuse these flaws to gain access to functionality and/or data they are not authorized for, typically by changing an identifier in a URL or request, or by calling an administrative function directly.
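The following is an added example, not code from the original page, showing the most common form of this flaw: a lookup that only checks that someone is logged in, next to a version that checks ownership on every record and denies by default. The invoice table, the users and the roles ("customer", "admin") are constructed for the illustration.

```python
from dataclasses import dataclass


class Forbidden(PermissionError):
    """Raised when the caller may not perform the requested action."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # constructed roles for this example: "customer" or "admin"


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: {"owner_id": 1, "amount": 120.0},
    1002: {"owner_id": 2, "amount": 80.0},
}


def get_invoice_vulnerable(user: User, invoice_id: int) -> dict:
    # Only relies on the caller being authenticated: any customer can read any
    # invoice by changing the id in the request (insecure direct object reference).
    return INVOICES[invoice_id]


def is_allowed(user: User, action: str, invoice: dict) -> bool:
    # Deny by default: only the rules listed here grant access.
    if user.role == "admin":
        return True
    if action == "read":
        return invoice["owner_id"] == user.id
    return False


def get_invoice(user: User, invoice_id: int) -> dict:
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not is_allowed(user, "read", invoice):
        # One error for "does not exist" and "not yours", so ids cannot be enumerated.
        raise Forbidden(f"invoice {invoice_id} is not accessible")
    return invoice


def can_read_invoice(user: User, invoice_id: int) -> bool:
    """True/False wrapper around get_invoice for callers that do not want the exception."""
    try:
        get_invoice(user, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, bob, admin = User(1, "customer"), User(2, "customer"), User(99, "admin")
    print("vulnerable:", get_invoice_vulnerable(bob, 1001))  # bob reads alice's invoice
    print("safe:", can_read_invoice(bob, 1001), can_read_invoice(alice, 1001), can_read_invoice(admin, 1001))
```

The check lives next to the data access, not in the UI: hiding a link or a button is not an access control, because the request can always be replayed with a different identifier.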

Cryptographic Failures (A2)

Many applications and API endpoints do not adequately protect sensitive data, such as personal data, documents and credentials. Attackers can steal or alter such data for credit card fraud, identity theft or other crimes. Sensitive data therefore needs additional protection, such as encryption at rest and in transit or other specific precautions, on top of the application's ordinary controls.

Example OWASP Top-10 - A2: Cryptographic Failures

Injection (A3)

Injection vulnerabilities, such as SQL, OS command or LDAP injection, arise when untrusted data is sent to an interpreter as part of a command or query. An attacker can craft this data so that it executes unintended commands or exposes data without authorization. Since the 2021 edition, cross-site scripting (XSS) is also counted under this category.

Example OWASP Top-10 - A3: Injection (SQL)
Example OWASP Top-10 - A3: Injection (XSS)
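As an added example (not code from the original page), the SQL variant in its smallest form: a login query built by string concatenation, next to the same query with bound parameters. The in-memory SQLite table, the user names and the placeholder "hash" values are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table; the hash values are placeholders, not real password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # User input is spliced into the statement text, so quote characters and
    # comment markers in the input change the structure of the query.
    sql = ("SELECT id FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, password_hash))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password_hash):
    # Parameterised query: the statement text is fixed and the driver passes the
    # values separately, so they can only ever be compared as data.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "alice' --"  # closes the string literal, then comments out the password check
    print("vulnerable:", login_vulnerable(conn, payload, "anything"))  # 1: logged in as alice
    print("safe:      ", login_safe(conn, payload, "anything"))        # None
```

The payload `alice' --` turns the vulnerable statement into `... WHERE username = 'alice' --' AND password_hash = 'anything'`, so the password comparison is never evaluated. Escaping quotes by hand is a weaker fix than parameters, because every interpreter has its own set of meaningful characters; the same principle (keep code and data separate) applies to OS commands and LDAP filters.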

Insecure Design (A4)

Applications must be designed securely to avoid flaws. An insecure design cannot be remedied by a perfect implementation, because by definition the necessary security controls were never created to defend against specific attacks. Already during the design phase, developers should use threat modelling, secure design patterns and principles, and reference architectures.

Security Misconfiguration (A5)

Good security requires a correct configuration tailored to the application, frameworks, application server, web server, database server and platform. Security settings must be defined, implemented and maintained, because the defaults are often insecure. In addition, all software must be kept up to date.

Example OWASP Top-10 - A5: Security Misconfiguration
Example OWASP Top-10 - A5: Security Misconfiguration (XXE)

Vulnerable & Outdated Components (A6)

Components such as libraries, frameworks and other software modules usually run with the same privileges as the application itself. Running a vulnerable component can result in data loss or facilitate a server takeover. Components with known vulnerabilities undermine the security of the application and enable a variety of attacks.

Example OWASP Top-10 - A6: Vulnerable & Outdated Components

Identification and Authentication Failures (A7)

Authentication and session-management mechanisms are often implemented incorrectly, allowing attackers to assume the identity of other users.

Example OWASP Top-10 - A7: Identification & Authentication Failures

Software & Data Integrity Failures (A8)

Applications that rely on plugins, libraries or modules from untrusted sources, repositories and content delivery networks (CDNs) are at risk of integrity violations. An insecure CI/CD pipeline can lead to unauthorized access, malicious code or system compromise. Measures such as checking digital signatures are necessary to ensure that code and data come from a trusted source and have not been modified in transit.
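As an added example (not code from the original page), the CDN case in its browser form: Subresource Integrity pins a digest of a script, and the browser refuses to run the file if the fetched bytes differ. The functions below compute and verify such a pinned digest; they use a hash rather than a digital signature because the Python standard library has no asymmetric signature support, so this covers the "not modified in transit" half of the text, not the "trusted source" half. The script content is constructed for the illustration.

```python
import base64
import hashlib
import hmac

SUPPORTED = ("sha256", "sha384", "sha512")


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Compute a Subresource Integrity value ("sha384-<base64>") for a fetched file."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported algorithm {algo!r}")
    raw = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(raw).decode('ascii')}"


def verify_integrity(content: bytes, expected: str) -> bool:
    """True only if `content` matches the pinned digest; fails closed on any malformed input."""
    algo, sep, b64 = expected.partition("-")
    if not sep or algo not in SUPPORTED:
        return False
    try:
        expected_raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    actual = hashlib.new(algo, content).digest()
    # Constant-time comparison; a digest of the wrong length simply compares unequal.
    return hmac.compare_digest(actual, expected_raw)


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag a page would embed so the browser enforces the pin."""
    return (f'<script src="{src}" integrity="{sri_digest(content)}" '
            'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Constructed script content; imagine it was fetched from a CDN at build time.
    js = b"console.log('hello');"
    print(script_tag("https://cdn.example/app.js", js))
    print("unchanged :", verify_integrity(js, sri_digest(js)))                 # True
    print("tampered  :", verify_integrity(js + b"//injected", sri_digest(js)))  # False
```

The digest has to be computed from a copy you trust (for example at build time, stored in the repository) and then compared against every later fetch; computing it from whatever the CDN currently serves proves nothing. The same pattern, a pinned digest checked before use, is what package-manager lock files do for dependencies, and signature verification adds the origin check on top.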

Security Logging & Monitoring Failures (A9)

A lack of logging and monitoring can give attackers the time to dig deeper into a system and try to establish persistent access. On average, a breach is only detected after 200+ days. This gives attackers ample time to reach other systems as well and to read, modify or even delete stored data.

Server-Side Request Forgery (A10)

Fetching URLs is a common scenario within applications, but it can lead to problems when the URLs come from user input. Without any validation, it allows an attacker to make the application send a request to an unexpected destination, even when that destination is protected by a firewall, VPN or other network access controls (ACL), because the request originates from the application's own network position.
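As an added example (not code from the original page), a validation step an application can run before fetching a user-supplied URL: restrict the scheme, refuse embedded credentials, resolve the host name and reject every address that falls in loopback, private, link-local or carrier-grade NAT space (the cloud metadata endpoint at 169.254.169.254 is the classic target). The DNS table, host names and addresses are constructed so the example runs offline; a real deployment would pass a resolver backed by `socket.getaddrinfo`.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Address ranges an outbound fetch on behalf of a user must never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS data standing in for real resolution, so the example runs offline.
CONSTRUCTED_DNS = {
    "api.example.com": ["203.0.113.10"],
    "metadata.internal.test": ["169.254.169.254"],
    "attacker.example": ["203.0.113.20", "10.0.0.5"],  # one public and one internal record
}


class UnsafeURL(ValueError):
    pass


def constructed_resolver(host):
    """IP literals resolve to themselves; names are looked up in the constructed table."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return CONSTRUCTED_DNS.get(host, [])


def _blocked(ip):
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback in disguise
    return ip.is_multicast or ip.is_reserved or any(ip in net for net in BLOCKED_NETWORKS)


def validate_fetch_target(url, resolve=constructed_resolver):
    """Return (hostname, address to connect to) or raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs:
        raise UnsafeURL(f"cannot resolve {host!r}")
    # Every record must be acceptable: an attacker-controlled name can mix public and internal answers.
    for ip in addrs:
        if _blocked(ip):
            raise UnsafeURL(f"{host} resolves to disallowed address {ip}")
    # Connect to the address that was checked, not to a fresh lookup (DNS rebinding).
    return host, str(addrs[0])


def is_safe_fetch_target(url, resolve=constructed_resolver):
    try:
        validate_fetch_target(url, resolve)
        return True
    except UnsafeURL:
        return False


if __name__ == "__main__":
    for u in ("https://api.example.com/report", "http://169.254.169.254/latest/meta-data/",
              "http://metadata.internal.test/", "https://attacker.example/", "file:///etc/passwd"):
        print(f"{is_safe_fetch_target(u)!s:5}  {u}")
```

Two caveats a practitioner will want: the HTTP client must actually connect to the returned address (or re-run the check inside the connection hook) and must re-validate every redirect target, otherwise the attacker simply points a public host at an internal one after the check. Where the set of legitimate destinations is known, an allow list of hosts is simpler and stronger than this deny list.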