The OWASP Top 10 is an overview of the categories of vulnerabilities that security experts consider most critical for web applications. It is not a ready-made checklist and does not cover every type of vulnerability, but it does give a good overview of a complex subject. The Top 10 therefore forms a solid basis for the security tests we offer.

Injection (A1)

Injection vulnerabilities, such as SQL, OS command or LDAP injection, arise when untrusted data supplied by an attacker is sent to an interpreter as part of a command or query. The interpreter can then be tricked into executing unintended commands or returning data the attacker is not authorised to access.

Example OWASP Top 10 - A1: Injection

Broken Authentication (A2)

Authentication and session management functions are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens and assume the identity of other users.

Example OWASP Top 10 - A2: Broken Authentication

Sensitive Data Exposure (A3)

Many applications and API endpoints do not adequately protect sensitive data such as personal data, documents and credentials. Attackers can steal or modify poorly protected data to commit credit card fraud, identity theft or other crimes. Sensitive data needs extra protection, such as encryption at rest and in transit, and other precautions when it is exchanged with the browser.

Example OWASP Top 10 - A3: Sensitive Data Exposure
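Credentials are the most common piece of sensitive data an application stores, and storing them as an unsalted hash is one of the exposures this category covers. The following is an added example (not code from the original page; the scrypt parameters and the sample password are assumed values for the demo) that contrasts an unsalted SHA-256 fingerprint with salted, memory-hard password hashing using `hashlib.scrypt` and a constant-time comparison:

```python
import hashlib
import hmac
import os

# scrypt work factors assumed for this demo; raise N as your hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt$key' (hex fields) with a
    fresh random salt, so parameters can be upgraded later without breaking old records."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the key with the parameters stored in the record and compare in
    constant time. Malformed records are treated as a failed login, not an error."""
    try:
        algo, n, r, p, salt_hex, key_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


def insecure_fingerprint(password: str) -> str:
    """What NOT to do: unsalted, single-round SHA-256. Every user with the same
    password gets the same digest, so one precomputed table cracks them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo():
    pw = "correct horse battery staple"   # constructed sample password
    record_a, record_b = hash_password(pw), hash_password(pw)
    tampered = record_a[:-1] + ("0" if record_a[-1] != "0" else "1")
    return {
        "verify_correct": verify_password(pw, record_a),
        "verify_wrong": verify_password("Tr0ub4dor&3", record_a),
        "verify_tampered": verify_password(pw, tampered),
        "verify_garbage": verify_password(pw, "not-a-record"),
        # Same password twice: salted records differ, unsalted digests collide.
        "salted_records_differ": record_a != record_b,
        "unsalted_digests_collide": insecure_fingerprint(pw) == insecure_fingerprint(pw),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:25s} -> {value}")
```

Storing the work factors inside the record is what makes gradual migration possible: when N is raised, old records still verify, and can be re-hashed on the user's next successful login.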

XML External Entities (A4)

Outdated or poorly configured XML processors often allow external entities to be loaded. Attackers can abuse this to, for example, read local files, execute OS commands, or create denial-of-service conditions that make the system (temporarily) unusable.

Example OWASP Top 10 - A4: XML External Entities
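An added example of the local-file case (not code from the original page; the order document, the `file://` entity and the temporary "config" file are all constructed for the demo). It uses Python's expat-based `xml.sax` reader, where the `feature_external_ges` switch controls whether external general entities are resolved; the hardened setting has been the default since Python 3.7.1, and the first call below reproduces the older, misconfigured behaviour:

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects the character data of the document, i.e. what the application
    would go on to treat as the content of <item>."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def parse_order(xml_bytes, resolve_external_entities):
    """Parse with the stdlib SAX reader. feature_external_ges decides whether
    external general entities (the XXE vector) are fetched and expanded."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_payload(path):
    """Classic XXE document: an external entity pointing at a local file,
    referenced from inside an ordinary-looking element."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE order [\n'
        f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
        ']>\n'
        '<order><item>&xxe;</item></order>'
    ).encode("utf-8")


def demo():
    # Stand-in for a sensitive server-side file such as a config with credentials
    # (constructed for the demo, written to a temp file and removed afterwards).
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as f:
        f.write("db_password=hunter2")
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        return {
            "misconfigured": parse_order(payload, resolve_external_entities=True),
            "hardened": parse_order(payload, resolve_external_entities=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, item_text in demo().items():
        print(f"{mode:13s} -> <item> contains: {item_text!r}")
```

With entity resolution enabled the file contents end up inside `<item>` and would be echoed back in any response or error message that includes the order; with it disabled the entity expands to nothing. The same check applies to any XML library: find the option that disables DTDs or external entities and confirm it is off, rather than trusting the library's default.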

Broken Access Control (A5)

Restrictions on what an authenticated user is allowed to do are in many cases not correctly enforced. Attackers can exploit these flaws to access functionality and/or data they are not authorised for, such as other users' accounts or records.

Security Misconfiguration (A6)

Good security requires a correct configuration, tailored to the application, frameworks, application server, web server, database server and platform. Secure settings must be defined, implemented and maintained, because default configurations are often insecure. In addition, all software must be kept up to date and patched.

Example OWASP Top 10 - A6: Security Misconfiguration

Cross-Site Scripting (XSS) (A7)

XSS occurs when an application includes untrusted data in a page sent to the browser without proper validation or output encoding. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface websites or redirect the user to malicious sites.

Example OWASP Top 10 - A7: Cross-Site Scripting (XSS)
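An added example (not code from the original page; the page template, the three payloads and the detection oracle are constructed for the demo) showing why "filtering" is not enough and output encoding is the fix. Three renderers place the same input into element content and into a quoted attribute; the stdlib `html.parser` is then used to check whether the resulting page contains a `<script>` element or an inline `on*` event handler:

```python
import html
import re
from html.parser import HTMLParser

# Constructed attacker inputs for the demo (not from the page).
PAYLOADS = {
    "script": "<script>alert(document.cookie)</script>",
    "event": '<img src=x onerror="alert(1)">',          # no <script> tag at all
    "attr": '" autofocus onfocus="alert(1)',            # breaks out of a quoted attribute
}

# The fragment the application builds: input lands in element content and in an attribute.
TEMPLATE = '<p>Hello, {name}!</p><input name="q" value="{query}">'


def render_vulnerable(name, query):
    """User input dropped straight into the page: the browser parses it as markup."""
    return TEMPLATE.format(name=name, query=query)


def render_filtered(name, query):
    """A blocklist 'filter' that only strips <script> tags. Looks safe, is not:
    event-handler attributes and attribute break-outs pass straight through."""
    strip = lambda s: re.sub(r"(?is)<\s*/?\s*script[^>]*>", "", s)
    return TEMPLATE.format(name=strip(name), query=strip(query))


def render_safe(name, query):
    """Output encoding: html.escape(quote=True) turns < > & " ' into entities, so the
    input is rendered as text and cannot terminate the value="..." attribute."""
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           query=html.escape(query, quote=True))


class ScriptDetector(HTMLParser):
    """Oracle for the demo: parses the rendered page roughly as a browser would and
    records <script> elements and inline event-handler (on*) attributes."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for attr, _value in attrs:
            if attr.startswith("on"):
                self.findings.append(f"{attr} handler on <{tag}>")


def script_findings(page):
    detector = ScriptDetector()
    detector.feed(page)
    detector.close()
    return detector.findings


def demo():
    """For each renderer and payload: does the resulting page execute attacker script?"""
    result = {}
    for renderer in (render_vulnerable, render_filtered, render_safe):
        result[renderer.__name__] = {
            label: bool(script_findings(renderer(payload, payload)))
            for label, payload in PAYLOADS.items()
        }
    return result


if __name__ == "__main__":
    for renderer, outcome in demo().items():
        print(f"{renderer:18s} {outcome}")
```

The filtered renderer stops the one payload it was written for and nothing else, which is how most hand-rolled XSS filters fail in practice. Note that `html.escape` is the right encoder only for HTML element content and quoted attributes; data placed inside a `<script>` block, a URL or a CSS value needs the encoder for that context.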

Insecure Deserialization (A8)

Applications serialize objects before storing or transmitting them. Converting (deserializing) these objects back is often unsafe: if an application deserializes untrusted data, an attacker can supply a crafted object that executes code on the server. Even where that is not possible, deserialization flaws can be used for replay, privilege escalation and injection attacks.
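An added example (not code from the original page; the `Exploit` class, the session object and the allow-list are constructed for the demo) using Python's `pickle`, whose format can name arbitrary callables. The attacker-side object carries no state at all, only the instruction "call `eval` on this string when loaded"; the harmless expression stands in for a real command. Alongside it, two defences: an `Unpickler` that refuses every global not on an explicit allow-list, and a data-only format that cannot name code in the first place:

```python
import io
import json
import os
import pickle


class Exploit:
    """Attacker side: pickling this object stores 'call eval(<expression>)'.
    The victim never needs the class; the pickle only references builtins.eval."""
    def __init__(self, expression):
        self.expression = expression

    def __reduce__(self):
        return (eval, (self.expression,))


def build_payload(expression="__import__('os').getcwd()"):
    # Harmless stand-in for a real command: the point is that the victim
    # process runs attacker-chosen code during deserialisation.
    return pickle.dumps(Exploit(expression))


def deserialize_insecure(data):
    """Vulnerable: pickle.loads resolves and calls whatever the stream names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened: only an explicit allow-list of globals may be resolved.
    Plain containers (dict, list, str, int...) need no globals at all."""
    ALLOWED = {("builtins", "set"), ("builtins", "frozenset")}   # extend deliberately

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def deserialize_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def deserialize_json(data):
    """Preferred: a data-only format; validate the structure afterwards."""
    return json.loads(data)


LEGIT_SESSION = {"user": "alice", "role": "viewer"}   # constructed sample object


def demo():
    payload = build_payload()
    legit = pickle.dumps(LEGIT_SESSION)
    results = {
        # The victim's cwd is returned: attacker code ran inside pickle.loads().
        "insecure_runs_code": deserialize_insecure(payload) == os.getcwd(),
        "restricted_loads_legit": deserialize_restricted(legit) == LEGIT_SESSION,
        "json_roundtrip": deserialize_json(json.dumps(LEGIT_SESSION)) == LEGIT_SESSION,
    }
    try:
        deserialize_restricted(payload)
        results["restricted_blocks_payload"] = False
    except pickle.UnpicklingError:
        results["restricted_blocks_payload"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:25s} -> {value}")
```

The allow-list approach is a mitigation, not a cure: anything you add to `ALLOWED` becomes reachable by an attacker, and gadget chains built from permitted classes are a known problem in every serialization framework. Where the data crosses a trust boundary, prefer JSON or another format that carries data only, and sign or MAC the serialized blob if it must round-trip through the client.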

Using Components with Known Vulnerabilities (A9)

Components such as libraries, frameworks and other software modules run with the same privileges as the application itself. Exploiting a vulnerable component can result in data loss or facilitate a server takeover. Applications that use components with known vulnerabilities undermine their own defences and open the door to a wide range of attacks.

Example OWASP Top 10 - A9: Using Components with Known Vulnerabilities

Insufficient Logging & Monitoring (A10)

A lack of logging and monitoring gives attackers time to dig deeper into a system and try to establish persistent access. On average, a breach is only detected after more than 200 days. That gives attackers ample time to move on to other systems and to view, change or even delete stored data.
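Logging only helps if something reads it. As an added example (not code from the original page; the log line format and all addresses, users and timestamps are constructed for the demo), a small detector that runs two rules over authentication log lines with a sliding window per source address: repeated failures from one source, and the more urgent case of a successful login from a source that was just brute-forcing:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (format and data invented for the demo).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth FAIL user=admin src=203.0.113.7
2024-03-01T10:00:03Z auth FAIL user=root src=203.0.113.7
2024-03-01T10:00:04Z auth OK user=alice src=198.51.100.2
2024-03-01T10:00:05Z auth FAIL user=test src=203.0.113.7
2024-03-01T10:00:09Z auth FAIL user=guest src=203.0.113.7
2024-03-01T10:00:12Z auth FAIL user=oracle src=203.0.113.7
2024-03-01T10:00:15Z auth OK user=admin src=203.0.113.7
2024-03-01T10:02:00Z auth FAIL user=bob src=198.51.100.2
2024-03-01T10:09:00Z auth FAIL user=bob src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z auth (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, or None. Unparseable lines are
    skipped here; a real pipeline should count them, since a sudden drop in the
    parse rate (someone tampering with logging) is itself a signal."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Two detections with a sliding window per source address:
      - brute_force: `threshold` failed logins from one source within `window`
      - success_after_brute_force: a successful login from a source flagged
        within the last `window` (a likely guessed password; highest priority)"""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = {}                    # src -> time the brute_force alert fired
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, src = ev["ts"], ev["src"]
        if ev["result"] == "FAIL":
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()          # drop failures that fell out of the window
            if len(recent) >= threshold and src not in flagged:
                flagged[src] = ts
                alerts.append(("brute_force", src, ts.isoformat(), len(recent)))
        elif src in flagged and ts - flagged[src] <= window:
            alerts.append(("success_after_brute_force", src, ts.isoformat(), ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample the first source trips the threshold within eleven seconds and then logs in as `admin` three seconds later, which is the event that should page someone; the second source's two spread-out failures stay below the threshold. The same structure extends to other high-value events (privilege changes, access-control failures, input validation failures), which is why the logging guidance is to record them with enough context, user, source, target and outcome, for rules like these to run.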