OWASP Top 10 2017
The OWASP Top 10 is an overview of the types of vulnerabilities that security experts consider most critical for web applications. It is not a ready-made checklist and does not cover all types of vulnerabilities, but it does offer a good overview of this complex subject. The Top 10 therefore forms a solid basis for the security tests we offer.
Injection (A1)
Injection vulnerabilities, such as SQL, OS command, or LDAP injection, arise when unverified data supplied by an attacker is sent to an interpreter as part of a command or query. This data can cause unintended commands to be executed or provide unauthorized access to data.
Broken Authentication (A2)
Authentication control and session management mechanisms are often not properly implemented, allowing attackers to assume the identity of other users.
Sensitive Data Exposure (A3)
Many applications and API endpoints do not sufficiently protect sensitive data, such as personal data, documents and authentication data. Malicious actors can then steal or modify this data for credit card fraud, identity theft or other crimes. Sensitive data must be given additional protection through encryption or other special precautions.
XML External Entities (A4)
Outdated or poorly configured XML processors often allow the loading of external entities. Attackers can abuse this, for example, to gain access to local files, execute OS commands or create DoS conditions that make the system (temporarily) unusable.
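The mitigation for this class of issue is to parse XML with a processor that never honours DTDs or entity declarations. The following added example (not from the original page) uses only the Python standard library: expat screens the document first and aborts on any DOCTYPE or entity declaration, so the parser is never given the chance to resolve an external entity. The sample documents are constructed, and the `file:///placeholder/path` URI is a placeholder.

```python
"""Hardened XML loading that refuses DTDs and entity declarations.

A parser that never resolves external entities cannot be coaxed into reading
local files or contacting other hosts, which is the XXE mitigation."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or an entity."""


def _forbid(*_args):
    # Installed as an expat handler: any DOCTYPE or entity declaration aborts parsing.
    raise UnsafeXML("DOCTYPE and entity declarations are not accepted")


def parse_hardened(data: str) -> ET.Element:
    """Screen with expat first, then parse with ElementTree.

    Any DOCTYPE or entity declaration (internal or external) raises UnsafeXML
    before the document content is used."""
    screener = expat.ParserCreate()
    screener.StartDoctypeDeclHandler = _forbid
    screener.EntityDeclHandler = _forbid
    screener.Parse(data, True)  # raises UnsafeXML on the first declaration
    return ET.fromstring(data)


# Constructed sample inputs (not taken from the page).
BENIGN = "<order><item sku='A1'/></order>"
WITH_EXTERNAL_ENTITY = (
    '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    "<order>&ext;</order>"
)


def classify(data: str) -> str:
    """Return 'accepted' or 'rejected' for a document, for logging or tests."""
    try:
        parse_hardened(data)
        return "accepted"
    except UnsafeXML:
        return "rejected"


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("external entity", WITH_EXTERNAL_ENTITY)):
        print(f"{label}: {classify(doc)}")
```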
Broken Access Control (A5)
Restrictions on what a user may or may not do within an application are in many cases not correctly enforced. Attackers can exploit these flaws to access functionality and/or information without being authorized to do so.
Security Misconfiguration (A6)
Good security requires a correct configuration that is tailored to the application, frameworks, application server, web server, database server and platform. Security settings must be defined, implemented and maintained, because default settings are often insecure. In addition, all software must be kept up to date.
Cross-Site Scripting (XSS) (A7)
XSS occurs when an application sends untrusted data to a web browser without proper validation and/or encoding. XSS allows attackers to run scripts in the victim's browser, hijack user sessions, deface websites or redirect the user to other sites.
Insecure Deserialization (A8)
Applications serialize objects before storing or transmitting them. Deserializing these objects again is often unsafe and can be exploited to execute OS commands. In some cases it even makes the application vulnerable to other injection attacks.
Using Components with Known Vulnerabilities (A9)
Components such as libraries, frameworks and other software modules often run with the same privileges as the application. Running a vulnerable component can result in data loss or facilitate a server takeover. Components with known vulnerabilities undermine the security of the application and enable a variety of possible attacks.
Insufficient Logging & Monitoring (A10)
A lack of logging and monitoring gives attackers time to dig deeper into a system and attempt to gain persistent access. On average, a breach is only detected after 200+ days. This gives attackers ample time to reach other systems as well and to view, change or even delete stored data.