OWASP Top 10 2017
The final release of the OWASP Top 10, the list of the most critical web application security risks, has been published. The list is updated approximately every 3-4 years; this release addresses both current and emerging web application security issues.
The OWASP Top 10 is referenced by many standards, tools and organizations, including MITRE, PCI DSS, DISA, the FTC and many others, and is recognized worldwide as a methodology for assessing web application vulnerabilities. It reflects the most significant threats facing web applications today.
OWASP Top 10 2013
The list of the most dangerous risks (vulnerabilities) of web applications from 2013:
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
OWASP Top 10 2017
The list of the most dangerous risks (vulnerabilities) of web applications from 2017:
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Sensitive Data Exposure
- A4 XML External Entities (XXE)
- A5 Broken Access Control
- A6 Security Misconfiguration
- A7 Cross-Site Scripting (XSS)
- A8 Insecure Deserialization
- A9 Using Components with Known Vulnerabilities
- A10 Insufficient Logging and Monitoring
Changes
The new edition differs from the 2013 edition in several respects.
XSS dropped out of the top three, while Sensitive Data Exposure moved up from 6th place to 3rd; apparently the recent breaches and leaks were not without effect, and OWASP decided to focus attention on this problem.
A new category has been added: XML External Entities (XXE). An XXE injection is an attack against an application or preprocessor that parses XML input and resolves entity declarations supplied in the document's DTD.
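The defensive side of the XXE category, as an added example that is not part of the original article or of OWASP's own material: a parser built on Python's standard-library expat bindings that refuses any DOCTYPE or entity declaration before an external entity can be resolved. The two XML documents (a benign order and one carrying a DTD with a SYSTEM entity pointing at a placeholder path) are constructed for the example.

```python
import xml.parsers.expat


class DtdRejected(ValueError):
    """Raised when the document declares a DTD or an entity."""


def parse_without_entities(xml_bytes: bytes) -> dict:
    """Parse XML, refusing any DOCTYPE or entity declaration.

    Returns a dict of element name -> concatenated text, or raises
    DtdRejected as soon as a DTD appears (XXE needs a DTD to declare
    the external entity, so refusing it closes the whole class).
    """
    parser = xml.parsers.expat.ParserCreate()
    found = {}
    stack = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed")

    def reject_entity(*args):
        raise DtdRejected("entity declaration not allowed")

    def start(name, attrs):
        stack.append(name)
        found.setdefault(name, "")

    def chars(data):
        if stack:
            found[stack[-1]] += data

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(xml_bytes, True)  # handler exceptions propagate out of Parse
    return found


# Constructed inputs: a benign document and one with an XXE-style DTD.
BENIGN = b"<order><item>widget</item><qty>2</qty></order>"
WITH_DTD = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
            b"<order><item>&ext;</item></order>")


def classify(xml_bytes: bytes) -> str:
    """Return 'ok' for cleanly parsed documents, 'rejected' for DTD/entities."""
    try:
        parse_without_entities(xml_bytes)
        return "ok"
    except DtdRejected:
        return "rejected"
```

The same refusal is what libraries such as defusedxml apply by default; the point is that the check happens at the DTD, before any entity value is ever fetched.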
Insecure Deserialization has also been added: such vulnerabilities can lead to remote code execution, privilege escalation and much more.
A category for insufficient logging and monitoring was added as well; according to OWASP, the average time to detect an incident is 200 (!) days.
Open redirects and CSRF dropped out of the ten most significant vulnerabilities. The overall direction of the changes in the OWASP list indicates a shift in priority of vulnerabilities and attack vectors from the client side to the server side.
→ OWASP Project
→ PDF version of OWASP Top 10 2017