OWASP 2010 top ten most critical web application security risks in 2024
The Open Web Application Security Project (OWASP) is a non-profit organization that provides guidance on how to develop and maintain secure software applications. OWASP is famous for its Top 10 list of web application security vulnerabilities, which lists the most important security risks affecting web applications.
The OWASP Top 10 list is based on community research and provides data on common vulnerabilities and exploits. It is revised every few years to reflect changes in the industry, such as how common certain attacks are, their business impact and the ease of exploitation. Even more importantly, the OWASP Top 10 describes each category of application security risk, shows developers how to avoid them in the first place, and provides best practices for remediating them if they already exist.

The first version of the OWASP Top 10 list was released in 2003. Subsequent updates were made in 2004, 2007, 2010, 2013, 2017, and 2021.

In this article we cover the following OWASP web application security risks:

The information below is based on the OWASP Top 10 list for 2021. Note that the OWASP Top 10 security risks are listed in order of importance, so A1 is considered the most severe security issue, A2 is next, and A10 is the least severe of the top 10.

A1. Broken Access Control

When access control is breached, an attacker can gain access to user accounts, admin panels, databases, servers, sensitive information, business-critical applications, and other sensitive assets. It can allow unauthorized users to modify privileges to their advantage, and perform destructive operations such as tampering with data or destroying it. OWASP recommends the following for mitigation:
A2. Cryptographic Failures

Cryptographic failures (formerly listed in the Top 10 as “sensitive data exposure”) moved from position 3 to 2. This category emphasizes encryption errors or lack of encryption that can lead to the exposure of sensitive data. OWASP recommends the following for mitigation:
A3. Injections

Injection is an attack against a website that exploits vulnerabilities in the database or another part of the operating environment. Most injection attacks rely on a web application’s inability to distinguish user inputs from its own code. The attacker can then run malicious code in the application context, gaining access to protected areas and sensitive data. Injection attacks might use structured query language (SQL) to retrieve information or perform a database operation that the attacker should not be allowed to perform. Other types of injection include command injection, which occurs at the operating system level, carriage return line feed (CRLF) injection, and lightweight directory access protocol (LDAP) injection. OWASP recommends the following for mitigation:
A4. Insecure Design

This is a new category introduced by OWASP in 2021. It focuses on design and architectural flaws. Avoiding them requires careful threat modeling, taking security into consideration at the software design stage, and using reference architectures. OWASP recommends the following for mitigation:
A5. Security Misconfigurations

Common setup issues, such as incorrect access control configuration, can allow attackers to quickly and easily gain access to sensitive data and application functions. These include inappropriate permissions, unnecessary feature activation, use of default accounts and passwords, misconfigured HTTP headers, and detailed error messages. OWASP recommends the following for mitigation:
A6. Vulnerable and Outdated Components

Most web applications use third-party components, either open source or proprietary. These components contain code that is outside the organization’s control, which can lead to undesirable outcomes like access control violations and injection attacks. A software component could be insecure, no longer supported by the software vendor, or in need of security updates. If the component contains vulnerabilities, this can compromise the entire application. Commonly used third-party components include application and web servers, operating systems, database management systems (DBMSs), APIs, open source libraries, and runtime environments. OWASP recommends the following for mitigation:
A7. Identification and Authentication Failures

Functions related to user authentication and session management, if not properly implemented, can expose user credentials, grant excessive privileges, or enable users to impersonate other identities. OWASP recommends the following for mitigation:
A8. Software and Data Integrity Failures

Data integrity is becoming a primary concern for software security. This is a new category introduced by OWASP in 2021, which focuses on the integrity of software updates, critical application data, and CI/CD pipelines. A software and data integrity failure occurs when any of these are tampered with by an attacker, and other components within the application do not verify their integrity. OWASP recommends the following for mitigation:
A9. Security Logging and Monitoring Failures

When suspicious behavior occurs in an application and logging and monitoring are not in place, security breaches are much more likely to be successful. This category focuses on identifying, escalating, and resolving security incidents. Detecting a breach is almost impossible without logging and monitoring. OWASP recommends the following for mitigation:
A10. Server-side Request Forgery (SSRF)

This category was added to the OWASP Top 10 list in 2021 because it was the top vulnerability voted in the OWASP Top 10 Community Survey. An SSRF vulnerability allows an attacker to access data on a remote resource based on an unauthenticated, custom URL. Even servers protected by a firewall or VPN can be vulnerable if they accept unvalidated user input. OWASP recommends the following for mitigation:
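The "unvalidated user input" in the paragraph above is usually a URL the server is asked to fetch. As an added example that is not part of the original article or of any OWASP tool, the function below validates such a URL before any request is made: it allows only http/https, rejects embedded credentials, rejects literal addresses that are not globally routable (loopback, private, link-local and reserved ranges, IPv6 included), and by default requires the host to be on an explicit allowlist. The allowlist hostnames are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist for this example: the only hosts the service is meant to fetch from.
ALLOWED_HOSTS = {"images.example.com", "api.example.com"}


def is_safe_fetch_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only for URLs the server should fetch on a user's behalf.

    Pass allowed_hosts=None to fall back to a deny-list of non-public addresses;
    an explicit allowlist is the stronger control and is the default here.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # rejects file://, gopher://, ftp:// and similar schemes
    if parts.username is not None or parts.password is not None:
        return False  # credentials in the URL invite user@host confusion
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return False
    # A literal IP address must be globally routable: no loopback, private,
    # link-local or reserved ranges (also covers IPv6 forms such as [::1]).
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not a literal address
    if ip is not None and not ip.is_global:
        return False
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    if port is not None and port not in (80, 443):
        return False  # keep outbound requests on the expected service ports
    return True
```

This check runs before DNS resolution, so a hostname that resolves to an internal address still needs to be caught at fetch time (resolve once, check the resulting address the same way, and connect to that address) and redirects must be re-validated hop by hop.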
Application Security with HackerOne

HackerOne and its community of ethical hackers are at the forefront of using OWASP to strengthen application security and make the Internet safer, referencing the OWASP Top 10 to prioritize their actions. Taking this approach one step further, the HackerOne Global Top 10 can enable application security teams to increase their effectiveness with timely insights, segmented by industry and fueled by exploitable findings submitted by ethical hackers. These findings are often new or found by innovative techniques and are unlikely to show up in the OWASP database. Combined, the OWASP and HackerOne exploit databases ensure that high-severity vulnerabilities are found and fixed before bad actors can do their work.