Do you stay safe against the OWASP Top 10?
  v1.0 Posted at 14/05/2016 4:41 AM by Tiago Araujo

The Open Web Application Security Project (OWASP) is a non-profit charity organization whose sole purpose is to enable other organizations to develop applications that can be trusted.  Their most prominent piece of literature is the OWASP Top 10 – a list of the most critical risks found in software.  It is a “living” list, which means it is updated as vulnerabilities become known and more or less common.

OWASP Top 10 2013

The current OWASP Top 10 states the following are the top risks for web applications today. Knowing and securing against these will give the biggest bang-for-buck in securing your website.

  • Injection: Being able to execute arbitrary SQL, LDAP or other code via your application
  • Broken authentication and session management: Exploiting weak login and session management.  See our other rules for better security
  • Cross-site scripting (XSS): Executing arbitrary JavaScript on a web page, often by reflecting unescaped user input
  • Insecure direct object references: Exposing internal implementation objects without proper access control
  • Security misconfiguration
  • Sensitive data exposure: Storing sensitive data in a way that can easily be retrieved and abused
  • Missing function level access control: Only applying access control to the UI, not when the secure section is accessed
  • Cross-Site Request Forgery (CSRF): Hijacking a user’s cookies to make requests on their behalf
  • Using components with known vulnerabilities
  • Unvalidated redirects and forwards: Redirecting from the current site to an untrusted 3rd party, which may allow phishing to occur
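
Two of the items above in runnable form, as an added example that is not part of the original rule: the injection and XSS entries, each shown as the vulnerable pattern beside its fix. The users table, the names in it and the sample inputs are constructed for this example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# Injection, vulnerable form: user input is pasted into the SQL text, so
# a quote in the input changes the meaning of the statement.
def find_user_vulnerable(conn, name):
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


# Injection, fixed form: a parameterised query passes the input as data;
# it can never become part of the SQL grammar.
def find_user_safe(conn, name):
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# XSS, vulnerable form: reflecting unescaped user input straight into HTML.
def greet_vulnerable(name):
    return f"<p>Hello, {name}</p>"


# XSS, fixed form: HTML-encode the input so the browser renders it as text.
def greet_safe(name):
    return f"<p>Hello, {html.escape(name)}</p>"


if __name__ == "__main__":
    conn = make_db()
    tautology = "x' OR '1'='1"          # constructed test input
    print(find_user_vulnerable(conn, tautology))  # returns every row
    print(find_user_safe(conn, tautology))        # returns no rows
    markup = "<script>alert(1)</script>"          # constructed test input
    print(greet_vulnerable(markup))               # tag survives intact
    print(greet_safe(markup))                     # tag is encoded as text
```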

Other Resources 

Protecting against these is a large topic in its own right.  There are plenty of resources with information on protecting against them, linked below:

  • Troy Hunt – Protecting your web apps from the tyranny of evil with OWASP 
    This video goes through the OWASP Top 10 in more detail, describing each risk, how to exploit it, and how to protect against it
  • OWASP Top 10 
    The OWASP home page is a little difficult to navigate but contains fantastic information on the risks and how to protect against them. Use the link above to get details on each of the vulnerabilities, with examples of attacks, “Cheat Sheets” for prevention, and risk/impact assessment.
