Do you stay safe against the OWASP Top 10?
14/05/2016 4:41 AM by
The Open Web Application Security Project (OWASP) is a non-profit charity organization whose sole purpose is to enable other organizations to develop applications that can be trusted. Their most prominent piece of literature is the OWASP Top 10 – a list of the most critical risks found in software. It is a “living” list, which means it is updated as vulnerabilities become known and more or less common.
OWASP Top 10 2013
The current OWASP Top 10 states the following are the top risks for web applications today. Knowing and securing against these will give the biggest bang-for-buck in securing your website.
- Injection: Being able to execute arbitrary SQL, LDAP or other code via your application
- Broken authentication and session management: Exploiting weak login and session management. See our other rules for better security
- Insecure direct object references: Exposing internal implementation objects without proper access control
- Security misconfiguration
- Sensitive data exposure: Storing sensitive data in a way that can easily be retrieved and abused
- Missing function level access control: Only applying access control in the UI, not on the server when the protected function is actually called
- Cross-Site Request Forgery (CSRF): Tricking a logged-in user’s browser into sending requests (carrying their cookies) on their behalf
- Using components with known vulnerabilities
- Unvalidated redirects and forwards: Redirecting from the current site to an untrusted third party, which may allow phishing to occur
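As an added illustration of the first item (Injection), not code from the original rule, the snippet below shows a user lookup written the vulnerable way beside the parameterised form. It uses an in-memory SQLite table seeded with constructed sample rows; the function names are hypothetical.

```python
import sqlite3

# Constructed sample data, not taken from the original page.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]


def make_db():
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable pattern: the untrusted value is spliced into the SQL text,
    so a quote character in the input becomes part of the query itself."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened pattern: the value is bound as a parameter and is only ever
    treated as data, whatever characters it contains."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against a legitimate awkward name and a crafted one."""
    conn = make_db()
    results = {}
    # A legitimate name with an apostrophe: the unsafe query is malformed.
    try:
        find_user_unsafe(conn, "o'brien")
        results["unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = find_user_safe(conn, "o'brien")
    # The same mechanism lets input rewrite the WHERE clause in the unsafe form;
    # the parameterised form just looks for a user with that literal name.
    crafted = "nobody' OR role = 'admin"
    results["unsafe_crafted"] = find_user_unsafe(conn, crafted)
    results["safe_crafted"] = find_user_safe(conn, crafted)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```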
Protecting against these is a large topic in its own right. There are plenty of resources with information on protecting against them, linked below:
- Troy Hunt – Protecting your web apps from the tyranny of evil with OWASP
This video goes through the OWASP Top 10 in more detail, describing each risk, how to exploit it, and how to protect against it
- OWASP Top 10
The OWASP home page is a little difficult to navigate but contains fantastic information on the risks and how to protect against them. Use the link above to get details on each of the vulnerabilities, with examples on attacking, “Cheat Sheets” for prevention and risk/impact assessment.