OWASP Top 10 – Breakdown

Article by • March 2, 2023



This blog is a breakdown of the OWASP Top 10 application security risks. The Top 10, developed by OWASP (Open Web Application Security Project), provides an up-to-date list of the most critical web application security risks that websites and applications must address.

1. Injection: Injection flaws occur when untrusted input, typically taken from a form field or request parameter, is passed to an interpreter in a way that lets attacker-supplied data be executed as part of a command or query. This type of attack is one of the most common and is particularly concerning because it can bypass authentication and authorisation controls.
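
As an added illustration (not code from the original post or from Pentest People), the Python snippet below puts the vulnerable string-building pattern beside the parameterised query that prevents SQL injection. It uses only Python's built-in sqlite3 module and a constructed in-memory users table; the table contents and function names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def find_user_unsafe(conn, username):
    """VULNERABLE: the untrusted value is spliced into the SQL text, so the
    database parses whatever the caller typed as part of the query."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """HARDENED: the query text is fixed and the value travels as a bound
    parameter, so quotes in the input are data, never SQL syntax."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(conn, username):
    """Run both lookups on the same input and report the results side by side;
    a syntax error from the unsafe version is reported as the string 'error'."""
    try:
        unsafe = find_user_unsafe(conn, username)
    except sqlite3.Error:
        unsafe = "error"
    return {"unsafe": unsafe, "safe": find_user_safe(conn, username)}


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing an apostrophe breaks the unsafe query
    # outright, while the parameterised query finds the row.
    print(compare(db, "o'brien"))
    # An input that closes the string literal changes the meaning of the
    # unsafe query (it now matches every row); the parameterised query
    # simply finds no user with that literal name.
    print(compare(db, "x' OR '1'='1"))
```

The apostrophe case is worth keeping in the test suite of a real application: it shows that parameterisation is a correctness fix as well as a security fix, which makes it easier to argue for in code review.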

2. Broken Authentication: Weak or broken authentication mechanisms allow attackers to gain unauthorised access to applications. Attackers can use a variety of techniques, such as guessing passwords and exploiting configuration errors, to gain access.
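
The following Python example is added here and is not part of the original post or of Pentest People's code. It shows two defences against the password guessing and credential handling failures described above: salted PBKDF2-HMAC-SHA256 password hashing compared in constant time, and a per-account lockout after repeated failures, with a dummy hash computed for unknown usernames so response time does not reveal which accounts exist. The lockout thresholds, the Authenticator class and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5              # consecutive failures before the account is locked
LOCKOUT_SECONDS = 900         # how long the lock lasts
DEFAULT_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Return (salt, digest). A fresh random salt per user means two users
    with the same password do not end up with the same stored hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, expected, iterations=DEFAULT_ITERATIONS):
    """Recompute the hash and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


class Authenticator:
    """Minimal credential store with per-account lockout.

    `now` is injectable so the lockout can be exercised without waiting."""

    def __init__(self, iterations=DEFAULT_ITERATIONS, now=time.time):
        self._iterations = iterations
        self._now = now
        self._users = {}     # username -> (salt, digest)
        self._failures = {}  # username -> (consecutive failures, locked_until)
        # Hashed for unknown usernames so that the time taken to answer does
        # not depend on whether the account exists.
        self._dummy = hash_password("placeholder", iterations=iterations)

    def register(self, username, password):
        self._users[username] = hash_password(password, iterations=self._iterations)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        now = self._now()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"          # refused even if the password is right
        salt, digest = self._users.get(username, self._dummy)
        valid = verify_password(password, salt, digest, self._iterations)
        if valid and username in self._users:
            self._failures.pop(username, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self._failures[username] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[username] = (count, 0.0)
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")
    print(auth.login("alice", "correct horse battery staple"))  # ok
    print(auth.login("alice", "guess"))                          # denied
```

A lockout on its own can be turned into a denial of service against legitimate users, so in practice it is combined with per-source rate limiting and multi-factor authentication rather than used alone.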

3. Sensitive Data Exposure: Applications often store sensitive data in unencrypted form, making it vulnerable to attack if accessed by unauthorised people. Attackers can leverage this information to steal identities, commit fraud, or launch other malicious activities.

4. XML External Entities (XXE): XXE is an attack in which a crafted XML document makes the application’s XML parser resolve entity references defined by the attacker, giving them access to data the parser can reach. By exploiting this vulnerability, attackers can gain access to the application’s internal structure, including sensitive configuration settings and user data.
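
As an added example (not code from the original post or from Pentest People), the Python snippet below parses untrusted XML while refusing any DOCTYPE, using only the standard library's expat bindings and ElementTree's TreeBuilder. Entity declarations, including SYSTEM ones that point at files or URLs, can only appear inside a DOCTYPE, so rejecting the DOCTYPE the moment the parser reports it prevents any entity from being defined or expanded. The assumption is that the application never needs DTDs from clients; the sample documents are constructed. For real projects the defusedxml package implements the same idea across the standard parsers.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD."""


def parse_untrusted_xml(data):
    """Parse bytes into an ElementTree element, refusing any DOCTYPE.

    expat calls StartDoctypeDeclHandler before it processes the internal
    subset, so raising there stops the parse before any ENTITY is defined."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted in untrusted XML")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


# Constructed sample inputs (not taken from any real application).
CLEAN_DOC = b"<order id='42'><item sku='A1' qty='2'/></order>"
# A DOCTYPE with an internal entity; an external (SYSTEM) entity would be
# declared in exactly the same place, so both are refused.
DTD_DOC = (b"<!DOCTYPE order [<!ENTITY greeting 'hello'>]>"
           b"<order><note>&greeting;</note></order>")


def is_rejected(data):
    """True if the parser refused the document because it carried a DTD."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    print(parse_untrusted_xml(CLEAN_DOC).tag)  # order
    print(is_rejected(DTD_DOC))                 # True
```

Rejecting the whole DOCTYPE is deliberately coarse: it also blocks internal entity expansion attacks ("billion laughs"), and it is far easier to audit than a parser configuration that tries to allow some entity types and not others.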

5. Broken Access Control: Access control flaws allow attackers to bypass authentication and authorisation mechanisms, allowing them to access restricted data and features. Attackers can also use these flaws to modify or delete sensitive information.
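
The following Python example is added here and is not code from the original post or from Pentest People. It shows the object-level authorisation check whose absence lets an authenticated user read or modify records that belong to someone else, with a central deny-by-default policy function covering both reading and deleting. The User and Invoice records, the policy rules and the constructed sample data are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: float


# Constructed records (not real data).
INVOICES = {
    101: Invoice(101, owner_id=1, total=120.0),
    102: Invoice(102, owner_id=2, total=75.5),
}


class NotFound(Exception):
    pass


def get_invoice_unsafe(current_user, invoice_id):
    """VULNERABLE: the caller is authenticated, but nothing checks that this
    user may see *this* invoice, so any logged-in user can read any id."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise NotFound(invoice_id)
    return invoice


def is_allowed(user, action, invoice):
    """Central, deny-by-default policy: ownership decides 'read', only
    admins may 'delete', and any action not listed is refused."""
    if action == "read":
        return user.role == "admin" or invoice.owner_id == user.id
    if action == "delete":
        return user.role == "admin"
    return False


def get_invoice(current_user, invoice_id):
    """HARDENED: authorisation is checked against the record itself.

    A record that exists but belongs to someone else is reported exactly like
    one that does not exist, so responses cannot be used to enumerate ids."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or not is_allowed(current_user, "read", invoice):
        raise NotFound(invoice_id)
    return invoice


def can_delete(current_user, invoice_id):
    invoice = INVOICES.get(invoice_id)
    return invoice is not None and is_allowed(current_user, "delete", invoice)


def try_read(current_user, invoice_id, fn=get_invoice):
    """Return the invoice total, or None when access is refused."""
    try:
        return fn(current_user, invoice_id).total
    except NotFound:
        return None


if __name__ == "__main__":
    bob = User(id=2, role="user")
    print(try_read(bob, 101, fn=get_invoice_unsafe))  # 120.0: someone else's invoice
    print(try_read(bob, 101))                         # None: refused
```

Keeping the rules in one function such as is_allowed, rather than scattered across handlers, is what makes it practical to test the policy exhaustively and to spot a handler that forgot to call it.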

6. Security Misconfiguration: Security misconfigurations are a common problem in web applications and can be exploited by attackers to gain unauthorised access to the application’s resources or functions.

7. Cross-Site Scripting (XSS): XSS is an attack that allows attackers to execute malicious JavaScript code in other users’ browsers by injecting it into a website or application through user input that is rendered into a page without proper encoding. This type of attack is particularly concerning because it can bypass authentication and authorisation controls, allowing attackers to access sensitive information or modify data.
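
As an added example (not code from the original post or from Pentest People), the Python snippet below shows the unencoded rendering that creates a stored XSS beside the output-encoded version, using the standard library's html.escape. It also covers the href attribute context, where encoding alone is not enough and a scheme allow-list is needed. The comment and link rendering functions, and the decision to allow only absolute http and https URLs, are assumptions made for the example.

```python
import html
from urllib.parse import urlsplit


def render_comment_unsafe(author, body):
    """VULNERABLE: untrusted text is concatenated straight into the page, so
    any markup in it is interpreted by the browser as part of the document."""
    return '<div class="comment"><b>' + author + "</b>: " + body + "</div>"


def render_comment(author, body):
    """HARDENED: output-encode for the HTML text context. quote=True also
    encodes both quote characters, so the same call is safe inside quoted
    attribute values."""
    return ('<div class="comment"><b>' + html.escape(author, quote=True)
            + "</b>: " + html.escape(body, quote=True) + "</div>")


def render_link(label, url):
    """Attribute context needs escaping *and* a scheme allow-list: escaping
    leaves a javascript: URL intact and the browser would run it. Anything
    that is not an absolute http(s) URL is replaced with a harmless '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"
    return ('<a href="' + html.escape(url, quote=True) + '">'
            + html.escape(label, quote=True) + "</a>")


def contains_raw_tag(rendered, tag):
    """True if a literal <tag ...> survived into the rendered output."""
    return ("<" + tag.lower()) in rendered.lower()


if __name__ == "__main__":
    body = "<script>alert(1)</script>"
    print(render_comment_unsafe("eve", body))  # script tag reaches the browser
    print(render_comment("eve", body))         # rendered as visible text
    print(render_link("home", "javascript:alert(1)"))  # href="#"
```

Encoding has to match the context the value lands in: html.escape is right for element text and quoted attributes, but a value placed inside a script block, a CSS rule or a URL path needs that context's own encoding, which is why templating engines with contextual auto-escaping are the usual recommendation.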

8. Insecure Deserialisation: Insecure deserialisation is a type of attack in which an attacker manipulates the serialised data exchanged between components of the application so that, when it is deserialised, it creates or alters objects in the application’s memory. This type of attack is particularly dangerous because it can bypass authentication and authorisation controls, allowing attackers to access sensitive data or execute arbitrary code.
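
The following Python example is added here and is not code from the original post or from Pentest People. It shows why a native object serialiser such as pickle is dangerous on untrusted input (the payload names a class or callable and the loader resolves and invokes it) and two defences: the RestrictedUnpickler pattern from the Python pickle documentation, which refuses to resolve globals outside a small allow-list, and using a data-only format such as JSON instead. The Job class, the allow-list and the helper functions are assumptions made for the example.

```python
import builtins
import io
import json
import pickle


class Job:
    """An ordinary application class. Pickling an instance records the class's
    module and name, which the loader must look up (find_class) on the way
    back in; that lookup is where arbitrary code gets pulled in."""

    def __init__(self, name):
        self.name = name


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup except a tiny allow-list.

    Object-constructing pickles work by naming a callable to invoke; denying
    the lookup denies the call. The allow-list here is an assumption."""

    SAFE_BUILTINS = {"set", "frozenset", "range", "slice"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("global '%s.%s' is forbidden" % (module, name))


def restricted_loads(data):
    """Load a pickle while only allowing plain data structures."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_untrusted(text):
    """Preferred: a data-only format. JSON cannot name code to run, so the
    worst a hostile payload can do is be malformed."""
    return json.loads(text)


def pickled(obj):
    """Serialise with the default protocol (helper so tests need no pickle import)."""
    return pickle.dumps(obj)


def is_rejected(data):
    """True if the restricted loader refused the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(restricted_loads(pickled({"id": 7, "tags": ["a", "b"]})))  # plain data loads
    print(is_rejected(pickled(Job("nightly"))))                      # True: class lookup refused
```

Note that the unrestricted pickle.loads call happily rebuilds the Job instance; the restricted loader rejects the very same bytes because it will not resolve the class name. That asymmetry is the whole defence, and it is why a format that cannot express "call this" is the better default for anything crossing a trust boundary.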

9. Using Components with Known Vulnerabilities: Applications often rely on third-party components that may contain known security vulnerabilities. Attackers can exploit these vulnerabilities to gain unauthorised access to the application’s resources or functions.

10. Insufficient Logging & Monitoring: Insufficient logging and monitoring makes it difficult to detect malicious activity within an application. Without sufficient logging and monitoring, attackers can remain undetected as they gain access to the application’s resources or functions.
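
As an added example (not code from the original post or from Pentest People), the Python snippet below shows the kind of detection that adequate logging makes possible: it parses authentication events and raises an alert when one source address accumulates repeated failed logins within a time window, regardless of which accounts were tried, so spreading guesses across many users does not hide the activity. The log format, the sample lines (constructed, using RFC 5737 documentation addresses) and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
2023-03-02T10:00:01 INFO auth: login_failed user=alice ip=203.0.113.10
2023-03-02T10:00:09 INFO auth: login_failed user=bob ip=203.0.113.10
2023-03-02T10:00:15 INFO auth: login_ok user=carol ip=198.51.100.7
2023-03-02T10:00:22 INFO auth: login_failed user=carol ip=203.0.113.10
2023-03-02T10:00:31 INFO auth: login_failed user=dave ip=203.0.113.10
2023-03-02T10:00:40 INFO auth: login_failed user=erin ip=198.51.100.7
2023-03-02T10:00:47 INFO auth: login_failed user=erin ip=203.0.113.10
2023-03-02T10:00:55 INFO auth: login_failed user=frank ip=203.0.113.10
2023-03-02T10:01:03 INFO auth: login_ok user=erin ip=198.51.100.7
"""

# Assumed log format: ISO timestamp, level, "auth:" prefix, event, user, ip.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) auth: (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_password_guessing(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP reaches `threshold` failed logins inside a
    sliding `window`. Returns (ip, time_of_alert, users_seen_so_far) tuples;
    an alert fires once when the count reaches the threshold, not on every
    further failure."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    users = defaultdict(set)     # ip -> usernames it has tried
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != "login_failed":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        users[rec["ip"]].add(rec["user"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) == threshold:
            alerts.append((rec["ip"], rec["ts"], sorted(users[rec["ip"]])))
    return alerts


if __name__ == "__main__":
    for ip, when, tried in detect_password_guessing(SAMPLE_LOG.splitlines()):
        print("ALERT %s: %d failed logins by %s, accounts tried: %s"
              % (when.isoformat(), 5, ip, ", ".join(tried)))
```

None of this is possible if the application only logs successful logins, or logs failures without the source address and the account name; deciding which fields every security-relevant event must carry is the logging half of this item, and the detection above is the monitoring half.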

To read more in depth about each of the OWASP Top 10, check out our other blogs.

In this TechBite episode below, our consultants discuss the OWASP Top 10.


Lewis is the Marketing Manager here at Pentest People, handling our brand identity, event planning and all promotional aspects of the business.