OWASP Top 10

The Open Web Application Security Project (OWASP) is a non-profit providing unbiased information on application security.

The OWASP Top 10 is a consensus-based report on the top 10 application security issues. Its goal is to raise awareness about application security issues so that organizations can implement effective programs and practices to reduce security risks.

2017 OWASP Top 10: Release Candidate

The 2017 version of the OWASP Top 10 is an update of the 2013 OWASP Top 10. It factors in security issues generated by the rapid adoption of new technologies (cloud, containers, APIs), automated software development processes, proliferation of third-party libraries and frameworks, and evolution of attack vectors.

Although the 2017 OWASP Top 10 will not be finalized until November 2017, the table below provides a summary of the draft version.

Rank / Security Risk / Attacker Will… / Attack Impact

1. Injection
   Attacker will: send untrusted, text-based data to exploit the syntax of a targeted interpreter via:
   • SQL, LDAP, XPath, or NoSQL queries
   • OS commands
   • XML parsers
   • SMTP headers
   • Expression languages
   Attack impact:
   • Corruption or loss of data
   • Access denial
   • Host takeover

2. Broken Authentication and Session Management
   Attacker will: use leaks or flaws in authentication or session management, such as exposed:
   • Accounts
   • Passwords
   • Session IDs
   Attack impact:
   • Hijack credentials granted to an authorized user
   • Impersonate an authorized user
   Note: privileged users are often targeted.

3. Cross-Site Scripting
   Attacker will: send untrusted, text-based scripts via user-supplied input that is automatically added to HTML output and executed by the victim’s browser unless the HTML output uses context-sensitive escaping.
   Attack impact:
   • Hijack user session or browser
   • Deface websites
   • Insert malicious content
   • Redirect users to malicious sites

4. Broken Access Control
   Attacker will: change a parameter value to reach a resource he/she is not authorized to access.
   Attack impact:
   • Compromise accessed functionality or data
   • Exfiltrate data

5. Security Misconfiguration
   Attacker will: access default accounts, unused pages, unpatched flaws, unprotected files and directories.
   Attack impact:
   • Unauthorized access to functionality or data
   • Compromise functionality or data

6. Sensitive Data Exposure
   Attacker will:
   • Steal authorized user credentials
   • Conduct man-in-the-middle attacks
   • Steal clear-text data off the server, while in transit, or from the user’s browser
   Attack impact:
   • Compromise integrity and privacy of sensitive data

7. Insufficient Attack Protection
   Attacker will:
   • Scan and probe for detection and prevention weaknesses in applications and APIs
   • Exploit discovered weaknesses
   Attack impact:
   • Compromise functionality and data

8. Cross-Site Request Forgery
   Attacker will: create forged HTTP requests and trick the user into submitting them via:
   • Image tags
   • Iframes
   • Cross-site scripting
   • Other techniques
   Attack impact: trick the user into making state changes such as:
   • Updating an account
   • Making purchases
   • Modifying data

9. Using Components with Known Vulnerabilities
   Attacker will:
   • Scan and probe for weak components
   • Exploit discovered weaknesses
   Attack impact:
   • Injection
   • Broken access control
   • Cross-site scripting
   • Sensitive data exposure

10. Underprotected APIs
   Attacker will: reverse engineer APIs by:
   • Examining client code
   • Monitoring communications
   Attack impact:
   • Data compromise, theft, or destruction
   • Unauthorized access
   • Host takeover
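As an added illustration of the first row (not code from the Imperva page or from OWASP), the following Python uses the standard sqlite3 module on a constructed in-memory table to show how untrusted text reaches the interpreter's syntax: a name containing an apostrophe breaks a string-concatenated query, while the parameterized form keeps the same value as data.

```python
import sqlite3

# Constructed sample data for this example; not from the original page.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def build_db():
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable pattern: the untrusted value is spliced into the SQL text,
    so any quote or keyword in it becomes part of the query's syntax."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened pattern: the driver binds the value separately from the SQL,
    so it can never be parsed as syntax, whatever characters it contains."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def run_demo(name="O'Brien"):
    """Return (parameterized result, True if concatenation broke the query)."""
    conn = build_db()
    safe_result = lookup_parameterized(conn, name)
    try:
        lookup_concatenated(conn, name)
        broke_syntax = False
    except sqlite3.OperationalError:
        # The stray apostrophe left SQLite with an unterminated string literal.
        broke_syntax = True
    return safe_result, broke_syntax


if __name__ == "__main__":
    print(run_demo())  # (['obrien@example.com'], True)
```

The same apostrophe that is harmless as a bound parameter is already a syntax error when concatenated, which is the property an injection attack builds on; binding parameters (or the equivalent escaping API for LDAP, XPath, shell and XML) is the mitigation.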

Learn how Imperva solutions can help you discover and reduce OWASP-identified security issues.
