The OWASP (Open Web Application Security Project) is an open community dedicated to supporting the development and maintenance of secure Web Applications. The tools and documents OWASP publishes are very valuable to developers, QA folks, security professionals, and anyone who takes Web Application security seriously. In particular, the OWASP Top 10 project highlights the vulnerabilities most commonly found in Web Applications, so that you can pay special attention to them.
Here are the main improvements and changes in the 2013 edition that you should be aware of if you use the OWASP list as part of your Web Application testing strategy:
- “Cross-Site Scripting (XSS)” moved down from second to third place, while “Cross-Site Request Forgery” fell from fifth to eighth place, potentially evidencing more mature coding practices in these areas.
- “Broken Authentication and Session Management” took over the second place that XSS vacated, moving up from third to second as it has gained relevance in the past few years.
- One important introduction is the 2013-A9 category. Prior to this edition, a vulnerable third-party component was treated as a “Security Misconfiguration” finding. From now on, buggy third-party components and add-ons have their own category, officially titled “Using Components with Known Vulnerabilities”.
- A new category, “Sensitive Data Exposure”, consolidates the two old categories “Insecure Cryptographic Storage” and “Insufficient Transport Layer Protection”, which no longer appear as separate entries, and also covers browser-side exposure of sensitive data. In summary, the new category spans both data-at-rest and data-in-transit weaknesses.
- Finally, the old “Failure to Restrict URL Access” category was not only renamed but also broadened: it now covers flaws in how application functions are access-controlled, whatever the path by which they are invoked, rather than only direct URL requests. The new category is named “Missing Function Level Access Control”.
Need help with Web Application testing? Core Impact Pro offers the most comprehensive web application penetration testing capabilities available in one solution.
All in all, the new OWASP Top 10 list is as follows:
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards
The OWASP Top 10 project is an excellent tool that provides insight into the ten most critical Web Application vulnerabilities. Using these guidelines to drive Web Application security assessments has become standard practice. For example, Core Impact has provided OWASP Top 10 support since version 12, which was released a few years ago (http://www.coresecurity.com/core-impact-pro-v12-new-features-overview). Although the Top 10 is a good starting point, it is an awareness document rather than a complete test plan, so you should seriously consider going beyond it by applying a comprehensive Web Application security assessment approach.
I would encourage you to read the full document published by the OWASP folks, available at owasptop10.googlecode.com/files/OWASP Top 10 - 2013.pdf.
Congratulations to all those that contributed to this updated Top 10 list.
Flavio de Cristofaro – Vice President of Engineering for Professional Products