
OWASP Top 10 2017


OWASP has published the final release of its Top 10, the list of the most critical security risks to web applications. The list is updated roughly every 3-4 years, and this release reflects both current and emerging web application security problems.

The OWASP Top 10 project is referenced by many standards, tools and organizations, including MITRE, PCI DSS, DISA, the FTC and many others. It is a recognized worldwide baseline for assessing web application vulnerabilities and reflects the most significant threats to a web application.

OWASP Top 10 2013


The list of the most dangerous risks (vulnerabilities) of web applications from 2013 (the original embedded it as an image; reproduced here from the OWASP release):

A1. Injection
A2. Broken Authentication and Session Management
A3. Cross-Site Scripting (XSS)
A4. Insecure Direct Object References
A5. Security Misconfiguration
A6. Sensitive Data Exposure
A7. Missing Function Level Access Control
A8. Cross-Site Request Forgery (CSRF)
A9. Using Components with Known Vulnerabilities
A10. Unvalidated Redirects and Forwards

OWASP Top 10 2017


The list of the most dangerous risks (vulnerabilities) of web applications from 2017 (the original embedded it as an image; reproduced here from the OWASP release):

A1. Injection
A2. Broken Authentication
A3. Sensitive Data Exposure
A4. XML External Entities (XXE)
A5. Broken Access Control
A6. Security Misconfiguration
A7. Cross-Site Scripting (XSS)
A8. Insecure Deserialization
A9. Using Components with Known Vulnerabilities
A10. Insufficient Logging & Monitoring


Changes


Compared with the 2013 edition, the new list differs in several places.



XSS dropped out of the top three (from A3 to A7), while Sensitive Data Exposure moved up into it from sixth place (A6 to A3). Evidently the recent high-profile leaks and breaches were not in vain, and OWASP decided to put the focus on this problem.

A new category was added: XML External Entities (XXE). An XXE injection targets an application or preprocessor that parses XML input: a document that declares an external entity (for example, one pointing at a local file or an internal URL) makes the parser resolve it, so an attacker can read files from the server, reach internal services or exhaust the parser's resources.
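The following is an added example for this page, not code from the original article or from OWASP: it shows the vulnerable parser configuration next to the hardened one using only Python's standard library (xml.sax on top of expat). The payload, the "secret" file it points at and the Order document are all constructed here; before Python 3.7.1 the vulnerable behaviour shown with resolve_external_entities=True was the default of xml.sax.

```python
"""XXE (XML External Entity) injection: vulnerable and hardened xml.sax parser
configuration side by side. Added example, not from the original article."""
import os
import tempfile
import xml.sax
from io import StringIO
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data of every element, i.e. the values the
    application would go on to use (or echo back to the attacker)."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def characters(self, content):
        self._parts.append(content)

    def text(self):
        return "".join(self._parts)


def parse_untrusted_xml(xml_text, resolve_external_entities):
    """Parse attacker-controlled XML and return its text content.

    resolve_external_entities=True reproduces the vulnerable configuration
    (the xml.sax default before Python 3.7.1); False is the hardened one:
    the parser then ignores external general entities instead of fetching them.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(StringIO(xml_text))
    return handler.text()


def build_xxe_payload(target_file):
    """Constructed attacker payload: the DOCTYPE declares an external entity
    pointing at a local file, and a normal-looking field references it.
    In a real attack the target would be something like /etc/passwd."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE order [\n'
        f'  <!ENTITY xxe SYSTEM "{Path(target_file).as_uri()}">\n'
        ']>\n'
        '<order><customer>&xxe;</customer></order>'
    )


def run_xxe_demo():
    """Returns (vulnerable_output, hardened_output) for the same payload."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("db_password=hunter2")  # constructed "sensitive" file
        payload = build_xxe_payload(secret_path)
        leaked = parse_untrusted_xml(payload, resolve_external_entities=True)
        safe = parse_untrusted_xml(payload, resolve_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = run_xxe_demo()
    print("vulnerable parser:", repr(leaked))  # file contents land in <customer>
    print("hardened parser:  ", repr(safe))    # entity is silently dropped
```

The hardened variant is the minimum; in practice also disable DTD processing altogether where the parser allows it (or use defusedxml), because the same entity mechanism enables the "billion laughs" expansion attack and SSRF through http:// system identifiers even when no file is read.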

Insecure Deserialization was also added as a category: such flaws can lead to remote code execution, privilege escalation and much more.
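The following is an added example for this page, not code from the original article or from OWASP: a Python pickle payload that executes a command the moment it is loaded, next to a restricted unpickler that rejects it. The Order and Exploit classes, the "echo pwned" command and the whitelist are constructed for the demonstration.

```python
"""Insecure deserialization with pickle: a payload that runs a command when
loaded, beside a restricted unpickler that refuses anything outside a
whitelist. Added example, not from the original article."""
import io
import pickle
import subprocess


class Order:
    """Harmless application object the service expects to receive."""

    def __init__(self, order_id, total):
        self.order_id = order_id
        self.total = total


class Exploit:
    """Attacker-controlled object. pickle serialises the result of
    __reduce__, so whoever loads the bytes calls the named callable with
    these arguments: here a harmless 'echo', but it could just as well be
    os.system with a reverse shell."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned"],))


def vulnerable_load(blob):
    """What the vulnerable service does: trust the bytes completely."""
    return pickle.loads(blob)


# Only the classes the service genuinely expects, resolved from a fixed table
# rather than by importing whatever module name the payload asks for.
SAFE_CLASSES = {(Order.__module__, Order.__qualname__): Order}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: every global reference in the stream goes through
    find_class, so rejecting unknown (module, name) pairs keeps the attacker
    away from subprocess, os, builtins and friends."""

    def find_class(self, module, name):
        try:
            return SAFE_CLASSES[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"refusing to load global {module}.{name}") from None


def hardened_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def run_pickle_demo():
    """Returns what each loader does with a legitimate and a malicious blob."""
    legit_blob = pickle.dumps(Order("A-1001", 42.0))
    attack_blob = pickle.dumps(Exploit())  # built offline by the attacker
    results = {
        # the command runs inside loads(); its output becomes the "object"
        "vulnerable_attack": vulnerable_load(attack_blob),
        "hardened_legit": hardened_load(legit_blob).order_id,
    }
    try:
        hardened_load(attack_blob)
        results["hardened_attack"] = "loaded (mitigation failed)"
    except pickle.UnpicklingError as exc:
        results["hardened_attack"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in run_pickle_demo().items():
        print(f"{key}: {value!r}")
```

The whitelist is a mitigation, not a cure: the real fix for untrusted input is a data-only format such as JSON with explicit schema validation, and the same applies to Java's ObjectInputStream, PHP's unserialize() and .NET's BinaryFormatter, which behave the same way.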

Insufficient Logging & Monitoring was added as well: according to OWASP, the average time to detect a breach is over 200 (!) days.

Unvalidated Redirects and Forwards and CSRF dropped out of the ten most significant risks. The general trend in the changes to the OWASP list is a shift of priority from client-side to server-side vulnerabilities and attack vectors.

OWASP project
PDF version of OWASP Top 10 2017

Source: https://habr.com/ru/post/342986/

