Open Web Application Security Project

OWASP stands for Open Web Application Security Project. It is an international non-profit organization dedicated to web application security. All of its materials are freely available through its website, which makes it possible for anyone to improve the security of their web applications. OWASP has listed the top 10 security risks, which are as follows:

1. Injection

This attack can happen when a user injects untrusted data into an application through a form input. If that input is not handled securely, the result may be an attack known as SQL injection, in which the attacker enters an SQL query instead of the expected form input in order to get hold of the data within.

2. Broken Authentication

If the login authentication system is faulty, attackers can easily gain access to the entire system through its admin login. They may try a list of available username/password combinations until they find a valid login.

3. Sensitive Data Exposure

Attackers are constantly on the lookout for sensitive data, especially financial information and passwords. If they get access to that data, it can easily be used for the attacker's monetary benefit.

4. XML External Entities (XXE)

This attack mainly targets web applications that accept XML input. That input may declare an external entity that references a resource outside the document, such as a file on the server's disk. An XML parser that resolves such entities can easily be duped into reading that resource and including its contents in the response, thereby passing sensitive data directly to the attacker.

5. Broken Access Control

In this type of attack, attackers bypass authorization checks and act as privileged users within a system that controls access to information.
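An added example, not from the page, of the most common form of this weakness: an endpoint that checks only that the caller is logged in beside one that also checks the caller is allowed to see the particular record. The invoice records, user roles and function names are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total: float


# Constructed sample records standing in for a database table.
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(id=1001, owner_id=1, total=120.0),  # belongs to user 1
    1002: Invoice(id=1002, owner_id=2, total=75.5),   # belongs to user 2
}


class Forbidden(Exception):
    """Raised when an authenticated caller is not authorized for the object."""


def get_invoice_vulnerable(current_user: User, invoice_id: int) -> Invoice:
    # Relies on the caller being logged in but never compares the record's owner
    # to the caller, so any authenticated user can read any invoice id they request.
    return INVOICES[invoice_id]


def get_invoice(current_user: User, invoice_id: int) -> Invoice:
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        raise KeyError(invoice_id)
    # Object-level authorization: the caller must own the record or hold the admin role.
    if current_user.role != "admin" and invoice.owner_id != current_user.id:
        raise Forbidden(f"user {current_user.id} may not read invoice {invoice_id}")
    return invoice


def can_read(current_user: User, invoice_id: int) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        get_invoice(current_user, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, bob, admin = User(1, "user"), User(2, "user"), User(99, "admin")
    print(get_invoice_vulnerable(bob, 1001))   # bob reads alice's invoice
    print(can_read(bob, 1001))                 # False with the check in place
    print(can_read(admin, 1001))               # True: admin role is allowed
```

The check belongs next to the data access, in a single place every code path goes through; an authorization rule that lives only in the UI or in a front controller is the one that gets bypassed.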

6. Security Misconfiguration

This mainly occurs when default configurations or settings are left in place, or when overly descriptive error messages are displayed that reveal the application's vulnerabilities to attackers.

7. Cross-site Scripting (XSS)

This kind of attack occurs when untrusted input, for example custom code added to a URL path or parameter, is written into a page without being escaped. The vulnerability can be used to run malicious JavaScript in the browsers of the users who view that page.
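The vulnerable and hardened forms of a server-side template, added as an example that is not part of the original page: a search results fragment that reflects the query parameter. Python's `html.escape` is used for the HTML text context; the function names and the crude markup check are assumptions for this example.

```python
from html import escape

PREFIX = "<p>Results for: "
SUFFIX = "</p>"


def render_vulnerable(query: str) -> str:
    # The untrusted value is dropped straight into the HTML, so any tags it
    # contains are parsed by the browser as markup rather than shown as text.
    return f"{PREFIX}{query}{SUFFIX}"


def render_safe(query: str) -> str:
    # Escaping &, <, >, " and ' turns the value into inert text in an HTML text
    # or attribute context. Other contexts (inside a <script> block, a URL, CSS)
    # need their own encoding rules, not this one.
    return f"{PREFIX}{escape(query, quote=True)}{SUFFIX}"


def contains_markup(fragment: str) -> bool:
    """Check used here only to show the difference: is any raw '<' or '>' left in
    the reflected part of the rendered fragment?"""
    body = fragment[len(PREFIX):-len(SUFFIX)]
    return "<" in body or ">" in body


if __name__ == "__main__":
    reflected = "<script>alert('x')</script>"
    print(render_vulnerable(reflected))  # browser would execute the script
    print(render_safe(reflected))        # shown literally as text
    print(render_safe("a & b"))
```

Escaping at output time, per context, is the defence; trying to blocklist dangerous substrings in the input is what leads to the bypasses that keep this category in the list.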

8. Insecure Deserialization

This attack mainly targets web applications that serialize and deserialize data, especially data received from untrusted sources.

9. Using Components with Known Vulnerabilities

This attack takes place through the components, such as libraries and frameworks, that web applications are built on; vulnerabilities in those components are exploited by attackers.

10. Insufficient Logging and Monitoring

Many data breaches go unnoticed for a long time, giving attackers sufficient time to cause serious damage before any response. Developers should therefore follow best practices for logging and monitoring, and also for incident response.
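An added example serving both the Broken Authentication item (the username/password list attempts described there) and this item: a small detector that runs over authentication log lines and raises an alert when one source address accumulates too many failed logins inside a sliding window. The log lines, their format, the threshold and the window are constructed for this example and are not from the page or any real system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Constructed authentication log lines (not from any real system), in time order.
LOG_LINES = [
    "2024-05-01T10:00:01Z login result=fail user=alice ip=203.0.113.5",
    "2024-05-01T10:00:05Z login result=fail user=alice ip=203.0.113.5",
    "2024-05-01T10:00:09Z login result=fail user=bob ip=203.0.113.5",
    "2024-05-01T10:00:12Z login result=fail user=carol ip=203.0.113.5",
    "2024-05-01T10:00:20Z login result=success user=dave ip=198.51.100.7",
    "2024-05-01T10:00:25Z login result=fail user=alice ip=203.0.113.5",
    "2024-05-01T10:00:30Z login result=fail user=alice ip=198.51.100.7",
    "2024-05-01T10:01:00Z login result=fail user=bob ip=203.0.113.5",
    "2024-05-01T10:02:00Z login result=fail user=alice ip=198.51.100.7",
]

LINE_RE = re.compile(r"^(\S+) login result=(\w+) user=(\S+) ip=(\S+)$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_failed_login_bursts(
    lines: Iterable[str],
    threshold: int = 5,
    window: timedelta = timedelta(minutes=5),
) -> Dict[str, datetime]:
    """Return {source_ip: time of the attempt that crossed the threshold}.

    Keeps, per source address, the timestamps of failed logins inside the
    sliding window; an alert fires the first time the count reaches the threshold.
    Lines are expected in chronological order.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, datetime] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip (and, in production, count it)
        ts, result, _user, ip = parsed
        if result != "fail":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, when in detect_failed_login_bursts(LOG_LINES).items():
        print(f"ALERT {when.isoformat()} repeated failed logins from {ip}")
```

The detector only works if the application logs every failed login with a timestamp, the account name and the source address; the same records are what an incident responder needs afterwards to scope which accounts were tried.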