From buffer overflows to SQL injection, attackers have many techniques at their disposal for attacking web applications, and new methods constantly emerge. Web application attacks can cost organizations significant time and money through expensive and embarrassing data breaches, which makes thorough defense strategies and defense mechanisms imperative for every organization.
The Open Web Application Security Project (OWASP) Top Ten represents the most critical web application security risks, as identified by web application security experts from around the world. Listed below are the ten risks in the 2013 edition, with brief descriptions of several of them, including the damage each may cause. More resources about these and other attacks can be obtained from www.owasp.org.
OWASP Top 10 Application Security Risks – 2013
A1 – Injection
A2 – Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
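The session-token half of this risk comes down to three things: tokens an attacker cannot predict, tokens the server forgets on its own schedule, and a fresh token at login so a value planted before authentication never becomes an authenticated session. The following is an added example (not OWASP's code and not from the original page) of a server-side session store that does all three; the 15-minute idle timeout, the in-memory table and the user names are assumptions for the illustration.

```python
import hashlib
import secrets
import time

SESSION_IDLE_TTL = 15 * 60   # seconds of idle time before a session is discarded; assumed for the example


class SessionStore:
    """Server-side session table keyed by a SHA-256 hash of the token.

    Storing only the hash means a leaked copy of the table (database dump,
    log line, backup) does not hand an attacker live session tokens.
    In-memory here; a real application would back this with a database or cache.
    """

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so idle expiry can be tested deterministically
        self._by_hash = {}        # sha256(token) -> {"user": ..., "last_seen": ...}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user=None):
        # 32 bytes from the OS CSPRNG. A counter, a timestamp or a hash of the
        # username would let an attacker predict or enumerate other users' tokens.
        token = secrets.token_urlsafe(32)
        self._by_hash[self._key(token)] = {"user": user, "last_seen": self._clock()}
        return token

    def user_for(self, token):
        """Return the user bound to a token, or None if it is unknown or idle-expired."""
        key = self._key(token)
        entry = self._by_hash.get(key)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > SESSION_IDLE_TTL:
            # Expire on the server; never rely on the browser to forget a cookie.
            del self._by_hash[key]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def login(self, user, presented_token=None):
        """Bind a brand-new token to the authenticated user.

        Whatever token the browser presented before login (possibly one an
        attacker planted, i.e. session fixation) is discarded rather than upgraded.
        """
        if presented_token is not None:
            self._by_hash.pop(self._key(presented_token), None)
        return self.create(user)

    def logout(self, token):
        self._by_hash.pop(self._key(token), None)


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()                 # pre-login session, e.g. a shopping cart
    authenticated = store.login("alice", presented_token=anonymous)
    print("old token still valid:", store.user_for(anonymous) is not None)   # False
    print("new token maps to:", store.user_for(authenticated))              # alice
```

The same rotation belongs anywhere privilege changes (password reset, role elevation), and the idle timeout should be paired with an absolute lifetime so a busy session still ends eventually.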
A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
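The distinction the paragraph draws is between what the UI renders and what the server enforces. The following added example (not OWASP's code and not from the original page) shows a request dispatcher with two "delete account" handlers: one that relies on the menu hiding the link from non-admins, and one that checks the role inside the handler so every request path hits it. The user/role table, the action names and the `Forbidden` exception are assumptions for the illustration.

```python
import functools


class Forbidden(Exception):
    """Raised when the requesting user lacks the role a function requires."""


# Constructed user/role table for the example; a real app reads this from its identity store.
USER_ROLES = {"alice": {"user"}, "bob": {"user", "admin"}}


def requires_role(role):
    """Enforce the role check inside the handler itself, independent of how the UI was rendered."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(user, **params):
            if role not in USER_ROLES.get(user, set()):
                raise Forbidden(f"{user!r} lacks role {role!r} for {fn.__name__}")
            return fn(user, **params)
        wrapper.required_role = role     # also lets the UI decide what to show
        return wrapper
    return decorator


@requires_role("user")
def view_profile(user):
    return f"profile of {user}"


@requires_role("admin")
def delete_account(user, target):
    return f"{target} deleted by {user}"


def delete_account_unchecked(user, target):
    """Vulnerable: the only 'control' is that the UI hides the link from non-admins."""
    return f"{target} deleted by {user}"


delete_account_unchecked.required_role = "admin"   # consulted by the UI only, never enforced

ACTIONS = {
    "view_profile": view_profile,
    "delete_account": delete_account,
    "delete_account_unchecked": delete_account_unchecked,
}


def menu_for(user):
    """Items the UI would render for this user. Both delete handlers look identical from here."""
    roles = USER_ROLES.get(user, set())
    return sorted(name for name, fn in ACTIONS.items() if fn.required_role in roles)


def dispatch(user, action, **params):
    """Route a request by action name, exactly as a forged request from an attacker arrives."""
    fn = ACTIONS.get(action)
    if fn is None:
        raise KeyError(action)
    return fn(user, **params)


def attempt(user, action, **params):
    """Run an action and report (allowed, result-or-reason) so the outcome is easy to inspect."""
    try:
        return True, dispatch(user, action, **params)
    except Forbidden as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("alice's menu:", menu_for("alice"))                              # ['view_profile']
    # alice never sees a delete link, but nothing stops her sending the request by hand:
    print(attempt("alice", "delete_account_unchecked", target="bob"))      # (True, 'bob deleted by alice')
    print(attempt("alice", "delete_account", target="bob"))                # (False, ...)
```

The check lives in the decorator rather than in `dispatch` so that a second entry point (an API route, an internal forward, a background job replaying requests) cannot bypass it by calling the handler directly.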
A8 – Cross-Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
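Because a component runs with the application's own privileges, the practical defense is knowing exactly which versions you ship and comparing them against published advisories. The following added example (not OWASP's code and not from the original page) audits a Python `requirements.txt` against an advisory feed. The advisory entries, package names and versions are constructed for the illustration and are not real vulnerabilities; a real check would query a database such as OSV or the GitHub Advisory Database. Floating ranges are reported separately because the file alone does not say which version they resolve to.

```python
import re

# Constructed advisory feed for this example. Package names, version ranges and
# summaries are made up and describe no real software.
ADVISORIES = [
    {"package": "examplelib", "introduced": "1.0.0", "fixed": "2.4.1",
     "summary": "constructed advisory: affects 1.0.0 up to but not including 2.4.1"},
    {"package": "safelib", "introduced": "0.1.0", "fixed": "0.9.0",
     "summary": "constructed advisory: already fixed in the 0.9 line"},
]

# Only exact pins can be audited from the file: "pkg==1.2.3", optionally followed by a comment.
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\d+(?:\.\d+)*)\s*(?:#.*)?$")


def parse_version(text):
    """'2.4.1' -> (2, 4, 1); integer tuples order correctly where strings do not ('2.10' > '2.9')."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Split a requirements.txt into exact pins and everything else (ranges, URLs, editables)."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = parse_version(match.group(2))
        else:
            unpinned.append(line)
    return pins, unpinned


def find_vulnerable(pins, advisories=ADVISORIES):
    """Return (package, pinned, fixed, summary) for every pin that falls inside an advisory's range."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is None:
            continue
        # Half-open range: introduced <= pinned < fixed
        if parse_version(adv["introduced"]) <= pinned < parse_version(adv["fixed"]):
            findings.append((adv["package"], ".".join(map(str, pinned)), adv["fixed"], adv["summary"]))
    return findings


def audit(requirements_text, advisories=ADVISORIES):
    pins, unpinned = parse_requirements(requirements_text)
    return find_vulnerable(pins, advisories), unpinned


# Constructed requirements file for the example.
SAMPLE_REQUIREMENTS = """\
# web app dependencies (constructed sample)
examplelib==2.3.0
safelib==1.0.0
floatinglib>=1.0   # floating range: resolves differently on every install
"""

if __name__ == "__main__":
    findings, unpinned = audit(SAMPLE_REQUIREMENTS)
    for package, pinned, fixed, summary in findings:
        print(f"VULNERABLE {package}=={pinned}: {summary}; upgrade to >= {fixed}")
    for line in unpinned:
        print(f"UNPINNED   {line!r}: pin it, then audit the resolved version")
```

Run this in CI against the lock file that is actually deployed, not a hand-maintained list, and fail the build on any finding; a component that is merely unpinned is not safe, only unknown.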
A10 – Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
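The vulnerable pattern is a login or "next" parameter copied straight into the Location header. The following added example (not OWASP's code and not from the original page) validates such a parameter before redirecting: it accepts a local path or an absolute URL on an allowlisted host and falls back to a default for everything else, including the scheme-relative `//host`, backslash and userinfo tricks that naive "starts with /" or "contains our domain" checks miss. The allowed host names and the `/` default are assumptions for the illustration.

```python
from urllib.parse import urlsplit

# Hosts this application is willing to redirect to; assumed for the example.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return `target` if it is a local path or an http(s) URL on an allowed host, else `default`.

    Rejected on purpose:
      - empty values, whitespace and control characters (parsers disagree on them)
      - backslashes ("/\\evil.example"), which browsers treat as forward slashes
      - scheme-relative "//evil.example" and "///evil.example"
      - non-http schemes such as javascript: and data:
      - userinfo tricks such as "https://www.example.com@evil.example/"
    """
    if not target or any(ord(c) < 33 or c == "\\" for c in target):
        return default
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Path-only value: exactly one leading slash. "//host" is scheme-relative,
        # and a bare "account" is resolved relative to the current page (ambiguous).
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    if parts.scheme not in ("http", "https"):
        return default
    # .hostname strips userinfo and port, so "www.example.com@evil.example" yields "evil.example".
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default
    return target


if __name__ == "__main__":
    # Constructed inputs an attacker might place in ?next=
    for candidate in ["/account", "//evil.example/", "https://www.example.com@evil.example/",
                      "javascript:alert(1)", "/\\evil.example", "https://www.example.com/account"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

For server-side forwards the same rule applies to the destination, and the handler being forwarded to must still perform its own authorization check; a forward that lands on an admin page is only safe if that page would have refused a direct request from the same user.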
Download the full Guide here: OWASP Top 10 – 2013