Welcome to Scribd!

OWASP Top 10 Inexhaustive Edition

Uploaded by

0% found this document useful (0 votes)

17 views4 pages

The document outlines the top 10 security risks including injection flaws, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using vulnerable components, and insufficient logging and monitoring. It provides brief descriptions of each risk and recommendations to help mitigate the risks such as using parameterized queries, multi-factor authentication, encryption, access controls testing, and monitoring logs.

Original Description:

OWASP top 10 Inexhaustive edition

Original Title

OWASP top 10 Inexhaustive edition

Copyright

Available Formats

DOCX, PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as DOCX, PDF, TXT or read online from Scribd

Flag for inappropriate content

0% found this document useful (0 votes)

17 views4 pages

OWASP Top 10 Inexhaustive Edition

Uploaded by

Kumar Saurav

Copyright:

Available Formats

Download as DOCX, PDF, TXT or read online from Scribd

Flag for inappropriate content

Jump to Page

You are on page 1of 4

Search inside document

OWASP Top 10 – Inexhaustive Edition

1. Injection
Injection flaws, such as SQL injection, LDAP injection, and CRLF
injection, occur when an attacker sends untrusted data to an
interpreter that is executed as a command without proper
authorization.

* Application security testing can easily detect injection flaws.

Developers should use parameterized queries when coding to prevent
injection flaws.

2. Broken Authentication and Session Management

Incorrectly configured user and session authentication could allow
attackers to compromise passwords, keys, or session tokens, or take
control of users’ accounts to assume their identities.

* Multi-factor authentication, such as FIDO or dedicated apps, reduces

the risk of compromised accounts.

3. Sensitive Data Exposure

Applications and APIs that don’t properly protect sensitive data such as
financial data, usernames and passwords, or health information, could
enable attackers to access such information to commit fraud or steal
identities.
* Encryption of data at rest and in transit can help you comply with
data protection regulations.

4. XML External Entity

Poorly configured XML processors evaluate external entity references

within XML documents. Attackers can use external entities for attacks
including remote code execution, and to disclose internal files and SMB
file shares.

* Static application security testing (SAST) can discover this issue by

inspecting dependencies and configuration.

5. Broken Access Control

Improperly configured or missing restrictions on authenticated users

allow them to access unauthorized functionality or data, such as
accessing other users’ accounts, viewing sensitive documents, and
modifying data and access rights.

* Penetration testing is essential for detecting non-functional access

controls; other testing methods only detect where access controls are
missing.

6. Security Misconfiguration
This risk refers to improper implementation of controls intended to
keep application data safe, such as misconfiguration of security
headers, error messages containing sensitive information (information
leakage), and not patching or upgrading systems, frameworks, and
components.

* Dynamic application security testing (DAST) can detect

misconfigurations, such as leaky APIs.

7. Cross-Site Scripting
Cross-site scripting (XSS) flaws give attackers the capability to inject
client-side scripts into the application, for example, to redirect users to
malicious websites.

* Developer training complements security testing to help

programmers prevent cross-site scripting with best coding best
practices, such as encoding data and input validation.

8. Insecure deserialization
Insecure deserialization flaws can enable an attacker to execute code in
the application remotely, tamper or delete serialized (written to disk)
objects, conduct injection attacks, and elevate privileges.

* Application security tools can detect deserialization flaws but

penetration testing is frequently needed to validate the problem.

9. Using Components With Known Vulnerabilities

Developers frequently don’t know which open source and third-party
components are in their applications, making it difficult to update
components when new vulnerabilities are discovered. Attackers can
exploit an insecure component to take over the server or steal sensitive
data.

* Software composition analysis conducted at the same time as static

analysis can identify insecure versions of components.

10. Insufficient Logging and Monitoring

The time to detect a breach is frequently measured in weeks or
months. Insufficient logging and ineffective integration with security
incident response systems allow attackers to pivot to other systems and
maintain persistent threats.

* Think like an attacker and use pen testing to find out if you have
sufficient monitoring; examine your logs after pen testing.

Top 10 Web Application Security Risks
Document2 pages
Top 10 Web Application Security Risks
Ayaz Alam
No ratings yet
Globally Recognized by Developers As The First Step Towards More Secure Coding
Document3 pages
Globally Recognized by Developers As The First Step Towards More Secure Coding
Ricy
No ratings yet
Vulnerabilities and Thier Controls-V1
Document4 pages
Vulnerabilities and Thier Controls-V1
B Basit
No ratings yet
Software Security
Document10 pages
Software Security
kavuru.abhijeet
No ratings yet
Assignment: 2: Programming For Security Professionals Qurat-Ul-Ain Islam (22066)
Document9 pages
Assignment: 2: Programming For Security Professionals Qurat-Ul-Ain Islam (22066)
B Basit
No ratings yet
Secure Coding Practices
Document19 pages
Secure Coding Practices
das
No ratings yet
OWASP Top 10 Exhaustive Edition
Document29 pages
OWASP Top 10 Exhaustive Edition
Kumar Saurav
No ratings yet
OWASP Top 10 Security Risk
Document9 pages
OWASP Top 10 Security Risk
Jorge Cañaveral
No ratings yet
Assignment # 1 Penetration Testing
Document4 pages
Assignment # 1 Penetration Testing
Shakeeb Shah
No ratings yet
My Intern
Document22 pages
My Intern
shiny Duddu
No ratings yet
Chapter 4
Document41 pages
Chapter 4
haile
No ratings yet
Owasp Top 10
Document4 pages
Owasp Top 10
مزمل عبدالقیوم
No ratings yet
Secure Coding Protecting Windows and C Web Applications
From Everand
Secure Coding Protecting Windows and C Web Applications
Américo Moreira
No ratings yet
OWASP Top 10 Security Risks
Document25 pages
OWASP Top 10 Security Risks
hari
No ratings yet
Application Security and Secure Programming
Document81 pages
Application Security and Secure Programming
Semi Yulianto
No ratings yet
OWASP Top 10 2021
Document18 pages
OWASP Top 10 2021
darknetbot307
No ratings yet
API Pen Testing Checklist Indusface
Document7 pages
API Pen Testing Checklist Indusface
Aldin Selić
No ratings yet
OWASP Web Security Guide
Document35 pages
OWASP Web Security Guide
kaplumb_aga
100% (9)
Unit-2 Part-1
Document23 pages
Unit-2 Part-1
sravansibis
No ratings yet
Proposal For Conducting Website Security Audit of Invest Rajasthan Website Application.
Document13 pages
Proposal For Conducting Website Security Audit of Invest Rajasthan Website Application.
Amit
No ratings yet
SCT Unit-II
Document15 pages
SCT Unit-II
Dhanush Gummidi
No ratings yet
Seminar Web Application Security
Document30 pages
Seminar Web Application Security
Gauravi
No ratings yet
10 Common Web App Security Vulnerabilities
Document11 pages
10 Common Web App Security Vulnerabilities
Joshua
No ratings yet
Owasp Top Ten Vulnerabilities Explained Easy 1694890531
Document12 pages
Owasp Top Ten Vulnerabilities Explained Easy 1694890531
raj22222
No ratings yet
Assignment On: Top 10 Owasp Vulnerability of Web
Document5 pages
Assignment On: Top 10 Owasp Vulnerability of Web
dua khan
No ratings yet
PC 3 - 4.4 Owasp
Document5 pages
PC 3 - 4.4 Owasp
Pravindra Kumar
No ratings yet
Cys 403 Systems Vulnerability Assessment and Testing
Document12 pages
Cys 403 Systems Vulnerability Assessment and Testing
classik 147
No ratings yet
02lec - 10 OWASP Vulnerabilities
Document40 pages
02lec - 10 OWASP Vulnerabilities
manju kakkar
No ratings yet
Eth Mid 2
Document14 pages
Eth Mid 2
Pushkal Ram Tej Pulaparthi
No ratings yet
Unit-6 - Web Application Security
Document32 pages
Unit-6 - Web Application Security
yototi8935
No ratings yet
Owasp - Microsoft - Threat - Modelling & Threats Models PDF
Document10 pages
Owasp - Microsoft - Threat - Modelling & Threats Models PDF
KaisSlimeni
No ratings yet
Owasp Top 10
Document9 pages
Owasp Top 10
David Owner
No ratings yet
Unit II
Document105 pages
Unit II
Yogita Tiwari
No ratings yet
02lec - 10 OWASP Vulnerabilities (1) (6 Files Merged)
Document153 pages
02lec - 10 OWASP Vulnerabilities (1) (6 Files Merged)
manju kakkar
No ratings yet
Institute of Road and Transport Technology: Erode
Document13 pages
Institute of Road and Transport Technology: Erode
Rishikaa Ram
No ratings yet
Api Owasp: 1.broken Object Authorization
Document4 pages
Api Owasp: 1.broken Object Authorization
hazel
No ratings yet
Secure Mobile Development
Document102 pages
Secure Mobile Development
Sukun2000
No ratings yet
SQL Injection
Document2 pages
SQL Injection
R x41x4a
No ratings yet
SQL Server Security Best Practices 0932719630
Document7 pages
SQL Server Security Best Practices 0932719630
DaniTesfay
No ratings yet
Validation, Deallocation and Naming
Document8 pages
Validation, Deallocation and Naming
gautampujan208
No ratings yet
Api Security Interview Questions & Answers
Document4 pages
Api Security Interview Questions & Answers
Marcia Méndez
No ratings yet
Cyber Ops Summary
Document5 pages
Cyber Ops Summary
Dominique Eijansantos
No ratings yet
Report On OWASP What Is OWASP?: Deep Nandu BED-C-48
Document4 pages
Report On OWASP What Is OWASP?: Deep Nandu BED-C-48
deep nandu
No ratings yet
Information Disclosure Vulnerability
Document8 pages
Information Disclosure Vulnerability
setyahangga3
No ratings yet
Interview Preparation Part-4
Document17 pages
Interview Preparation Part-4
Abdul Mateen Ukkund
No ratings yet
OWASP Top 10 Threats
Document35 pages
OWASP Top 10 Threats
James Pierce
100% (1)
Module 4
Document45 pages
Module 4
Ewen Benana
No ratings yet
Application Security
Document20 pages
Application Security
Awal Mamane
No ratings yet
Sample Report
Document6 pages
Sample Report
Karthik
No ratings yet
Top 10 Interview Question and Answers On All
Document20 pages
Top 10 Interview Question and Answers On All
bfsnukeehasu
No ratings yet
Web Application Security
Document9 pages
Web Application Security
tbt
No ratings yet
Document 5
Document5 pages
Document 5
Muhammad Afaq akram
No ratings yet
Source Code Review
Document37 pages
Source Code Review
cikgufatah
No ratings yet
Checklist For Api Security
Document4 pages
Checklist For Api Security
Man Modi
No ratings yet
Cys 403 Systems Vulnerability Assessment and Testing
Document13 pages
Cys 403 Systems Vulnerability Assessment and Testing
classik 147
No ratings yet
Important Web
Document39 pages
Important Web
002Aadika BhatiaIT1
No ratings yet
Top 10 OWASP PDF
Document8 pages
Top 10 OWASP PDF
loko49
No ratings yet
A Practical Guide To Web Application Security
Document10 pages
A Practical Guide To Web Application Security
Stillward Laud Mark-Mills
No ratings yet
OWASP Top Ten Vulnerabilities
Document12 pages
OWASP Top Ten Vulnerabilities
yahovi163
No ratings yet
Security Mis-Config Introduction
Document26 pages
Security Mis-Config Introduction
Meiamai Velayutham
No ratings yet
Test With Strain
Document20 pages
Test With Strain
Phạm Tiến Đạt
No ratings yet
HB Poleline
Document99 pages
HB Poleline
Charlee
100% (1)
Final Thesis On 3phase Fault Analysis
Document73 pages
Final Thesis On 3phase Fault Analysis
abel tibebu
No ratings yet
Argosy Professional Ethics Class FAQs
Document38 pages
Argosy Professional Ethics Class FAQs
David Moore, PhD CDP
100% (1)
SC - Lazada - Introduction and Background
Document9 pages
SC - Lazada - Introduction and Background
trung thành trần
No ratings yet
BestGrid EA 2.1 - (Cost $560) - For FREE - ForexCracked
Document9 pages
BestGrid EA 2.1 - (Cost $560) - For FREE - ForexCracked
Vilay
No ratings yet
1991 Johnson Evinrude EI 60 Loop V Models 150 175 Outboards Service Manual Page-3
Document1 page
1991 Johnson Evinrude EI 60 Loop V Models 150 175 Outboards Service Manual Page-3
Anthony Shawn Bate
No ratings yet
Tge463 Pnqx778ya
Document96 pages
Tge463 Pnqx778ya
Charles Lee
No ratings yet
Cloud Computing Prelim Exam 2
Document20 pages
Cloud Computing Prelim Exam 2
Gab Tanhueco
No ratings yet
Kids Art Creativity PowerPoint Templates
Document48 pages
Kids Art Creativity PowerPoint Templates
Noranisah Nakim
No ratings yet
Appx Brochure New
Document5 pages
Appx Brochure New
Barbarian King
No ratings yet
Navfac Far East Waterfrnt Sec Sept 2019 A
Document37 pages
Navfac Far East Waterfrnt Sec Sept 2019 A
MICHAEL JOHN Tolonghari
No ratings yet
En 9 8 001 BSP Hose
Document11 pages
En 9 8 001 BSP Hose
Paulo Yorgos
No ratings yet
Vmix 24 UserGuide
Document236 pages
Vmix 24 UserGuide
AstraVista
No ratings yet
Building Permit Register Jan To Dec 2015
Document462 pages
Building Permit Register Jan To Dec 2015
Oz Ree
100% (1)
The Educational Use of Calculator fx-570ES
Document64 pages
The Educational Use of Calculator fx-570ES
lboon_1
100% (2)
Operation Guide: Prismasync Remote Manager
Document70 pages
Operation Guide: Prismasync Remote Manager
JPaulo
No ratings yet
HVAC Control in The New Millennium
Document389 pages
HVAC Control in The New Millennium
nicky1213a
No ratings yet
Autodyn Users Subroutines Guide
Document120 pages
Autodyn Users Subroutines Guide
V Caf
No ratings yet
Assignment Brief BTEC Level 4-5 HNC/HND Diploma (QCF) : To Be Filled by The Student
Document101 pages
Assignment Brief BTEC Level 4-5 HNC/HND Diploma (QCF) : To Be Filled by The Student
ronica
No ratings yet
Testing and Commissioning of Fire Fighting System Hose Reel and Sprinkler System
Document3 pages
Testing and Commissioning of Fire Fighting System Hose Reel and Sprinkler System
gaineysk
No ratings yet
WING Broschuere en
Document4 pages
WING Broschuere en
T Parker
No ratings yet
Data Sheet c78-720918
Document46 pages
Data Sheet c78-720918
bluesir2000
No ratings yet
Puzzle & Seating Arrangement For Mains: Follow Us
Document3 pages
Puzzle & Seating Arrangement For Mains: Follow Us
Karthik N
No ratings yet
Using SCRT With zVSE Best Practices
Document18 pages
Using SCRT With zVSE Best Practices
Ra Skynth
No ratings yet
Overview Data Sheets: F 8653: Central Module
Document2 pages
Overview Data Sheets: F 8653: Central Module
mohamadzi
No ratings yet
PDF Basic Electronics Course Humphrey Kimathi DL
Document95 pages
PDF Basic Electronics Course Humphrey Kimathi DL
mehrab babaei
No ratings yet
Eset Internet Security 9 10 Keys 2019
Document2 pages
Eset Internet Security 9 10 Keys 2019
Bc Dušan Ďurovkin
No ratings yet
UAPSA UST - Logo Manual
Document20 pages
UAPSA UST - Logo Manual
Kelvin Magno
No ratings yet
Installation Instructions: Harley-Davidson Sportster Mini Grenades PART# 16874 / 46874
Document6 pages
Installation Instructions: Harley-Davidson Sportster Mini Grenades PART# 16874 / 46874
raymond mallet
No ratings yet