
An explanation of the OWASP Top 10 security risks

What is OWASP?

The Open Web Application Security Project (OWASP) is a global non-profit organization dedicated to improving the security of web applications. Its materials are freely available on its website, making it feasible for anyone to improve the security of their own web applications. The materials it offers include documentation, tools, videos, and forums. The OWASP Top 10 is one of its best-known projects.
The OWASP Top 10 is a periodically updated report that draws attention to web application security concerns, concentrating on the 10 most critical risks. The report is put together by a team of security experts from around the globe. OWASP recommends that businesses incorporate the Top 10 awareness document into their development and operations processes to minimize security risks.

The web application security risks published in the OWASP Top 10 report are:
1. Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command (input) or query to a web application. The attacker's untrusted data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
2. Broken Authentication: Attackers can attack the authentication or login systems to gain access to user accounts, passwords, keys, and session tokens, and can even take over the system as an administrator.
3. Sensitive Data Exposure: If web applications do not properly protect sensitive data such as financial data, healthcare records, and passwords, attackers can gain access to that data and use it for malicious purposes. Attackers can steal or modify such data if it is not secured properly.
4. XML External Entities (XXE): An XML parser that evaluates external entity references in attacker-supplied XML can be tricked into transmitting data to an unauthorized external location, which can deliver sensitive data directly to the attacker.
5. Broken Access Control: If restrictions on what users are allowed to access are not properly enforced, personal data can be read and modified by unauthorized users.
6. Security Misconfiguration: This can result from insecure or incomplete default configurations, open cloud storage, misconfigured HTTP headers, and error messages containing sensitive information. The security configuration of all operating systems, frameworks, libraries, and applications should be reviewed and updated periodically.
7. Cross-Site Scripting (XSS): XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
8. Insecure Deserialization: Insecure deserialization can lead to remote code execution. It can also be used to carry out other attacks, including injection attacks and privilege escalation attacks.
9. Using Components with Known Vulnerabilities: Applications and APIs that use components with known vulnerabilities undermine the application's defences and can enable attackers to take control of application data.
10. Insufficient Logging & Monitoring: Insufficient logging and monitoring, combined with a missing or ineffective incident response, allows attackers to attack the system further, reach linked systems, and extract, modify, or destroy essential information.
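A worked illustration of item 1 (Injection), added here as an example; it is not part of the original article and not OWASP's own material. It builds a throwaway in-memory SQLite table with constructed sample rows, then runs the same lookup twice: once with the user-supplied value pasted into the SQL text (the flaw), and once with the value bound as a parameter so the interpreter never treats it as part of the command. The table, rows, and the `x' OR '1'='1` input are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a two-row users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the caller's value becomes part of the SQL statement itself,
    so the interpreter cannot tell data from command."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened: parameter binding sends the value separately from the statement,
    so whatever the caller supplies is only ever compared as a string."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def injection_demo():
    """Run both lookups with a benign name and with a classic injection string."""
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed input that closes the quote and appends a tautology
    return {
        "normal": find_user_safe(conn, "alice"),
        "vulnerable": find_user_vulnerable(conn, payload),  # tautology matches every row
        "safe": find_user_safe(conn, payload),  # no user is literally named x' OR '1'='1
    }


if __name__ == "__main__":
    for label, rows in injection_demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns every row because the concatenated statement reads `... WHERE username = 'x' OR '1'='1'`; the parameterized lookup returns nothing, which is the correct answer. The same pattern applies to ORM query builders and to the NoSQL, OS command, and LDAP cases the article lists: keep untrusted input out of the command text and pass it through the interpreter's own binding mechanism.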
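A second added example, not from the original article, covering items 5 (Broken Access Control) and 10 (Insufficient Logging & Monitoring) together. It models a document store where each record has an owner: one accessor hands back whatever id the caller asks for (the flaw), the other enforces an object-level ownership check and writes an audit line for every decision. A small monitoring helper then counts denied requests per user so that repeated probing of other people's ids stands out. The document ids, user names, audit line format, and the alert threshold of three denials are all constructed for the demonstration.

```python
from collections import Counter

# Constructed sample data: documents keyed by id, each with an owner.
DOCUMENTS = {
    101: {"owner": "alice", "body": "alice's tax return"},
    102: {"owner": "bob", "body": "bob's medical record"},
}

# In-memory stand-in for an application log that a real service would ship to a SIEM.
AUDIT_LOG = []


def get_document_insecure(doc_id):
    """Vulnerable: trusts the caller-supplied id and never asks who is calling."""
    return DOCUMENTS[doc_id]["body"]


def get_document(requesting_user, doc_id):
    """Hardened: enforces object-level authorization and logs every decision."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != requesting_user:
        # One answer for "missing" and "not yours" so valid ids cannot be enumerated.
        AUDIT_LOG.append(f"DENY user={requesting_user} doc_id={doc_id}")
        raise PermissionError("document not available")
    AUDIT_LOG.append(f"ALLOW user={requesting_user} doc_id={doc_id}")
    return doc["body"]


def denied_counts(log_lines):
    """Monitoring: number of DENY events per user, parsed from the audit lines."""
    counts = Counter()
    for line in log_lines:
        if not line.startswith("DENY"):
            continue
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        counts[fields["user"]] += 1
    return counts


def users_over_threshold(log_lines, threshold=3):
    """Users whose denied-request count reaches the threshold, sorted for stable output."""
    return sorted(user for user, n in denied_counts(log_lines).items() if n >= threshold)


def access_control_demo():
    AUDIT_LOG.clear()
    results = {}
    results["own"] = get_document("alice", 101)            # legitimate access
    results["insecure_leak"] = get_document_insecure(101)  # anyone can read alice's record
    for doc_id in (101, 103, 104):                         # bob probing ids that are not his
        try:
            get_document("bob", doc_id)
        except PermissionError:
            pass
    results["flagged"] = users_over_threshold(AUDIT_LOG, threshold=3)
    return results


if __name__ == "__main__":
    print(access_control_demo())
    print("\n".join(AUDIT_LOG))
```

The insecure accessor returns alice's record to any caller, which is exactly the unauthorized read the article describes. With the hardened accessor, bob's three failed lookups each produce a DENY line, and the monitoring helper flags him once the constructed threshold is reached; without those log lines the probing would be invisible, which is the gap item 10 points at.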
