Thursday, June 13, 2013

OWASP Top Ten Web Application Security Risks 2013

OWASP has released an update to its Top Ten Web Application Security Risks. The previous version was released three years earlier, in 2010.

Injection is still considered the top risk for web applications. Broken Authentication and Session Management is now in second position, and XSS, which was previously second, has moved down to third. CSRF has dropped to 8th position and Security Misconfiguration has moved up to 5th.

Here is the complete Top Ten list:
  • A1 Injection
  • A2 Broken Authentication and Session Management
  • A3 Cross-Site Scripting (XSS)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration
  • A6 Sensitive Data Exposure (2010-A7 Insecure Cryptographic Storage and 2010-A9 Insufficient Transport Layer Protection were merged to form 2013-A6)
  • A7 Missing Function Level Access Control (renamed/broadened from 2010-A8 Failure to Restrict URL Access)
  • A8 Cross-Site Request Forgery (CSRF)
  • A9 Using Known Vulnerable Components (new but was part of 2010-A6 – Security Misconfiguration)
  • A10 Unvalidated Redirects and Forwards
Get the PDF version