What is OWASP Top-10?

For web application security testing, Android security testing, iOS security testing and API security testing, Open Worldwide Application Security Project’s (OWASP) Top 10 listing of security threats is a good base and initial scope for the testing.

OWASP is a worldwide non-profit organization focused on improving security of web applications. The latest update of the list is from September 2021. The Top 10 list is a broad consensus about the most critical security risks to web applications by a community of over 30000 security experts around the world.

Collapsible content

OWASP A01: Broken Access Control

A user should have access only to the objects and actions that are permitted for that user. Access control can be related to information disclosure, modification or deleting of data, unauthorized file access or performing a function outside of the user’s limits.

OWASP A02: Cryptographic Failures

Data requires protection both in transit and in rest depending on the sensitiveness of the related data. Passwords, credit card numbers, health records, personal information and so on require extra protection especially when the data falls under privacy laws (e.g. GDPR).

OWASP A03: Injection

Hostile data from an untrusted source can end up to an interpreter, which executes the injected data. The interpreter can be for example a database (e.g. SQL injection), operating system (e.g. OS command injection) or user’s browser (Cross-site scripting).

OWASP A04: Insecure Design

The implementations that follow the design precisely are not unconditionally secure as the design may contain flaws. For example, business logic errors, bypassing client-side security and external control of file names and paths expose the system for different types of vulnerabilities.

OWASP A05: Security Misconfiguration

Security misconfigurations can be faced in many different aspects: for example, there are unnecessary features used, error handling reveals information about system’s internals, and application server, frameworks, libraries, databases etc. are not set to secure values. Although configurations cannot be reviewed directly in black-box testing, misconfigurations show up as security vulnerabilities.

OWASP A06: Vulnerable and Outdated Components

When a component’s name and version number is known, it’s known vulnerabilities can be searched from sites like https://cve.mitre.org/ and https://nvd.nist.gov/. These vulnerabilities are widely known and usually patched to the component’s newest version.

OWASP A07: Identification and Authentication Failures

Authentication-related attacks are usually related to confirmation of the user's identity, authentication and session management. Only users with correct credentials should have access to the system. For example, if authentication can be bypassed, external users can get information they are not allowed to access. Session management should always create a new authentication token whenever a user is logged in or logged out and the token should be automatically invalidated after timeout.

OWASP A08: Software and Data Integrity Failures

Applications, CD/CI pipeline and auto-updates should always have a trusted data source and have sufficient integrity verification. The data that is sent from an attacker is always untrusted and especially serialized data require some form of integrity check or digital signature to prevent insecure deserialization.

OWASP A09: Security Logging and Monitoring Failures

When a system is properly monitored and operations are logged, it is easier to detect suspicious actions. There should be logging in the application, logging should raise alerts, the alerts should be monitored and when suspicious activity is observed, there should be actions to handle the situation.

OWASP A10: Server-Side Request Forgery

The requests sent by the server should be controlled only by the server. When a web application has a feature to fetch a remote resource, for example an image, SSRF flaws may occur if the URL is not validated by the server. This allows an attacker to force the server to make requests to the addresses defined by the attacker.

On-demand presentation reveals how we served over 300 software testing projects with customer satisfaction of 4.83 / 5.

How we execute application penetration testing in 5 days based on OWASP Top-10 security threats.