OWASP top 10

Open Web Application Security Project

https://owasp.org/

OWASP top 10 - 2013 (Book: release it!)

1. Injection

2. Broken Authentication and Session Management

3. Cross Site Scripting (XSS)

4. Broken Access Control

5. Security Misconfiguration

6. Sensitive Data Exposure

7. Insufficient Attack Protection

8. Cross-Site Request Forgery (CSRF)

9. Using Components with Known Vulnerabilities

10. Underprotected APIs

(src: Book: release it! - Michael Nygard)

2017 added

[x] (4) XML External Entities (XXE)

• covered in (2013.1) OWASP Injection by Book: release it!

[ ] (8) Insecure Deserialization

• maybe partially mentioned in (2013.10) OWASP Underprotected APIs by Book: release it!

[ ] (10) Insufficient Logging & Monitoring

• maybe partially mentioned in (2013.5) OWASP Security Misconfiguration by Book: release it!

• maybe partially mentioned in (2013.7) OWASP Insufficient Attack Protection by Book: release it!

2021 added

[ ] (4) Insecure Design

[ ] (8) Software And Data Integrity Failures

[ ] (10) Server-side Request Forgery (SSRF)

OWASP Top 10 - Versions

• 2010

• 2013 -> Book: release it! (second edition)

• 2017

• 2021

(src: PDF - owasp top 10 (2013))

(src: PDF - owasp top 10 (2017))

(src: OWASP Top Ten | OWASP Foundation)