
What are the OWASP top 10 vulnerabilities?

August 31 2021

OWASP

The Open Web Application Security Project (OWASP) is an online nonprofit initiative that publishes guidelines, articles, methodologies and tools in the field of cyber security. It works on an open-source model in which users contribute tools, forums, and projects. OWASP serves as a repository of web application security resources.

ModSecurity

ModSecurity is an open-source, cross-platform web application firewall (WAF) designed primarily for Apache HTTP servers. It provides an event-based rule language that protects web applications from a wide range of attacks.

What are the OWASP top 10 vulnerabilities or threats?

Based on the level of damage the vulnerabilities have caused, OWASP has derived a list of the top 10 threats. These threats are categorized from A1 to A10, A1 being the most severe and A10 the least.

OWASP’s top 10 vulnerabilities are as follows:

  • A1:2017 Injection
  • A2:2017 Broken Authentication
  • A3:2017 Sensitive Data Exposure
  • A4:2017 XML External Entities (XXE)
  • A5:2017 Broken Access Control
  • A6:2017 Security Misconfiguration
  • A7:2017 Cross-Site Scripting (XSS)
  • A8:2017 Insecure Deserialization
  • A9:2017 Using Components with Known Vulnerabilities
  • A10:2017 Insufficient Logging and Monitoring

A1:2017 Injection: An injection flaw lets an attacker run code of their own choosing against the database, or on the host operating system, through a vulnerable application. It occurs when untrusted data is sent to the query interpreter as part of a command or query, which can lead to data loss, data corruption, and loss of credibility. It is listed as the most dangerous threat in the OWASP top 10 vulnerabilities.

Common types of injection are:

  • SQL
  • NoSQL
  • Object-Relational Mapping (ORM)
  • Expression Language (EL)
  • OS command
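An added example (not part of the original post) of the SQL variant described above: the vulnerable lookup splices the user-supplied name into the query text, while the hardened version passes it as a bound parameter. The in-memory SQLite table and the inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory user store standing in for an application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # Untrusted input becomes part of the statement text, so the interpreter
    # treats it as SQL: a quote in the input can change the query's structure.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_user_hardened(conn, name):
    # Parameterised query: the value travels separately from the statement,
    # so the interpreter only ever sees it as data, never as SQL.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo():
    conn = make_db()
    benign = "bob"
    # Constructed input containing a quote: the classic structure-changing case.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": find_user_vulnerable(conn, benign),
        "vuln_hostile": find_user_vulnerable(conn, hostile),   # leaks every row
        "safe_benign": find_user_hardened(conn, benign),
        "safe_hostile": find_user_hardened(conn, hostile),     # matches nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```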

A2:2017 Broken Authentication: Broken authentication is the theft of user credentials, session tokens, keys, etc., to gain unauthorized privileges. Attackers probe for broken authentication manually and attack it using password lists and automated tools. Depending on the domain, this may lead to money laundering, identity theft, social security fraud, and sensitive information disclosure. It is listed as the second most dangerous threat in the OWASP top 10 vulnerabilities.

A3:2017 Sensitive Data Exposure: Sensitive data exposure is the careless exposure of sensitive data, which can lead to a breach of the entire system. The data obtained is sold or modified to conduct fraudulent activities. It is ranked third in the OWASP top 10 vulnerabilities.

A4:2017 XML External Entities: XML External Entity (XXE) injection is a type of threat that allows an attacker to interfere with an application's processing of XML data. It takes place on poorly configured XML processors that allow external entity references within XML documents. It may lead to the compromise of important assets through the URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. It is ranked fourth in the OWASP top 10 vulnerabilities.

A5:2017 Broken Access Control: The failure of the system to enforce what a user is allowed to do, even after that user has authenticated, is called Broken Access Control. It allows the user to bypass basic access controls without proper validation. This leads to admin-level data exposure, which in turn may lead to several other complications. It takes fifth place in OWASP's top 10 vulnerabilities.

A6:2017 Security Misconfiguration: Misconfiguration occurs whenever the system fails to meet the standards of its security framework. It may occur on the application server, on the web server, in the application stack, or even on the network. Failure to identify these flaws may sabotage and compromise the entire system. It is listed as the sixth most serious threat in the OWASP top 10 vulnerabilities.

A7:2017 Cross-Site Scripting (XSS): An XSS flaw occurs whenever the attacker makes use of the DOM and browser APIs to retrieve data from, or send commands to, the application. Cross-site scripting widens the attack surface by allowing the attacker to steal user credentials, spread worms, and control browsers remotely. This can lead to credential theft and helps in delivering malware to victims.

A8:2017 Insecure Deserialization: This vulnerability occurs when malicious data is used to disturb the logic of an application. Upon deserialization, it induces denial of service or misapplies the application's logic. Improper handling of this flaw may permit remote code execution attacks.

A9:2017 Using Components with Known Vulnerabilities: Use of third-party software components in the development process may lead to this type of attack. Components such as third-party application frameworks, libraries, and technologies may be exposed to major vulnerabilities. These threats are often difficult to exploit, yet they cause serious data breaches.

A10:2017 Insufficient Logging and Monitoring: A lack of logging and monitoring of threats to the application over time enables these types of attacks. It may lead to the compromise of the entire system and to an attack that cannot be traced.
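An added example (not part of the original post) tying A2 and A10 together: the password-list and automated-tool attacks described under A2 leave a trail of failed logins, and the monitoring A10 calls for is what turns that trail into an alert. The log format and the sample lines are constructed for the demonstration; a real application would use its own format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: one source fails against five
# different accounts within seconds, another fails twice, far apart.
SAMPLE_LOG = """\
2021-08-31T10:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2021-08-31T10:00:03 LOGIN_FAIL user=bob src=203.0.113.7
2021-08-31T10:00:04 LOGIN_FAIL user=carol src=203.0.113.7
2021-08-31T10:00:06 LOGIN_FAIL user=dave src=203.0.113.7
2021-08-31T10:00:07 LOGIN_FAIL user=erin src=203.0.113.7
2021-08-31T10:00:09 LOGIN_OK user=frank src=203.0.113.7
2021-08-31T10:05:00 LOGIN_FAIL user=alice src=198.51.100.2
2021-08-31T10:20:00 LOGIN_FAIL user=alice src=198.51.100.2
"""

# Assumed line layout: "<ISO timestamp> <status> user=<name> src=<ip>".
LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")


def parse_events(text):
    """Return (timestamp, status, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, status, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), status, user, src))
    return events


def detect_password_spraying(events, threshold=5, window=timedelta(minutes=1)):
    """Flag sources that fail against >= threshold distinct users inside one window."""
    fails = defaultdict(list)
    for ts, status, user, src in events:
        if status == "LOGIN_FAIL":
            fails[src].append((ts, user))
    alerts = {}
    for src, entries in fails.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):        # sliding window per source
            users = {u for t, u in entries[i:] if t - start <= window}
            if len(users) >= threshold:
                alerts[src] = sorted(users)
                break
    return alerts


if __name__ == "__main__":
    print(detect_password_spraying(parse_events(SAMPLE_LOG)))
```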
