OWASP is a non-profit organization with the goal of improving the security of software and internet. They have put together a list of the ten most common vulnerabilities to spread awareness about web security. In this post, we have gathered all our articles related to OWASP and their Top 10 list. If you’d like to learn more about web security, this is a great place to start!
Our OWASP TOP 10 posts offer an insight into each of the 10 vulnerability types on OWASP’s list. We describe the vulnerabilities, the impact they can have, and highlight well-known examples of events involving them. Of course, we also explain how to discover these vulnerabilities, providing code examples and helpful remediation tips.
OWASP TOP 10: Injection
Injection is a category that includes all kinds of vulnerabilities where an application sends untrusted data to an interpreter. It is often found in database queries, but other examples are OS commands, XML parsers or when user input is sent as program arguments.
Read full article »
OWASP TOP 10: Broken Authentication
Broken Authentication involves all kinds of flaws that are caused by error in implementations of authentication and/or session management. The category includes everything from login lacking timeout, meaning that users who forget to logout on a public computer can get hijacked, to more technical vulnerabilities such as session fixation.
Read full article »
OWASP TOP 10: Sensitive Data Exposure
Sensitive Data Exposure occurs when an application does not adequately protect sensitive information. The data can vary and anything from passwords, session tokens, credit card data to private health data and more can be exposed.
Read full article »
OWASP TOP 10: XXE (XML External Entities)
XXE allows attackers to abuse external entities when an XML document is parsed. If this happens, the attacker can read local files on the server, force the parser to make network requests within the local network, or use recursive linking to perform a DoS attack.
Read full article »
OWASP TOP 10: Broken Access Control
Broken Access Control is vulnerability category that covers all access control issues that can make your website vulnerable and can often be found in web applications that have gradually grown in size without proper schemes regulating access. The category is the result of merging Insecure Direct Object References and Missing Function Level Access Control from the OWASP Top 10 2013 list.
Read full article »
OWASP TOP 10: Security Misconfiguration
Security misconfiguration is a very common vulnerability category that occurs when a component is susceptible to attack due to an insecure configuration. At worst, exploiting a security misconfiguration can lead to a full takeover.
Read full article »
OWASP TOP 10: Cross-site Scripting (XSS)
Cross-site Scripting is a type of attack that can be carried out to compromise users of a website. The exploitation of an XSS flaw enables the attacker to inject client-side scripts into web pages viewed by users. It is often assumed XSS only occurs in JavaScript, but it could also include e.g. VBScript.
Read full article »
OWASP TOP 10: Insecure Deserialization
Insecure Deserialization allows attackers to transfer a payload using serialized objects. This happens when integrity checks are not in place and deserialized data is not sanitized or validated.
Read full article »
OWASP TOP 10: Using Components with Known Vulnerabilities
It is very common for web services to include a component with a known security vulnerability. The component with a known vulnerability could be the operating system itself, the CMS used, the web server, some plugin installed or even a library used by one of these plugins, making this a very frequent finding.
Read full article »
OWASP TOP 10: Insufficient Logging and Monitoring
Insufficient Logging and Monitoring covers the lack of best practices that should be in place to prevent or damage control security breaches. The category includes everything from unlogged events, logs that are not stored properly and warnings where no action is taken within reasonable time.
Read full article »
OWASP TOP 10 on Detectify Labs
Want more advanced tech content about OWASP Top 10 vulnerabilities? Check out these posts on Detectify Labs:
The Ultimate SQL Injection Payload
Finding an XSS in an HTML-based Android application
5 contexts where the XSS Auditor won’t help you
How to: Exploit an XSS
Frans Rosén’s Bugcrowd Guest Blog: Using a Braun Shaver to Bypass XSS Audit and WAF
How Patreon got hacked: Publicly exposed Werkzeug Debugger
How Detectify can help
We provide a quick and easy way to check whether your site passes or fails OWASP Top 10 tests. Detectify is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including OWASP Top 10, and can be used on both staging and production environments. Sign up for a free trial to find out if you are vulnerable »