OWASP Top Ten

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

"Globally recognized by developers as the first step towards more secure coding."

= 11 items (filtered by ) / show notes

Top Ten

1. Injection
SQL, NoSQL, OS, and LDAP injection.

2. Broken Authentication
Allows attackers to compromise passwords, keys, or session tokens, to assume other users’ identities temporarily or permanently.

3. Sensitive Data Exposure
Financial, healthcare, and PII.

4. XML External Entities (XXE)
Poorly configured XML processors evaluate external entity references within XML documents.

5. Broken Access Control
Access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.

6. Security Misconfiguration
Insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages.

7. Cross-Site Scripting XSS
Including untrusted data in a new web page without proper validation or escaping.

8. Insecure Deserialization
Often leads to remote code execution.

9. Using Components with Known Vulnerabilities
Libraries, frameworks, and other software modules, run with the same privileges as the application.

10. Insufficient Logging & Monitoring
Allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.