The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.
All OWASP tools, documents, videos, presentations and chapters are free and open to anyone interested in improving application security. The rapid pace of modern software development makes it even more critical to discover risks quickly and accurately.
Although the original goal of the OWASP Top 10 project was simply to raise awareness among developers, it has become the de facto application security standard. OWASP has now released the Release Candidate 2 (Final) edition, which adds three new vulnerability categories, referred to as A4, A8 and A10.
The OWASP Top 10 2017 major update adds several new issues, which include:
- A4:2017 – XML External Entity (XXE) (Supported by data)
- A8:2017 – Insecure Deserialization (Supported by community)
- A10:2017 – Insufficient Logging and Monitoring (Supported by community)
Over the last decade, and in particular the last few years, the fundamental architecture of applications has changed significantly:
– JavaScript (JS) is now the primary language of the web.
– Issues such as Insecure Direct Object References and Missing Function Level Access Control were merged into A5:2017 – Broken Access Control.
– CSRF has been moved to A13 because less than 5% of the data set supports CSRF today.
– Unvalidated Redirects and Forwards has been moved to A25 because its count has fallen to 1%.
About A4:2017 – XML External Entity –
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files via the file URI handler, to reach internal SMB file shares on unpatched Windows servers, to perform internal port scanning, and to mount remote code execution and denial of service attacks.
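The simplest defence against this class, recommended by the OWASP XXE prevention guidance, is to refuse DTD processing entirely: external entities, parameter entities and entity-expansion bombs all require a DOCTYPE, so rejecting any document that carries one closes the whole category. The following is an added example written for this post, not code from OWASP or from any project the post mentions; it uses only the Python standard library, and the sample documents (including the placeholder `file:///placeholder/path` identifier) are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Reject any DTD: external entities, parameter entities and entity-expansion
# bombs all need one, so refusing the DOCTYPE altogether closes the class.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source with DTD processing refused up front."""
    if _DTD_MARKERS.search(data):
        raise ValueError("DTD or entity declaration present; document refused")
    return ET.fromstring(data)


def parse_outcome(data: bytes) -> dict:
    """Describe the result as plain data so callers (and tests) can check it."""
    try:
        root = parse_untrusted_xml(data)
    except ValueError as exc:
        return {"accepted": False, "reason": str(exc)}
    except ET.ParseError as exc:
        return {"accepted": False, "reason": "malformed XML: %s" % exc}
    return {"accepted": True, "root": root.tag, "children": [c.tag for c in root]}


# Constructed sample inputs (not taken from any real system).
CLEAN_DOC = b"<?xml version='1.0'?><order><id>42</id><sku>ABC</sku></order>"

# Shape of an external-entity document; the SYSTEM identifier is a placeholder path.
EXTERNAL_ENTITY_DOC = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///placeholder/path'>]>"
    b"<order><id>&ext;</id></order>"
)

# Shape of an internal entity-expansion document, kept deliberately tiny; it is
# refused for the same reason: it needs a DOCTYPE.
EXPANSION_DOC = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY a 'aaaa'><!ENTITY b '&a;&a;&a;&a;'>]>"
    b"<order>&b;</order>"
)


if __name__ == "__main__":
    for name, doc in [("clean", CLEAN_DOC), ("external entity", EXTERNAL_ENTITY_DOC),
                      ("entity expansion", EXPANSION_DOC)]:
        print(name, "->", parse_outcome(doc))
```

The pre-screen runs on the raw bytes before any parser sees the document, so it does not depend on which features a particular XML library enables by default. For production Python code the `defusedxml` package applies the same policy inside the parser itself and is the usual choice; the check above shows the policy in the smallest form.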
About A8:2017 – Insecure Deserialization –
Insecure deserialization flaws occur when an application receives and deserializes hostile serialized objects. In the worst case, insecure deserialization leads to remote code execution (RCE). Even when it does not, serialized objects can be replayed, tampered with or deleted to spoof users, conduct injection attacks, and elevate privileges.
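The mitigations OWASP lists for this category are to accept only data-only formats rather than native object graphs, and to verify integrity before deserializing anything from an untrusted source. The example below is added for this post and is not OWASP code or code from any project the post mentions. It wraps a plain JSON document in an HMAC-protected envelope with an issue time, so that tampering, a wrong key, and replay of an old token are all rejected before the payload is used; the key and the token contents are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key: in a real service it comes from a secrets store, never source code.
DEMO_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300  # reject anything older than five minutes (replay guard)


class RejectedPayload(Exception):
    """Raised when a serialized object fails integrity, freshness or shape checks."""


def _mac(body: bytes, key: bytes) -> str:
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def serialize(data: dict, key: bytes = DEMO_KEY, now: Optional[float] = None) -> str:
    """Wrap data in a JSON envelope with an issue time and append an HMAC over the exact bytes."""
    issued_at = int(time.time() if now is None else now)
    envelope = {"issued_at": issued_at, "data": data}
    body = json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()
    return body.decode() + "." + _mac(body, key)


def deserialize(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None,
                allowed_fields: frozenset = frozenset({"user", "role"})) -> dict:
    body_str, sep, tag = token.rpartition(".")
    if not sep:
        raise RejectedPayload("missing integrity tag")
    body = body_str.encode()
    # 1. Integrity first: an unverified byte string never reaches the parser.
    if not hmac.compare_digest(_mac(body, key), tag):
        raise RejectedPayload("integrity check failed (tampered or wrong key)")
    envelope = json.loads(body)
    # 2. Freshness: a captured token cannot be replayed indefinitely.
    age = (time.time() if now is None else now) - envelope["issued_at"]
    if age < 0 or age > MAX_AGE_SECONDS:
        raise RejectedPayload("stale or future-dated token (possible replay)")
    # 3. Shape: only the fields the application expects, as plain data, no object graphs.
    data = envelope["data"]
    if not isinstance(data, dict) or set(data) - allowed_fields:
        raise RejectedPayload("unexpected fields in payload")
    return data


def try_deserialize(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Report the outcome as a dict instead of an exception (handy for demos and tests)."""
    try:
        return {"ok": True, "data": deserialize(token, key, now)}
    except RejectedPayload as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    token = serialize({"user": "alice", "role": "viewer"}, now=1000)
    print("valid     :", try_deserialize(token, now=1100))
    print("tampered  :", try_deserialize(token.replace("viewer", "admin"), now=1100))
    print("replayed  :", try_deserialize(token, now=1000 + MAX_AGE_SECONDS + 1))
```

The order of the checks is the point: the MAC is verified over the raw bytes before `json.loads` runs, the timestamp bounds the window in which a captured token is useful, and the field allow-list means the consumer only ever works with plain values. Language-native serializers such as Python's `pickle` reconstruct arbitrary objects during loading and have no equivalent of these checks, which is why they should not be fed untrusted input at all.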
About A10:2017 – Insufficient Logging and Monitoring –
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.
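Two things have to be in place for this category to be addressed: security-relevant events (logins, failures, access-control denials) must be logged with enough context to act on, and something must actually read those logs and raise an alert. The example below is added for this post, not OWASP code or code from any project the post mentions. It emits structured JSON authentication events and runs a sliding-window detector over a constructed log that contains one burst of failures from a single source address, one slow trickle, and ordinary traffic; the thresholds, addresses and usernames are all constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import List, Optional

FAIL_THRESHOLD = 5             # this many failures from one source address ...
WINDOW = timedelta(minutes=2)  # ... inside this sliding window raise an alert


def auth_log_line(ts: datetime, outcome: str, user: str, src_ip: str,
                  reason: Optional[str] = None) -> str:
    """One structured auth event with the fields a detector needs: when, outcome, who, from where."""
    record = {"ts": ts.isoformat(), "event": "auth", "outcome": outcome,
              "user": user, "src_ip": src_ip}
    if reason:
        record["reason"] = reason
    return json.dumps(record, sort_keys=True)


def detect_failed_login_bursts(lines: List[str]) -> List[dict]:
    """Alert once per source IP that produces FAIL_THRESHOLD failures within WINDOW."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line must not take the detector down
        if rec.get("event") != "auth" or rec.get("outcome") != "failure":
            continue
        ts = datetime.fromisoformat(rec["ts"])
        ip = rec["src_ip"]
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= FAIL_THRESHOLD and ip not in alerted:
            alerted.add(ip)
            alerts.append({"src_ip": ip, "failures": len(window),
                           "first": window[0].isoformat(), "last": ts.isoformat()})
    return alerts


def build_sample_log() -> List[str]:
    """Constructed log: one burst (should alert), one slow trickle and normal traffic (should not)."""
    base = datetime(2017, 10, 20, 12, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):  # six failures in 50 seconds, different usernames, one address
        lines.append(auth_log_line(base + timedelta(seconds=10 * i), "failure",
                                   "user%d" % i, "203.0.113.7", "bad_password"))
    for i in range(5):  # five failures one minute apart: never 5 inside a 2-minute window
        lines.append(auth_log_line(base + timedelta(minutes=i), "failure",
                                   "bob", "198.51.100.4", "bad_password"))
    lines.append(auth_log_line(base + timedelta(seconds=90), "success", "alice", "192.0.2.10"))
    lines.append("not json at all")  # noise the detector has to tolerate
    return lines


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(build_sample_log()):
        print("ALERT", json.dumps(alert))
```

Keying the window on the source address rather than the username is deliberate: a burst spread across many usernames from one address is exactly the pattern a per-user lockout counter misses. The detector is also tolerant of a malformed line, since a pipeline that stops on bad input is itself a monitoring gap.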
Although the 2007 and earlier versions of the OWASP Top 10 focused on identifying the most prevalent vulnerabilities, the OWASP Top 10 has always been organized around risks.
Note: Here is the list of 65 cheat sheets compiled by the OWASP community.