OWASP Top 10

OWASP is the Open Web Application Security Project, a non-profit organization. Its Top 10 is a ranked list of the ten most common and most impactful categories of web application security risk.


Current Top 10


1. Broken Access Control

This flaw occurs when the application exposes a direct object reference (for example an account id in a request parameter) that the attacker can change at will, and the server does not check whether the caller is actually allowed to access the referenced object.

Example

The site runs an SQL query that takes the account id straight from the browser's "acct" parameter. The attacker simply changes that parameter to another account id and gets back results for accounts they should not be able to see.

```java
// The query is parameterised, so there is no SQL injection here. The problem is
// that "acct" is taken directly from the request and is never compared with the
// authenticated user, so any account id the client supplies is accepted.
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
```
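To make the flaw and its fix concrete, here is an added example (not from the original page or from OWASP) that rebuilds the same lookup in Python on a constructed in-memory SQLite table: the first function reproduces the page's snippet, the second binds the authenticated user into the query so that ownership is enforced server-side. The table layout, the user names and the `session_user` parameter are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example (not real accounts)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 500), ("1002", "bob", 9000)],
    )
    return db


def vulnerable_lookup(db, session_user, params):
    """Mirrors the page's snippet: the account id comes straight from the request.

    The query is parameterised (no SQL injection), but nothing ties 'acct' to the
    caller, so session_user is ignored and any logged-in user can read any account.
    """
    return db.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct = ?",
        (params["acct"],),
    ).fetchone()


def hardened_lookup(db, session_user, params):
    """Same lookup with the ownership check made part of the query.

    The server binds the authenticated principal (session_user), which the client
    cannot choose; a request for someone else's account matches no row.
    """
    row = db.execute(
        "SELECT acct, owner, balance FROM accounts WHERE acct = ? AND owner = ?",
        (params["acct"], session_user),
    ).fetchone()
    if row is None:
        # Deny by default, and answer the same way whether the account does not
        # exist or belongs to another user, so the response leaks nothing.
        raise PermissionError("access denied")
    return row


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "alice", {"acct": "1002"}))  # bob's row leaks
    try:
        hardened_lookup(db, "alice", {"acct": "1002"})
    except PermissionError as exc:
        print(exc)  # access denied
```

The same pattern applies to any server-side object lookup: derive the authorisation subject from the session, never from a client-controlled parameter, and treat "no matching row" as a denial.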

Mitigation

2. Cryptographic Failures

These are failures to protect data properly with cryptography, so that sensitive data ends up exposed to attackers even though it was supposedly encrypted.

Example

An application stores credit card numbers encrypted in a database, but the numbers are decrypted automatically whenever they are read with SQL. If an attacker can run SQL queries of their own against the database, they get the numbers back in clear text, so the encryption provides no protection at all.

Mitigation