Minnesota State University, Mankato

Web Application Security

The OWASP Top Ten Vulnerabilities

What is OWASP

The Open Web Application Security Project (OWASP) is a non-profit organization dedicated to providing unbiased, practical information about application security.

What is OWASP Top 10

Periodically, OWASP releases a list of ten most critical application security risks faced by developers, security personnel and organizations with the aim of helping to map out ways of combatting these risks. Also, on a periodic basis, these risks are reviewed to reflect changes in application security threats along with the techniques and best practices for avoiding and remediating these vulnerabilities.

Why should I care?

Reports have shown that there has been a dramatic increase in website compromise in recent time and OWASP Top 10 features many of these vulnerabilities in its list.

The Top 10 List

Within the OWASP Top 10 series, the 2013 edition is still the latest; it is displayed below.

  • A1 – Injection

    Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. For more information, visit.

  • A2 – Broken Authentication and Session Management

    Broken Authentication and Session Management vulnerabilities allow anonymous attacks aimed at stealing valuable data, especially Personally Identifiable Information. If authentication or session management protocols have not been implemented properly, they may enable a hostile party to steal passwords, session keys or tokens, or otherwise assume or exploit a user’s identity. For more information, visit.

  • A3 – Cross-Site Scripting (XSS)

    Cross-Site Scripting, often shortened as XSS, attempts to trick a browser into accepting data that isn’t from a trusted source. Applications that allow user input but don’t have control over output are highly vulnerable to XSS. If successful, XSS allows the attacker to take over a user session, cause damage to a website or force the user to visit another site (often a website hosting further hostile code). There are three different kinds of XSS attacks, referred to as Stored XSS, DOM Based XSS, and Reflected XSS. For more information, visit.

  • A4 – Insecure Direct Object References

    Insecure Direct Object References occur when authentication isn’t properly executed. If an application is vulnerable, malicious users may be able to gain administrative access to the application. If no access control check or other protection is in place, an attacker could manipulate that type of reference to access data they’re not authorized for. For more information, visit.

  • A5 – Security Misconfiguration

    When security processes and practices aren’t correctly followed or implemented, Security Misconfigurations can easily be used by attackers to detect weak areas that would allow them to access privileged data. Configuration of the whole application environment including servers, platforms, etc. needs to be properly defined, implemented and controlled or it can lead to security holes. For more information, visit.

  • A6 – Sensitive Data Exposure

    Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. For more information, visit.

  • A7 – Missing Function Level Access Control

    This risk is posed when web applications don’t correctly verify function level access rights before making available functionality that shouldn’t be granted. For more information, visit.

  • A8 – Cross-Site Request Forgery (CSRF)

    A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. For more information, visit.

  • A9 – Using Components with Known Vulnerabilities

    Components, especially libraries and frameworks derived from the open source community, should never be used when there are known vulnerabilities in the code. Doing so undermines the application and possibly the entire organization, as an attacker could easily leverage an SQL injection, XSS attack or similar to attempt an application takeover. For more information, visit.

  • A10 – Unvalidated Redirects and Forwards

    Unvalidated Redirects and Forwards can be used with a bit of social engineering to mimic an already existing site and trick visitors into downloading malware or giving up Personally Identifiable Information. For more information, visit.
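The A1 entry above says injection happens when untrusted data becomes part of a query; the following added example (not code from the original page or from OWASP) shows the flaw and its remedy side by side against a constructed in-memory SQLite user table. The string-formatted lookup lets a tester's probe input change the query's meaning, while the parameterized lookup treats the same input purely as data.

```python
import sqlite3

def make_db():
    # Constructed in-memory user table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2"), ("carol", "s3")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, name):
    # A1 flaw: untrusted input is spliced into the SQL text, so the interpreter
    # cannot tell where the data ends and the command begins.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # Remedy: a bound parameter is passed to the driver separately from the SQL
    # text, so whatever the input contains it is only ever compared as a value.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def injection_check(conn):
    # Simple regression check a team can keep in its test suite: a probe that
    # contains a quote and a tautology must never widen the result set.
    probe = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, probe),
        "parameterized": lookup_parameterized(conn, probe),
    }

if __name__ == "__main__":
    db = make_db()
    print(injection_check(db))
```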
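For the A10 entry, the defence is to check where a redirect target actually resolves before sending the browser there. This added example (not from the original page) validates a `next`-style parameter against a hypothetical application origin, `https://app.example`, and covers the forms that a naive "starts with a slash" check misses: scheme-relative `//host` targets, credentials before an `@`, backslashes that browsers treat as slashes, and scheme downgrades.

```python
from urllib.parse import urlparse, urljoin

# Hypothetical application origin; the only place a redirect is allowed to land.
APP_ORIGIN = "https://app.example"

def is_safe_redirect(target, origin=APP_ORIGIN):
    """Return True only if `target` resolves to a URL on `origin`."""
    if not target:
        return False
    # Backslashes and line breaks are normalised by browsers in ways urlparse
    # does not model, so reject them outright rather than trying to reason about them.
    if any(ch in target for ch in "\\\r\n"):
        return False
    resolved = urljoin(origin, target)   # relative paths become absolute here
    got, want = urlparse(resolved), urlparse(origin)
    # Compare scheme and host exactly: this rejects "//evil.example", 
    # "https://app.example@evil.example", "app.example.evil.example", and http:// downgrades.
    return got.scheme == want.scheme and got.netloc == want.netloc

def redirect_target(requested, fallback="/"):
    """Target the application should actually redirect to."""
    return requested if is_safe_redirect(requested) else fallback

if __name__ == "__main__":
    for t in ["/account", "//evil.example/", "https://app.example@evil.example/",
              "http://app.example/", "/\\evil.example", "/account?ref=https://evil.example"]:
        print(repr(t), "->", redirect_target(t))
```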


  • Web application vulnerability scanners
  • Secure Coding Awareness for developers
  • Static Code Analysis tools

For more information about the OWASP top 10, visit:
Owasp page