Top 10 Most
Critical Web Application Security Flaws
The following information was drawn up by
the Open Web Application Security Project (OWASP)
of the ten most critical web application vulnerabilities in
The ten flaws
in the OWASP list are:
1. Non-validated input.
Attackers could use non-validated data
to reach backend components.
2. Broken access control.
Improper application of restrictions
on authenticated users could give attackers access to other
accounts or use unauthorized functions.
3. Broken authentication and session management.
credentials and session tokens are not properly protected,
allowing attackers to compromise passwords, keys, session
cookies or tokens, and assume the identities of other users.
4. Cross-site scripting.
This allows the web application to be
used to transport an attack on the end user's browser, leading
to the disclosure of the end user's session token or spoof
content to fool the user.
5. Buffer overflows.
Web application components written in
languages that do not properly validate input can crash and in
some cases, be used to take control of a process.
6. Injection flaws.
Web applications pass parameters when they
access external systems or the local OS. If malicious commands
are embedded in the parameters, the external system may
execute those commands on behalf of the Web application.
7. Improper error handling.
This can lead to attackers gaining
detailed system information or causing denial of service.
8. Insecure storage.
Web applications that use cryptographic
functions to protect information and credentials have proven
difficult to code properly, resulting in weak protection.
9. Denial of service.
As mentioned, attackers use up Web
application resources to the point where other legitimate
users can no longer access or use the application. Attackers
can also block user accounts or cause application failures.
10. Insecure configuration management.
Having a strong
configuration standard is critical.
Copyrights © by
Sentry Digital Information