According to statistics maintained by theOpen Web Application Security Project (OWASP), the ten most common security errors can be distinguished. The graphic below shows how often veracode, a web application security research organization, detects these vulnerabilities during a preliminary risk assessment.
The vulnerability detection rate from the OWASP Top 10 list during veracode's initial risk assessment. Source: [Veracode]
The most common vulnerabilities cited above according to the OWASP are:
- Susceptibility of injecting untrusted data into a code interpreter as part of a command orquery (SQLi, OS, XXE, LDAP). An attacker could outsmart the interpreter to execute unscheduled commands or gain access to data without proper authorization.
- Incorrectly implemented mechanisms for authenticity and session management. This allows the attacker to compromise passwords, keys, session tokens, or hijack the identity of another application user.
- Broken access control mechanisms regarding what permissions and resources a system user has access to. An attacker could exploit this vulnerability to gain access to unauthorized functionality or sensitive data, as well as to gain access to other users' accounts.
- Incorrect security settings – to properly secure the system, the appropriate settings are defined and implemented for the application, framework, application server, database server, platform, etc. In addition, the software should be updated regularly.
- Sharing sensitive data – Many web applications and APIs do not properly protect sensitive data such as financial, medical or personal data. An attacker can steal or modify such poorly protected information and use it to fraud on a credit card, steal identity or commit other crimes. Sensitive data should be additionally protected by encryption during transmission and storage.
- Inadequate protection against attacks – many systems do not have the basic ability to detect, prevent and respond to both manual and automated attacks. You should implement mechanisms that go beyond the basic mechanisms for validating input, and include automatic detection, logging, and even blocking of attack attempts. In addition, app owners must be able to easily upload security patches.
- Cross-Site Request Forgery (CSRF)– consists in forcing the user's browser to send a query to the server in the context of that user. It thus allows the victim to perform some unauthorized action, e.g. changing the password, making a transfer.
- Using components with known vulnerabilities – components such as libraries, frameworks, and other modules used in the software operate under the same permissions as the application itself. If a vulnerable component is compromised, such an attack can pose a serious threat to the data or the system as a whole. Applications that use components with known vulnerabilities can remove the layer that protects the application by opening it to various types of attacks.
- Unsecured APIs – Today's applications often provide APIs for communicating with them in addition to basicfunctionality (SOAP/XML, REST/JSON, RPC, GWT, etc.). These interfaces are often insecure and contain many vulnerabilities.