Big changes are imminent at the top of OWASP

Big changes are imminent at the top of OWASP

The Open Web Application Security Project (OWASP) has been deployed since 2003 Top ten list It contains the most common categories of vulnerabilities that you should avoid when building secure web applications. The ranked list has not changed since 2017, but it came recently updated draft Which contains major changes. What remains before the list becomes official is peer review. This means that the order can be changed and individual categories replaced by others.

At least since 2017, the list has topped the vulnerabilities category injection failedThat is, the implementation does not sufficiently prevent the interpretation of data in queries as commands. This vulnerability can be exploited by attackers to gain unauthorized access to read or modify data stored in a database. Many username and password hash leaks happen this way.

New 1st place

In the new draft, injection errors as a category were pushed to third place. Instead, the lack of access control led to a move from fifth to first place. It’s about putting restrictions on the different types of users they should be able to access in the app. A typical example of such a vulnerability is that by increasing or decreasing the value of the parameter number in a URL, data that belongs to another user can be accessed.

In the new draft Encoding errors Come in second place. This category replaces the current Sensitive Data Exposure, which is Sensitive Data exposure. This is done so that the name largely reflects the cause of the weakness rather than its symptoms. Using unencrypted protocols like HTTP, SMTP, and FTP to transfer sensitive data is one of the things that belongs here.



big changes

Changes have also occurred in many other places on the list. In total, there are three categories in the list that are brand new, while four categories have been given a new name or domain.

See also  “Imagine if the strongest brand in Norway was a fintech app that raised money instead of spending money”

In the new list, for example, the “Broken Authentication” category, Incomplete Authentication, has been replaced with “Identification and Authentication Failed”. The category has also been reduced from second to seventh.


Initial changes to the OWASP Top 10 between 2017 and 2021. Illustration: OWASP

Each category of vulnerability in the new list includes a specific description of what the main problem is. In addition, a few relatively specific attack scenarios are presented, as well as a list of actions that can be taken to prevent attacks that exploit the relevant class of vulnerabilities.

Just a place to start

OWAST’s top ten list is often considered a kind of de facto standard for web application security OASP confirm It is only intended to contribute to awareness of the topic and that it should in any case be considered a minimum and a place to start.



Hanisi Anenih

Hanisi Anenih

"Web specialist. Lifelong zombie maven. Coffee ninja. Hipster-friendly analyst."

Leave a Reply

Your email address will not be published. Required fields are marked *