Categories: Application Security

OWASP 2017 Top 10 Web App Security Vulnerabilities

The following is a list of the web application security vulnerabilities that made it into the OWASP 2017 Top 10.

  • Injection: An injection attack causes untrusted input to be executed as commands (SQL, NoSQL, OS, LDAP) by the corresponding interpreter, resulting in execution of unintended commands that modify the data or provide unauthorized access to it.
  • Broken authentication: Broken authentication attacks can lead to compromise of passwords, keys or session tokens.
  • Sensitive data exposure: A sensitive data exposure vulnerability allows attackers to gain access to sensitive data such as identity-related data (email addresses, mobile numbers), credit card details, etc. This data can be obtained from data at rest (database, file systems, etc.) or data in transit (data exchanged between browser and server).
  • XML External Entities (XXE): XML parsers that process external entity references in untrusted XML documents can be made to disclose internal files or cause denial of service; the mitigation is to disable external entity processing in the parser.
  • Broken access control: Proper access control makes sure that users are not able to access or change data they are not allowed to. With broken access control, authenticated users are able to access or change data regardless of whether they are authorized to do so.
  • Security misconfiguration: One of the most common instances of security misconfiguration is a verbose error message or stack trace being shown to the user. Another is display of the server version in the error page when the server is not accessible. These primarily occur due to incomplete or ad hoc configuration, or use of default configurations.
  • Cross-site scripting (XSS): A cross-site scripting attack lets the attacker inject script or HTML into the DOM tree, which can in turn alter the DOM tree and lead to display of unwanted content on the web page. Imagine a user inserting an img tag as a comment. If the data is not properly escaped, the img tag, when displayed as a comment, results in the image being loaded on the web page, distorting the page or displaying abusive images.
  • Insecure deserialization: Insecure deserialization can often lead to remote code execution. Even where it does not, it can be used to perform attacks such as replay attacks or injection attacks.
  • Components with known vulnerabilities: Many times, our applications end up using various open-source packages / libraries without us paying attention to the security vulnerabilities found in those packages. These vulnerabilities in external packages / libraries can be exploited by attackers to attack the web app. Take the example of a MEAN web app using one or more NPM packages. If these packages contain one or more security vulnerabilities, those can be used by attackers to compromise the web application that depends on them.
  • Insufficient logging and monitoring: This is self-explanatory.
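The XSS item above describes a comment containing an img tag that gets rendered instead of displayed as text. The following is an added example (not code from the original post) showing the unescaped rendering beside a version that escapes untrusted values for the HTML text context; the comment, the author name and the function names are constructed for this demonstration.

```javascript
// Added example (not from the original post): escaping user-supplied comment
// text before placing it into HTML, so a comment containing an <img> tag is
// shown as literal text rather than interpreted by the browser.

// The five characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace each special character with its entity. Everything else passes through.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the comment body is concatenated into the markup as-is,
// so any tag the user typed becomes part of the page's DOM.
function renderCommentUnsafe(author, body) {
  return `<li><b>${author}</b>: ${body}</li>`;
}

// Hardened rendering: every untrusted value is escaped before it enters the markup.
function renderCommentSafe(author, body) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</li>`;
}

// Crude check used only for this demonstration: does the output contain a raw
// <img> tag that did not come from the template itself? (A real test would parse the HTML.)
function containsRawImgTag(html) {
  return /<img\b/i.test(html);
}

// Constructed sample comment: the user posts an <img> tag as the comment body.
// The hostname is a placeholder (.invalid is reserved and never resolves).
const sampleAuthor = "guest";
const sampleBody = '<img src="http://example.invalid/unwanted.png">';

console.log("unsafe:", renderCommentUnsafe(sampleAuthor, sampleBody));
console.log("safe:  ", renderCommentSafe(sampleAuthor, sampleBody));
```

Escaping must be chosen for the context the value lands in: the text-context escaping shown here is not sufficient for values placed inside a JavaScript block, a URL, or an unquoted attribute, each of which needs its own encoding. In a MEAN stack app, templating libraries that escape by default do this for you, and the risk appears when a "raw" or "trusted HTML" binding is used on user-controlled data.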

The details can be found in the OWASP 2017 Top 10 document (web page / PDF).


Ajitesh Kumar

I have been recently working in the area of Data analytics including Data Science and Machine Learning / Deep Learning. I am also passionate about different technologies including programming languages such as Java/JEE, Javascript, Python, R, Julia, etc, and technologies such as Blockchain, mobile computing, cloud-native technologies, application security, cloud computing platforms, big data, etc. I would love to connect with you on Linkedin. Check out my latest book titled as First Principles Thinking: Building winning products using first principles thinking.
