OWASP Top Ten

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

Globally recognized by developers as the first step towards more secure coding.

Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.

Top 10 Web Application Security Risks

A1:2017-Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

A3:2017-Sensitive Data Exposure: Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

A4:2017-XML External Entities (XXE): Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

A5:2017-Broken Access Control: Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.

A6:2017-Security Misconfiguration: Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

A7:2017-Cross-Site Scripting XSS: XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A8:2017-Insecure Deserialization: Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

A9:2017-Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

A10:2017-Insufficient Logging & Monitoring: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

Translation Efforts

Efforts have been made in numerous languages to translate the OWASP Top 10 - 2017. If you are interested in helping, please contact the members of the team for the language you are interested in contributing to, or if you don’t see your language listed (neither here nor at github), please email owasp-topten@lists.owasp.org to let us know that you want to help and we’ll form a volunteer group for your language. We have compiled this README.TRANSLATIONS with some hints to help you with your translation.

2017 Completed Translations:

  • Chinese: OWASP Top 10-2017 - 中文版(PDF)
    • 项目组长:王颉(wangj@owasp.org.cn)
    • 翻译人员:陈亮、王厚奎、王颉、王文君、王晓飞、吴楠、徐瑞祝、夏天泽、杨璐、张剑钟、赵学文(排名不分先后,按姓氏拼音排列)
    • 审查人员:Rip、包悦忠、李旭勤、杨天识、张家银(排名不分先后,按姓氏拼音排列)
    • 汇编人员:赵学文
  • French: OWASP Top 10 2017 in French (Git/Markdown)
  • German: OWASP Top 10 2017 in German V1.0 (Pdf) (web pages)
    compiled by Christian Dresen, Alexios Fakos, Louisa Frick, Torsten Gigler, Tobias Glemser, Dr. Frank Gut, Dr. Ingo Hanke, Dr. Thomas Herzog, Dr. Markus Koegel, Sebastian Klipper, Jens Liebau, Ralf Reinhardt, Martin Riedel, Michael Schaefer
  • Hebrew: OWASP Top 10-2017 - Hebrew (PDF)  (PPTX)
    translated by Eyal Estrin (Twitter: @eyalestrin) and Omer Levi Hevroni (Twitter: @omerlh).
  • Japanese: OWASP Top 10-2017 - 日本語版 (PDF)
    translated and reviewed by Akitsugu ITO, Albert Hsieh, Chie TAZAWA, Hideko IGARASHI, Hiroshi TOKUMARU, Naoto KATSUMI, Riotaro OKADA, Robert DRACEA, Satoru TAKAHASHI, Sen UENO, Shoichi NAKATA, Takanori NAKANOWATARI ,Takanori ANDO, Tomohiro SANAE.
  • Korean: OWASP Top 10-2017 - 한글 (PDF)  (PPTX)
    번역 프로젝트 관리 및 감수 : 박형근(Hyungkeun Park) / 감수(ㄱㄴㄷ순) : 강용석(YongSeok Kang), 박창렴(Park Changryum), 조민재(Johnny Cho) / 편집 및 감수 : 신상원(Shin Sangwon) / 번역(ㄱㄴㄷ순) : 김영하(Youngha Kim), 박상영(Sangyoung Park), 이민욱(MinWook Lee), 정초아(JUNG CHOAH), 조광렬(CHO KWANG YULL), 최한동(Handong Choi)
  • Portuguese: OWASP Top 10 2017 - Portuguese (PDF) (ODP)
    translated by Anabela Nogueira, Carlos Serrão, Guillaume Lopes, João Pinto, João Samouco, Kembolle A. Oliveira, Paulo A. Silva, Ricardo Mourato, Rui Silva, Sérgio Domingues, Tiago Reis, Vítor Magano.
  • Russian: OWASP Top 10-2017 - на русском языке (PDF)
    translated and reviewed by JZDLin (@JZDLin), Oleksii Skachkov (@hamster4n), Ivan Kochurkin (@KvanTTT) and Taras Ivashchenko
  • Spanish: OWASP Top 10-2017 - Español (PDF) (web pages)
    • Gerardo Canedo(Gerardo.Canedo@owasp.org - [Twitter: @GerardoMCanedo])
    • Cristian Borghello(Cristian.Borghello@owasp.org - [Twitter: @seguinfo])
    • Vladimir Támara Patiño (vtamara@pasosdeJesus.org - [Twitter: @VladimirTamara])

Historic:

2017 Release Candidate Translation Teams:

  • Azerbaijanian: Rashad Aliyev (rashad@aliev.info)
  • Chinese RC2:Rip、包悦忠、李旭勤、王颉、王厚奎、吴楠、徐瑞祝、夏天泽、张家银、张剑钟、赵学文(排名不分先后,按姓氏拼音排列) OWASP Top10 2017 RC2 - Chinese PDF
  • French: Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org.
  • Others to be listed.

2013 Completed Translations:

  • Arabic: OWASP Top 10 2013 - Arabic PDF
    Translated by: Mohannad Shahat: Mohannad.Shahat@owasp.org, Fahad: @SecurityArk, Abdulellah Alsaheel: cs.saheel@gmail.com, Khalifa Alshamsi: Khs1618@gmail.com and Sabri(KING SABRI): king.sabri@gmail.com, Mohammed Aldossary: mohammed.aldossary@owasp.org
  • Chinese 2013:中文版2013 OWASP Top 10 2013 - Chinese (PDF).
    项目组长: Rip、王颉, 参与人员: 陈亮、 顾庆林、 胡晓斌、 李建蒙、 王文君、 杨天识、 张在峰
  • Czech 2013: OWASP Top 10 2013 - Czech (PDF) OWASP Top 10 2013 - Czech (PPTX)
    CSIRT.CZ - CZ.NIC, z.s.p.o. (.cz domain registry): Petr Zavodsky: petr.zavodsky@owasp.org, Vaclav Klimes, Zuzana Duracinska, Michal Prokop, Edvard Rejthar, Pavel Basta
  • French 2013: OWASP Top 10 2013 - French PDF
    Ludovic Petit: Ludovic.Petit@owasp.org, Sébastien Gioria: Sebastien.Gioria@owasp.org, Erwan Abgrall: g4l4drim@gmail.com, Benjamin Avet: benjamin.avet@gmail.com, Jocelyn Aubert: jocelyn.aubert@owasp.org, Damien Azambour: damien.azambourg@owasp.org, Aline Barthelemy: aline.barthelemy@fr.abb.com, Moulay Abdsamad Belghiti: abdsamad.belghiti@gmail.com, Gregory Blanc: gregory.blanc@gmail.com, Clément Capel: clement.capel@sfr.com, Etienne Capgras: Etienne.capgras@solucom.fr, Julien Cayssol: julien@aqwz.com, Antonio Fontes: antonio.fontes@owasp.org, Ely de Travieso: Ely.detravieso@owasp.org, Nicolas Grégoire: nicolas.gregoire@agarri.fr, Valérie Lasserre: valerie.lasserre@gmx.fr, Antoine Laureau: antoine.laureau@owasp.org, Guillaume Lopes: lopes.guillaume@free.fr, Gilles Morain: gilles.morain@gmail.com, Christophe Pekar: christophe.pekar@owasp.org, Olivier Perret: perrets@free.fr, Michel Prunet: michel.prunet@owasp.org, Olivier Revollat: revollat@gmail.com, Aymeric Tabourin: aymeric.tabourin@orange.com
  • German 2013: OWASP Top 10 2013 - German PDF
    top10@owasp.de which is Frank Dölitzscher, Torsten Gigler, Tobias Glemser, Dr. Ingo Hanke, Thomas Herzog, Kai Jendrian, Ralf Reinhardt, Michael Schäfer
  • Hebrew 2013: OWASP Top 10 2013 - Hebrew PDF
    Translated by: Or Katz, Eyal Estrin, Oran Yitzhak, Dan Peled, Shay Sivan.
  • Italian 2013: OWASP Top 10 2013 - Italian PDF
    Translated by: Michele Saporito: m.saporito7@gmail.com, Paolo Perego: thesp0nge@owasp.org, Matteo Meucci: matteo.meucci@owasp.org, Sara Gallo: sara.gallo@gmail.com, Alessandro Guido: alex@securityaddicted.com, Mirko Guido Spezie: mirko@dayu.it, Giuseppe Di Cesare: giuseppe.dicesare@alice.it, Paco Schiaffella: schiaffella@gmail.com, Gianluca Grasso: giandou@gmail.com, Alessio D’Ospina: alessiodos@gmail.com, Loredana Mancini: loredana.mancini@business-e.it, Alessio Petracca: alessio.petracca@gmail.com, Giuseppe Trotta: giutrotta@gmail.com, Simone Onofri: simone.onofri@gmail.com, Francesco Cossu: hambucker@gmail.com, Marco Lancini: marco.lancini.ml@gmail.com, Stefano Zanero: zanero@elet.polimi.it, Giovanni Schmid: giovanni.schmid@na.icar.cnr.it, Igor Falcomata’: koba@sikurezza.org
  • Japanese 2013: OWASP Top 10 2013 - Japanese PDF
    Translated by: Chia-Lung Hsieh: ryusuke.tw(at)gmail.com, Reviewed by: Hiroshi Tokumaru, Takanori Nakanowatari
  • Korean 2013: OWASP Top 10 2013 - Korean PDF (이름가나다순)
    김병효:byounghyo.kim@owasp.org, 김지원:jiwon.kim@owasp.or.kr, 김효근:katuri@katuri.kr, 박정훈:xelion@gmail.com, 성영모:youngmo.seong@owasp.or.kr, 성윤기:yune.sung@owasp.org, 송보영:boyoung.song@owasp.or.kr, 송창기:factor7@naver.com, 유정호:griphis77@gmail.com, 장상민:sangmin.jang@owasp.or.kr, 전영재:youngjae.jeon@owasp.org, 정가람:tgcarrot@gmail.com, 정홍순:jhs728@gmail.com, 조민재:johnny.cho@owasp.org,허성무:issimplenet@gmail.com
  • Brazilian Portuguese 2013: OWASP Top 10 2013 - Brazilian Portuguese PDF
    Translated by: Carlos Serrão, Marcio Machry, Ícaro Evangelista de Torres, Carlo Marcelo Revoredo da Silva, Luiz Vieira, Suely Ramalho de Mello, Jorge Olímpia, Daniel Quintão, Mauro Risonho de Paula Assumpção, Marcelo Lopes, Caio Dias, Rodrigo Gularte
  • Spanish 2013: OWASP Top 10 2013 - Spanish PDF
    Gerardo Canedo: gerardo.canedo@owasp.org, Jorge Correa: jacorream@gmail.com, Fabien Spychiger: fabien.spychiger@dreamlab.net, Alberto Hill: alberto.daniel.hill@gmail.com, Johnatan Stanley: johnatanst@gmail.com, Maximiliano Alonzo: malonzo@tib.com.uy, Mateo Martinez: mateo.martinez@owasp.org, David Montero: david.montero@owasp.org, Rodrigo Martinez: rodmart@fing.edu.uy, Guillermo Skrilec: guillermo.skrilec@owasp.org, Felipe Zipitria: felipe.zipitria@owasp.org, Fabien Spychiger: fabien.spychiger@dreamlab.net, Rafael Gil: rafael.gillarios@owasp.org, Christian Lopez: christian.lopez.martin@owasp.org, jonathan fernandez jonathan.fernandez04@gmail.com, Paola Rodriguez: Paola_R1@verifone.com, Hector Aguirre: hector.antonio.aguirre@owasp.org, Roger Carhuatocto: rcarhuatocto@intix.info, Juan Carlos Calderon: johnccr@yahoo.com, Marc Rivero López: mriverolopez@gmail.com, Carlos Allendes: carlos.allendes@owasp.org, daniel@carrero.cl: daniel@carrero.cl, Manuel Ramírez: manuel.ramirez.s@gmail.com, Marco Miranda: marco.miranda@owasp.org, Mauricio D. Papaleo Mayada: mpapaleo@gmail.com, Felipe Sanchez: felipe.sanchez@peritajesinformaticos.cl, Juan Manuel Bahamonde: juanmanuel.bahamonde@gmail.com, Adrià Massanet: adriamassanet@gmail.com, Jorge Correa: jacorream@gmail.com, Ramiro Pulgar: ramiro.pulgar@owasp.org, German Alonso Suárez Guerrero: german.suarez@owasp.org, Jose A. Guasch: jaguasch@gmail.com, Edgar Salazar: edgar.salazar@owasp.org
  • Ukrainian 2013: OWASP Top 10 2013 - Ukrainian PDF
    Kateryna Ovechenko, Yuriy Fedko, Gleb Paharenko, Yevgeniya Maskayeva, Sergiy Shabashkevich, Bohdan Serednytsky

2010 Completed Translations:

Project Sponsors

The OWASP Top 10 - 2017 project was sponsored by Autodesk. Thanks to Aspect Security for sponsoring earlier versions.

Autodesk

OWASP Top 10 2020 Data Analysis Plan

Goals

To collect the most comprehensive dataset related to identified application vulnerabilities to-date to enable analysis for the Top 10 and other future research as well. This data should come from a variety of sources; security vendors and consultancies, bug bounties, along with company/organizational contributions. Data will be normalized to allow for level comparison between Human assisted Tooling and Tooling assisted Humans.


Analysis Infrastructure

Plan to leverage the OWASP Azure Cloud Infrastructure to collect, analyze, and store the data contributed.


Contributions

We plan to support both known and pseudo-anonymous contributions. The preference is for contributions to be known; this immensely helps with the validation/quality/confidence of the data submitted. If the submitter prefers to have their data stored anonymously and even go as far as submitting the data anonymously, then it will have to be classified as “unverified” vs. “verified”.

Verified Data Contribution

Scenario 1: The submitter is known and has agreed to be identified as a contributing party.
Scenario 2: The submitter is known but would rather not be publicly identified.
Scenario 3: The submitter is known but does not want it recorded in the dataset.

Unverified Data Contribution

Scenario 4: The submitter is anonymous. (Should we support?)

The analysis of the data will be conducted with a careful distinction when the unverified data is part of the dataset that was analyzed.


Contribution Process

There are a few ways that data can be contributed:

  1. Email a CSV/Excel file with the dataset(s) to brian.glas@owasp.org
  2. Upload a CSV/Excel file to a “contribution folder” (coming soon)

Template examples can be found in GitHub: https://github.com/OWASP/Top10/tree/master/2021/Data


Contribution Period

We plan to accept contributions to the new Top 10 from May to Nov 30, 2020 for data dating from 2017 to current.


Data Structure

The following data elements are required or optional.
The more information provided the more accurate our analysis can be.
At a bare minimum, we need the time period, total number of applications tested in the dataset, and the list of CWEs and counts of how many applications contained that CWE.
If at all possible, please provide the additional metadata, because that will greatly help us gain more insights into the current state of testing and vulnerabilities.

Metadata

  • Contributor Name (org or anon)
  • Contributor Contact Email
  • Time period (2019, 2018, 2017)
  • Number of applications tested
  • Type of testing (TaH, HaT, Tools)
  • Primary Language (code)
  • Geographic Region (Global, North America, EU, Asia, other)
  • Primary Industry (Multiple, Financial, Industrial, Software, ??)
  • Whether or not data contains retests or the same applications multiple times (T/F)

CWE Data

  • A list of CWEs w/ count of applications found to contain that CWE

If at all possible, please provide core CWEs in the data, not CWE categories.
This will help with the analysis, any normalization/aggregation done as a part of this analysis will be well documented.

Note:

If a contributor has two types of datasets, one from HaT and one from TaH sources, then it is recommended to submit them as two separate datasets.
HaT = Human assisted Tools (higher volume/frequency, primarily from tooling)
TaH = Tool assisted Human (lower volume/frequency, primarily from human testing)


Survey

Similarly to the Top Ten 2017, we plan to conduct a survey to identify up to two categories of the Top Ten that the community believes are important, but may not be reflected in the data yet. We plan to conduct the survey in May or June 2020, and will be utilizing Google forms in a similar manner as last time. The CWEs on the survey will come from current trending findings, CWEs that are outside the Top Ten in data, and other potential sources.


Process

At a high level, we plan to perform a level of data normalization; however, we will keep a version of the raw data contributed for future analysis. We will analyze the CWE distribution of the datasets and potentially reclassify some CWEs to consolidate them into larger buckets. We will carefully document all normalization actions taken so it is clear what has been done.

We plan to calculate likelihood following the model we developed in 2017 to determine incidence rate instead of frequency to rate how likely a given app may contain at least one instance of a CWE. This means we aren’t looking for the frequency rate (number of findings) in an app, rather, we are looking for the number of applications that had one or more instances of a CWE. We can calculate the incidence rate based on the total number of applications tested in the dataset compared to how many applications each CWE was found in.

In addition, we will be developing base CWSS scores for the top 20-30 CWEs and include potential impact into the Top 10 weighting.

Also, would like to explore additional insights that could be gleaned from the contributed dataset to see what else can be learned that could be of use to the security and development communities.

Watch Star