The Open Web Application Security Project (OWASP) is an organization of security experts that publishes information about applications and the threats posed to them in a clear, accessible way.
The OWASP top 7 application security risks for 2017 include the following:
- Injection:
This is caused when untrusted data is sent to an application as part of a command or query, such as SQL, OS, XXE, or LDAP. It is possible when the application accepts input that is passed on to a back-end database, command, or call. SQL injection (SQLi) occurs when crafted input alters the query sent to the database, causing data to be exposed.
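As an added example (not code from the original article), the SQL injection case above in Python with the standard sqlite3 module: a login query built by string concatenation beside its parameterised form, both run against a constructed in-memory table.

```python
import sqlite3

# Constructed sample database (not from the original page): two accounts.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so user input becomes SQL."""
    query = ("SELECT username, role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()

def login_safe(conn, username, password):
    """Parameterised query: the driver passes input as data, never as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def demo():
    conn = make_db()
    # Tautology input: in the concatenated query the WHERE clause becomes
    # (username = 'anyone' AND password = '') OR '1'='1', which is always true,
    # so every row is returned without a valid password.
    tautology = "' OR '1'='1"
    leaked = login_vulnerable(conn, "anyone", tautology)
    # The same input as a bound parameter is compared literally and matches nothing.
    safe = login_safe(conn, "anyone", tautology)
    # Legitimate credentials still work through the parameterised query.
    legit = login_safe(conn, "alice", "s3cret")
    return leaked, safe, legit

if __name__ == "__main__":
    leaked, safe, legit = demo()
    print("vulnerable:", leaked)    # both rows exposed
    print("parameterised:", safe)   # []
    print("legit login:", legit)    # [('alice', 'admin')]
```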
- Broken authentication:
If an application's authentication and session management functions are implemented improperly, attackers can easily obtain user credentials and misuse them.
- Sensitive data exposure:
It happens when security controls such as HTTPS are implemented incorrectly, allowing attackers to steal user credentials and other sensitive data. Authenticated access and data encryption are therefore essential.
- XML External Entity (XXE) attack:
It occurs in applications that parse XML with a weakly configured XML parser. The XML input contains a reference to an external entity that can leak confidential data, cause server-side request forgery or denial of service, enable port scanning from the machine hosting the parser, etc.
- Broken Access Control:
It occurs when restrictions on what users are permitted to do are not enforced, letting attackers access data they should not see. The application should perform strict authorization checks and define proper access control rules.
- Security Misconfiguration:
It occurs when applications, frameworks, servers, databases, and custom code are not kept updated and securely configured, which lets attackers access privileged data.
- Cross-Site Scripting (XSS):
This flaw lets attackers inject client-side scripts into web pages. It usually occurs when an application accepts user input without controlling how that input is output. It damages websites by, for example, redirecting users to other sites. Stored XSS, DOM-based XSS, and reflected XSS are its main types.