A1 – Injection
Injection flaws, such as SQL, OS, and LDAP injection occur
when untrusted data is sent to an interpreter as part of a command or query.
The attacker’s hostile data can trick the interpreter into executing unintended
commands or accessing data without proper authorization.
A2 – Broken
Authentication and Session Management
Application functions related to authentication and session
management are often not implemented correctly, allowing attackers to
compromise passwords, keys, or session tokens, or to exploit other
implementation flaws to assume other users’ identities.
A3 – Cross-Site
Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data
and sends it to a web browser without proper validation or escaping. XSS allows
attackers to execute scripts in the victim’s browser which can hijack user
sessions, deface web sites, or redirect the user to malicious sites
A4 – Insecure Direct
Object References
A direct object reference occurs when a developer exposes a
reference to an internal implementation object, such as a file, directory, or
database key. Without an access control check or other protection, attackers
can manipulate these references to access unauthorized data.
A5 – Security
Misconfiguration
Good security requires having a secure configuration defined
and deployed for the application, frameworks, application server, web server,
database server, and platform. Secure settings should be defined, implemented,
and maintained, as defaults are often insecure. Additionally, software should
be kept up to date.
A6 – Sensitive Data
Exposure
Many web applications do not properly protect sensitive
data, such as credit cards, tax IDs, and authentication credentials. Attackers
may steal or modify such weakly protected data to conduct credit card fraud,
identity theft, or other crimes. Sensitive data deserves extra protection such
as encryption at rest or in transit, as well as special precautions when
exchanged with the browser.
A7 – Missing Function
Level Access Control
Most web applications verify function level access rights
before making that functionality visible in the UI. However, applications need
to perform the same access control checks on the server when each function is
accessed. If requests are not verified, attackers will be able to forge
requests in order to access functionality without proper authorization.
A8 - Cross-Site
Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a
forged HTTP request, including the victim’s session cookie and any other
automatically included authentication information, to a vulnerable web
application. This allows the attacker to force the victim’s browser to generate
requests the vulnerable application thinks are legitimate requests from the
victim.
A9 - Using Components
with Known Vulnerabilities
Components, such as libraries, frameworks, and other
software modules, almost always run with full privileges. If a vulnerable component
is exploited, such an attack can facilitate serious data loss or server
takeover. Applications using components with known vulnerabilities may
undermine application defenses and enable a range of possible attacks and
impacts.
A10 – Invalidated
Redirects and Forwards
Web applications frequently redirect and forward users to
other pages and websites, and use untrusted data to determine the destination
pages. Without proper validation, attackers can redirect victims to phishing or
malware sites, or use forwards to access unauthorized page.
