The Open Web Application Security Project (OWASP) is a non-profit charitable organization and a global reference for a wide range of vulnerability types. The OWASP Top 10 lists the most impactful application security risks, based on a large number of data sets and on opinions surveyed from many industry professionals. Three editions have been released this decade: 2010, 2013, and 2017.
Let’s look at the OWASP Top 10 vulnerabilities.
A1- Injection
Injection vulnerabilities occur when untrusted user data is passed to an interpreter (for example as part of a SQL query or a shell command) without proper validation or escaping, so the application processes it in an unsafe way.
A2- Broken Authentication
These vulnerabilities occur when web applications fail to implement secure authentication mechanisms, for example through weak password policies or weak storage of credentials.
A3- Sensitive Data Exposure
Sensitive data exposure vulnerabilities occur when security controls are not implemented properly for data in transit and data at rest.
A4- XML External Entities
XXE vulnerabilities occur when untrusted XML input that references an external entity is accepted and parsed by a vulnerable XML parser.
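External entities, like entity-expansion bombs, can only be declared inside a DTD, so a parser-independent mitigation is to refuse any untrusted document that carries a `DOCTYPE` or `ENTITY` declaration before it reaches the parser. The block below is an added example, not code from the original post; the order document, its prices and the `file:///placeholder/local/file` URI are all constructed. It layers that check in front of Python's standard `xml.etree.ElementTree`; in production the `defusedxml` package provides the same protections as drop-in replacements.

```python
import re
import xml.etree.ElementTree as ET

# A DTD is required to declare entities at all, so its presence in untrusted input
# is reason enough to reject the document (case-insensitive match on raw bytes).
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def is_rejected(data: bytes) -> bool:
    """True when the document declares a DTD or entity and must not be parsed."""
    return _DTD_MARKERS.search(data) is not None


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Reject DTD-bearing input, then parse with the standard library parser."""
    if is_rejected(data):
        raise ValueError("XML containing a DOCTYPE or ENTITY declaration was rejected")
    return ET.fromstring(data)


def order_total(data: bytes) -> float:
    """Sum the constructed <item price="..."/> elements of an order document."""
    root = parse_untrusted_xml(data)
    return sum(float(item.get("price")) for item in root.iter("item"))


# Constructed sample inputs (not from the page).
BENIGN = b'<order><item price="9.50"/><item price="0.50"/></order>'
XXE_ATTEMPT = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/local/file">]>'
    b'<order><item price="&ext;"/></order>'
)

if __name__ == "__main__":
    print(order_total(BENIGN))
    print(is_rejected(XXE_ATTEMPT))
```

Rejecting the DTD up front means the outcome does not depend on which parser, library version or default feature flags are in use, which is the usual source of XXE regressions when an application changes XML stacks.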
A5- Broken Access Control
Broken access control vulnerabilities occur when developers fail to implement proper access control policies within the web application.
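The most common form is an object reference taken straight from the request with no ownership check. The block below is an added example, not code from the original post: the invoice records, user names and roles are constructed. It contrasts a handler that returns whatever id was requested with one that denies by default and allows only the owner or a staff role, returning the same error for "not found" and "forbidden" so the response does not reveal which ids exist.

```python
# Constructed in-memory data (not from the page): invoices belong to customers,
# and a "staff" role may read any invoice.
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 75.0},
}
ROLES = {"alice": "customer", "bob": "customer", "carol": "staff"}


def get_invoice_vulnerable(invoice_id: int, current_user: str) -> dict:
    """Vulnerable: trusts the id from the request; any logged-in user reads any invoice."""
    return INVOICES[invoice_id]


def can_read(invoice_id: int, current_user: str) -> bool:
    """Policy check: owner or staff only. Missing ids are treated exactly like forbidden ones."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return False
    return invoice["owner"] == current_user or ROLES.get(current_user) == "staff"


def get_invoice(invoice_id: int, current_user: str) -> dict:
    """Hardened: deny by default; the policy is evaluated on every access, server side."""
    if not can_read(invoice_id, current_user):
        raise PermissionError("invoice not available to this user")
    return INVOICES[invoice_id]


if __name__ == "__main__":
    print(get_invoice(101, "alice"))
    print(can_read(102, "alice"), can_read(102, "carol"))
```

Keeping the decision in one function (`can_read`) is what makes the policy testable and reviewable; scattering ad-hoc checks across handlers is how individual endpoints end up missing one.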
A6- Security Misconfiguration
Security misconfiguration of application frameworks, servers, databases, and similar components allows attackers to access privileged data without authorization.
A7- Cross-Site Scripting
Cross-site scripting (XSS) vulnerabilities occur when untrusted input is included in a web page without proper output encoding, allowing attacker-controlled scripts to run in other users' browsers.
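The fix is output encoding chosen for the context the value lands in. The block below is an added example, not code from the original post: it renders the same constructed user-supplied string once by raw concatenation (vulnerable) and once through Python's `html.escape`, in both an element-body context and a quoted-attribute context.

```python
import html


def render_greeting_vulnerable(name: str) -> str:
    """Vulnerable: untrusted input is spliced into the document as markup."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting(name: str) -> str:
    """Hardened (element body): encode <, >, & so the browser shows them as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def render_title_attribute(text: str) -> str:
    """Hardened (quoted attribute): the value must be quoted AND the quote characters encoded,
    otherwise input can close the attribute and start a new one."""
    return '<a href="/" title="' + html.escape(text, quote=True) + '">link</a>'


# Constructed sample inputs (not from the page).
BODY_INPUT = "<script>alert(1)</script>"
ATTR_INPUT = '" onmouseover="x'

if __name__ == "__main__":
    print(render_greeting_vulnerable(BODY_INPUT))
    print(render_greeting(BODY_INPUT))
    print(render_title_attribute(ATTR_INPUT))
```

Encoding is context-specific: what is safe inside an element body is not automatically safe inside an attribute, a JavaScript string, a URL or a CSS value, which is why template engines that auto-escape per context are preferable to hand-rolled concatenation.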
A8- Insecure Deserialization
Insecure deserialization occurs when untrusted structured data is deserialized into an object without validation. It can be exploited to perform various malicious actions such as remote code execution and injection attacks.
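In Python the native `pickle` format is the usual culprit: loading a pickle can resolve and call arbitrary importable callables. The block below is an added example, not code from the original post. It shows the allow-list `Unpickler.find_class` override the Python documentation describes, which refuses every global lookup not explicitly permitted, and beside it the better option for untrusted input: a data-only format (JSON) with an explicit schema check. The order record, its field names and the pickled samples are constructed.

```python
import io
import json
import os
import pickle

# Globals the restricted loader may resolve. Plain dicts, lists, strings and numbers
# never need one, so for pure data this set can stay empty.
ALLOWED_GLOBALS: set[tuple[str, str]] = set()


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any module.name lookup outside ALLOWED_GLOBALS (pattern from the Python docs)."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_to_load(data: bytes) -> bool:
    """True when the restricted loader accepts the pickle, False when it refuses a global."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


def load_order(json_text: str) -> dict:
    """Preferred path for untrusted input: a data-only format plus strict schema validation."""
    obj = json.loads(json_text)
    if not isinstance(obj, dict) or set(obj) != {"sku", "quantity"}:
        raise ValueError("unexpected fields")
    if not (isinstance(obj["sku"], str) and isinstance(obj["quantity"], int)
            and not isinstance(obj["quantity"], bool) and obj["quantity"] > 0):
        raise ValueError("bad field types")
    return obj


# Constructed samples: a data-only pickle, and one that merely references a callable.
# pickle.dumps does not run anything; a REDUCE opcode following such a reference would.
DATA_PICKLE = pickle.dumps({"sku": "A-1", "quantity": 2})
CALLABLE_PICKLE = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    print(safe_to_load(DATA_PICKLE), safe_to_load(CALLABLE_PICKLE))
    print(load_order('{"sku": "A-1", "quantity": 2}'))
```

The restricted unpickler is a containment measure for legacy formats you cannot replace; the JSON path removes the class of bug entirely, because no part of the input can name code to run.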
A9- Using Components with Known Vulnerabilities
Web applications use various components, such as libraries and frameworks, that may contain known vulnerabilities. Affected versions are publicly documented, so an attacker can easily identify them and exploit them to cause damage.
A10- Insufficient Logging and Monitoring
Application logs and trace logs should be maintained in the web application to track malicious activity. Without such controls, attackers can continue attacking systems and tamper with or destroy data undetected.
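Logging only pays off when something reads the logs. The block below is an added example, not code from the original post: it parses a few constructed authentication log lines (the format, user names and the RFC 5737 documentation addresses are all constructed) and flags an IP that produces a burst of failed logins inside a sliding window, plus any successful login from an IP already flagged, which is the pattern a credential-stuffing attempt leaves behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the page).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login_failed user=alice ip=203.0.113.7
2024-03-01T10:00:03Z login_failed user=bob ip=203.0.113.7
2024-03-01T10:00:04Z login_failed user=carol ip=203.0.113.7
2024-03-01T10:00:05Z login_failed user=dave ip=203.0.113.7
2024-03-01T10:00:06Z login_failed user=erin ip=203.0.113.7
2024-03-01T10:00:09Z login_ok user=frank ip=203.0.113.7
2024-03-01T10:02:00Z login_failed user=alice ip=198.51.100.9
2024-03-01T10:30:00Z login_failed user=alice ip=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line: str):
    """Return (timestamp, event, user, ip) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["event"], m["user"], m["ip"]


def detect_bruteforce(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Flag an IP once `threshold` failures fall inside a sliding `window`, and record any
    successful login from a flagged IP as suspicious."""
    recent_failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged_ips = set()
    suspicious_logins = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, user, ip = rec
        if event == "login_failed":
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                flagged_ips.add(ip)
        elif event == "login_ok" and ip in flagged_ips:
            suspicious_logins.append((user, ip))
    return flagged_ips, suspicious_logins


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))
```

The second source address fails twice, half an hour apart, and is correctly left alone; the first address crosses the threshold within seconds and its later success is surfaced for review. The same structure generalises to any event stream with a subject key and a timestamp, for example repeated authorization failures per user or per session token.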
Hope this was helpful.