Open-source group names 10 scariest Web vulnerabilities

The Open Web Application Security Project today released a list of the top 10 vulnerabilities in Web applications and services.

The group said it wants to focus government and private-sector attention on common weaknesses 'that require immediate remediation.'

'Also, in the longer term, this list is intended to be used by development teams and their managers during project planning,' the report noted. 'Ultimately, Web application developers must achieve a culture shift that integrates security into every aspect of their projects.'

OWASP is a volunteer open-source community project created to bring attention to security for online apps. It patterned its list on the SANS Institute and FBI top 20 list of network loopholes. Like the SANS-FBI list, the OWASP vulnerabilities are well known, but they continue to represent significant risk because they are widespread. They can be exploited by code carried in HTTP requests, which is not noticed by intrusion detection systems and passes through firewalls and into servers despite hardening.

The vulnerabilities, which focus on categories of problems rather than on specific applications, are:

  • Unvalidated parameters, which let information be used by an app before it is validated

  • Broken access control, in which restrictions on authorized users are not enforced

  • Broken account and session management, which leave inadequately protected account credentials and session tokens vulnerable to hijacking

  • Cross-site scripting flaws, which let attacks be passed by an app to a browser

  • Buffer overflows, which can crash an application and allow it to be taken over

  • Command injection flaws, in which improper commands are passed by the app to another system for execution

  • Error-handling problems, which can provide an attacker with unintended information or deny service when errors occur

  • Insecure use of cryptography, which provides weak protection when cryptography code is not properly integrated

  • Remote administration flaws, in which administrative functions are not well protected

  • Web and application server misconfiguration.

The complete report is available on the organization's Web site.

About the Author

William Jackson is a Maryland-based freelance writer.
