Open-source group names 10 scariest Web vulnerabilities

The Open Web Application Security Project today released a list of the top 10 vulnerabilities in Web applications and services.

The group said it wants to focus government and private-sector attention on common weaknesses 'that require immediate remediation.'

'Also, in the longer term, this list is intended to be used by development teams and their managers during project planning,' the report noted. 'Ultimately, Web application developers must achieve a culture shift that integrates security into every aspect of their projects.'

OWASP is a volunteer open-source community project created to bring attention to security for online apps. It patterned its list on the SANS Institute and FBI top 20 list of network loopholes. Like the SANS-FBI list, the OWASP vulnerabilities are well known, but continue to represent significant risk because they are widespread. They can be exploited through ordinary HTTP requests that intrusion detection systems do not flag and that firewalls pass through to servers regardless of how well those servers are hardened.

The vulnerabilities, which focus on categories of problems rather than on specific applications, are:

  • Unvalidated parameters, which let information be used by an app before it has been validated

  • Broken access control, in which restrictions on authorized users are not enforced

  • Broken account and session management, which leave inadequately protected account credentials and session tokens vulnerable to hijacking

  • Cross-site scripting flaws, which let attacks be passed by an app to a browser

  • Buffer overflows, which can crash an application and allow it to be taken over

  • Command injection flaws, in which improper commands are passed by the app to another system for execution

  • Error-handling problems, which can provide an attacker with unintended information or deny service when errors occur

  • Insecure use of cryptography, which provides weak protection when cryptography code is not properly integrated

  • Remote administration flaws, in which administrative functions are not well protected

  • Web and application server misconfiguration.
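Several of the categories above come down to the same handful of habits: validate every parameter before use, encode data on output, generate session tokens from a cryptographically secure source, and keep error details out of responses. The following is an added example written for this page, not code from OWASP or from the report; it shows those habits in a small Python request handler. The endpoint, the `PROFILES` store and the function names are constructed for illustration.

```python
import html
import logging
import re
import secrets

log = logging.getLogger("example")

# Constructed sample backing store; a real app would query a database.
PROFILES = {"alice": "Alice Example", "bob": "Bob Example"}

# Allowlist pattern: accept only the characters a username legitimately needs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(raw):
    """Unvalidated parameters: reject anything outside the allowlist before it is used."""
    if not isinstance(raw, str) or not USERNAME_RE.fullmatch(raw):
        raise ValueError("username failed validation")
    return raw


def render_greeting(name):
    """Cross-site scripting: encode on output so data is never interpreted as markup."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def new_session_token():
    """Session management: tokens from a CSPRNG, never predictable or sequential values."""
    return secrets.token_urlsafe(32)


def handle_request(params):
    """Error handling: generic messages to the client, specifics only to the server log.

    Returns an (HTTP status, response body) tuple for the hypothetical endpoint.
    """
    try:
        user = validate_username(params.get("user"))
    except ValueError:
        # Log the rejected input for detection; tell the client nothing about why.
        log.warning("rejected request, params=%r", params)
        return 400, "Bad request"
    try:
        display_name = PROFILES[user]
        return 200, render_greeting(display_name)
    except Exception:
        # The traceback goes to the log, not to the response body.
        log.exception("profile lookup failed for user %r", user)
        return 500, "Internal error"


if __name__ == "__main__":
    print(handle_request({"user": "alice"}))
    print(handle_request({"user": "<script>alert(1)</script>"}))
    print(handle_request({"user": "carol"}))
    print(new_session_token())
```

The validation step runs before the parameter touches anything else, so a hostile value is turned away with a generic 400 and a log line rather than reaching the lookup or the template; the output encoding is still applied to the stored display name, because a value that was valid as a username is not automatically safe as HTML.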

The complete report is available on the organization's Web site,

    About the Author

    William Jackson is a Maryland-based freelance writer.

