The OWASP top 10 is a list of the most common vulnerabilities in web applications. The list is periodically updated on the basis of the developments of the past year.
What is OWASP?
OWASP is an organization committed to a safer world. OWASP stands for Open Web Application Security Project.
What does the OWASP top 10 consist of?
The most common vulnerabilities according to OWASP are:
- Injection – attackers can inject malicious code
- Broken authentication – The secure environment contains vulnerabilities
- Sensitive Data Exposure – Sensitive data is available to attackers
- XML External Entities – Type of attack in XML endpoints
- Broken Access control – Logged in users have access to functionality that should be restricted
- Security Misconfiguration – The system is configured insecurely
- Insecure Deserialization – Packed objects are insecure unpacked, allowing attackers to take over the system
- Using Components with known vulnerabilities – The software uses libraries that contain known vulnerabilities
- Insufficient logging and monitoring – Attackers can go about their business undisturbed without anyone noticing
What’s new in the OWASP top 10 2021 update?
The OWASP top 10 has recently been updated. The order has changed and a number of categories have been merged, creating space for new vulnerabilities. The big newcomer (albeit in 10th place) is Server-Side Request Forgery (SSRF). Curious about what SSRF is all about? We explain it in our knowledge base article.
Am I safe if I do not have any vulnerabilities from the OWASP top 10?
Not necessarily. The top ten are the most common web application vulnerabilities. This means that the vulnerabilities for other assets such as domain controllers, printers or workplaces can be very different. In addition, they are the 10 most common, not the only 10.
Is the Website Security Check tested for the OWASP top 10?
Yes, all CyberAnt products test for the OWASP top 10. In addition, the Website security check also checks for vulnerabilities that are not in the OWASP top 10.
Does a Pentest check for the OWASP top 10?
Yes, the pentest checks for the OWASP top 10, but also for other known vulnerabilities. In addition, we look for vulnerabilities that have not yet been found by anyone, the so-called zero days.