OWASP - User contributions [en]

Talk:CRV2 SecDepConfig

2013-06-05T21:38:32Z

Simon Whittaker: Trying to create structure of the page

I've put some notes in here for expansion, I realise I'm not down as the author but wanted to share some thoughts. These are sketchy notes atm but will expand.

The aim of the process is to ensure only users with required access have permission to push to production

* Developer pushes to version control & submits pull request
* Lead developer performs review process
* Lead Developer pulls changes to master

'''Capistrano for automated deployment'''
* Create capdeploy user on $evironment with write permissions on relevant directories
* SSH key authentication only
* Capistrano ''cap deploy $environment'' pushes to correct environment
*

OWASP Code Review V2 Table of Contents

2013-06-05T21:08:03Z

Simon Whittaker:

= '''OWASP Code Review Guide v2.0:''' =

==Forward==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Guide_History]]
# [[CRV2_Forward|Put content here]]

== Code Review Guide Introduction==
# Author - Eoin Keary
# Previous version to be updated:[[https://www.owasp.org/index.php/Code_Review_Introduction]]
# [[CRV2_Introduction|Put content here]]

=== What is source code review and Static Analysis ===
# Author - Zyad Mghazli
# New Section
# [[CRV2_WhatIsCodeReview|Put content here]]

=== Manual Review - Pros and Cons ===
# Author - Ashish Rao
# New Section
# Suggestion: Benchmark of different Stataic Analysis Tools Zyad Mghazli
# Suggestion: Highlight the advantages of code review to the department/team - Gary David Robinson
# [[CRV2_ManualReviewProsCons|Put content here]]

=== Why code review ===
==== Scope and Objective of secure code review ====
# Author - Ashish Rao
# [[CRV2_WhyCodeReview|Put content here]]

=== We can't hack ourselves secure ===
# Author - Prathamesh Mhatre
# New Section
# [[CRV2_CantHackSecure|Put content here]]

=== 360 Review: Coupling source code review and Testing / Hybrid Reviews===
# Author - Ashish Rao
# New Section
# [[CRV2_360Review|Put content here]]

=== Can static code analyzers do it all? ===
# Author - Ashish Rao
# New Section
# [[CRV2_CanStaticAnalyzersDoAll|Put content here]]

=Methodology=
===The code review approach===
#Author - Prathamesh Mhatre
# [[CRV2_CodeReviewApproach|Put content here]]

==== Preparation and context ====
# Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Preparation]]
# [[CRV2_PrepContext|Put content here]]

====Application Threat Modeling====
#Author - Andy, Renchie Joan
# Previous version to be updated: [[https://www.owasp.org/OCRG1.1:Application_Threat_Modeling]]
# [[CRV2_AppThreatModeling|Put content here]]

====Understanding Code layout/Design/Architecture====
#Author - Ashish Rao
# [[CRV2_CodeLayoutDesignArch|Put content here]]

===SDLC Integration===
#Author - Andy, Ashish Rao
# Previous version to be updated: [[https://www.owasp.org/index.php/Security_Code_Review_in_the_SDLC]]
# [[CRV2_SDLCInt|Put content here]]

====Deployment Models====
=====Secure deployment configurations=====
#Author - Ashish Rao
# [[CRV2_SecDepConfig|Put content here]]

# New Section
=====Metrics and code review=====
#Author - Andy
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Metrics]]
# [[CRV2_MetricsCodeRev|Put content here]]

=====Source and sink reviews=====
#Author - Ashish Rao
# New Section
# [[CRV2_SourceSinkRev|Put content here]]

=====Code review Coverage=====
#Author - Open
#Previous version to be updated: [[https://www.owasp.org/index.php/Code_Review_Coverage]]
# [[CRV2_CodeRevCoverage|Put content here]]

=====Design Reviews=====
#Author - Ashish Rao
*Why to review design?
**Building security in design - secure by design principle
**Design Areas to be reviewed
**Common Design Flaws
# [[CRV2_DesignRev|Put content here]]

=====A Risk based approach to code review=====
#Author - Renchie Joan
#New Section
*"Doing things right or doing the right things..."
**"Not all bugs are equal
# [[CRV2_RiskBasedApproach|Put content here]]

====Crawling code====
#Author - Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Crawling_Code]]
*API of Interest:
**Java
**.NET
**PHP
**RUBY
*Frameworks:
**Spring
**.NET MVC
**Structs
**Zend
#New Section
*Searching for code in C/C++
#Author - Gary Robinson

# [[CRV2_CrawlingCode|Put content here]]

====Code reviews and Compliance====
#Author -Manual Harti
# Previous version to be updated: [[https://www.owasp.org/index.php/Code_Reviews_and_Compliance]]
# [[CRV2_CodeRevCompliance|Put content here]]

=Reviewing by Techincal Control=
===Reviewing code for Authentication controls===
#Author - Anand Prakash, Joan Renchie
# [[CRV2_AuthControls|Put content here]]

====Forgot password====
#Author Abbas Naderi
# [[CRV2_ForgotPassword|Put content here]]

====Authentication====
#Author - Anand Prakash, Joan Renchie
# [[CRV2_Authentication|Put content here]]

====CAPTCHA====
#Author Larry Conklin, Joan Renchie
# [[CRV2_CAPTCHA|Put content here]]

====Out of Band considerations====
#Author - Open
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authentication]]
# [[CRV2_OutofBand|Put content here]]

===Reviewing code Authorization weakness===
#Author Ashish Rao
# [[CRV2_AuthorizationWeaknesses|Put content here]]

====Checking authz upon every request====
#Author - Abbas Naderi, Joan Renchie
# [[CRV2_CheckAuthzEachRequest|Put content here]]

====Reducing the attack surface====
#Author Chris Berberich
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Authorization]]
# [[CRV2_ReducingAttSurf|Put content here]]

====Reviewing code for Session handling====
#Author - Palak Gohil, Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Session-Management]]
# [[CRV2_SessionHandling|Put content here]]

====Reviewing client side code====
#New Section
# [[CRV2_ClientSideCodeIntro|Put content here]]

=====Javascript=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJScript|Put content here]]

=====JSON=====
#Author - Open
# [[CRV2_ClientSideCodeJSon|Put content here]]

=====Content Security Policy=====
#Author - Open
# [[CRV2_ClientSideCodeContSecPolicy|Put content here]]

====="Jacking"/Framing=====
#Author - Abbas Naderi
# [[CRV2_ClientSideCodeJackingFraming|Put content here]]

=====HTML 5?=====
#Author - Sebastien Gioria
# [[CRV2_ClientSideCodeHTML5|Put content here]]

=====Browser Defenses policy=====
#Author - Open
# [[CRV2_ClientSideCodeBrowserDefPol|Put content here]]

=====etc...=====

====Review code for input validation====
#Author - Open
# [[CRV2_InputValIntro|Put content here]]

=====Regex Gotchas=====
#Author - Abbas Naderi
#New Section
# [[CRV2_InputValRegexGotchas|Put content here]]

=====ESAPI=====
#Author - Abbas Naderi
#New Section
# Internal Link: [[https://www.owasp.org/index.php/Codereview-Input_Validation]]
# [[CRV2_InputValESAPI|Put content here]]

====Reviewing code for contextual encoding====
=====HTML Attribute=====
#Author - Shenai Silva
# [[CRV2_ContextEncHTMLAttribute|Put content here]]

=====HTML Entity=====
#Author - Shenai Silva
# [[CRV2_ContextEncHTMLEntity|Put content here]]

=====Javascript Parameters=====
#Author - Open
# [[CRV2_ContextEncJscriptParams|Put content here]]

=====JQuery=====
#Author - Abbas Naderi
# [[CRV2_ContextEncJQuery|Put content here]]

====Reviewing file and resource handling code====
#Author - Open
# [[CRV2_FileResourceHandling|Put content here]]

====Resource Exhaustion - error handling====
#Author - Abbas Naderi
# [[CRV2_ResourceExhaustionErrHandling|Put content here]]

=====native calls=====
#Author Abbas Naderi
# [[CRV2_ResourceExhaustionNativeCalls|Put content here]]

====Reviewing Logging code - Detective Security====
#Author - Palak Gohil
* Where to Log
* What to log
* What not to log
* How to log
# Internal link: [[https://www.owasp.org/index.php/Logging_Cheat_Sheet]]
# [[CRV2_LoggingCode|Put content here]]

====Reviewing Error handling and Error messages====
#Author - Gary Robinson
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Error-Handling]]
# [[CRV2_ErrorHandlingMessages|Put content here]]

====Reviewing Security alerts====
#Author - Open
# [[CRV2_SecurityAlerts|Put content here]]

====Review for active defense====
#Author - Colin Watson
# [[CRV2_ActiveDefense|Put content here]]

====Reviewing Secure Storage====
#Author - Azzeddine Ramrami
# New Section
# [[CRV2_SecureStorage|Put content here]]

====Hashing & Salting - When, How and Where====
=====Encrpyption=====
======.NET======
#Author Larry Conklin, Joan Renchie
# Previous version to be updated: [[https://www.owasp.org/index.php/Codereview-Cryptographic_Controls]]
*''Can we talk about key storage as well i.e. key management for encryption techniques used in the application? - Ashish Rao''
# [[CRV2_HashingandSaltingdotNet|Put content here]]

=Reviewing by Vulnerability=
===Review Code for XSS===
#Author Palak Gohil, Anand Prakash
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Scripting]]
# In reviewing code for XSS - we can give more patterns on "source to sink" patterns for ASP.NET wrf to difference versions and mechanisms to display data in a page - Ashish Rao
# [[CRV2_RevCodeXSS|Put content here]]

===Persistent - The Anti pattern===
#Author Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodePersistentAntiPatterndotNet|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodePersistentAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodePersistentAntiPatternPHP|Put content here]]

====Ruby====
#Author Chris Berberich
# [[CRV2_RevCodePersistentAntiPatternRuby|Put content here]]

===Reflected - The Anti pattern===
# [[CRV2_RevCodeReflectedAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodeReflectedAntiPatterndotNet|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodeReflectedAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodeReflectedAntiPatternPHP|Put content here]]

====Ruby====
# Author - Open
# [[CRV2_RevCodeReflectedAntiPatternIRuby|Put content here]]

===Stored - The Anti pattern===
# Author - Open
# [[CRV2_RevCodeStoredAntiPatternIntro|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_RevCodeStoredAntiPatterndotNET|Put content here]]

====.Java====
#Author Palak Gohil
# [[CRV2_RevCodeStoredAntiPatternJava|Put content here]]

====PHP====
#Author Mohammed Damavandi, Abbas Naderi
# [[CRV2_RevCodeStoredAntiPatternPHP|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_RevCodeStoredAntiPatternRuby|Put content here]]

===DOM XSS ===
#Author Larry Conklin
# [[CRV2_DOMXSS|Put content here]]

===JQuery mistakes===
#Author Shenal Silva
# [[CRV2_JQueryMistakes|Put content here]]

===Reviewing code for SQL Injection===
#Author Palak Gohil, Renchie Joan
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection]]
# [[CRV2_RevCodeSQLInjection|Put content here]]

====PHP====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjPHP|Put content here]]

====Java====
#Author - Open
# [[CRV2_SQLInjJava|Put content here]]

====.NET====
#Author - Mennouchi Islam Azeddine
# [[CRV2_SQLInjdotNET|Put content here]]

====HQL====
#Author - Open
# [[CRV2_SQLInjHQL|Put content here]]

===The Anti pattern===
====PHP====
#Author - Mohammad Damavandi, Abbas Naderi
# [[CRV2_AntiPatternPHP|Put content here]]

====Java====
#Author - Palak Gohil
#=> Searching for traditional SQL,JPA,JPSQL,Criteria,...
# [[CRV2_AntiPatternJava|Put content here]]

====.NET====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_AntiPatterndotNet|Put content here]]

====Ruby====
#Author - Open
# [[CRV2_AntiPatternRuby|Put content here]]

====Cold Fusion====
#Author - Open
# [[CRV2_AntiPatternColdFusion|Put content here]]

===Reviewing code for CSRF Issues===
#Author Palak Gohil,Anand Prakash, Abbas Naderi
# Previous version to be updated: [[https://www.owasp.org/index.php/Reviewing_Code_for_Cross-Site_Request_Forgery]]
# [[CRV2_CSRFIssues|Put content here]]

===Transactional logic / Non idempotent functions / State Changing Functions===
#Author Abbas Naderi
# [[CRV2_TransLogic|Put content here]]

===Reviewing code for poor logic /Business logic/Complex authorization===
#Author - Sam Denard
# [[CRV2_PoorLogic|Put content here]]

===Reviewing Secure Communications===
====.NET Config====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_SecCommsdotNet|Put content here]]

====Spring Config====
#Author - Open
# [[CRV2_SecCommsSpringConfig|Put content here]]

====HTTP Headers====
#Author Gregory Disney, Abbas Naderi
# [[CRV2_SecCommsHTTPHdrs|Put content here]]

=====CSP=====
#Author Gregory Disney
# [[CRV2_SecCommsHTTPHdrsCSP|Put content here]]

=====HSTS=====
#Author Abbas Naderi
# [[CRV2_SecCommsHTTPHSTS|Put content here]]

===Tech-Stack pitfalls===
#Author Gregory Disney
# [[CRV2_TechStackPitfalls|Put content here]]

===Framework specific Issues===
====Spring====
#Author - Open
# [[CRV2_FrameworkSpecIssuesSpring|Put content here]]

====Structs====
#Author - Open
# [[CRV2_FrameworkSpecIssuesStructs|Put content here]]

====Drupal====
#Author Gregory Disney
# [[CRV2_FrameworkSpecIssuesDurpal|Put content here]]

====Ruby on Rails====
#Author - Open
# [[CRV2_FrameworkSpecIssuesROR|Put content here]]

====Django====
#Author Gregory Disney
# [[CRV2_FrameworkSpecIssuesDjango|Put content here]]

====.NET Security / MVC====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesdotNetMVC|Put content here]]

====Security in ASP.NET applications====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNet|Put content here]]

=====Strongly Named Assemblies=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetStrongAssembiles|Put content here]]

======Round Tripping======
# Author - Open
# [[CRV2_FrameworkSpecIssuesASPNetRT|Put content here]]

======How to prevent Round tripping======
# Author - Open
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetRTPrevention|Put content here]]

=====Setting the right Configurations=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetConfigs|Put content here]]

=====Authentication Options=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetAuth|Put content here]]

=====Code Review for Managed Code - .Net 1.0 and up=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetManagedCode|Put content here]]

=====Using OWASP Top 10 as your guideline=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPTop10|Put content here]]

=====Code review for Unsafe Code (C#)=====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesASPNetUnsafeCode|Put content here]]

====PHP Specific Issues====
#Author Mohammad Damavandi, Abbas Naderi
# [[CRV2_FrameworkSpecIssuesPHP|Put content here]]

====Classic ASP====
#Author Johanna Curiel
# [[CRV2_FrameworkSpecIssuesASPClassic|Put content here]]

====C#====
#Author Johanna Curiel, Renchie Joan
# [[CRV2_FrameworkSpecIssuesCsharp|Put content here]]

====C/C++====
#Author Gary Robinson
# [[CRV2_FrameworkSpecIssuesCplusplus|Put content here]]

====Objective C====
#Author Open
# [[CRV2_FrameworkSpecIssuesObectiveC|Put content here]]

====Java====
#Author Palak Gohil
# [[CRV2_FrameworkSpecIssuesJava|Put content here]]

====Android====
#Author Open
# [[CRV2_FrameworkSpecIssuesAndroid|Put content here]]

====Coldfusion====
#Author Open
# [[CRV2_FrameworkSpecIssuesColdfusion|Put content here]]

=Security code review for Agile development=
#Author Open
# [[CRV2_CodeReviewAgile|Put content here]]

=Willing to review drafts=
#Terry Nerpester
#Larry Conklin
#Gary Robinson
#Simon Whittaker

Top 10 2013-A4-Insecure Direct Object References

2013-04-30T13:20:19Z

Simon Whittaker: fixed formatting of notmyacct

{{Top_10_2013:TopTemplate
|usenext=2013NextLink
|next={{Top_10_2010:ByTheNumbers
|5
|year=2013}}
|useprev=2013PrevLink
|prev={{Top_10_2010:ByTheNumbers
|3
|year=2013}}
}}

{{Top_10_2010:SummaryTableHeaderBeginTemplate|year=2013}}
{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY|year=2013}}
{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON|year=2013}}
{{Top_10_2010:SummaryTableValue-1-Template|Detectability|EASY|year=2013}}
{{Top_10_2010:SummaryTableValue-2-Template|Impact|MODERATE|year=2013}}
{{Top_10_2010:SummaryTableHeaderEndTemplate|year=2013}}
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider the types of users of your system. Do any users have only partial access to certain types of system data?
.</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for. Is access granted?
</td>
<td colspan=2 {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws and code analysis quickly shows whether authorization is properly verified.
</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Such flaws can compromise all the data that can be referenced by the parameter. Unless the name space is sparse, it’s easy for an attacker to access all available data of that type.
</td>
<td {{Template:Top 10 2010:SummaryTableRowStyleTemplate}}>Consider the business value of the exposed data.

Also consider the business impact of public exposure of the vulnerability.
</td>
{{Top_10_2010:SummaryTableEndTemplate}}

{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=vulnerableTo|position=firstLeft|risk=4|year=2013}}
The best way to find out if an application is vulnerable to insecure direct object references is to verify that all object references have appropriate defenses. To achieve this, consider:
# For direct references to restricted resources, the application needs to verify the user is authorized to access the exact resource they have requested.
# If the reference is an indirect reference, the mapping to the direct reference must be limited to values authorized for the current user.

Code review of the application can quickly verify whether either approach is implemented safely. Testing is also effective for identifying direct object references and whether they are safe. Automated tools typically do not look for such flaws because they cannot recognize what requires protection or what is safe or unsafe.
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=howPrevent|position=right|risk=4|year=2013}}
Preventing insecure direct object references requires selecting an approach for protecting each user accessible object (e.g., object number, filename):

# Use per user or session indirect object references. This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource’s database key, a drop down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server. OWASP’s [https://www.owasp.org/index.php/ESAPI ESAPI] includes both sequential and random access reference maps that developers can use to eliminate direct object references.
# Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=example|position=left|risk=4|year=2013}}
The application uses unverified data in a SQL call that is accessing account information:
{{Top_10_2010:ExampleBeginTemplate}}<nowiki>
String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query , … );

{{red|pstmt.setString( 1, request.getParameter("acct"));}}

ResultSet results = pstmt.executeQuery( );
</nowiki>{{Top_10_2010:ExampleEndTemplate}}

The attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If not verified, the attacker can access any user’s account, instead of only the intended customer’s account.
{{Top_10_2010:ExampleBeginTemplate}}
<nowiki>http://example.com/app/accountInfo?acct=</nowiki><span style="color:red;"><nowiki>notmyacct</nowiki></span>
{{Top_10_2010:ExampleEndTemplate}}
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=references|position=right|risk=4|year=2013}}
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
* [https://www.owasp.org/index.php/Top_10_2007-Insecure_Direct_Object_Reference OWASP Top 10-2007 on Insecure Dir Object References]
* [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessReferenceMap.html ESAPI Access Reference Map ]API
* [http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/org/owasp/esapi/AccessController.html ESAPI Access Control API] (See isAuthorizedForData(), isAuthorizedForFile(), isAuthorizedForFunction() )

For additional access control requirements, see the [https://www.owasp.org/index.php/ASVS ASVS requirements area for Access Control (V4)].

{{Top_10_2010:SubSubsectionExternalReferencesTemplate}}
* [http://cwe.mitre.org/data/definitions/639.html CWE Entry 639 on Insecure Direct Object References]
* [http://cwe.mitre.org/data/definitions/22.html CWE Entry 22 on Path Traversal] (which is an example of a Direct Object Reference attack)

{{Top_10_2013:BottomAdvancedTemplate
|type={{Top_10_2010:StyleTemplate}}
|usenext=2013NextLink
|next={{Top_10_2010:ByTheNumbers
|5
|year=2013}}
|useprev=2013PrevLink
|prev={{Top_10_2010:ByTheNumbers
|3
|year=2013}}}}

[[Category:OWASP Top Ten Project]]