2004 Updates OWASP Top Ten Project
- What's new?
- OWASP has come a long way since the last top was released in January 2003. This update incorporates all the discussion and up to date views, opinions and debate in the OWASP community over the past 12 months. Overall, there have been minor improvements to all parts of the Top Ten, and only a few major changes:
- WAS-XML Alignment
- One of the new projects initiated in 2003 is the Web Application Security Technical Committee (WAS TC) at OASIS. The purpose of the WAS TC is to produce a classification scheme for web security vulnerabilities, a model to provide guidance for initial threat, impact and therefore risk ratings, and an XML schema to describe web security conditions that can be used by both assessment and protection tools. The OWASP Top Ten project has used the WAS TC as a reference for reprofiling the Top Ten to provide a standardized approach to the classification of web application security vulnerabilities. The WAS Thesaurus defines a standard language for discussing web application security, and we adopt that vocabulary here.
- Addition of Denial of Service
- The only top level category that changed was the addition of the A9 Denial of Service category to the list. Our research has shown that a broad array of organizations are susceptible to this type of attack. Based on the likelihood of a denial of service attack and the consequences if the attack succeeds, we have determined that it warrants inclusion in the Top Ten. To accommodate this new entry, we have combined last year’s A9 Remote Administration Flaws into the A2 Broken Access Control category as it is a special case of that category. We believe this is appropriate, as the types of flaws in A2 are typically the same as those in A9 and require the same types of remediation.
The table below highlights the relationship between the new Top Ten, last year’s Top Ten, and the WAS TC Thesaurus.
New Top Ten 2004
Top Ten 2003
New WAS Thesaurus
|A1 Unvalidated Input||A1 Unvalidated Parameters||Input Validation|
|A2 Broken Access Control|| A2 Broken Access Control
(A9 Remote Administration Flaws)
|A3 Broken Authentication and Session Management||A3 Broken Account and Session Management||Authentication and Session Management|
|A4 Cross Site Scripting (XSS) Flaws||A4 Cross Site Scripting (XSS) Flaws||Input Validation->Cross site scripting|
|A5 Buffer Overflows||A5 Buffer Overflows||Buffer Overflows|
|A6 Injection Flaws||A6 Command Injection Flaws||Input Validation->Injection|
|A7 Improper Error Handling||A7 Error Handling Problems||Error Handling|
|A8 Insecure Storage||A8 Insecure Use of Cryptography||Data Protection|
|A9 Denial of Service||N/A||Availability|
|A10 Insecure Configuration Management||A10 Web and Application Server Misconfiguration|| Application Configuration Management|
Infrastructure Configuration Management