Top 10-2017 Details About Risk Factors - Revision history

T.Gigler: Shortened name of A9:2017 in this list

2018-01-07T15:10:01Z

Shortened name of A9:2017 in this list

T.Gigler: Updated table, editorial changes

2018-01-01T18:14:46Z

Updated table, editorial changes

Show changes

T.Gigler: Prepare OWASP Top 10-2017 Release (Risk Table)

2017-12-13T22:38:51Z

Prepare OWASP Top 10-2017 Release (Risk Table)

Show changes

T.Gigler: Prepare OWASP Top 10-2017 Release

2017-12-12T20:06:27Z

Prepare OWASP Top 10-2017 Release

T.Gigler: T.Gigler moved page Top 10 2017-Details About Risk Factors to Top 10-2017 Details About Risk Factors: Prepare OWASP Top 10-2017 Release

2017-12-12T19:50:20Z

T.Gigler moved page Top 10 2017-Details About Risk Factors to Top 10-2017 Details About Risk Factors: Prepare OWASP Top 10-2017 Release

T.Gigler: editorial changes (deleted extra ']')

2017-04-23T15:25:24Z

editorial changes (deleted extra ']')

T.Gigler: Added: OWASP Top 10 Privacy Risks Project (not yet part of RC1, see comment in source)

2017-04-23T15:21:58Z

Added: OWASP Top 10 Privacy Risks Project (not yet part of RC1, see comment in source)

T.Gigler: underlined all links, redefined links to OWASP as internal links, repaired some links

2017-04-23T15:11:38Z

underlined all links, redefined links to OWASP as internal links, repaired some links

Show changes

T.Gigler: updated risks

2017-04-23T14:37:35Z

updated risks

Neil Smithline at 01:41, 22 April 2017

2017-04-22T01:41:16Z

@@ Line 72: / Line 72: @@
 <td style="border: 3px solid #444444"><b>5.0</b></td></tr>
-<tr><td style="border: 3px solid #444444;"><b><u>[[{{Top_10:LanguageFile|text=documentRootTop10New|language=en|year=2017 }}_A9-{{Top_10_2010:ByTheNumbers|9|year=2017|language=en}} | A9:2017-{{Top_10_2010:ByTheNumbers|9|year=2017|language=en}}]]</u></b></td>
+<tr><td style="border: 3px solid #444444;"><b><u>[[{{Top_10:LanguageFile|text=documentRootTop10New|language=en|year=2017 }}_A9-{{Top_10_2010:ByTheNumbers|9|year=2017|language=en}} | A9:2017-{{Top_10_2010:ByTheNumbers|9|year=2017|language=en|type=short}}]]</u></b></td>
 <td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10-2017:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=3|detectability=2|impact=2|language=en|year=2017}}

@@ Line 1: / Line 1: @@
 {{Top_10_2013:TopTemplate
-    |usenext=Nothing
+     |useprev=2017PrevLink
      |prev={{Top_10:LanguageFile|text=noteAboutRisks|language=en}}
      |year=2017
      |language=en
@@ Line 97: / Line 97: @@
 {{Top_10:SubsectionTableEndTemplate}}
 {{Top_10_2013:BottomTemplate
-   |usenext=Nothing
+    |useprev=2017PrevLink
-   |useprev=2013PrevLink
+    |prev={{Top_10:LanguageFile|text=noteAboutRisks|language=en}}
-   |prev={{Top_10:LanguageFile|text=noteAboutRisks|language=en}}
+    |usenext=2017NextLink
-   |next=
+    |next={{Top_10:LanguageFile|text=methodologyAndData|language=en}}
-   |year=2017
+    |year=2017
-   |language=en
+    |language=en
 }}

@@ Line 89: / Line 89: @@
 * <u>[http://projects.webappsec.org/Information-Leakage Information Leakage]</u> (<u>[https://cwe.mitre.org/data/definitions/209.html CWE-209]</u>) and <u>[[Top_10_2007-A6|Improper Error Handling]]</u> (<u>[https://cwe.mitre.org/data/definitions/388.html CWE-388]</u>) (was part of 2007 Top 10 – <u>[[Top_10_2007-A6|Entry 2007-A6]]</u>)
 * <u>[https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf Hotlinking Third Party Content]</u> (<u>[https://cwe.mitre.org/data/definitions/829.html CWE-829]</u>)
-* <u>[[Top_10_2007-A3|Malicious File Execution]]</u> (<u>[https://cwe.mitre.org/data/definitions/434.html CWE-434]]</u>) (Was 2007 Top 10 – <u>[[Top_10_2007-A3|Entry 2007-A3]]</u>)
+* <u>[[Top_10_2007-A3|Malicious File Execution]]</u> (<u>[https://cwe.mitre.org/data/definitions/434.html CWE-434]</u>) (Was 2007 Top 10 – <u>[[Top_10_2007-A3|Entry 2007-A3]]</u>)
 * <u>[http://en.wikipedia.org/wiki/Mass_assignment_vulnerability Mass Assignment]</u> (<u>[http://cwe.mitre.org/data/definitions/915.html CWE-915]</u>)
 * <u>[https://cwe.mitre.org/data/definitions/918.html Server-Side Request Forgery (SSRF) (CWE-918)]</u>

@@ Line 93: / Line 93: @@
 * <u>[https://cwe.mitre.org/data/definitions/918.html Server-Side Request Forgery (SSRF) (CWE-918)]</u>
 * <u>[[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Unvalidated Redirects and Forwards]]</u> (<u>[https://cwe.mitre.org/data/definitions/601.html CWE-601]</u>) (Was 2013 Top 10 – <u>[[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Entry 2013-A10]]</u>)
-* <u>[[Privacy_Violation|User Privacy]]</u> (<u>[https://cwe.mitre.org/data/definitions/359.html CWE-359]</u>)
+* <u>[[Privacy_Violation|User Privacy]]</u> (<u>[https://cwe.mitre.org/data/definitions/359.html CWE-359]</u>) <!--- not yet part of RC1 -->For defenses, see: <u>[[OWASP_Top_10_Privacy_Risks_Project|OWASP Top 10 Privacy Risks Project]]</u><!--- END: not yet part of RC1 -->
 {{Top_10:SubsectionTableEndTemplate}}

@@ Line 43: / Line 43: @@
 <td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}|A4-{{Top_10:LanguageFile|text=insecureDOR|year=2017|language=en}}]]</td><td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}|A4-{{Top_10:LanguageFile|text=accessCtrl|year=2017|language=en}}]]</td><td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=1|prevalence=1|detectability=1|impact=2|language=en|year=2017}}
 <td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
@@ Line 57: / Line 57: @@
 <td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}|A7-{{Top_10:LanguageFile|text=functionAcc|year=2017|language=en}}]]</td>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}|A7-{{Top_10:LanguageFile|text=attackProt|year=2017|language=en}}]]</td>
 <td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=1|prevalence=2|detectability=2|impact=2|language=en|year=2017}}
@@ Line 72: / Line 72: @@
 <td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}|A10-{{Top_10:LanguageFile|text=unvalRedirects|year=2017|language=en}}]]</td>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}|A10-{{Top_10:LanguageFile|text=ApiProt|year=2017|language=en}}]]</td>
 <td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=2|detectability=3|impact=2|language=en|year=2017}}

← Older revision	Revision as of 19:50, 12 December 2017
(No difference)

@@ Line 83: / Line 83: @@
 The Top 10 covers a lot of ground, but there are many other risks you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time.  Other important application security risks (in alphabetical order) that you should also consider include:
 * [[Clickjacking]] ([https://capec.mitre.org/data/definitions/103.html CAPEC-103])
+* [https://www.owasp.org/index.php/Application_Denial_of_Service Denial of Service] ([http://cwe.mitre.org/data/definitions/400.html CWE-400]) (Was 2004 Top 10 – [https://www.owasp.org/index.php/A9_2004_Application_Denial_of_Service Entry 2004-A9])
-The following text is from 2013 and needs to be updated!!
+* [https://www.owasp.org/index.php/Deserialization_of_untrusted_data Deserialization of Untrusted Data] ([http://cwe.mitre.org/data/definitions/502.htmlCWE-502]) For defenses, see: [https://www.owasp.org/index.php/Deserialization_Cheat_Sheet OWASP Deserialization Cheat Sheet]
+* [https://www.aspectsecurity.com/uploads/downloads/2011/09/ExpressionLanguageInjection.pdf xpression Language Injection] ([http://cwe.mitre.org/data/definitions/917.html CWE-917])
-* [https://www.owasp.org/index.php/Testing_for_Race_Conditions_(OWASP-AT-010)  Concurrency Flaws]
+* [http://projects.weba'psec.org/Information-Leakage Information Leakage] ([https://cwe.mitre.org/data/definitions/209.html CWE-209]) and [https://www.owasp.org/index.php/Top_10_2007-A6 Improper Error Handling] ([https://cwe.mitre.org/data/definitions/388.html CWE-388]) (was part of 2007 Top 10 – [https://www.owasp.org/index.php/Top_10_2007-A6 Entry 2007-A6])
-* [https://www.owasp.org/index.php/Application_Denial_of_Service  Denial of Service] (Was 2004 Top 10 – Entry 2004-A9)
+* [https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf Hotlinking Third Party Content] ([https://cwe.mitre.org/data/definitions/829.htmlCWE-829])
-* [https://www.aspectsecurity.com/uploads/downloads/2011/09/ExpressionLanguageInjection.pdf  Expression Language Injection] ([http://cwe.mitre.org/data/definitions/917.html  CWE-917])
+* [https://www.owasp.org/index.php/Top_10_2007-A3 Malicious File Execution] ([https://cwe.mitre.org/data/definitions/434.html CWE-434]) ([Was 2007 Top 10 – [https://www.owasp.org/index.php/Top_10_2007-A3 Entry 2007-A3])
-* [http://projects.webappsec.org/Information-Leakage  Information Leakage] and [https://www.owasp.org/index.php/Top_10_2007-A6  Improper Error Handling] (Was part of 2007 Top 10 – [https://www.owasp.org/index.php/Top_10_2007-A6  Entry 2007-A6])
+* [http://en.wikipedia.org/wiki/Mass_assignment_vulnerability Mass Assignment] ([http://cwe.mitre.org/data/definitions/915.html CWE-915])
-* [http://projects.webappsec.org/Insufficient+Anti-automation  Insufficient Anti-automation] ([http://cwe.mitre.org/data/definitions/799.html  CWE-799])
+* [https://cwe.mitre.org/data/definitions/918.html Server-Side Request Forgery] (SSRF) (CWE-918)
-* Insufficient Logging and Accountability (Related to 2007 Top 10 – [https://www.owasp.org/index.php/Top_10_2007-A6  Entry 2007-A6])
+* [https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards Unvalidated Redirects and Forwards] ([https://cwe.mitre.org/data/definitions/601.html CWE-601]) (Was 2013 Top 10 – [https://cwe.mitre.org/data/definitions/601.html Entry 2013-A10])
-* [https://www.owasp.org/index.php/ApplicationLayerIntrusionDetection  Lack of Intrusion Detection and Response]
+* [https://www.owasp.org/index.php/Privacy_Violation User Privacy] ([https://cwe.mitre.org/data/definitions/359.htmlCWE-359]])
 {{Top_10:SubsectionTableEndTemplate}}