Top 10 2010-Details About Risk Factors - Revision history

Neil Smithline at 05:30, 23 April 2010

2010-04-23T05:30:32Z

Wichers at 17:16, 22 April 2010

2010-04-22T17:16:26Z

Show changes

Neil Smithline at 20:37, 21 April 2010

2010-04-21T20:37:42Z

Neil Smithline: moved Top 10 2010-+F to Top 10 2010-Details About Risk Factors

2010-04-20T16:11:46Z

moved Top 10 2010-+F to Top 10 2010-Details About Risk Factors

Neil Smithline: moved Top 10 2010-Risk Factors to Top 10 2010-+F

2010-04-20T16:11:17Z

moved Top 10 2010-Risk Factors to Top 10 2010-+F

Neil Smithline at 16:06, 20 April 2010

2010-04-20T16:06:25Z

Neil Smithline at 15:53, 20 April 2010

2010-04-20T15:53:52Z

Neil Smithline: Created page with '{{Top_10_2010:TopTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}
2010-04-20T15:26:16Z

Created page with '{{Top_10_2010:TopTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}} <center…'

New page
{{Top_10_2010:TopTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}

<center>
{| style="align:center; text-align:center; border:2px solid #4F81BD; background-color:#F2F2F2; padding=2;"
|- style="background-color: #4F81Bd; color: #000000;"
! RISK !! Threat Agents !! Attack Vectors
! colspan="2" | Security Weakness
! Technical Impact
! Business Impacts
|-
| style="background-color: #D9D9D9; color: #000000;" | A1-Injection
| style="background-color: #D9D9D9; color: #000000;" |
| style="background-color: #FF0000; color: #000000;" | Exploitability EASY
| style="background-color: #FFB200; color: #000000;" | Prevalence COMMON
| style="background-color: #FFB200; color: #000000;" | Detectability AVERAGE
| style="background-color: #FF0000; color: #000000;" | Impact SEVERE
| style="background-color: #D9D9D9; color: #000000;" |
|-
| style="background-color: #D9D9D9; color: #000000;" | A2-XSS
| style="background-color: #D9D9D9; color: #000000;" |
| style="background-color: #FFB200; color: #000000;" | Exploitability AVERAGE
| style="background-color: #FF00FF; color: #000000;" | Prevalence VERY WIDESPREAD
| style="background-color: #FF0000; color: #000000;" | Detectability EASY
| style="background-color: #FFB200; color: #000000;" | Impact MODERATE
| style="background-color: #D9D9D9; color: #000000;" |
|-
| style="background-color: #D9D9D9; color: #000000;" | A3-Authentication
| style="background-color: #D9D9D9; color: #000000;" |
| style="background-color: #FFB200; color: #000000;" | Exploitability AVERAGE
| style="background-color: #FFB200; color: #000000;" | Prevalence COMMON
| style="background-color: #FFB200; color: #000000;" | Detectability AVERAGE
| style="background-color: #FF0000; color: #000000;" | Impact SEVERE
| style="background-color: #D9D9D9; color: #000000;" |
|-
| style="background-color: #D9D9D9; color: #000000;" | A4-DOR
| style="background-color: #D9D9D9; color: #000000;" |
| style="background-color: #FF0000; color: #000000;" | Exploitability EASY
| style="background-color: #FFB200; color: #000000;" | Prevalence COMMON
| style="background-color: #FF0000; color: #000000;" | Detectability EASY
| style="background-color: #FFB200; color: #000000;" | Impact MODERATE
| style="background-color: #D9D9D9; color: #000000;" |
|-
| style="background-color: #D9D9D9; color: #000000;" | A5-CSRF
| style="background-color: #D9D9D9; color: #000000;" |
| style="background-color: #FFB200; color: #000000;" | Exploitability AVERAGE
| style="background-color: #FF0000; color: #000000;" | Prevalence WIDESPREAD
| style="background-color: #FF0000; color: #000000;" | Detectability EASY
| style="background-color: #FFB200; color: #000000;" | Impact MODERATE
| style="background-color: #D9D9D9; color: #000000;" |
|-
| style="background-color: #D9D9D9; color: #000000;" | A6-Config
| style="background-color: #D9D9D9; color: #000000;" |
| style="background-color: #FF0000; color: #000000;" | Exploitability EASY
| style="background-color: #FFB200; color: #000000;" | Prevalence COMMON
| style="background-color: #FF0000; color: #000000;" | Detectability EASY
| style="background-color: #FFB200; color: #000000;" | Impact MODERATE
| style="background-color: #D9D9D9; color: #000000;" |
|-
| style="background-color: #D9D9D9; color: #000000;" | A7-Crypto
| style="background-color: #D9D9D9; color: #000000;" |
| style="background-color: #FFFF00; color: #000000;" | Exploitability DIFFICULT
| style="background-color: #FFFF00; color: #000000;" | Prevalence UNCOMMON
| style="background-color: #FFFF00; color: #000000;" | Detectability DIFFICULT
| style="background-color: #FF0000; color: #000000;" | Impact SEVERE
| style="background-color: #D9D9D9; color: #000000;" |
|-
| style="background-color: #D9D9D9; color: #000000;" | A8-URL Access
| style="background-color: #D9D9D9; color: #000000;" |
| style="background-color: #FF0000; color: #000000;" | Exploitability EASY
| style="background-color: #FFFF00; color: #000000;" | Prevalence UNCOMMON
| style="background-color: #FFB200; color: #000000;" | Detectability AVERAGE
| style="background-color: #FFB200; color: #000000;" | Impact MODERATE
| style="background-color: #D9D9D9; color: #000000;" |
|-
| style="background-color: #D9D9D9; color: #000000;" | A9-Transport
| style="background-color: #D9D9D9; color: #000000;" |
| style="background-color: #FFFF00; color: #000000;" | Exploitability DIFFICULT
| style="background-color: #FFB200; color: #000000;" | Prevalence COMMON
| style="background-color: #FF0000; color: #000000;" | Detectability EASY
| style="background-color: #FFB200; color: #000000;" | Impact MODERATE
| style="background-color: #D9D9D9; color: #000000;" |
|-
| style="background-color: #D9D9D9; color: #000000;" | A10-Redirects
| style="background-color: #D9D9D9; color: #000000;" |
| style="background-color: #FFB200; color: #000000;" | Exploitability AVERAGE
| style="background-color: #FFFF00; color: #000000;" | Prevalence UNCOMMON
| style="background-color: #FF0000; color: #000000;" | Detectability EASY
| style="background-color: #FFB200; color: #000000;" | Impact MODERATE
| style="background-color: #D9D9D9; color: #000000;" |
|}
</center>

{{Top_10_2010:SubsectionVulnerableTemplate|Injection|

}}

{{Top_10_2010:SubsectionPreventionTemplate|Injection|

}}

{{Top_10_2010:SubsectionExampleTemplate|Injection|}}

{{Top_10_2010:SubsectionReferencesTemplate|Injection}}
{{Top_10_2010:SubSubsectionOWASPReferencesTemplate}}
{{Top_10_2010:SubSubsectionExternalReferencesTemplate}}

 {{Top_10_2010:BottomTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}

@@ Line 1: / Line 1: @@
-{{Top_10_2010:TopTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}
+{{Top_10_2010:TopTemplate|useprev=2010PrevLink|usenext=Nothing|prev=Notes About Risk}}
 {{Top_10_2010:SubsectionColoredTemplate|Top 10 Risk Factor Summary|
 The following table presents a summary of the 2010 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP team. To understand these risks for a particular application or organization, <b><u>you must consider your own specific threat agents and business impacts</u></b>. Even egregious software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved.
@@ Line 6: / Line 5: @@
 <center>
 {| style="align:center; text-align:center; border:2px solid #4F81BD; background-color:#F2F2F2; padding=2;"
-|- style="background-color: #4F81Bd; color: #000000;"
+|- style="background-color: #4F81Bd; color: #FFFFFF;"
 ! RISK !! Threat Agents !! Attack Vectors
 ! colspan="2" | Security Weakness
@@ Line 106: / Line 105: @@
 * [http://www.owasp.org/index.php/Top_10_2007-A3 Malicious File Execution] (Was 2007 Top 10 – Entry A3)
 }}
+{{Top_10_2010:BottomTemplate|useprev=2010PrevLink|usenext=Nothing|prev=Notes About Risk}}

@@ Line 94: / Line 94: @@
 </center>
-{{Top_10_2010:SubsectionColoredTemplate|Top 10 Risk Factor Summary|
 The Top 10 cover a lot of ground, but there are other risks that you should consider and evaluate in your organization. Some of these have appeared in previous versions of the OWASP Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (listed in alphabetical order) that you should also consider include:
 * [http://www.owasp.org/index.php/Clickjacking Clickjacking] (Newly discovered attack technique in 2008)
@@ Line 104: / Line 105: @@
 * [http://www.owasp.org/index.php/ApplicationLayerIntrustionDetection Lack of Intrusion Detection and Response]
 * [http://www.owasp.org/index.php/Top_10_2007-A3 Malicious File Execution] (Was 2007 Top 10 – Entry A3)
 <br> {{Top_10_2010:BottomTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}

@@ Line 1: / Line 1: @@
 {{Top_10_2010:TopTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}
 <center>
 {| style="align:center; text-align:center; border:2px solid #4F81BD; background-color:#F2F2F2; padding=2;"
@@ Line 91: / Line 94: @@
 </center>
-{{Top_10_2010:SubsectionVulnerableTemplate|Injection|
+{{Top_10_2010:SubsectionColoredTemplate|Top 10 Risk Factor Summary|
+The Top 10 cover a lot of ground, but there are other risks that you should consider and evaluate in your organization. Some of these have appeared in previous versions of the OWASP Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (listed in alphabetical order) that you should also consider include:
-}}
+* [http://www.owasp.org/index.php/Clickjacking Clickjacking] (Newly discovered attack technique in 2008)
+* Concurrency Flaws
-{{Top_10_2010:SubsectionPreventionTemplate|Injection|
+* [http://www.owasp.org/index.php/Application_Denial_of_Service Denial of Service] (Was 2004 Top 10 – Entry A9)
+* [http://projects.webappsec.org/Information-Leakage Information Leakage] and [http://www.owasp.org/index.php/Top_10_2007-A6 Improper Error Handling] (Was part of 2007 Top 10 – Entry A6)
-}}
+* [http://projects.webappsec.org/Insufficient+Anti-automation Insufficient Anti-automation]
+* Insufficient Logging and Accountability (Related to 2007 Top 10 – Entry A6)
-{{Top_10_2010:SubsectionExampleTemplate|Injection|}}
+* [http://www.owasp.org/index.php/ApplicationLayerIntrustionDetection Lack of Intrusion Detection and Response]
+* [http://www.owasp.org/index.php/Top_10_2007-A3 Malicious File Execution] (Was 2007 Top 10 – Entry A3)
 <br> {{Top_10_2010:BottomTemplate|usenext=NextLink|next=-Broken Authentication and Session Management|useprev=PrevLink|prev=-Cross Site Request Forgery|usemain=MainLink|main=}}

← Older revision	Revision as of 16:11, 20 April 2010
(No difference)