Difference between revisions of "Top 10 2013-Details About Risk Factors"

Latest revision as of 21:07, 4 March 2017

NOTE: THIS IS NOT THE LATEST VERSION. Please visit the OWASP Top 10 project page to find the latest edition.

2013 Table of Contents

2013 Top 10 List

Top 10 Risk Factor Summary

The following table presents a summary of the 2013 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team. To understand these risks for a particular application or organization, you must consider your own specific threat agents and business impacts. Even egregious software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved.

Risk	Threat Agents	Attack Vectors	Security Weakness (Prevalence)	Security Weakness (Detectability)	Technical Impacts	Business Impacts
A1-Injection	App Specific	EASY	COMMON	AVERAGE	SEVERE	App Specific
A2-Authentication	App Specific	AVERAGE	WIDESPREAD	AVERAGE	SEVERE	App Specific
A3-XSS	App Specific	AVERAGE	VERY WIDESPREAD	EASY	MODERATE	App Specific
A4-Insecure DOR	App Specific	EASY	COMMON	EASY	MODERATE	App Specific
A5-Misconfig	App Specific	EASY	COMMON	EASY	MODERATE	App Specific
A6-Sens. Data	App Specific	DIFFICULT	UNCOMMON	AVERAGE	SEVERE	App Specific
A7-Function Acc.	App Specific	EASY	COMMON	AVERAGE	MODERATE	App Specific
A8-CSRF	App Specific	AVERAGE	COMMON	EASY	MODERATE	App Specific
A9-Vulnerable Components	App Specific	AVERAGE	WIDESPREAD	DIFFICULT	MODERATE	App Specific
A10-unval. Redirects	App Specific	AVERAGE	UNCOMMON	EASY	MODERATE	App Specific

Additional Risks to Consider

The Top 10 cover a lot of ground, but there are many other risks you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (in alphabetical order) that you should also consider include:

Clickjacking
Concurrency Flaws
Denial of Service (Was 2004 Top 10 – Entry 2004-A9)
Expression Language Injection (CWE-917)
Information Leakage and Improper Error Handling (Was part of 2007 Top 10 – Entry 2007-A6)
Insufficient Anti-automation (CWE-799)
Insufficient Logging and Accountability (Related to 2007 Top 10 – Entry 2007-A6)
Lack of Intrusion Detection and Response
Malicious File Execution (Was 2007 Top 10 – Entry 2007-A3)
Mass Assignment (CWE-915)
User Privacy

← Note About Risks

2013 Table of Contents

2013 Top 10 List

@@ Line 3: / Line 3: @@
      |next=
      |useprev=2013PrevLink
-     |prev=Note About Risks
+     |prev={{Top_10:LanguageFile|text=noteAboutRisks|language=en}}
+    |year=2013
+    |language=en
 }}
-{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|title=Top 10 Risk Factor Summary|number=whole|width=100%|year=2013}}
+{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstWhole|title={{Top_10:LanguageFile|text=top10RiskFactorSummary|language=en}}|width=100%|year=2013|language=en}}
 The following table presents a summary of the 2013 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team. To understand these risks for a particular application or organization, <u>you must consider your own specific threat agents and business impacts</u>. Even egregious software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved.
-TABLE GOES HERE
 <center>
-<table style="align:center; text-align:center; margin: 0px 5px 0px 5px; border: 3px solid  {{Top 10:BorderColor|year=2013 }};
+<table style="align:center; border-collapse: collapse; text-align:center; margin: 0px 5px 0px 5px; border: 3px solid #444444;
    background-color: {{Top 10:BackgroundColor|year=2013 }};
 padding=2;">
-<tr style="background-color: {{Top 10:BorderColor|year=2013 }}; height: 2em; font-size: 130%; color: #FFFFFF;  text-shadow: 2px 2px 8px #000000; ">
+<tr style="background-color: {{Top 10:BorderColor|year=2013}}; height: 2em; font-size: 130%; color: #FFFFFF;  text-shadow: 2px 2px 8px #444444; ">
-      <th>RISK</th>
+      <th style="border: 3px solid #444444;">{{Top_10:LanguageFile|text=risk|language=en}}</th>
-      <th>Threat Agents</th>
+      <th style="border: 3px solid #444444;">{{Top_10:LanguageFile|text=threatAgents|language=en}}</th>
-      <th>Attack Vectors</th>
+      <th style="border: 3px solid #444444;">{{Top_10:LanguageFile|text=attackVectors|language=en}}</th>
-      <th colspan="2">Security Weakness</th>
+     <th style="border: 3px solid #444444;">{{Top_10:LanguageFile|text=securityWeakness|language=en}}<div style="font-size: 60%;">({{Top_10:LanguageFile|text=prevalence|language=en}})</div></th>
-      <th>Technical Impacts</th>
+      <th style="border: 3px solid #444444;">{{Top_10:LanguageFile|text=securityWeakness|language=en}}<div style="font-size: 60%;">({{Top_10:LanguageFile|text=detectability|language=en}})</div></th>
-      <th>Business Impacts</th>
+      <th style="border: 3px solid #444444;">{{Top_10:LanguageFile|text=technicalImpacts|language=en}}</th>
+      <th style="border: 3px solid #444444;">{{Top_10:LanguageFile|text=businessImpacts|language=en}}</th>
 </tr>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}|A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2013}}]]</td>
+<td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
+  {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=1|prevalence=2|detectability=2|impact=1|language=en|year=2013}}
+<td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-<tr><td>[https://www.owasp.org/index.php/A1 A1 Injection]</td><td>&nbsp;</td>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2013}}|A2-{{Top_10:LanguageFile|text=authentication|year=2013|language=en}}]]</td>
-{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY|year=2013}}
+<td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
-{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON|year=2013}}
+  {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=1|detectability=2|impact=1|language=en|year=2013}}
-{{Top_10_2010:SummaryTableValue-2-Template|Detectability|AVERAGE|year=2013}}
+<td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-{{Top_10_2010:SummaryTableValue-1-Template|Prevalence|SEVERE|year=2013}}
-<td>&nbsp;</td></tr>
-<tr><td>[https://www.owasp.org/index.php/A2 A2 Authentication]</td><td>&nbsp;</td>
-{{Top_10_2010:SummaryTableValue-2-Template|Exploitability|AVERAGE|year=2013}}
-{{Top_10_2010:SummaryTableValue-1-Template|Prevalence|WIDESPREAD|year=2013}}
-{{Top_10_2010:SummaryTableValue-2-Template|Detectability|AVERAGE|year=2013}}
-{{Top_10_2010:SummaryTableValue-1-Template|Prevalence|SEVERE|year=2013}}
-<td>&nbsp;</td></tr>
-<tr><td>[https://www.owasp.org/index.php/A3 A3 XSS]</td><td>&nbsp;</td>
-{{Top_10_2010:SummaryTableValue-2-Template|Exploitability|AVERAGE|year=2013}}
-{{Top_10_2010:SummaryTableValue-0-Template|Prevalence|VERY WIDESPREAD|year=2013}}
-{{Top_10_2010:SummaryTableValue-1-Template|Detectability|EASY|year=2013}}
-{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|MODERATE|year=2013}}
-<td>&nbsp;</td></tr>
-<tr><td>[https://www.owasp.org/index.php/A4 A4 Insecure DOR]</td><td>&nbsp;</td>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2013}}|A3-{{Top_10:LanguageFile|text=xssShort|year=2013|language=en}}]]</td>
-{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY|year=2013}}
+<td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
-{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON|year=2013}}
+  {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=0|detectability=1|impact=2|language=en|year=2013}}
-{{Top_10_2010:SummaryTableValue-1-Template|Detectability|EASY|year=2013}}
+<td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|MODERATE|year=2013}}
-<td>&nbsp;</td></tr>
-<tr><td>[https://www.owasp.org/index.php/A5 A5 Config]</td><td>&nbsp;</td>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2013}}|A4-{{Top_10:LanguageFile|text=insecureDOR|year=2013|language=en}}]]</td><td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
-{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY|year=2013}}
+  {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=1|prevalence=2|detectability=1|impact=2|language=en|year=2013}}
-{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON|year=2013}}
+<td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-{{Top_10_2010:SummaryTableValue-1-Template|Detectability|EASY|year=2013}}
-{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|MODERATE|year=2013}}
-<td>&nbsp;</td></tr>
-<tr><td>[https://www.owasp.org/index.php/A6 A6 Sens. Data]</td><td>&nbsp;</td>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2013}}|A5-{{Top_10:LanguageFile|text=misconfig|year=2013|language=en}}]]</td>
-{{Top_10_2010:SummaryTableValue-3-Template|Exploitability|EASY|year=2013}}
+<td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
-{{Top_10_2010:SummaryTableValue-3-Template|Prevalence|UNCOMMON|year=2013}}
+  {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=1|prevalence=2|detectability=1|impact=2|language=en|year=2013}}
-{{Top_10_2010:SummaryTableValue-2-Template|Detectability|AVERAGE|year=2013}}
+<td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-{{Top_10_2010:SummaryTableValue-1-Template|Prevalence|SEVERE|year=2013}}
-<td>&nbsp;</td></tr>
-<tr><td>[https://www.owasp.org/index.php/A7 A7 Function Acc.]</td><td>&nbsp;</td>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2013}}|A6-{{Top_10:LanguageFile|text=sensData|year=2013|language=en}}]]</td>
-{{Top_10_2010:SummaryTableValue-1-Template|Exploitability|EASY|year=2013}}
+<td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
-{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON|year=2013}}
+  {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=3|prevalence=3|detectability=2|impact=1|language=en|year=2013}}
-{{Top_10_2010:SummaryTableValue-2-Template|Detectability|AVERAGE|year=2013}}
+<td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|MODERATE|year=2013}}
-<td>&nbsp;</td></tr>
-<tr><td>[https://www.owasp.org/index.php/A8 A8 CSRF]</td><td>&nbsp;</td>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2013}}|A7-{{Top_10:LanguageFile|text=functionAcc|year=2013|language=en}}]]</td>
-{{Top_10_2010:SummaryTableValue-2-Template|Exploitability|AVERAGE|year=2013}}
+<td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
-{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|COMMON|year=2013}}
+  {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=1|prevalence=2|detectability=2|impact=2|language=en|year=2013}}
-{{Top_10_2010:SummaryTableValue-2-Template|Detectability|AVERAGE|year=2013}}
+<td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|MODERATE|year=2013}}
-<td>&nbsp;</td></tr>
-<tr><td>[https://www.owasp.org/index.php/A9 A9 Components]</td><td>&nbsp;</td>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2013}}|A8-{{Top_10:LanguageFile|text=csrfShort|year=2013|language=en}}]]</td>
-{{Top_10_2010:SummaryTableValue-2-Template|Exploitability|AVERAGE|year=2013}}
+<td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
-{{Top_10_2010:SummaryTableValue-1-Template|Prevalence|WIDESPREAD|year=2013}}
+  {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=2|detectability=1|impact=2|language=en|year=2013}}
-{{Top_10_2010:SummaryTableValue-3-Template|Detectability|Difficult|year=2013}}
+<td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|MODERATE|year=2013}}
-<td>&nbsp;</td></tr>
-<tr><td>[https://www.owasp.org/index.php/A10 A10 Redirects]</td><td>&nbsp;</td>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2013}}|A9-{{Top_10:LanguageFile|text=vulnComponents|year=2013|language=en}}]]</td>
-{{Top_10_2010:SummaryTableValue-2-Template|Exploitability|AVERAGE|year=2013}}
+<td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
-{{Top_10_2010:SummaryTableValue-3-Template|Prevalence|UNCOMMON|year=2013}}
+  {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=1|detectability=3|impact=2|language=en|year=2013}}
-{{Top_10_2010:SummaryTableValue-1-Template|Detectability|EASY|year=2013}}
+<td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-{{Top_10_2010:SummaryTableValue-2-Template|Prevalence|MODERATE|year=2013}}
-<td>&nbsp;</td></tr>
+<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2013|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2013}}|A10-{{Top_10:LanguageFile|text=unvalRedirects|year=2013|language=en}}]]</td>
+<td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
+  {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=3|detectability=1|impact=2|language=en|year=2013}}
+<td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
 </table></center> <!-- End risk table -->
-TABLE GOES HERE
-</td></tr></table> <!-- Close big box -->
-{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|title=Additional Risks to Consider|number=whole|width=100%|year=2013}}
+{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=whole|title={{Top_10:LanguageFile|text=additionalRisksToConsider|language=en}}|width=100%|year=2013|language=en}}
-The Top 10 cover a lot of ground, but there are other risks that you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time.  Other important application security risks (in alphabetical order) that you should also consider include:
+The Top 10 cover a lot of ground, but there are many other risks you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time.  Other important application security risks (in alphabetical order) that you should also consider include:
-* [https://www.owasp.org/index.php/Clickjacking  Clickjacking]
+* [[Clickjacking]]
 * [https://www.owasp.org/index.php/Testing_for_Race_Conditions_(OWASP-AT-010)  Concurrency Flaws]
 * [https://www.owasp.org/index.php/Application_Denial_of_Service  Denial of Service] (Was 2004 Top 10 – Entry 2004-A9)
-* [https://www.aspectsecurity.com/uploads/downloads/2011/09/ExpressionLanguageInjection.pdf  Expression Language Injection]
+* [https://www.aspectsecurity.com/uploads/downloads/2011/09/ExpressionLanguageInjection.pdf  Expression Language Injection] ([http://cwe.mitre.org/data/definitions/917.html  CWE-917])
 * [http://projects.webappsec.org/Information-Leakage  Information Leakage] and [https://www.owasp.org/index.php/Top_10_2007-A6  Improper Error Handling] (Was part of 2007 Top 10 – [https://www.owasp.org/index.php/Top_10_2007-A6  Entry 2007-A6])
-* [http://projects.webappsec.org/Insufficient+Anti-automation  Insufficient Anti-automation]
+* [http://projects.webappsec.org/Insufficient+Anti-automation  Insufficient Anti-automation] ([http://cwe.mitre.org/data/definitions/799.html  CWE-799])
 * Insufficient Logging and Accountability (Related to 2007 Top 10 – [https://www.owasp.org/index.php/Top_10_2007-A6  Entry 2007-A6])
-* [https://www.owasp.org/index.php/ApplicationLayerIntrustionDetection  Lack of Intrusion Detection and Response]
+* [https://www.owasp.org/index.php/ApplicationLayerIntrusionDetection  Lack of Intrusion Detection and Response]
 * [https://www.owasp.org/index.php/Top_10_2007-A3  Malicious File Execution] (Was 2007 Top 10 – [https://www.owasp.org/index.php/Top_10_2007-A3  Entry 2007-A3])
-* Mass Assignment
+* [http://en.wikipedia.org/wiki/Mass_assignment_vulnerability  Mass Assignment] ([http://cwe.mitre.org/data/definitions/915.html  CWE-915])
 * [https://www.owasp.org/index.php/Privacy_Violation  User Privacy]
+{{Top_10:SubsectionTableEndTemplate}}
 {{Top_10_2013:BottomTemplate
     |usenext=Nothing
     |useprev=2013PrevLink
-    |prev=Note About Risks
+    |prev={{Top_10:LanguageFile|text=noteAboutRisks|language=en}}
     |next=
+   |year=2013
+   |language=en
 }}

Difference between revisions of "Top 10 2013-Details About Risk Factors"

Latest revision as of 21:07, 4 March 2017

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools