This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Top 10 2010-Details About Risk Factors"

From OWASP
Jump to: navigation, search
Line 8: Line 8:
 
! RISK !! Threat Agents !! Attack Vectors
 
! RISK !! Threat Agents !! Attack Vectors
 
! colspan="2" | Security Weakness
 
! colspan="2" | Security Weakness
! Technical Impact
+
! Technical Impacts
 
! Business Impacts
 
! Business Impacts
 
|-  
 
|-  
| style="background-color: #D9D9D9; color: #000000;" | A1-Injection
+
| style="background-color: #D9D9D9; color: #000000;" | [[Top_10_2010-A1 | A1-Injection]]
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
| style="background-color: #FF0000; color: #000000;" | Exploitability<br>EASY
+
| style="background-color: #FF0000; color: #000000;" | '''Exploitability<br>EASY
| style="background-color: #FFB200; color: #000000;" | Prevalence<br>COMMON
+
| style="background-color: #FFB200; color: #000000;" | '''Prevalence<br>COMMON
| style="background-color: #FFB200; color: #000000;" | Detectability<br>AVERAGE
+
| style="background-color: #FFB200; color: #000000;" | '''Detectability<br>AVERAGE
| style="background-color: #FF0000; color: #000000;" | Impact<br>SEVERE
+
| style="background-color: #FF0000; color: #000000;" | '''Impact<br>SEVERE
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
|-
 
|-
| style="background-color: #D9D9D9; color: #000000;" | A2-XSS
+
| style="background-color: #D9D9D9; color: #000000;" | [[Top_10_2010-A2 | A2-XSS
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
| style="background-color: #FFB200; color: #000000;" | Exploitability<br>AVERAGE
+
| style="background-color: #FFB200; color: #000000;" | '''Exploitability<br>AVERAGE
| style="background-color: #FF00FF; color: #000000;" | Prevalence<br>VERY WIDESPREAD
+
| style="background-color: #FF00FF; color: #000000;" | '''Prevalence<br>VERY WIDESPREAD]]
| style="background-color: #FF0000; color: #000000;" | Detectability<br>EASY
+
| style="background-color: #FF0000; color: #000000;" | '''Detectability<br>EASY
| style="background-color: #FFB200; color: #000000;" | Impact<br>MODERATE
+
| style="background-color: #FFB200; color: #000000;" | '''Impact<br>MODERATE
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
|-
 
|-
| style="background-color: #D9D9D9; color: #000000;" | A3-Authentication
+
| style="background-color: #D9D9D9; color: #000000;" | [[Top_10_2010-A3 | A3-Authentication]]
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
| style="background-color: #FFB200; color: #000000;" | Exploitability<br>AVERAGE
+
| style="background-color: #FFB200; color: #000000;" | '''Exploitability<br>AVERAGE
| style="background-color: #FFB200; color: #000000;" | Prevalence<br>COMMON
+
| style="background-color: #FFB200; color: #000000;" | '''Prevalence<br>COMMON
| style="background-color: #FFB200; color: #000000;" | Detectability<br>AVERAGE
+
| style="background-color: #FFB200; color: #000000;" | '''Detectability<br>AVERAGE
| style="background-color: #FF0000; color: #000000;" | Impact<br>SEVERE
+
| style="background-color: #FF0000; color: #000000;" | '''Impact<br>SEVERE
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
|-
 
|-
| style="background-color: #D9D9D9; color: #000000;" | A4-DOR
+
| style="background-color: #D9D9D9; color: #000000;" | [[Top_10_2010-A4 | A4-DOR]]
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
| style="background-color: #FF0000; color: #000000;" | Exploitability<br>EASY
+
| style="background-color: #FF0000; color: #000000;" | '''Exploitability<br>EASY
| style="background-color: #FFB200; color: #000000;" | Prevalence<br>COMMON
+
| style="background-color: #FFB200; color: #000000;" | '''Prevalence<br>COMMON
| style="background-color: #FF0000; color: #000000;" | Detectability<br>EASY
+
| style="background-color: #FF0000; color: #000000;" | '''Detectability<br>EASY
| style="background-color: #FFB200; color: #000000;" | Impact<br>MODERATE
+
| style="background-color: #FFB200; color: #000000;" | '''Impact<br>MODERATE
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
|-
 
|-
| style="background-color: #D9D9D9; color: #000000;" | A5-CSRF
+
| style="background-color: #D9D9D9; color: #000000;" | [[Top_10_2010-A5 | A5-CSRF]]
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
| style="background-color: #FFB200; color: #000000;" | Exploitability<br>AVERAGE
+
| style="background-color: #FFB200; color: #000000;" | '''Exploitability<br>AVERAGE
| style="background-color: #FF0000; color: #000000;" | Prevalence<br>WIDESPREAD
+
| style="background-color: #FF0000; color: #000000;" | '''Prevalence<br>WIDESPREAD
| style="background-color: #FF0000; color: #000000;" | Detectability<br>EASY
+
| style="background-color: #FF0000; color: #000000;" | '''Detectability<br>EASY
| style="background-color: #FFB200; color: #000000;" | Impact<br>MODERATE
+
| style="background-color: #FFB200; color: #000000;" | '''Impact<br>MODERATE
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
|-
 
|-
| style="background-color: #D9D9D9; color: #000000;" | A6-Config
+
| style="background-color: #D9D9D9; color: #000000;" | [[Top_10_2010-A6 | A6-Config]]
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
| style="background-color: #FF0000; color: #000000;" | Exploitability<br>EASY
+
| style="background-color: #FF0000; color: #000000;" | '''Exploitability<br>EASY
| style="background-color: #FFB200; color: #000000;" | Prevalence<br>COMMON
+
| style="background-color: #FFB200; color: #000000;" | '''Prevalence<br>COMMON
| style="background-color: #FF0000; color: #000000;" | Detectability<br>EASY
+
| style="background-color: #FF0000; color: #000000;" | '''Detectability<br>EASY
| style="background-color: #FFB200; color: #000000;" | Impact<br>MODERATE
+
| style="background-color: #FFB200; color: #000000;" | '''Impact<br>MODERATE
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
|-
 
|-
| style="background-color: #D9D9D9; color: #000000;" | A7-Crypto
+
| style="background-color: #D9D9D9; color: #000000;" | [[Top_10_2010-A7 | A7-Crypto]]
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
| style="background-color: #FFFF00; color: #000000;" | Exploitability<br>DIFFICULT
+
| style="background-color: #FFFF00; color: #000000;" | '''Exploitability<br>DIFFICULT
| style="background-color: #FFFF00; color: #000000;" | Prevalence<br>UNCOMMON
+
| style="background-color: #FFFF00; color: #000000;" | '''Prevalence<br>UNCOMMON
| style="background-color: #FFFF00; color: #000000;" | Detectability<br>DIFFICULT
+
| style="background-color: #FFFF00; color: #000000;" | '''Detectability<br>DIFFICULT
| style="background-color: #FF0000; color: #000000;" | Impact<br>SEVERE
+
| style="background-color: #FF0000; color: #000000;" | '''Impact<br>SEVERE
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
|-
 
|-
| style="background-color: #D9D9D9; color: #000000;" | A8-URL Access
+
| style="background-color: #D9D9D9; color: #000000;" | [[Top_10_2010-A8 | A8-URL Access]]
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
| style="background-color: #FF0000; color: #000000;" | Exploitability<br>EASY
+
| style="background-color: #FF0000; color: #000000;" | '''Exploitability<br>EASY
| style="background-color: #FFFF00; color: #000000;" | Prevalence<br>UNCOMMON
+
| style="background-color: #FFFF00; color: #000000;" | '''Prevalence<br>UNCOMMON
| style="background-color: #FFB200; color: #000000;" | Detectability<br>AVERAGE
+
| style="background-color: #FFB200; color: #000000;" | '''Detectability<br>AVERAGE
| style="background-color: #FFB200; color: #000000;" | Impact<br>MODERATE
+
| style="background-color: #FFB200; color: #000000;" | '''Impact<br>MODERATE
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
|-
 
|-
| style="background-color: #D9D9D9; color: #000000;" | A9-Transport
+
| style="background-color: #D9D9D9; color: #000000;" | [[Top_10_2010-A9 | A9-Transport]]
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
| style="background-color: #FFFF00; color: #000000;" | Exploitability<br>DIFFICULT
+
| style="background-color: #FFFF00; color: #000000;" | '''Exploitability<br>DIFFICULT
| style="background-color: #FFB200; color: #000000;" | Prevalence<br>COMMON
+
| style="background-color: #FFB200; color: #000000;" | '''Prevalence<br>COMMON
| style="background-color: #FF0000; color: #000000;" | Detectability<br>EASY
+
| style="background-color: #FF0000; color: #000000;" | '''Detectability<br>EASY
| style="background-color: #FFB200; color: #000000;" | Impact<br>MODERATE
+
| style="background-color: #FFB200; color: #000000;" | '''Impact<br>MODERATE
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
|-
 
|-
| style="background-color: #D9D9D9; color: #000000;" | A10-Redirects
+
| style="background-color: #D9D9D9; color: #000000;" | [[Top_10_2010-A10 | A10-Redirects]]
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
| style="background-color: #FFB200; color: #000000;" | Exploitability<br>AVERAGE
+
| style="background-color: #FFB200; color: #000000;" | '''Exploitability<br>AVERAGE
| style="background-color: #FFFF00; color: #000000;" | Prevalence<br>UNCOMMON
+
| style="background-color: #FFFF00; color: #000000;" | '''Prevalence<br>UNCOMMON
| style="background-color: #FF0000; color: #000000;" | Detectability<br>EASY
+
| style="background-color: #FF0000; color: #000000;" | '''Detectability<br>EASY
| style="background-color: #FFB200; color: #000000;" | Impact<br>MODERATE
+
| style="background-color: #FFB200; color: #000000;" | '''Impact<br>MODERATE
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
| style="background-color: #D9D9D9; color: #000000;" |  
 
|}
 
|}
Line 95: Line 95:
  
 
{{Top_10_2010:SubsectionColoredTemplate|Additional Risks to Consider|
 
{{Top_10_2010:SubsectionColoredTemplate|Additional Risks to Consider|
The Top 10 cover a lot of ground, but there are other risks that you should consider and evaluate in your organization. Some of these have appeared in previous versions of the OWASP Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (listed in alphabetical order) that you should also consider include:
+
The Top 10 covers a lot of ground, but there are other risks that you should consider and evaluate in your organization. Some of these have appeared in previous versions of the OWASP Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (listed in alphabetical order) that you should also consider include:
* [http://www.owasp.org/index.php/Clickjacking Clickjacking] (Newly discovered attack technique in 2008)
+
* [[Clickjacking]] (Newly discovered attack technique in 2008)
 
* Concurrency Flaws  
 
* Concurrency Flaws  
* [http://www.owasp.org/index.php/Application_Denial_of_Service Denial of Service] (Was 2004 Top 10 – Entry A9)
+
* [[Application_Denial_of_Service | Denial of Service]]] (Was 2004 Top 10 – Entry A9)
* [http://projects.webappsec.org/Information-Leakage Information Leakage] and [http://www.owasp.org/index.php/Top_10_2007-A6 Improper Error Handling] (Was part of 2007 Top 10 – Entry A6)
+
* [http://projects.webappsec.org/Information-Leakage Information Leakage] and [[Top_10_2007-A6 | Improper Error Handling]] (Was part of 2007 Top 10 – Entry A6)
 
* [http://projects.webappsec.org/Insufficient+Anti-automation Insufficient Anti-automation]
 
* [http://projects.webappsec.org/Insufficient+Anti-automation Insufficient Anti-automation]
 
* Insufficient Logging and Accountability (Related to 2007 Top 10 – Entry A6)
 
* Insufficient Logging and Accountability (Related to 2007 Top 10 – Entry A6)
* [http://www.owasp.org/index.php/ApplicationLayerIntrustionDetection Lack of Intrusion Detection and Response]
+
* [[ApplicationLayerIntrustionDetection | Lack of Intrusion Detection and Response]]
* [http://www.owasp.org/index.php/Top_10_2007-A3 Malicious File Execution] (Was 2007 Top 10 – Entry A3)
+
* [[Top_10_2007-A3 | Malicious File Execution]] (Was 2007 Top 10 – Entry A3)
 
}}
 
}}
 
{{Top_10_2010:BottomTemplate|useprev=2010PrevLink|usenext=Nothing|prev=Notes About Risk}}
 
{{Top_10_2010:BottomTemplate|useprev=2010PrevLink|usenext=Nothing|prev=Notes About Risk}}

Revision as of 17:16, 22 April 2010

NOTE: THIS IS NOT THE LATEST VERSION. Please visit the OWASP Top 10 project page to find the latest edition.

← Notes About Risk
Top 10 Introduction
Top 10 Risks
 
Top 10 Risk Factor Summary

The following table presents a summary of the 2010 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP team. To understand these risks for a particular application or organization, you must consider your own specific threat agents and business impacts. Even egregious software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved.

RISK Threat Agents Attack Vectors Security Weakness Technical Impacts Business Impacts
A1-Injection Exploitability
EASY
Prevalence
COMMON
Detectability
AVERAGE
Impact
SEVERE
A2-XSS Exploitability
AVERAGE
Prevalence
VERY WIDESPREAD
Detectability
EASY
Impact
MODERATE
A3-Authentication Exploitability
AVERAGE
Prevalence
COMMON
Detectability
AVERAGE
Impact
SEVERE
A4-DOR Exploitability
EASY
Prevalence
COMMON
Detectability
EASY
Impact
MODERATE
A5-CSRF Exploitability
AVERAGE
Prevalence
WIDESPREAD
Detectability
EASY
Impact
MODERATE
A6-Config Exploitability
EASY
Prevalence
COMMON
Detectability
EASY
Impact
MODERATE
A7-Crypto Exploitability
DIFFICULT
Prevalence
UNCOMMON
Detectability
DIFFICULT
Impact
SEVERE
A8-URL Access Exploitability
EASY
Prevalence
UNCOMMON
Detectability
AVERAGE
Impact
MODERATE
A9-Transport Exploitability
DIFFICULT
Prevalence
COMMON
Detectability
EASY
Impact
MODERATE
A10-Redirects Exploitability
AVERAGE
Prevalence
UNCOMMON
Detectability
EASY
Impact
MODERATE


Additional Risks to Consider

The Top 10 covers a lot of ground, but there are other risks that you should consider and evaluate in your organization. Some of these have appeared in previous versions of the OWASP Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (listed in alphabetical order) that you should also consider include:


← Notes About Risk
Top 10 Introduction
Top 10 Risks
 

© 2002-2010 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png