This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "2004 Updates OWASP Top Ten Project"

From OWASP
Jump to: navigation, search
m
m
Line 9: Line 9:
  
 
The table below highlights the relationship between the new Top Ten, last year’s Top Ten, and the WAS TC Thesaurus.
 
The table below highlights the relationship between the new Top Ten, last year’s Top Ten, and the WAS TC Thesaurus.
 +
 +
{| width="95%" border="1" bgcolor="eeeeff" align="center" cellpadding="4" cellspacing="0"
 +
'''New Top Ten 2004'''
 +
'''Top Ten 2003'''
 +
'''New WAS Thesaurus'''
 +
|
 +
A1 Unvalidated Input
 +
|
 +
A1 Unvalidated Parameters
 +
|
 +
Input Validation
 +
|
 +
A2 Broken Access Control
 +
|
 +
A2 Broken Access Control
 +
<br>(A9 Remote Administration Flaws)
 +
|
 +
Access Control
 +
|
 +
A3 Broken Authentication and Session Management
 +
|
 +
A3 Broken Account and Session Management
 +
|
 +
Authentication and Session Management
 +
|
 +
A4 Cross Site Scripting (XSS) Flaws
 +
|
 +
A4 Cross Site Scripting (XSS) Flaws
 +
|
 +
Input Validation->Cross site scripting
 +
|
 +
A5 Buffer Overflows
 +
|
 +
A5 Buffer Overflows
 +
|
 +
Buffer Overflows
 +
|
 +
A6 Injection Flaws
 +
|
 +
A6 Command Injection Flaws
 +
|
 +
Input Validation->Injection
 +
|
 +
A7 Improper Error Handling
 +
|
 +
A7 Error Handling Problems
 +
|
 +
Error Handling
 +
|
 +
A8 Insecure Storage
 +
|
 +
A8 Insecure Use of Cryptography
 +
|
 +
Data Protection
 +
|
 +
A9 Denial of Service
 +
|
 +
N/A
 +
|
 +
Availability
 +
|
 +
A10 Insecure Configuration Management
 +
|
 +
A10 Web and Application Server Misconfiguration
 +
|
 +
Application Configuration Management
 +
<br>Infrastructure Configuration Management
 +
|}
  
 
[[Category:OWASP Top Ten Project]]
 
[[Category:OWASP Top Ten Project]]
  
 
__NOEDITSECTION__
 
__NOEDITSECTION__

Revision as of 18:19, 19 May 2006

What's new?
OWASP has come a long way since the last top was released in January 2003. This update incorporates all the discussion and up to date views, opinions and debate in the OWASP community over the past 12 months. Overall, there have been minor improvements to all parts of the Top Ten, and only a few major changes:
WAS-XML Alignment
One of the new projects initiated in 2003 is the Web Application Security Technical Committee (WAS TC) at OASIS. The purpose of the WAS TC is to produce a classification scheme for web security vulnerabilities, a model to provide guidance for initial threat, impact and therefore risk ratings, and an XML schema to describe web security conditions that can be used by both assessment and protection tools. The OWASP Top Ten project has used the WAS TC as a reference for reprofiling the Top Ten to provide a standardized approach to the classification of web application security vulnerabilities. The WAS Thesaurus defines a standard language for discussing web application security, and we adopt that vocabulary here.
Addition of Denial of Service
The only top level category that changed was the addition of the A9 Denial of Service category to the list. Our research has shown that a broad array of organizations are susceptible to this type of attack. Based on the likelihood of a denial of service attack and the consequences if the attack succeeds, we have determined that it warrants inclusion in the Top Ten. To accommodate this new entry, we have combined last year’s A9 Remote Administration Flaws into the A2 Broken Access Control category as it is a special case of that category. We believe this is appropriate, as the types of flaws in A2 are typically the same as those in A9 and require the same types of remediation.

The table below highlights the relationship between the new Top Ten, last year’s Top Ten, and the WAS TC Thesaurus.

New Top Ten 2004Top Ten 2003New WAS Thesaurus

A1 Unvalidated Input

A1 Unvalidated Parameters

Input Validation

A2 Broken Access Control

A2 Broken Access Control
(A9 Remote Administration Flaws)

Access Control

A3 Broken Authentication and Session Management

A3 Broken Account and Session Management

Authentication and Session Management

A4 Cross Site Scripting (XSS) Flaws

A4 Cross Site Scripting (XSS) Flaws

Input Validation->Cross site scripting

A5 Buffer Overflows

A5 Buffer Overflows

Buffer Overflows

A6 Injection Flaws

A6 Command Injection Flaws

Input Validation->Injection

A7 Improper Error Handling

A7 Error Handling Problems

Error Handling

A8 Insecure Storage

A8 Insecure Use of Cryptography

Data Protection

A9 Denial of Service

N/A

Availability

A10 Insecure Configuration Management

A10 Web and Application Server Misconfiguration

Application Configuration Management
Infrastructure Configuration Management