Difference between revisions of "Top 10-2017 Details About Risk Factors"

Revision as of 15:11, 23 April 2017

Top 10 Risk Factor Summary

The following table presents a summary of the 2017 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team. To understand these risks for a particular application or organization, you must consider your own specific threat agents and business impacts. Even egregious software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved.

Risk	Threat Agents	Attack Vectors	Security Weakness (Prevalence)	Security Weakness (Detectability)	Technical Impacts	Business Impacts
A1-Injection	App Specific	EASY	COMMON	AVERAGE	SEVERE	App Specific
A2-Authentication	App Specific	AVERAGE	COMMON	AVERAGE	SEVERE	App Specific
A3-XSS	App Specific	AVERAGE	VERY WIDESPREAD	AVERAGE	MODERATE	App Specific
A4-Access Ctrl	App Specific	EASY	WIDESPREAD	EASY	MODERATE	App Specific
A5-Misconfig	App Specific	EASY	COMMON	EASY	MODERATE	App Specific
A6-Sens. Data	App Specific	DIFFICULT	UNCOMMON	AVERAGE	SEVERE	App Specific
A7-Attack Prot.	App Specific	EASY	COMMON	AVERAGE	MODERATE	App Specific
A8-CSRF	App Specific	AVERAGE	UNCOMMON	EASY	MODERATE	App Specific
A9-Vulnerable Components	App Specific	AVERAGE	COMMON	AVERAGE	MODERATE	App Specific
A10-API Prot.	App Specific	AVERAGE	COMMON	DIFFICULT	MODERATE	App Specific

Additional Risks to Consider

The Top 10 covers a lot of ground, but there are many other risks you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (in alphabetical order) that you should also consider include:

Clickjacking (CAPEC-103)
Denial of Service (CWE-400) (Was 2004 Top 10 – Entry 2004-A9)
Deserialization of Untrusted Data (CWE-502) For defenses, see: OWASP Deserialization Cheat Sheet
xpression Language Injection (CWE-917)
Information Leakage (CWE-209) and Improper Error Handling (CWE-388) (was part of 2007 Top 10 – Entry 2007-A6)
Hotlinking Third Party Content (CWE-829)
Malicious File Execution (CWE-434]) (Was 2007 Top 10 – Entry 2007-A3)
Mass Assignment (CWE-915)
Server-Side Request Forgery (SSRF) (CWE-918)
Unvalidated Redirects and Forwards (CWE-601) (Was 2013 Top 10 – Entry 2013-A10)
User Privacy (CWE-359)

← Note About Risks

2017 Table of Contents

PDF version

@@ Line 27: / Line 27: @@
       <th style="border: 3px solid #444444;">{{Top_10:LanguageFile|text=businessImpacts|language=en}}</th>
 </tr>
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2017}}|A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2017}}]]</td>
+<tr><td style="border: 3px solid #444444;"><b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2017}}|A1-{{Top_10_2010:ByTheNumbers|1|language=en|year=2017}}]]</u></b></td>
 <td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=1|prevalence=2|detectability=2|impact=1|language=en|year=2017}}
 <td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2017}}|A2-{{Top_10:LanguageFile|text=authentication|year=2017|language=en}}]]</td>
+<tr><td style="border: 3px solid #444444;"><b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A2-{{Top_10_2010:ByTheNumbers|2|language=en|year=2017}}|A2-{{Top_10:LanguageFile|text=authentication|year=2017|language=en}}]]</u></b></td>
 <td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=2|detectability=2|impact=1|language=en|year=2017}}
@@ Line 38: / Line 38: @@
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2017}}|A3-{{Top_10:LanguageFile|text=xssShort|year=2017|language=en}}]]</td>
+<tr><td style="border: 3px solid #444444;"><b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A3-{{Top_10_2010:ByTheNumbers|3|language=en|year=2017}}|A3-{{Top_10:LanguageFile|text=xssShort|year=2017|language=en}}]]</u></b></td>
 <td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=0|detectability=2|impact=2|language=en|year=2017}}
 <td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}|A4-{{Top_10:LanguageFile|text=accessCtrl|year=2017|language=en}}]]</td><td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
+<tr><td style="border: 3px solid #444444;"><b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A4-{{Top_10_2010:ByTheNumbers|4|language=en|year=2017}}|A4-{{Top_10:LanguageFile|text=accessCtrl|year=2017|language=en}}]]</u></b></td>
+<td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=1|prevalence=1|detectability=1|impact=2|language=en|year=2017}}
 <td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2017}}|A5-{{Top_10:LanguageFile|text=misconfig|year=2017|language=en}}]]</td>
+<tr><td style="border: 3px solid #444444;"><b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A5-{{Top_10_2010:ByTheNumbers|5|language=en|year=2017}}|A5-{{Top_10:LanguageFile|text=misconfig|year=2017|language=en}}]]</u></b></td>
 <td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=1|prevalence=2|detectability=1|impact=2|language=en|year=2017}}
 <td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2017}}|A6-{{Top_10:LanguageFile|text=sensData|year=2017|language=en}}]]</td>
+<tr><td style="border: 3px solid #444444;"><b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A6-{{Top_10_2010:ByTheNumbers|6|language=en|year=2017}}|A6-{{Top_10:LanguageFile|text=sensData|year=2017|language=en}}]]</u></b></td>
 <td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=3|prevalence=3|detectability=2|impact=1|language=en|year=2017}}
 <td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}|A7-{{Top_10:LanguageFile|text=attackProt|year=2017|language=en}}]]</td>
+<tr><td style="border: 3px solid #444444;"><b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A7-{{Top_10_2010:ByTheNumbers|7|language=en|year=2017}}|A7-{{Top_10:LanguageFile|text=attackProt|year=2017|language=en}}]]</u></b></td>
 <td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=1|prevalence=2|detectability=2|impact=2|language=en|year=2017}}
 <td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2017}}|A8-{{Top_10:LanguageFile|text=csrfShort|year=2017|language=en}}]]</td>
+<tr><td style="border: 3px solid #444444;"><b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A8-{{Top_10_2010:ByTheNumbers|8|language=en|year=2017}}|A8-{{Top_10:LanguageFile|text=csrfShort|year=2017|language=en}}]]</u></b></td>
 <td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=3|detectability=1|impact=2|language=en|year=2017}}
 <td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2017}}|A9-{{Top_10:LanguageFile|text=vulnComponents|year=2017|language=en}}]]</td>
+<tr><td style="border: 3px solid #444444;"><b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A9-{{Top_10_2010:ByTheNumbers|9|language=en|year=2017}}|A9-{{Top_10:LanguageFile|text=vulnComponents|year=2017|language=en}}]]</u></b></td>
 <td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=2|detectability=2|impact=2|language=en|year=2017}}
 <td style="border: 3px solid #444444"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td></tr>
-<tr><td style="border: 3px solid #444444;">[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}|A10-{{Top_10:LanguageFile|text=ApiProt|year=2017|language=en}}]]</td>
+<tr><td style="border: 3px solid #444444;"><b><u>[[{{Top_10:LanguageFile|text=documentRootTop10|year=2017|language=en}}-A10-{{Top_10_2010:ByTheNumbers|10|language=en|year=2017}}|A10-{{Top_10:LanguageFile|text=ApiProt|year=2017|language=en}}]]</u></b></td>
 <td style="border: 3px solid #444444;"><b>{{Top_10:LanguageFile|text=appSpecific|language=en}}</b></td>
    {{Top_10:SummaryTableTemplate|type=valueOnly|exploitability=2|prevalence=2|detectability=3|impact=2|language=en|year=2017}}
@@ Line 82: / Line 83: @@
 {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=whole|title={{Top_10:LanguageFile|text=additionalRisksToConsider|language=en}}|width=100%|year=2017|language=en}}
 The Top 10 covers a lot of ground, but there are many other risks you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time.  Other important application security risks (in alphabetical order) that you should also consider include:
-* [[Clickjacking]] ([https://capec.mitre.org/data/definitions/103.html CAPEC-103])
+* <u>[[Clickjacking]]</u> (<u>[https://capec.mitre.org/data/definitions/103.html CAPEC-103]</u>)
-* [https://www.owasp.org/index.php/Application_Denial_of_Service Denial of Service] ([http://cwe.mitre.org/data/definitions/400.html CWE-400]) (Was 2004 Top 10 – [https://www.owasp.org/index.php/A9_2004_Application_Denial_of_Service Entry 2004-A9])
+* <u>[[Application_Denial_of_Service|Denial of Service]]</u> (<u>[http://cwe.mitre.org/data/definitions/400.html CWE-400]</u>) (Was 2004 Top 10 – <u>[[A9_2004_Application_Denial_of_Service|Entry 2004-A9]]</u>)
-* [https://www.owasp.org/index.php/Deserialization_of_untrusted_data Deserialization of Untrusted Data] ([http://cwe.mitre.org/data/definitions/502.htmlCWE-502]) For defenses, see: [https://www.owasp.org/index.php/Deserialization_Cheat_Sheet OWASP Deserialization Cheat Sheet]
+* <u>[[Deserialization_of_untrusted_data|Deserialization of Untrusted Data]]</u> (<u>[http://cwe.mitre.org/data/definitions/502.html CWE-502]</u>) For defenses, see: <u>[[Deserialization_Cheat_Sheet|OWASP Deserialization Cheat Sheet]]</u>
-* [https://www.aspectsecurity.com/uploads/downloads/2011/09/ExpressionLanguageInjection.pdf xpression Language Injection] ([http://cwe.mitre.org/data/definitions/917.html CWE-917])
+* <u>[https://www.aspectsecurity.com/uploads/downloads/2011/09/ExpressionLanguageInjection.pdf xpression Language Injection]</u> (<u>[http://cwe.mitre.org/data/definitions/917.html CWE-917]</u>)
-* [http://projects.weba'psec.org/Information-Leakage Information Leakage] ([https://cwe.mitre.org/data/definitions/209.html CWE-209]) and [https://www.owasp.org/index.php/Top_10_2007-A6 Improper Error Handling] ([https://cwe.mitre.org/data/definitions/388.html CWE-388]) (was part of 2007 Top 10 – [https://www.owasp.org/index.php/Top_10_2007-A6 Entry 2007-A6])
+* <u>[http://projects.webappsec.org/Information-Leakage Information Leakage]</u> (<u>[https://cwe.mitre.org/data/definitions/209.html CWE-209]</u>) and <u>[[Top_10_2007-A6|Improper Error Handling]]</u> (<u>[https://cwe.mitre.org/data/definitions/388.html CWE-388]</u>) (was part of 2007 Top 10 – <u>[[Top_10_2007-A6|Entry 2007-A6]]</u>)
-* [https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf Hotlinking Third Party Content] ([https://cwe.mitre.org/data/definitions/829.htmlCWE-829])
+* <u>[https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf Hotlinking Third Party Content]</u> (<u>[https://cwe.mitre.org/data/definitions/829.html CWE-829]</u>)
-* [https://www.owasp.org/index.php/Top_10_2007-A3 Malicious File Execution] ([https://cwe.mitre.org/data/definitions/434.html CWE-434]) ([Was 2007 Top 10 – [https://www.owasp.org/index.php/Top_10_2007-A3 Entry 2007-A3])
+* <u>[[Top_10_2007-A3|Malicious File Execution]]</u> (<u>[https://cwe.mitre.org/data/definitions/434.html CWE-434]]</u>) (Was 2007 Top 10 – <u>[[Top_10_2007-A3|Entry 2007-A3]]</u>)
-* [http://en.wikipedia.org/wiki/Mass_assignment_vulnerability Mass Assignment] ([http://cwe.mitre.org/data/definitions/915.html CWE-915])
+* <u>[http://en.wikipedia.org/wiki/Mass_assignment_vulnerability Mass Assignment]</u> (<u>[http://cwe.mitre.org/data/definitions/915.html CWE-915]</u>)
-* [https://cwe.mitre.org/data/definitions/918.html Server-Side Request Forgery] (SSRF) (CWE-918)
+* <u>[https://cwe.mitre.org/data/definitions/918.html Server-Side Request Forgery (SSRF) (CWE-918)]</u>
-* [https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards Unvalidated Redirects and Forwards] ([https://cwe.mitre.org/data/definitions/601.html CWE-601]) (Was 2013 Top 10 – [https://cwe.mitre.org/data/definitions/601.html Entry 2013-A10])
+* <u>[[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Unvalidated Redirects and Forwards]]</u> (<u>[https://cwe.mitre.org/data/definitions/601.html CWE-601]</u>) (Was 2013 Top 10 – <u>[[Top_10_2013-A10-Unvalidated_Redirects_and_Forwards|Entry 2013-A10]]</u>)
-* [https://www.owasp.org/index.php/Privacy_Violation User Privacy] ([https://cwe.mitre.org/data/definitions/359.htmlCWE-359]])
+* <u>[[Privacy_Violation|User Privacy]]</u> (<u>[https://cwe.mitre.org/data/definitions/359.html CWE-359]</u>)
 {{Top_10:SubsectionTableEndTemplate}}

Difference between revisions of "Top 10-2017 Details About Risk Factors"

Revision as of 15:11, 23 April 2017

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools