OWASP 2017

A1:2017 Injection
Injection, ranked A1 in the OWASP Top 10 for 2017, refers to flaws where untrusted data is sent to an interpreter as part of a command or query. Attackers can exploit this by injecting malicious input to access or modify data, execute system commands, or bypass security controls. Common examples include SQL, OS, and LDAP injection. These attacks are dangerous, often easy to exploit, and can lead to serious breaches. Preventing them requires using safe APIs, validating input, and avoiding direct inclusion of user input in queries or commands.
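Added example (not from the OWASP page): the same SQLite lookup written with string splicing and with a bound parameter, plus the positive input validation the text recommends; the user table and the hostile input are constructed for the demonstration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table used for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The untrusted value is spliced into the SQL text, so the interpreter
    # cannot tell where the data ends and the query syntax begins.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(query))

def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the value is bound separately from the SQL text
    # and is only ever treated as a string literal, never as syntax.
    query = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))

def is_valid_username(name: str) -> bool:
    # Defence in depth: positive validation of the shape the field may take.
    return 1 <= len(name) <= 32 and name.isascii() and name.isalnum()

if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"   # constructed input that turns the WHERE clause into a tautology
    print(find_user_vulnerable(conn, hostile))   # every row comes back
    print(find_user_safe(conn, hostile))         # [] because no user has that literal name
    print(is_valid_username(hostile))            # False
```
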
A2:2017 Broken Authentication
Broken Authentication, listed as A2 in the OWASP Top 10 for 2017, occurs when applications incorrectly implement authentication and session management, allowing attackers to compromise passwords, keys, or session tokens. This can result in account takeovers or unauthorized access to systems. Common issues include weak passwords, predictable login credentials, exposed session IDs, and improper timeout settings. To prevent this, use multi-factor authentication, secure password storage, and strong session handling practices that rotate tokens and invalidate sessions after logout or inactivity.
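Added example (not from the OWASP page) of the session handling practices just listed: a server-side store that issues unguessable tokens, rotates them at login, expires them on inactivity or age, and destroys them at logout. The timeouts and the injectable clock are assumptions made for the demonstration.

```python
import secrets
import time
from typing import Optional

IDLE_TIMEOUT = 15 * 60            # seconds of inactivity before a session is dropped
ABSOLUTE_LIFETIME = 8 * 60 * 60   # hard cap on a session's age regardless of activity

class SessionStore:
    """Server-side sessions: random tokens, rotated at login, expiring on idle/age."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so the logic can be tested without sleeping
        self._sessions = {}        # token -> {"user", "created", "last_seen"}

    def login(self, user: str, old_token: Optional[str] = None) -> str:
        # Rotate: the token the browser held before authenticating is discarded,
        # so a pre-login token can never turn into an authenticated one.
        if old_token is not None:
            self._sessions.pop(old_token, None)
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolve a token on every request, enforcing idle and absolute limits."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if (now - session["last_seen"] > IDLE_TIMEOUT
                or now - session["created"] > ABSOLUTE_LIFETIME):
            del self._sessions[token]   # expired: invalidated server-side, not just in the cookie
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token: str) -> None:
        # Logout must destroy the server-side record; clearing the cookie alone is not enough.
        self._sessions.pop(token, None)
```
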
A3:2017 Sensitive Data Exposure
Sensitive Data Exposure, listed as A3 in the OWASP Top 10 for 2017, refers to failures in protecting sensitive information such as passwords, credit card numbers, or personal data. This often happens when data is transmitted or stored without proper encryption, or when outdated protocols and weak cryptographic keys are used. XXE (XML External Entities), which has its own entry as A4 below, is a specific type of attack that exploits insecure XML parsers to access internal files or perform server-side requests. Preventing these issues requires strong encryption, secure data handling, and disabling dangerous XML features that allow external entity resolution.
A4:2017 XML External Entities
XML External Entities (XXE), listed as A4 in the OWASP Top 10 for 2017, is a vulnerability that occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. Attackers can exploit this to access internal files, perform server-side request forgery (SSRF), or reveal sensitive data. This risk often affects applications that accept XML uploads or SOAP messages without disabling external entity processing. To prevent XXE, developers should disable DTDs, use secure parsers, and prefer safer data formats like JSON when possible.
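Added example (not from the OWASP page) of the "disable DTDs" advice using Python's standard expat binding: the parser refuses any DOCTYPE outright and additionally refuses to resolve an external entity if one is ever declared. The two XML documents are constructed inputs, and the file URI in the hostile one is a placeholder that is never fetched.

```python
import xml.parsers.expat

class UnsafeXML(ValueError):
    """Raised when a document uses the features that make XXE possible."""

def parse_untrusted_xml(data: bytes) -> dict:
    """Parse flat XML into {element: text}, refusing any DTD or external entity."""
    parser = xml.parsers.expat.ParserCreate()
    fields, open_elements = {}, []
    def start_doctype(name, system_id, public_id, has_internal_subset):
        # Entities can only be declared inside a DOCTYPE, so refusing the DOCTYPE
        # itself closes off external entities and entity-expansion tricks alike.
        raise UnsafeXML(f"DOCTYPE not accepted (root element {name!r})")
    def external_entity(context, base, system_id, public_id):
        # Belt and braces: never fetch an external entity even if one got declared.
        raise UnsafeXML(f"external entity blocked: {system_id!r}")
    def start_element(name, attrs):
        open_elements.append(name)
        fields.setdefault(name, "")
    def character_data(text):
        if open_elements:
            fields[open_elements[-1]] += text
    def end_element(name):
        fields[name] = fields[name].strip()
        open_elements.pop()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.EndElementHandler = end_element
    parser.Parse(data, True)     # exceptions raised in the handlers propagate out of here
    return fields

def is_rejected(data: bytes) -> bool:
    """True when the parser refuses the document for safety or syntax reasons."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return True
    return False

# Constructed inputs: a benign order, and one that declares an external entity.
BENIGN_XML = b"<order><item>widget</item><qty>2</qty></order>"
HOSTILE_XML = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/never-fetched">]>'
               b"<order><item>&ext;</item></order>")
```
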
A5:2017 Broken Access Control
Broken Access Control, listed as A5 in the OWASP Top 10 for 2017, occurs when applications fail to enforce restrictions on what authenticated users are allowed to do. This can allow users to access data or functions outside their intended permissions, such as viewing other users’ information, modifying records, or performing admin-level actions. These flaws are often caused by missing or inconsistent access checks on the server. To prevent them, enforce role-based access rules, deny access by default, and validate permissions server-side for every request, not just in the user interface.
A6:2017 Security Misconfiguration
Security Misconfiguration, listed as A6 in the OWASP Top 10 for 2017, refers to improper setup of security controls in applications, servers, databases, or platforms. It includes using default credentials, overly verbose error messages, unnecessary features, or outdated software. These issues often arise from insecure default settings or a lack of hardening and regular maintenance. Attackers can exploit misconfigurations to gain unauthorized access or leak sensitive information. To prevent this, developers and administrators should disable unused services, enforce secure settings, keep systems updated, and automate configuration checks where possible.
A7:2017 Cross-Site Scripting
Cross-Site Scripting (XSS), listed as A7 in the OWASP Top 10 for 2017, occurs when an application includes untrusted data in web pages without proper validation or escaping. This allows attackers to inject malicious scripts into content viewed by other users, leading to session hijacking, defacement, or redirection to malicious sites. XSS typically happens when input is reflected in the browser or stored and later displayed. Preventing XSS requires proper output encoding, input validation, using secure libraries, and applying Content Security Policy (CSP) to reduce the impact of potential attacks.
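Added example (not from the OWASP page) of the output-encoding and CSP advice: a profile template rendered once with raw input and once with each value encoded for the context it lands in (element text, attribute, inline script), together with a nonce-based CSP header. The template, the hostile input and the policy are constructed for the demonstration.

```python
import html
import json
import secrets

def encode_for_html_text(value: str) -> str:
    # Element content: '<', '>' and '&' must reach the browser as entities.
    return html.escape(value, quote=False)

def encode_for_html_attr(value: str) -> str:
    # Attribute values must also have quotes escaped, or input could close
    # the attribute and add a new one such as an event handler.
    return html.escape(value, quote=True)

def encode_for_js_string(value: str) -> str:
    # Data handed to inline script: emit a JSON string literal and escape
    # '<' and '>' so a "</script>" inside the value cannot end the block.
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def render_profile_vulnerable(name: str, bio: str) -> str:
    # Untrusted input pasted straight into three different contexts.
    return (f'<h1 title="{name}">{name}</h1><p>{bio}</p>'
            f'<script>var who = "{name}";</script>')

def render_profile_safe(name: str, bio: str, nonce: str) -> str:
    # Each value is encoded for the exact context it is inserted into.
    return (f'<h1 title="{encode_for_html_attr(name)}">{encode_for_html_text(name)}</h1>'
            f'<p>{encode_for_html_text(bio)}</p>'
            f'<script nonce="{nonce}">var who = {encode_for_js_string(name)};</script>')

def csp_header(nonce: str) -> tuple:
    # Defence in depth: only scripts carrying this per-response nonce may run,
    # so an injected inline script is blocked even if an encoding step is missed.
    policy = (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
              "object-src 'none'; base-uri 'none'")
    return ("Content-Security-Policy", policy)

def new_nonce() -> str:
    return secrets.token_urlsafe(16)    # fresh for every response, never reused
```
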
A8:2017 Insecure Deserialization
Insecure Deserialization, listed as A8 in the OWASP Top 10 for 2017, occurs when untrusted data is used to reconstruct objects in an application, allowing attackers to manipulate serialized data to execute code, tamper with objects, or escalate privileges. This risk arises when applications blindly trust incoming data and use unsafe deserialization methods. Successful exploitation can lead to remote code execution or access control bypass. To prevent this, avoid deserializing data from untrusted sources, implement integrity checks, and use formats like JSON instead of native binary serialization when possible.
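Added example (not from the OWASP page) of the two mitigations named last: session data is carried as plain JSON with an HMAC-SHA256 integrity tag, and on the way back in it is only accepted once the tag verifies and the object matches an allowlisted shape. The key, field schema and the tampering helper are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a real deployment loads this from a secret store; constructed here.
SECRET_KEY = b"constructed-demo-key-not-for-production"
# Allowlist of the fields a session object may carry, with their required types.
SCHEMA = {"user_id": int, "role": str}

def dumps_signed(obj: dict) -> str:
    """Serialise the allowed fields as canonical JSON and append an HMAC-SHA256 tag."""
    body = json.dumps({k: obj[k] for k in SCHEMA}, sort_keys=True,
                      separators=(",", ":")).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(body).decode(),
                      base64.urlsafe_b64encode(tag).decode())

def loads_verified(token: str) -> dict:
    """Rebuild the object only after the tag and the shape both check out."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:                        # binascii.Error is a ValueError subclass
        raise ValueError("malformed token") from None
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        raise ValueError("integrity check failed")
    obj = json.loads(body)                    # plain data; nothing executable is rebuilt
    if (not isinstance(obj, dict) or set(obj) != set(SCHEMA)
            or any(not isinstance(obj[k], t) for k, t in SCHEMA.items())):
        raise ValueError("unexpected object shape")
    return obj

def tampered(token: str, field: str, value) -> str:
    """Constructed tampering: change a field in the body but keep the original tag."""
    body_b64, tag_b64 = token.split(".", 1)
    obj = json.loads(base64.urlsafe_b64decode(body_b64))
    obj[field] = value
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + tag_b64

def token_rejected(token: str) -> bool:
    try:
        loads_verified(token)
    except ValueError:
        return True
    return False
```
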
A9:2017 Components With Known Vulnerabilities
Components with Known Vulnerabilities, listed as A9 in the OWASP Top 10 for 2017, refers to the use of libraries, frameworks, and other software modules with publicly known security flaws. Applications often rely on third-party components, and if these are outdated or unpatched, attackers can exploit their weaknesses to compromise systems. Many vulnerabilities are well-documented and easily discoverable, making unpatched components a major risk. To reduce exposure, organizations should track their dependencies, keep them updated, use tools to detect known issues, and remove unused components from the application environment.
A10:2017 Insufficient Logging And Monitoring
Insufficient Logging and Monitoring, listed as A10 in the OWASP Top 10 for 2017, refers to the failure to detect, log, and respond to security events effectively. Without proper logging and monitoring, attacks can go unnoticed, giving attackers more time to exploit systems or exfiltrate data. This includes missing audit trails, poor alerting, or not reviewing logs regularly. It also affects incident response, as teams may lack the visibility needed to understand or contain an attack. To improve security, applications should log critical events, monitor them actively, and ensure alerts trigger timely investigation and response.
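Added example (not from the OWASP page) of monitoring logged security events: a detector that runs over authentication log lines and raises one alert per source that reaches a threshold of failed logins inside a sliding window, listing which accounts were targeted. The log format, the sample lines and the threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an application's authentication log (not real data;
# 203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth result=fail user=alice src=203.0.113.5
2024-05-01T10:00:04Z auth result=fail user=alice src=203.0.113.5
2024-05-01T10:00:05Z auth result=ok   user=bob   src=198.51.100.7
2024-05-01T10:00:06Z this line is not an auth event and is skipped
2024-05-01T10:00:09Z auth result=fail user=admin src=203.0.113.5
2024-05-01T10:00:12Z auth result=fail user=root  src=203.0.113.5
2024-05-01T10:03:00Z auth result=fail user=bob   src=198.51.100.7
"""

LINE = re.compile(r"^(?P<ts>\S+) auth result=(?P<result>\w+)\s+"
                  r"user=(?P<user>\S+)\s+src=(?P<src>\S+)$")

def failed_login_alerts(lines, threshold=3, window=timedelta(minutes=1)):
    """Return one alert per source that reaches `threshold` failures inside `window`."""
    recent = defaultdict(deque)       # src -> (timestamp, user) of failures still in the window
    alerts, already_alerted = [], set()
    for line in lines:
        m = LINE.match(line)
        if not m or m["result"] != "fail":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        hits = recent[m["src"]]
        hits.append((ts, m["user"]))
        while ts - hits[0][0] > window:   # slide the window forward
            hits.popleft()
        if len(hits) >= threshold and m["src"] not in already_alerted:
            already_alerted.add(m["src"])
            alerts.append({"src": m["src"], "at": m["ts"], "failures": len(hits),
                           "users": sorted({user for _, user in hits})})
    return alerts

if __name__ == "__main__":
    for alert in failed_login_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```
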