Open Web Application Security Project (OWASP)
OWASP is a non-profit, open-community organization dedicated to improving the security of software. Its best-known project is the OWASP Top Ten, a regularly updated list of the most critical web application security risk categories, each mapped to the Common Weakness Enumeration (CWE) IDs it covers where those are available. For each category OWASP also publishes guidance on how to prevent it, alongside testing guides and cheat sheets. All of the information posted on OWASP is free to view and use. I have provided only a brief overview of the website to show what it is used for, together with a short summary of each of the top ten web application risk categories; OWASP itself provides a wealth of further information and guidance on security best practices.
TOP TEN:
The list below is the current edition of the Top Ten (the 2021 list). At the time of writing, the release of the 2025 edition was expected in the first half of the following year.
1) Broken Access Control - Access control enforces that users can act only within their intended permissions. It fails when the application does not check, on the server side, that the authenticated user is actually allowed to perform the requested action on the requested object: reading another customer's record by changing an ID in the URL, reaching admin functions without the admin role, or escalating privileges by tampering with a request parameter. The remedy follows the principle of least privilege: deny by default, grant each role only the access needed to do its job, and enforce the check on every request rather than trusting the client. Unnecessary access can have devastating consequences, such as data being damaged, altered, or stolen.
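The following is an added illustration of an object-level authorization check; it is not code from OWASP or from this page. The roles, users and invoice store are constructed in-memory stand-ins for a real session and database, and the endpoint names are hypothetical.

```python
# Added illustration (not code from OWASP or this page) of an object-level
# authorization check. Roles, users and the invoice store are constructed
# in-memory stand-ins for a real session and database.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # assumed roles: "customer" or "admin"


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


# Constructed sample data: each invoice belongs to exactly one customer.
INVOICES = {
    1001: {"owner_id": 1, "amount": 120.00},
    1002: {"owner_id": 2, "amount": 99.50},
}


def get_invoice_vulnerable(current_user: User, invoice_id: int) -> dict:
    """Broken access control: the user is authenticated, but ownership is never
    checked, so anyone can read any invoice just by changing the id in the
    request (an insecure direct object reference)."""
    return INVOICES[invoice_id]


def get_invoice_secure(current_user: User, invoice_id: int) -> dict:
    """Deny by default. `current_user` comes from the server-side session, never
    from anything the client sends. Only the owner or an admin may read it."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        # Same response for "does not exist" and "not yours", so ids cannot be
        # enumerated by comparing the two error cases.
        raise Forbidden("not found or not permitted")
    if current_user.role != "admin" and invoice["owner_id"] != current_user.user_id:
        raise Forbidden("not found or not permitted")
    return invoice


def can_read(current_user: User, invoice_id: int) -> bool:
    """Convenience wrapper so the policy can be checked without exceptions."""
    try:
        get_invoice_secure(current_user, invoice_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    alice, bob, admin = User(1, "customer"), User(2, "customer"), User(99, "admin")
    # Bob can read Alice's invoice through the vulnerable endpoint...
    print("vulnerable:", get_invoice_vulnerable(bob, 1001))
    # ...but not through the secured one; Alice and the admin still can.
    print("secure:", can_read(bob, 1001), can_read(alice, 1001), can_read(admin, 1001))
```

The important design point is where `current_user` comes from: it is taken from the server-side session, and the ownership check runs on every request, so an attacker who rewrites the invoice ID gains nothing.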
2) Cryptographic Failures - This category covers failing to protect sensitive data with cryptography, or doing so badly: sending data in clear text over HTTP instead of HTTPS, storing it unencrypted at rest, using weak or deprecated algorithms and protocols, or misusing otherwise sound primitives. A common example is hashing passwords with a fast, unsalted general-purpose hash such as MD5 or SHA-1 (which are hash functions, not encryption), which makes the stored hashes easy to crack offline; passwords should instead be stored with a salted, deliberately slow password hash such as Argon2, bcrypt, scrypt or PBKDF2.
3) Injection - Injection occurs when untrusted data is sent to an interpreter as part of a command or query, so that attacker-controlled input is parsed as code rather than treated as data. The best-known form is SQL injection (SQLi), where input from a form field or URL parameter alters the SQL statement and lets the attacker read private data from the database, bypass a login, or modify and delete data; the same pattern appears in OS command, LDAP and NoSQL injection, and since the 2021 edition cross-site scripting (XSS) is counted here as well. The recommended prevention is to use a safe API that avoids the interpreter entirely or offers a parameterized interface (prepared statements with bound parameters, or an ORM), to apply positive (allow-list) server-side input validation as a second layer, and to run the application's database account with least privilege so that any injection that does get through has limited impact.
4) Insecure Design - This refers to risks that stem from missing or ineffective security controls in the design of an application itself, as opposed to bugs in how a sound design was implemented; a flawed design cannot be fixed by perfect coding. Examples are business logic that can be abused, authentication flows that can be bypassed, URL or parameter tampering that the design never anticipated, and missing limits that allow privilege escalation or theft of private information. Prevention means building security in from the start: a secure development lifecycle with secure coding best practices, threat modeling of the critical flows, established design patterns and reference architectures, and checking for vulnerabilities consistently throughout development rather than only at the end.
5) Security Misconfiguration - This vulnerability results from failing to apply security best practices such as hardening: disabling unused or unnecessary ports, services and features, adhering to the principle of least privilege, and ensuring that default accounts and passwords are removed or changed. Error handling is another frequent source, since verbose error messages and stack traces can reveal information that is useful to an attacker, as are missing security headers and outdated or overly permissive settings in frameworks, web servers and cloud services. Prevention steps include: a repeatable, automated hardening process applied identically to every environment, regular configuration reviews, enabling only the features and services that are necessary, and limiting the blast radius of a mistake with ACLs and network segmentation.
6) Vulnerable and Outdated Components - Using hardware and software that is outdated, unpatched or no longer supported can have devastating consequences, and this applies to every component in the stack: operating systems, web and application servers, databases, frameworks, and third-party libraries together with their transitive dependencies. Maintain a regular inventory of components and their versions, on both the client and the server side, and ensure each has the latest security patches. Checking the specific versions in use against the Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD), subscribing to vendor security advisories, and running a software composition analysis tool in the build pipeline are good ways to stay current.
7) Identification and Authentication Failures - Examples of this vulnerability are: failing to implement multi-factor authentication (MFA), not taking measures against automated password attacks such as dictionary attacks, credential stuffing and brute force, accepting weak or well-known passwords, exposing session IDs in the URL, and allowing session IDs to be reused or leaving them valid after logout. Steps to mitigate these include: MFA wherever possible, rate limiting and a temporary lockout after repeated failed attempts, generating session IDs with a secure random generator and issuing a fresh one after each login, storing passwords with a salted, slow hash, and checking new passwords against a list of known-breached passwords; NIST SP 800-63B recommends a minimum length and such breach-list checks rather than arbitrary complexity rules, and can be referenced for further guidance.
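The added example below serves both item 2 and item 7; it is not code from OWASP or this page. It shows unsalted MD5 beside salted PBKDF2 password storage, a breach-list check instead of composition rules, lockout after repeated failures, and random session IDs with server-side invalidation. The user names, passwords and the tiny breached-password set are constructed, the iteration and lockout constants are assumptions, and the clock is injectable so the lockout can be exercised offline.

```python
# Added example (not from OWASP or this page) covering items 2 and 7: salted,
# slow password hashing in place of unsalted MD5, a breach-list check instead
# of composition rules, lockout after repeated failures, and unguessable
# session IDs. Usernames, passwords and the breached-password list are
# constructed; the clock is injectable so lockout can be tested offline.
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor; OWASP's guidance for PBKDF2-HMAC-SHA256
MAX_ATTEMPTS = 5             # assumed policy values
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 8      # NIST SP 800-63B minimum for user-chosen passwords
# Constructed stand-in for a breached-password list (in practice, millions of entries).
KNOWN_BREACHED = {"password", "123456", "qwerty", "letmein", "password1"}


def weak_hash(password: str) -> str:
    """What not to do: unsalted MD5. Fast, so offline guessing is cheap, and
    identical passwords give identical hashes, so one crack exposes many users."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Random per-user salt plus a deliberately slow key derivation."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time comparison


def password_acceptable(password: str) -> bool:
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in KNOWN_BREACHED


# Hashed once so that an unknown username costs the same as a wrong password
# (no timing-based username enumeration).
_DUMMY_HASH = hash_password(secrets.token_hex(16))


class AuthService:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._users: Dict[str, str] = {}                    # username -> stored hash
        self._failures: Dict[str, Tuple[int, float]] = {}   # username -> (count, locked_until)
        self._sessions: Dict[str, str] = {}                 # session id -> username

    def register(self, username: str, password: str) -> None:
        if not password_acceptable(password):
            raise ValueError("password too short or known to be breached")
        self._users[username] = hash_password(password)

    def login(self, username: str, password: str) -> Optional[str]:
        """Returns a fresh session ID on success, None on failure or lockout."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return None  # still locked; do not even evaluate the password
        stored = self._users.get(username)
        ok = verify_password(password, stored if stored is not None else _DUMMY_HASH)
        if stored is None or not ok:
            count += 1
            if count >= MAX_ATTEMPTS:
                locked_until = now + LOCKOUT_SECONDS
            self._failures[username] = (count, locked_until)
            return None
        self._failures.pop(username, None)
        # 256 bits from the CSPRNG, issued per login and never derived from user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def whoami(self, session_id: str) -> Optional[str]:
        return self._sessions.get(session_id)

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)  # server-side invalidation, so the ID cannot be reused
```

Two details are easy to miss in a real implementation: the dummy hash keeps the response time for an unknown user indistinguishable from a wrong password, and a locked account is rejected before the password is evaluated, so the lockout also caps the CPU an attacker can burn on the slow hash.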
8) Software and Data Integrity Failures - This category covers code and infrastructure that do not protect against integrity violations: pulling in third-party libraries, modules or plugins from untrusted or unverified sources and CDNs, auto-update mechanisms that apply updates without verifying them, CI/CD pipelines that can be tampered with, and deserializing untrusted data. Such resources bring the potential for introducing malware into the application as well as unauthorized access. To help prevent this, verify digital signatures (or at least pinned checksums) to ensure that code and updates are legitimate and have not been altered in any way, use trusted repositories and lockfiles, review and restrict changes to the build and deployment pipeline, and do not accept serialized objects from untrusted clients without an integrity check.
9) Security Logging and Monitoring Failures - Accurate and sufficient logging and monitoring are essential to detecting security incidents and indicators of compromise. If adequate alerts and record keeping are not in place, many attacks go unnoticed. An example would be several failed login attempts taking place in quick succession, which could indicate a brute-force attack, while no one is aware of it because the attempts were not logged, or were logged but no alert was configured to fire after a certain number of attempts. Ways to help prevent this include: logging all login, access-control and server-side validation failures with enough context to identify the source and the targeted account, setting alerts on bursts of failed logins and other suspicious activity, monitoring for suspicious accounts, keeping an audit trail of high-value transactions in tamper-resistant storage, and having an incident response plan. NIST SP 800-61 Rev. 2 (incident handling) and NIST SP 800-92 (log management) can also be used for further guidance.
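As an added example (not from OWASP or this page), the detector below parses constructed authentication log lines and alerts on a burst of failures from one source address, and again if that source then logs in successfully. The key=value log format, the addresses (RFC 5737 documentation ranges) and the threshold are assumptions, not any real product's format or policy.

```python
# Added example (not from OWASP or this page): a small detector that parses
# constructed authentication log lines and alerts on a burst of failures from
# one source, and on a success from a source that was just brute-forcing.
# The log format is an assumed key=value layout, not any real product's.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional

# Constructed sample log (RFC 5737 documentation addresses, fake users).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth status=failure user=alice src=203.0.113.7
2024-05-01T10:00:03Z auth status=failure user=alice src=203.0.113.7
2024-05-01T10:00:04Z auth status=success user=bob src=198.51.100.4
2024-05-01T10:00:06Z auth status=failure user=alice src=203.0.113.7
2024-05-01T10:00:09Z auth status=failure user=alice src=203.0.113.7
this line is malformed and must be skipped, not crash the detector
2024-05-01T10:00:12Z auth status=failure user=alice src=203.0.113.7
2024-05-01T10:00:15Z auth status=failure user=alice src=203.0.113.7
2024-05-01T10:00:20Z auth status=success user=alice src=203.0.113.7
2024-05-01T10:30:00Z auth status=failure user=carol src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z auth "
    r"status=(?P<status>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def detect(lines: Iterable[str], threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Sliding window of failure timestamps per source address. Fires once when
    the count first reaches `threshold` inside `window`, and again if that
    source then logs in successfully (possible credential compromise)."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not fatal
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if ev["status"] == "failure":
            q.append(ev["ts"])
            if len(q) == threshold:
                alerts.append({"type": "bruteforce", "src": ev["src"],
                               "user": ev["user"], "count": len(q), "at": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "count": len(q), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log this yields exactly two alerts: the fifth failure from 203.0.113.7 within the window, and the success from the same address shortly afterwards, which is the event a responder most wants to see; the single failure from 198.51.100.4 never crosses the threshold.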
10) Server-Side Request Forgery (SSRF) - Here the attacker is able to make the server fetch a URL of the attacker's choosing, typically by manipulating a URL parameter that the application fetches without validating it, so that the server issues requests to internal resources and services the attacker could not reach directly, such as internal admin interfaces, cloud instance metadata endpoints and databases. Attackers use this to bypass firewalls, VPNs and ACLs, because the request originates from a trusted server inside the network. Measures that can be taken to prevent it are: validating and sanitizing the user-supplied URL and enforcing an allow list of permitted schemes, hosts and ports while rejecting internal and link-local addresses, disabling HTTP redirection so that a permitted URL cannot bounce to a forbidden one, not returning raw responses to the client, and, at the network layer, segmenting the functionality that fetches remote resources and applying a deny-by-default firewall policy to reduce the impact of any SSRF that does get through.
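The added example below (not from OWASP or this page) shows allow-list validation of a user-supplied URL before the server fetches it. The permitted hosts are a constructed allow list, and `resolve` is an injectable hostname-to-IP lookup so the check runs offline and can be tested with fake answers.

```python
# Added example (not from OWASP or this page): allow-list validation of a
# user-supplied URL before the server fetches it. The permitted hosts are a
# constructed allow list; `resolve` is an injectable hostname-to-IP lookup so
# the check can run offline and be tested with fake answers.
import ipaddress
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}  # assumed allow list
ALLOWED_PORTS = {None, 443}


def _is_internal(ip) -> bool:
    """Loopback, RFC 1918, link-local (which includes the cloud metadata
    address 169.254.169.254), multicast, reserved and unspecified addresses."""
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url: str,
              resolve: Optional[Callable[[str], List[str]]] = None) -> Tuple[bool, str]:
    """Returns (allowed, reason). Everything not explicitly permitted is rejected."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable url"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        # "https://api.example.com@127.0.0.1/" hides the real host behind userinfo
        return False, "userinfo not allowed"
    host = parts.hostname  # already lower-cased, brackets stripped from IPv6
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "ip literals not allowed; use an allow-listed hostname"
    except ValueError:
        pass
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allow list"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if resolve is not None:
        # Even an allow-listed name can be pointed at an internal address.
        for addr in resolve(host):
            if _is_internal(ipaddress.ip_address(addr)):
                return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in [
        "https://api.example.com/v1/items",
        "http://api.example.com/v1/items",
        "https://169.254.169.254/latest/meta-data/",
        "https://api.example.com@127.0.0.1/",
        "https://api.example.com:8080/",
        "file:///etc/passwd",
    ]:
        print(candidate, "->", check_url(candidate))
```

Validation alone leaves a DNS rebinding window between the lookup and the connection, so the fetching client should connect to the address it validated, follow no redirects (each redirect target would otherwise need the same check), and run in a segmented network with deny-by-default egress as the page describes.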