Difference between revisions of "2004 Updates OWASP Top Ten Project"

From OWASP
Jump to: navigation, search
m
m
Line 10: Line 10:
 
The table below highlights the relationship between the new Top Ten, last year’s Top Ten, and the WAS TC Thesaurus.
 
The table below highlights the relationship between the new Top Ten, last year’s Top Ten, and the WAS TC Thesaurus.
  
{| width="95%" border="1" bgcolor="eeeeff" align="center" cellpadding="4" cellspacing="0"
+
{| width="95%" border="1" cellpadding="4" align="center" bgcolor="eeeeff"
'''New Top Ten 2004'''
+
|- class="mainText2"
'''Top Ten 2003'''
+
'''New WAS Thesaurus'''
+
 
|
 
|
A1 Unvalidated Input
+
<div align="center">'''New Top Ten 2004'''</div>
 
|
 
|
A1 Unvalidated Parameters
+
<div align="center">'''Top Ten 2003'''</div>
 
|
 
|
Input Validation
+
<div align="center">'''New WAS Thesaurus'''</div>
|
+
|- class="mainText2"
A2 Broken Access Control
+
| A1 Unvalidated Input
|
+
| A1 Unvalidated Parameters
A2 Broken Access Control
+
| Input Validation
<br>(A9 Remote Administration Flaws)
+
|- class="mainText2"
|
+
| A2 Broken Access Control
Access Control
+
| A2 Broken Access Control<br /> (A9 Remote Administration Flaws)
|
+
| Access Control
A3 Broken Authentication and Session Management
+
|- class="mainText2"
|
+
| A3 Broken Authentication and Session Management
A3 Broken Account and Session Management
+
| A3 Broken Account and Session Management
|
+
| Authentication and Session Management
Authentication and Session Management
+
|- class="mainText2"
|
+
| A4 Cross Site Scripting (XSS) Flaws
A4 Cross Site Scripting (XSS) Flaws
+
| A4 Cross Site Scripting (XSS) Flaws
|
+
| Input Validation->Cross site scripting
A4 Cross Site Scripting (XSS) Flaws
+
|- class="mainText2"
|
+
| A5 Buffer Overflows
Input Validation->Cross site scripting
+
| A5 Buffer Overflows
|
+
| Buffer Overflows
A5 Buffer Overflows
+
|- class="mainText2"
|
+
| A6 Injection Flaws
A5 Buffer Overflows
+
| A6 Command Injection Flaws
|
+
| Input Validation->Injection
Buffer Overflows
+
|- class="mainText2"
|
+
| A7 Improper Error Handling
A6 Injection Flaws
+
| A7 Error Handling Problems
|
+
| Error Handling
A6 Command Injection Flaws
+
|- class="mainText2"
|
+
| A8 Insecure Storage
Input Validation->Injection
+
| A8 Insecure Use of Cryptography
|
+
| Data Protection
A7 Improper Error Handling
+
|- class="mainText2"
|
+
| A9 Denial of Service
A7 Error Handling Problems
+
| N/A
|
+
| Availability
Error Handling
+
|- class="mainText2"
|
+
| A10 Insecure Configuration Management
A8 Insecure Storage
+
| A10 Web and Application Server Misconfiguration
|
+
| Application Configuration Management<br /> Infrastructure Configuration Management
A8 Insecure Use of Cryptography
+
|
+
Data Protection
+
|
+
A9 Denial of Service
+
|
+
N/A
+
|
+
Availability
+
|
+
A10 Insecure Configuration Management
+
|
+
A10 Web and Application Server Misconfiguration
+
|
+
Application Configuration Management
+
<br>Infrastructure Configuration Management
+
 
|}
 
|}
  

Revision as of 13:24, 19 May 2006

What's new?
OWASP has come a long way since the last top was released in January 2003. This update incorporates all the discussion and up to date views, opinions and debate in the OWASP community over the past 12 months. Overall, there have been minor improvements to all parts of the Top Ten, and only a few major changes:
WAS-XML Alignment
One of the new projects initiated in 2003 is the Web Application Security Technical Committee (WAS TC) at OASIS. The purpose of the WAS TC is to produce a classification scheme for web security vulnerabilities, a model to provide guidance for initial threat, impact and therefore risk ratings, and an XML schema to describe web security conditions that can be used by both assessment and protection tools. The OWASP Top Ten project has used the WAS TC as a reference for reprofiling the Top Ten to provide a standardized approach to the classification of web application security vulnerabilities. The WAS Thesaurus defines a standard language for discussing web application security, and we adopt that vocabulary here.
Addition of Denial of Service
The only top level category that changed was the addition of the A9 Denial of Service category to the list. Our research has shown that a broad array of organizations are susceptible to this type of attack. Based on the likelihood of a denial of service attack and the consequences if the attack succeeds, we have determined that it warrants inclusion in the Top Ten. To accommodate this new entry, we have combined last year’s A9 Remote Administration Flaws into the A2 Broken Access Control category as it is a special case of that category. We believe this is appropriate, as the types of flaws in A2 are typically the same as those in A9 and require the same types of remediation.

The table below highlights the relationship between the new Top Ten, last year’s Top Ten, and the WAS TC Thesaurus.

New Top Ten 2004
Top Ten 2003
New WAS Thesaurus
A1 Unvalidated Input A1 Unvalidated Parameters Input Validation
A2 Broken Access Control A2 Broken Access Control
(A9 Remote Administration Flaws)
Access Control
A3 Broken Authentication and Session Management A3 Broken Account and Session Management Authentication and Session Management
A4 Cross Site Scripting (XSS) Flaws A4 Cross Site Scripting (XSS) Flaws Input Validation->Cross site scripting
A5 Buffer Overflows A5 Buffer Overflows Buffer Overflows
A6 Injection Flaws A6 Command Injection Flaws Input Validation->Injection
A7 Improper Error Handling A7 Error Handling Problems Error Handling
A8 Insecure Storage A8 Insecure Use of Cryptography Data Protection
A9 Denial of Service N/A Availability
A10 Insecure Configuration Management A10 Web and Application Server Misconfiguration Application Configuration Management
Infrastructure Configuration Management