Difference between revisions of "Top 10 2013-Details About Risk Factors"

From OWASP
Jump to: navigation, search
(Changed use of Template 'Top_10_2010:SubsectionAdvancedTemplate': Replace Parameter 'number' by 'subsection' and 'position' ;added {{Top_10:SubsectionTableEndTemplate}})
(5 intermediate revisions by 2 users not shown)
Line 6: Line 6:
 
}}
 
}}
  
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|title=Top 10 Risk Factor Summary|number=whole|width=100%|year=2013}}
+
{{Top_10:SubsectionTableBeginTemplate|type=main}} {{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=firstWhole|title={{Top_10:LanguageFile|text=top10RiskFactorSummary}}|width=100%|year=2013}}
  
 
The following table presents a summary of the 2013 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team. To understand these risks for a particular application or organization, <u>you must consider your own specific threat agents and business impacts</u>. Even egregious software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved.
 
The following table presents a summary of the 2013 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team. To understand these risks for a particular application or organization, <u>you must consider your own specific threat agents and business impacts</u>. Even egregious software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved.
Line 20: Line 20:
 
     <th style="border: 3px solid #444444;">Threat Agents</th>
 
     <th style="border: 3px solid #444444;">Threat Agents</th>
 
     <th style="border: 3px solid #444444;">Attack Vectors</th>
 
     <th style="border: 3px solid #444444;">Attack Vectors</th>
     <th style="border: 3px solid #444444;" colspan="2">Security Weakness</th>
+
     <th style="border: 3px solid #444444;">Security Weakness<div style="font-size: 60%;">(Prevalence)</div></th>
 +
    <th style="border: 3px solid #444444;">Security Weakness<div style="font-size: 60%;">(Detectability)</div></th>
 
     <th style="border: 3px solid #444444;">Technical Impacts</th>
 
     <th style="border: 3px solid #444444;">Technical Impacts</th>
 
     <th style="border: 3px solid #444444;">Business Impacts</th>
 
     <th style="border: 3px solid #444444;">Business Impacts</th>
 
</tr>
 
</tr>
  
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/A1 A1 Injection]</td><td style="border: 3px solid #444444;">&nbsp;</td>
+
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/Top_10_2013-A1 A1 Injection]</td><td style="border: 3px solid #444444;"><b>?</b></td>
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-2-Template||COMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||COMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-1-Template||SEVERE|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-1-Template||SEVERE|year=2013|style=border: 3px solid #444444}}
<td style="border: 3px solid #444444;">&nbsp;</td></tr>
+
<td style="border: 3px solid #444444;"><b>?</b></td></tr>
  
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/A2 A2 Authentication]</td><td style="border: 3px solid #444444;">&nbsp;</td>
+
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/Top_10_2013-A2 A2 Authentication]</td><td style="border: 3px solid #444444;"><b>?</b></td>
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-1-Template||WIDESPREAD|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-1-Template||WIDESPREAD|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-1-Template||SEVERE|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-1-Template||SEVERE|year=2013|style=border: 3px solid #444444}}
<td style="border: 3px solid #444444;">&nbsp;</td></tr>
+
<td style="border: 3px solid #444444;"><b>?</b></td></tr>
  
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/A3 A3 XSS]</td><td style="border: 3px solid #444444;">&nbsp;</td>
+
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/Top_10_2013-A3 A3 XSS]</td><td style="border: 3px solid #444444;"><b>?</b></td>
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|style=border: 3px solid #444444}}
 
{{Top_10_2010:SummaryTableValue-0-Template||VERY WIDESPREAD|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-0-Template||VERY WIDESPREAD|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
<td style="border: 3px solid #444444;">&nbsp;</td></tr>
+
<td style="border: 3px solid #444444;"><b>?</b></td></tr>
  
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/A4 A4 Insecure DOR]</td><td style="border: 3px solid #444444;">&nbsp;</td>
+
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/Top_10_2013-A4 A4 Insecure DOR]</td><td style="border: 3px solid #444444;"><b>?</b></td>
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||COMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||COMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
<td style="border: 3px solid #444444;">&nbsp;</td></tr>
+
<td style="border: 3px solid #444444;"><b>?</b></td></tr>
  
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/A5 A5 Config]</td><td style="border: 3px solid #444444;">&nbsp;</td>
+
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/Top_10_2013-A5 A5 Config]</td><td style="border: 3px solid #444444;"><b>?</b></td>
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||COMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||COMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
<td style="border: 3px solid #444444;">&nbsp;</td></tr>
+
<td style="border: 3px solid #444444;"><b>?</b></td></tr>
  
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/A6 A6 Sens. Data]</td><td style="border: 3px solid #444444;">&nbsp;</td>
+
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/Top_10_2013-A6 A6 Sens. Data]</td><td style="border: 3px solid #444444;"><b>?</b></td>
{{Top_10_2010:SummaryTableValue-3-Template||EASY|year=2013|}}
+
{{Top_10_2010:SummaryTableValue-3-Template||DIFFICULT|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-3-Template||UNCOMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-3-Template||UNCOMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||SEVERE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||SEVERE|year=2013|}}
<td style="border: 3px solid #444444;">&nbsp;</td></tr>
+
<td style="border: 3px solid #444444;"><b>?</b></td></tr>
  
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/A7 A7 Function Acc.]</td><td style="border: 3px solid #444444;">&nbsp;</td>
+
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/Top_10_2013-A7 A7 Function Acc.]</td><td style="border: 3px solid #444444;"><b>?</b></td>
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||COMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||COMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
<td style="border: 3px solid #444444;">&nbsp;</td></tr>
+
<td style="border: 3px solid #444444;"><b>?</b></td></tr>
  
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/A8 A8 CSRF]</td><td style="border: 3px solid #444444;">&nbsp;</td>
+
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/Top_10_2013-A8 A8 CSRF]</td><td style="border: 3px solid #444444;"><b>?</b></td>
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||COMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||COMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
<td style="border: 3px solid #444444;">&nbsp;</td></tr>
+
<td style="border: 3px solid #444444;"><b>?</b></td></tr>
  
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/A9 A9 Components]</td><td style="border: 3px solid #444444;">&nbsp;</td>
+
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/Top_10_2013-A9 A9 Components]</td><td style="border: 3px solid #444444;"><b>?</b></td>
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||WIDESPREAD|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||WIDESPREAD|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-3-Template||DIFFICULT|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-3-Template||DIFFICULT|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
<td style="border: 3px solid #444444;">&nbsp;</td></tr>
+
<td style="border: 3px solid #444444;"><b>?</b></td></tr>
  
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/A10 A10 Redirects]</td><td style="border: 3px solid #444444;">&nbsp;</td>
+
<tr><td style="border: 3px solid #444444;">[https://www.owasp.org/index.php/Top_10_2013-A10 A10 Redirects]</td><td style="border: 3px solid #444444;"><b>?</b></td>
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||AVERAGE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-3-Template||UNCOMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-3-Template||UNCOMMON|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-1-Template||EASY|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
 
{{Top_10_2010:SummaryTableValue-2-Template||MODERATE|year=2013|}}
<td style="border: 3px solid #444444;">&nbsp;</td></tr>
+
<td style="border: 3px solid #444444;"><b>?</b></td></tr>
  
  
 
</table></center> <!-- End risk table -->
 
</table></center> <!-- End risk table -->
  
</td></tr></table> <!-- Close big box -->
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|subsection=freetext|position=whole|title={{Top_10:LanguageFile|text=additionalRisksToConsider}}|width=100%|year=2013}}
 
+
{{Top_10_2010:SubsectionAdvancedTemplate|type={{Top_10_2010:StyleTemplate}}|title=Additional Risks to Consider|number=whole|width=100%|year=2013}}
+
 
The Top 10 cover a lot of ground, but there are other risks that you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time.  Other important application security risks (in alphabetical order) that you should also consider include:
 
The Top 10 cover a lot of ground, but there are other risks that you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time.  Other important application security risks (in alphabetical order) that you should also consider include:
 
* [https://www.owasp.org/index.php/Clickjacking  Clickjacking]
 
* [https://www.owasp.org/index.php/Clickjacking  Clickjacking]
Line 111: Line 110:
 
* [https://www.owasp.org/index.php/ApplicationLayerIntrustionDetection  Lack of Intrusion Detection and Response]
 
* [https://www.owasp.org/index.php/ApplicationLayerIntrustionDetection  Lack of Intrusion Detection and Response]
 
* [https://www.owasp.org/index.php/Top_10_2007-A3  Malicious File Execution] (Was 2007 Top 10 – [https://www.owasp.org/index.php/Top_10_2007-A3  Entry 2007-A3])
 
* [https://www.owasp.org/index.php/Top_10_2007-A3  Malicious File Execution] (Was 2007 Top 10 – [https://www.owasp.org/index.php/Top_10_2007-A3  Entry 2007-A3])
* Mass Assignment
+
* [http://en.wikipedia.org/wiki/Mass_assignment Mass Assignment]
 
* [https://www.owasp.org/index.php/Privacy_Violation  User Privacy]
 
* [https://www.owasp.org/index.php/Privacy_Violation  User Privacy]
 
+
{{Top_10:SubsectionTableEndTemplate}}
 
{{Top_10_2013:BottomTemplate
 
{{Top_10_2013:BottomTemplate
 
   |usenext=Nothing
 
   |usenext=Nothing

Revision as of 04:57, 14 April 2013

[[Top 10 {{{year}}}-Note About Risks|← Note About Risks]]
2013 Table of Contents

2013 Top 10 List

 
Top 10 Risk Factor Summary

The following table presents a summary of the 2013 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team. To understand these risks for a particular application or organization, you must consider your own specific threat agents and business impacts. Even egregious software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved.


RISK Threat Agents Attack Vectors Security Weakness
(Prevalence)
Security Weakness
(Detectability)
Technical Impacts Business Impacts
A1 Injection? EASY COMMON AVERAGE SEVERE ?
A2 Authentication? AVERAGE WIDESPREAD AVERAGE SEVERE ?
A3 XSS? AVERAGE VERY WIDESPREAD EASY MODERATE ?
A4 Insecure DOR? EASY COMMON EASY MODERATE ?
A5 Config? EASY COMMON EASY MODERATE ?
A6 Sens. Data? DIFFICULT UNCOMMON AVERAGE SEVERE ?
A7 Function Acc.? EASY COMMON AVERAGE MODERATE ?
A8 CSRF? AVERAGE COMMON AVERAGE MODERATE ?
A9 Components? AVERAGE WIDESPREAD DIFFICULT MODERATE ?
A10 Redirects? AVERAGE UNCOMMON EASY MODERATE ?
Additional Risks to Consider

The Top 10 cover a lot of ground, but there are other risks that you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (in alphabetical order) that you should also consider include:

[[Top 10 {{{year}}}-Note About Risks|← Note About Risks]]
2013 Table of Contents

2013 Top 10 List

 

© 2002-2013 OWASP Foundation This document is licensed under the Creative Commons Attribution-ShareAlike 3.0 license. Some rights reserved. CC-by-sa-3 0-88x31.png
[[Category:OWASP Top Ten {{{year}}} Project]]