[Owasp-topten] OWASP Top 10 2009

Jeremiah Grossman jeremiah at whitehatsec.com
Tue May 19 12:09:46 EDT 2009

Hi All,

Beyond what exactly the OWASP Top Ten is a top ten of, it's important to keep in mind how the document has been and will be used. First, the OWASP Top Ten is an awareness (marketing) document. This is closely followed by a digestible, prioritized list of action items designed for those just getting into webappsec, who don't yet know where they stand and what they should be internally focused on. As these areas become better understood to them, the less relevant the document becomes, which to me signals success.

Having said that, the number of items/vulns/attacks one could focus attention on in WebAppSec is plainly enormous. Our job is to help newcomers prioritize on a grossly generalized basis. As such, we should NOT be trying to include everything we can in the Top Ten, nor make the nomenclature any more confusing to non-experts than it already is. Instead, we need to make some sacrifices and keep things exceedingly simple.

We should be focusing on issues of prevalence, severity, impact, and overall likelihood of exploitation. Let's leave the edge cases and catch-alls out. While many of these data points were limited in the past, they are no longer, so we benefit where previous OWASP Top Ten groups did not. Sources of data include, but are not limited to:

The 2009 Data Breach Investigations Report

The Web Hacking Incidents Database

WASC Web Application Security Statistics Project

WhiteHat Website Security Statistics Report

Here would be my list (of attacks), in order, as the things that are most pressing and plaguing high-value websites right now. We'd need to settle on the exact naming conventions later.

1) SQL Injection
2) Cross-Site Scripting (+ Flash issues)
3) Insecure Direct Object Reference / Predictable Resources Location
4) Authentication/Authorization Bypass
5) Open URL Redirectors
6) Cross Site Request Forgery
7) Insecure Communications / Insufficient Transport Layer Protection ** not an attack
8) Information Leakage and Improper Error Handling (+ Flash issues) ** not an attack
9) Malvertising * JS includes, integrating arbitrary client-side code in an environment with limited to no security controls.
10) Password Recovery Attacks (secret questions be gone!)

Thanks all.
