The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.
The OWASP Top 10 Project names the most critical web application security risks and how to prevent them.
In its current 2017 edition the following categories are listed:
- Injection: for example SQL, NoSQL, OS or LDAP injection. Untrusted input is sent to an interpreter as part of a command or query and can be used to execute unintended commands or to access sensitive data.
- Broken Authentication: Allows attackers to compromise passwords, keys or session tokens, or to assume (temporarily or permanently) other users' identities.
- Sensitive Data Exposure: Attackers can steal data that is not properly protected in transit or at rest, such as financial, healthcare or other sensitive data.
- XML External Entities (XXE): XML processors may evaluate external entity references within XML documents, which can be used e.g. to disclose internal files.
- Broken Access Control: Restrictions that are not properly enforced can be used by attackers to access unauthorized data, like personal information or other sensitive information, or to act with another user's privileges.
- Security Misconfiguration: Misconfiguration such as unpatched software, insecure default configuration of the OS or framework, or overly verbose error messages can lead e.g. to openly accessible sensitive data.
- Cross-Site Scripting (XSS): An application includes untrusted data in a page without proper validation or escaping. This allows an attacker to execute scripts in the victim's browser.
- Insecure Deserialization: Deserializing untrusted data can lead e.g. to remote code execution, replay attacks or injection attacks.
- Using Components with Known Vulnerabilities: Components (libraries, frameworks, modules) run with the same privileges as the application itself. Exploiting a vulnerable component can lead to data loss or server takeover.
- Insufficient Logging & Monitoring: Makes it more difficult to detect attacks and leads to delayed response.
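To make the first category concrete, here is a small added example (not code from the original page or from OWASP/Greenbone) that shows the classic SQL injection pattern side by side with the parameterized query that prevents it. It uses Python's built-in sqlite3 module against an in-memory database; the user table and the credentials in it are constructed for this illustration only, and the passwords are stored in clear text purely to keep the example short.

```python
import sqlite3

# Constructed sample data for the example: two users in an in-memory table.
# (A real application would store password hashes, not clear-text passwords.)
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Injection-prone variant: user input is pasted into the SQL text.

    With username "alice' --" the query becomes
        SELECT role FROM users WHERE username = 'alice' --' AND password = '...'
    so the password check is commented out and the attacker logs in as alice.
    A password of  ' OR '1'='1  works just as well against any username.
    """
    query = (
        f"SELECT role FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: the input is always treated as data,
    never as SQL syntax, so quotes and comment markers in it are harmless."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Runs the same attacker input through both variants and returns the roles
    each one grants (None means the login was rejected)."""
    conn = build_db()
    attacker_user, attacker_pass = "alice' --", "wrong"
    return {
        "vulnerable": login_vulnerable(conn, attacker_user, attacker_pass),
        "hardened": login_hardened(conn, attacker_user, attacker_pass),
        "legitimate": login_hardened(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened variant does not filter or escape anything itself; it relies on the database driver to bind the values separately from the statement, which is the general fix OWASP recommends for this category (parameterized queries or prepared statements rather than input sanitization).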
OWASP Top 10 and Greenbone
None of the categories names a specific vulnerability with a CVE number, whereas vulnerability management solutions work along known and documented vulnerability descriptions (CVEs).
Greenbone covers vulnerabilities that can be categorized along the OWASP Top 10, for example in the VT family called "Web Application Abuses", where most of the identified vulnerabilities fall into one of the OWASP Top 10 categories.
Since there is no one-to-one mapping between OWASP categories and specific VTs or CVEs, any such assignment made by Greenbone would be misleading. We therefore do not offer a listing of "OWASP Top 10 vulnerabilities", as including or excluding a specific vulnerability in such a list would introduce a bias.
Although there is no dedicated OWASP scan configuration, a "Full and Fast" scan configuration with generic web application scanning enabled will cover most of the vulnerabilities in these categories. An example of such a configuration is attached as FullAndFastEnabledWebApplicationScanning.xml (763.0 KB).