The Open Web Application Security Project (OWASP) has published its Top 10 list of the most dangerous web application vulnerabilities for 2013. The release aims to raise awareness of application security by identifying some of the most critical risks facing organizations.
The OWASP Top 10 for 2013 is based on 8 datasets from 7 firms that specialize in application security: 4 consulting companies and 3 tool/SaaS vendors (1 static, 1 dynamic, and 1 offering both). The data spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The Top 10 items are selected and prioritized according to this prevalence data, combined with consensus estimates of exploitability, detectability, and impact.
Injection flaws, such as SQL, OS, and LDAP injection, remain the top security vulnerability for web applications. This widespread bug occurs when an attacker's hostile data tricks the interpreter into executing unintended commands or accessing data without proper authorization.
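The following Python snippet is an added example, not code from the OWASP document or from the original article. It shows the mechanism described above with SQL injection: the same lookup written once by concatenating user input into the query text and once with a bound parameter. The table, the two user rows and the hostile input are all constructed for the demonstration; the point is that the concatenated version lets a quote character change the structure of the statement, while the parameterized version hands the interpreter a value that can never become SQL.

```python
import sqlite3


def make_demo_db():
    """Build an in-memory SQLite database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],  # constructed sample data
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: untrusted input is concatenated into the SQL text, so a
    quote character in the input rewrites the WHERE clause."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_safe(conn, username):
    """Hardened: the input travels as a bound parameter, never as SQL text,
    so the database engine treats it purely as a value to compare against."""
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


if __name__ == "__main__":
    db = make_demo_db()
    hostile = "' OR '1'='1"  # textbook tautology, used only to show why concatenation is unsafe
    print("vulnerable:", find_user_vulnerable(db, hostile))  # every row leaks
    print("safe:      ", find_user_safe(db, hostile))        # no such user: []
```

The same rule applies to OS and LDAP injection: keep untrusted data out of the command or filter text and pass it through the API that treats it as data (argument lists instead of a shell string, escaped LDAP filter values instead of string building).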
XSS flaws, which were ranked second last year, have moved to third place in the list. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
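As an added example (again not code from the article or from OWASP), here is the XSS counterpart: a comment renderer that pastes user strings straight into HTML beside one that entity-encodes them for the element context, plus a link helper showing that encoding alone is not enough in a `href` attribute, where the URL scheme itself has to be checked. The function names and the sample inputs are inventions for the demonstration.

```python
import html
from urllib.parse import urlparse


def render_comment_vulnerable(author, text):
    """Vulnerable: user-controlled strings are placed directly into HTML, so
    markup in a comment becomes live markup in every reader's browser."""
    return "<p><b>" + author + "</b>: " + text + "</p>"


def render_comment_safe(author, text):
    """Hardened: every untrusted string is HTML-entity encoded before it is
    placed into element content, so '<script>' arrives as text, not a tag."""
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(author, quote=True), html.escape(text, quote=True)
    )


def render_link_safe(url, label):
    """Attribute context needs more than encoding: a 'javascript:' URL passes
    through html.escape untouched, so the scheme is checked against an
    allow-list and anything else is replaced with an inert fragment link."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        url = "#"
    return '<a href="{}">{}</a>'.format(
        html.escape(url, quote=True), html.escape(label, quote=True)
    )


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"  # constructed sample input
    print(render_comment_vulnerable("mallory", payload))
    print(render_comment_safe("mallory", payload))
    print(render_link_safe("javascript:alert(1)", "click me"))
```

Output encoding is context-specific: element content, attribute values, URLs and JavaScript strings each need their own encoder, which is why template engines with automatic contextual escaping are preferable to hand-rolled concatenation.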
OWASP Top 10 comparison
Preventing attackers from exploiting such vulnerabilities is possible by doing the following:
- Patch all your web applications and apply security fixes immediately.
- Apply strong authentication and session management controls.
- Avoid XSS vulnerabilities by applying proper filters.
- Include a web application firewall in your defense-in-depth strategy so that attacks can be identified and blocked.
- Monitor all your security events with a SIEM to detect intrusions at an early stage.
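To make the last two items concrete, here is an added example (my own illustration, not a rule set from any WAF or SIEM product) of the kind of detection logic a SIEM correlation rule or WAF signature performs: it parses common-format web server access log lines, URL-decodes the request path and flags requests that carry coarse injection or XSS indicators. The log lines are constructed samples using documentation IP ranges, and the two regular expressions are deliberately simple; production rule sets are larger and tuned to the application to keep false positives down.

```python
import re
from urllib.parse import unquote_plus

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+$'
)

# Illustration-grade indicators for the two attack classes the article discusses.
INDICATORS = [
    ("sqli", re.compile(r"'.*\b(or|and)\b\s*('|\d)|\bunion\b\s+\bselect\b|--\s*$", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)),
]

# Constructed sample access-log lines (203.0.113.0/24 and 198.51.100.0/24 are
# reserved documentation ranges, not real hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2013:12:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 1024',
    '203.0.113.5 - - [10/Jun/2013:12:00:02 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9876',
    '198.51.100.7 - - [10/Jun/2013:12:00:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jun/2013:12:00:04 +0000] "POST /login HTTP/1.1" 302 0',
]


def classify_request(path):
    """Return the names of the indicators that fire on the URL-decoded path.
    Decoding first matters: attackers percent-encode payloads, and matching
    the raw path would miss them."""
    decoded = unquote_plus(path)
    return [name for name, pattern in INDICATORS if pattern.search(decoded)]


def scan_log(lines):
    """Parse each access-log line and emit (ip, path, tags) for suspicious requests."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count and surface these too
        tags = classify_request(m.group("path"))
        if tags:
            alerts.append((m.group("ip"), m.group("path"), tags))
    return alerts


if __name__ == "__main__":
    for ip, path, tags in scan_log(SAMPLE_LOG):
        print(f"{ip}  {','.join(tags):5}  {path}")
```

A WAF would apply the same classification inline and block the request; a SIEM applies it after the fact and correlates hits per source address, so that the second request from 203.0.113.5 above is seen together with the first normal one and the reconnaissance pattern becomes visible early.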
You can find the full OWASP document at the following link.