In January 2004, the Open Web Application Security Project (OWASP) released a paper entitled The Ten Most Critical Web Application Security Vulnerabilities (www.owasp.org/documentation/topten.html). This short appendix maps the 19 sins to the OWASP Top Ten.
| OWASP Top Ten | 19 Sins |
|---|---|
| A1 Unvalidated Input | Sin 4, SQL Injection |
| A2 Broken Access Control | Sin 14, Improper File Access |
| A3 Broken Authentication and Session Management | Sin 9, Use of Magic URLs and Hidden Form Fields |
| A4 Cross Site Scripting (XSS) Flaws | Sin 7, Cross-Site Scripting |
| A5 Buffer Overflows | Sin 1, Buffer Overruns |
| A6 Injection Flaws | Sin 4, SQL Injection |
| A7 Improper Error Handling | Sin 6, Failing to Handle Errors |
| A8 Insecure Storage | Sin 12, Failing to Store and Protect |
| A9 Denial of Service | This is the outcome of an attack, not a coding defect. Many DoS attacks are mitigated through infrastructure, such as firewalls and the use of quotas. |
| A10 Insecure Configuration Management | This is an infrastructure issue that is beyond the scope of this book. |