The top ten application security risks (these are vulnerability classes, not exploits) are:
- Injection
- Cross-site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
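As an added illustration that is not from this article or from any OWASP document, the Python below puts a vulnerable handler beside a hardened one for three of the categories in the list: Cross-site Scripting, Insecure Direct Object References, and Unvalidated Redirects. The document store, the user names and the allow-listed redirect hosts are constructed stand-ins, and the functions imitate request handlers without any real web framework.

```python
"""Added example: vulnerable vs hardened handlers for three OWASP Top 10 classes.
Data below is constructed for the demo; no real framework or database is used."""
import html
from urllib.parse import urlparse

# Constructed sample data: documents and their owners (IDOR demo).
DOCUMENTS = {
    101: {"owner": "alice", "body": "Alice's payroll"},
    102: {"owner": "bob", "body": "Bob's draft"},
}

# Constructed allow-list of hosts we are willing to redirect to.
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "accounts.example.com"}


# --- Cross-site Scripting: reflecting a query parameter into HTML ------------
def greet_vulnerable(name: str) -> str:
    # Raw interpolation: a name such as "<script>...</script>" runs in the
    # victim's browser.
    return f"<p>Hello, {name}!</p>"


def greet_safe(name: str) -> str:
    # Entity-encode untrusted data before it lands in an HTML text context.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- Insecure Direct Object References: fetching a document by id ------------
def read_document_vulnerable(current_user: str, doc_id: int) -> str:
    # Trusts the id from the request: any logged-in user can read any document
    # simply by changing the number.
    return DOCUMENTS[doc_id]["body"]


def read_document_safe(current_user: str, doc_id: int) -> str:
    # Look the record up, then enforce ownership on the server side.  Unknown
    # ids and other users' documents get the same error so that valid ids
    # cannot be enumerated from the response.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        raise PermissionError("not found")
    return doc["body"]


# --- Unvalidated Redirects: the "next" parameter after login -----------------
def redirect_target_vulnerable(next_url: str) -> str:
    # Sends the user wherever the parameter says, including attacker sites.
    return next_url


def redirect_target_safe(next_url: str, default: str = "/") -> str:
    parsed = urlparse(next_url)
    # A relative path on our own site is fine, but refuse "//host" and
    # "/\host" forms: browsers treat both as scheme-relative absolute URLs.
    if (not parsed.scheme and not parsed.netloc
            and next_url.startswith("/") and next_url[1:2] not in ("/", "\\")):
        return next_url
    # An absolute URL is allowed only over https to an allow-listed host.
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return next_url
    # Anything else (other schemes, unknown hosts, javascript:) falls back.
    return default


if __name__ == "__main__":
    print(greet_safe("<script>alert(1)</script>"))
    print(redirect_target_safe("//evil.example/phish"))
    print(read_document_safe("alice", 101))
```

The pattern is the same in each pair: the vulnerable version trusts something that came from the client (a string, an id, a URL), while the hardened version either encodes it for the context it is going into or checks it against what the server already knows (ownership, an allow-list) before acting on it.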
OWASP hasn't just identified the key risks: the organization has invested hundreds of volunteer hours documenting each of the top ten, in the form of the OWASP Top 10 guide. This 22-page PDF describes each risk and explains how to check whether an application is vulnerable to it. While it isn't a long document, this free PDF should become your handbook for security-related testing activities.
The second OWASP document every tester should print and retain is the OWASP Testing Guide. As the OWASP site describes, "this project's goal is to create a 'best practices' web application penetration testing framework which users can implement in their own organizations and a 'low level' web application penetration testing guide that describes how to find certain issues." The testing guide is 350 pages long and includes detailed analysis and step-by-step instructions for testing for various security-related vulnerabilities. This document is used by many educational institutions as a textbook for security testing.
This was first published in June 2010.