OWASP Top 10 2013 report

This report displays OWASP Top 10 2013 issues found on your site.

The OWASP Top Ten 2013 vulnerabilities include:

  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Unvalidated Redirects and Forwards

Why it matters

The OWASP Top Ten 2013 is a significant update to the 2010 version. It presents a more concise, risk-focused list of the Top 10 Most Critical Web Application security risks and how to assess them. Each item in the top 10 is presented with the general likelihood and consequence factors that are used to categorize the typical severity of the risk. Project managers should include time and budget for application security activities, including developer training, application security policy development, security mechanism design and development, penetration testing, and security code review, as part of the overall effort to address the risks.

From ASE 9.0.3.9 onwards, the OWASP 2013 report is replaced with the OWASP 2017 report.

The OWASP 2017 vulnerabilities include:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring

What Changed From 2013 to 2017?

The threat landscape for applications and APIs constantly changes. The key factors in this evolution are the rapid adoption of new technologies (including cloud, containers, and APIs), the acceleration and automation of software development processes like Agile and DevOps, the explosion of third-party libraries and frameworks, and advances made by attackers. These factors frequently make applications and APIs more difficult to analyze, and can significantly change the threat landscape. To keep pace, the OWASP organization periodically updates the OWASP Top 10. In the 2017 release, the following changes were made:
  • Merged 2013-A4: "Insecure Direct Object References" and 2013-A7: "Missing Function Level Access Control" into 2017-A5: "Broken Access Control".
  • Dropped 2013-A8: "Cross-Site Request Forgery (CSRF)". Because many frameworks include CSRF defenses, it was found in only 5% of applications.
  • Dropped 2013-A10: "Unvalidated Redirects and Forwards". While found in approximately 8% of applications, it was edged out overall by XXE.
  • Added 2017-A4: "XML External Entities (XXE)".
  • Added 2017-A8: "Insecure Deserialization".
  • Added 2017-A10: "Insufficient Logging and Monitoring".
Note: All report pack templates created prior to 9.0.3.9 will include the OWASP 2013 report. If required, this report can be removed manually and the OWASP 2017 report added in its place.