A1 – Injection
Injection vulnerabilities, such as SQL, OS command or LDAP injection, occur when untrusted data (a form field, a URL parameter, a header) is passed to an interpreter as part of a command or query without being kept separate from the command itself. An attacker who controls that data can change the meaning of the command, for example to read or modify data in the web application's backend database that the application was never meant to expose, or to run operating-system commands on the server.
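The SQL flavour of this, as an added example that is not part of the original page: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table contents, the `PAYLOAD` string and the function names are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "h1", 0), ("bob", "h2", 0), ("admin", "h3", 1)],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # The untrusted value becomes part of the SQL text, so a quote in it ends the
    # string literal and whatever follows is parsed as SQL.
    sql = "SELECT username, is_admin FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # The statement text is fixed; the value travels separately as a bound parameter
    # and can never be interpreted as SQL, whatever it contains.
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload: closes the literal and appends an always-true condition.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))  # every row, admin included
    print("safe:      ", find_user_safe(db, PAYLOAD))        # no row has that literal name
```

The parameterised version also stops being a correctness problem for legitimate input: a username such as `O'Brien` simply returns no rows, whereas the concatenated query raises a syntax error on the stray quote.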
A2 – Broken Authentication and Session Management
Broken Authentication and Session Management covers the vulnerabilities caused by errors in the implementation of authentication and/or session management, such as predictable or long-lived session identifiers, session tokens that survive logout, and credentials handled insecurely. The most common resulting risks are theft of passwords or session tokens, which lets an attacker impersonate legitimate users.
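A minimal server-side session store, as an added example that is not code from the original page, showing the three properties the category is usually about: tokens that cannot be guessed, idle sessions that expire, and a token that is rotated at login so a value planted before authentication (session fixation) never becomes an authenticated session. The timeout value, the class and method names and the injectable clock are assumptions for the demonstration.

```python
import secrets
import time

SESSION_IDLE_TIMEOUT = 15 * 60   # seconds; assumed policy, tune per application


class SessionStore:
    """Server-side session store. The browser holds only an opaque random token;
    all state, including who is logged in, lives here where the client cannot edit it."""

    def __init__(self, now=time.time):
        self._sessions = {}   # token -> {"user": str | None, "last_seen": float}
        self._now = now       # injectable clock so expiry can be exercised in a test

    def create(self, user=None):
        # 32 bytes from the OS CSPRNG: tokens cannot be guessed or enumerated.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._now()}
        return token

    def user_for(self, token):
        """Return the logged-in user for a token, or None if unknown, expired or anonymous."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self._sessions[token]     # an idle (possibly stolen) token stops working
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def login(self, old_token, user):
        """Called after the credential check succeeded. The identifier is rotated so a
        token an attacker planted before login (session fixation) is never upgraded."""
        self._sessions.pop(old_token, None)
        return self.create(user)

    def logout(self, token):
        # Invalidate on the server; only deleting the cookie would leave the token usable.
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    auth = store.login(anon, "alice")
    print(auth != anon, store.user_for(anon), store.user_for(auth))
```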
A3 – Cross-Site Scripting
A4 – Insecure Direct Object References
Insecure Direct Object Reference is also called IDOR. A direct object reference means that an internal object, such as a file name or database key, is exposed to the user, typically in a URL or form parameter. An insecure direct object reference is a design flaw where the application exposes such a reference to a sensitive object (a directory, a particular record or a database) but does not check on each request that the current user is authorized to access that object, so an attacker can simply change the identifier to reach other users' data.
A5 – Security Misconfiguration
Security misconfiguration is a very common vulnerability category: a component becomes susceptible to attack not through a bug in its code but through an insecure configuration, such as default accounts, unnecessary services, directory listings or verbose error pages left enabled. Securing a web application therefore also means securing the configuration of the web server, hardening the operating system it runs on, and keeping all of it updated with the latest security patches.
A6 – Sensitive Data Exposure
Sensitive data, whether stored in databases or anywhere else, should be well protected. Credit card information and user passwords should never travel or be stored unencrypted: data in transit belongs on TLS, and passwords should not be stored at all, only a salted hash produced by a slow, purpose-built password hashing function (bcrypt, scrypt, Argon2 or PBKDF2), never a plain fast hash such as MD5 or SHA-1. Obviously the encryption algorithms must not be weak ones either; when in doubt, use AES (128 or 256 bit keys) for symmetric encryption and RSA with keys of 2048 bits and up.
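To make the password point concrete, here is an added example (not code from the original page) contrasting an unsalted fast hash, which is identical for every user with the same password and falls to a precomputed word list, with a salted PBKDF2-HMAC-SHA256 hash verified in constant time. The iteration count, the storage string format and the function names are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune so one hash costs ~100 ms


def unsalted_md5(password):
    """What NOT to do: fast, unsalted, and identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(digest_hex, wordlist):
    """A one-line 'rainbow table': precomputed guesses match every user at once."""
    for guess in wordlist:
        if unsalted_md5(guess) == digest_hex:
            return guess
    return None


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, slow hash. The parameters are stored with the digest so the work
    factor can be raised later without invalidating existing records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so the verifier does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    print(unsalted_md5("password123") == unsalted_md5("password123"))   # True
    print(crack_unsalted(unsalted_md5("password123"), ["letmein", "password123"]))
    a, b = hash_password("password123"), hash_password("password123")
    print(a != b, verify_password("password123", a), verify_password("wrong", a))
```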
A7 – Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible in the UI. However, hiding a link or button is not access control: the application needs to perform the same check on the server every time the function is invoked, because a request can be crafted directly without going through the UI. If the authorization check in sensitive request handlers is insufficient or non-existent, the vulnerability is categorized as Missing Function Level Access Control.
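The two access-control categories above (A4, object level, and A7, function level) are shown together in one added example that is not code from the original page: an IDOR-style lookup beside its owner-scoped version, and a role check attached to the server-side handler itself rather than to the UI. The sample users, invoices, role names and exception classes are constructed for the demonstration.

```python
import functools

# Constructed sample data standing in for the application's user and invoice tables.
USERS = {"alice": "user", "bob": "user", "carol": "admin"}       # username -> role
INVOICES = {101: {"owner": "alice", "total": 120},
            102: {"owner": "bob", "total": 75}}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def get_invoice_vulnerable(current_user, invoice_id):
    # A4, the flaw: the key taken from the URL is used directly, so any logged-in
    # user can read any invoice just by changing the number.
    return INVOICES[invoice_id]


def get_invoice(current_user, invoice_id):
    """A4, the fix: the record must exist AND belong to the caller."""
    invoice = INVOICES.get(invoice_id)
    # Same error for "missing" and "not yours", so valid ids cannot be enumerated.
    if invoice is None or invoice["owner"] != current_user:
        raise NotFound(invoice_id)
    return invoice


def requires_role(role):
    """A7: the check lives on the handler, so it runs on every call regardless of
    whether the UI ever showed the button."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(current_user, *args, **kwargs):
            if USERS.get(current_user) != role:
                raise Forbidden(f"{current_user} may not call {handler.__name__}")
            return handler(current_user, *args, **kwargs)
        return wrapper
    return decorator


@requires_role("admin")
def delete_invoice(current_user, invoice_id):
    return INVOICES.pop(invoice_id)


if __name__ == "__main__":
    print(get_invoice_vulnerable("bob", 101))   # bob reads alice's invoice
    try:
        get_invoice("bob", 101)
    except NotFound as e:
        print("scoped lookup rejected:", e)
    try:
        delete_invoice("bob", 102)
    except Forbidden as e:
        print("handler-level check rejected:", e)
```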
A8 – Cross-site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. Because the application cannot tell the forged request from a legitimate one, a wide range of state-changing requests, such as changing credentials, transferring funds and modifying settings, can be executed on the user's behalf.
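The standard defence, a per-session synchronizer token that the browser does not attach automatically, shown as an added example that is not code from the original page. The request is modelled as a constructed dict (method, cookies, form fields); the class, handler and field names are assumptions for the demonstration.

```python
import hmac
import secrets


class CsrfProtector:
    """Synchronizer-token pattern: one random token per session, embedded in the form
    and echoed back in a field. A cross-site page cannot read it, so it cannot forge it."""

    def __init__(self):
        self._tokens = {}   # session_id -> csrf token

    def token_for(self, session_id):
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def validate(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)


def transfer_funds(csrf, request):
    """State-changing handler. The session cookie alone proves nothing: the browser
    sends it on cross-site requests too, which is exactly what CSRF exploits."""
    if request["method"] != "POST":
        return 405, "state change requires POST"
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    if not csrf.validate(session_id, request["form"].get("csrf_token")):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {request['form']['amount']} to {request['form']['to']}"


if __name__ == "__main__":
    csrf = CsrfProtector()
    token = csrf.token_for("sess-1")   # would be rendered into the legitimate form
    legit = {"method": "POST", "cookies": {"session": "sess-1"},
             "form": {"csrf_token": token, "amount": "10", "to": "bob"}}
    # Constructed forged request: the attacker's page can make the browser send the
    # cookie and any form fields it likes, but it has no way to learn the token.
    forged = {"method": "POST", "cookies": {"session": "sess-1"},
              "form": {"amount": "10000", "to": "mallory"}}
    print(transfer_funds(csrf, legit))
    print(transfer_funds(csrf, forged))
```

Setting the session cookie with the `SameSite` attribute is a useful second layer, but the token check is the one the server can rely on regardless of the client's browser.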
A9 – Using Components with Known Vulnerabilities
Vulnerable components, such as libraries, frameworks and other software modules, almost always run with the full privileges of the application that includes them, so a flaw in the component is effectively a flaw in the application. It is very common for web applications to include a component with a publicly known security vulnerability, since dependencies are rarely inventoried and updated once deployed.
A10 – Unvalidated Redirects and Forwards
Web applications frequently redirect and forward visitors to other pages, and even to third-party websites, depending on the visitor's location, browser and other factors, and the destination is often taken from a request parameter. Without proper validation of that destination, attackers can craft links on the trusted site that redirect victims to phishing or malware sites, or use forwards to reach pages that bypass access checks.
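A validator for a `next`-style redirect parameter, as an added example that is not code from the original page. It goes a little beyond the paragraph by handling the bypasses a pentester tries first: scheme-relative `//evil.com`, backslash variants, `user@host` authority tricks, non-HTTP schemes and a lookalike subdomain. The allowed host list and site base URL are assumptions for the demonstration.

```python
from urllib.parse import urlsplit, urljoin

ALLOWED_HOSTS = {"example.com", "www.example.com"}   # assumed hosts of this site
SITE_BASE = "https://example.com/"                   # assumed


def safe_redirect_target(next_url, default="/"):
    """Return an absolute URL on an allowed host built from next_url, or default."""
    if not next_url:
        return default
    # Browsers drop tab/CR/LF and treat backslash like slash; normalise the same way
    # so the check sees what the browser will see.
    candidate = "".join(ch for ch in next_url if ch not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    # "//evil.com" (and "///evil.com", which browsers also treat as an authority)
    # are scheme-relative URLs pointing at another host.
    if candidate.startswith("//"):
        return default
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default        # javascript:, data:, and friends
    if parts.netloc and (parts.hostname or "") not in ALLOWED_HOSTS:
        return default        # foreign host, including "example.com@evil.com"
    resolved = urljoin(SITE_BASE, candidate)
    # Re-check after resolution: "http:evil.com" parses with no netloc above but a
    # browser still navigates to evil.com, and urljoin leaves it unchanged.
    if urlsplit(resolved).hostname not in ALLOWED_HOSTS:
        return default
    return resolved


if __name__ == "__main__":
    # Constructed sample parameters an attacker might supply.
    for value in ["/account", "https://evil.com/", "//evil.com", "/\\evil.com",
                  "https://example.com@evil.com/", "javascript:alert(1)",
                  "https://example.com.evil.com/", "http:evil.com"]:
        print(repr(value), "->", safe_redirect_target(value))
```

The safest policy is still to avoid putting a URL in the parameter at all and map a short key to a server-side list of destinations; this validator is for the common case where the parameter already exists.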