OWASP Top 10: Security Risks for Web Applications
This article is a glossary entry on the OWASP Top 10 Security Risks – including exam questions and tags.
In a Nutshell
The OWASP Top 10 is a regularly updated list of the ten most critical security risks for web applications, published by the OWASP organization. It serves as an industry-wide standard for security assessment.
Compact Technical Description
The OWASP Top 10 serves as an industry-recognized standard for assessing the security of web applications. It identifies the most common and serious vulnerabilities based on real attack and application data.
Each category contains a description, risks, causes, and countermeasures. Developers, security professionals, and auditors use the list to assess and secure software projects.
The current version (as of 2021) includes new groupings such as Insecure Design and Software and Data Integrity Failures. The list is considered essential reading for security awareness and secure software development.
Exam-Relevant Key Points
- 10 most common web security risks are categorized
- Regular updates based on real attack data
- IHK-relevant for software development and architecture
- Security concepts must take the OWASP Top 10 into account
- Basis for audits and security policies
- Injection, XSS, authentication failures as main threats
- Prevention avoids the high follow-up costs of exploited vulnerabilities
- Documentation requirement in audit and project documentation
Core Components (OWASP Top 10 2021)
- A01 – Broken Access Control: Insufficient access control
- A02 – Cryptographic Failures: Weak encryption
- A03 – Injection: SQL, OS, LDAP injection
- A04 – Insecure Design: Deficient security architecture
- A05 – Security Misconfiguration: Incorrect configuration
- A06 – Vulnerable Components: Vulnerable libraries
- A07 – Identification & Authentication Failures: Authentication issues
- A08 – Software and Data Integrity Failures: Integrity problems
- A09 – Security Logging and Monitoring Failures: Inadequate logging
- A10 – Server-Side Request Forgery (SSRF): Server induced to issue requests to URLs it should not reach
Practical Examples
SQL Injection (A03)
// Vulnerable code: the user name is concatenated into the SQL text,
// so a quote character in the input changes the structure of the query
String query = "SELECT * FROM benutzer WHERE name = '" + userName + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);

// Secure alternative with prepared statements: the value is bound
// separately from the SQL text and is never interpreted as SQL
String query = "SELECT * FROM benutzer WHERE name = ?";
PreparedStatement stmt = connection.prepareStatement(query);
stmt.setString(1, userName);
ResultSet rs = stmt.executeQuery();
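The same contrast in runnable form, as an added example that is not part of the original entry: a constructed in-memory SQLite table (the `benutzer` table and its rows are made up here) queried once by string concatenation and once with a bound parameter. A legitimate name containing an apostrophe is enough to show the defect: the concatenated query breaks because the input has become part of the SQL syntax, while the bound parameter is treated purely as data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE benutzer (id INTEGER PRIMARY KEY, name TEXT, rolle TEXT)")
    conn.executemany(
        "INSERT INTO benutzer (name, rolle) VALUES (?, ?)",
        [("alice", "USER"), ("O'Brien", "USER"), ("admin", "ADMIN")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, user_name: str) -> list:
    """String concatenation: the input becomes part of the SQL text, so any
    quote character in it changes what the database parses as the statement."""
    query = "SELECT id, name, rolle FROM benutzer WHERE name = '" + user_name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, user_name: str) -> list:
    """Parameter binding: the driver passes the value separately from the SQL,
    so it is always a literal string value, never SQL syntax."""
    query = "SELECT id, name, rolle FROM benutzer WHERE name = ?"
    return conn.execute(query, (user_name,)).fetchall()


def concat_breaks_on_input(conn: sqlite3.Connection, user_name: str) -> bool:
    """True if the concatenated query fails to parse for this input.
    A syntax error on an honest apostrophe is the visible symptom of the
    same flaw that lets crafted input rewrite the query."""
    try:
        find_user_vulnerable(conn, user_name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(find_user_safe(db, "O'Brien"))           # bound: finds the row
    print(concat_breaks_on_input(db, "O'Brien"))   # concatenated: parse error
```

The safe variant needs no escaping of its own: because the value never enters the SQL text, the database cannot mistake it for syntax, which is why parameterized queries are the primary defence and input validation only a second layer.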
Cross-Site Scripting (A07)
// Vulnerable code: innerHTML parses the message as HTML, so markup in
// user input is interpreted and can trigger script execution
function zeigeNachricht(nachricht) {
    document.getElementById('output').innerHTML = nachricht;
}
// Secure alternative: textContent inserts the message as plain text
function zeigeNachricht(nachricht) {
    document.getElementById('output').textContent = nachricht;
}
// Or with escaping: let the browser serialize the text so that <, > and &
// become entities. Note that quotes are not encoded this way, so the result
// is safe as element content but not inside an attribute value
function escapeHtml(text) {
    const div = document.createElement('div');
    div.textContent = text;
    return div.innerHTML;
}
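Output encoding on the server side, as an added example that is not part of the original entry: the same idea as the `escapeHtml` helper above, but with one encoder per output context, because the characters that matter differ between an HTML element body, a quoted HTML attribute, and a JavaScript string literal. The `render_*` helpers and the `data-nachricht` attribute name are constructed for this example.

```python
import html


def escape_html(text: str) -> str:
    """Encode the characters that carry meaning in HTML text and attribute context.

    html.escape with quote=True turns & < > " ' into entities, so the result can
    sit inside an element body or a quoted attribute value without being parsed
    as markup. (The DOM-serializer trick from the JavaScript version above does
    not encode quotes and is therefore only safe for element content.)
    """
    return html.escape(text, quote=True)


def escape_js_string(text: str) -> str:
    """Encode a value for use inside a quoted JavaScript string literal.

    Every character that is not an ASCII letter or digit is written as \\xHH or
    \\uHHHH, the form the OWASP XSS prevention guidance gives for this context.
    HTML entities would not help here: the JavaScript parser does not decode them.
    """
    out = []
    for ch in text:
        code = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif code < 0x100:
            out.append("\\x%02x" % code)
        else:
            out.append("\\u%04x" % code)
    return "".join(out)


def render_message(nachricht: str) -> str:
    """Element-body context. Encoding happens here, at output time; the raw
    value is what gets stored, so it can later be encoded for another context."""
    return '<p id="output">' + escape_html(nachricht) + "</p>"


def render_data_attribute(nachricht: str) -> str:
    """Attribute context: the value is quoted AND quote characters are encoded,
    so the value cannot terminate the attribute early. An external script can
    then read it via element.dataset without any inline code."""
    return '<div data-nachricht="' + escape_html(nachricht) + '"></div>'


if __name__ == "__main__":
    print(render_message('<b>Hi</b> & "you"'))
    print(render_data_attribute('a"b'))
    print(escape_js_string("a<b"))
```

Keeping the stored value raw and encoding only when rendering avoids double encoding (an `&` stored as `&amp;` and rendered again becomes `&amp;amp;`) and lets the same value be emitted correctly into more than one context.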
Broken Access Control (A01)
// Vulnerable code
@GetMapping("/admin/users")
public List<User> getUsers(HttpServletRequest request) {
    // No check if user is admin! Anyone who knows the URL receives the list
    return userService.getAllUsers();
}
// Secure alternative (getCurrentUser and UnauthorizedException are
// application-specific helpers assumed by this snippet)
@GetMapping("/admin/users")
public List<User> getUsers(HttpServletRequest request) {
    User currentUser = getCurrentUser(request);
    // The check runs on the server for every request; hiding the menu
    // entry in the UI would not be enough
    if (!currentUser.hasRole("ADMIN")) {
        throw new UnauthorizedException("Admin-Rechte erforderlich");
    }
    return userService.getAllUsers();
}
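A deny-by-default version of the same check, as an added example that is not part of the original entry. It goes beyond the handler above in two ways that practitioners usually need: anonymous callers are rejected as well as callers with the wrong role, and a second handler shows the object-level check (a user may read their own record, an admin any record) that a role check alone does not give you. The `User` records, the `Forbidden` exception and the `handle` adapter are constructed for this example.

```python
import logging
from dataclasses import dataclass
from functools import wraps
from typing import Callable, FrozenSet, Optional

logger = logging.getLogger("access-control")


@dataclass(frozen=True)
class User:
    id: int
    name: str
    roles: FrozenSet[str] = frozenset()


class Forbidden(Exception):
    """Raised when the caller lacks the required permission (maps to HTTP 403)."""


# Constructed sample users for the example; not from any real system.
USERS = [
    User(1, "alice", frozenset({"USER"})),
    User(2, "bob", frozenset({"USER"})),
    User(3, "admin", frozenset({"USER", "ADMIN"})),
]


def require_role(role: str) -> Callable:
    """Deny by default: no user, or a user without the role, is rejected."""
    def decorator(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(current_user: Optional[User], *args, **kwargs):
            if current_user is None or role not in current_user.roles:
                # Denied attempts are logged (A09) so probing is visible to monitoring.
                logger.warning("denied %s for %s: role %s required",
                               handler.__name__,
                               current_user.name if current_user else "<anonymous>",
                               role)
                raise Forbidden(f"{role} role required")
            return handler(current_user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("ADMIN")
def get_users(current_user: User) -> list:
    """Function-level check: the counterpart of the /admin/users handler above."""
    return [u.name for u in USERS]


def get_profile(current_user: Optional[User], user_id: int) -> dict:
    """Object-level check: own record, or any record for an admin.
    Without this, changing the id in the request would expose other users' data."""
    if current_user is None:
        raise Forbidden("login required")
    if current_user.id != user_id and "ADMIN" not in current_user.roles:
        logger.warning("denied profile %d for %s", user_id, current_user.name)
        raise Forbidden("not your record")
    target = next((u for u in USERS if u.id == user_id), None)
    if target is None:
        raise KeyError(user_id)
    return {"id": target.id, "name": target.name}


def handle(handler: Callable, current_user: Optional[User], *args):
    """Minimal request adapter: Forbidden becomes a 403 instead of a stack trace."""
    try:
        return 200, handler(current_user, *args)
    except Forbidden as exc:
        return 403, str(exc)


if __name__ == "__main__":
    alice, admin = USERS[0], USERS[2]
    print(handle(get_users, admin))       # (200, ['alice', 'bob', 'admin'])
    print(handle(get_users, alice))       # (403, 'ADMIN role required')
    print(handle(get_profile, alice, 2))  # (403, 'not your record')
```

Putting the decision in one decorator and one object-level function keeps the check out of individual handlers, so a new endpoint cannot silently ship without it.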
Countermeasures
General Security Principles
- Defense in Depth: Multiple security layers
- Least Privilege: Grant minimal permissions
- Security by Design: Plan security from the start
- Regular Updates: Keep systems and libraries current
Specific Measures
- Input Validation: Validate all user inputs
- Output Encoding: Properly escape outputs
- Parameterized Queries: Prevent SQL injection
- Strong Authentication: Multi-factor authentication
- HTTPS: Enforce encrypted communication
- Security Headers: Use CSP, HSTS, X-Frame-Options
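A small check for the last item, as an added example that is not part of the original entry: a function that adds a baseline set of security headers to a response and a second one that audits a response's headers for missing or weak values. The header values chosen here, the one-year HSTS threshold (the minimum the HSTS preload list accepts) and the dict-based response shape are assumptions of this example, not a policy from the entry.

```python
from typing import Dict, List, Optional

# Baseline values chosen for this example; a real CSP is tuned per application.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

ONE_YEAR = 31536000  # seconds; the max-age the HSTS preload list requires


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so compare them that way."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def add_security_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with every baseline header present; existing values win."""
    result = dict(headers)
    for name, value in SECURITY_HEADERS.items():
        if _lookup(result, name) is None:
            result[name] = value
    return result


def hsts_max_age(value: str) -> int:
    """Parse the max-age directive of an HSTS header; -1 if absent or malformed."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return -1
    return -1


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Findings for a response's headers: missing headers and weak values."""
    findings = []
    for name in SECURITY_HEADERS:
        if _lookup(headers, name) is None:
            findings.append(f"missing: {name}")
    hsts = _lookup(headers, "Strict-Transport-Security")
    if hsts is not None and hsts_max_age(hsts) < ONE_YEAR:
        findings.append("weak: Strict-Transport-Security max-age below one year")
    xfo = _lookup(headers, "X-Frame-Options")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("weak: X-Frame-Options must be DENY or SAMEORIGIN")
    return findings


if __name__ == "__main__":
    # Constructed response headers with a short HSTS lifetime and no CSP.
    response = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=3600"}
    print(audit_security_headers(response))
    print(audit_security_headers(add_security_headers(response)))
```

The audit is the part worth keeping in a test suite: run it against the headers your framework actually emits, so a misconfiguration (A05) that drops a header is caught before deployment rather than in a pentest report.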
Advantages and Disadvantages
Advantages of OWASP Top 10
- Awareness: Raises awareness of security risks
- Standardization: Common language for security
- Prioritization: Focus on most critical risks
- Practice-oriented: Based on real attack data
Disadvantages
- Completeness: Does not cover all possible risks
- False security: Focusing only on Top 10 can ignore other risks
- Updates: List can become outdated quickly
- Complexity: Implementation requires expertise
Common Exam Questions
- What is OWASP and why is the Top 10 list important? OWASP is an organization focused on application security. The Top 10 list prioritizes the most critical risks.
- Explain SQL Injection and how to prevent it! SQL Injection is injecting SQL code through user inputs. Prevented through prepared statements and input validation.
- What is the difference between XSS and CSRF? XSS (Cross-Site Scripting) executes code in the victim's browser, CSRF (Cross-Site Request Forgery) performs actions on behalf of the victim.
- Why is Security by Design important? Integrating security from the start is more effective and cost-efficient than securing afterwards.
Most Important Sources
- https://owasp.org/www-project-top-ten/
- https://cheatsheetseries.owasp.org/
- https://portswigger.net/web-security