Sneha Patra D20A 40
SAD Experiment 5
Aim: Study of OWASP vulnerabilities.
Theory
1. Introduction to OWASP
The Open Web Application Security Project (OWASP) is a non-profit organization dedicated
to improving the security of software. It provides freely available resources, tools, and
methodologies to help developers, testers, and organizations protect applications from cyber
threats.
OWASP is widely known for publishing the OWASP Top 10, a regularly updated report that
highlights the most critical web application security risks. These risks serve as a standard
awareness document for developers and security professionals.
2. Importance of OWASP in Cybersecurity
● Provides a global benchmark for web application security.
● Helps organizations identify, prioritize, and mitigate vulnerabilities.
● Encourages secure coding practices among developers.
● Assists in compliance with standards such as ISO 27001, PCI-DSS, GDPR.
● Supports both education and industry adoption through free tools and documentation.
3. OWASP Top 10 Vulnerabilities (2021 Edition)
The OWASP Top 10 lists the most common and dangerous vulnerabilities in web applications.
They include:
1. Broken Access Control – Improper enforcement of user privileges allowing
unauthorized access.
2. Cryptographic Failures – Weak or incorrect use of encryption leading to exposure of
sensitive data.
3. Injection Attacks – Malicious input (SQL, NoSQL, LDAP, Command Injection) altering
execution of queries.
� 4. Insecure Design – Security flaws due to poor architectural decisions.
5. Security Misconfiguration – Improperly configured servers, frameworks, or application
settings.
6. Vulnerable and Outdated Components – Use of outdated libraries, plugins, or
frameworks with known vulnerabilities.
7. Identification and Authentication Failures – Weak or broken authentication
mechanisms leading to account takeover.
8. Software and Data Integrity Failures – Untrusted code or data updates that may lead
to compromise.
9. Security Logging and Monitoring Failures – Inadequate logging or monitoring,
delaying detection of attacks.
10. Server-Side Request Forgery (SSRF) – Attackers trick a server into making
unintended requests to internal resources.
4. OWASP Risk Rating Methodology
OWASP developed a risk rating methodology to evaluate and prioritize vulnerabilities. It
consists of:
● Likelihood Factors
○ Skill level, motive, opportunity, and ease of discovery/exploitation.
● Impact Factors
○ Technical impact: Confidentiality, Integrity, Availability (CIA triad).
○ Business impact: Financial loss, brand damage, regulatory penalties.
● Final Risk Score
○ Calculated as a combination of likelihood × impact.
○ Risks categorized as Low, Medium, High, or Critical.
This structured methodology allows organizations to focus on the most severe risks first,
ensuring efficient allocation of resources.
�5. OWASP Methodologies and Tools
Apart from the Top 10 list, OWASP provides methodologies and tools such as:
● OWASP ASVS (Application Security Verification Standard) – A framework for testing
security requirements.
● OWASP SAMM (Software Assurance Maturity Model) – Helps organizations assess
and improve software security practices.
● OWASP Threat Dragon – A threat modeling tool to identify risks during the design
phase.
● OWASP ZAP (Zed Attack Proxy) – Widely used penetration testing tool for finding web
vulnerabilities.
● OWASP Cheat Sheets – Best practice guidelines for secure coding.
6. Conclusion
OWASP plays a critical role in modern cybersecurity, acting as a foundation for developers,
testers, and organizations to create secure applications. Its Top 10 vulnerabilities serve as a
checklist to identify common risks, while its risk rating methodology ensures structured
prioritization of threats. By adopting OWASP methodologies and tools, organizations can
significantly reduce the chances of successful cyber-attacks, safeguard sensitive data, and
maintain compliance with security standards.