OWASP Top Ten 2017

Details About Risk Factors

Top 10 Risk Factor Summary
The following table presents a summary of the 2017 Top 10 Application Security Risks, and the risk factors we have assigned to each risk. These factors were determined based on the available statistics and the experience of the OWASP Top 10 team. To understand these risks for a particular application or organization, you must consider your own specific threat agents and business impacts. Even severe software weaknesses may not present a serious risk if there are no threat agents in a position to perform the necessary attack or the business impact is negligible for the assets involved.

RISK Threat Agents Attack Vectors
(Exploitability)
Security Weakness
(Prevalence)
Security Weakness
(Detectability)
Impacts
(Technical)
Impacts
(Business)
Score
A1:2017-Injection App. Specific EASY: 3 COMMON: 2 EASY: 3 SEVERE: 3 App. Specific 8.0
A2:2017-Broken Authentication App. Specific EASY: 3 COMMON: 2 AVERAGE: 2 SEVERE: 3 App. Specific 7.0
A3:2017-Sensitive Data Exposure App. Specific AVERAGE: 2 WIDESPREAD: 3 AVERAGE: 2 SEVERE: 3 App. Specific 7.0
A4:2017-XML External Entities (XXE) App. Specific AVERAGE: 2 COMMON: 2 EASY: 3 SEVERE: 3 App. Specific 7.0
A5:2017-Broken Access Control App. Specific AVERAGE: 2 COMMON: 2 AVERAGE: 2 SEVERE: 3 App. Specific 6.0
A6:2017-Security Misconfiguration App. Specific EASY: 3 WIDESPREAD: 3 EASY: 3 MODERATE: 2 App. Specific 6.0
A7:2017-Cross-Site Scripting (XSS) App. Specific EASY: 3 WIDESPREAD: 3 EASY: 3 MODERATE: 2 App. Specific 6.0
A8:2017-Insecure Deserialization App. Specific DIFFICULT: 1 COMMON: 2 AVERAGE: 2 SEVERE: 3 App. Specific 5.0
A9:2017-Using Components with Known Vulnerabilities App. Specific AVERAGE: 2 WIDESPREAD: 3 AVERAGE: 2 MODERATE: 2 App. Specific 4.7
A10:2017-Insufficient Logging & Monitoring App. Specific AVERAGE: 2 WIDESPREAD: 3 DIFFICULT: 1 MODERATE: 2 App. Specific 4.0

Project Sponsorship
The Top 10 covers a lot of ground, but there are many other risks you should consider and evaluate in your organization. Some of these have appeared in previous versions of the Top 10, and others have not, including new attack techniques that are being identified all the time. Other important application security risks (ordered by CWE-ID) that you should additionally consider include:
* CWE-352: Cross-Site Request Forgery (CSRF)
* CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’, ‘AppDoS’)
* CWE-434: Unrestricted Upload of File with Dangerous Type
* CWE-451: User Interface (UI) Misrepresentation of Critical Information (Clickjacking and others)
* CWE-601: Unvalidated Forward and Redirects
* CWE-799: Improper Control of Interaction Frequency (Anti-Automation)
* CWE-829: Inclusion of Functionality from Untrusted Control Sphere (3rd Party Content)
* CWE-918: Server-Side Request Forgery (SSRF)