Understanding the OWASP Top 10 2017: A Comprehensive Guide to Web Application Security

The OWASP Top 10 2017 represents a crucial consensus document outlining the most critical security risks facing web applications. Developed by the Open Web Application Security Project, this list serves as an essential resource for developers, security professionals, and organizations worldwide. Understanding these vulnerabilities is fundamental to building secure applications in our increasingly digital world.

The 2017 edition reflected significant changes from previous versions, with new vulnerabilities emerging and existing threats evolving in response to changing technology landscapes. This iteration placed greater emphasis on API security and reflected the industry’s growing awareness of different attack vectors that had gained prominence since the 2013 release.

  1. A1:2017-Injection

    Injection flaws remain at the top of the list, maintaining their position from previous versions due to their prevalence and potential impact. Injection occurs when untrusted data is sent to an interpreter as part of a command or query, tricking the interpreter into executing unintended commands or accessing unauthorized data. SQL injection represents the most common form, where attackers manipulate database queries through user input fields.

    Other injection types include OS command injection, LDAP injection, and XML injection. The consequences can be devastating, ranging from data loss and corruption to complete host takeover. Prevention requires strict input validation, parameterized queries, stored procedures, and proper escaping of special characters. Organizations should also implement the principle of least privilege, ensuring database accounts have minimal required permissions.
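The difference between string-built and parameterized queries, as an added example that is not part of the original article. It uses an in-memory SQLite table with constructed sample rows and a hostile input containing a quote character, and shows why the parameterized form is the fix rather than escaping by hand.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demonstration (not from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

def find_user_vulnerable(conn, name):
    # A1:2017-Injection: untrusted input is spliced into the query text, so
    # the SQL interpreter cannot tell where data ends and code begins.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    # Parameterized query: the value is bound separately by the driver and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    """Run both lookups on the same hostile input and a normal one."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # classic tautology used in every OWASP writeup
    return {
        "vulnerable": find_user_vulnerable(conn, hostile),  # returns every row
        "safe": find_user_safe(conn, hostile),              # returns nothing
        "safe_normal": find_user_safe(conn, "bob"),         # normal lookup works
    }

if __name__ == "__main__":
    print(demo())
```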

  2. A2:2017-Broken Authentication

    Broken authentication mechanisms continue to pose significant threats, moving up from the third position in the previous list. This category encompasses various flaws in implementation that allow attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.

    Common vulnerabilities include weak credential recovery processes, session fixation attacks, exposed session IDs in URLs, and improper logout functionality. Prevention strategies include implementing multi-factor authentication, avoiding default credentials, ensuring strong password policies, and implementing secure session management with proper timeout controls.

  3. A3:2017-Sensitive Data Exposure

    This category addresses the failure to properly protect sensitive data such as passwords, credit card numbers, health records, and personal information. Many web applications and APIs don’t properly protect sensitive data, leaving it vulnerable to theft or exposure through various attack vectors.

    Attackers may steal weakly protected data to conduct identity theft, credit card fraud, or other crimes. Protection requires classifying data processed by applications, understanding what data is considered sensitive, ensuring encryption of all sensitive data at rest and in transit, disabling caching for sensitive responses, and using strong, up-to-date cryptographic algorithms and protocols.

  4. A4:2017-XML External Entities (XXE)

    XXE represents a new entry in the 2017 list, reflecting the growing recognition of this vulnerability type. Many older or poorly configured XML processors evaluate external entity references within XML documents, which can be exploited to disclose internal files, conduct denial of service attacks, or perform server-side request forgery.

    Attackers can exploit vulnerable code, dependencies, or integrations by uploading malicious XML files or submitting hostile content. Prevention involves using simpler data formats like JSON, patching XML processors, implementing server-side input validation, and disabling XML external entity processing in all XML parsers.
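One way to disable entity processing with only the Python standard library, as an added example that is not part of the original article: the expat parser is configured to reject any DOCTYPE, entity declaration or external entity reference before the document body is touched, which is the same strategy the defusedxml package uses. The sample documents and the `file:///placeholder/...` URL are constructed for the demo.

```python
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """Raised when a document tries to declare or reference entities."""

def parse_without_entities(xml_bytes):
    """Parse XML but refuse anything an XXE or entity-expansion document
    needs. Ordinary data exchange never requires a DOCTYPE, so rejecting it
    outright is the simplest hardening. Returns the tags seen and the text."""
    parser = xml.parsers.expat.ParserCreate()
    tags, chunks = [], []

    def reject(*args):
        # Exceptions raised in a handler propagate out of parser.Parse().
        raise UnsafeXMLError("DOCTYPE / entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject   # <!DOCTYPE ...>
    parser.EntityDeclHandler = reject         # <!ENTITY ...> (internal or external)
    parser.ExternalEntityRefHandler = reject  # never fetch external resources
    parser.StartElementHandler = lambda tag, attrs: tags.append(tag)
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return {"tags": tags, "text": "".join(chunks)}

def is_rejected(xml_bytes):
    try:
        parse_without_entities(xml_bytes)
        return False
    except UnsafeXMLError:
        return True

# Constructed sample documents (not from the article).
BENIGN = b"<order><item>widget</item></order>"
HOSTILE = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///placeholder/secret.txt"> ]>\n'
           b'<foo>&xxe;</foo>')
```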

  5. A5:2017-Broken Access Control

    Previously known as “Missing Function Level Access Control,” this category expanded in the 2017 edition to encompass broader access control issues. Restrictions on what authenticated users are allowed to do are often not properly enforced, allowing attackers to exploit these flaws to access unauthorized functionality or data.

    Attackers commonly exploit these flaws by modifying URLs, internal application state, or HTML pages, or simply by using custom API attack tools. Prevention requires implementing access control mechanisms once and reusing them throughout the application, denying access by default, and properly enforcing record ownership and user privileges.
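A single deny-by-default policy function that enforces record ownership, as an added example that is not part of the original article. The `User`, `Invoice` and `INVOICES` objects are constructed sample data; the vulnerable lookup is shown beside the checked one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset

@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int

# Constructed sample records (not from the article).
INVOICES = {1: Invoice(1, owner_id=100), 2: Invoice(2, owner_id=200)}

def get_invoice_vulnerable(invoice_id):
    # A5:2017: the record is returned for any caller who guesses an id.
    return INVOICES.get(invoice_id)

def authorize(user, action, invoice):
    """One central policy, reused everywhere. Deny unless a rule grants:
    owners may read/edit their own records, auditors may read any record."""
    if user is None:
        return False
    if "auditor" in user.roles and action == "read":
        return True
    if invoice.owner_id == user.id and action in ("read", "edit"):
        return True
    return False  # deny by default

def can_access(user, action, invoice_id):
    # Look the record up by the client-supplied id, then check ownership.
    # Treat 'missing' and 'forbidden' alike so callers cannot enumerate ids.
    invoice = INVOICES.get(invoice_id)
    return invoice is not None and authorize(user, action, invoice)
```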

  6. A6:2017-Security Misconfiguration

    Security misconfiguration remains a prevalent issue, often resulting from incomplete or ad-hoc configurations, insecure default configurations, or verbose error messages containing sensitive information. Attackers will often attempt to exploit unpatched flaws, access default accounts, or gain access through unprotected files and directories.

    This vulnerability can occur at any level of an application stack, including the network services, platform, web server, application server, and custom code. Prevention requires implementing repeatable hardening processes, deploying minimal platforms without unnecessary features, and establishing robust application security configuration management.

  7. A7:2017-Cross-Site Scripting (XSS)

    While XSS dropped in ranking from previous versions, it remains a significant threat. XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.

    XSS allows attackers to execute scripts in the victim’s browser, potentially hijacking user sessions, defacing websites, or redirecting users to malicious sites. Prevention requires proper context-dependent output encoding, enabling Content Security Policy, and using frameworks that automatically escape XSS by design.

  8. A8:2017-Insecure Deserialization

    This new entry in the 2017 list addresses the growing threat of insecure deserialization, which often leads to remote code execution. Insecure deserialization occurs when untrusted data is used to abuse the logic of an application, inflict denial of service attacks, or execute arbitrary code.

    Attackers can manipulate serialized objects to achieve these malicious outcomes. Prevention strategies include not accepting serialized objects from untrusted sources, implementing integrity checks, isolating code that deserializes in low privilege environments, and logging deserialization exceptions and failures.
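The integrity-check strategy in practice, as an added example that is not part of the original article: state is serialized to JSON (a data-only format that cannot trigger object construction on load) and an HMAC-SHA256 tag is verified before anything is parsed, so unsigned or modified payloads are rejected. The key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key-not-for-production"  # placeholder

def serialize(obj, key=SECRET_KEY):
    """JSON-encode the object and append an HMAC tag over the exact bytes."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload) + b"." + base64.urlsafe_b64encode(tag)

def deserialize(token, key=SECRET_KEY):
    """Verify the tag (constant-time compare) before the payload is parsed.
    Raises ValueError for malformed, unsigned or tampered tokens."""
    try:
        payload_b64, tag_b64 = token.split(b".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)  # binascii.Error is a ValueError
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")  # log this: A10 wants it
    return json.loads(payload)

def is_accepted(token, key=SECRET_KEY):
    try:
        deserialize(token, key)
        return True
    except ValueError:
        return False
```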

  9. A9:2017-Using Components with Known Vulnerabilities

    Modern application development heavily relies on components, libraries, and frameworks, which often execute with full privileges. Vulnerabilities in these components can cause serious security impacts, and many organizations fail to identify and patch these vulnerabilities in a timely manner.

    Attackers can exploit known vulnerabilities in unpatched systems, potentially taking complete control of affected systems. Prevention requires removing unused dependencies, continuously inventorying component versions, monitoring sources for vulnerabilities, and obtaining components only from official sources over secure links.

  10. A10:2017-Insufficient Logging & Monitoring

    This category moved up from its previous position, reflecting increased recognition of its importance. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data.

    Most breach studies show the time to detect a breach is over 200 days, typically detected by external parties rather than internal processes. Prevention requires ensuring all login, access control, and server-side input validation failures are logged, establishing effective monitoring and alerting processes, and establishing effective incident response and recovery plans.
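Logging failures is only useful if something watches them; as an added example that is not part of the original article, this is a small detector run over constructed login-failure log lines (the line format, the RFC 5737 documentation addresses and the timestamps are all assumptions). It alerts when one source address accumulates a threshold of failures inside a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the article): timestamp, event, user, source.
SAMPLE_LOG = """\
2017-11-20T10:00:01Z LOGIN_FAILURE user=alice src=203.0.113.5
2017-11-20T10:00:03Z LOGIN_FAILURE user=bob src=203.0.113.5
2017-11-20T10:00:04Z LOGIN_SUCCESS user=carol src=198.51.100.7
2017-11-20T10:00:06Z LOGIN_FAILURE user=carol src=203.0.113.5
2017-11-20T10:00:09Z LOGIN_FAILURE user=dave src=203.0.113.5
2017-11-20T10:00:12Z LOGIN_FAILURE user=erin src=203.0.113.5
2017-11-20T10:09:00Z LOGIN_FAILURE user=alice src=198.51.100.7
2017-11-20T10:25:00Z LOGIN_FAILURE user=alice src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\w+) user=(\S+) src=(\S+)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, event, user, src = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, src

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Alert once per source that reaches `threshold` LOGIN_FAILURE events
    within `window`. Returns (src, first_ts, last_ts, distinct_users) tuples;
    many distinct users from one source suggests password spraying."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) inside the window
    alerts, fired = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, user, src = rec
        if event != "LOGIN_FAILURE":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and src not in fired:
            fired.add(src)
            alerts.append((src, q[0][0], ts, len({u for _, u in q})))
    return alerts
```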

The OWASP Top 10 2017 serves as more than just a list of vulnerabilities—it represents a fundamental shift in how organizations approach application security. The inclusion of new categories like XXE and Insecure Deserialization reflects the evolving threat landscape, while the repositioning of existing vulnerabilities indicates changing prevalence and impact assessments.

Implementation of security controls addressing these vulnerabilities requires a comprehensive approach spanning people, processes, and technology. Organizations should integrate security throughout the software development lifecycle, from requirements gathering through design, implementation, testing, and deployment. Security training for developers, secure coding standards, and regular security testing are essential components of an effective application security program.

While the OWASP Top 10 2017 has been superseded by newer versions, understanding its contents remains valuable for security professionals. The principles underlying these vulnerabilities continue to be relevant, and many organizations still struggle with these fundamental security issues. The document provides an excellent foundation for building security awareness and establishing baseline security controls.

Looking forward, the trends identified in the 2017 edition have continued to evolve, with cloud security, API security, and supply chain security gaining increased attention. However, the core principles of input validation, proper authentication and authorization, secure configuration, and comprehensive monitoring remain timeless. Organizations that successfully address the OWASP Top 10 2017 vulnerabilities establish a strong foundation for protecting against both current and emerging threats.

Eric
