The Open Web Application Security Project (OWASP) Foundation is a nonprofit foundation focused on improving the security of software.
OWASP Web Security Testing Guide
The OWASP Web Security Testing Guide → applies to web application testing specifically. It focuses on design review, code reviews, data flow modelling, methods of testing weaknesses that are only found in application implementations, and security testing at all stages of the Software Development Life Cycle (SDLC).
Its sections include information gathering methods for web application security testing and testing of configuration and deployment management, identity management, authentication, authorisation, session management, input validation, error handling, weak cryptography, business logic, client-side issues, and application programming interfaces (APIs).
OWASP Top 10 2021
The OWASP Top 10 document lists the ten most common security flaws in web applications that may put an organisation at risk. Listed here with its notable CWE’s for quick references on low-hanging fruit.
Broken Access Control
Many web applications do not enforce restrictions on what an authenticated user can do within the application. An attacker that exploits this flaw can gain access to sensitive information or perform undesired actions. Notable Common Weakness Enumerations (CWEs) included are:
The third most common flaw in web applications is sensitive data exposure flaws that involve web applications or APIs not protecting sensitive data within the application. This could be financial data, healthcare data, or Personally Identifiable Information (PII) data. This could be due to a lack of encryption at rest and in transit, or other missing access control methods. Notable Common Weakness Enumerations (CWEs) included are:
Injection flaws occur when data is input into an application but the input is not sanitised or validated by the developer of the application. Notable Common Weakness Enumerations (CWEs) included are:
Insecure covers risk-related design flaws in applications. This new category looks to improve on the use of threat modeling and secure design patterns and principles during the development of the application. Notable Common Weakness Enumerations (CWEs) include:
Applications should have their default settings altered and security configuration settings reviewed as security misconfigurations is a common flaw in web applications. Notable CWEs included are:
Vulnerable and Outdated Components
Components are libraries of code that an application may use. Development of an application may be following secure coding best practices, but once a third-party library is called, that component may be developed in an unsecure manner that exposes the application to security flaws.
Identification and Authentication Failures
Flaws in authentication or session management may allow attackers to access passwords, keys, or session tokens. Notable CWEs included are:
Software and Data Integrity Failures
This flaw pertains to failures when verifying the integrity of components when applying software updates or updates to critical data. Insecure Deserialization from 2017 is included in this category. Insecure deserialization flaws may result in an attacker being able to perform remote code execution, replay attacks, injection attacks, and privilege escalation attacks. Notable Common Weakness Enumerations (CWEs) include:
Security Logging and Monitoring Failures
Lack of logging and monitoring means that an application or system does not have the capabilities to detect and log breaches in security. Adequate logging and monitoring should be configured within an application or system to help determine the extent of a security breach during incident response. This category includes:
Server-Side Request Forgery
This security flaw enables attackers to invoke requests from a vulnerable web application to another system. This category represents the scenario where the security community members are telling OWASP this is important, even though it’s not illustrated in the data yet.
The OWASP Foundation has other projects as well, like OWASP Mobile Application Security.