OWASP TOP 10
VULNERABILITIES
OWASP TOP 10:
1. Injection
2. Broken Authentication & Session Management
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using components with known vulnerabilities
10. Insufficient logging & monitoring
#1: INJECTION
• Injection flaws sit at the head of the OWASP Top 10, and SQL Injection in particular is common in web applications.
• Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker’s hostile data tricks the interpreter into executing unintended commands or changing data.
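An added example (not from the original slides) showing the two halves of that sentence side by side: a lookup that splices user input into the SQL text, and the same lookup with a bound parameter. The in-memory table, the user rows and the hostile input are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table standing in for the application's user store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "user"), ("carol", "user")])
conn.commit()

def find_user_vulnerable(username):
    """Builds the query by string concatenation: the input becomes part of the
    SQL text, so the interpreter cannot tell data from command."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def find_user_safe(username):
    """Parameterised query: the driver sends the input as a bound value, never
    as SQL, so it is only ever compared against the column."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

# Constructed hostile input of the kind the slide describes: a quote that closes
# the string literal, followed by an always-true condition.
HOSTILE = "x' OR '1'='1"

if __name__ == "__main__":
    print(find_user_vulnerable("alice"))   # [('alice', 'admin')]
    print(find_user_vulnerable(HOSTILE))   # every row: the WHERE clause was rewritten
    print(find_user_safe(HOSTILE))         # []: the input was treated as a literal name
```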
#2: BROKEN AUTHENTICATION & SESSION MANAGEMENT
• Broken Authentication & Session Management allows anonymous attacks aimed at attempting to steal valuable data, especially personally identifiable information.
#3: SENSITIVE DATA EXPOSURE
• Sensitive data, such as credit card numbers, health data, or passwords, should have extra protection given the potential for damage if it falls into the wrong hands.
• If data is stored or transferred as plain text, if older/weaker encryption is used, or if data is decrypted carelessly, an attacker can gain access and exploit the data.
#4: XML EXTERNAL ENTITIES
• XML is a data format used to describe different data elements.
• XML also uses “entities” to help define related data, but entities can access remote or local content, something as harmless as pulling a current stock price from a third-party website.
• If a developer uses a common or default filename in a common location, an attacker’s job is easy.
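An added example (not from the original slides) of the usual defence: entities can only be declared inside a DTD, so untrusted XML is refused outright if it carries one, rather than trying to filter individual entities. The two documents, including the placeholder local path in the entity declaration, are constructed inputs.

```python
import re
import xml.etree.ElementTree as ET

# Matches any document type declaration, the only place where entities
# (internal or external) can be declared.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

class UnsafeXMLError(ValueError):
    pass

def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Reject any document that carries a DTD before handing it to the parser.
    Refusing the DTD removes the external-entity channel entirely."""
    if _DOCTYPE_RE.search(data):
        raise UnsafeXMLError("DTD/entity declarations are not accepted from untrusted input")
    return ET.fromstring(data)

# Constructed inputs: a plain document, and one that declares an external
# entity pointing at a placeholder local path.
BENIGN = b"<order><item sku='A-100'>2</item></order>"
WITH_ENTITY = (b"<?xml version='1.0'?>"
               b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///PLACEHOLDER/local.txt'>]>"
               b"<order><item>&ext;</item></order>")

def is_accepted(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN).find("item").get("sku"))  # A-100
    print(is_accepted(WITH_ENTITY))                             # False
```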
#5: BROKEN ACCESS CONTROL
• Access control, or authorization, is how web apps let different users access different content, data or functions.
• Sometimes gaining unauthorized access is as simple as manually entering an unlinked URL in a browser, such as http://example.com/admin
• As with other vulnerabilities, attackers can gain access to (or modify) data, accounts and functions that they shouldn’t.
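An added example (not from the original slides) of a server-side check that makes the unlinked-URL case fail: every request is matched against an explicit policy, and any path or role the policy does not grant is denied. The policy table, user records and paths are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

# Explicit policy: which roles may reach which path prefixes. An empty set means
# public. Anything not listed is denied, so /admin stays protected whether or
# not the UI links to it.
POLICY = {
    "/admin": {"admin"},
    "/account": {"user", "admin"},
    "/public": set(),
}

def authorize(user, path: str) -> bool:
    """Return True only if an explicit rule grants this request.
    The most specific (longest) matching prefix wins; unknown paths are denied."""
    matches = [p for p in POLICY if path == p or path.startswith(p + "/")]
    if not matches:
        return False
    rule = POLICY[max(matches, key=len)]
    if not rule:                    # public resource
        return True
    if user is None:                # anonymous visitor, protected resource
        return False
    return bool(user.roles & rule)

if __name__ == "__main__":
    anon = None
    bob = User("bob", frozenset({"user"}))
    alice = User("alice", frozenset({"admin"}))
    print(authorize(anon, "/admin"))      # False: typing the URL is not enough
    print(authorize(bob, "/admin"))       # False
    print(authorize(alice, "/admin"))     # True
    print(authorize(bob, "/account/42"))  # True
    print(authorize(anon, "/secret"))     # False: not in the policy, denied
```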
#6: SECURITY MISCONFIGURATION
• Security Misconfiguration arises when security settings are defined, implemented, and maintained as defaults.
• Example #1: The app server admin console is automatically installed and not removed.
• Example #2: Directory listing is not disabled on your server.
• Example #3: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws.
• Example #4: App server comes with sample applications that are not removed from your production server.
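An added example (not from the original slides) for Example #3: a request wrapper that keeps the stack trace on the server, under a correlation id in the log, and gives the user only a generic message plus that id. The failing handler and its price table are constructed stand-ins for application code.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app.errors")

def handle_request(handler, *args):
    """Wrap a request handler so an unexpected exception never reaches the client
    as a stack trace. The full traceback goes to the server log under a
    correlation id; the client receives only that id and a generic message."""
    try:
        return 200, handler(*args)
    except Exception:
        incident_id = uuid.uuid4().hex
        log.error("incident %s\n%s", incident_id, traceback.format_exc())
        return 500, f"Internal error. Reference: {incident_id}"

# Constructed handler that fails on unknown input, standing in for real app code.
def lookup_price(sku: str) -> str:
    prices = {"A-100": "9.99"}
    return prices[sku]              # KeyError for unknown SKUs

def response_leaks_internals(body: str) -> bool:
    """A safe response carries neither the exception type nor file/line
    details from the traceback."""
    return "Traceback" in body or "KeyError" in body or ".py" in body

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(handle_request(lookup_price, "A-100"))     # (200, '9.99')
    status, body = handle_request(lookup_price, "B-200")
    print(status, body)                              # 500 Internal error. Reference: <id>
    print(response_leaks_internals(body))            # False
```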
#7: CROSS-SITE SCRIPTING
• Cross-site Scripting (XSS) is a client-side code injection attack.
• The attacker aims to execute malicious scripts in the victim’s web browser by including malicious code in a legitimate web page or web application.
• The actual attack occurs when the victim visits the web page or web application that executes the malicious code.
• The web page or web application becomes a vehicle to deliver the malicious script to the user’s browser.
#8: INSECURE DESERIALIZATION
• It occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon being deserialized.
• It’s frequently possible for an attacker to abuse these deserialization features when the application is deserializing untrusted data which the attacker controls.
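An added example (not from the original slides) of limiting what a deserializer may resolve, following the restricted-unpickler pattern from the Python pickle documentation: any global reference not on an allow-list is refused before it is looked up. The allow-list and both pickled payloads are constructed for the demonstration.

```python
import io
import pickle
from collections import OrderedDict

# Allow-list of (module, name) pairs the application actually needs to load.
ALLOWED = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "str"),
    ("builtins", "int"), ("builtins", "float"), ("builtins", "bool"),
}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global not on the allow-list. pickle resolves
    module.name references while loading and can call what it resolves, so
    restricting find_class is what keeps untrusted bytes from running code."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def loads_ok(data: bytes) -> bool:
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False

# Constructed payloads: plain data, and a stream that references a global the
# application never allowed (a harmless one here; the point is that it is
# refused before anything is resolved).
PLAIN = pickle.dumps({"user": "alice", "cart": [1, 2, 3]})
FORBIDDEN = pickle.dumps(OrderedDict(a=1))

if __name__ == "__main__":
    print(restricted_loads(PLAIN))   # {'user': 'alice', 'cart': [1, 2, 3]}
    print(loads_ok(FORBIDDEN))       # False
```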
#9: USING COMPONENTS WITH KNOWN VULNERABILITIES
• Known vulnerabilities are vulnerabilities that were discovered in open source components and published in the NVD, security advisories or issue trackers.
• From the moment of publication, a vulnerability can be exploited by hackers who find the documentation.
• The possible impact of open source vulnerabilities ranges from minor to some of the largest breaches known.
• It’s estimated that well over 80% of all software includes at least some open source components.
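An added example (not from the original slides) of the check a dependency scanner performs: pinned component versions are compared against published advisories and anything below the fixed version is flagged. The advisory feed, its placeholder identifiers, the package names and the requirements list are all constructed; real advisories would come from the NVD or the project's own security feed.

```python
# Constructed advisory feed standing in for NVD/advisory data: each entry names
# a component, the first fixed version, and a placeholder identifier.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "examplelib", "fixed_in": "2.4.1"},
    {"id": "ADV-PLACEHOLDER-2", "package": "otherlib", "fixed_in": "1.0.0"},
]

def parse_version(v: str) -> tuple:
    """Dotted numeric version to a tuple so versions compare component-wise."""
    return tuple(int(part) for part in v.split("."))

def parse_requirements(text: str) -> dict:
    """Parse pinned 'name==version' lines; comments and blank lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==")
        pins[name.strip().lower()] = version.strip()
    return pins

def vulnerable_components(requirements: str, advisories=ADVISORIES) -> list:
    """Return (package, pinned_version, advisory_id) for every pin that is
    older than the advisory's fixed version."""
    pins = parse_requirements(requirements)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"])
        if pinned and parse_version(pinned) < parse_version(adv["fixed_in"]):
            findings.append((adv["package"], pinned, adv["id"]))
    return findings

# Constructed sample pins.
REQUIREMENTS = """
examplelib==2.3.0   # below the fixed version: flagged
otherlib==1.2.0     # already fixed
unrelated==0.9
"""

if __name__ == "__main__":
    print(vulnerable_components(REQUIREMENTS))  # [('examplelib', '2.3.0', 'ADV-PLACEHOLDER-1')]
```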
#10: INSUFFICIENT LOGGING AND MONITORING
• An insufficient logging and monitoring vulnerability occurs when security-critical events aren’t logged properly and the system is not monitoring what is currently happening.
• The lack of these functions makes malicious activity harder to detect and hampers effective incident handling when an attack happens.
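An added example (not from the original slides) of both halves: security-critical events written as structured log lines, and a monitor that reads them back and alerts when one source address accumulates repeated failed logins inside a sliding window. The threshold, window and sample log lines (using documentation IP ranges) are constructed for the demonstration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def security_event(ts: datetime, event: str, **fields) -> str:
    """Emit a security-relevant event as one structured JSON line carrying the
    fields an analyst needs (who, from where, outcome), never the password."""
    record = {"ts": ts.isoformat(), "event": event, **fields}
    return json.dumps(record, sort_keys=True)

class FailedLoginMonitor:
    """Alert when one source IP reaches `threshold` failed logins within
    `window`. Sliding window per IP, fed from the JSON log lines above."""
    def __init__(self, threshold=5, window=timedelta(minutes=5)):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)
        self.alerts = []

    def ingest(self, line: str):
        rec = json.loads(line)
        if rec["event"] != "login_failed":
            return
        ts, ip = datetime.fromisoformat(rec["ts"]), rec["src_ip"]
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.alerts.append((ip, ts))
            q.clear()                           # one burst yields one alert

# Constructed log: six failures from one address within two minutes,
# then one successful login from another.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_LOG = [security_event(T0 + timedelta(seconds=20 * i), "login_failed",
                             user="alice", src_ip="203.0.113.7") for i in range(6)]
SAMPLE_LOG.append(security_event(T0 + timedelta(minutes=3), "login_ok",
                                 user="bob", src_ip="198.51.100.2"))

def run_monitor(lines) -> list:
    mon = FailedLoginMonitor()
    for line in lines:
        mon.ingest(line)
    return mon.alerts

if __name__ == "__main__":
    print(run_monitor(SAMPLE_LOG))   # [('203.0.113.7', datetime(2024, 1, 1, 12, 1, 20))]
```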
HOW TO ACHIEVE LOGGING AND MONITORING: