Get a free application, infrastructure and malware scan report - Scan Your Website Now

Subscribe to our Newsletter
Try AppTrana WAAP (WAF)

Managed WAF

Starts at $99

Guided onboarding, monitoring of latency, false positives, and DDoS attacks, custom rules, and more

Try Free For 14 Days

OWASP Top 10 Vulnerabilities 2013

Posted DateFebruary 19, 2014
Posted Time 2   min Read

By Client Services Team, Indusface

SR No. Vulnerability Title % of vulnerability
1 Application Error message 43%
2 Browsable Web directory 11%
3 Cross-Site Scripting 10%
4 Potential Information Leakage 10%
5 SQL Injection 7%
6 Debug feature enabled 6%
7 Possible Sensitive Directories/Files Exposed 4%
8 Source Code Disclosure 3%
9 OS Command Injection 3%
10 Possible Backup File(s) 1%

Find such security issues on your website with Indusface WAS Free Website Scanner.

For 2013, the OWASP Top 10 Most Common Critical Web Application Security Risks are:

Application Error message

An attacker can try to force the target website to produce error messages bypassing different attack vectors to different parameters and then analyze the errors to get target information. This page contains an error/warning message that may disclose sensitive information.

Browsable web directory

A web directory was found to be browsable, which means that anyone can see the contents of the directory. Browsable directories could allow an attacker to view “hidden” files in the webroot, including CGI scripts, data files, or backup pages.

Cross-Site Scripting

The next category in our OWASP Top 10 vulnerabilities list is XSS. This flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface websites, or redirect the user to malicious sites.

Potential Information Leakage

The application uses the ASP.NET 2.0 view state (__VIEWSTATE) feature without encryption to maintain the application state. Application designers have been known to put passwords and other sensitive data inside the view state. Therefore, it is a good idea to always use view state encryption in ASP.NET applications.

SQL Injection

Web applications that do not properly sanitize user input before passing it to a database system are vulnerable to SQL injection. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Debug feature enabled

The ASP.NET application is running in debug mode which allows a remote user to gather information about an application by using the DEBUG verb in an HTTP request. This can leak information including source code, hidden filenames, and detailed error messages.

Possible Sensitive Directories/Files Exposed

These directories/files are not directly linked to the website. This check looks for common sensitive resources like backup directories, database dumps, administration pages, temporary directories. Each one of these directories could help an attacker to learn more about his target.

Source Code Disclosure

Source code disclosure allows a malicious user to obtain the source code of a server-side application from a webpage. Disclosure of source code can be devastating for a web application.

OS Command Injection

A webform contains fields with data that is probably sensitive in nature. This form of data is submitted over an unencrypted connection, which could allow hackers to sniff the network and view the data in plaintext.

Possible Backup File(s)

Possible Backup files are usually created by developers to back up their work or by administrators when making backups of the webserver.

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn.

web application security banner

Venkatesh Sundar

Venky is an Application Security technologist who built the new age Web application Scanner and Cloud WAF - AppTrana at Indusface as a Founding CTO. Currently, he spends his time on driving Product Roadmap, Customer Success, Growth, and technology adoption for US businesses.

Share Article:

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

blocking bots
Blocking Bots: Why We Need Advanced WAF?

Learn why advanced WAF is crucial in blocking bots and protecting your website from malicious activities. Enhance your web security now.

Read More
owasp-mitigation-techniques
OWASP Mitigation Techniques

OWASP Top 10 seeks to create a more secure software development culture and improved web application security. It gives a good rundown of the critical web application security risks –.

Read More
How To Build A WAF At The Application Layer
How to Build A WAF At the Application Layer?

Building WAF in a modern IT environment with increasingly complex applications is tough process. Here is a guide to help you.

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% Customer Recommendation for 3 consecutive years.

A Customers’ Choice for 2022 and 2023 - Gartner® Peer Insights™

The reviews and ratings are in!