Get a free application, infrastructure and malware scan report - Scan Your Website Now

Subscribe to our Newsletter
Try AppTrana WAAP (WAF)

OWASP Top 10 Web Application Security Risks and Vulnerabilities to Watch Out for in 2020

Posted DateOctober 5, 2020
Posted Time 4   min Read

The OWASP Top 10 Application Security Risks is a great starting point for organizations to stay on top of web application security in 2020. OWASP (Open Web Application Security Project) is an international non-profit foundation. OWASP web security projects play an active role in promoting robust software and application security. OWASP Top 10 Application Security Risks is one of its most well-known projects.
Let us now delve into these security risks.

What are OWASP Top 10 Application Security Risks?

What are OWASP Top 10 Application Security Risks

OWASP Top 10 Web App Vulnerabilities represents a broad consensus among security experts of the most common security risks facing organizations. The vision behind OWASP Top 10 Application Security Risks is to build a culture of secure web development and web application security through awareness creation.

OWASP Top 10 Web App Vulnerabilities and Security Risks to Watch Out for in 2020

Being known vulnerabilities, the OWASP Top 10 Risks are easily identified, analyzed, automatically patched, and mitigated by Managed, Intelligent, and Holistic Security Solutions like AppTrana.

1. Injection

Injection flaws occur when untrusted/ invalid data is sent to a code interpreter by the attackers. Relayed to the web application through user data submission fields (such as forms, comment sections, etc.), the invalid data tricks the interpreter into executing actions that it is not programmed to do so.

Examples: SQL Injections, CRLF Injections, LDAP Injections, etc

• Unvalidated and un-sanitized user inputs allowed.
• Non-parameterized queries used
• Insecure frameworks used.
• Improper permissions and privileges.

2. Broken Authentication

Incorrectly configured authentication and session management provide open entryways for attackers to compromise passwords and keys, engage in identity thefts, hijack sessions, or even gain control over the entire application.

• Weak password policies
• Poor session management policies and practices
• Logical issues in authentication mechanisms

3. Sensitive Data Exposure

Sensitive data exposure is one of the most prevalent of the OWASP Top 10 Web App Vulnerabilities. Improper and insufficient security policies, processes, and practices by applications/ APIs enable attackers to gain access to and utilize sensitive data (PII, financial data, etc.). Stolen data can be used for credit card frauds, identity thefts, and so on.

• Unencrypted databases/ data at rest and transit.
• Lack of well-defined data security policies and procedures.
• Caching of sensitive data
• Collection and storage of unnecessary sensitive data.

4. XML External Entities (XXE)

When XML External Entities are parsed by poorly configured/ legacy XML parsers/ processors, the XXE vulnerability arises. Using XXE vulnerabilities, attackers can gain access to confidential information, any backend/ external systems, and server filesystems. They can also engage in data corruption, remote code execution, CSRF, and DoS attacks.

• DTD and External Entities are not disabled.
• Outdated and poorly configured XML processors and libraries
• Unvalidated and un-sanitized user inputs, file uploads, and URLs.
• Unchecked dependencies and configurations.

5. Broken Access Control

When access controls are broken/ misconfigured, attackers can simply bypass authorization and perform actions they should be permitted to do. For instance, modify/ delete data, meddle with access rights, etc.

• Missing/ non-functional restrictions and controls
• Misconfigured policies
• Least privilege principles are not applied.
• Unnecessary services, open ports, legacy functionalities, no-longer-in-use accounts, etc.

6. Security Misconfiguration

Security misconfigurations are the most common of the Top 10 web application vulnerabilities. Improper implementation/ implementation of security controls (intended to keep the app secure) with dangerous errors/gaps create security misconfigurations.
Examples: Legacy software, verbose error messages, using debug mode during development, unused pages, etc.

• Human Error
• Easily exploitable gateways exist in the application
• Incomplete and/or unchanged temporary configurations
• Use of default settings and configurations.

7. Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS)

XSS vulnerabilities enable attackers to inject malicious client-side scripts into the application. Once the code is injected, the application is used to propagate the payload on the unsuspecting users. Using XSS, session hijacking, redirection to other websites and even website defacements are possible.

• Insecure coding practices
• Unvalidated and un-sanitized user inputs/ user-generated content.
• Permission to add custom code in the URL path or onto the website.

8. Insecure Deserialization

Mostly targeted against applications that constantly serialize and deserialize data, insecure deserialization leads to remote code execution, privilege escalation attacks, DDoS attacks, injection attacks, and so on,

Cause: Deserialization of data from untrusted sources

9. Using Components with Known Vulnerabilities

Today, web applications, whether simple, elaborate, or complex, have several dependencies/ components (frameworks, libraries, third-party components, open-source code, etc.). Some of these components have known vulnerabilities and erode web application security immensely, apart from predisposing the application to data breaches.

10. Insufficient Logging & Monitoring

Efficient and regular logging and monitoring processes are essential for more agile and effective application security. Inefficient and insufficient processes coupled with ineffective/missing incident response significantly raises security risks. They provide attackers leeway to orchestrate further attacks, pivot to other systems, tamper with data, and so on.


The vulnerabilities listed in OWASP Top 10 Application Security Risks are so common and severe that web applications/ software with these gaps must not be delivered to customers/ users. Use this list as an effective first step in securing vulnerabilities and minimizing your security risks.

You can start with the AppTrana Free Forever Website Security Scan to find out how it works.

web application security banner

Spread the love

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

API Security
OWASP Top 10 Vulnerabilities in 2021: How to Mitigate Them?

Read on to find out the OWASP Top 10 vulnerabilities 2021 explained in detail, along with ways to mitigate each.

Spread the love

Read More
Serialization Attacks and How to Prevent Them
What are Serialization Attacks and How to Prevent Them?

Serialization and deserialization are powerful tools but need to be securely executed to ensure they aren’t counterproductive. Explore here.

Spread the love

Read More
10 Tips to Protect Against OWASP Top 10
Top 10 Tips to Protect Against OWASP Top 10 Vulnerabilities

Foster a culture of secure development and usage of web applications by protecting your business against OWASP Top 10 vulnerabilities.

Spread the love

Read More


Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Know More Take Free Trial


Indusface is the only cloud WAAP (WAF) vendor with 100% Customer Recommendation for 3 consecutive years.

A Customers’ Choice for 2022 and 2023 - Gartner® Peer Insights™

The reviews and ratings are in!