OWASP Top 10: which are the main threats?


The Open Web Application Security Project, or OWASP, as we said in a previous article, is a not-for-profit organisation that aims to provide ‘best-in-class’ application security solutions. Its advice and tools are free, vendor-neutral, unbiased and practical. The organisation also publishes the OWASP Top 10 web application security risks to help developers and system owners put protective measures in place. The current OWASP Top 10 list was updated in 2017.

Even though these vulnerabilities can be plugged with proper measures, only 30% of applications passed an OWASP scan in 2017. Less than 40% of internally developed software passed the OWASP Top 10 policy scan. For third-party developed applications, the figure is lower than 25%.


OWASP TOP 10: the list

  • Injection flaws such as SQL injection, LDAP injection and CRLF injection top the OWASP Top 10 list of web security vulnerabilities. They occur when an attacker sends hostile or untrusted data to an interpreter and the interpreter executes it without proper authorisation. Almost any source of data can be an injection vector, including parameters, environment variables, internal/external web services and users.
  • Broken authentication and session management come next and allow attackers to compromise passwords, user details, session tokens or keys and take control of the system.
  • Sensitive data exposure enables attackers to obtain such information; these events are most commonly associated with financial or identity-theft fraud.
  • XML External Entity (XXE) is a web application security vulnerability that allows attackers to disclose protected files from a server or a connected network.
  • Broken Access Control lets attackers reach unauthorized functionality or data and then use, delete or modify it to compromise the security of the system.
  • Security Misconfiguration exposes the system to vulnerabilities that attackers can exploit.
  • Cross-Site Scripting (XSS) flaws let attackers introduce client-side scripts into an application to take control over the system.
  • Insecure deserialization lets the attacker remotely execute code in the application and delete or tamper with serialized objects.
  • Use of Components with Known Vulnerabilities allows attackers to exploit them and take control over the server.
  • Insufficient Logging and Monitoring leads to persistent security threats when a breach is not detected immediately.
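
The injection item in the list above, shown as an added example that is not part of the original article: a lookup that concatenates untrusted input into SQL next to the parameterised version, plus an allow-list for a column name, which cannot be bound as a parameter. The table, function names and input string are constructed for illustration.

```python
import sqlite3

# Constructed hostile input: closes the string literal and adds an always-true clause.
HOSTILE = "nobody' OR '1'='1"

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT, note TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "user", "alice-note"), ("bob", "admin", "bob-note")])
    return db

def lookup_vulnerable(db, name):
    # Vulnerable: untrusted data becomes part of the query text, so the
    # SQL interpreter parses it as code.
    query = "SELECT name, note FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def lookup_safe(db, name):
    # Hardened: the value is bound as a parameter and is only ever data.
    return db.execute("SELECT name, note FROM users WHERE name = ?", (name,)).fetchall()

SORTABLE = {"name", "role"}  # allow-list of column names

def list_users(db, sort_by):
    # Identifiers cannot be bound as parameters, so validate them against
    # an allow-list before they reach the query text.
    if sort_by not in SORTABLE:
        raise ValueError("unsupported sort column")
    return db.execute(f"SELECT name, role FROM users ORDER BY {sort_by}").fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, HOSTILE))  # every row comes back
    print("safe:      ", lookup_safe(db, HOSTILE))        # no row matches the literal string
```

The same rule applies to any interpreter the application feeds (LDAP filters, shell commands, HTTP headers): keep untrusted data out of the command text, and where binding is not possible, accept only values from a fixed list.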

OWASP Top 10: how can I protect myself?

Protecting your business is easy with Swascan Vulnerability Assessment. The scanner crawls the entire website to check for vulnerabilities and prepares a detailed report that suggests how to fix them. One advantage of such a scanner is that it can also check the website for SQL injection, cross-site scripting, path traversal, etc.

In order to ensure absolute protection, Swascan developed a unique Vulnerability Assessment tool.

It spots all the vulnerabilities of a website or web application and allows you to fix them. A free trial of the solution is available.



To give your business the best tool available, Swascan developed a special (Premio Cisco-Marzotto winner) cybersecurity platform. It is entirely cloud-based, pay-per-use and SaaS. You can see for yourself in our brochure, Cybersecurity platform, and take an in-depth look at our services. Our four services cover all governance needs in terms of risk management and periodic assessment. If you need to understand where your efforts must focus, Vulnerability Assessment, Network Scan, Code Review and GDPR Self-Assessment are the right tools for you. Last but not least, don’t forget GDPR: our platform is 100% GDPR compliant (GDPR infographic).
