New OWASP Top 10 Web Application List

The Open Web Application Security Project (OWASP) has updated their Top 10 security issues that plague (Internet) web applications. The original version came out in 2004 and through the hard efforts of many members and non members of the OWASP community, the list has been updated to be more consistent as well as more reflective of the current state of web application vulnerabilities.

Following are both the new and old lists.

New 2007 List
A1 – XSS
A2 – Injection Flaws
A3 – Malicious File Execution
(e.g., code that accepts file: PHP, XML, attach)
A4 – Insecure Direct Object References
(e.g., URL or parameter manipulation)
A5 – Cross Site Request Forgery
A6 – Information Leakage and Improper Error Handling
A7 – Broken Authentication and Session Management
A8 – Insecure Cryptographic Storage (e.g., poor cookie entropy)
A9 – Insecure Communication
A10 – Failure to Restrict URL Access

New 2007 List:

Old 2004 List
A1 – Unvalidated Input
A2 – Broken Access Control
A3 – Broken Authencation and Session Management
A4 – XSS
A5 – Buffer Overflows
A6 – Injection Flaws
A7 – Improper Error Handling
A8 – Insecure Storage
A9 – Denial of Service
A10 – Insecure Configuration Management

The new list is certainly better.

Personally, however, I think getting rid of both Unvalidated Input and Insecure Configuration Management is a mistake as I think they continue to be important web application issues as opposed to Cross Site Request Forgery and Insecure Cryptographic Storage. I think those issues are important, but not worthy of the Top 10.

In addition, I also think that Broken Access Control is far more prevalent and more important than Injection Flaws. I mostly believe that because most injection and XSS issues, as it turns out, can be to a large degree addressed with both input (data flowing from the client to the server) and output (data flowing from the server to the client) filtering.