INTERNAL-OWASP Top-10: How we do it

This is an INTERNAL article that explains how our dashboards and reports decide that a particular Synthetic Issue belongs to one of the OWASP Top-10 categories.

What is “OWASP Top-10”?

The OWASP project defines it as:

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

It is a list of 10 categories of vulnerabilities that OWASP considers both common and critical. The implied recommendation is that any vulnerability with the flavor of one of these ten categories should be treated as important. The full information is available at https://owasp.org/www-project-top-ten (OWASP Top Ten Web Application Security Risks).

What Are the Top-10 Categories?

The 2017 version, which is the one our mapping is based on, lists the following:

  • A1 - Injection
  • A2 - Broken Authentication
  • A3 - Sensitive Data Exposure
  • A4 - XML External Entities (XXE)
  • A5 - Broken Access Control
  • A6 - Security Misconfiguration
  • A7 - Cross-Site Scripting (XSS)
  • A8 - Insecure Deserialization
  • A9 - Using Components with Known Vulnerabilities
  • A10 - Insufficient Logging & Monitoring

These are rather broad labels. Refer to https://owasp.org/www-project-top-ten for the full definitions, including the CWEs that OWASP associates with each category.

How Does ZeroNorth Associate Synthetic Issues to OWASP Top-10?

This is done by mapping the CWEs associated with a Synthetic Issue to the CWE lists that the OWASP Top-10 (2017) document gives for each category. For example, A1:2017 (Injection) has the following CWEs associated with it:

  • CWE-77: Command Injection
  • CWE-89: SQL Injection
  • CWE-564: Hibernate Injection
  • CWE-917: Expression Language Injection

So, in ZeroNorth code, a Synthetic Issue that carries any one of the above CWEs is marked as belonging to the A1 category. A Synthetic Issue can carry several CWEs, so it can be marked as belonging to more than one category; an issue whose CWEs appear in none of the lists gets no OWASP category at all.
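The following is an added illustration of that lookup, written for this article; it is not the burlap module and should not be read as its API. Only the A1:2017 CWE list comes from this page. The A7:2017 entry (CWE-79) is taken from the OWASP 2017 document, and A9:2017 is left empty because the 2017 standard maps no CWEs to it. The remaining categories are omitted here and would be filled in from the standard. The sample issues, their ids and their CWEs are constructed for the example, and the `cwes` field on an issue is an assumed shape, not a GAUSS field name.

```javascript
// Added example of CWE -> OWASP Top-10 (2017) category lookup.
// Not ZeroNorth's burlap code. Only A1 is populated from this article;
// A7 (CWE-79) is from the OWASP 2017 document; A9 is empty on purpose
// because the 2017 standard lists no CWEs for it. Other categories omitted.
const OWASP_TOP_TEN_2017 = {
  'A1:2017': { name: 'Injection', cwes: [77, 89, 564, 917] },
  'A7:2017': { name: 'Cross-Site Scripting (XSS)', cwes: [79] },
  'A9:2017': { name: 'Using Components with Known Vulnerabilities', cwes: [] },
};

// Reverse index built once: CWE number -> array of category ids.
// A CWE that appears under several categories would yield several ids.
const CWE_TO_CATEGORY = new Map();
for (const [id, { cwes }] of Object.entries(OWASP_TOP_TEN_2017)) {
  for (const cwe of cwes) {
    if (!CWE_TO_CATEGORY.has(cwe)) CWE_TO_CATEGORY.set(cwe, []);
    CWE_TO_CATEGORY.get(cwe).push(id);
  }
}

// Scanner output spells CWEs inconsistently: 89, '89', 'CWE-89', 'cwe-089'.
// Normalize to a number; return null for anything that is not a CWE id so
// malformed data is skipped rather than silently mis-mapped.
function normalizeCwe(value) {
  const m = String(value).trim().match(/^(?:cwe-)?0*(\d+)$/i);
  return m ? Number(m[1]) : null;
}

// Map a Synthetic Issue (assumed shape: an object with a `cwes` array) to the
// sorted, de-duplicated list of Top-10 category ids it belongs to.
function owaspCategoriesFor(issue) {
  const hits = new Set();
  for (const raw of issue.cwes || []) {
    const cwe = normalizeCwe(raw);
    if (cwe === null) continue;
    for (const id of CWE_TO_CATEGORY.get(cwe) || []) hits.add(id);
  }
  return [...hits].sort();
}

// "Marked as belonging to" check used by a dashboard filter.
function isInCategory(issue, categoryId) {
  return owaspCategoriesFor(issue).includes(categoryId);
}

// Constructed sample issues (not real findings).
const SAMPLE_ISSUES = [
  { id: 'SI-1', cwes: ['CWE-89'] },            // SQL injection -> A1 only
  { id: 'SI-2', cwes: ['CWE-79', 'cwe-917'] }, // XSS + EL injection -> A1 and A7
  { id: 'SI-3', cwes: ['CWE-20'] },            // not in the 2017 mapping -> no category
  { id: 'SI-4', cwes: ['not-a-cwe', 564] },    // bad entry skipped; 564 -> A1
];

// Print the mapping for each sample when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const issue of SAMPLE_ISSUES) {
    console.log(issue.id, owaspCategoriesFor(issue));
  }
}

if (typeof module !== 'undefined') {
  module.exports = { OWASP_TOP_TEN_2017, normalizeCwe, owaspCategoriesFor, isInCategory, SAMPLE_ISSUES };
}
```

Note that because A9:2017 has an empty CWE list, `isInCategory(issue, 'A9:2017')` is false for every issue regardless of its CWEs; that is the same behaviour as the real mapping, not a defect of the example.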

ZeroNorth Mapping Logic

So, based on the 2017 standard, the CWE mappings for the Top-10 categories are as follows:

The above logic is found in our burlap code here:

https://gitlab.com/zeronorth/engineering/platform/burlap/-/blob/develop/public/models/owasp-top-ten.js

Some Things to Keep in Mind

  • ZeroNorth will never identify an A9 (Using Components with Known Vulnerabilities) category, because the 2017 standard associates no CWEs with A9, so no Synthetic Issue can match it.
  • The logic for associating a Synthetic Issue with an OWASP Top-10 category lives in the UI (burlap), not in GAUSS. This means that examining the full details of a Synthetic Issue, even via API calls, will not return its OWASP category; only the CWEs are available there.