Review

OWASP Top 10 Review of Vulnerability Studies in Web Application Security
(Turkish title: Web Uygulamaları Güvenliği Alanında Güvenlik Açığı Çalışmalarından OWASP Top 10 İncelemesi)

Year 2025, Volume: 12 Issue: 2, 847 - 861, 21.10.2025
https://doi.org/10.17336/igusbd.1321489

Abstract

To ensure information security, the vulnerabilities and risks present in the resources that make up an information system must be found. Most of these vulnerabilities are found in web applications, which are used for effective communication and information exchange and are present in almost all systems. OWASP (Open Web Application Security Project) identifies the current and important concepts that constitute critical vulnerabilities and risks for web applications, and for this purpose publishes a list of 10 items. In this study, the vulnerabilities and recommendations published by OWASP are discussed with the aim of contributing to the provision of information security in web applications. Each item was investigated and analyzed separately. In the literature review, the aims of the studies encountered and the methods they used were emphasized. The fourth category, insecure design, the eighth category, software and data integrity failures, and the tenth category, server-side request failures, have been newly added to the current list. It was observed that studies on these 3 categories are insufficient. As a result, with the newly added items, a contribution has been made to fill the gaps in the literature.

References

  • ALAHMAD, M., ALKANDARI, A., & ALAWADHI, N. (2022). “Survey of Broken Authentication and Session Management of Web Application Vulnerability Attack.”, Journal of Engineering Science and Technology, 17(2), 0874-0882.
  • ALENEZI, M., NADEEM, M., & ASIF, R. (2021). “SQL injection attacks countermeasures assessments.”, Indonesian Journal of Electrical Engineering and Computer Science, 21(2), 1121-1131. doi: 10.11591/ijeecs.v21.i2.pp1121-1131
  • ALJABRI, M., ALDOSSARY, M., AL-HOMEED, N., ALHETELAH, B., ALTHUBIANY, M., ALOTAIBI, O., & ALSAQER, S. (2022, December). “Testing and Exploiting Tools to Improve OWASP Top Ten Security Vulnerabilities Detection.”, In 2022 14th International Conference on Computational Intelligence and Communication Networks (CICN) (pp. 797-803). IEEE. doi: 10.1109/CICN56167.2022.10008360
  • AL-TALAK, K., & ABBASS, O. (2021). “Detecting Server-Side Request Forgery (SSRF) Attack by using Deep Learning Techniques.”, International Journal of Advanced Computer Science and Applications, 12(12). 1-7. doi: 10.14569/IJACSA.2021.0121230.
  • AYDIN, H., BARIŞKAN, M. A. & ÇETİNAYA, A. (2021). “Siber Güvenlik Kapsamında Enerji Sistemleri Güvenliğinin Değerlendirilmesi.”, Güvenlik Bilimleri Dergisi, 10 (1), 151-174. doi: 10.28956/gbd.941801
  • AYDOĞDU, D. & GÜNDÜZ, M. S. (2016). “Web uygulama güvenliği açıklıkları ve güvenlik çözümleri üzerine bir araştırma.”, Uluslararasi Bilgi Güvenliği Mühendisliği Dergisi, 1–7. doi: https://doi.org/10.18640/ubgmd.56836.
  • BACH-NUTMAN, M. (2020). “Understanding the top 10 owasp vulnerabilities.”, arXiv preprint arXiv:2012.09960, 1-4, doi: https://doi.org/10.48550/arXiv.2012.09960
  • BARLETT, J. (2016). “Dark Net: İnternetin Yer Altı Dünyası.”, Konyalı, Y. (trans.). İstanbul: Timaş Yayınları.
  • DJEKI, E., DEGILA, J., BONDIOMBOUY, C., & ALHASSAN, M. H. (2022, April). “Preventive Measures for Digital Learning Spaces’ Security Issues.”, In 2022 IEEE Technology and Engineering Management Conference (TEMSCON EUROPE) (pp. 48-55). IEEE. doi: 10.1109/TEMSCONEUROPE54743.2022.9801945
  • ERÇİN, M. S., & YOLAÇAN, E. (2022). “SQLi ve XSS Saldırı Tespitinde Kullanılan Yeni Bir Özellik Çıkarma Yöntemi.”, Uluslararası Bilgi Güvenliği Mühendisliği Dergisi, 8(1), 1-11.
  • ESPINOZA, A. M., WOOD, R., FORREST, S., & TIWARI, M. (2022). “Back to the future: N-Versioning of Microservices.”, In 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 415-427. IEEE. doi: 10.1109/DSN53405.2022.00049.
  • FANG, Y., LI, Y., LIU, L. & HUANG C. (2018). “DeepXSS: Cross Site Scripting Detection Based on Deep Learning.”, In Proceedings of the 2018 International Conference on Computing and Artificial Intelligence, 47–51. doi: https://doi.org/10.1145/3194452.3194469.
  • FEBRIANA, R. (2022). “Blackbox Testing Sistem Informasi Absensi Pegawai Karawang Dengan Metode Top 10 Owasp Attack.”, Jurnal Ilmiah Wahana Pendidikan, 8(12), 327-334. doi: https://doi.org/10.5281/zenodo.6945632
  • GALVAO, P. L. (2022). “Analysis and Aggregation of Vulnerability Databases with Code-Level Data. (master thesis)”, Faculdade De Engenharia Da Universidade Do Porto, Portugal
  • GARTNER, (2020). “Küresel Bilgi Güvenliği ve Risk Yönetimi Pazarı 2018-2024 Yılları Öngörü Raporu.”, Accessed 27 January 2023, https://tubitak.gov.tr/sites/default/files/18842/btypk_siberguv_rapor_20211027.pdf
  • GRAMMATIKIS, P. R., SARIGIANNIDIS, P., DALAMAGKAS, C., SPYRIDIS, Y., LAGKAS, T., EFSTATHOPOULOS, G., & ARCE, A. (2021). “Sdn-based resilient smart grid: The sdn-microsense architecture.”, Digital, 1(4), 173-187. doi: https://doi.org/10.3390/digital1040013.
  • GUPTA, C., SINGH, R. K., & MOHAPATRA, A. K. (2022). “An Approach for Verification of Secure Access Control Using Security Pattern.”, Wireless Communications and Mobile Computing, 2022, 1-2, doi: https://doi.org/10.1155/2022/1657627
  • HAREFA, J., PRAJENA, G., ALEXANDER, A. M., DEWA, E. V. S., & YULIANDRY, S. (2021). “Sea waf: The prevention of sql injection attacks on web applications.”, Advances in Science. Technology and Engineering Systems, 6, 405-411. doi: 10.25046/aj060247
  • HASSAN, M. M., NIPA, S. S., AKTER, M., HAQUE, R., DEEPA, F. N., RAHMAN, M., & SHARIF, M. H. (2018). “Broken authentication and session management vulnerability: a case study of web application.”, Int. J. Simul. Syst. Sci. Technol, 19(2), pp. 1-11.
  • HIDAYAT, M. F., QUTHNI, A. D., DEFRIN, J. T., GAPILI, G., MONIAGA, J. V., & JABAR, B. A. (2022, November). “Infrastructure and Security for Supporting Smart City: A Systematic Literature Review.”, In 2022 2nd International Conference on Electronic and Electrical Engineering and Intelligent System (ICE3IS) (pp. 242-245). IEEE. doi: 10.1109/ICE3IS56585.2022.10009974
  • HUANG, Y., LI, Y. J., & CAI, Z. (2023). “Security and Privacy in Metaverse: A Comprehensive Survey.”, Big Data Mining and Analytics, 6(2), 234-247. doi: 10.26599/BDMA.2022.9020047.
  • JABIYEV, B., MIRZAEI, O., KHARRAZ, A., & KIRDA, E. (2021). “Preventing server-side request forgery attacks.”, In Proceedings of the 36th Annual ACM Symposium on Applied Computing, pp. 1626-1635. doi: 10.1145/3412841.3442036
  • JEMAL, I., CHEIKHROUHOU, O., HAMAM, H., & MAHFOUDHI, A. (2020). “Sql injection attack detection and prevention techniques using machine learning.”, International Journal of Applied Engineering Research, 15(6), 569-580.
  • KARA, İ. (2020). “Web Hackleme (Hacking) Saldirilari.”, Ejovoc (Electronic Journal of Vocational Colleges), 10, 1-6.
  • KARACAN, H. & SEVRİ, M. (2021). “A Novel Data Augmentation Technique and Deep Learning Model for Web Application Security.”, IEEE Access, 9, pp. 150781-150797.
  • KARAKAYA, M. (2022). “Kurumsal güvenlik için siber tehditlerin incelenmesi ve saldırı senaryoları”, pp. 15-21.
  • KOVALENKINAITE, G. K. (2023). “Vulnerability testing and analysis of educational institution websites within lithuania (Doctoral dissertation, Vilniaus Universitetas).”, pp. 1-10.
  • KUMI, S., LIM, C., LEE, S. G., OKTIAN, Y. O., & WITANTO, E. N. (2021). “Automatic Detection of Security Misconfigurations in Web Applications.”, In Proceedings of International Conference on Smart Computing and Cyber Security: Strategic Foresight, Security Challenges and Innovation (SMARTCYBER 2020) (pp. 91-99). Springer Singapore.
  • LAKH, Y., NYEMKOVA, E., PISKOZUB, A., & YANISHEVSKYI, V. (2021). “Investigation of the Broken Authentication Vulnerability in Web Applications.”, In 2021 11th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), Vol. 2, pp. 928-931. IEEE. doi: 10.1109/IDAACS53288.2021.9660889.
  • LATCHOUMI, T. P., REDDY, M. S., & BALAMURUGAN, K. (2020). “Applied machine learning predictive analytics to SQL injection attack detection and prevention.”, European Journal of Molecular & Clinical Medicine, 7(02), 1-11.
  • LATHIFAH, A., AMRI, F. B., & ROSIDAH, A. (2022, September). “Security Vulnerability Analysis of the Sharia Crowdfunding Website Using OWASP-ZAP.”, In 2022 10th International Conference on Cyber and IT Service Management (CITSM) (pp. 1-5). IEEE. doi: 10.1109/CITSM56380.2022.9935837
  • LIANG, J., ZHAO, W. & YE, W. (2017). “Anomaly-based Web Attack Detection: A Deep Learning Approach”, In Proceedings of the 2017 VI International Conference on Network, Communication and Computing, pp. 80-85.
  • LOUREIRO, S. (2021). “Security misconfigurations and how to prevent them. Network Security”, 2021(5), 13-16. doi: 10.1016/S1353-4858(21)00053-2
  • MANIKANTA, Y. V. N., & SARDANA, A. (2012, August). “Protecting web applications from SQL injection attacks by using framework and database firewall.”, In Proceedings of the International Conference on Advances in Computing, Communications and Informatics, pp. 609-613.
  • MARTINEZ, S., COSENTINO, V., & CABOT, J. (2017). “Model-based analysis of Java EE web security misconfigurations.”, Computer Languages, Systems & Structures, 49, 36-61.
  • MONGA, M., PALEARI, R., & PASSERINI, E. (2009, May). “A hybrid analysis framework for detecting web application vulnerabilities.”, In 2009 ICSE Workshop on Software Engineering for Secure Systems, pp. 25-32. IEEE.
  • NADAR, V. M., CHATTERJEE, M., & JACOB, L. (2018). “A defensive approach for CSRF and broken authentication and session management attack.”, In Ambient Communications and Computer Systems, 577-588. Springer, Singapore. doi: https://doi.org/10.1007/978-981-10-7386-1_49.
  • PRIYAWATI, D., ROKHMAH, S., & UTOMA, I. C. (2022). “Website Vulnerability Testing and Analysis of Website Application Using OWASP.”, International Journal of Computer and Information System (IJCIS), 3(3), 142-147. doi: https://doi.org/10.29040/ijcis.v3i3.90
  • PRIAMBODO, D. F., RIFANSYAH, A. D., & HASBI, M. (2023). “Penetration Testing Web XYZ Berdasarkan OWASP Risk Rating.”, Teknika, 12(1), 33-46. doi: https://doi.org/10.34148/teknika.v12i1.571.
  • RAHMAN, A., SHAMIM, S. I., BOSE, D. B., & PANDITA, R. (2023). “Security Misconfigurations in Open Source Kubernetes Manifests: An Empirical Study.”, ACM Transactions on Software Engineering and Methodology. doi: https://doi.org/10.1145/3579639
  • SAVUNMA SANAYİİ BAŞKANLIĞI, (2020). Opinion letter, requested by BTYPK in an official letter dated 08.06.2020, on the projects granted support between 2009 and the end of April 2020 (the listed projects were supported under the R&D Project, Technology Acquisition Obligation Project, Industrial Participation/Offset (SK/O) CATEGORY-C and Service Project schemes).
  • SCHOLTE, T., BALZAROTTI, D., & KIRDA, E. (2012). “Have things changed now? An empirical study on input validation vulnerabilities in web applications.”, Computers & Security, 31(3), pp. 344-356.
  • SMITH, K. J. (2022). “Exploring Information Technology Professional’s Perspectives on Controlling Security Misconfigurations in the United States: A Generic Qualitative Inquiry (Doctoral dissertation)”, Capella University, United States of America. pp. 15-22.
  • SHAHID, J., HAMEED, M. K., JAVED, I. T., QURESHI, K. N., ALI, M., & CRESPI, N. (2022). “A Comparative Study of Web Application Security Parameters: Current Trends and Future Directions.”, Applied Sciences, 12(8), 4077. doi: https://doi.org/10.3390/app12084077
  • SONG, L., & GARCIA-VALLS, M. (2022). “Improving Security of Web Servers in Critical IoT Systems through Self-Monitoring of Vulnerabilities.”, Sensors, 22(13), 5004. doi: https://doi.org/10.3390/s22239501.
  • OWASP. (2023). Accessed 15 January 2023, https://owasp.org/www-project-top-ten/
  • TEKEREK, A. (2021). “A Novel Architecture for Web-Based Attack Detection Using Convolutional Neural Network.”, Computers & Security, 100, 102096.
  • OWASP Top 10:2021. (2021). Accessed 22 February 2023, https://owasp.org/Top10/
  • TÜBİSAD-DELOITTE, (2021). Bilgi ve İletişim Teknolojileri Sektörü 2020 Pazar Verileri. Accessed September 2021, https://www.tubisad.org.tr/tr/images/pdf/tubisad_bit_2020_raporu_tr.pdf
  • TORRANO-GIMENEZ, C., NGUYEN, H. T., ALVAREZ, G., PETROVIC, S. & FRANKE, K. (2011). “Applying Feature Selection to Payload-Based Web Application Firewall.”, In 2011 Third International Workshop on Security and Communication Networks (IWSCN), pp. 75-81.
  • VAN DER POEL, L. (2022). “Towards automated discovery of access control vulnerabilities (master thesis)”, Delft University of Technology, Sweden, pp. 19-36.
  • VARTOUNI, A. M., TESHNEHLAB, M. & KASHI, S. S. (2019). “Leveraging Deep Neural Networks for Anomaly‐Based Web Application Firewall.”, IET Information Security, 13(4), pp. 352-361.
  • WICHERS, D. OWASP Top 10 2013. OWASP Foundation. Accessed January 2023, https://owasp.org/www-project-top-ten

There are 53 references in total.

Details

Primary Language: Turkish
Subjects: Information Security Management
Section: Articles
Authors

Çisem Yaşar 0000-0002-0765-861X

Tuğba Saray Çetinkaya 0000-0003-1639-553X

Ediz Ertim 0000-0001-9949-1302

Early View Date: 15 October 2025
Publication Date: 21 October 2025
Acceptance Date: 29 July 2025
Published Issue: Year 2025 Volume: 12 Issue: 2

Cite

APA Yaşar, Ç., Saray Çetinkaya, T., & Ertim, E. (2025). Web Uygulamaları Güvenliği Alanında Güvenlik Açığı Çalışmalarından OWASP Top 10 İncelemesi. İstanbul Gelişim Üniversitesi Sosyal Bilimler Dergisi, 12(2), 847-861. https://doi.org/10.17336/igusbd.1321489

Creative Commons License
İstanbul Gelişim Üniversitesi Sosyal Bilimler Dergisi is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.