Skip to main content

OWASP Privacy Risks

logo

Summary

The OWASP Privacy Risks Project provides a list for privacy risks in web applications and related countermeasures, furthermore, it covers technological and organizational aspects that focus on real-life risks. The project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The version used in this section is OWASP Top 10 Privacy Risks version 2.0, 2021.

Definitions

DefinitionRequirements
P1. Web application vulnerabilities155. Application free of malicious code
176. Restrict system objects
184. Obfuscate application data
261. Avoid exposing sensitive information
266. Disable insecure functionalities
P2. Operator-sided data leakage035. Manage privilege modifications
176. Restrict system objects
186. Use the principle of least privilege
224. Use secure cryptographic mechanisms
261. Avoid exposing sensitive information
300. Mask sensitive data
362. Assign MFA mechanisms to a single account
P3. Insufficient data breach response266. Disable insecure functionalities
313. Inform inability to identify users
P4. Consent on everything189. Specify the purpose of data collection
310. Request user consent
312. Allow user consent revocation
P5. Non-transparent policies, terms and conditions315. Provide processed data information
331. Guarantee legal compliance
P6. Insufficient deletion of personal data144. Remove inactive accounts periodically
315. Provide processed data information
317. Allow erasure requests
360. Remove unnecessary sensitive information
P7. Insufficient data quality173. Discard unsafe inputs
176. Restrict system objects
229. Request access credentials
318. Notify third parties of changes
P8. Missing or insufficient session expiration023. Terminate inactive user sessions
027. Allow session lockout
028. Allow users to log out
031. Discard user session data
114. Deny access with inactive credentials
335. Define out of band token lifespan
358. Notify upcoming expiration dates
369. Set a maximum lifetime in sessions
P9. Inability of users to access and modify data316. Allow rectification requests
317. Allow erasure requests
P10. Collection of data not required for the user-consented purpose189. Specify the purpose of data collection
310. Request user consent
315. Provide processed data information
P12. Sharing of data with third party262. Verify third-party components
314. Provide processing confirmation
315. Provide processed data information
P14. Insecure data transfer024. Transfer information using session objects
181. Transmit data using secure protocols
338. Implement perfect forward secrecy
P15. Transfer or processing through third party161. Define secure default options
262. Verify third-party components
314. Provide processing confirmation
315. Provide processed data information
338. Implement perfect forward secrecy
P16. Misleading content189. Specify the purpose of data collection
P17. Collection without consent029. Cookies with security attributes
030. Avoid object reutilization
310. Request user consent
315. Provide processed data information
P20. Form field design issues174. Transactions without a distinguishable pattern
177. Avoid caching and temporary files