OWASP Top 10 Privacy Risks

Summary

The OWASP Top 10 Privacy Risks Project provides a list of privacy risks in web applications together with related countermeasures. It covers both technological and organizational aspects, focusing on real-life risks, and offers tips on how to implement privacy by design in web applications, with the aim of helping developers and web application providers better understand and improve privacy. The version used in this section is v2.0, 2021.

Definitions

Definition / Requirements

P1. Web application vulnerabilities
    155. Application free of malicious code
    176. Restrict system objects
    184. Obfuscate application data
    261. Avoid exposing sensitive information
    266. Disable insecure functionalities

P2. Operator-sided data leakage
    035. Manage privilege modifications
    176. Restrict system objects
    186. Use the principle of least privilege
    224. Use secure cryptographic mechanisms
    261. Avoid exposing sensitive information
    300. Mask sensitive data
    362. Assign MFA mechanisms to a single account

P3. Insufficient data breach response
    266. Disable insecure functionalities
    313. Inform inability to identify users

P4. Consent on everything
    189. Specify the purpose of data collection
    310. Request user consent
    312. Allow user consent revocation

P5. Non-transparent policies, terms and conditions
    315. Provide processed data information
    331. Guarantee legal compliance

P6. Insufficient deletion of personal data
    144. Remove inactive accounts periodically
    315. Provide processed data information
    317. Allow erasure requests
    360. Remove unnecessary sensitive information

P7. Insufficient data quality
    173. Discard unsafe inputs
    176. Restrict system objects
    229. Request access credentials
    318. Notify third parties of changes

P8. Missing or insufficient session expiration
    023. Terminate inactive user sessions
    027. Allow session lockout
    028. Allow users to log out
    031. Discard user session data
    114. Deny access with inactive credentials
    335. Define out of band token lifespan
    358. Notify upcoming expiration dates
    369. Set a maximum lifetime in sessions

P9. Inability of users to access and modify data
    316. Allow rectification requests
    317. Allow erasure requests

P10. Collection of data not required for the user-consented purpose
    189. Specify the purpose of data collection
    310. Request user consent
    315. Provide processed data information