OWASP Top 10 Privacy Risks

The OWASP Top 10 Privacy Risks Project provides a list for privacy risks in web applications and related countermeasures, furthermore, it covers technological and organizational aspects that focus on real-life risks. The project provides tips on how to implement privacy by design in web applications with the aim of helping developers and web application providers to better understand and improve privacy. The version used in this section is v2.0, 2021.

Control-Requirement Mapping

Definition	Requirements
P1. Web application vulnerabilities	155. Application free of malicious code 176. Restrict system objects 184. Obfuscate application data 261. Avoid exposing sensitive information 266. Disable insecure functionalities
P2. Operator-sided data leakage	176. Restrict system objects 186. Use the principle of least privilege 224. Use secure cryptographic mechanisms 261. Avoid exposing sensitive information 300. Mask sensitive data 362. Assign MFA mechanisms to a single account 035. Manage privilege modifications
P3. Insufficient data breach response	266. Disable insecure functionalities 313. Inform inability to identify users
P4. Consent on everything	189. Specify the purpose of data collection 310. Request user consent 312. Allow user consent revocation
P5. Non-transparent policies, terms and conditions	315. Provide processed data information 331. Guarantee legal compliance
P6. Insufficient deletion of personal data	144. Remove inactive accounts periodically 315. Provide processed data information 317. Allow erasure requests 360. Remove unnecessary sensitive information
P7. Insufficient data quality	173. Discard unsafe inputs 176. Restrict system objects 229. Request access credentials 318. Notify third parties of changes
P8. Missing or insufficient session expiration	114. Deny access with inactive credentials 335. Define out of band token lifespan 358. Notify upcoming expiration dates 369. Set a maximum lifetime in sessions 023. Terminate inactive user sessions 027. Allow session lockout 028. Allow users to log out 031. Discard user session data
P9. Inability of users to access and modify data	316. Allow rectification requests 317. Allow erasure requests
P10. Collection of data not required for the user-consented purpose	189. Specify the purpose of data collection 310. Request user consent 315. Provide processed data information

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.