Madrid, February 2, 2004 - eSecurityPlanet.com has published, at
http://www.esecurityplanet.com/trends/article.php/3305981, the list drawn up
by the Open Web Application Security Project (OWASP) of the ten most critical
web application vulnerabilities for 2004 (the OWASP Top Ten).
The ten flaws in the OWASP list are:
- Unvalidated input. Request data that is never validated before it is used
can be crafted by attackers to attack backend components through the web
application.
- Broken access control. Restrictions on what authenticated users are allowed
to do are not properly enforced, so attackers can reach other users' accounts,
view sensitive files or use unauthorized functions.
- Broken authentication and session management. Account credentials and
session tokens are not properly protected, allowing attackers to compromise
passwords, keys, session cookies or tokens, and assume the identities of
other users.
- Cross-site scripting (XSS). The web application is used as a vehicle to
deliver an attack to the end user's browser; a successful attack can disclose
the end user's session token or spoof content to fool the user.
- Buffer overflows. Web application components written in languages that do
not properly validate input can crash and, in some cases, be used to take
control of a process.
- Injection flaws. Web applications pass parameters when they access
external systems or the local OS. If malicious commands are embedded in the
parameters, the external system may execute those commands on behalf of the
web application.
- Improper error handling. Error conditions that are not handled properly
can leak detailed system information to attackers or be used to cause a
denial of service.
- Insecure storage. Web applications that use cryptographic functions to
protect information and credentials have proven difficult to code properly,
resulting in weak protection.
- Denial of service. Attackers consume web application resources to the
point where other legitimate users can no longer access or use the
application. Attackers can also lock out user accounts or cause application
failures.
- Insecure configuration management. Servers and frameworks ship with many
settings that affect security, and a strong, enforced configuration standard
is critical.
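The two categories that head the list, unvalidated input and injection flaws, are easiest to see in code. The following is an added example written for this summary, not code from the eSecurityPlanet article or from OWASP: it builds a constructed in-memory SQLite table, shows a lookup that embeds an unvalidated request parameter in the SQL text beside the parameterized form, and adds a simple allow-list validator as a second line of defence. The table contents, the payload string and the username format are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not real accounts).
SAMPLE_USERS = [("alice", "alice-secret"), ("bob", "bob-secret")]

# Assumed username policy for the allow-list check: lowercase letters,
# digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

# A classic tautology payload: closes the quoted literal and appends a
# condition that is always true.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory table populated with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Injection flaw: the request parameter becomes part of the SQL command.

    Whatever the attacker sends is spliced into the statement text, so the
    database executes it on behalf of the web application.
    """
    query = "SELECT name, secret FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Fixed version: the driver passes name as a bound value, never as SQL.

    The same payload is compared literally against the name column and
    matches nothing.
    """
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def is_valid_username(name):
    """Allow-list validation of the input before it reaches the backend."""
    return bool(USERNAME_RE.match(name))


def lookup_hardened(conn, name):
    """Validate first, then use the parameterized query (defence in depth)."""
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))
    print("parameterized:", lookup_parameterized(db, PAYLOAD))
    try:
        lookup_hardened(db, PAYLOAD)
    except ValueError as exc:
        print("hardened rejected input:", exc)
```

Running the block shows the vulnerable lookup returning every row for the payload while the parameterized lookup returns none; the allow-list check rejects the payload before any query is built. Parameterization is the fix for the injection flaw itself; input validation narrows the attack surface but is not a substitute for it.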
