How the Latest OWASP Top 10 Maps to PCI 6.6

See details on how Cenzic has mapped its SmartAttacks to the latest OWASP Top 10 and PCI 6.6

Here are more details on the updates to the SmartAttack library made to cover the OWASP Top 10 2010 and to support PCI DSS Requirement 6.6. Requirement 6.6 calls for public-facing web applications to be either assessed with application vulnerability security assessment tools or methods (at least annually and after any change) or protected by a web application firewall; the vulnerability classes it is concerned with are the ones enumerated in Requirement 6.5, which is why each row below maps to a 6.5.x sub-requirement rather than to 6.6 itself. The table lists, for each OWASP 2010 category, the corresponding PCI sub-requirement and the SmartAttacks that now test for it. Running these SmartAttacks exercises the listed categories; it does not by itself constitute a complete 6.6 assessment, which still has to be scoped, scheduled and documented by the merchant.

OWASP Top 10 2010 | PCI DSS 6.5 sub-requirement | Cenzic SmartAttacks

1. A1 – Injection | PCI 6.5.1
  • Blind SQL Injection
  • SQL Disclosure
  • SQL Error Message
  • Unix Command Injection
  • Windows Command Injection
  • LDAP Exception
  • LDAP Injection

2. A2 – Cross-Site Scripting | PCI 6.5.2
  • Cross-Site Scripting

3. A3 – Broken Authentication & Session Management | PCI 6.5.3
  • Session ID Randomness
  • Login Redirect
  • Non-SSL Password
  • Password Auto-complete
  • Non-Masked Password
  • Cookie Vulnerabilities

4. A4 – Insecure Direct Object Reference | PCI 6.5.4
  • Frame Injection
  • Remote File Inclusion

5. A5 – Cross-Site Request Forgery | PCI 6.5.5
  • Cross-Site Request Forgery

6. A6 – Security Misconfiguration | PCI 6.5.6
  • Check HTTP Methods
  • Directory Browsing
  • Web Server Vulnerabilities
  • Application Exception
  • App Path Disclosure
  • Platform Path Disclosure

7. A7 – Insecure Cryptographic Storage | PCI 6.5.7
  N/A (no SmartAttack maps to this category: how data is encrypted and stored on the server side cannot be observed by black-box scanning of the running application, so this requirement has to be covered by code review or configuration review)

8. A8 – Failure to Restrict URL Access | PCI 6.5.8
  • File & Directory Discovery
  • Unix Relative Path
  • Windows Relative Path

9. A9 – Insufficient Transport Layer Protection | PCI 6.5.9
  • Browse HTTP from HTTPS List
  • Non-SSL Form
  • SSL Checks

10. A10 – Unvalidated Redirects & Forwards | PCI 6.5.10
  • Open Redirect
  • HTTP Response Splitting
  • Cross-Frame Scripting