The OWASP Top 10: Your File Transfer’s Most Wanted List

September 04, 2025 MOVEit, Digital Experience, Security and Compliance

Beware the dangers of these 10 digital offenders of the Open Web Application Security Project. The MOVEit Cloud Web Application Firewall (WAF) functionality can help bring them to justice.

In the shadowy world of cybersecurity threats, certain criminals stand out for their persistence, ingenuity and the sheer damage they cause. The Open Web Application Security Project (OWASP) tracks the most notorious of these digital offenders, publishing their “Top 10 Most Wanted” list to warn organizations of the dangers lurking in the web application underworld.

For those responsible for secure file transfers, these cybercriminals pose an especially serious threat. Your file transfer systems are prime targets, handling sensitive data that’s valuable to these digital bandits. Today we’re going to profile each of these notorious characters and show you how the new MOVEit Cloud Web Application Firewall (WAF) functionality can help bring them to justice.

Let’s dive into the rogues’ gallery of web application security threats.

🚨 Criminal #1: Broken Access Control 🚨

ALIASES: Privilege Escalation, Unauthorized Access, Forced Browsing

RAP SHEET: Moved to the #1 most wanted position in 2021. OWASP tested 94% of applications for this vulnerability and found it in only 3.81% of them on average, but it had the most occurrences in the dataset, over 318k instances, making it responsible for billions in digital theft annually.

M.O.: Broken Access Control exploits weaknesses in how applications restrict what authorized users can do. It bypasses rules that should limit who can see, modify or delete data. This criminal ignores “RESTRICTED ACCESS” signs and wanders freely into areas containing sensitive information.

LAST SEEN: Sneaking past file transfer permissions to access files belonging to other users. Has been caught manipulating URL parameters to access secure documents without authentication.

THREAT TO FILE TRANSFERS: This criminal can bypass your file transfer security to view, download, modify or delete files belonging to others. It can manipulate authorization tokens to impersonate other users or access admin functions.

ARREST RECORD: MOVEit Cloud WAF functionality establishes rigorous checkpoints to capture this criminal in action. It enforces proper access controls by:

  • Filtering out suspicious URL manipulation attempts
  • Blocking attempts to bypass authentication
  • Preventing unauthorized API access attempts
  • Enforcing proper session management
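The URL-parameter manipulation described above is an insecure direct object reference. The following is an added example (not MOVEit code) contrasting a download handler that trusts the file ID from the request with one that authorizes per object from the session identity; the in-memory `FILES` store and user names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StoredFile:
    file_id: int
    owner: str
    name: str

# Constructed sample data standing in for the transfer system's store.
FILES = {
    101: StoredFile(101, "alice", "q3-payroll.xlsx"),
    102: StoredFile(102, "bob", "vendor-contract.pdf"),
}

class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""

def download_vulnerable(session_user: str, file_id: int) -> StoredFile:
    """'Before' form: trusts the file_id taken from the URL and never
    checks that the requesting user owns it (an insecure direct object
    reference, the URL-parameter manipulation the text describes)."""
    return FILES[file_id]

def download_hardened(session_user: str, file_id: int,
                      is_admin: bool = False) -> StoredFile:
    """Hardened form: the decision is made server-side, per object,
    from the identity in the authenticated session, before any data
    is returned."""
    record = FILES.get(file_id)
    # "Missing" and "not yours" produce the same error so that valid
    # IDs cannot be enumerated from the shape of the response.
    if record is None or (not is_admin and record.owner != session_user):
        raise Forbidden("file not available")
    return record

def can_read(session_user: str, file_id: int) -> bool:
    """Boolean wrapper around the hardened check."""
    try:
        download_hardened(session_user, file_id)
        return True
    except Forbidden:
        return False
```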

🚨 Criminal #2: Cryptographic Failures 🚨

ALIASES: Sensitive Data Exposure, Data Breach Enabler, Encryption Evader

RAP SHEET: Previously known as “Sensitive Data Exposure,” Cryptographic Failures exploits weak or missing encryption, ultimately exposing sensitive information.

M.O.: This sophisticated criminal targets applications that fail to properly encrypt sensitive data. It thrives when systems transmit clear-text data, use outdated encryption algorithms or improperly store encryption keys.

LAST SEEN: Intercepting unencrypted file transfers on public Wi-Fi networks. Frequently lurks in systems using outdated SSL/TLS protocols and harvests credentials transmitted in plain text.

THREAT TO FILE TRANSFERS: For file transfer systems, this criminal can expose file contents during transmission, compromise stored credentials and leak metadata about who’s sharing what with whom.

ARREST RECORD: MOVEit Cloud helps mitigate this threat through multiple lines of defense:

  • Encryption for files, both at rest and in transit
  • Support for TLS 1.3
  • Secure encryption key management practices
  • Auditor-certified PCI-DSS and HIPAA-compliant implementations
  • Regular security updates to address emerging cryptographic vulnerabilities

🚨 Criminal #3: Injection 🚨

ALIASES: SQL Injection, XSS (Cross-Site Scripting), Command Injection, CRLF Injection

RAP SHEET: A long-time offender, Injection has dropped from the #1 to #3 position but remains extremely dangerous. This criminal now encompasses various injection techniques, including the notorious Cross-Site Scripting (XSS).

M.O.: Injection smuggles malicious code into trusted channels. It tricks applications into executing unauthorized commands by disguising them as legitimate user input data, exploiting poor input validation.

LAST SEEN: Inserting malicious SQL into file metadata fields to extract user credentials. Injecting script tags into file name fields to execute unauthorized JavaScript when administrators view file listings.

THREAT TO FILE TRANSFERS: File transfer systems often handle metadata, file names, user data and configuration options—all prime targets for injection attacks. Successful attacks can manipulate data, steal credentials or even execute commands on the server.

ARREST RECORD: The MOVEit Cloud WAF is particularly effective against injection with:

  • Anomalous behavior detection using flexible and generic protections
  • ModSecurity rules, specifically designed to detect injection patterns
  • Real-time filtering of HTTPS traffic to block injection attempts before they reach the application
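The two file-transfer sinks named above, SQL built from metadata fields and file names rendered in an admin listing, are the subject of this added example (not MOVEit code): a concatenated query beside its parameterized form, and a listing renderer that escapes every untrusted field. The in-memory SQLite table and its rows are constructed for the example.

```python
import html
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table of uploaded files with a description field."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO files (name, description) VALUES (?, ?)",
        [
            ("report.pdf", "quarterly report"),
            ("<img src=x onerror=alert(1)>.txt", "name chosen to test escaping"),
        ],
    )
    return conn

def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """'Before' form: string-concatenated SQL. Quotes in the term become
    part of the statement, so a term like x' OR '1'='1 changes its logic."""
    return conn.execute(
        f"SELECT id, name FROM files WHERE description = '{term}'"
    ).fetchall()

def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened form: the same query with a bound parameter. The driver
    sends the term as a value, so it can never alter the statement."""
    return conn.execute(
        "SELECT id, name FROM files WHERE description = ?", (term,)
    ).fetchall()

def render_listing(conn: sqlite3.Connection) -> str:
    """Admin file listing with each untrusted field HTML-escaped, so a
    file name containing markup is displayed as text, not executed."""
    rows = conn.execute("SELECT id, name FROM files ORDER BY id").fetchall()
    items = "".join(
        f'<li data-id="{fid}">{html.escape(name, quote=True)}</li>' for fid, name in rows
    )
    return f"<ul>{items}</ul>"
```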

🚨 Criminal #4: Insecure Design 🚨

ALIASES: Architectural Flaws, Design Defects, Security Blind Spots

RAP SHEET: A newer addition to the Most Wanted list, this criminal focuses on fundamental design flaws rather than implementation bugs.

M.O.: Unlike other cybercriminals that exploit coding errors, Insecure Design targets flawed security architecture at the conceptual level. It looks for systems where security wasn’t built in from the beginning but rather added as an afterthought.

LAST SEEN: Exploiting file transfer systems where security controls were implemented inconsistently across features, leaving gaps in protection.

THREAT TO FILE TRANSFERS: File transfer systems with insecure design might allow users to bypass workflow approvals, lack proper segregation between tenants in multi-tenant environments or fail to implement a proper defense-in-depth strategy.

ARREST RECORD: MOVEit Cloud was built with security at its core:

  • Defense-in-depth architecture with multiple security layers
  • Third-party tested to identify potential design weaknesses
  • Compliance-ready configuration
  • WAF implemented as an integral part of the security architecture, not just a bolt-on solution

🚨 Criminal #5: Security Misconfiguration 🚨

ALIASES: Default Settings, Unnecessary Features, Improper Hardening

RAP SHEET: This prolific criminal moved up to position #5 in 2021. OWASP tested 90% of applications for this vulnerability and found it in 4.5% of them on average, with over 208k occurrences in their dataset.

M.O.: Security Misconfiguration thrives on human error and convenience. It targets default installations, unnecessary features left enabled, incomplete configurations and error messages that reveal too much information.

LAST SEEN: Exploiting file transfer servers with default admin credentials, outdated libraries and debug modes left enabled in production.

THREAT TO FILE TRANSFERS: File transfer systems with security misconfigurations may expose sensitive error details, use default credentials, have unnecessary features enabled that expand the attack surface or lack proper hardening.

ARREST RECORD: The MOVEit Cloud managed approach helps mitigate this threat through:

  • Expert configuration and hardening by Progress security professionals
  • Compliance-enabling default security settings
  • Regular configuration reviews and updates
  • WAF rules to detect and help block attempts to exploit common misconfigurations

🚨 Criminal #6: Vulnerable and Outdated Components 🚨

ALIASES: Dependency Exploitation, Legacy Liability, Patch Procrastination

RAP SHEET: This criminal moved up from the #9 to #6 position in 2021, exploiting organizations that fail to maintain their software dependencies.

M.O.: This patient criminal waits for vulnerabilities to be discovered in common libraries and components. Once vulnerabilities are public, it targets systems that haven’t been updated, exploiting known security flaws.

LAST SEEN: Exploiting outdated file transfer plugins, unpatched open-source libraries and abandoned dependencies with known security vulnerabilities.

THREAT TO FILE TRANSFERS: File transfer systems often rely on numerous components for encryption, compression, authentication and other functions. Each outdated component presents an opportunity for exploitation.

ARREST RECORD: MOVEit Cloud provides continuous support through:

  • Regularly updated components managed by Progress
  • Automated vulnerability scanning for all dependencies
  • Rapid patch deployment when vulnerabilities are discovered
  • Bug bounty program with 100+ high-reputation researchers
  • Flexible and generic WAF rules that can help mitigate certain component vulnerabilities even before patches are applied

🚨 Criminal #7: Identification and Authentication Failures 🚨

ALIASES: Broken Authentication, Credential Stuffing, Session Hijacking

RAP SHEET: Previously known as “Broken Authentication,” Identification and Authentication Failures slid down from position #2 but remain a serious threat.

M.O.: This identity thief exploits weak passwords, poorly implemented authentication systems and insecure session management. It uses stolen credentials to gain unauthorized access.

LAST SEEN: Performing credential stuffing attacks on file transfer login pages, stealing session tokens via cross-site scripting and exploiting “remember me” functionality.

THREAT TO FILE TRANSFERS: Authentication is the front door to your sensitive file transfers. When compromised, attackers can impersonate legitimate users, access sensitive files and potentially escalate to administrative privileges.

ARREST RECORD: MOVEit Cloud provides robust support via:

  • Multi-factor authentication options
  • Active Directory/LDAP integration
  • Single sign-on functionality
  • WAF monitoring for suspicious authentication patterns and blocking credential stuffing attacks

According to Progress, this helps organizations strengthen their security posture and address various compliance requirements.
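The "suspicious authentication patterns" a WAF or log monitor looks for are illustrated by this added example (not MOVEit's rules): a detector that flags a source address whose failed logins within one window span many distinct accounts, which is the signature of credential stuffing rather than one user mistyping a password. The log format and the sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one client cycling through many accounts, plus normal traffic.
SAMPLE_LOG = """\
2025-09-04T08:00:01Z 198.51.100.7 alice FAIL
2025-09-04T08:00:02Z 198.51.100.7 bob FAIL
2025-09-04T08:00:02Z 198.51.100.7 carol FAIL
2025-09-04T08:00:03Z 198.51.100.7 dave FAIL
2025-09-04T08:00:03Z 198.51.100.7 erin FAIL
2025-09-04T08:00:04Z 198.51.100.7 frank OK
2025-09-04T08:00:10Z 203.0.113.9 alice FAIL
2025-09-04T08:00:40Z 203.0.113.9 alice OK
2025-09-04T09:30:00Z 192.0.2.44 grace FAIL
"""

def parse(line: str) -> tuple:
    """Constructed format: '<timestamp> <client ip> <username> <OK|FAIL>'."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"

def detect_stuffing(log_text: str, window: timedelta = timedelta(minutes=5),
                    min_failures: int = 5, min_users: int = 4) -> dict:
    """Return {ip: usernames} for sources whose failures inside one window
    hit at least min_users distinct accounts. 203.0.113.9 above (one user,
    one retry) is not flagged; 198.51.100.7 is."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window so fails[start:end+1] spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if end - start + 1 >= min_failures and len(users) >= min_users:
                flagged[ip] = users
    return flagged
```

A successful login from a flagged address inside the same window (frank above) is the account to treat as compromised and reset first.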

🚨 Criminal #8: Software and Data Integrity Failures 🚨

ALIASES: Supply Chain Attacks, Unsigned Code, Insecure CI/CD

RAP SHEET: A newer entrant to the Most Wanted list, focusing on the integrity of code and data throughout their lifecycle.

M.O.: This saboteur targets the software supply chain, looking for opportunities to insert malicious code into trusted applications or updates. It thrives when organizations fail to verify the integrity of code and data.

LAST SEEN: Compromising update mechanisms to deliver malicious payloads, tampering with data in transit due to missing integrity checks and exploiting unsigned code.

THREAT TO FILE TRANSFERS: File transfer systems that don’t verify the integrity of transferred files or updates to the system itself are vulnerable to tampering that could lead to data theft or system compromise.

ARREST RECORD: MOVEit Cloud maintains strict integrity controls through:

  • File integrity checks
  • WAF monitoring for signs of tampering with system components
  • User account types and ad-hoc file sharing options to promote more secure collaboration
  • Cryptographic tamper-evident logging

🚨 Criminal #9: Security Logging and Monitoring Failures 🚨

ALIASES: Blind Spots, Audit Deficiency, Detection Delays

RAP SHEET: Previously known as “Insufficient Logging & Monitoring,” this criminal specializes in operating in the shadows, undetected.

M.O.: This elusive suspect thrives on invisibility. It targets systems with inadequate logging, monitoring and incident response capabilities, allowing other attacks to proceed undetected.

LAST SEEN: Disabling log systems during file exfiltration, performing attacks during monitoring gaps and exploiting systems that lack alerting for suspicious file access patterns.

THREAT TO FILE TRANSFERS: Without proper logging and monitoring, unauthorized access to file systems can go undetected for months. By the time a breach is discovered, sensitive data may already be long gone.

ARREST RECORD: MOVEit Cloud implements comprehensive surveillance, including:

  • Tamper-evident logging of all file activities
  • Retention of logs for compliance and forensic purposes
  • Customizable notifications for events such as a file being delivered or not delivered
  • Access control and user authentication
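The "cryptographic tamper-evident logging" listed under Criminal #8 and the tamper-evident file-activity log listed here rest on the same idea, shown in this added example (not MOVEit's logging implementation): each entry carries an HMAC over its content and the previous entry's tag, so editing, deleting or reordering any record breaks verification from that point on. The key, the event records and the helper names are constructed for the example; in practice the key belongs to the log server or verifier, not to application users.

```python
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64   # previous-tag value for the first entry

def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    # Canonical JSON so the same event always serialises identically.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()

def append(log: list, key: bytes, record: dict) -> list:
    """Add one event; its tag binds the record to everything before it."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"record": record, "prev": prev, "tag": _tag(key, prev, record)})
    return log

def verify(log: list, key: bytes, expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.

    A hash chain alone cannot detect removal of the newest entries, so the
    verifier should also compare the final tag with a head value recorded
    out of band (for example published or escrowed at regular intervals).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _tag(key, prev, entry["record"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
            return i
        prev = entry["tag"]
    if expected_head is not None and prev != expected_head:
        return len(log)           # tail was truncated
    return None

def build_sample_log(key: bytes) -> list:
    """Constructed file-activity events for the example."""
    log: list = []
    for rec in [
        {"ts": "2025-09-04T08:01:00Z", "user": "alice", "action": "upload", "file": "q3.xlsx"},
        {"ts": "2025-09-04T08:02:30Z", "user": "bob", "action": "download", "file": "q3.xlsx"},
        {"ts": "2025-09-04T08:03:10Z", "user": "bob", "action": "delete", "file": "q3.xlsx"},
    ]:
        append(log, key, rec)
    return log
```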

🚨 Criminal #10: Server-Side Request Forgery (SSRF) 🚨

ALIASES: Server Proxy, Internal Network Exposer, Cloud Metadata Abuser

RAP SHEET: The newest addition to the OWASP Top 10, SSRF has become increasingly dangerous in cloud environments.

M.O.: This trickster manipulates servers into making unexpected requests to internal resources that should be inaccessible from the outside. It abuses trusted server functionality to reach restricted systems.

LAST SEEN: Forcing file transfer servers to connect to internal network resources, accessing cloud provider metadata services to steal credentials and accessing admin interfaces not exposed to the internet.

THREAT TO FILE TRANSFERS: File transfer systems that fetch remote resources based on user input could be tricked into accessing internal systems or leaking sensitive data.

ARREST RECORD: The MOVEit Cloud WAF provides specialized protection with:

  • Detection of injected unknown, off-domain URLs
  • HTTP header filtering to prevent request header manipulation
  • Regular testing for SSRF vulnerabilities
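For a feature that fetches a remote resource named by user input, the control is to validate the destination before the server connects. This added example (not MOVEit code) rejects non-HTTP schemes, URLs carrying userinfo, the cloud metadata address the text mentions, and any host that resolves to a private, loopback or link-local address, treating a single bad answer as fatal so a rebinding name cannot slip through; the resolver is injected with a constructed lookup table so the check runs offline, and the host names and `1.2.3.4` are placeholders.

```python
import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Cloud instance-metadata endpoints are never legitimate fetch targets.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}

Resolver = Callable[[str], Iterable[str]]

def _constructed_resolver(host: str) -> list:
    """Stand-in DNS table; a real deployment would use socket.getaddrinfo."""
    table = {
        "files.partner.example": ["1.2.3.4"],               # constructed public address
        "internal.corp.example": ["10.0.0.5"],             # RFC 1918, must be refused
        "dns-rebind.example": ["1.2.3.4", "127.0.0.1"],    # mixed answers, refuse all
    }
    return table.get(host, [])

def is_safe_fetch_url(url: str, resolver: Resolver = _constructed_resolver) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                       # file://, gopher:// and friends are never fetched
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False                       # refuse userinfo tricks such as http://good@bad/
    if host.lower() in METADATA_HOSTS:
        return False
    try:
        addrs = [ipaddress.ip_address(host)]   # literal IPv4/IPv6 in the URL
    except ValueError:
        resolved = list(resolver(host))
        if not resolved:
            return False                   # unresolvable names are not fetched either
        addrs = [ipaddress.ip_address(a) for a in resolved]
    # Every address must be globally routable; one private/loopback/link-local
    # answer rejects the whole URL.
    return all(a.is_global for a in addrs)
```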

Citizen’s Guide to Security: Spotting and Reporting Suspicious Activity

While the MOVEit Cloud WAF works to apprehend these digital criminals, vigilant users form an important part of the security ecosystem. Here’s how you can help keep your file transfers secure:

  1. Watch for unusual file activity: Unexpected changes to file permissions, strange new files or files disappearing could indicate a security breach.
  2. Be suspicious of unusual login patterns: Login attempts at odd hours or from unexpected locations may signal compromised credentials.
  3. Report error messages: Detailed error messages that reveal system information should be reported to administrators.
  4. Keep an eye on performance: Sudden slowdowns or resource usage spikes might indicate an attack in progress.
  5. Verify email requests for sensitive files: Confirm unusual file requests through a separate channel before sending sensitive data.
  6. Monitor automation workflows: Unexpected changes to automated file transfer tasks could indicate compromise.
  7. Check file integrity: If a file seems corrupted or modified, report it immediately.
  8. Verify security certificates: Be wary of certificate warnings when accessing file transfer systems.

Partnering with the Experts: MOVEit Cloud WAF

With the recent addition of Web Application Firewall functionality, MOVEit Cloud now provides an even more robust defense against the OWASP Top 10 criminals. Built on the ModSecurity engine and open-source rule sets, the WAF is designed to block malicious web traffic before it infiltrates your systems.

This new layer of protection is fully managed by Progress experts, eliminating the burden of maintaining a separate WAF service while helping organizations address their security and compliance needs.

Combined with existing MOVEit Cloud security capabilities—including encryption, tamper-evident logging of file activities, access controls and integrity checking—the WAF functionality offers robust protection for your organization’s most sensitive file transfers.

MOVEit Transfer MFT server customers can also make use of this functionality with MOVEit WAF, launched July 2025. Be among the first to try the fully equipped WAF and load balancing solution built exclusively for MOVEit Transfer on-premises deployments.

Don’t let your file transfers become the victim of these cybersecurity criminals. With MOVEit Cloud, you’re partnering with the experts to keep the OWASP Top 10 Most Wanted where they belong—behind bars and away from your critical data.


Adam Bertram

Adam Bertram is a 25+ year IT veteran and an experienced online business professional. He’s a successful blogger, consultant, 6x Microsoft MVP, trainer, published author and freelance writer for dozens of publications. For how-to tech tutorials, catch up with Adam at adamtheautomator.com, connect on LinkedIn or follow him on X at @adbertram.