OWASP Top 10 Vulnerabilities


Ways to Prevent Security Misconfigurations

A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment. Automate this process in order to minimize the effort required to set up a new secure environment.

Known Vulnerabilities

Attackers look for vulnerabilities in components, the pieces of third-party software that help developers avoid redundant work and provide needed functionality.

Ways to Prevent XSS

Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The OWASP Cheat Sheet 'XSS Prevention' has details on the required data escaping techniques.

Ways to Prevent Broken Authentication

Implement multi-factor authentication (MFA), check for weak passwords, limit failed login attempts, and ensure that registration, credential recovery, and API pathways are hardened against account enumeration attacks by returning the same messages for all outcomes.

Sensitive Data Exposure

It consists of compromising data that should have been protected such as passwords, credentials, and other personal information.

DOM XSS

JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data in a page are vulnerable to DOM XSS. Ideally, the application would not pass attacker-controllable data to unsafe JavaScript APIs. DOM XSS includes attacks against the user's browser such as malicious software downloads, keylogging, and other client-side attacks.

Ways to Prevent Using Components with Known Vulnerabilities

Monitor sources like Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD) for vulnerabilities in the components. Obtain components only from official sources. Use virtual patch

Ways to Prevent Insufficient Logging and Monitoring

OWASP recommends that web developers should implement logging and monitoring as well as incident response plans to ensure that they are made aware of attacks on their applications.

Ways to Prevent Sensitive Data Exposure

Obtain an SSL/TLS certificate to protect data in transit, and encrypt all sensitive data to protect it at rest.

Ways to Prevent Injection Flaws

Separate data from the web application's logic and settings to limit data exposure if an injection attack succeeds.

Stored XSS

The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered high or critical risk.

Reflected XSS

The attacker includes HTML code in a link to a web address, knowing the linked page will fail to sanitize that code; this is often seen on pages that display the query a user entered.

Ways to Prevent Broken Access Control

Use deny by default, implement access control mechanisms more than once throughout the application,

Insufficient Logging and Monitoring

Web applications are not taking enough steps to detect data breaches. The average discovery time for a breach is around 200 days after it has happened. This gives attackers a lot of time to cause damage before there is any response.

XML External Entities (XXE)

a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

Broken Authentication

can allow an attacker to use manual and/or automated means to try to gain control over any account in a system, or even worse, to gain complete control over the system.

Cross-Site Scripting

occurs when a web application allows users to add custom code to a URL path or onto a website that will be seen by other users. This vulnerability can be exploited to run malicious JavaScript code in a victim's browser. For example, an attacker could send an email to a victim that appears to be from a trusted bank, with a link to that bank's website. This link could have malicious JavaScript code appended to the end of the URL. If the bank's site is not properly protected against cross-site scripting, that malicious code will run in the victim's web browser when they click the link.

Insecure Deserialization

the result of deserializing data from untrusted sources; it can have serious consequences such as DDoS attacks and remote code execution.

Ways to Prevent Insecure Deserialization

While steps can be taken to try and catch attackers, such as monitoring deserialization and implementing type checks, the only sure way to protect against insecure deserialization attacks is to prohibit the deserialization of data from untrusted sources.

Broken Access Control

allows attackers to bypass authorization and perform tasks as though they were privileged users such as administrators. For example, a web application could allow a user to change which account they are logged in as simply by changing part of a URL, without any other verification.

Ways to Prevent XML External Entity Attacks

have web applications accept a less complex type of data, such as JSON, or at the very least patch XML parsers and disable the use of external entities in the XML application.

Security Misconfigurations

the most common vulnerability on the list, often the result of using default configurations or displaying excessively verbose errors. For instance, an application could show a user overly descriptive error messages that reveal vulnerabilities in the application.

Injection Flaw

when an attacker sends invalid data to the web application with the intention to make it do something different from what the application was designed/programmed to do.
