OWASP TOP 10


Insufficient Logging and Monitoring

A lot of web apps are not taking enough steps to detect data breaches.

Broken Access Control Prevention

Access controls can be secured by ensuring that a web app uses authorization tokens and sets tight controls on them. Every privileged request that a user makes will require that the authorization token be present.

XML External Entities (XEE)

Attack against a web app that parses XML input. The input references an external entity, attempting to exploit a vulnerability in the parser. An XML parser can be duped into sending data to an unauthorized external entity.

Broken Access Control

Broken Access Controls allow attackers to bypass authorization and perform tasks as though they were privileged users such as admins. Ex: A web app could allow a user to change which account they are logged in as simply by changing part of a URL, without any other verification.

Using Components with Known Vulnerabilities Prevention

Component developers offer security patches to plug known vulnerabilities, but apps don't always have the most up-to-date versions, so developers should remove unused components from their projects, as well as make sure they are receiving components from a trusted source.

Sensitive Data Exposure Prevention

Data exposure risk can be minimized by encrypting all sensitive data as well as disabling the caching of any sensitive information. Additionally, web app devs should take care to ensure that they are not unnecessarily storing any sensitive data.

XSS Prevention

Escaping untrusted HTTP requests and validating and/or sanitizing user-generated content. Web dev frameworks like ReactJS and Ruby on Rails provide built-in XSS protection.

XEE Prevention

Have web apps accept less complex types of data (JSON), or patch XML parsers and disable the use of external entities in an XML application.

Sensitive Data Exposure

If web applications don't protect sensitive data, attackers can gain access to that data and sell or utilize it for nefarious purposes (e.g., via a man-in-the-middle attack).

Insufficient Logging and Monitoring Prevention

Implement logging and monitoring (plus penetration testing) as well as incident response plans to ensure that teams are made aware of attacks on their applications.

Injection Prevention

Injection attacks can be prevented by validating and/or sanitizing user-submitted data. In addition a database admin can set controls to minimize the amount of info an injection attack can expose.

Injection

Injection attacks happen when untrusted data is sent to a code interpreter through a form input or some other data submission to a web application. Ex: Attacker enters SQL database code into a form that expects a plaintext username. If the form input is not properly secured, then the SQL code is executed.

OWASP Top 10

Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XEE), Broken Access Control, Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components With Known Vulnerabilities, Insufficient Logging and Monitoring

Security Misconfiguration

Most common vulnerability on the list and often the result of using default configurations or displaying excessively verbose errors. Ex: App could show a user overly-descriptive errors which may reveal vulnerabilities in the application.

Insecure Deserialization Prevention

Prohibit the deserialization of data from untrusted sources and monitor deserialization.

Security Misconfiguration Prevention

Remove any unused features in the code and ensure that error messages are more general.

Broken Authentication Prevention

Requiring 2-factor authentication along with limiting or delaying repeated login attempts.

Using Components with Known Vulnerabilities

Some attackers look for vulnerabilities in common components (common libraries and frameworks). Finding a vulnerability in a popular component could lead to an exploitable vulnerability on hundreds of thousands of sites.

Insecure Deserialization

Targets web apps which frequently serialize and deserialize data. The attack tampers with the contents of the data before it is deserialized (deserializing data from untrusted sources).

Broken Authentication

Vulnerabilities in authentication (login) systems can give attackers access to user accounts and even the ability to compromise an entire system using an admin account. Ex: Attacker can take a list containing thousands of known username/password combos obtained during a data breach and use a script to try all those combinations on a login system to see if there are any that work.

Cross-Site Scripting (XSS)

When web apps allow users to add custom code into a URL path or onto a website that will be seen by other users. Can be exploited to run malicious JS code in a victim's browser. Ex: Attacker could send an email to a victim that appears to be from a trusted bank, with a link to that bank's website. The link could have some bad JS code tagged onto the end of the URL. If the bank's site is not properly protected against XSS, then the code will be run in the victim's web browser when they click on the link.
