OWASP Top 10 Web Application Security Risks Flashcards
Broken Access Control
Access control failures, users act outside of their intended permissions.
Ex: Bypassing access control checks, elevation of privileges
Includes:
Exposure of sensitive data, Path traversal, Cross-Site Request Forgery (CSRF)
Cryptographic failures
Failures related to cryptography (or lack thereof)
Ex: Hard-coded passwords
Broken crypto algorithms
Includes:
Data transmitted in clear text
Old, weak, or deprecated protocols
Unsalted password hashes
Injection
Adding unintended commands to the data sent to an interpreter (a software component or system that interprets and executes code or commands)
Insecure Design
Risks related to design and architectural flaws
Ex: Being able to buy with bots; the need to identify inauthentic purchases
Security Misconfiguration
When security options are not defined in a way that maximizes security, or when services are deployed with insecure default settings
Vulnerable and Outdated Components
Components with known vulnerabilities
Identification and Authentication Failures
Is about sessions and authentication.
Easy to get wrong:
Session IDs exposed in URLs, sessions that don't time out, tokens that are not deleted
Consequences: Unauthorized access, session hijacking.
Countermeasures: Secure APIs, Multi-factor authentication, avoid default passwords
Software and Data Integrity Failures
Code and infrastructure that does not protect against integrity violations
Ex: An application that relies upon plugins, libraries or modules from untrusted sources
Countermeasures: Use digital signatures
Security Logging and Monitoring Failures
Issues where a system is not properly recording or watching for security events, making it difficult to detect and respond to potential threats.
Server-Side Request Forgery
Happens when a website fetches information from another place on the internet without checking if it’s safe.
Countermeasures:
Sanitize and validate client-supplied data & disable HTTP redirections