\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr} % For header and footer
\usepackage{multicol} % Allows multicols in tables
\usepackage{tabularx} % Intelligent column widths
\usepackage{tabulary} % Used in header and footer
\usepackage{hhline} % Border under tables
\usepackage{graphicx} % For images
\usepackage{xcolor} % For hex colours
%\usepackage[utf8x]{inputenc} % For unicode character support
\usepackage[T1]{fontenc} % Without this we get weird character replacements
\usepackage{colortbl} % For coloured tables
\usepackage{setspace} % For line height
\usepackage{lastpage} % Needed for total page number
\usepackage{seqsplit} % Splits long words.
%\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem} % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath} % Symbols
\usepackage{MnSymbol} % Symbols
\usepackage{wasysym} % Symbols
%\usepackage[english,german,french,spanish,italian]{babel} % Languages

% Document Info
\author{Cam (clucinvt)}
\pdfinfo{
  /Title (owasp-top-10-vulnerabilities.pdf)
  /Creator (Cheatography)
  /Author (Cam (clucinvt))
  /Subject (OWASP Top 10 Vulnerabilities Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt} % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit

% These two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{220FA3}
\definecolor{LightBackground}{HTML}{F1F0F9}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
    \SetRowColor{DarkBackground}
    \vspace{-7pt}
    {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
        \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
    }
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
    \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{OWASP Top 10 Vulnerabilities Cheat Sheet}}}} \\
    \normalsize{by \textcolor{DarkBackground}{Cam (clucinvt)} via \textcolor{DarkBackground}{\uline{cheatography.com/55263/cs/14762/}}}
\end{tabulary}
\end{multicols}}

\fancyfoot[L]{ \footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
  \SetRowColor{FootBackground}
  \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}} \\
  \vspace{-2pt}Cam (clucinvt) \\
  \uline{cheatography.com/clucinvt} \\
  \uline{\seqsplit{camluc}.tech}
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}} \\
  \vspace{-2pt}Published 30th March, 2018.\\
  Updated 30th March, 2018.\\
  Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}} \\
  \SetRowColor{white}
  \vspace{-5pt}
  %\includegraphics[width=48px,height=48px]{dave.jpeg}
  Measure your website readability!\\
  www.readability-score.com
\end{tabulary}
\end{multicols}}

\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.

\begin{multicols*}{2}

\begin{tabularx}{8.4cm}{x{4.72 cm} x{3.28 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{8.4cm}}{\bf\textcolor{white}{Cheatsheet version}} \tn
% Row 0
\SetRowColor{LightBackground}
Version & 1.0.0 \tn
% Row Count 1 (+ 1)
% Row 1
\SetRowColor{white}
Last update & 3/30/2018 \tn
% Row Count 2 (+ 1)
% Row 2
\SetRowColor{LightBackground}
OWASP version & 2017 \tn
% Row Count 3 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{1. Injection}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Injection flaws are very prevalent, particularly in legacy code. Injection vulnerabilities are often found in SQL, LDAP, XPath, or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages, and ORM queries. \newline % Row Count 5 (+ 5)
An application is vulnerable to attack when: \newline % Row Count 6 (+ 1)
• User-supplied data is not validated, filtered, or sanitized by the application. \newline % Row Count 8 (+ 2)
• Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter. \newline % Row Count 11 (+ 3)
• Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
\newline % Row Count 14 (+ 3)
• Hostile data is directly used or concatenated, such that the SQL or command contains both structure and hostile data in dynamic queries, commands, or stored procedures.% Row Count 18 (+ 4)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{2. Broken authentication}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{There may be authentication weaknesses if the application: \newline % Row Count 2 (+ 2)
• Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords. \newline % Row Count 5 (+ 3)
• Permits brute force or other automated attacks. \newline % Row Count 7 (+ 2)
• Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin". \newline % Row Count 9 (+ 2)
• Uses weak or ineffective credential recovery and forgot password processes, such as "knowledge-based answers", which cannot be made safe. \newline % Row Count 12 (+ 3)
• Uses plain text, encrypted, or weakly hashed passwords. \newline % Row Count 14 (+ 2)
• Has missing or ineffective multi-factor authentication. \newline % Row Count 16 (+ 2)
• Exposes Session IDs in the URL (e.g., URL rewriting). \newline % Row Count 18 (+ 2)
• Does not rotate Session IDs after successful login. \newline % Row Count 20 (+ 2)
• Does not properly invalidate Session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren't properly invalidated during logout or a period of inactivity.% Row Count 24 (+ 4)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{3.
Sensitive data exposure}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{The first thing is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information and business secrets require extra protection, particularly if that data falls under privacy laws, e.g. the EU's General Data Protection Regulation % Row Count 7 (+ 7)
(GDPR), or regulations, e.g. financial data protection such as the PCI Data Security Standard (PCI DSS). For all such data: \newline % Row Count 10 (+ 3)
• Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, and FTP. External internet traffic is especially dangerous. Verify all internal traffic, e.g. between load balancers, web servers, or back-end systems. \newline % Row Count 15 (+ 5)
• Is sensitive data stored in clear text, including backups? \newline % Row Count 17 (+ 2)
• Are any old or weak cryptographic algorithms used either by default or in older code? \newline % Row Count 19 (+ 2)
• Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing? \newline % Row Count 22 (+ 3)
• Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing? \newline % Row Count 25 (+ 3)
• Does the user agent (e.g. app, mail client) not verify if the received server certificate is valid?% Row Count 28 (+ 3)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{4.
XML External Entities (XXE)}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Applications, and in particular XML-based web services or downstream integrations, might be vulnerable to attack if: \newline % Row Count 3 (+ 3)
• The application accepts XML directly or XML uploads, especially from untrusted sources, or inserts untrusted data into XML documents, which is then parsed by an XML processor. \newline % Row Count 7 (+ 4)
• Any of the XML processors in the application or SOAP-based web services has document type definitions (DTDs) enabled. As the exact mechanism for disabling DTD processing varies by processor, it is good practice to consult a reference such as the OWASP Cheat Sheet 'XXE Prevention'. \newline % Row Count 13 (+ 6)
• If your application uses SAML for identity processing within federated security or single sign-on (SSO) purposes. SAML uses XML for identity assertions, and may be vulnerable. \newline % Row Count 17 (+ 4)
• If the application uses SOAP prior to version 1.2, it is likely susceptible to XXE attacks if XML entities are being passed to the SOAP framework. \newline % Row Count 21 (+ 4)
• Being vulnerable to XXE attacks likely means that the application is vulnerable to denial of service attacks including the Billion Laughs attack.% Row Count 24 (+ 3)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{5. Broken access control}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification or destruction of all data, or performing a business function outside of the limits of the user.
Common access control vulnerabilities include: \newline % Row Count 7 (+ 7)
• Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool. \newline % Row Count 10 (+ 3)
• Allowing the primary key to be changed to another user's record, permitting viewing or editing someone else's account. \newline % Row Count 13 (+ 3)
• Elevation of privilege. Acting as a user without being logged in, or acting as an admin when logged in as a user. \newline % Row Count 16 (+ 3)
• Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation. \newline % Row Count 20 (+ 4)
• CORS misconfiguration allows unauthorized API access. \newline % Row Count 22 (+ 2)
• Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user. Accessing APIs with missing access controls for POST, PUT and DELETE.% Row Count 26 (+ 4)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{6. Security misconfiguration}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{The application might be vulnerable if: \newline % Row Count 2 (+ 2)
• Appropriate security hardening is missing across any part of the application stack, or permissions on cloud services are improperly configured. \newline % Row Count 5 (+ 3)
• Unnecessary features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or privileges). \newline % Row Count 8 (+ 3)
• Default accounts and their passwords are still enabled and unchanged. \newline % Row Count 10 (+ 2)
• Error handling reveals stack traces or other overly informative error messages to users.
\newline % Row Count 12 (+ 2)
• For upgraded systems, the latest security features are disabled or not configured securely. \newline % Row Count 14 (+ 2)
• The security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET), libraries, databases, etc. are not set to secure values. \newline % Row Count 18 (+ 4)
• The server does not send security headers or directives, or they are not set to secure values. \newline % Row Count 20 (+ 2)
• The software is out of date or vulnerable.% Row Count 21 (+ 1)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{7. Cross-Site Scripting (XSS)}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{There are three forms of XSS, usually targeting users' browsers: \newline % Row Count 2 (+ 2)
Reflected XSS: The application or API includes unvalidated and unescaped user input as part of HTML output. A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim's browser. Typically the user will need to interact with some malicious link that points to an attacker-controlled page, such as malicious watering hole websites, advertisements, or similar. \newline % Row Count 10 (+ 8)
Stored XSS: The application or API stores unsanitized user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered a high or critical risk. \newline % Row Count 14 (+ 4)
DOM XSS: JavaScript frameworks, single-page applications, and APIs that dynamically include attacker-controllable data in a page are vulnerable to DOM XSS. Ideally, the application would not send attacker-controllable data to unsafe JavaScript APIs.
\newline % Row Count 19 (+ 5)
Typical XSS attacks include session stealing, account takeover, MFA bypass, DOM node replacement or defacement (such as trojan login panels), attacks against the user's browser such as malicious software downloads, key logging, and other client-side attacks. % Row Count 28 (+ 1)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{8. Insecure deserialization}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Applications and APIs will be vulnerable if they deserialize hostile or tampered objects supplied by an attacker. This can result in two primary types of attacks: \newline % Row Count 4 (+ 4)
• Object and data structure related attacks, where the attacker modifies application logic or achieves arbitrary remote code execution if there are classes available to the application that can change behavior during or after deserialization. \newline % Row Count 9 (+ 5)
• Typical data tampering attacks, such as access-control-related attacks, where existing data structures are used but the content is changed. \newline % Row Count 12 (+ 3)
Serialization may be used in applications for: \newline % Row Count 13 (+ 1)
• Remote- and inter-process communication (RPC/IPC) \newline % Row Count 15 (+ 2)
• Wire protocols, web services, message brokers \newline % Row Count 16 (+ 1)
• Caching/Persistence \newline % Row Count 17 (+ 1)
• Databases, cache servers, file systems \newline % Row Count 18 (+ 1)
• HTTP cookies, HTML form parameters, API authentication tokens% Row Count 20 (+ 2)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{9.
Using components with known vulnerabilities}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{You are likely vulnerable: \newline % Row Count 1 (+ 1)
• If you do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies. \newline % Row Count 5 (+ 4)
• If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries. \newline % Row Count 10 (+ 5)
• If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use. \newline % Row Count 13 (+ 3)
• If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments where patching is a monthly or quarterly task under change control, which leaves organizations open to many days or months of unnecessary exposure to fixed vulnerabilities. \newline % Row Count 20 (+ 7)
• If software developers do not test the compatibility of updated, upgraded, or patched libraries. \newline % Row Count 23 (+ 3)
• If you do not secure the components' configurations.% Row Count 25 (+ 2)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{10. Insufficient logging \& monitoring}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Insufficient logging, detection, monitoring and active response occurs any time: \newline % Row Count 2 (+ 2)
• Auditable events, such as logins, failed logins, and high-value transactions, are not logged. \newline % Row Count 4 (+ 2)
• Warnings and errors generate no, inadequate, or unclear log messages.
\newline % Row Count 6 (+ 2)
• Logs of applications and APIs are not monitored for suspicious activity. \newline % Row Count 8 (+ 2)
• Logs are only stored locally. \newline % Row Count 9 (+ 1)
• Appropriate alerting thresholds and response escalation processes are not in place or effective. \newline % Row Count 12 (+ 3)
• Penetration testing and scans by DAST tools (such as OWASP ZAP) do not trigger alerts. \newline % Row Count 14 (+ 2)
• The application is unable to detect, escalate, or alert for active attacks in real time or near real time. \newline % Row Count 17 (+ 3)
You are vulnerable to information leakage if you make logging and alerting events visible to a user or an attacker.% Row Count 20 (+ 3)
} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% That's all folks
\end{multicols*}
\end{document}
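Worked example for section 1 (Injection), appended after the cheat sheet because a LaTeX table cell cannot carry a code fence. It is an added illustration, not part of the Cheatography sheet or of OWASP's material: the same lookup written twice against a constructed in-memory SQLite table, once with query structure and user data concatenated (the defect the last two bullets describe) and once parameterized, so the binding keeps the value as data no matter what characters it contains.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for an application's user store (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def find_user_concatenated(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable form: statement structure and user-supplied data are joined
    # into one string, so input containing SQL syntax becomes part of the query.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Hardened form: the statement is fixed at write time and the value is
    # bound separately, so it can only ever be compared as a string literal.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

# Constructed input that carries query structure inside the data field.
HOSTILE_NAME = "x' OR '1'='1"

def compare(name: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    return {
        "concatenated_rows": len(find_user_concatenated(conn, name)),
        "parameterized_rows": len(find_user_parameterized(conn, name)),
    }
```

With HOSTILE_NAME the concatenated query returns every row in the table while the parameterized one returns none; with an ordinary name both return the single matching row.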
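Worked example for section 4 (XML External Entities), added here and not taken from the cheat sheet: a parse gate built on Python's bundled expat parser that refuses any document carrying a DOCTYPE. Entities, whether external or the nested internal kind behind the Billion Laughs attack the section mentions, can only be declared inside a DOCTYPE, so rejecting it before anything is expanded closes off both. The sample documents are constructed for the example; the "lol" entities are a two-level miniature of the Billion Laughs shape, not a working denial-of-service payload.

```python
import xml.parsers.expat

class DtdRejected(ValueError):
    """Raised when a document declares a DTD, which is where entities live."""

def parse_without_dtd(data: bytes) -> list:
    """Parse XML with DTDs forbidden; return the element names in document order.

    The DOCTYPE handler fires before the parser reads the internal subset or
    fetches any external one, so raising there stops expansion of every entity
    the document might declare."""
    seen = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return seen

# Constructed samples: a plain document and one with an internal-subset DTD.
BENIGN = b"<order><item sku='A1'/><item sku='B2'/></order>"
WITH_DTD = (b"<!DOCTYPE lolz [<!ENTITY lol 'lol'><!ENTITY lol2 '&lol;&lol;'>]>"
            b"<lolz>&lol2;</lolz>")

def is_accepted(data: bytes) -> bool:
    """True if the document passes the gate, False if it was refused for a DTD."""
    try:
        parse_without_dtd(data)
        return True
    except DtdRejected:
        return False
```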
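Worked example serving both section 2 (automated attacks such as credential stuffing and brute force) and section 10 (alerting thresholds, monitoring of application logs). It is an added illustration, not the sheet's own content: detection logic run over a constructed authentication log, flagging a source that exceeds a failed-login threshold inside a sliding window and then flagging a success from that same source, which is the shape of a credential-stuffing hit. The log format, the field names and the threshold are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an application's authentication log (not real data).
LOG_LINES = """\
2018-03-30T10:00:01Z auth login_failed user=alice src=203.0.113.7
2018-03-30T10:00:02Z auth login_failed user=bob src=203.0.113.7
2018-03-30T10:00:03Z auth login_failed user=carol src=203.0.113.7
2018-03-30T10:00:04Z auth login_failed user=dave src=203.0.113.7
2018-03-30T10:00:05Z auth login_failed user=erin src=203.0.113.7
2018-03-30T10:00:06Z auth login_ok user=erin src=203.0.113.7
2018-03-30T10:05:00Z auth login_failed user=frank src=198.51.100.2
2018-03-30T10:20:00Z auth login_failed user=frank src=198.51.100.2
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<event>login_failed|login_ok) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_line(line: str):
    """Return (timestamp, event, user, src), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["event"], m["user"], m["src"]

def detect_auth_abuse(lines, threshold=5, window=timedelta(minutes=1)) -> list:
    """Alert on a source exceeding `threshold` failed logins inside `window`,
    and on a later success from a source that was already flagged.
    Alerts are (src, kind, detail) tuples in detection order."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # an unparseable line is itself a log-quality problem worth counting
        ts, event, user, src = parsed
        window_q = recent[src]
        while window_q and ts - window_q[0] > window:
            window_q.popleft()  # drop failures that have aged out of the window
        if event == "login_failed":
            window_q.append(ts)
            if len(window_q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "burst", len(window_q)))
        elif event == "login_ok" and src in flagged:
            alerts.append((src, "success_after_burst", user))
    return alerts
```

The two spaced-out failures from 198.51.100.2 never accumulate inside the one-minute window, so only the burst source is reported.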
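Worked example for section 8 (Insecure deserialization), added here and not part of the sheet. The first bullet's condition is that classes reachable by the deserializer can change behaviour while loading; this block shows the mitigation of an explicit class allowlist on Python's pickle, so a payload naming any class the application never serializes is refused before that class is even looked up. The session layout and the allowlist contents are assumptions for the example, and a harmless foreign class (datetime.date) stands in for the unexpected one.

```python
import datetime
import io
import pickle

# Classes the application genuinely expects in its own serialized data.
# Everything else is refused before its constructor or __reduce__ can run.
ALLOWED = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "str"),
    ("builtins", "int"), ("builtins", "float"), ("builtins", "set"),
}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every global lookup the stream requests passes through here.
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")

def restricted_loads(data: bytes):
    """Deserialize `data` with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

def load_session(data: bytes):
    """Return (object, None) on success or (None, reason) when the payload is refused."""
    try:
        return restricted_loads(data), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)

# Constructed payloads: a legitimate session object, and one carrying a class
# the application never serializes (a stand-in for tampered input).
SESSION = pickle.dumps({"user": "bob", "roles": ["user"]})
FOREIGN = pickle.dumps(datetime.date(2018, 3, 30))
```

The allowlist narrows what a tampered pickle can reach; the sheet's broader point still stands that untrusted input is better carried in a data-only format that has no class lookup at all.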