OWASP

Question 1

owasp 1: injection flaws

Answer 1

• SQL ldap trick interpreter into executing attackers unintended commands or accessing data

Question 2

owasp 2: Broken Authentication and session Management

Answer 2

App functions related to Auth and Session management not implemented correctly allows attacker to compromise passwords keys or session tokens or other to assume users identities. Password spraying, phishing, mit
Simply stated, broken authentication & session management allows a cybercriminal to steal a user’s login data, or forge session data, such as cookies

Question 3

owasp 3: Sensitive Data exposure

Answer 3

Inadequately protected data ie pii. Should be encrypted in transit Attacker steal and use.

Question 4

owasp 4: XML External Entities

Answer 4

(XXE) Attacker exploit vulnerable xml processors if they can include hostile content in XML exploiting code, dependencies or integrations. Older XML processors allow specification to an external entity, a URI that is dereferenced and evaluated during processing. This can be used to extract data, execute remote script, scan an internal system, perform dos, and other allows an attacker to interfere with an application’s processing of XML data

Question 5

owasp 5: Broken Access control

Answer 5

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. IDOR GET vs PUT, directory traversal, getting an admin page. Client side caching.

Question 6

owasp 6: Security Misconfiguration

Answer 6

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

Question 7

owasp 7: Cross Site Scripting

Answer 7

(XSS) XSS allows attackers to execute scripts in the victims browser that can hijack user sessions, deface websites, or redirect to malicious sites.

Question 8

owasp 8: Insecure Deserialization

Answer 8

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
goes from string back to binary

Question 9

owasp 9: Using components with known vulnerabilities

Answer 9

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. with known vulnerabilities

Question 10

not implemented correctly allows attacker to compromise passwords keys or session tokens or other to assume users identities. Password spraying, phishing, mitm

Answer 10

owasp 2: Broken Authentication and session Management

Question 11

Attacker exploit vulnerable xml processors if they can include hostile content in XML exploiting code, dependencies or integrations. Older XML processors allow specification to an external entity, a URI that is dereferenced and evaluated during processing. This can be used to extract data, execute remote script, scan an internal system, perform dos, and other allows an attacker to interfere with an application’s processing of XML data

Answer 11

owasp 4: XML External Entities

Question 12

trick interpreter into executing attackers unintended commands or accessing data

Answer 12

owasp 1: injection flaws

Question 13

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

Answer 13

owasp 9: Using components with known vulnerabilities

Question 14

the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

Answer 14

owasp 6: Security Misconfiguration

Question 15

leads to remote code execution. Even if no remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
goes from string back to binary

Answer 15

owasp 8: Insecure Deserialization

Question 16

Inadequately protected data ie pii. Should be encrypted in transit Attacker steal and use.

Answer 16

owasp 3: Sensitive Data exposure

Question 17

allows attackers to execute scripts in the victims browser that can hijack user sessions, deface websites, or redirect to malicious sites.

Answer 17

owasp 7: Cross Site Scripting

Question 18

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc. IDOR GET vs PUT, directory traversal, getting an admin page. Client side caching.

Answer 18

owasp 5: Broken Access control