OWASP Top 10 Flashcards

1
Q
Broken Access Control
A

Violation of the principle of least privilege or deny by default.
Accessing API with missing controls.
Permitting viewing or editing someone else’s account, by providing its unique identifier (insecure direct object references).
Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation.

2
Q
Broken Access Control Prevention
A

Access control is only effective if implemented server-side.
Log control failures.
Deny by default.
Implement access-control mechanisms once and reuse throughout the application.
Stateful session identifiers should be invalidated on the server after logout/timeout.

3
Q
Cryptographic Failures
A

Protect data in transit and at-rest.
Make sure sensitive data is not transferred in cleartext.
Old or weak cryptographic algorithms/protocols.
Proper key management and key rotation.
Source of randomness for cryptographic purposes.
Don’t use deprecated hash functions.

4
Q
Cryptographic Failures Prevention
A

Classify data by sensitivity level. This determines which privacy laws apply and which data protection measures to implement.
Don’t store sensitive data if not necessary.
Encrypt all sensitive data at rest.
Encrypt all data in transit.
Proper cryptographic randomness used.
Proper key management and key rotation.

5
Q
Injection
A

User-supplied data is not validated or sanitized by the application.
Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.
SQL injection, NoSQL Injection, XSS, etc.

6
Q
Injection Prevention
A

Server-side input validation.
For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter.

7
Q
Insecure Design
A

Missing or ineffective control design.
An insecure design cannot be fixed by a perfect implementation, since by definition the needed security controls were never created.
Gather all technical and security requirements.
Evaluate threats (threat modeling).
Run tests.
Follow a secure SDLC.

8
Q
Security Misconfiguration
A

Unnecessary features or packages installed.
Missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services.
Default accounts and passwords used.
Error handling is overly informative.
Settings are not securely configured.
Software is out of date or vulnerable.

9
Q
Vulnerable and Outdated Components
A

Vulnerable if you:
- do not know the versions of all components you use
- run software that is vulnerable, out-of-date, or unsupported
- do not regularly scan for vulnerabilities
- do not secure the components' configuration

10
Q
Identification and Authentication Failures
A

Confirmation of the user’s identity, authentication, and session management is critical to protect against authentication-related attacks. The application is vulnerable if it:
- permits automated attacks such as credential stuffing
- permits brute-force attacks
- permits default, weak, or well-known passwords
- uses weak account recovery methods
- improperly stores credentials
- exposes the session identifier in the URL
- reuses the session identifier after successful login
- does not correctly invalidate session IDs

11
Q
Software and Data Integrity Failures
A

Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. Lastly, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations. Another example is insecure deserialization: objects or data are encoded or serialized into a structure that an attacker can see and modify.

12
Q
Security Logging and Monitoring Failures
A

Insufficient logging, detection, monitoring, and active response occurs any time:
Auditable events, such as logins, failed logins, and high-value transactions, are not logged.
Warnings and errors generate no, inadequate, or unclear log messages.
Logs of applications and APIs are not monitored for suspicious activity.
Logs are only stored locally.
Appropriate alerting thresholds and response escalation processes are not in place or effective.
Penetration testing and scans by dynamic application security testing (DAST) tools (such as OWASP ZAP) do not trigger alerts.
The application cannot detect, escalate, or alert for active attacks in real-time or near real-time.

13
Q
Server Side Request Forgery
A

Occurs when an application requests a remote resource without validating the user-supplied URL. This allows an attacker to make the server send a request to an unexpected destination, which:
- could lead to sensitive data exposure
- could map out internal networks
- could compromise internal servers

14
Q
Insecure Design Prevention
A

Establish and use a secure development lifecycle.
Establish or use a library of secure design patterns.
Threat modeling.
Integrate security checks at each point in the SDLC.
Unit and integration tests.
Limit resource consumption by users.

15
Q
Security Misconfiguration Prevention
A

Review and update configuration.
Segmented application architecture.
Automated process to verify configuration controls.

16
Q
Vulnerable and Outdated Components Prevention
A

Remove unused dependencies and features.
Continuously inventory the versions of client- and server-side components.
Obtain components only from official sources over secure links.
Monitor for libraries that are not maintained. Patch insecure versions.

17
Q
Identification and Authentication Failures Prevention
A
  • multi-factor authentication
  • no default credentials
  • checks for weak passwords
  • limit login requests for multiple failures
  • server-side session manager
  • same message for all outcomes
18
Q
Software and Data Integrity Failures Prevention
A
  • digital signatures to verify software
  • ensure libraries and dependencies are coming from trusted sources
  • verify that components do not contain vulnerabilities
  • review process for code
19
Q
Security Logging and Monitoring Failures Prevention
A
  • log suspicious events
  • logs are in a format that log management systems can easily ingest
  • high value transactions have an audit trail
  • monitoring and alerting on suspicious activities
  • incident response and recovery plan
20
Q
Server Side Request Forgery Prevention
A

Defense in depth
Deny by default
Sanitize and validate user-supplied input
Do not send raw responses to clients
Disable HTTP redirections