OWASP Top 10 Flashcards
- Broken Access Control
Violation of the principle of least privilege or deny by default.
Accessing API with missing controls.
Permitting viewing or editing someone else’s account, by providing its unique identifier (insecure direct object references).
Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation.
- Broken Access Control Prevention
Access control is only effective if implemented server-side.
Log control failures.
Deny by default.
Implement access-control mechanisms once and reuse throughout the application.
Stateful session identifiers should be invalidated on the server after logout/timeout.
- Cryptographic Failures
Protect data in transit and at-rest.
Make sure sensitive data is not transferred in cleartext.
Old or weak cryptographic algrorithms/protocols.
Proper key management and key rotation.
Source of randomness for cryptographic purposes.
Don’t use deprecated hash functions.
- Cryptographic Failures Prevention
Classify data by sensitivity level. This is necessary for privacy laws and what data protection measures to implement.
Don’t store sensitive data if not necessary.
Encrypt all sensitive data at rest.
Encrypt all data in transit.
Proper cryptographic randomness used.
Proper key management and key rotation.
- Injection
User-supplied data is not validated or sanitized by the application.
Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.
SQL injection, NoSQL Injection, XSS, etc.
- Injection Prevention
Server-side input validation
For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter.
- Insecure Design
Missing or ineffective control design.
An insecure design cannot be fixed by a perfect implementation as by definition.
Get all technical/security requirements.
Evaluate threats - threat modeling
Run tests.
SDLC
- Security Misconfiguration
Unnecessary features or packages installed
Missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services.
Default accounts and passwords used.
Error handling is overly informative.
Settings are not securely configured.
Software is out of date or vulnerable.
- Vulnerable and Outdated Components
Vulnerable if:
Do not know all versions of all components you use
Software is vulnerable, out-of-date, or unsupported
Do not regularly scan for vulnerabilities
Do not secure components’ configuration
- Identification and Authentication Failures
Confirmation of the user’s identity, authentication, and session management is critical to protect against authentication-related attacks.
- permits automated attacks such as credential stuffing
- permits brute-force attacks
- permits default, weak or well-known passwords
- uses weak account recovery methods
- improperly stores credentials
- exposes session identifier in the URL
- reuse session identifier after successful login
- does not correctly invalidate session IDs
- Software and Data Integrity Failures
Software and data integrity failures relate to code and infrastructure that does not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise. Lastly, many applications now include auto-update functionality, where updates are downloaded without sufficient integrity verification and applied to the previously trusted application. Attackers could potentially upload their own updates to be distributed and run on all installations. Another example is where objects or data are encoded or serialized into a structure that an attacker can see and modify is vulnerable to insecure deserialization.
- Security Logging and Monitoring Failures
Insufficient logging, detection, monitoring, and active response occurs any time:
Auditable events, such as logins, failed logins, and high-value transactions, are not logged.
Warnings and errors generate no, inadequate, or unclear log messages.
Logs of applications and APIs are not monitored for suspicious activity.
Logs are only stored locally.
Appropriate alerting thresholds and response escalation processes are not in place or effective.
Penetration testing and scans by dynamic application security testing (DAST) tools (such as OWASP ZAP) do not trigger alerts.
The application cannot detect, escalate, or alert for active attacks in real-time or near real-time.
- Server Side Request Forgery
When an application requests a remote resource without validating the user-supplied URL. Allows an attacker to make a request to an unexpected destination.
- could lead to sensitive data exposure
- could map out internal networks
- compromise internal servers
- Insecure Design Prevention
Establish and use a secure development lifecycle.
Establish or use a library of secure design patterns.
Threat modeling.
Integrate security checks at each point in the SDLC.
Unit and integration tests.
Limit resource consumption by users.
- Security Misconfiguration Prevention
Review and update configuration.
Segmented application architecture.
Automated process to verify configuration controls.