OWASP Top 10 Flashcards
What is the OWASP Top 10 member designated ‘A01’?
HINT: Roles
A01 is described as ‘Broken Access Control’.
This can relate to a vulnerability that breaks the bounds of what the system allows a typical user to do, such as accessing sensitive data they should not be able to reach.
What is the OWASP Top 10 member designated ‘A02’?
HINT: Keys
A02 is described as ‘Cryptographic Failures’.
This is not necessarily related to a failure of the chosen cryptographic scheme itself, but rather to general failures in implementing these schemes, or even to their absence altogether.
What is the OWASP Top 10 member designated ‘A03’?
HINT: User input
A03 is described as ‘Injection’.
This is a vulnerability caused by some form of malicious user input, such as a SQL injection against a database, or a numeric input causing a buffer overflow.
What is the OWASP Top 10 member designated ‘A04’?
HINT: Umbrella term
A04 is described as ‘Insecure Design’.
This is a very broad category, essentially covering cases where a developer did not consider something they should have, such as forgetting to use encryption when transmitting sensitive data.
What is the OWASP Top 10 member designated ‘A05’?
HINT: 5 for S, S for…
A05 is described as ‘Security Misconfiguration’.
This may involve security not being properly configured on the server, such as failing to change the defaults of an Apache server, or important server logs being returned to users unintentionally.
What is the OWASP Top 10 member designated ‘A06’?
HINT: OpenSSL
A06 is described as ‘Vulnerable and Outdated Components’.
This is a vulnerability born from the use of components or libraries that may be outdated or have a known, exploitable vulnerability.
What is the OWASP Top 10 member designated ‘A07’?
A07 is described as ‘Identification and Authentication Failures’.
This is a vulnerability characterised by failing to identify or properly authenticate users. This may include forgetting to put a restriction on a page displaying important data.
What is the OWASP Top 10 member designated ‘A08’?
HINT: Installs
A08 is described as ‘Software and Data Integrity Failures’.
This is a vulnerability arising from transferring data without verifying its integrity. For example, if we run a script to install software without verifying where it comes from, anyone could intercept the download and substitute their own malicious code!
What is the OWASP Top 10 member designated ‘A09’?
HINT: Incorrect password failures
A09 is described as ‘Security Logging and Monitoring Failures’.
This is a vulnerability where we fail to log important information, or log data we should not. For example, if we log users’ failed password attempts in plaintext on the server, there is a high chance a failed attempt is only a couple of letters off from the real password.
What is the OWASP Top 10 member designated ‘A10’?
HINT: Not Injection For Sure
A10 is described as ‘Server Side Request Forgery’, and is a weird one.
This is an injection vulnerability with only one CWE, meaning there’s only one instance of it! However, it’s highlighted because it’s so dangerous.
It relates specifically to a problem where a user may trick the externally facing web server into fetching and returning sensitive data from an internal web server using some form of injection trick. In the worst case, a hacker could even change the IP address of the entire backend!