OWASP Top 10 2023

Question 1

A01

Answer 1

Broken Access Control

Question 2

A02

Answer 2

Cryptographic Failures

Question 3

A03

Answer 3

Injection

Question 4

A04

Answer 4

Insecure Design

Question 5

A05

Answer 5

Security Misconfiguration

Question 6

A06

Answer 6

Vulnerable and Outdated Components

Question 7

A07

Answer 7

Identification and Authentication Failures

Question 8

A08

Answer 8

Software and Data Integrity Failures

Question 9

A09

Answer 9

Security Logging and Monitoring Failures

Question 10

A10

Answer 10

Server Side Request Forgery (SSRF)

Question 11

Broken Access Control Description

Answer 11

Enforces policy such that users cannot act outside of their intended permissions.

Question 12

Broken Access Control prevention

Answer 12

Deny by default and log access failures

Question 13

Example broken access control

Answer 13

App uses unverified data in SQL call, url contains acct parameter and the user sends whatever account number they want to get info

Question 14

Cryptographic Failures Description

Answer 14

Determine protection needs of data in transit and at rest. Any old or weak cryptographic algorithms or protocols used either by default or in older code. Hard coded passwords.

Question 15

Cryptographic failures prevention

Answer 15

Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs. Dont store sensitive data unnecessarily. Encrypt all sensitive data at rest. Up to date algorithms, protocols and keys. Strong hashing and encryption.

Question 16

Injection description

Answer 16

Injecting SQL, code, scripts into input

Question 17

Injection vulnerable to attack when

Answer 17

User-supplied data is not validated, filtered, or sanitized by the application.

Question 18

Injection how to prevent

Answer 18

Use safe API which avoids interpreter entirely and properly sanitize input.

Question 19

Cryptographic failures example

Answer 19

App encrypts credit card numbers in a database using auto encryption. However, the data is automatically decrypted when retrieved allowing a SQL injection flaw to retrieve cc numbers in clear text

Question 20

Injection example

Answer 20

App uses untrusted data in the construction of the SQL call, attacker modifies the id parameter to send a query that returns all the records from the accounts table

Question 21

Insecure design description

Answer 21

Related to design and architectural flaws with a call for more use of threat modeling, secure design patterns, and reference architectures. Shift left to pre coding

Question 22

Insecure design, secure design

Answer 22

Consistently evaluate threats and ensures that code is robustly designed and tested to prevent known attack methods. Threat modeling should be integrated into refinement sessions. Look for changes in data flows and access control. Secure Development Lifecycle, look at the SAMM

Question 23

Insecure design, how to prevent

Answer 23

Use secure development lifecycle, library of secure design patterns, threat modeling for critical authentication, access control, business logic, and key flows. Integrate security language and controls into user stories

Question 24

Insecure design, example attack

Answer 24

Password recovery might include questions and answers, this is not safe and should be removed.

Question 25

Security Misconfiguration description

Answer 25

Unnecessary features enabled, ports, services, accounts, privileges. Default accounts and their passwords are still enabled and unchanged.

Question 26

Security Misconfiguration how to prevent

Answer 26

Dev, QA, and prod should all be configured identically with different credentials. No unnecessary features, components, documentation, frameworks. Micro services application architecture provides effective and secure separation between components.

Question 27

Security Misconfiguration example

Answer 27

The app server comes with sample app not removed from the prod server. These have known security flaws and can compromise the server.

Question 28

Vulnerable and outdated components description

Answer 28

If you do not know the versions of all components you use. If software is vulnerable, unsupported, or out of date. If you do not scan for vulnerabilities regularly.

Question 29

Vulnerable and outdated components how to prevent

Answer 29

Path management to remove unused dependencies, unnecessary features, components, files, and documentation. Inventory of versions.

Question 30

Vulnerable and outdated components example

Answer 30

Components typically run with the same privileges as the application itself. Attacker finds unpatched systems and exploit them.

Question 31

Identification and authentication failures description

Answer 31

Confirmation of the users identity authentication and session management is critical to protect agains authentication related attacks. May be a weakness if permits automated attacks such as cred stuffing and brute force. Default or weak passwords. Missing multi factor authentication

Question 32

Identification and authentication failures how to prevent

Answer 32

Implement multi-factor authentication. Do not ship or deploy with any default credentials. Implement weak password checks.

Question 33

Identification and authentication failures example

Answer 33

Credential stuffing, use of known passwords is a common attack. App does not implement automated threat or credential stuffing protection the app can be used as a password oracle to determine if the credentials are valid

Question 34

Software and data integrity failures description

Answer 34

Relate to code and infrastructure that does not protect against integrity violations. App relies on plugins, libraries from untrusted sources, repos and CDN. CI/CD pipelines can introduce potential for unauthorized access.

Question 35

Software and data integrity failures how to prevent

Answer 35

Use digital signatures or similar mechanism to verify the software or data is from the expected source and has not been altered. Checksum. Ensure libraries and dependencies coming from trusted repositories. CI/CD pipeline has proper segregation, config, access control to ensure the integrity of the code flowing through the build and deploy processes.

Question 36

Software and data integrity failures example

Answer 36

SolarWinds Orion attack. Libraries used were compromised and sent malicious update to more than 18,000 orgs.

Question 37

Security logging and monitoring failures description

Answer 37

Omission of security relevant information, insertion of sensitive information into log file. Auditable events such as login failed logins are not logged. Warnings and errors generate no clear log messages.

Question 38

Security logging and monitoring failures how to prevent

Answer 38

Ensure all login, access control, and server-side input validation failures can be logged with sufficient context and held for forensic analysis. Ensure the logs are generated in a format that log management solutions can easily consume. Establish effective monitoring of logs and alerting such suspicious activities.

Question 39

Security logging and monitoring failures example

Answer 39

Health provider couldn’t detect a breach due to lack of monitoring and logging and was informed by third party of bread that modified thousands of sensitive health records.

Question 40

Server side request forgery SSRF description

Answer 40

Occurs when a web app is fetching a remote resource without validating the user supplied url. It allows the attacker to coerce the app to send a crafted request to an unexpected destination.

Question 41

Server side request forgery how to prevent

Answer 41

Implement these controls: network layer - segment remote resource access functionality in separate networks to reduce the impact, enforce deny by default firewall. From app layer: sanitize and validate all input, disable http

Question 42

Server side request forgery SSRF example

Answer 42

Port scan internal servers to map the network if unsegmented. Sensitive data exposure attackers can access local files or internal services to gain sensitive information.

Question 43

What is a threat?

Answer 43

Any potential danger or adverse action that could exploit a vulnerability in your systems. Ex. Malware, ransomware, phishing attacks. More specifically an adversary or attacker who has the opportunity, capability, and intent to bring a negative impact to your ops, assets, workforce, or customers.

Question 44

Threat example

Answer 44

Threat is any potential danger ex. Malware, ransomeware, phishing attacks

Question 45

What is a vulnerability

Answer 45

A weakness, flaw, or shortcoming in a system, infrastructure, database, software, process, or a set of controls that can be exploited by a threat actor

Question 46

Example of a vulnerability

Answer 46

An unlocked door is a vulnerability that can be exploited by a thief

Question 47

What is a risk

Answer 47

Likelihood and potential impact of a negative event occurring. Likelihood a vulnerability will be exploited by a threat.