OWASP Top 10

Question 1

A10: Insufficient Logging & Monitoring

Answer 1

Monitoring (Logging) and Detection (IR)

Question 2

A9: Using Components with known vulnerabilities

Answer 2

Libraries, frameworks, & other software modules run w/same privilege as application. If a vulnerable component is exploited, such attacks facilitate serious data loss or server take over; .i.e. API running w/vulnerable components.

Question 3

A8: Insecure Deserialization

Answer 3

often leads to remote code execution; they can lead to replay, injection, and privilege escalation attacks.

Question 4

A7: XSS

Answer 4

When an application includes untrusted data w/out validation.

Question 5

A6: Security Misconfiguration

Answer 5

insecure default configuration, misconfiguration. (patched & updated)

Question 6

A5: Broken Access Control

Answer 6

Restriction on what authenticated allows to do are often not properly endorced.

Question 7

A4: XML External Entities (XXE)

Answer 7

Older or Poorly configured XML processors evaluate external entity reference within XML documents. External Entities can be used to disclose internal files.

Question 8

A3: Sensitive Data Exposure

Answer 8

Web App & API do not properly protect sensitive data in transit and at rest.

Question 9

A2: Broken Authentication

Answer 9

Authentication and session management is implemented incorrectly. Allows attacker to compromise passwords, keys, sessions or tokens.

Question 10

A1: Injection

Answer 10

SQL, NoSQL, OS, and LDAP occurs when untrusted data is sent to an interpreter as part of the command or query.