OWASP Top 10 Flashcards

1
Q

Injection

Threat Agents / Attack Vectors

A

Almost any source of data can be an injection vector:

  • environment variables
  • parameters
  • external and internal web services
  • all types of users

Injection vulnerabilities are often found in:

  • SQL queries
  • LDAP queries
  • XPath queries
  • NoSQL queries
  • OS commands
  • XML parsers
  • SMTP headers
  • expression languages
  • ORM queries
2
Q

Injection

When does this occur?

How can these vectors be found?

A

Injection flaws occur when an attacker can send hostile data to an interpreter.

Scanners and fuzzers can help attackers find injection flaws.

Injection flaws are easy to discover when examining code.

3
Q

Injection

Remote File Inclusion

A

Occurs when an application can be forced into reading a file from a remote location and including it in a response or, in more severe cases, executing the file as code on the server.

The problem is due to the fact that many scripting languages do not discriminate between local and remote resources, and will automatically adjust to the protocol specified in the resource location string.

If external input is used to construct this location string, it may be able to change the file that gets included, or the location from where the file is fetched.

4
Q

Injection

Prevent Remote File Inclusion

A

Never directly pass user input to “file include” commands. It is recommended to use an indirect reference map instead.

Apply whitelist validation against all user controllable input such as form parameters, cookies, and HTTP headers.

5
Q

Authentication

Forceful Browsing

A

This vulnerability occurs when an application allows access to restricted content by default and prevents access only by hiding user interface elements.

It is easy to guess or enumerate hidden web pages or links. If no further access checks are performed, an attacker can “forcefully browse” to these pages and gain access without authorization or authentication.

6
Q

Authentication

Prevent Forceful Browsing

A

A core principle in secure access control is to deny access by default, and only allow access after an access check succeeds.

Ensure all relevant pages, routes, and endpoints require proper authentication and access checks.

7
Q

XML External Entity (XXE)

Attack

A

A type of attack against an application that parses XML input.

This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

This attack may lead to:

  • Disclosure of confidential data
  • Denial of service
  • Server-side request forgery
  • Port scanning from the perspective of the machine where the parser is located
8
Q

XML External Entity (XXE)

A

A type of custom XML entity whose defined values are loaded from outside of the DTD (document type definition) in which they are declared.

External entities are particularly interesting from a security perspective because they allow an entity to be defined based on the contents of a file path or URL.

9
Q

XML External Entity (XXE)

Prevent XXE Injection

A

Developers should apply application-wide filters or sanitization on all user-provided input. Consider GET and POST parameters, cookies and other HTTP headers.

Always apply allowlist (whitelist) input validation.

XML parsers should disable support for external entities, or DTDs completely.

10
Q

Insecure Deserialization

How can this be prevented?

A

Treat the data of a serialized object as untrusted user input and sanitize it through filtering or validation.

Implement integrity checks such as digital signatures on any serialized object.

Isolate and run code that deserializes in a low privilege environment.

11
Q

Insecure Deserialization

How does an attacker use it?

A

Untrusted serialized data is used to abuse the logic flow of an application, execute arbitrary code, or inflict a denial of service (DoS) at the moment it is deserialized.

The attack occurs when a serialized object is loaded, deserialized by the application and the data is used without validation.

Depending on how the application uses the serialized object, an attack could result in SQL injection, XSS, or remote code execution.

12
Q

Insecure Deserialization

What is serialization?

A

When data structures or object states are translated into a format that can be stored (a series of bytes).

13
Q

Insecure Deserialization

What is deserialization?

A

When a data structure is extracted from a series of bytes.

14
Q

Insufficient Logging and Monitoring

A

The lack of recording proper historical information about events that happened inside an application.

The application does not log auditable events, such as logins, failed logins, and high-value transactions.

Warnings and errors generate inadequate, unclear, or no log messages at all.

The application is unable to detect, escalate, or alert for active attacks in real-time.

Penetration testing and vulnerability scans do not trigger alerts.

15
Q

Insufficient Logging and Monitoring

How can this be prevented?

A

Ensure all failures are properly logged with sufficient user context.

Log entries should be held for a sufficient time to allow thorough forensic analysis.

Ensure that logs are generated in a format that can be easily consumed by a centralized log management solution.

Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.

Make sure you have effective monitoring and alerting so suspicious activities are detected and handled in a timely fashion.

16
Q

Cross-Site Scripting (XSS)

How can you safely render user input containing HTML content?

A

Whenever user input is dynamically rendered into HTML content, it must be added as a text node.

User input should not be rendered by assigning it to innerHTML.