OWASP Top Ten Threats Flashcards
1
Q
Broken Authorization and how to avoid it.
A
Authenticated users without authorization perform horizontal privilege escalation.
Prevention:
- Enforce least privilege
- Default deny
- Authorize every request
- Review authorization logic
- Prefer ABAC over RBAC
- Avoid IDOR (e.g. https://mybank.com/?acct_id=901)
- Protect static resources (e.g. S3 buckets)
- Authorization checks in the right location (e.g. not in client-side logic).
- Logging
- Unit and Integration testing
2
Q
XSS Prevention Cheat Sheet
A
- RULE #0 - Never Insert Untrusted Data Except in Allowed Locations
- RULE #1 - HTML Encode Before Inserting Untrusted Data into HTML Element Content - this essentially turns special characters such as &, <, >, " and ' into HTML entities such as &amp;, &lt;, &gt; etc.
- Other rules are similar but cover JavaScript and CSS.
3
Q
What is CSRF?
A
- Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
4
Q
How is CSRF different from XSS?
A
- XSS exploits a user’s trust in the web application
- CSRF exploits a web application’s trust in the user.
5
Q
How can CSRF be prevented?
A
- On the application side: using random session tokens and CAPTCHAs.
- On the user side: log out of applications; do not browse at the same time as you use banking applications; do not click on links; do not store passwords in browsers.
6
Q
What is unvalidated redirect and forward?
A
The web application redirects the user to a malicious website supplied in untrusted input.
- User receives phishing email with link to a known page with a redirect parameter to attacker site.
- User clicks on link and is redirected to the attacker’s page.
Prevent it by avoiding redirects and forwards.
Train users, since such attempts are often linked with phishing emails.
7
Q
What are the OWASP top 10?
A
- Injection (SQL/XML/LDAP)
- Broken Auth & Session Management
- XSS
- IDOR
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Functional Level Access Control
- CSRF
- Components with known vulnerability
- Unvalidated redirects/forwards.