Reverse OWASP TOP 10 Flashcards
Broken Access Control
This occurs when restrictions on what authenticated users can do aren’t properly enforced. Attackers can exploit these weaknesses to access unauthorized functionality or data.
Cryptographic Failures
This category focuses on failures related to protecting data in transit and at rest. It includes issues like weak or outdated encryption algorithms, misconfigured cryptographic modules, or not encrypting sensitive data at all.
Injection
Injection flaws, such as SQL, NoSQL, command, or LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. This can allow attackers to execute unintended commands or access data.
Insecure Design
A newer category in the OWASP Top 10, Insecure Design emphasizes the need for secure design patterns and threat modeling in the development process. It covers architectural weaknesses that cannot be fixed by simply adding security controls later.
Security Misconfiguration
This vulnerability arises from insecure default configurations, incomplete configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages that provide sensitive information to attackers.
Vulnerable and Outdated Components
Often referred to as “Using Components with Known Vulnerabilities,” this risk is about using libraries, frameworks, and other software modules that have known security issues, which attackers can exploit if not properly updated or patched.
Identification and Authentication Failures
This category involves issues with managing user identities and sessions. Weak password policies, insecure session management, and improper implementation of multi-factor authentication fall under this category.
Software and Data Integrity Failures
This category deals with failures related to code and data integrity. It includes issues where software updates, critical data, or even CI/CD pipelines are not properly protected, allowing unauthorized modifications.
Security Logging and Monitoring Failures
Without proper logging and monitoring, it’s challenging to detect and respond to breaches or attacks. This category emphasizes the importance of comprehensive logging, alerting, and monitoring systems to identify suspicious activities early.
Server-Side Request Forgery (SSRF)
SSRF vulnerabilities occur when a server fetches a remote resource without validating the user-supplied URL, allowing an attacker to make the server send requests to unintended destinations such as internal services.