Threat, Vulnerabilities and Mitigations: Web-Based Vulnerabilities Flashcards

1
Q

What site can we check to see the top 10 Web-Based Vulnerabilities?

A

OWASP Top 10

The Open Web Application Security Project (OWASP) Foundation aims to help improve software security, and it categorizes threats and vulnerabilities. Check out the OWASP Top 10 with respect to web-application threats at https://owasp.org/www-project-top-ten/.

2
Q

What other web-application threats do we need to be concerned about?

A

HTTP server vulnerabilities
Content Management System (CMS) vulnerabilities
SQLi threats: Short for SQL injection
Cross-Site Scripting (XSS)

3
Q

What are HTTP server vulnerabilities?

A

HTTP server vulnerabilities: Your HTTP server is software, so it is vulnerable to the same threats as any other software. It is important to understand which threats might affect your particular server:

Apache

NGINX

IIS

4
Q

What are Content Management System (CMS) vulnerabilities?

A

Content Management System (CMS) vulnerabilities: There are many threats to CMSs, which form the foundation for most web apps. They also have plugins and themes that come from third parties, adding functionality and attack surface. CMSs include:

WordPress

Drupal

Joomla

Magento

Wix

Shopify

5
Q

What are SQLi (SQL injection) threats?

A

SQLi threats: Short for SQL injection, this is the injection of malicious code into database queries:

The injection of T-SQL characters through user input

Single-quote (') character

Authentication bypass

' or 1=1 --

Error-based

Blind-based

Union-based

6
Q

What is Cross-Site Scripting (XSS)?

A

Cross-Site Scripting (XSS): Injection of malicious scripts into otherwise safe websites:

Type 1 (Reflected)

Type 2 (Stored/Persistent)

Type 0 (DOM)

Client (Stored & Reflected): DOM-based XSS is considered "client-based"

Server (Stored & Reflected)
