Web Security Flashcards
what is OWASP?
- worldwide charitable organization focused on improving the security of application software.
Top 10 OWASP:
1. Cross-Site Scripting (XSS)
- malicious scripts are injected into trusted websites.
Top 10 OWASP:
2. Injection Flaws
- allow attackers to relay malicious code through the Web application to another system.
Top 10 OWASP:
3. Malicious File Execution
- occurs when websites and web applications are not properly validated
Top 10 OWASP:
4. Insecure Direct Object Reference
- occurs when a developer exposes a reference to an internal implementation object
Top 10 OWASP:
5. Cross-Site Request Forgery
- is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
Top 10 OWASP:
6. Information Leakage and Improper Error Handling
- Applications can unintentionally leak information about their configuration, internal workings, etc.
Top 10 OWASP:
7. Broken Authentication and Session Management
- includes all aspects of handling user authentication and managing active sessions.
Top 10 OWASP:
8. Insecure Cryptographic Storage
- Protecting sensitive data with cryptography
Top 10 OWASP:
9. Insecure Communications
- SSL must be used for all authenticated connections, especially the Internet-accessible Web pages
Top 10 OWASP:
10. Failure to Restrict URL Access
- the only protection for the page is that links to it are not presented to unauthorized users. However, a skilled or just plain lucky attacker may be able to find and access these pages.
Web attacks are classified into 34 types that include:
- Abuse of functionality
- Buffer Overflow
- Content spoofing
- Brute force
Web weaknesses are classified into 15 classes that include:
- Application Misconfiguration
- Information Leakage
- Directory Indexing
- Improper input handling
The to-do list for web application design
- Harden the network
- Document network security procedures
- Deploy encryption strategies
- Educate users
- Use preventative tools
What is a Website Security Audit?
- It compares the effectiveness of the organization’s security systems and protocols to a set of predetermined standards.