Web application security - the fast guide 1.1 | Page 57
Chapter 3 - Vulnerabilities and threat models
3.8 OWASP Top 10:
[Figure: the OWASP Top 10 drawn as a wheel of ten risk categories: Injection; Broken Authentication and Session Management; Cross-Site Scripting (XSS); Insecure Direct Object References; Security Misconfiguration; Sensitive Data Exposure; Missing Function Level Access Control; Cross-Site Request Forgery (CSRF); Using Components with Known Vulnerabilities; Unvalidated Redirects and Forwards. These ten categories are the 2013 edition of the list; later editions regroup and rename them.]
This list is a more practical view of the threats. The Open Web Application Security Project (OWASP) ranks the ten most critical web application risks, and the edition shown above was built from 8 datasets contributed by 7 firms that specialize in application security. The data covers over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The ranking weighs each risk by estimates of exploitability, detectability and impact.
3.8.1 Injection:
Injection occurs when untrusted input is inserted into a string that an interpreter later executes as a command or query, so that the input is parsed as part of the command instead of as data. SQL queries, operating system commands and LDAP search filters are the usual targets. Depending on the interpreter, the attacker can read or modify data without proper authorization or, in the case of OS command injection, run arbitrary commands on the server.
3.8.2 Broken Authentication and Session Management
Since HTTP is a stateless, connectionless protocol, the application has to use session management (normally a session identifier sent back with every request) to keep state between requests. If that identifier is predictable, never expires, or is not replaced when the user authenticates, an attacker can steal or reuse it and gain unauthorized access as the victim.
The other scenario is to break the authentication itself, for example by a brute force attack against a login form that does not limit failed attempts.
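Both halves of this category in working code, as an added example that is not from the original page: a session store that issues unguessable tokens, expires them and rotates them at login, and a login routine whose lockout setting turns a brute-force loop from a success into a failure. The TTL, the lockout threshold, the credentials and the wordlist are assumed values constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 900           # session lifetime in seconds (assumed for the demo)
PBKDF2_ITERATIONS = 100_000

def hash_password(password, salt=None):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(stored, password):
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, candidate)   # constant-time comparison

class SessionStore:
    """Server-side session table keyed by an unguessable token."""
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self.sessions = {}          # token -> (user, expiry timestamp)

    def create(self, user):
        token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
        self.sessions[token] = (user, self.clock() + SESSION_TTL)
        return token

    def user_for(self, token):
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, expires = entry
        if self.clock() > expires:
            del self.sessions[token]         # a stolen token stops working after the TTL
            return None
        return user

    def rotate(self, old_token, user):
        """Issue a fresh token at login, so a token planted on the victim before
        authentication (session fixation) never becomes an authenticated one."""
        self.sessions.pop(old_token, None)
        return self.create(user)

class Authenticator:
    def __init__(self, credentials, store, max_failed=5):
        self.credentials = credentials   # user -> (salt, digest)
        self.store = store
        self.max_failed = max_failed     # None disables lockout (the broken setup)
        self.failed = {}

    def login(self, user, password, presented_token=None):
        if self.max_failed is not None and self.failed.get(user, 0) >= self.max_failed:
            return None                  # locked out: the brute force stops here
        stored = self.credentials.get(user)
        if stored is None or not verify_password(stored, password):
            self.failed[user] = self.failed.get(user, 0) + 1
            return None
        self.failed[user] = 0
        return self.store.rotate(presented_token, user)

# Constructed wordlist; the real password sits past the lockout threshold.
WORDLIST = ["123456", "password", "qwerty", "letmein", "admin",
            "welcome", "monkey", "s3cret", "dragon"]

def brute_force(auth, user, wordlist):
    """Attacker's loop: returns a valid session token on success, else None."""
    for guess in wordlist:
        token = auth.login(user, guess)
        if token is not None:
            return token
    return None

if __name__ == "__main__":
    creds = {"alice": hash_password("s3cret")}
    print(brute_force(Authenticator(creds, SessionStore(), max_failed=None), "alice", WORDLIST))
    print(brute_force(Authenticator(creds, SessionStore(), max_failed=5), "alice", WORDLIST))
```

A per-account counter is the simplest form of the control; production systems usually combine it with per-IP rate limiting and a delay rather than a hard lock, so that an attacker cannot lock victims out on purpose. Whatever the policy, the token returned on success must be the rotated one, never the one the client presented before logging in.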