Web application security - the fast guide 1.1 | Page 6

    3.5.6 Elevation of privileges .......... 53
  3.6 Threats and vulnerabilities models - DREAD .......... 53
  3.7 Threats and vulnerabilities models - CVSS .......... 54
  3.8 OWASP Top 10 .......... 57
    3.8.1 Injection .......... 57
    3.8.2 Broken Authentication and Session Management .......... 57
    3.8.3 Insecure Direct Object References .......... 58
    3.8.4 Cross-Site Scripting (XSS) .......... 58
    3.8.5 Security Misconfiguration .......... 58
    3.8.6 Sensitive Data Exposure .......... 58
    3.8.7 Missing Function Level Access Control .......... 58
    3.8.8 Cross-Site Request Forgery (CSRF) .......... 58
    3.8.9 Using Components with Known Vulnerabilities .......... 58
    3.8.10 Invalidated Redirects and Forwards .......... 59
  3.9 QUIZ .......... 60
Chapter 4 Be the attacker .......... 65
  4.1 Be the Attacker .......... 66
  4.2 Attackers categories .......... 66
  4.3 Attacking process .......... 67
  4.4 Mapping .......... 68
  4.5 Mapping infrastructure .......... 68
  4.6 Information about servers .......... 69
  4.7 Attack Mapping - Information about Intermediaries .......... 70
  4.8 Mapping Application .......... 71
    4.8.1 Mapping functionalities and contents .......... 71
    4.8.2 Hidden content spidering .......... 72
  4.9 Other source of public information ..........