Web application security - the fast guide 1.1 | Page 57

Chapter 3 - Vulnerabilities and threat models

3.8 OWASP Top 10:

[Figure: the ten OWASP Top 10 categories arranged around a "TOP 10 OWASP" label: Broken Authentication and Session Management, Injection, Cross-Site Scripting (XSS), Sensitive Data Exposure, Insecure Direct Object References, Security Misconfiguration, Unvalidated Redirects and Forwards, Cross-Site Request Forgery (CSRF), Missing Function Level Access Control, Using Components with Known Vulnerabilities.]

This list is a more practical, data-driven view of web application vulnerabilities. It is published by the Open Web Application Security Project (OWASP) and names the ten most significant vulnerability categories. The edition shown here was built from 8 datasets contributed by 7 firms that specialize in application security; the data spans over 500,000 vulnerabilities across hundreds of organizations and thousands of applications. The categories are ranked by estimates of exploitability, detectability, and impact.

3.8.1 Injection: the attacker supplies input that the application embeds in a command or query and hands to an interpreter, so the input is parsed as part of the command rather than treated as data. This applies to SQL, operating system commands, LDAP queries and any other interpreter the application builds text for, and it typically lets the attacker read or modify data without proper authorization. The root cause is mixing untrusted data into command text; the defence is to keep the two separate, for example with parameterized queries instead of string concatenation.

3.8.2 Broken Authentication and Session Management: HTTP is a stateless, connectionless protocol, so a web application has to use session management (usually a session identifier carried in a cookie) to keep state between requests. An attacker who can steal, guess or reuse a session identifier takes over that session and gains unauthorized access without ever learning the password. The other scenario is to defeat the authentication step itself; a brute-force attack against the login form is one example.
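The SQL case of 3.8.1, as an added example that is not from the guide: a deliberately vulnerable login query built by string concatenation next to its parameterized replacement, both run against a constructed in-memory SQLite table. The table name, the three sample users and their passwords are assumptions made for this demo, not anything from the page; the same data-versus-command separation applies to OS commands (argument lists instead of shell strings) and LDAP filters.

```python
import sqlite3

# Constructed sample data for the demo: three users with plaintext passwords.
# (Plaintext is only for brevity here; a real application stores password hashes.)
SAMPLE_USERS = [
    ("alice", "alice-pw", "admin"),
    ("bob", "bob-pw", "user"),
    ("carol", "carol-pw", "user"),
]


def build_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: the query text is built by string concatenation,
    so quotes and SQL keywords inside the input are parsed as SQL."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Hardened: a parameterized query. The SQL text is fixed and the values
    travel separately, so the input can never change the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run two classic payloads against both implementations and collect the rows."""
    conn = build_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into something always true
    comment = "alice' --"       # closes the quote and comments out the password check
    return {
        "tautology_vulnerable": login_vulnerable(conn, tautology, tautology),
        "tautology_safe": login_safe(conn, tautology, tautology),
        "comment_vulnerable": login_vulnerable(conn, comment, "wrong"),
        "comment_safe": login_safe(conn, comment, "wrong"),
        "legit_safe": login_safe(conn, "alice", "alice-pw"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The tautology payload makes the vulnerable query return every user, and the comment payload logs in as alice without a password; the parameterized version returns nothing for either, while a legitimate login still works. Escaping quotes by hand is not a substitute: it has to be right for every interpreter dialect and every call site, whereas a parameterized query removes the problem structurally.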
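For 3.8.2, an added example that is not from the guide: a minimal server-side session store with unguessable tokens, idle expiry and token rotation, plus a login routine with a per-account lockout against brute forcing. The SessionStore and Authenticator classes, the fake clock and the sample credentials are all assumptions made for this illustration; a real deployment would also hash stored passwords and carry the token in an HttpOnly, Secure cookie.

```python
import hmac
import secrets
import time


class SessionStore:
    """Server-side session store (hypothetical): the client holds only an opaque
    random token; the user identity and expiry stay on the server."""

    def __init__(self, ttl_seconds=1800, now=time.time):
        self.ttl = ttl_seconds
        self.now = now                 # injectable clock so expiry is testable
        self._sessions = {}            # token -> (username, expiry timestamp)

    def create(self, username):
        # 32 bytes from the OS CSPRNG: not guessable the way a counter or a
        # hash of the username would be.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self.now() + self.ttl)
        return token

    def lookup(self, token):
        """Return the username for a live token, or None if unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if self.now() > expiry:
            del self._sessions[token]  # idle sessions die, limiting a stolen token's value
            return None
        return username

    def rotate(self, token):
        """Swap a token for a fresh one after login or a privilege change, so a
        token the attacker planted or captured earlier stops working."""
        username = self.lookup(token)
        if username is None:
            return None
        del self._sessions[token]
        return self.create(username)


class Authenticator:
    """Password login with a per-account lockout that blunts brute-force guessing."""

    def __init__(self, credentials, sessions, max_failures=5,
                 lockout_seconds=900, now=time.time):
        self._creds = credentials      # username -> password (constructed sample;
                                       # a real system stores salted hashes)
        self._sessions = sessions
        self.max_failures = max_failures
        self.lockout = lockout_seconds
        self.now = now
        self._failures = {}            # username -> (failure count, locked_until)

    def login(self, username, password):
        """Return a session token on success, None on failure or while locked."""
        now = self.now()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return None                # locked: even the right password is refused
        if locked_until:
            count = 0                  # earlier lockout has expired; count afresh
        expected = self._creds.get(username, "")
        # compare_digest runs in time independent of where the strings differ,
        # so response timing does not leak how much of the guess was right.
        ok = username in self._creds and hmac.compare_digest(
            expected.encode(), password.encode())
        if ok:
            self._failures.pop(username, None)
            return self._sessions.create(username)  # fresh token on every login
        count += 1
        locked_until = now + self.lockout if count >= self.max_failures else 0.0
        self._failures[username] = (count, locked_until)
        return None


def demo():
    """Constructed scenario driven by a fake clock; returns a dict of checks."""
    clock = [1000.0]
    now = lambda: clock[0]
    store = SessionStore(ttl_seconds=60, now=now)
    auth = Authenticator({"alice": "correct horse"}, store,
                         max_failures=3, lockout_seconds=300, now=now)
    out = {}
    token = auth.login("alice", "correct horse")
    out["login_ok"] = token is not None
    out["lookup_ok"] = store.lookup(token) == "alice"
    rotated = store.rotate(token)
    out["old_token_dead"] = store.lookup(token) is None
    out["new_token_alive"] = store.lookup(rotated) == "alice"
    clock[0] += 61                     # idle past the TTL
    out["expired"] = store.lookup(rotated) is None
    out["guesses_fail"] = all(auth.login("alice", g) is None for g in "abc")
    out["locked_out"] = auth.login("alice", "correct horse") is None
    clock[0] += 301                    # lockout window passes
    out["unlocked"] = auth.login("alice", "correct horse") is not None
    return out


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The two halves answer the two scenarios in the text: a random, expiring, rotated token is what makes a session identifier hard to guess or reuse, and the lockout caps how many guesses an online brute-force attack gets. Note the trade-off a practitioner has to weigh: a hard per-account lockout lets an attacker lock a victim out on purpose, so production systems usually pair it with per-source rate limiting or progressive delays rather than relying on lockout alone.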