OWASP Top 10


Every few years OWASP publishes the OWASP Top 10, a ranked list of the most critical security risks to web applications. The entries are categories of weakness rather than individual exploits, and the list is meant to help security analysts and developers check the applications they have deployed, or are about to deploy, for these classes of flaw.
The list below is the 2017 edition of the OWASP Top 10:

1) Injection
Injection flaws occur when untrusted input is sent to an interpreter (a SQL or NoSQL database, an OS shell, an LDAP server) as part of a command or query, so that characters chosen by the attacker change what the command does. The result ranges from reading or modifying data the application never intended to expose, to crashing the application, to running commands on the server. SQL injection has been understood for well over a decade, yet it still needs fixing in many applications across the internet because queries are still being built by string concatenation.
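The following is an added example, not code from the original post: a minimal login check written twice against a constructed in-memory SQLite table, once with the query built by string formatting and once with a parameterised query. The table, the two accounts and the payload are all made up for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string formatting: the database parses whatever
    the caller typed as SQL syntax, so a quote and an OR rewrite the WHERE
    clause instead of being compared as data."""
    query = (
        "SELECT name FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Parameterised query: the statement text is fixed and the values
    travel separately, so they can only ever be compared as data."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


# Classic payload: closes the password string and appends a tautology, so
# the vulnerable query becomes
#   ... WHERE name = 'alice' AND password = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"


def demo():
    conn = build_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, "alice", PAYLOAD),
        "safe_with_payload": login_safe(conn, "alice", PAYLOAD),
        "safe_with_real_password": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the payload, the formatted query matches every row (AND binds tighter than OR, so the tautology wins), while the parameterised version returns nothing because it looks for a user whose password literally is `' OR '1'='1`. The same rule applies to every interpreter: keep the command fixed and pass data through the driver's placeholder mechanism.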

2) Broken Authentication
When login, session management or credential recovery is implemented incorrectly (weak or default passwords accepted, no limit on guessing, session identifiers exposed in URLs, sessions that never expire), an attacker can take over other users' accounts, and with them all the personal data those accounts hold.

3) Sensitive Data Exposure
Many applications and APIs transmit or store sensitive data (credentials, card numbers, health records) in clear text or with weak encryption. An attacker who can observe the traffic, for example by proxying the API calls of a mobile app, simply reads the data off the wire.
(More on https://vapthacker.blogspot.in/2018/02/api-sniffing-using-fiddler.html)

4) XML External Entities (XXE)
XML documents can declare entities in their DOCTYPE header, and an external entity can point at a local file or a remote URL. If the XML parser resolves such entities in attacker-supplied input, the attacker can read files from the server, make the server send requests to internal hosts, or exhaust its memory with recursively expanding entities. Many XML processors, especially older ones or ones left in their default configuration, do resolve them, which makes this one of the most dangerous categories in the list.
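An added example (not from the original post) of what an XXE payload looks like and of the standard hardening. It uses Python's built-in expat binding; the payload, the benign document and the function names are constructed for the demonstration. Note that expat does not fetch external entities unless the program installs a handler for them, whereas libxml2-based, Java and .NET parsers have historically done so by default; the guard below is the same rule regardless of parser, and it is what the defusedxml library's forbid_dtd option enforces.

```python
import xml.parsers.expat

# Constructed XXE payload: declares an external entity that points at a
# local file and references it inside the document body.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<order><note>&xxe;</note></order>
"""

BENIGN = b"<order><note>thanks</note></order>"


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE declaration."""


def list_entity_declarations(data):
    """Report every entity declared in the document as (name, system_id)
    without resolving any of them. Useful for logging, or as a pre-check in
    front of a parser that would resolve them."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, is_param, value, base, system_id, public_id,
                       notation_name):
        found.append((name, system_id))

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return found


def parse_text_safe(data):
    """Parse untrusted XML and return its character data, refusing any
    document with a DOCTYPE. Without a DTD there is nowhere to declare an
    entity, so neither external fetches nor entity-expansion bombs are
    possible."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DTDForbidden("DOCTYPE is not accepted from untrusted input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks).strip()


def accepts(data):
    """True if parse_text_safe processes the document, False if it rejects it."""
    try:
        parse_text_safe(data)
        return True
    except DTDForbidden:
        return False


if __name__ == "__main__":
    print(list_entity_declarations(XXE_PAYLOAD))
    print(parse_text_safe(BENIGN))
    print(accepts(XXE_PAYLOAD))
```

Rejecting the DOCTYPE outright is simpler and safer than trying to whitelist entity types; if an application genuinely needs a DTD, disable external entity resolution and external DTD loading in the parser instead.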

5) Broken Access Control
Once logged in, a user is allowed to perform various operations such as changing an email address or password. Authentication establishes who the user is; access control must additionally check, on every request, that this user is permitted to act on this particular record. If the server trusts identifiers taken from the request (a user id in the URL or the body) instead of the authenticated session, a user can modify those values and read or change someone else's data. Admin-only functions reachable without a server-side role check fall into the same category.
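An added example, not code from the original post, of the check that is missing in this category. The user store, the route and the "session" (just the authenticated user's id) are constructed for the demonstration; the point is that the target record comes from the URL, the caller from the session, and the two are compared before anything is returned or changed.

```python
import re

# Constructed user store; the "session" is just the authenticated user's id.
USERS = {
    1: {"name": "alice", "email": "alice@example.com", "role": "user"},
    2: {"name": "bob", "email": "bob@example.com", "role": "user"},
    3: {"name": "carol", "email": "carol@example.com", "role": "admin"},
}


class Forbidden(Exception):
    pass


def get_profile_vulnerable(session_user_id, requested_user_id):
    """Checks that *a* user is logged in, not *which* user: anyone can read
    any profile by changing the id in the request (an insecure direct
    object reference)."""
    if session_user_id not in USERS:
        raise Forbidden("login required")
    return USERS[requested_user_id]


def authorise(session_user_id, target_user_id):
    """Central rule: owners may act on their own record, admins on any."""
    caller = USERS.get(session_user_id)
    if caller is None:
        raise Forbidden("login required")
    if session_user_id != target_user_id and caller["role"] != "admin":
        raise Forbidden(
            "user %d may not access user %d" % (session_user_id, target_user_id)
        )
    return caller


ROUTE = re.compile(r"^/users/(\d+)$")


def handle(session_user_id, method, path, body=None):
    """Tiny request handler. The target record comes from the URL and the
    caller from the session; an "id" field in the body is ignored on
    purpose so it cannot override either."""
    match = ROUTE.match(path)
    if match is None:
        raise KeyError(path)
    target = int(match.group(1))
    authorise(session_user_id, target)  # deny by default, before any work
    if method == "GET":
        return dict(USERS[target])
    if method == "PUT":
        USERS[target]["email"] = body["email"]
        return dict(USERS[target])
    raise KeyError(method)


def allowed(session_user_id, method, path, body=None):
    """True if the request passes the access check, False if it is refused."""
    try:
        handle(session_user_id, method, path, body)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print(get_profile_vulnerable(2, 1))            # bob reads alice's profile
    print(allowed(2, "GET", "/users/1"))          # False with the check
    print(allowed(3, "GET", "/users/1"))          # admin: True
```

Keeping the rule in one function (authorise) and calling it before any data access is what makes the check reviewable and testable; scattering ad-hoc comparisons across handlers is how records get missed.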

6) Security Misconfiguration
Security misconfiguration covers insecure defaults and incomplete setups anywhere in the stack: default accounts left enabled, directory listings or verbose error messages exposed, unnecessary services and features switched on, cookies without the Secure and HttpOnly flags, missing security headers, or frameworks and servers left unpatched. Each of these can hand an attacker sensitive information or a foothold.

7) Cross Site Scripting 
Cross-Site Scripting (XSS) is an injection flaw in which attacker-controlled input is placed into a page without proper escaping, so the victim's browser runs it as script in the context of the trusted website. By sending the victim a crafted URL (reflected XSS) or storing the payload in the site itself (stored XSS), the attacker can show his own content on the trusted page, redirect the user, or steal the session cookie and hijack the session.
(More on: https://vapthacker.blogspot.in/2018/02/cross-site-scripting.html)
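An added example, not from the original post, of the server-side fix: escaping output for the context it lands in. The page fragments, payloads and function names are constructed for the demonstration. It goes slightly beyond the text by including the URL-attribute case, where escaping alone is not enough.

```python
import html
from urllib.parse import urlsplit


def render_search_vulnerable(query):
    """Reflects the query straight into the page: the browser parses any
    tags in it as markup and executes any script."""
    return "<p>Results for %s</p>" % query


def render_search_safe(query):
    """HTML-escapes the value for an element body. quote=True also escapes
    quotes, so the same call is safe inside a quoted attribute."""
    return "<p>Results for %s</p>" % html.escape(query, quote=True)


def render_input_safe(value):
    """Attribute context: the closing quote and the event handler in an
    attacker's value come out as &quot;, so they never leave the attribute."""
    return '<input name="q" value="%s">' % html.escape(value, quote=True)


SAFE_SCHEMES = {"http", "https", ""}  # "" admits relative links like /search


def render_link_safe(url, label):
    """A URL attribute needs more than escaping: `javascript:alert(1)`
    contains no HTML metacharacters, so html.escape leaves it intact and
    the browser still runs it on click. Validate the scheme, then escape."""
    candidate = url.strip()
    if urlsplit(candidate).scheme.lower() not in SAFE_SCHEMES:
        candidate = "#"
    return '<a href="%s">%s</a>' % (
        html.escape(candidate, quote=True),
        html.escape(label, quote=True),
    )


if __name__ == "__main__":
    print(render_search_vulnerable("<script>alert(1)</script>"))
    print(render_search_safe("<script>alert(1)</script>"))
    print(render_input_safe('" onmouseover="alert(1)'))
    print(render_link_safe("javascript:alert(document.cookie)", "click me"))
```

Use your template engine's auto-escaping rather than hand-calling the escape function everywhere, and add a Content-Security-Policy header so that a missed spot does not immediately become script execution.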

8) Insecure Deserialization
An object is serialized (converted to a byte or text representation such as Java serialization, PHP serialize, Python pickle or JSON) when it is sent to the server, and converted back by deserialization on the server side. If the server deserializes untrusted input and the format lets the data name classes or callables, an attacker can send a crafted object whose deserialization runs code of his choosing, giving remote code execution. Even where code execution is not possible, tampered objects can be replayed to escalate privileges or bypass checks.
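An added example, not code from the original post, using Python's pickle format. The exploit class, the marker it sets, the allow-list and the demo key are constructed for the demonstration; a real payload would name os.system and a shell command where this one evaluates a harmless expression.

```python
import hashlib
import hmac
import io
import json
import os
import pickle


class Exploit:
    """A pickle can tell the loader how to rebuild an object: a callable
    plus its arguments. The loader calls it, so the callable can be anything
    importable, not just a constructor."""

    def __reduce__(self):
        # Harmless stand-in for os.system: sets a marker in the environment
        # so the side effect is observable without running a shell.
        expr = "__import__('os').environ.setdefault('PWNED_BY_PICKLE', '1')"
        return (eval, (expr,))


def build_malicious_pickle():
    return pickle.dumps(Exploit())


def marker_present():
    return os.environ.get("PWNED_BY_PICKLE") == "1"


def deserialize_vulnerable(blob):
    """Trusts the blob completely: the attacker's callable runs during load."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolves globals on an allow-list, so a blob can reference plain
    data types but never eval, os.system or any other callable."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set"),
               ("builtins", "tuple"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is not allowed" % (module, name))


def deserialize_restricted(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def restricted_rejects(blob):
    try:
        deserialize_restricted(blob)
        return False
    except pickle.UnpicklingError:
        return True


def build_benign_pickle():
    return pickle.dumps({"a": [1, 2]})


# Preferred design: a data-only format (JSON) that cannot name code at all,
# plus an HMAC so a tampered or forged blob is rejected before parsing.
DEMO_KEY = b"constructed-demo-key-use-a-random-one"


def serialize_signed(obj, key=DEMO_KEY):
    payload = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return tag + b"." + payload


def deserialize_signed(blob, key=DEMO_KEY):
    tag, _, payload = blob.partition(b".")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch: blob was tampered with or forged")
    return json.loads(payload)


def signed_rejects(blob, key=DEMO_KEY):
    try:
        deserialize_signed(blob, key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    blob = build_malicious_pickle()
    print(deserialize_vulnerable(blob), marker_present())   # code ran
    print(restricted_rejects(blob))                          # True
    signed = serialize_signed({"role": "user"})
    print(signed_rejects(signed.replace(b'"user"', b'"admin"')))  # True
```

The allow-list unpickler is a mitigation for code you cannot rewrite; the signed-JSON design is the real fix, because the format has no way to express "call this function" and any change to the payload breaks the tag.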

9) Using Components with Known Vulnerabilities
Vulnerabilities in libraries, frameworks and server software are published continuously, yet many companies rarely update their software and servers. Once a vulnerability is public, exploit code usually follows, and tools such as Metasploit let an attacker run it against any unpatched system with little effort. Keeping an inventory of the components in use and their versions, and patching promptly, is the defence.

10) Insufficient Logging & Monitoring
As OWASP puts it: "Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring."
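An added example, not from the original post, of the kind of monitoring this category asks for: a sliding-window detector run over a handful of constructed authentication log lines. The log format, addresses, account names and thresholds are all made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log: one address hammering several accounts,
# a legitimate user mistyping once, then the attacker succeeding.
LOG_LINES = """\
2018-02-10T09:00:01Z login_failed user=alice src=198.51.100.7
2018-02-10T09:00:02Z login_failed user=bob src=198.51.100.7
2018-02-10T09:00:04Z login_failed user=carol src=198.51.100.7
2018-02-10T09:00:05Z login_failed user=dave src=203.0.113.5
2018-02-10T09:00:06Z login_failed user=dave src=198.51.100.7
2018-02-10T09:00:08Z login_failed user=erin src=198.51.100.7
2018-02-10T09:00:09Z login_ok user=dave src=203.0.113.5
2018-02-10T09:00:12Z login_ok user=erin src=198.51.100.7
""".splitlines()

LINE = re.compile(r"^(\S+) (login_failed|login_ok) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return (timestamp, event, user, src) or None for lines that do not
    match the constructed format."""
    m = LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window detector keyed on source address.

    Emits ("bruteforce", src, failures, distinct_users) once `threshold`
    failures from one address fall inside `window`, and
    ("success_after_failures", src, user) when that address then logs in
    successfully, which is the moment to page the response team rather
    than discover the breach 200 days later."""
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    users_hit = defaultdict(set)  # src -> accounts tried
    alerts = []
    flagged = set()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unparseable lines are skipped, never crash the pipeline
        ts, kind, user, src = event
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if kind == "login_failed":
            q.append(ts)
            users_hit[src].add(user)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, len(q), len(users_hit[src])))
        elif kind == "login_ok" and src in flagged:
            alerts.append(("success_after_failures", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

The detector only works if the application writes the events in the first place, with a timestamp, the outcome, the account and the source address, and if somebody is wired up to receive the alerts; that integration with incident response is the part the OWASP text says is usually missing.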
