OWASP
Top 10 - 2013
Colin Harrington
4/16/2014
A1: Injection
SQL
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") +"'";
http://example.com/app/accountView?id=' or '1'='1
"cp $filename /tmp/something;".execute()
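Added example (not from the slides): the concatenated query shown above run against an in-memory SQLite table seeded with constructed rows, beside the parameterized form (the equivalent of a Java PreparedStatement). The table name, column names and sample rows are assumptions for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the slides).
ACCOUNTS = [
    ("1001", "alice"),
    ("1002", "bob"),
    ("1003", "carol"),
]


def make_db():
    """In-memory accounts table seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, cust_id):
    """Mirrors the slide's string-concatenated query: the id text is parsed as SQL."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id):
    """Fixed form: the id is bound as a value and can never change the query's structure."""
    query = "SELECT * FROM accounts WHERE custID=?"
    return conn.execute(query, (cust_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"  # the id value from the slide's example URL
    print(lookup_vulnerable(db, "1001"))      # one row
    print(lookup_vulnerable(db, payload))     # every row: the WHERE clause is always true
    print(lookup_parameterized(db, "1001"))   # one row
    print(lookup_parameterized(db, payload))  # no rows: no custID literally equals the payload
```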
A2: Broken Authentication and Session Management
Session ID
Session Fixation
Timeout
Rotated on Login
http://example.com/sale/saleitems;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii
Account Management
Weak Account Management
Password recovery
SSO (Single Sign-On)
Unencrypted transports
A3: Cross-Site Scripting (XSS)
unescaped data
JavaScript, DOM injection, etc.
A4: Insecure Direct Object References
Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for. Is access granted?
Multi-tenancy
HIPAA
http://example.com/app/accountInfo?acct=notmyacct
Updating bad references.
A5: Security Misconfiguration
- Software
- Firewall holes
- Default accounts
- Revealing stack traces
- Insecure configuration
A6: Sensitive Data Exposure
Clear text storage/transport
Unencrypted Payment Card Information
Transport MITM
A7: Missing Function Level Access Control
Lack of server-side Access Control
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
http://example.com/app/addRole/Admin
A8: Cross-Site Request Forgery (CSRF)
Attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques. If the user is authenticated, the attack succeeds.
<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
A9: Using Components with Known Vulnerabilities
A10: Unvalidated Redirects and Forwards
Attacker links to unvalidated redirect and tricks victims into clicking it. Victims are more likely to click on it, since the link is to a valid site. Attacker targets unsafe forward to bypass security checks.
http://www.example.com/redirect.jsp?url=evil.com
https://www.owasp.org
Shamelessly paraphrased from:
https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013