Q:: =============================================
A:: =============================================
A non-profit organization providing free resources on web application security.
Example: OWASP offers tools like ZAP (Zed Attack Proxy) for security testing.
Q:: =============================================
A:: =============================================
A regularly updated list of the most critical web application security risks.
Example: "Broken Access Control" was the top risk in the 2021 edition.
Q:: =============================================
A:: =============================================
The most critical web application security risk, involving unauthorized access to resources or actions.
Example: A regular user accessing admin functions by modifying the URL.
Q:: =============================================
A:: =============================================
To enforce user permissions and prevent unauthorized actions.
Example: Ensuring only HR staff can access employee salary information.
Q:: =============================================
A:: =============================================
Granting users only the minimum permissions necessary for their tasks.
Example: Giving a content editor rights to edit articles but not system settings.
Q:: =============================================
A:: =============================================
By manipulating requests, URLs, or application state.
Example: Changing a user ID in a URL to access another user's profile.
Q:: =============================================
A:: =============================================
Exposing internal implementation objects without access checks.
Example: Accessing order #123 by changing URL from order/789 to order/123.
Q:: =============================================
A:: =============================================
To prevent unauthorized data modification or deletion.
Example: Ensuring only account owners can delete their own posts.
Q:: =============================================
A:: =============================================
Gaining higher-level permissions than intended.
Example: A regular user accessing admin features by modifying a cookie.
Q:: =============================================
A:: =============================================
By altering tokens or hidden fields to gain unauthorized access.
Example: Modifying a JWT's claims to change user roles or permissions.
Q:: =============================================
A:: =============================================
Improper setup of Cross-Origin Resource Sharing, allowing unauthorized access.
Example: A misconfigured API accepting requests from any origin, not just trusted ones.
Q:: =============================================
A:: =============================================
Attempting to access restricted pages by guessing URLs.
Example: A user trying to access "/admin" pages without proper authentication.
Q:: =============================================
A:: =============================================
In trusted server-side code or a serverless API.
Example: Implementing user role checks in backend PHP code, not in JavaScript.
Q:: =============================================
A:: =============================================
Deny access by default, except for public resources.
Example: Requiring authentication for all pages except the homepage and login page.
Q:: =============================================
A:: =============================================
Implement once and reuse throughout the application.
Example: Creating a central authorization service used by all app modules.
Q:: =============================================
A:: =============================================
Log failures and trigger alerts for administrators.
Example: Sending an email to admins after 5 failed access attempts in 1 minute.
Q:: =============================================
A:: =============================================
To minimize harm from automated attacks and prevent abuse.
Example: Limiting API calls to 100 per hour per user.
Q:: =============================================
A:: =============================================
Invalidate on the server; use short-lived JWTs for stateless sessions.
Example: Deleting session data from the server when a user logs out.
Q:: =============================================
A:: =============================================
To ensure correct implementation and detect unauthorized access attempts.
Example: Writing unit tests to verify admin functions are inaccessible to regular users.
Q:: =============================================
The application uses unverified data in a SQL call that is accessing account information:
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
An attacker simply modifies the browser's 'acct' parameter to send whatever account number they want. If not correctly verified, the attacker can access any user's account.
https://example.com/app/accountInfo?acct=notmyacct
A:: =============================================
A01 Broken Access Control
Q:: =============================================
An attacker simply forces browsing to target URLs. Admin rights are required for access to the admin page.
https://example.com/app/getappInfo
https://example.com/app/admin_getappInfo
- If an unauthenticated user can access either page, it's a flaw.
- If a non-admin can access the admin page, this is a flaw.
A:: =============================================
A01 Broken Access Control
Q:: =============================================
A:: =============================================
Security issues related to cryptography, often leading to data exposure.
Example: Using outdated hash functions like MD5 for password storage.
Q:: =============================================
A:: =============================================
Sensitive information like passwords, credit card numbers, and personal data.
Example: Encrypting social security numbers before storing in a database.
Q:: =============================================
A:: =============================================
It's vulnerable to interception, especially over external networks.
Example: Sending login credentials over HTTP instead of HTTPS.
Q:: =============================================
A:: =============================================
They may have known vulnerabilities, making data easier to compromise.
Example: Using DES encryption, which is now considered insecure.
Q:: =============================================
A:: =============================================
To prevent unauthorized access and ensure cryptographic integrity.
Example: Regularly rotating encryption keys and securely storing them.
Q:: =============================================
A:: =============================================
In all data transmissions, both external and internal.
Example: Using TLS for communication between web servers and databases.
Q:: =============================================
A:: =============================================
They should be properly validated to prevent man-in-the-middle attacks.
Example: Checking certificate expiration dates and trusted certificate authorities.
Q:: =============================================
A:: =============================================
To ensure unique encryption results, even for identical data.
Example: Using a unique IV for each AES encryption operation.
Q:: =============================================
A:: =============================================
It can lead to weak encryption if not properly processed.
Example: Directly using a user's password to encrypt files, instead of deriving a key.
Q:: =============================================
A:: =============================================
To prevent predictability in security-critical operations.
Example: Using a cryptographically secure random number generator for session tokens.
Q:: =============================================
A:: =============================================
They may leak information useful for attacks.
Example: A padding oracle attack exploiting detailed decryption error messages.
Q:: =============================================
A:: =============================================
In OWASP resources like ASVS Crypto, Data Protection, and SSL/TLS sections.
Example: Consulting ASVS V7 for proper key management practices.
Q:: =============================================
A:: =============================================
Classify data and identify sensitive information.
Example: Categorizing customer data as public, internal, or confidential.
Q:: =============================================
A:: =============================================
To reduce the risk and impact of potential data breaches.
Example: Deleting credit card details after a transaction is completed.
Q:: =============================================
A:: =============================================
To protect data even if physical storage is compromised.
Example: Encrypting stored passwords in case the database is stolen.
Q:: =============================================
A:: =============================================
To prevent sensitive data from being stored in insecure locations.
Example: Setting 'Cache-Control: no-store' for pages with personal info.
Q:: =============================================
A:: =============================================
To ensure appropriate protection levels for different data types.
Example: Using multi-factor authentication for accessing financial records.
Q:: =============================================
A:: =============================================
They lack modern security features and encryption.
Example: Using SFTP instead of FTP for file transfers.
Q:: =============================================
A:: =============================================
To make password recovery from hashes extremely difficult.
Example: Using bcrypt instead of MD5 for password storage.
Q:: =============================================
A:: =============================================
Authenticated encryption, ensuring both confidentiality and integrity.
Example: Using AES-GCM instead of AES-CBC for data protection.
Q:: =============================================
A:: =============================================
Generated randomly and stored securely as byte arrays.
Example: Using a hardware security module (HSM) to generate and store keys.
Q:: =============================================
A:: =============================================
To ensure they're functioning correctly and providing intended protection.
Example: Using third-party security audits to verify TLS configurations.
Q:: =============================================
An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing a SQL injection flaw to retrieve credit card numbers in clear text.
A:: =============================================
A02 Cryptographic Failures
Q:: =============================================
A site doesn't use or enforce TLS for all pages or supports weak encryption. An attacker monitors network traffic (e.g., at an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests, and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above they could alter all transported data, e.g., the recipient of a money transfer.
A:: =============================================
A02 Cryptographic Failures
Q:: =============================================
The password database uses unsalted or simple hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. All the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes. Hashes generated by simple or fast hash functions may be cracked by GPUs, even if they were salted.
A:: =============================================
A02 Cryptographic Failures
Q:: =============================================
A:: =============================================
Vulnerabilities allowing attackers to insert malicious code into applications.
Example: SQL injection attack manipulating a database query.
Q:: =============================================
A:: =============================================
Improper handling of user-supplied data in queries or commands.
Example: Directly concatenating user input into an SQL query.
Q:: =============================================
A:: =============================================
Queries separating data from SQL commands, preventing injection.
Example: Using prepared statements in Java with JDBC.
Q:: =============================================
A:: =============================================
By manipulating search parameters to access unauthorized data.
Example: Modifying an ORM query to bypass filters and access all records.
Q:: =============================================
A:: =============================================
SQL, NoSQL, OS command, LDAP, and Expression Language injection.
Example: OS command injection in a file upload feature.
Q:: =============================================
A:: =============================================
Through source code review and automated security testing.
Example: Using SAST tools to analyze code for potential SQL injection points.
Q:: =============================================
A:: =============================================
Escape them using the specific syntax for that interpreter.
Example: Using MySQLi's real_escape_string() for MySQL queries in PHP.
Q:: =============================================
A:: =============================================
They can't be safely escaped, allowing potential schema manipulation.
Example: Allowing users to specify table names in a custom report builder.
Q:: =============================================
A:: =============================================
Use SQL controls like LIMIT to restrict query results.
Example: Adding "LIMIT 1000" to queries to cap the number of returned records.
Q:: =============================================
An application uses untrusted data in the construction of the following vulnerable SQL call:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
A:: =============================================
A03 Injection
Q:: =============================================
Similarly, an application's blind trust in frameworks may result in queries that are still vulnerable (e.g., Hibernate Query Language (HQL)):
Query HQLQuery = session.createQuery("FROM accounts WHERE custID='" + request.getParameter("id") + "'");
In both cases, the attacker modifies the 'id' parameter value in their browser to send: ' UNION SLEEP(10);--. For example:
http://example.com/app/accountView?id=' UNION SELECT SLEEP(10);--
This changes the meaning of both queries to return all the records from the accounts table. More dangerous attacks could modify or delete data or even invoke stored procedures.
A:: =============================================
A03 Injection
Q:: =============================================
A:: =============================================
A category of security risks resulting from missing or ineffective security controls in software design.
Example: A banking app allowing unlimited login attempts without lockouts.
Q:: =============================================
A:: =============================================
Design flaws are in the system's architecture; implementation flaws are in the code.
Example: Designing a system without access controls vs. incorrectly coding access checks.
Q:: =============================================
A:: =============================================
Yes, through implementation errors, but they're easier to fix than design flaws.
Example: A well-designed authentication system with a bug in password hashing.
Q:: =============================================
A:: =============================================
Lack of risk assessment and security planning in early development stages.
Example: Not considering potential data breaches when designing a user database.
Q:: =============================================
A:: =============================================
By involving security experts from project inception to completion.
Example: Having security reviews at each stage of an agile development process.
Q:: =============================================
A:: =============================================
A collection of pre-approved, secure software components that developers can use.
Example: A library containing a properly implemented password hashing function.
Q:: =============================================
A:: =============================================
By identifying potential threats to critical aspects of the application early in development.
Example: Analyzing possible attacks on a new payment processing feature.
Q:: =============================================
A:: =============================================
To ensure security is considered from the beginning of the development process.
Example: Including "verify user identity" in a story about account creation.
Q:: =============================================
A:: =============================================
Validations at each tier of the app to ensure inputs and processes are correct and secure.
Example: Checking if a user's age input is within a reasonable range.
Q:: =============================================
A:: =============================================
Separating application layers based on their exposure and protection needs.
Example: Isolating the database server from direct internet access.
Q:: =============================================
A:: =============================================
By preventing denial of service and ensuring fair usage across users or services.
Example: Setting a maximum number of API calls per user per minute.
Q:: =============================================
A credential recovery workflow might include "questions and answers," which is prohibited by NIST 800-63b, the OWASP ASVS, and the OWASP Top 10. Questions and answers cannot be trusted as evidence of identity as more than one person can know the answers, which is why they are prohibited. Such code should be removed and replaced with a more secure design.
A:: =============================================
A04 Insecure Design
Q:: =============================================
A cinema chain allows group booking discounts and has a maximum of fifteen attendees before requiring a deposit. Attackers could threat model this flow and test if they could book six hundred seats and all cinemas at once in a few requests, causing a massive loss of income.
A:: =============================================
A04 Insecure Design
Q:: =============================================
A retail chain's e-commerce website does not have protection against bots run by scalpers buying high-end video cards to resell on auction websites. This creates terrible publicity for the video card makers and retail chain owners and enduring bad blood with enthusiasts who cannot obtain these cards at any price. Careful anti-bot design and domain logic rules, such as purchases made within a few seconds of availability, might identify inauthentic purchases and reject such transactions.
A:: =============================================
A04 Insecure Design
Q:: =============================================
A:: =============================================
Vulnerabilities resulting from improper configuration of application components.
Example: Using default credentials on a production database server.
Q:: =============================================
A:: =============================================
To reduce vulnerabilities by properly configuring all components of the application.
Example: Disabling unnecessary services on a web server.
Q:: =============================================
A:: =============================================
Improper permission settings can allow unauthorized access to resources.
Example: Accidentally making an S3 bucket publicly readable.
Q:: =============================================
A:: =============================================
To reduce the attack surface and minimize potential vulnerabilities.
Example: Disabling unused modules in a content management system.
Q:: =============================================
A:: =============================================
They may reveal sensitive information that aids attackers in exploiting vulnerabilities.
Example: A database error exposing table names and query structure.
Q:: =============================================
A:: =============================================
To protect against newly discovered threats and vulnerabilities.
Example: Enabling HTTP Strict Transport Security (HSTS) on a web server.
Q:: =============================================
A:: =============================================
All components including servers, frameworks, libraries, and databases.
Example: Configuring proper access controls in a MySQL database.
Q:: =============================================
A:: =============================================
They instruct the client's browser to enable specific security controls.
Example: Using the X-Frame-Options header to prevent clickjacking attacks.
Q:: =============================================
A:: =============================================
It patches known vulnerabilities and adds new security features.
Example: Updating a WordPress installation to fix a known SQL injection flaw.
Q:: =============================================
A:: =============================================
A standardized method to quickly deploy secure environments across development, QA, and production.
Example: Using automated scripts to apply security settings on all new servers.
Q:: =============================================
A:: =============================================
A design that separates components or tenants to limit the impact of potential breaches.
Example: Using separate databases for different customer groups in a SaaS application.
Q:: =============================================
A:: =============================================
It reduces the risk of security issues when moving from development to production.
Example: Using the same firewall rules in development and production environments.
Q:: =============================================
A:: =============================================
By isolating applications and their dependencies, reducing the impact of potential breaches.
Example: Running different microservices in separate Docker containers.
Q:: =============================================
A:: =============================================
They provide a way to control network access to cloud resources, enhancing security.
Example: Using AWS security groups to limit database access to specific application servers.
Q:: =============================================
The application server comes with sample applications not removed from the production server. These sample applications have known security flaws attackers use to compromise the server. Suppose one of these applications is the admin console, and default accounts weren't changed. In that case, the attacker logs in with default passwords and takes over.
A:: =============================================
A05 Security Misconfiguration
Q:: =============================================
Directory listing is not disabled on the server. An attacker discovers they can simply list directories. The attacker finds and downloads the compiled Java classes, which they decompile and reverse engineer to view the code. The attacker then finds a severe access control flaw in the application.
A:: =============================================
A05 Security Misconfiguration
Q:: =============================================
The application server's configuration allows detailed error messages, e.g., stack traces, to be returned to users. This potentially exposes sensitive information or underlying flaws such as component versions that are known to be vulnerable.
A:: =============================================
A05 Security Misconfiguration
Q:: =============================================
A cloud service provider (CSP) has default sharing permissions open to the Internet by other CSP users. This allows sensitive data stored within cloud storage to be accessed.
A:: =============================================
A05 Security Misconfiguration
Q:: =============================================
A:: =============================================
Software elements with known security flaws or lacking necessary updates.
Example: Using an old version of jQuery with a known XSS vulnerability.
Q:: =============================================
A:: =============================================
To identify and address potential vulnerabilities quickly.
Example: Maintaining a list of all npm packages and their versions used in a project.
Q:: =============================================
A:: =============================================
By regularly scanning for vulnerabilities and subscribing to security bulletins.
Example: Using tools like OWASP Dependency-Check in your CI/CD pipeline.
Q:: =============================================
A:: =============================================
By testing the compatibility and security of updated libraries.
Example: Running a full test suite after updating a critical framework.
Q:: =============================================
A:: =============================================
Unused dependencies, features, components, files, and documentation.
Example: Removing unused modules from a content management system.
Q:: =============================================
A:: =============================================
By monitoring them closely and considering virtual patching when updates aren't possible.
Example: Using a Web Application Firewall to mitigate a vulnerability in a legacy library.
Q:: =============================================
Components typically run with the same privileges as the application itself, so flaws in any component can result in serious impact. Such flaws can be accidental (e.g., coding error) or intentional (e.g., a backdoor in a component). Some example exploitable component vulnerabilities discovered are:
- CVE-2017-5638, a Struts 2 remote code execution vulnerability that enables the execution of arbitrary code on the server, has been blamed for significant breaches.
- While the internet of things (IoT) is frequently difficult or impossible to patch, the importance of patching them can be great (e.g., biomedical devices).
There are automated tools to help attackers find unpatched or misconfigured systems. For example, the Shodan IoT search engine can help you find devices that still suffer from the Heartbleed vulnerability, patched in April 2014.
A:: =============================================
A06 Vulnerable and Outdated Components
Q:: =============================================
A:: =============================================
Weaknesses in systems that verify user identity and manage user sessions.
Example: A website that doesn't lock accounts after multiple failed login attempts.
Q:: =============================================
A:: =============================================
To prevent unauthorized access and protect against identity-related attacks.
Example: Ensuring only authorized users can access sensitive financial data.
Q:: =============================================
A:: =============================================
An attack using stolen username/password pairs to gain unauthorized access.
Example: Using leaked email/password combinations to try logging into various websites.
Q:: =============================================
A:: =============================================
They can often be guessed or obtained through social engineering.
Example: Using "mother's maiden name" as a security question, which might be publicly available.
Q:: =============================================
A:: =============================================
It allows anyone with database access to see users' passwords.
Example: Storing user passwords as clear text in a database file.
Q:: =============================================
A:: =============================================
A security system requiring two or more forms of identification to grant access.
Example: Requiring both a password and a fingerprint scan to log in.
Q:: =============================================
A:: =============================================
It can lead to session hijacking and unauthorized access.
Example: Having a URL like "example.com/account?sessionid=1234", which can be easily copied.
Q:: =============================================
A:: =============================================
It can allow unauthorized users to take over authenticated sessions.
Example: Not generating a new session ID after a user logs in, potentially allowing old IDs to remain valid.
Q:: =============================================
A:: =============================================
Systematically trying many passwords to gain unauthorized access.
Example: A program that tries every possible 4-digit PIN on a locked phone.
Q:: =============================================
A:: =============================================
To prevent easy unauthorized access to newly deployed systems.
Example: Changing the default 'admin/admin' credentials on a new router before use.
Q:: =============================================
A:: =============================================
By preventing users from choosing easily guessable passwords.
Example: Rejecting '123456' as a password during account creation.
Q:: =============================================
A:: =============================================
Focusing on length over complexity and avoiding frequent mandatory changes.
Example: Encouraging passphrases like "correct-horse-battery-staple" instead of "P@ssw0rd!".
Q:: =============================================
A:: =============================================
By providing consistent responses regardless of whether an account exists.
Example: Showing "If an account exists, a reset email has been sent" for all reset attempts.
Q:: =============================================
A:: =============================================
To prevent brute force attacks without causing denial of service.
Example: Implementing a 30-second delay after 5 failed login attempts.
Q:: =============================================
A:: =============================================
By comparing against lists of common passwords and using entropy calculations.
Example: Using a password strength meter that checks against a database of breached passwords.
Q:: =============================================
A:: =============================================
To prevent unauthorized access through weak password reset mechanisms.
Example: Sending a time-limited reset link to a pre-registered email address instead of asking security questions.
Q:: =============================================
A:: =============================================
By implementing rate limiting and consistent error responses.
Example: Limiting login API calls to 10 per minute per IP address.
Q:: =============================================
Credential stuffing, the use of lists of known passwords, is a common attack. Suppose an application does not implement automated threat or credential stuffing protection. In that case, the application can be used as a password oracle to determine if the credentials are valid.
A:: =============================================
A07 Identification and Authentication Failures
Q:: =============================================
Most authentication attacks occur due to the continued use of passwords as a sole factor. Once considered best practices, password rotation and complexity requirements encourage users to use and reuse weak passwords. Organizations are recommended to stop these practices per NIST 800-63 and use multi-factor authentication.
A:: =============================================
A07 Identification and Authentication Failures
Q:: =============================================
Application session timeouts aren't set correctly. A user uses a public computer to access an application. Instead of selecting "logout," the user simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and the user is still authenticated.
A:: =============================================
A07 Identification and Authentication Failures
Q:: =============================================
A:: =============================================
Issues related to code and data that can be tampered with due to insufficient verification.
Example: An application accepting software updates without verifying their source.
Q:: =============================================
A:: =============================================
By introducing vulnerabilities or malicious code into the application.
Example: Using a compromised npm package that steals user data.
Q:: =============================================
A:: =============================================
They can allow unauthorized code changes or malicious injections during deployment.
Example: An attacker accessing an unsecured Jenkins server to inject malware into builds.
Q:: =============================================
A:: =============================================
It may apply unverified updates, potentially distributing malware.
Example: A fake update server tricking applications into installing malicious code.
Q:: =============================================
A:: =============================================
Converting serialized data to objects without proper security checks.
Example: A Java application deserializing user-supplied data without validation, allowing code execution.
Q:: =============================================
A:: =============================================
By verifying the authenticity and integrity of software or data.
Example: Verifying a downloaded software package's GPG signature before installation.
Q:: =============================================
A:: =============================================
It helps catch malicious code or configuration changes before they're deployed.
Example: A team member spotting a suspicious API call during a pull request review.
Q:: =============================================
A:: =============================================
By adding integrity checks or digital signatures to detect tampering.
Example: Using HMAC to sign JSON Web Tokens before sending them to clients.
Q:: =============================================
Many home routers, set-top boxes, device firmware, and others do not verify updates via signed firmware. Unsigned firmware is a growing target for attackers and is expected to only get worse. This is a major concern as many times there is no mechanism to remediate other than to fix in a future version and wait for previous versions to age out.
A:: =============================================
A08 Software and Data Integrity Failures
Q:: =============================================
Nation-states have been known to attack update mechanisms, with a recent notable attack being the SolarWinds Orion attack. The company that develops the software had secure build and update integrity processes. Still, these were able to be subverted, and for several months, the firm distributed a highly targeted malicious update to more than 18,000 organizations, of which around 100 or so were affected. This is one of the most far-reaching and most significant breaches of this nature in history.
A:: =============================================
A08 Software and Data Integrity Failures
Q:: =============================================
A React application calls a set of Spring Boot microservices. Being functional programmers, they tried to ensure that their code is immutable. The solution they came up with is serializing the user state and passing it back and forth with each request. An attacker notices the "rO0" Java object signature (in base64) and uses the Java Serial Killer tool to gain remote code execution on the application server.
A:: =============================================
A08 Software and Data Integrity Failures
Q:: =============================================
A:: =============================================
Inadequacies in tracking and responding to security events and incidents.
Example: A system that doesn't log failed login attempts, making it hard to detect brute force attacks.
Q:: =============================================
A:: =============================================
To detect, escalate, and respond to active breaches quickly.
Example: Using log analysis to identify a data exfiltration attempt in real-time.
Q:: =============================================
A:: =============================================
To quickly understand and respond to potential security issues.
Example: A log message stating "User 'john_doe' failed login 5 times in 2 minutes" instead of just "Login error".
Q:: =============================================
A:: =============================================
Loss of critical data if the local system is compromised or fails.
Example: An attacker deleting local logs to cover their tracks after a successful intrusion.
Q:: =============================================
A:: =============================================
By ensuring monitoring systems can detect and alert on simulated attacks.
Example: Verifying that a web application firewall alerts on SQL injection attempts during a pentest.
Q:: =============================================
A:: =============================================
To minimize damage by enabling immediate response to security incidents.
Example: Automatically blocking an IP address when it starts a DDoS attack.
Q:: =============================================
A:: =============================================
To ensure logs are available for future forensic analysis if needed.
Example: Keeping authentication logs for 90 days to investigate potential past breaches.
Q:: =============================================
A:: =============================================
By using tamper-evident logging mechanisms and secure storage.
Example: Using blockchain technology to create an immutable audit log of system changes.
Q:: =============================================
A:: =============================================
All login attempts, access control, and server-side input validation failures with sufficient context.
Example: Logging failed login attempts with username, IP address, and timestamp.
Q:: =============================================
A:: =============================================
To ensure easy consumption by log management solutions for efficient analysis.
Example: Using the Common Log Format for web server logs to facilitate processing by various tools.
Q:: =============================================
A:: =============================================
By properly encoding log data to prevent manipulation of log content or systems.
Example: Escaping special characters in user input before including it in log messages.
Q:: =============================================
A:: =============================================
Mechanisms to prevent tampering or deletion of audit trails for critical operations.
Example: Using an append-only database table to store financial transaction logs.
Q:: =============================================
A:: =============================================
By implementing effective monitoring and alerting systems for quick incident detection and response.
Example: Setting up a SIEM system to correlate logs from various sources and generate alerts.
Q:: =============================================
A:: =============================================
To ensure a coordinated and effective approach to handling security incidents.
Example: Having a documented process for responding to a detected data breach, including roles and communication protocols.
Q:: =============================================
A:: =============================================
By encrypting sensitive log data and controlling access to log storage systems.
Example: Encrypting logs containing personal data before transmitting them to a central log server.
Q:: =============================================
A:: =============================================
Regular log reviews can help identify security issues and improve monitoring processes.
Example: Weekly reviews of failed login attempts to identify potential brute force attack patterns.
Q:: =============================================
A children's health plan provider's website operator couldn't detect a breach due to a lack of monitoring and logging. An external party informed the health plan provider that an attacker had accessed and modified thousands of sensitive health records of more than 3.5 million children. A post-incident review found that the website developers had not addressed significant vulnerabilities. As there was no logging or monitoring of the system, the data breach could have been in progress since 2013, a period of more than seven years.
A:: =============================================
A09 Security Logging and Monitoring Failures
Q:: =============================================
A major Indian airline had a data breach involving more than ten years' worth of personal data of millions of passengers, including passport and credit card data. The data breach occurred at a third-party cloud hosting provider, who notified the airline of the breach after some time.
A:: =============================================
A09 Security Logging and Monitoring Failures
Q:: =============================================
A major European airline suffered a GDPR reportable breach. The breach was reportedly caused by payment application security vulnerabilities exploited by attackers, who harvested more than 400,000 customer payment records. The airline was fined 20 million pounds as a result by the privacy regulator.
A:: =============================================
A09 Security Logging and Monitoring Failures
Q:: =============================================
A:: =============================================
An attack where an application is tricked into making unintended server-side requests.
Example: An attacker manipulating a URL parameter to make an internal API call to delete user data.
Q:: =============================================
A:: =============================================
Cloud architectures often have complex internal networks vulnerable to SSRF.
Example: An SSRF vulnerability allowing access to other customers' data in a multi-tenant cloud environment.
Q:: =============================================
A:: =============================================
The malicious requests often appear to come from legitimate internal sources.
Example: An SSRF attack mimicking normal API calls between microservices.
Q:: =============================================
A:: =============================================
By allowing attackers to access and exfiltrate sensitive internal data.
Example: Using SSRF to retrieve and leak customer information from an internal database.
Q:: =============================================
A:: =============================================
Proper validation can prevent malicious URLs from being processed.
Example: Whitelisting allowed domains for a URL fetching feature to prevent SSRF.
Q:: =============================================
A:: =============================================
It may allow access to the host system or other containers.
Example: An SSRF vulnerability in a container allowing access to the Docker socket on the host.
Q:: =============================================
A:: =============================================
It can allow attackers to move laterally between different services.
Example: Using SSRF in one microservice to attack another internal service not exposed externally.
Q:: =============================================
A:: =============================================
By isolating remote resource access functionality in separate networks.
Example: Placing web servers in a DMZ, separate from internal application servers.
Q:: =============================================
A:: =============================================
To ensure proper management and regular review of access controls.
Example: Assigning each firewall rule to a specific team or application owner.
Q:: =============================================
A:: =============================================
By providing visibility into potential SSRF attempts and anomalies.
Example: Logging all blocked requests to internal resources from web servers.
Q:: =============================================
A:: =============================================
To prevent exposure of sensitive information obtained through SSRF.
Example: Sanitizing error messages before sending them to the client.
Q:: =============================================
A:: =============================================
To prevent the application from being tricked into accessing malicious sites.
Example: Disabling automatic following of 3xx redirect responses in HTTP clients.
Q:: =============================================
A:: =============================================
By mitigating risks like DNS rebinding and TOCTOU race conditions.
Example: Verifying that the resolved IP address matches the expected domain.
Q:: =============================================
A:: =============================================
Attackers have techniques to bypass these measures.
Example: Using URL encoding to bypass a blacklist of prohibited characters.
Q:: =============================================
A:: =============================================
To reduce the attack surface exposed to potential SSRF attempts.
Example: Keeping only the web server on the front-end, moving application logic to separate servers.
Q:: =============================================
A:: =============================================
For scenarios with high protection needs and manageable user groups.
Example: Using a VPN for admin access to a high-security financial application.
Q:: =============================================
Port scan internal servers – If the network architecture is unsegmented, attackers can map out internal networks and determine if ports are open or closed on internal servers from connection results or elapsed time to connect or reject SSRF payload connections.
A:: =============================================
A10 Server Side Request Forgery (SSRF)
Q:: =============================================
Sensitive data exposure – Attackers can access local files or internal services to gain sensitive information such as file:///etc/passwd and http://localhost:28017/.
A:: =============================================
A10 Server Side Request Forgery (SSRF)
Q:: =============================================
Access metadata storage of cloud services – Most cloud providers have metadata storage such as http://169.254.169.254/. An attacker can read the metadata to gain sensitive information.
A:: =============================================
A10 Server Side Request Forgery (SSRF)
Q:: =============================================
Compromise internal services – The attacker can abuse internal services to conduct further attacks such as Remote Code Execution (RCE) or Denial of Service (DoS).
A:: =============================================
A10 Server Side Request Forgery (SSRF)
DECK INFO
TARGET DECK: Web Security::OWASP Top 10::OAOT - Anki owasp top 10 - owasp
FILE TAGS: #OWASP::#OWASP-Top-10::#Web-Security