-rw-r--r--synopsis.pdfbin167583 -> 165884 bytes
-rw-r--r--synopsis.tex57
2 files changed, 12 insertions, 45 deletions
diff --git a/synopsis.pdf b/synopsis.pdf
index 25d6747..0dff540 100644
--- a/synopsis.pdf
+++ b/synopsis.pdf
Binary files differ
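Review bot: synopsis.pdf is the build output of synopsis.tex and is committed next to it, so every edit to the source also lands a binary change (167583 -> 165884 bytes here) that cannot be reviewed and inflates the repository history. Consider adding the PDF to .gitignore and producing it from the .tex at build or release time instead, so the diff contains only the reviewable source.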
diff --git a/synopsis.tex b/synopsis.tex
index d7b7776..7205165 100644
--- a/synopsis.tex
+++ b/synopsis.tex
@@ -231,51 +231,16 @@ The latest release of OWASP Top 10 lists these vulnerabilities as the most
critical web application security risks:
\begin{itemize}
- \item \textbf{A1:2017 - Injection} \\
- Allows the attacker to execute malicious code in the
- application's back-end by tricking the interpreter with a
- specially crafted message, e.g. SQL injection.
- \item \textbf{A2:2017 - Broken Authentication} \\
- Includes every weakness which would enable the attacker to get
- into to the application without authentication, i.e. by
- hijacking other user's session, guessing or brute-forcing
- password, getting keys or bypassing the login completely.
- \item \textbf{A3:2017 - Sensitive Data Exposure} \\
- Exposing sensitive data because of weak protection, lack of
- encryption, defective error handling or other behavior.
- \item \textbf{A4:2017 - XML External Entities (XXE)} \\
- Exploitation of older or poorly configured XML processors, which
- could disclose specific files on the server by parsing an
- external entity included in the XML message sent by the
- attacker.
- \item \textbf{A5:2017 - Broken Access Control} \\
- Allows the attacker to use functionality available only to
- privileged users without authorization or to access other users'
- accounts and sensitive data.
- \item \textbf{A6:2017 - Security Misconfiguration} \\
- The insecure configuration of some components of the system, for
- example by using default config files or enabling debugging
- options, which give detailed error messages with information
- useful to the attackers. This includes also neglect of patching
- and updating the components.
- \item \textbf{A7:2017 - Cross-Site Scripting (XSS)} \\
- Focuses on attacking users of the application by making their
- browser execute code which was previously uploaded to the
- app. Could allow to hijack the victim's session or redirect it
- to a malicious website.
- \item \textbf{A8:2017 - Insecure Deserialization} \\
- Flaws in deserialization algorithms allowing remote code
- execution, replay attacks, injection attacks and privilege
- escalation attacks.
- \item \textbf{A9:2017 - Using Components with Known Vulnerabilities} \\
- A weakness in one component could lead to a compromise of the
- whole system. An application is just as secure as its weakest
- link.
- \item \textbf{A10:2017 - Insufficient Logging \& Monitoring} \\
- An application needs to log what is happening inside it and its
- status needs to be monitored so, in case of a breach,
- the administrators could detect it, find a cause of it and fix
- the weakness.
+ \item \textbf{A1:2017 - Injection}
+ \item \textbf{A2:2017 - Broken Authentication}
+ \item \textbf{A3:2017 - Sensitive Data Exposure}
+ \item \textbf{A4:2017 - XML External Entities (XXE)}
+ \item \textbf{A5:2017 - Broken Access Control}
+ \item \textbf{A6:2017 - Security Misconfiguration}
+ \item \textbf{A7:2017 - Cross-Site Scripting (XSS)}
+ \item \textbf{A8:2017 - Insecure Deserialization}
+ \item \textbf{A9:2017 - Using Components with Known Vulnerabilities}
+ \item \textbf{A10:2017 - Insufficient Logging \& Monitoring}
\end{itemize}
Apart from these risks, there are also some additional weaknesses that need to
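Review bot: Removing the per-item descriptions leaves the lead-in sentence ("lists these vulnerabilities as the most critical web application security risks") introducing a list of bare labels, and the deleted text was the explanation of terms such as injection and XSS that the later discussion of `\texttt{<script>}` tags in HTML-enabled forms depends on; a reader who does not already know the OWASP categories now gets nothing. If the cut is for length, keep one short clause per item (for example `\item \textbf{A7:2017 - Cross-Site Scripting (XSS)} -- the victim's browser executes script stored in the app`) or attach a citation to the OWASP Top 10 2017 document at the list so the definitions remain reachable. Separately, "The latest release of OWASP Top 10" in the context line will date; naming the edition ("The 2017 release") is more precise since the list is versioned.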
@@ -468,6 +433,8 @@ executed. Another way would be to completely prohibit usage of
\texttt{<script>}, \texttt{<link>} or \texttt{<iframe>} tags in HTML-enabled
forms.
+\newpage
+
\subsection{Security by design}
It is a good practice to create applications with security in mind from the very
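Review bot: The unconditional `\newpage` inserted before `\subsection{Security by design}` is fragile: it is added in the same commit that removes about 35 lines earlier in the file, so it was evidently tuned against the current page layout and will leave a mostly empty page as soon as the text above it changes length again. Prefer letting LaTeX choose the break, or use a conditional break such as `\needspace{...}` from the needspace package, so the layout does not depend on the exact line count of the preceding section; the extra blank line after `\newpage` only adds an empty paragraph and can be dropped.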