Diffstat (limited to 'synopsis.tex')
-rw-r--r--  synopsis.tex  60
1 files changed, 59 insertions, 1 deletions
diff --git a/synopsis.tex b/synopsis.tex
index d6b781d..a803351 100644
--- a/synopsis.tex
+++ b/synopsis.tex
@@ -208,7 +208,59 @@ rest. A non-profit organization called Open Web Application Security Project
(or just OWASP for short), which mission is to make software more secure,
publishes a compilation of these vulnerabilities every 3 years in a document
titled \textit{OWASP Top 10 - The Ten Most Critical Web Application Security
-Risks}.
+Risks}. It is a result of the work of OWASP, over 40 security companies and over
+500 individuals. It lists the most common weakness, describes each of them in
+details, with examples and ways of prevention. It also contains further advices
+for developers, security testers, organizations and application managers.
+
+The latest release of OWASP Top 10 lists these vulnerabilities as the most
+critical web application security risks:
+
+\begin{itemize}
+
+ \item \textbf{A1:2017 - Injection}
+ Allows the attacker to execute malicious code in the
+ application's back-end by tricking the interpreter with a
+ specially crafted message, e.g. SQL injection.
+ \item \textbf{A2:2017 - Broken Authentication}
+ Includes every weakness which would enable the attacker to get
+ into to the application without authentication, i.e. by
+ hijacking other user's session, guessing or brute-forcing
+ password, getting keys or bypassing the login completely.
+ \item \textbf{A3:2017 - Sensitive Data Exposure}
+ Exposing sensitive data because of weak protection, lack of
+ encryption, defective error handling or other behavior.
+ \item \textbf{A4:2017 - XML External Entities (XXE)}
+ Exploitation of older or poorly configured XML processors, which
+ could disclose specific files on the server by parsing an
+ external entity included in the XML message sent by the
+ attacker.
+ \item \textbf{A5:2017 - Broken Access Control}
+ Allows the attacker to use functionality available only to
+ privileged users without authorization or to access other users'
+ accounts and sensitive data.
+ \item \textbf{A6:2017 - Security Misconfiguration}
+ Insecure configuration of some components of the system, for
+ example by using default config files or enabling debugging
+ options, which give detailed error messages with information
+ useful to the attackers. This includes also neglect of patching
+ and updating the components.
+ \item \textbf{A7:2017 - Cross-Site Scripting (XSS)}
+ Focuses on attacking users of the application by making their
+ browser execute code which was previously uploaded to the
+ app. Could allow to hijack the victim's session or redirect it
+ to a malicious website.
+ \item \textbf{A8:2017 - Insecure Deserialization}
+ Flaws in deserialization algorithms allowing remote code
+ execution, replay attacks, injection attacks and privilege
+ escalation attacks.
+ \item \textbf{A9:2017 - Using Components with Known Vulnerabilities}
+ A weakness in one component could lead to compromisitation of
+ the whole system. Application is just as secure its weakest
+ link.
+ \item \textbf{A10:2017 - Insufficient Logging & Monitoring}
+
+\end{itemize}
\section{Conclusion}
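Review bot: the A10 item `\textbf{A10:2017 - Insufficient Logging & Monitoring}` will not compile, because a bare `&` outside a tabular is an alignment tab in LaTeX; write it as `Logging \& Monitoring` (the same escaping the bibliography already uses in `John Wiley \& Sons Inc`). The same item is also the only one in the list without a description, so either add one or drop the stray blank line after it so the list at least ends cleanly before `\end{itemize}`. Smaller wording issues in the added paragraph and list: "which mission is" should be "whose mission is", "most common weakness" should be "weaknesses", "in details" should be "in detail", "further advices" should be "further advice", "compromisitation" should be "compromise", "just as secure its weakest link" is missing "as", and in A2 the list of examples should be introduced with "e.g." rather than "i.e.", since they are instances, not a definition.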
@@ -223,6 +275,12 @@ Risks}.
John Wiley \& Sons Inc, ISBN: 978-1118026472, 2011.
\bibitem{owasptop10}
+ The OWASP Foundation
+ \textit{OWASP Top 10 - 2017 (The Ten Most Critical Web
+ Application Security Risk)}
+ \texttt{https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf}
+
+ \bibitem{lyndaowasptop10}
Caroline Wong.
\textit{Learning the OWASP Top 10}.
\texttt{https://lynda.com/IT-\allowbreak{}
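Review bot: the new `\texttt{https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf}` entry will not typeset as intended: `%` starts a LaTeX comment, so everything from `%28en%29.pdf.pdf}` onward is dropped and the `\texttt{` is left unclosed, and the unescaped `_` characters will raise "Missing $ inserted". Either escape them (`\%28en\%29`, `OWASP\_Top\_10-2017\_`) or, better, use `\url{...}` from the `url`/`hyperref` package, which handles both. Please also double-check the trailing `.pdf.pdf` against the actual link, since a doubled extension looks like a paste error. For consistency with the neighbouring entries, end the author line with a period (`The OWASP Foundation.`), add the year as the other `\bibitem`s do, and make the title read "Security Risks" to match the title quoted in the body text.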