Diffstat (limited to 'synopsis.tex')
-rw-r--r-- | synopsis.tex | 60 |
1 files changed, 59 insertions, 1 deletions
diff --git a/synopsis.tex b/synopsis.tex index d6b781d..a803351 100644 --- a/synopsis.tex +++ b/synopsis.tex 
@@ -208,7 +208,59 @@ rest. A non-profit organization called Open Web Application Security Project (or just OWASP for short), which mission is to make software more secure, publishes a compilation of these vulnerabilities every 3 years in a document titled \textit{OWASP Top 10 - The Ten Most Critical Web Application Security -Risks}. +Risks}. It is a result of the work of OWASP, over 40 security companies and over +500 individuals. It lists the most common weakness, describes each of them in +details, with examples and ways of prevention. It also contains further advices +for developers, security testers, organizations and application managers. + +The latest release of OWASP Top 10 lists these vulnerabilities as the most +critical web application security risks: + +\begin{itemize} + + \item \textbf{A1:2017 - Injection} + Allows the attacker to execute malicious code in the + application's back-end by tricking the interpreter with a + specially crafted message, e.g. SQL injection. + \item \textbf{A2:2017 - Broken Authentication} + Includes every weakness which would enable the attacker to get + into to the application without authentication, i.e. by + hijacking other user's session, guessing or brute-forcing + password, getting keys or bypassing the login completely. + \item \textbf{A3:2017 - Sensitive Data Exposure} + Exposing sensitive data because of weak protection, lack of + encryption, defective error handling or other behavior. + \item \textbf{A4:2017 - XML External Entities (XXE)} + Exploitation of older or poorly configured XML processors, which + could disclose specific files on the server by parsing an + external entity included in the XML message sent by the + attacker. + \item \textbf{A5:2017 - Broken Access Control} + Allows the attacker to use functionality available only to + privileged users without authorization or to access other users' + accounts and sensitive data. 
+ \item \textbf{A6:2017 - Security Misconfiguration} + Insecure configuration of some components of the system, for + example by using default config files or enabling debugging + options, which give detailed error messages with information + useful to the attackers. This includes also neglect of patching + and updating the components. + \item \textbf{A7:2017 - Cross-Site Scripting (XSS)} + Focuses on attacking users of the application by making their + browser execute code which was previously uploaded to the + app. Could allow to hijack the victim's session or redirect it + to a malicious website. + \item \textbf{A8:2017 - Insecure Deserialization} + Flaws in deserialization algorithms allowing remote code + execution, replay attacks, injection attacks and privilege + escalation attacks. + \item \textbf{A9:2017 - Using Components with Known Vulnerabilities} + A weakness in one component could lead to compromisitation of + the whole system. Application is just as secure its weakest + link. + \item \textbf{A10:2017 - Insufficient Logging & Monitoring} + +\end{itemize} \section{Conclusion} @@ -223,6 +275,12 @@ Risks}. John Wiley \& Sons Inc, ISBN: 978-1118026472, 2011. \bibitem{owasptop10} + The OWASP Foundation + \textit{OWASP Top 10 - 2017 (The Ten Most Critical Web + Application Security Risk)} + \texttt{https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf} + + \bibitem{lyndaowasptop10} Caroline Wong. \textit{Learning the OWASP Top 10}. \texttt{https://lynda.com/IT-\allowbreak{} |
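Review bot: in the first hunk (@@ -208,7 +208,59 @@), the A10 item title `\item \textbf{A10:2017 - Insufficient Logging & Monitoring}` uses a bare `&`, which LaTeX only accepts inside tabular-like environments; in running text it raises "Misplaced alignment tab character &" and the document will not compile. Escape it as `\&`, as the existing bibliography line `John Wiley \& Sons Inc` already does. The same A10 item is also the only one of the ten with no description, so either add one in the style of A1 to A9 or note why it is left empty. Wording fixes in the added lines: "It lists the most common weakness, describes each of them in details" should read "weaknesses" and "in detail", "further advices" should be "further advice", "to get into to the application" has a doubled "to", "compromisitation" should be "compromise", and "Application is just as secure its weakest link" is missing "as" ("only as secure as its weakest link"). Finally, the added paragraph introducing the list does not reference the new `\bibitem{owasptop10}` from the second hunk; a `\cite{owasptop10}` after "The latest release of OWASP Top 10" would tie the two together.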
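Review bot: in the second hunk (@@ -223,6 +275,12 @@), the URL line `\texttt{https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf}` contains an unescaped `%`, which LaTeX reads as the start of a comment; everything from `%28en%29` to the end of the line, including the closing `}` of `\texttt`, is discarded, so the brace is never closed and compilation fails. The unescaped `_` characters in the same line will additionally trigger "Missing $ inserted". Either escape them (`\%` and `\_`) or, better, wrap the address in `\url{...}` from the url or hyperref package, which handles both characters and line breaking without the manual `\allowbreak{}` used in the next entry. Two consistency points: the author line `The OWASP Foundation` has no terminating period, unlike `Caroline Wong.` in the neighbouring entry, and the cited title ends in "Security Risk)" while the body text of the first hunk names the document "...Security Risks"; pick one spelling. The entry also lacks a year, which the Wiley entry above it provides (2011), so consider adding the 2017 release year for the same reason.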