From 0fe827a5bb855dc3bcfb443eaaa468cd162576cc Mon Sep 17 00:00:00 2001 From: marcinzelent Date: Sun, 27 May 2018 18:01:26 +0200 Subject: Remove some text to fit 10 pages limit --- synopsis.pdf | Bin 167583 -> 165884 bytes synopsis.tex | 57 ++++++++++++--------------------------------------------- 2 files changed, 12 insertions(+), 45 deletions(-) diff --git a/synopsis.pdf b/synopsis.pdf index 25d6747..0dff540 100644 Binary files a/synopsis.pdf and b/synopsis.pdf differ diff --git a/synopsis.tex b/synopsis.tex index d7b7776..7205165 100644 --- a/synopsis.tex +++ b/synopsis.tex @@ -231,51 +231,16 @@ The latest release of OWASP Top 10 lists these vulnerabilities as the most critical web application security risks: \begin{itemize} - \item \textbf{A1:2017 - Injection} \\ - Allows the attacker to execute malicious code in the - application's back-end by tricking the interpreter with a - specially crafted message, e.g. SQL injection. - \item \textbf{A2:2017 - Broken Authentication} \\ - Includes every weakness which would enable the attacker to get - into to the application without authentication, i.e. by - hijacking other user's session, guessing or brute-forcing - password, getting keys or bypassing the login completely. - \item \textbf{A3:2017 - Sensitive Data Exposure} \\ - Exposing sensitive data because of weak protection, lack of - encryption, defective error handling or other behavior. - \item \textbf{A4:2017 - XML External Entities (XXE)} \\ - Exploitation of older or poorly configured XML processors, which - could disclose specific files on the server by parsing an - external entity included in the XML message sent by the - attacker. - \item \textbf{A5:2017 - Broken Access Control} \\ - Allows the attacker to use functionality available only to - privileged users without authorization or to access other users' - accounts and sensitive data. - \item \textbf{A6:2017 - Security Misconfiguration} \\ - The insecure configuration of some components of the system, for - example by using default config files or enabling debugging - options, which give detailed error messages with information - useful to the attackers. This includes also neglect of patching - and updating the components. - \item \textbf{A7:2017 - Cross-Site Scripting (XSS)} \\ - Focuses on attacking users of the application by making their - browser execute code which was previously uploaded to the - app. Could allow to hijack the victim's session or redirect it - to a malicious website. - \item \textbf{A8:2017 - Insecure Deserialization} \\ - Flaws in deserialization algorithms allowing remote code - execution, replay attacks, injection attacks and privilege - escalation attacks. - \item \textbf{A9:2017 - Using Components with Known Vulnerabilities} \\ - A weakness in one component could lead to a compromise of the - whole system. An application is just as secure as its weakest - link. - \item \textbf{A10:2017 - Insufficient Logging \& Monitoring} \\ - An application needs to log what is happening inside it and its - status needs to be monitored so, in case of a breach, - the administrators could detect it, find a cause of it and fix - the weakness. + \item \textbf{A1:2017 - Injection} + \item \textbf{A2:2017 - Broken Authentication} + \item \textbf{A3:2017 - Sensitive Data Exposure} + \item \textbf{A4:2017 - XML External Entities (XXE)} + \item \textbf{A5:2017 - Broken Access Control} + \item \textbf{A6:2017 - Security Misconfiguration} + \item \textbf{A7:2017 - Cross-Site Scripting (XSS)} + \item \textbf{A8:2017 - Insecure Deserialization} + \item \textbf{A9:2017 - Using Components with Known Vulnerabilities} + \item \textbf{A10:2017 - Insufficient Logging \& Monitoring} \end{itemize} Apart from these risks, there are also some additional weaknesses that need to @@ -468,6 +433,8 @@ executed. Another way would be to completely prohibit usage of \texttt{