OWASP – This stands for the Open Web Application Security Project. OWASP is a non-profit organization that, every 3-4 years, publishes a list of the top 10 vulnerabilities and provides guidance on how to protect against them. Additionally, this organization also publishes the API Top 10 vulnerabilities.
Here are the top 10 vulnerabilities:
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging and Monitoring Failures
- Server-Side Request Forgery (SSRF)
Let’s understand each vulnerability in detail:
1. Broken Access Control – Broken access control occurs when users can do or see more in an application than they are supposed to. In simple terms, it means a user accessing resources that should not be available to that user.
Let’s understand with a real-time example: suppose we are using a particular website or application as a regular user, and somehow we gain access to the admin account. This situation falls under Broken Access Control.
One of the most classic examples of broken access control is IDOR, or insecure direct object reference. This is when an application fails to restrict access to objects outside a user’s scope. If an application uses an ID number for a resource, say a user profile or a shopping cart, as a URL parameter, and a user can change that parameter and access other users’ data, that is an insecure direct object reference.
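The IDOR pattern above, as an added example that is not from the original post: a handler that trusts the ID from the URL beside one that enforces ownership server-side. The profile records, user names and handler names are constructed for the demonstration.

```python
"""Insecure direct object reference (IDOR): a vulnerable lookup beside an
ownership-checked one. Constructed in-memory data, not a real application."""

# Constructed sample data: profile records keyed by the numeric ID that
# would appear in a URL such as /profile?id=102
PROFILES = {
    101: {"owner": "alice", "email": "alice@example.com"},
    102: {"owner": "bob", "email": "bob@example.com"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


def get_profile_vulnerable(session_user: str, profile_id: int) -> dict:
    """IDOR: trusts the ID from the URL and never checks who owns it.
    Any logged-in user can read any profile just by changing the number."""
    return PROFILES[profile_id]


def get_profile_fixed(session_user: str, profile_id: int) -> dict:
    """Authorisation is enforced server-side: the object is returned only if
    the authenticated session user owns it. Unknown and foreign IDs raise the
    same error, so the response does not reveal which IDs exist."""
    record = PROFILES.get(profile_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"user {session_user!r} may not read profile {profile_id}")
    return record


def can_read(handler, session_user: str, profile_id: int) -> bool:
    """Demo helper: True if the handler hands back the record, False if it
    refuses (Forbidden) or the ID does not exist (KeyError)."""
    try:
        handler(session_user, profile_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    # alice, logged in as herself, changes the id parameter to 102 (bob's profile)
    print("vulnerable handler leaks bob's profile:", can_read(get_profile_vulnerable, "alice", 102))
    print("fixed handler blocks the tampered id:  ", not can_read(get_profile_fixed, "alice", 102))
    print("fixed handler still serves own data:    ", can_read(get_profile_fixed, "alice", 101))
```

The same check applies to any object type: scope every lookup by the authenticated user (or query by owner and ID together) rather than by the client-supplied ID alone.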
2. Cryptographic Failures – Cryptographic failures are a broad category: any misuse, or lack of use, of cryptographic protections, and these can in fact be a little tricky to exploit. Web applications require cryptography to provide confidentiality for their users at many levels.
When you access your email account using your browser, you want the communication between you and the server to be encrypted. This ensures that any eavesdropper trying to capture your network packets won’t be able to read the content of your emails. Encrypting the network traffic between the client and server is called encrypting data in transit.
Let’s understand with a real-time example: suppose you are using an e-commerce website to purchase goods. The website stores your credit card information so that you don’t have to enter it every time you make a purchase. However, instead of encrypting your credit card information before storing it in the database, the website stores it in plaintext. This is a cryptographic failure.
3. Injection –