# OWASP Top 10
- [Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
- [Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)
- [[injection|Injection]]
## [Insecure Design](https://owasp.org/Top10/A04_2021-Insecure_Design/)
- "**Questions and answers**" for password recovery
  - Answers can be social engineered
  - Solution: answer as a _persona_, e.g. Michael Jackson, whose details can be searched online, so the answers are not the user's own social-engineerable facts
- Some cinemas allow booking **before requiring a deposit**
  - Bots can book tickets.
  - Anti-bot solutions:
    - [[captchas|CAPTCHAs]]
    - API request limits
    - Relying on `User-Agent` (ineffective) -- ==Everything in an HTTP request is under the attacker's control!==
- Lack of a **lockout mechanism**
  - Example: [[twitter|Twitter]] was susceptible to brute force attacks before 2009, but the lockout could be bypassed by changing the country of origin.
## Security Misconfiguration
- **Missing patches**
  - [[equifax|Equifax]] didn't change the config to apply the [[apache|Apache]] patch, causing a data breach.
- **`DEBUG` flag** in the [[django|Django]] server configuration not set to `False`.
  - Debug info can be returned to the client: file structure, Python version, server OS...
## Vulnerable and Outdated Components
- Solution: Run **Software Component Analysis** (SCA) tools regularly
  - [[dependabot|Dependabot]]
  - [OWASP Dependency Checker](https://dependencytrack.org)
- Solution: **Remove unused** dependencies, unnecessary features, components, files
- Solution: **Monitor** libraries and components that are unmaintained.
- Vulnerabilities in unused dependencies can still be exploited!
```java
String input = ...; // attacker-controlled string, e.g. taken from a request parameter
Class.forName(input); // loads and initialises any class reachable on the CLASSPATH
```
Every dependency on the `CLASSPATH` is loadable, and can be reached through [[oop-reflection|reflection]] even if the application never calls it directly!
[`Class.forName()` method in Java with Examples | Geeks for Geeks](https://www.geeksforgeeks.org/class-forname-method-in-java-with-examples/)
## Identification and Authentication Failures
- [CWE-258](https://cwe.mitre.org/data/definitions/258.html) Use of hard-coded passwords
- [CWE-384](https://cwe.mitre.org/data/definitions/384.html) Session fixation
  - [What is a Web Session? | Hazelcast](https://hazelcast.com/glossary/web-session/)
  - The session ID may be stolen via [[xss|XSS vulnerabilities]].
  - Solution:
    - `HttpOnly`: "this [[cookie]] should not be accessible to [[js|JavaScript]]", enforced by the web browser.
    - `Secure`: the cookie is sent only over an [[http|HTTPS]] connection. Set both: `HttpOnly; Secure`.
    - The session ID should be a long, hashed, randomly generated string.
    - Let the session ID expire a) after a preset time of **inactivity**; b) after a **certain goal has been met**
- Session management issues
  - Session IDs in the URL
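As an added example (not from the original notes) of the session-handling points above: a small Python session store that issues long random IDs, keeps only their SHA-256 hashes, expires them after inactivity, rotates the ID at login against session fixation (CWE-384), and emits a `Set-Cookie` header with `HttpOnly; Secure`. The inactivity limit and the cookie name `sid` are assumed values.

```python
import hashlib
import secrets
import time

# Assumed policy value: seconds of inactivity after which a session expires
INACTIVITY_LIMIT = 15 * 60


class SessionStore:
    """In-memory store; only the SHA-256 hash of each session ID is kept."""

    def __init__(self, now=time.time):
        self._now = now          # clock is injectable so tests can simulate time
        self._sessions = {}      # sha256(session_id) -> {"user": ..., "last_seen": ...}

    @staticmethod
    def _digest(session_id):
        return hashlib.sha256(session_id.encode()).hexdigest()

    def create(self, user):
        # 32 bytes from the OS CSPRNG -> 43-char URL-safe token, not guessable
        session_id = secrets.token_urlsafe(32)
        self._sessions[self._digest(session_id)] = {"user": user, "last_seen": self._now()}
        return session_id

    def lookup(self, session_id):
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(self._digest(session_id))
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > INACTIVITY_LIMIT:
            self.destroy(session_id)   # expired by inactivity
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def destroy(self, session_id):
        self._sessions.pop(self._digest(session_id), None)

    def rotate_on_login(self, old_session_id, user):
        """Session-fixation defence: invalidate the pre-login ID and issue a fresh one."""
        self.destroy(old_session_id)
        return self.create(user)


def session_cookie_header(session_id, max_age=INACTIVITY_LIMIT):
    # HttpOnly: browser hides the cookie from JavaScript (limits XSS theft);
    # Secure: browser sends it only over HTTPS. Cookie name "sid" is assumed.
    return (f"Set-Cookie: sid={session_id}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")
```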
## Software and Data Integrity Failures
- Dependencies downloaded from untrusted sources
- Unsigned drivers/firmware/dependencies
- [Open source developer corrupts widely-used libraries, affecting tons of projects | The Verge](https://www.theverge.com/2022/1/9/22874949/developer-corrupts-open-source-libraries-projects-affected)
## Security [[log|Logging]] and Monitoring Failures
- Accountability, visibility, incident alerts, forensics
- **Auditable events** are not logged
- Logs are not **proactively monitored** for suspicious activity
- Logs can be **tampered** with
- Logs may contain **sensitive information**
## [Server Side Request Forgery (SSRF)](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)
- Solutions
  - Enable a "deny by default" firewall and keep an allow list of permitted URLs.
  - Disable HTTP redirections