The OWASP Top Ten are the most critical security risks to web applications.
The list contains:
Injection is part of the OWASP Top Ten.
Injection an attack where a malicious actor injects code into an interpreter, usually through an input field.
It’s dangerous because it can allow attackers to gain access to or damage systems or sensitive data by tricking the interpreter into executing a command.
The code is an example of an innocent search for soap
combined with a dangerous SQL command.
SELECT product_name, product_cost FROMproduct_table WHERE product_name = 'soap' UNION SELECT username,password,NULL FROM user_table;-- -';
Broken Authentication is part of the OWASP Top 10.
Broken Authentication is improperly implemented authentication and session management.
It’s dangerous because it can allow attackers to compromise data or assume others’ identities.
Sensitive Data Exposure is part of the OWASP Top Ten.
Sensitive Data Exposure is improperly protecting, hiding, or encrypting sensitive data.
It’s dangerous because it can allow attackers to steal, modify, or delete data.
XML External Entities (XXE) is part of the OWASP Top Ten.
XXE is allowing outside users to upload potentially malicious XML documents without properly configuring or securing XML processor.
It’s dangerous because it can allow attackers access files, execute remote code, or execute Denial of Service attacks.
Broken Access Control is part of the OWASP Top Ten.
Broken Access Control is improperly implemented authorization.
It’s dangerous because it can allow attackers to access functions or data, like sensitive user data, they should not be able to access.
Security Misconfiguration is one of the OWASP Top Ten.
Security Misconfiguration refers to situations like:
It’s dangerous because it can allow attackers to easily access systems or sensitive data.
Cross-Site Scripting (XSS) is a part of the OWASP Top Ten.
XSS is when an application allows untrusted data, potentially user-supplied data, into a web page without proper validation or sanitization.
It’s dangerous because it can allow attackers to execute malicious scripts in a victim’s browser leading to hijacked sessions, or malicious page alterations or redirections.
The code is an example of some code that may be used as part of a XSS attack. It could be inserted into a URL.
<script>alert(1);</script>
Insecure Deserialization is part of the OWASP Top Ten.
Insecure Deserialization is when data from an untrusted source is deserialized into an object, potentially containing malicious code or data, within a program.
It’s dangerous because it can allow attackers to remotely execute code.
Using Components with Known Vulnerabilities is part of the OWASP Top Ten.
Using Components with Known Vulnerabilities is using vulnerable components while allowing those components to have the same privileges as the application.
This is dangerous because it can allow attackers who have breached those components to directly attack the application.
Insufficient Logging & Monitoring is part of the OWASP Top Ten.
Insufficient Logging & Monitoring is insufficient recording, reporting, and oversight of systems as well as ineffective incident response.
It’s dangerous because it allows attackers extra time to attack systems and cause harm.
One of the most important security principles is the CIA triad, which stands for Confidentiality, Availability, and Integrity.
In Cybersecurity, Confidentiality is the pillar of the CIA triad which refers to the principle that only those who should have access to information can access it.
In Cybersecurity, Integrity is the pillar of the CIA triad which refers to the principle that data is what we expect it to be.
In other words, data should not be able to be edited by unauthorized parties.
In Cybersecurity, Availability is the pillar of the CIA triad which refers to the principle that data is reliably available.
As a web developer, you should assume that by default, things are NOT safe. Vulnerabilities exist in all corners. In order for web applications to function, there are many parts that work with each other:
This means there are many points of attack.
Cyberattacks against websites are extremely common. An attack could result in:
Security is an important part of the development process and security considerations should be taken into account during the process, not after it is completed.