Key Concepts

Review core concepts you need to learn to master this subject

Security Principle: CIA Triad

Web Attacks & Damages

OWASP Top Ten

Injection

Broken Authentication

Sensitive Data Exposure

XML External Entities (XXE)

Broken Access Control

See more

Security Principle: CIA Triad

One of the most important security principles is the CIA triad, which stands for Confidentiality, Availability, and Integrity.

OWASP Top 10
Lesson 1 of 1
  1. 1
    Introduction
    The OWASP Top Ten is a project maintained by the Open Web Application Security Project (OWASP). OWASP is a respected authority in the field of web security…
    Start
  2. 2
    Injection
    A hacker stares at a textbox on their screen, finger hovering over the enter key. In the input box is a malicious query. They hit the enter key, and the website freezes for a moment before disp…
    Start
  3. 3
    Broken Authentication
    The owners of the website made an effort to secure it, but security is only as strong as its weakest link. In this case, the weakest link was a “temporary” admin account that was created for use on…
    Start
  4. 4
    Sensitive Data Exposure
    When data breaches happen, that’s not the end of the story. The stolen information gets sold and resold on the dark web, often ending up in sets of personal information known as fullz. Fullz cont…
    Start
  5. 5
    XML External Entities (XML)
    Computers take things very literally; give them an instruction and they’ll follow it exactly, even when it’s not actually what you wanted. Servers are computers that have been instructed to respond…
    Start
  6. 6
    Broken Access Control
    We know not to trust user input, but the website doesn’t necessarily know not to trust user input. The webpages themselves were made securely, but none of the engineers ever bothered to ask “Isn’t …
    Start
  7. 7
    Security Misconfiguration
    All the security software in the world won’t protect you if it isn’t properly configured. When the attacker started trying injection attacks, the alarms remained silent. When the attacker opened a …
    Start
  8. 8
    Cross-Site Scripting (XSS)
    When a malicious hacker found a cross-site scripting vulnerability in a popular social media platform, they couldn’t pass up the opportunity: They crafted a self-sharing post that would rapidly spr…
    Start
  9. 9
    Insecure Deserialization
    If there’s only one thing you take away from this lesson, let it be “Don’t trust user input”. Especially if that user input will interact directly with your server. Serialization is the process of…
    Start
  10. 10
    Using Components with Known Vulnerabilities
    When it comes to vulnerabilities, the unknown is scary, but sometimes it’s the known you have to worry about. If an attacker wants to attack you with a new vulnerability, the attacker first has to …
    Start
  11. 11
    Insufficient Logging and Monitoring
    In security, knowledge is power. Knowing what’s going on within a system is important for detecting, preventing, and responding to attacks. Early detection can mean the difference between an incide…
    Start
  12. 12
    Review
    In summary, the OWASP Top Ten consists of: * Injection: An attacker “injects” malicious code into an interpreter, usually through an input field, in order to gain access to information or damage a …
    Start