Came online in 2001 and is a not-for-profit charitable organization. “OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.” “All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. They advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas.”
SQL Injection
Not using TLS
Improperly storing passwords
Sessions are visible and can be shared
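The first two items above, SQL injection and improperly stored passwords, are easiest to see side by side in code. The following Python is an added example for these notes, not OWASP's material: the user table, the probe string and the account names are constructed for the demo, and `make_db`, `lookup_vulnerable`, `lookup_safe`, `hash_password` and `verify_password` are names chosen here. The concatenated query returns every row when the input contains a quote, the parameterized query returns nothing, and passwords are stored as a random salt plus a slow PBKDF2 digest instead of plaintext or a bare hash.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample database (not real data): two accounts and their roles.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Builds the SQL text by concatenation, so quote characters in `name`
    # change the meaning of the statement instead of being treated as data.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the SQL text is fixed and `name` is bound as a
    # value, so it can never be interpreted as part of the statement.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

SALT_LEN = 16
PBKDF2_ROUNDS = 200_000

def hash_password(password: str, salt: bytes = b"") -> bytes:
    # Per-password random salt plus a slow key-derivation function; the stored
    # record is salt || digest, so the salt never needs a separate column.
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed input containing a quote character
    print("concatenated SQL returns", len(lookup_vulnerable(db, probe)), "rows")
    print("parameterized SQL returns", len(lookup_safe(db, probe)), "rows")
    record = hash_password("correct horse battery staple")
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong:  ", verify_password("hunter2", record))
```

The point of the password half is that two users with the same password get different records (different salts), and that checking a password means re-deriving the digest, never decrypting anything.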
- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites.
- Once inserted, a malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
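The two defenses that follow directly from the XSS bullets are output encoding (so injected markup is displayed, not parsed) and keeping the session cookie out of reach of script. This Python is an added example written for these notes, not code from OWASP; the comment text is constructed, and `render_comment_unsafe`, `render_comment_safe`, `contains_script_element` and `session_cookie_header` are names chosen here.

```python
import html
import re

# Constructed sample input: text a visitor might type into a comment box.
SAMPLE_COMMENT = "<script>alert(document.cookie)</script>"

def render_comment_unsafe(comment: str) -> str:
    # Interpolates the text straight into the page, so markup in the
    # comment becomes markup in the document the browser executes.
    return '<p class="comment">' + comment + "</p>"

def render_comment_safe(comment: str) -> str:
    # Output encoding for an HTML text context: <, >, &, " and ' become
    # entities, so the browser shows the characters instead of parsing them.
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"

def contains_script_element(document: str) -> bool:
    # Rough check used by the demo to show whether a <script ...> element
    # survived into the rendered page.
    return re.search(r"<script\b", document, re.IGNORECASE) is not None

_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")

def session_cookie_header(token: str) -> str:
    # HttpOnly keeps the cookie out of document.cookie, Secure restricts it to
    # TLS, SameSite=Lax stops most cross-site requests from carrying it.
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("session token must be URL-safe characters only")
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"

def content_security_policy_header() -> str:
    # Defense in depth: with this policy the browser refuses to run inline
    # script even if a tag does slip into the page.
    return "Content-Security-Policy: default-src 'self'; script-src 'self'"

if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print(session_cookie_header("abcdefghijklmnop1234"))
    print(content_security_policy_header())
```

Encoding has to match the context the value lands in: `html.escape` is right for element text and quoted attribute values, but a value placed inside a `<script>` block or a URL needs the encoding for that context instead.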
Insecure IDs
Path traversal (guessing URLs)
File permissions (read only, rarely if ever marked executable)
Client-side caching (sensitive info should not be cached)
Router default admin password example
Stack traces turned on in production (Volvo example?)
Poorly secured user credentials
PII, PCI, Health Info, etc.
Detect, Respond, Patch quickly
Palo Alto example, Traps example, Mimecast
- In a cross-site request forgery attack, the attacker tries to force/trick you into making a request which you did not intend. This could be sending you a link that makes you involuntarily change your password. A malicious link could look like this:
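The password-change scenario above has two standard countermeasures: refuse to change state on a GET (a link can only produce a GET), and require a per-session token that only the site's own forms carry. This Python is an added example for these notes, not OWASP's code; the session id, the request dicts and the names `CsrfTokenStore`, `change_password` and `demo` are constructed here.

```python
import hmac
import secrets

class CsrfTokenStore:
    """Per-session anti-CSRF tokens. In-memory for the demo; a real
    application would keep this in its session backend."""

    def __init__(self) -> None:
        self._tokens: dict = {}

    def issue(self, session_id: str) -> str:
        # Unpredictable token bound to the session; the site embeds it in its
        # own forms as a hidden field, which another origin cannot read.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def check(self, session_id: str, presented) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(presented, str):
            return False
        # Constant-time comparison so timing does not reveal matching prefixes.
        return hmac.compare_digest(expected, presented)


def change_password(store: CsrfTokenStore, request: dict) -> tuple:
    """Handler for the notes' password-change example. `request` is a
    constructed dict: method, session_id (from the cookie), form fields."""
    # 1. A plain link is a GET; state changes are only accepted over POST.
    if request["method"] != "POST":
        return (405, "password changes require POST")
    # 2. The request must carry the token issued to this session.
    if not store.check(request["session_id"], request.get("form", {}).get("csrf_token")):
        return (403, "missing or invalid CSRF token")
    return (200, "password changed")


def demo() -> list:
    # Three constructed requests, all arriving with the victim's session cookie.
    store = CsrfTokenStore()
    token = store.issue("sess-1")
    cases = [
        # a link the victim is tricked into following: GET, no token
        {"method": "GET", "session_id": "sess-1",
         "form": {"new_password": "not-the-users-choice"}},
        # a cross-site form submission: POST, but no valid token
        {"method": "POST", "session_id": "sess-1",
         "form": {"new_password": "not-the-users-choice"}},
        # the site's own form, carrying the token it issued
        {"method": "POST", "session_id": "sess-1",
         "form": {"new_password": "user-chosen", "csrf_token": token}},
    ]
    return [change_password(store, r)[0] for r in cases]


if __name__ == "__main__":
    print(demo())  # status codes for the three cases, in order
```

The browser attaches the session cookie to every request regardless of where the request came from, which is exactly why the cookie alone cannot prove intent; the token works because it is something the cross-site page cannot obtain. A `SameSite` cookie attribute is a useful second layer but does not replace the token check.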
Apply security patches regularly and in a timely fashion
- Patch issued by Microsoft, even for versions of Windows that are no longer supported
- SMB / CIFS not necessary for most machines anyway. (disable unnecessary features)
- The use of APIs is growing and they need to be protected just as much as a publicly facing site.
The OWASP Top 10 is a good start, but there are many vulnerabilities to be concerned with. Be vigilant!