@CamiloGarciaLaRotta
Created September 9, 2017 12:05
+----+---------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+
| #  | Vulnerability                               | Explanation                                                                                                                                                                             | How To Avoid                                                                                                                                        |
+----+---------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+
| 1  | Injection                                   | Malicious SQL, OS, or LDAP commands sent to an interpreter as part of untrusted input                                                                                                   | Use parameterized queries                                                                                                                           |
| 2  | Broken Auth. & Session Mgmt                 | Hardcoded cookies, session tokens, plain-text storage of credentials                                                                                                                    | Encrypt all account-sensitive data, no credentials in URLs, sessions must time out, session IDs must be rotated                                    |
| 3  | XSS                                         | Occurs when the app writes user content into a web page without sanitization. Stored: injected script is kept on the server. Reflected: injected script is echoed back in the response. | Use a Content Security Policy, never insert raw user data into the DOM, use correct HTML encoding for special characters                           |
| 4  | Broken Access Control                       | URL hijacking                                                                                                                                                                           | Before giving access to any resource, validate the credentials of the requesting user                                                              |
| 5  | Security Misconfiguration                   | Outdated software stack, unnecessary features/ports enabled, default accounts enabled                                                                                                   | Besides correcting the configurations just described, error messages should not print stack traces to the client                                   |
| 6  | Sensitive Data Exposure                     | Clear-text or weak-crypto storage/transmission of data                                                                                                                                  | Salt + strong, up-to-date crypto algorithms, rotate algorithms, don't store unnecessary sensitive data, no autocomplete in sensitive forms, use TLS |
| 7  | Insufficient Attack Protection              | Non-resilient security                                                                                                                                                                  | Actively detect and respond to attacks. WAF and SIEM systems are useful                                                                            |
| 8  | CSRF                                        | Malicious website with a forged HTTP request takes advantage of the browser automatically sending credentials such as session cookies                                                   | SameSite=Strict cookie attribute, implement CSRF tokens                                                                                            |
| 9  | Using Components with Known Vulnerabilities | Self-explanatory                                                                                                                                                                        | Self-explanatory                                                                                                                                    |
| 10 | Underprotected API                          | Not testing your API the way you test the rest of your application                                                                                                                      | Ensure secured communication between client and API, implement access control and input sanitization                                              |
+----+---------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+
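Rows 1 and 3 each compress the fix into a phrase. As an added example (not code from the gist or its author), the following Python puts the defect beside the hardened form for both rows: SQL built by string formatting next to a parameterized query, and raw HTML concatenation next to HTML-encoded output with a Content Security Policy header. The `users` table and its three rows, the tautology payload, and the CSP value are all constructed for the demonstration.

```python
import html
import sqlite3


def build_db():
    """Constructed sample data: an in-memory SQLite users table standing in for
    the application's real database (assumption, not from the original gist)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Row 1, the defect: untrusted input is spliced into the SQL text, so the
    interpreter parses it as part of the command rather than as a value."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Row 1, 'How To Avoid': a parameterized query. The driver binds `name` as
    data, so it can never alter the structure of the statement."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_unsafe(name):
    """Row 3, the defect: user content concatenated into HTML without encoding."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Row 3, 'How To Avoid': encode the HTML special characters (<, >, &, quotes)
    before the value reaches the page, so the browser renders it as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def csp_header():
    """Row 3, 'How To Avoid': a Content Security Policy that refuses inline
    scripts and scripts from other origins (a defensive default; assumption)."""
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'"


if __name__ == "__main__":
    db = build_db()
    # Constructed tautology payload: the textbook demonstration of why row 1 matters.
    payload = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))   # every row comes back
    print("safe:  ", find_user_safe(db, payload))     # [] - no user has that literal name
    print("safe:  ", find_user_safe(db, "alice"))

    content = "<script>alert(1)</script>"
    print(render_greeting_unsafe(content))   # a live script tag lands in the page
    print(render_greeting_safe(content))     # &lt;script&gt;... shown as text
    print(csp_header())
```

The two `find_user` functions take the same input and run against the same table; only the way the input reaches the interpreter differs, which is exactly the point of row 1. The same split applies to row 3: `html.escape` does for the HTML parser what parameter binding does for the SQL parser.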
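Rows 2 and 8 list session-handling rules (no credentials in URLs, sessions time out, session IDs rotate, SameSite cookies, CSRF tokens) without showing how they fit together. The example below is added here and is not from the gist: a small Python session store that applies all of them. The 15-minute idle timeout, the HMAC-derived CSRF token scheme, the cookie attribute set and the injectable clock are assumptions chosen for the example.

```python
import hmac
import secrets
import time

# Assumption: a 15-minute idle timeout; the gist only says sessions must time out.
SESSION_TIMEOUT_SECONDS = 15 * 60


class SessionStore:
    """Minimal server-side session store (constructed example, not a framework):
    opaque random session IDs, idle timeout, rotation after login, and a CSRF
    token bound to the session. `clock` is injectable so expiry can be tested."""

    def __init__(self, csrf_key: bytes, clock=time.time):
        self._sessions = {}        # session_id -> {"user": ..., "last_seen": ...}
        self._csrf_key = csrf_key  # server-side secret; never sent to the client
        self._clock = clock

    def _new_id(self):
        # 32 bytes (256 bits) from the OS CSPRNG: not guessable, never hardcoded.
        return secrets.token_urlsafe(32)

    def create(self, user):
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def rotate(self, old_sid):
        """Issue a fresh ID and invalidate the old one. Call this on login and on
        any privilege change so an ID handed out earlier cannot be reused."""
        data = self._sessions.pop(old_sid)
        new_sid = self._new_id()
        self._sessions[new_sid] = data
        return new_sid

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or idle too long."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        now = self._clock()
        if now - data["last_seen"] > SESSION_TIMEOUT_SECONDS:
            del self._sessions[sid]   # expired: drop it server-side as well
            return None
        data["last_seen"] = now
        return data["user"]

    def csrf_token(self, sid):
        """Row 8: a value a third-party site cannot know. Derived from the session
        ID with a server secret, embedded in the form, and required on every
        state-changing request; the browser does not attach it automatically."""
        return hmac.new(self._csrf_key, sid.encode(), "sha256").hexdigest()

    def verify_csrf(self, sid, submitted):
        # Constant-time comparison; a missing token is simply a mismatch.
        return hmac.compare_digest(self.csrf_token(sid), submitted or "")


def session_cookie(sid):
    """Rows 2 and 8 together: the ID travels only in a cookie (never in a URL),
    is unreadable by page scripts (HttpOnly), goes only over TLS (Secure), and
    is not attached to cross-site requests (SameSite=Strict)."""
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"


if __name__ == "__main__":
    store = SessionStore(csrf_key=secrets.token_bytes(32))
    sid = store.create("alice")
    sid = store.rotate(sid)                  # fresh ID once authentication completes
    print(session_cookie(sid))
    token = store.csrf_token(sid)            # goes into a hidden form field
    print("valid token accepted:", store.verify_csrf(sid, token))
    print("request without the token rejected:", store.verify_csrf(sid, None))
```

The CSRF token here is stateless (recomputed from the session ID and the server key), so nothing extra is stored per session; a synchronizer token kept in the session record works the same way from the client's point of view. Whichever variant is used, SameSite=Strict on the cookie and the token check are independent layers: the cookie attribute stops the browser sending the session at all, and the token check catches requests that still arrive without it.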