OWASP Top 10

Insecure Design

  • "Questions and answers" for password recovery
    • Answers can be social-engineered or simply looked up: more than one person can know them, so they are no evidence of identity
    • Illustration: pick a well-known persona, e.g. Michael Jackson; the answers to typical recovery questions (birthplace, mother's maiden name, first pet) can be searched online. OWASP's advice is to remove such a workflow rather than patch it.
  • A cinema chain lets customers book a number of seats before a deposit is required
    • Bots can reserve large numbers of seats in one go: the seats are held but never paid for, causing loss of income.
    • Anti-bot solutions:
      • CAPTCHAs
      • API request limits (rate limiting per account and per source)
      • NOT relying on the User-Agent header: everything in the HTTP request is under the attacker's control!
  • Lack of a lockout mechanism
    • Example: Twitter was susceptible to brute-force attacks before 2009 (no lockout or throttling on login). A lockout can also be bypassed when it is keyed on something the attacker controls, e.g. by changing the apparent country of origin.
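The two design points above (rate-limit the bots, lock out brute force, and never key either on request contents) as an added example; this is not code from the notes or from any product they mention. The user table, the thresholds and the peer address passed in by the server are assumptions of the example.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed example: a login guard with a per-account lockout and a
# per-source rate limit. The lockout is keyed on the username (the attacker
# cannot rename the victim), the rate limit on the TCP peer address the server
# hands over. Headers such as User-Agent, X-Forwarded-For or an "origin
# country" field are never used as keys: everything in the HTTP request is
# attacker-controlled.

MAX_FAILURES = 5          # consecutive failures before an account is locked
LOCKOUT_SECONDS = 900     # 15 minutes
RATE_LIMIT = 20           # login attempts per source address ...
RATE_WINDOW = 60          # ... per 60-second sliding window

# Hypothetical user store; plaintext only to keep the example self-contained,
# a real store keeps a salted password hash.
USERS = {"alice": "correct horse battery staple"}


class LoginGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                  # injectable for testing
        self.failures = defaultdict(int)    # username -> consecutive failures
        self.locked_until = {}              # username -> unlock timestamp
        self.attempts = defaultdict(deque)  # peer address -> attempt timestamps

    def _rate_limited(self, peer):
        now = self.clock()
        q = self.attempts[peer]
        while q and now - q[0] > RATE_WINDOW:   # drop attempts outside the window
            q.popleft()
        if len(q) >= RATE_LIMIT:
            return True
        q.append(now)
        return False

    def login(self, username, password, peer):
        """Return 'ok', 'rate_limited', 'locked' or 'denied'."""
        now = self.clock()
        if self._rate_limited(peer):
            return "rate_limited"
        if self.locked_until.get(username, 0) > now:
            return "locked"                 # even a correct password is refused
        # Constant-time compare, performed for unknown users too, so that
        # timing does not reveal which usernames exist.
        expected = USERS.get(username, "")
        if username in USERS and hmac.compare_digest(expected.encode(), password.encode()):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(MAX_FAILURES):
        print(guard.login("alice", "wrong", "203.0.113.7"))   # denied x5
    # a different peer and a different User-Agent would not help: locked is per account
    print(guard.login("alice", "correct horse battery staple", "198.51.100.9"))  # locked
```

A hard lockout also lets an attacker lock out a victim on purpose, so production systems usually combine a short lockout or progressive delays with the per-source limit rather than relying on either alone.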

Security Misconfiguration

  • Missing patches
    • Equifax failed to apply the Apache Struts patch (CVE-2017-5638), causing the 2017 data breach.
  • DEBUG flag in the Django settings not set to False
    • Detailed debug pages are returned on any error.
    • They reveal the file structure, Python version, server OS, the traceback with local variables, URL patterns and settings...
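The Django point above as an added example, not code from the notes or from Django itself: the security-relevant part of a settings.py that derives its values from the environment and fails closed. The environment variable names (DJANGO_DEBUG, DJANGO_ALLOWED_HOSTS, DJANGO_SECRET_KEY) are this example's own convention.

```python
import os

# Constructed example of a fail-closed settings module. The names of the
# environment variables are assumptions of this example, not Django's.

def build_settings(env):
    """Return DEBUG, ALLOWED_HOSTS and SECRET_KEY derived from `env`."""
    # Misconfiguration: DEBUG = True left in production. With it, a 404 or an
    # unhandled exception returns a page listing URL patterns, the traceback
    # with local variables, settings, file paths and Python/OS versions.
    # Anything other than an explicit "true" keeps DEBUG off.
    debug = env.get("DJANGO_DEBUG", "false").strip().lower() in {"1", "true", "yes"}

    # With DEBUG off, Django rejects requests whose Host header is not listed
    # here (which also blocks Host-header poisoning); an empty list means no
    # request is served, so refuse to start rather than ship a dead site.
    hosts = [h.strip() for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not debug and not hosts:
        raise RuntimeError("DEBUG is off but DJANGO_ALLOWED_HOSTS is empty; refusing to start")

    # A SECRET_KEY hard-coded in the repository is another misconfiguration:
    # it signs sessions and CSRF tokens, so it must come from the environment.
    secret = env.get("DJANGO_SECRET_KEY", "")
    if len(secret) < 50:
        raise RuntimeError("DJANGO_SECRET_KEY missing or too short")

    return {"DEBUG": debug, "ALLOWED_HOSTS": hosts, "SECRET_KEY": secret}


# Django reads module-level names, so a real settings.py ends with:
#     globals().update(build_settings(os.environ))
if __name__ == "__main__":
    print(build_settings({"DJANGO_ALLOWED_HOSTS": "app.example.com",
                          "DJANGO_SECRET_KEY": "x" * 50}))
```

Before a release, `python manage.py check --deploy` reports DEBUG = True and the other insecure defaults Django knows about; the function above just makes the safe values the only ones the process will start with.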

Vulnerable and Outdated Components

  • Solution: run Software Composition Analysis (SCA) tools regularly (e.g. OWASP Dependency-Check, pip-audit, npm audit)
  • Solution: remove unused dependencies, unnecessary features, components, files
  • Solution: monitor libraries and components that are unmaintained.

Vulnerabilities in unused dependencies can still be exploited!

    String input = ...;      // attacker-controlled, e.g. a request parameter
    Class.forName(input);    // loads any class on the classpath and runs its static initialiser

All dependencies are on the CLASSPATH, so any class in them can be loaded and invoked through reflection even if the application never calls it directly (see: Class.forName() method in Java with Examples, GeeksforGeeks).
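The same point in Python, as an added example that is not from the notes: importlib.import_module() is the analogue of Class.forName(), loading any module reachable on sys.path whether or not the application ever imports it. The plugin allow-list and the use of the stdlib module colorsys as a stand-in for an installed-but-unused dependency are assumptions of the example.

```python
import importlib
import importlib.util
import sys

# Constructed example: dynamic loading from an attacker-controlled name.
# Hypothetical allow-list of handler modules the application really needs.
ALLOWED_HANDLERS = {"json", "csv"}


def load_handler_unsafe(name):
    """Vulnerable: the module name comes straight from the request."""
    # Any module on sys.path is imported and its import-time code executed,
    # so a vulnerable or malicious package that is installed "but never used"
    # becomes live the moment this runs with its name.
    return importlib.import_module(name)


def load_handler(name):
    """Hardened: only names from a closed allow-list are resolved."""
    if name not in ALLOWED_HANDLERS:
        raise ValueError(f"handler {name!r} is not permitted")
    return importlib.import_module(name)


def installed_but_unimported(name):
    """True when `name` is importable from sys.path but not yet loaded in this process."""
    return name not in sys.modules and importlib.util.find_spec(name) is not None


if __name__ == "__main__":
    # colorsys stands in for a dependency that is installed but never used.
    print("reachable but not loaded:", installed_but_unimported("colorsys"))
    load_handler_unsafe("colorsys")           # one request parameter later...
    print("now loaded:", not installed_but_unimported("colorsys"))
    print(load_handler("json").dumps({"ok": True}))
```

Removing the unused package from the environment is the only change that makes the unsafe variant harmless; the allow-list protects this one call site but not the next developer's.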

Identification and Authentication Failures

  • CWE-259 Use of hard-coded passwords

  • CWE-384 Session fixation: the attacker plants a session ID (e.g. in a link) before the victim logs in, and the application keeps that same ID after authentication

  • Reference: What is a Web Session? | Hazelcast

  • Session IDs may be stolen through XSS vulnerabilities (injected script reading document.cookie).

  • Solution:

    • Set the HttpOnly flag: "this cookie must not be accessible to JavaScript", enforced by the web browser.
    • Set the Secure flag so that the cookie is sent only over HTTPS (i.e. Set-Cookie: ...; HttpOnly; Secure).
    • Session IDs should be long, unpredictable strings from a cryptographically secure random generator, never derived from user data; if the session store may leak, keep only a hash of the ID server-side.
    • Let session IDs expire a) after a preset time of inactivity; b) after a certain goal has been met (logout, checkout).
    • Issue a fresh session ID on login so that an ID planted before authentication is never promoted (this is the fix for session fixation).
  • Session Management Issues

    • Session IDs in the URL: they leak through the Referer header, proxy and server logs, browser history and shared links.
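The session rules above (CSPRNG IDs, hashed storage, idle and absolute expiry, rotation on login against fixation, cookie flags) as an added example; it is not code from the notes or from any framework. The store, the timeouts and the cookie name sessionid are assumptions of the example.

```python
import hashlib
import secrets
import time

# Constructed example: a minimal server-side session store.
IDLE_TIMEOUT = 30 * 60          # a) expire after 30 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # b) and unconditionally after 8 hours


def _key(sid):
    # Only SHA-256(sid) is kept server-side: a leaked session table cannot be
    # replayed as cookies, while lookup stays O(1).
    return hashlib.sha256(sid.encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable for testing
        self._sessions = {}      # sha256(sid) -> {"user", "created", "last_seen"}

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, 43 chars
        now = self.clock()
        self._sessions[_key(sid)] = {"user": user, "created": now, "last_seen": now}
        return sid

    def get(self, sid):
        """Return the session dict, or None if unknown or expired (expired ones are deleted)."""
        s = self._sessions.get(_key(sid))
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        s["last_seen"] = now
        return s

    def login(self, sid, user):
        """Promote to an authenticated session under a NEW id (defeats session fixation)."""
        self.destroy(sid)        # whatever id an attacker may have planted dies here
        return self.create(user)

    def destroy(self, sid):
        self._sessions.pop(_key(sid), None)


def set_cookie_header(sid):
    # HttpOnly: not readable via document.cookie, so XSS cannot exfiltrate it.
    # Secure: sent over HTTPS only. SameSite=Lax: not sent on cross-site POSTs.
    return f"Set-Cookie: sessionid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()                  # pre-login session, possibly attacker-planted
    auth = store.login(anon, "alice")      # rotated: anon is dead, auth is fresh
    print(store.get(anon), store.get(auth)["user"])
    print(set_cookie_header(auth))
```

Keeping the ID in a cookie with these flags is also what keeps it out of the URL, and therefore out of Referer headers and logs.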

Software and Data Integrity Failures

Security Logging and Monitoring Failures

  • Logging provides accountability, visibility, incident alerts and forensic evidence
  • Auditable events (logins, failed logins, high-value transactions, access-control failures) are not logged
  • Logs are not proactively monitored for suspicious activity
  • Logs can be tampered with (e.g. forged entries via unescaped newlines in user input; no integrity protection or off-host copy)
  • Logs may contain sensitive information (passwords, tokens, personal data)
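An added example covering three of the failures above: log injection through control characters, sensitive fields in log lines, and failed-login events that nobody looks at. It is not code from the notes; the JSON record layout, the field names and the sample records are constructed for the example.

```python
import json
import re
from collections import Counter

# Constructed example: safe structured logging plus a simple detection over it.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
SENSITIVE_KEYS = {"password", "token", "authorization", "cookie"}


def sanitize(value):
    """Escape CR/LF and other control characters so input cannot forge log lines."""
    return CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))


def redact(fields):
    """Never write credentials to the log, whatever the caller passed in."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else sanitize(v))
            for k, v in fields.items()}


def log_event(event, **fields):
    """One JSON object per line: unambiguous to parse and monitor."""
    return json.dumps({"event": event, **redact(fields)}, sort_keys=True)


def detect_bruteforce(lines, threshold=5):
    """Return {src_ip: failures} for sources with >= threshold failed logins."""
    failures = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") == "login_failed":
            failures[rec.get("src_ip")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


# Constructed sample log: six failures from one source, one from another.
SAMPLE_LOG = [log_event("login_failed", user="alice", src_ip="203.0.113.7") for _ in range(6)]
SAMPLE_LOG.append(log_event("login_failed", user="bob", src_ip="198.51.100.2"))
SAMPLE_LOG.append(log_event("login_ok", user="carol", src_ip="198.51.100.3"))

if __name__ == "__main__":
    # Attempted injection: a username that would have started a fake "login_ok" line.
    print(log_event("login_failed", user='evil\n{"event": "login_ok", "user": "admin"}',
                    src_ip="203.0.113.7", password="hunter2"))
    print(detect_bruteforce(SAMPLE_LOG))
```

The detection has no time window, which a real alert needs; the point is that the alert only exists because failed logins were logged in a form a machine can read.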

Server Side Request Forgery (SSRF)

  • Solutions
    • Enable a "deny by default" firewall policy for outbound traffic from the server; keep an allow list of URLs (scheme, host, port) the application may fetch.
    • Disable HTTP redirections: a permitted URL may redirect to an internal one.
    • Validate and sanitise client-supplied URLs, and never return the raw response to the client.
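The allow-list and no-redirect rules above as an added example, not code from the notes: a URL policy check followed by a fetch that refuses to follow 3xx responses. The allowed host names are assumptions of the example, and only the validator is exercised offline.

```python
import ipaddress
import urllib.parse
import urllib.request

# Constructed example: SSRF policy for an application that fetches user-supplied URLs.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}   # hypothetical allow-list
ALLOWED_SCHEMES = {"https"}


def is_allowed_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Deny by default: only https to an allow-listed host on the default port."""
    try:
        parts = urllib.parse.urlsplit(url)
        port = parts.port                      # raises ValueError on junk ports
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES:    # no file://, gopher://, http://
        return False
    host = parts.hostname                      # lower-cased, userinfo stripped:
    if host is None:                           # "https://api.example.com@evil.com/"
        return False                           # has hostname evil.com
    if port not in (None, 443):
        return False
    try:
        ipaddress.ip_address(host)             # literal IPs are never allowed, which
        return False                           # covers 127.0.0.1, ::1, 169.254.169.254
    except ValueError:
        pass
    return host in allowed_hosts


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # the 3xx surfaces as an HTTPError instead of being followed


def fetch(url, timeout=5):
    """Fetch only policy-approved URLs and never follow redirects."""
    if not is_allowed_url(url):
        raise ValueError("URL rejected by SSRF policy: " + url)
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for u in ["https://api.example.com/v1/users",
              "https://api.example.com@evil.com/",
              "https://169.254.169.254/latest/meta-data/",
              "file:///etc/passwd"]:
        print(is_allowed_url(u), u)
```

The check works because the allow-listed names are ones the operator trusts; when arbitrary hosts must be allowed, the address has to be resolved and checked against private ranges at connection time as well, since an attacker-controlled DNS name can point anywhere.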