OWASP - alexanderteplov/computer-science GitHub Wiki
OWASP Top 10 (The Open Web Application Security Project), 2017 edition
Top 10 list
Injection (SQL, NoSQL, LDAP, OS command) occurs when untrusted data is sent to an interpreter as part of a command or query, so the interpreter parses the data as part of the command itself. The primary defence is an API that keeps data separate from code: parameterised queries / prepared statements, or an ORM that binds parameters. Allow-list server-side validation of input and, as a last resort, interpreter-specific escaping of special characters are additional layers, not replacements. Identifiers (table and column names) cannot be bound as parameters, so they must be validated against an allow-list before they reach the query.
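As an added example (not from this wiki), the same login query written both ways in Python with the standard-library sqlite3 module; the in-memory database, the users and the plaintext passwords are constructed for the demo only. It also shows the one case parameters cannot cover, a user-chosen column name:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database for the demo (not real data).

    Passwords are stored in plaintext only to keep the injection demo short;
    never do that in a real schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # Untrusted strings are concatenated into the statement, so the SQL
    # interpreter parses them as part of the command. name = "alice' --"
    # comments out the password check; password = "' OR '1'='1" matches everyone.
    query = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    # Parameterised query: the driver sends the values separately from the
    # query text, so no input can change the statement's structure.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


ALLOWED_SORT_COLUMNS = {"id", "name"}   # allow-list for the one thing we cannot bind


def list_users(conn, sort_by):
    # Identifiers (column/table names) cannot be passed as parameters, so the
    # only defence is validation against an allow-list before interpolation.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("invalid sort column")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {sort_by}")]
```

The vulnerable variant returns alice for the name `alice' --` with any password; the parameterised variant returns nothing, because the quote and the `--` are just characters in a value.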
Broken Authentication is an incorrect implementation of authentication or session management. To avoid it: use multi-factor authentication, enforce strong passwords (and check them against lists of known-breached passwords), store credentials only as salted, deliberately slow hashes and never expose them, limit, delay and log failed login attempts, limit session lifetime, use long random session IDs generated by a CSPRNG, rotate them on login, and invalidate them on the server at logout.
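An added example (not from this wiki) of those rules in a small, self-contained Python authentication service: scrypt-hashed passwords, a failure counter with lockout, CSPRNG session IDs, rotation on login, lifetime limits and server-side invalidation. The policy constants and the injectable clock are assumptions for the demo:

```python
import hashlib
import hmac
import os
import secrets
import time

# Policy values assumed for the demo; tune them for a real deployment.
SESSION_LIFETIME = 15 * 60      # seconds a session ID stays valid
MAX_FAILED_ATTEMPTS = 5         # failures before the account is locked...
LOCKOUT_SECONDS = 10 * 60       # ...for this long

# Used for unknown usernames so the hashing cost is paid either way (no
# timing difference between "no such user" and "wrong password").
DUMMY_RECORD = (b"\x00" * 16, b"\x00" * 64)


def hash_password(password, salt=None):
    """Salted, deliberately slow hash (scrypt) so a leaked table is costly to crack."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self.users = {}             # name -> (salt, digest); never the password itself
        self.failures = {}          # name -> (failed count, locked-until timestamp)
        self.sessions = {}          # session id -> (name, expires-at timestamp)
        self.audit = []             # every attempt is logged, success or failure

    def register(self, name, password):
        self.users[name] = hash_password(password)

    def login(self, name, password, current_sid=None):
        """Returns a fresh session ID on success, None otherwise."""
        now = self.clock()
        count, locked_until = self.failures.get(name, (0, 0.0))
        if now < locked_until:
            self.audit.append(f"login locked user={name}")
            return None
        salt, digest = self.users.get(name, DUMMY_RECORD)
        candidate = hash_password(password, salt)[1]
        ok = name in self.users and hmac.compare_digest(digest, candidate)
        if not ok:
            count += 1
            if count >= MAX_FAILED_ATTEMPTS:
                count, locked_until = 0, now + LOCKOUT_SECONDS
            self.failures[name] = (count, locked_until)
            self.audit.append(f"login failed user={name}")
            return None
        self.failures.pop(name, None)
        # Rotate: drop whatever session the client presented before
        # authenticating, so a planted ID (session fixation) gains nothing.
        self.sessions.pop(current_sid, None)
        sid = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG
        self.sessions[sid] = (name, now + SESSION_LIFETIME)
        self.audit.append(f"login ok user={name}")
        return sid

    def current_user(self, sid):
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        name, expires_at = entry
        if self.clock() >= expires_at:
            del self.sessions[sid]      # expired: treat exactly like unknown
            return None
        return name

    def logout(self, sid):
        self.sessions.pop(sid, None)    # invalidate server-side, not just the cookie
```

Note that the lockout is keyed by username and also applies to names that do not exist, so an attacker cannot tell the two apart by counting attempts.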
Sensitive Data Exposure is revealing data such as financial records, healthcare records or PII. With such data, attackers may conduct credit card fraud, identity theft or other crimes. To protect it: first, classify the data being processed, stored or transmitted; second, don't store data you don't need; third, encrypt it properly both at rest and in transit (TLS with a current configuration for transport, strong algorithms with proper key management for storage), and store passwords only as salted, slow hashes.
XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents, which lets an attacker read local files, probe internal hosts (SSRF) or cause denial of service. Protection golden rule - avoid XML =) If that's not an option: keep XML processors up-to-date, disable DTD processing and external entity evaluation in every XML parser the application uses, implement allow-list server-side input validation, and use SAST tools to find XXE in source code.
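An added example (not from this wiki) of the "disable DTDs" rule applied before the parser is even involved: since an entity can only be declared inside a DTD, refusing any document that carries one removes external entities, parameter entities and "billion laughs" expansion regardless of the underlying parser's defaults. The size cap and the UTF-8-only policy are assumptions for the demo; the sample documents are constructed. Libraries such as defusedxml do the same job more thoroughly.

```python
import re
import xml.etree.ElementTree as ET

MAX_XML_BYTES = 1_000_000   # assumed size cap; oversized documents are a DoS vector too


class UnsafeXML(ValueError):
    """Raised for documents we refuse to hand to the parser at all."""


# A DTD is the only place an entity can be declared, so no DTD means no
# external entities and no entity expansion, whatever the parser would do.
_DTD_MARKER = re.compile(r"<!(DOCTYPE|ENTITY)\b")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    if len(data) > MAX_XML_BYTES:
        raise UnsafeXML("document too large")
    # Policy: only UTF-8 is accepted. Decoding first stops a UTF-16 or other
    # encoding from hiding the DOCTYPE from the text check below.
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise UnsafeXML("only UTF-8 XML is accepted") from exc
    if _DTD_MARKER.search(text):
        raise UnsafeXML("DTD / entity declarations are not accepted")
    return ET.fromstring(text)


def is_accepted(data: bytes) -> bool:
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXML, ET.ParseError):
        return False


# Constructed sample documents for the demo.
BENIGN_XML = b"<order><item>widget</item><qty>2</qty></order>"
XXE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<order><item>&xxe;</item></order>"
)
BILLION_LAUGHS_XML = (
    b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
    b"<lolz>&lol2;</lolz>"
)
```

The guard is deliberately stricter than the XML standard: a legitimate document with a harmless DTD is rejected too, which is the right trade-off for input from the network.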
Broken Access Control (broken authorization) is typically a wrongly implemented, forgotten or incomplete enforcement of what an authenticated user is allowed to do. Use the following advice: deny by default, with the only exception of public resources; implement the access control mechanism once and reuse it everywhere; enforce record ownership (a user may only view or modify records they own) instead of trusting IDs supplied by the client; disable web server directory listing and keep file metadata (e.g. .git) and backups out of the web root; log access control failures and alert on repeated ones; invalidate stateless tokens (e.g. JWT) on the server after logout.
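An added example (not from this wiki) of a deny-by-default authorization check in Python with an explicit role/action allow-list, an ownership check for the record being accessed (the check whose absence gives IDOR bugs), a single public exception, and an audit trail of every decision. Roles, actions and documents are constructed for the demo:

```python
from dataclasses import dataclass
from typing import Optional


class Forbidden(PermissionError):
    pass


@dataclass(frozen=True)
class Document:
    id: int
    owner: str


@dataclass(frozen=True)
class User:
    name: str
    role: str = ""          # empty role == no permissions at all


# Explicit allow-list of (role, action). Anything not listed is denied; there is
# no "else: allow" anywhere below.
ROLE_PERMISSIONS = {
    ("user", "document:read"),
    ("user", "document:update"),
    ("admin", "document:read"),
    ("admin", "document:update"),
    ("admin", "document:delete"),
}

# For non-admins these actions additionally require owning the record. The
# client sends "doc 42"; nothing but this check asks whether 42 is theirs.
OWNER_ONLY_ACTIONS = {"document:read", "document:update"}

PUBLIC_ACTIONS = {"document:list_public"}   # the one exception to deny-by-default


def authorize(user: User, action: str, doc: Optional[Document], audit: list) -> None:
    """Raises Forbidden unless `user` may perform `action` on `doc`."""
    doc_id = doc.id if doc is not None else None
    if action in PUBLIC_ACTIONS:
        audit.append(f"ALLOW public user={user.name} action={action}")
        return
    if (user.role, action) not in ROLE_PERMISSIONS:
        audit.append(f"DENY role user={user.name} role={user.role!r} action={action} doc={doc_id}")
        raise Forbidden(f"{action} not permitted for role {user.role!r}")
    if user.role != "admin" and action in OWNER_ONLY_ACTIONS and doc.owner != user.name:
        audit.append(f"DENY owner user={user.name} action={action} doc={doc_id} owner={doc.owner}")
        raise Forbidden(f"{action} on document {doc_id}: not the owner")
    audit.append(f"ALLOW user={user.name} action={action} doc={doc_id}")


def can(user: User, action: str, doc: Optional[Document] = None, audit: Optional[list] = None) -> bool:
    """Boolean wrapper for callers that only need yes/no."""
    try:
        authorize(user, action, doc, audit if audit is not None else [])
        return True
    except Forbidden:
        return False
```

Every DENY line in the audit list is the kind of event the page's logging advice is about: a user repeatedly hitting DENY owner on other people's document IDs is someone enumerating records.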
Security Misconfiguration is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers and verbose error messages containing sensitive information. To avoid it: don't do any of that; automate environment setup so development, test and production are configured identically; use different credentials per environment; do not install or enable unnecessary features; keep everything patched; and verify configuration integrity with automated checks.
Cross-Site Scripting (XSS) occurs whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. Protective measures: use frameworks that escape output by design (and know where their escape hatches are), escape untrusted data in HTTP responses, apply encoding appropriate to the context the data lands in (HTML body, attribute, JavaScript, CSS, URL), and enable a Content Security Policy (CSP) as defence in depth.
Insecure Deserialization often leads to remote code execution; it also enables replay attacks, injection attacks and privilege escalation. The only safe architectural pattern is not to accept serialized objects from untrusted sources, or to use serialization formats that only permit primitive data types (e.g. JSON). If that's not possible: verify an integrity check (signature or MAC) before deserializing, enforce strict type constraints on what comes out, isolate the deserialization code in a low-privilege environment, and log deserialization failures.
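An added example (not from this wiki) in Python: first why pickle from an untrusted source is remote code execution (the data names the function the loader will call), then the recommended alternative, a primitives-only format (JSON) with an HMAC checked before parsing and a strict field/type schema applied after. The secret key and the schema are assumptions for the demo:

```python
import hashlib
import hmac
import json
import os
import pickle


# --- the problem: a format that can say "call this function" ----------------

class Malicious:
    # pickle serialises an object as the (callable, args) pair returned by
    # __reduce__; pickle.loads then calls callable(*args) to "rebuild" it. The
    # callable is named in the data, so the attacker picks it. Here it is the
    # harmless os.path.basename; os.system("...") would be pickled the same way.
    def __reduce__(self):
        return (os.path.basename, ("/tmp/pwned-by-pickle",))


def build_malicious_blob() -> bytes:
    return pickle.dumps(Malicious())


def load_vulnerable(blob: bytes):
    return pickle.loads(blob)    # whatever function the blob names gets called


# --- the fix: primitives only, integrity-checked before parsing -------------

SECRET_KEY = b"constructed-demo-key-rotate-me"   # assumed shared secret


def dumps_safe(obj) -> bytes:
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def loads_safe(blob: bytes, schema: dict) -> dict:
    tag, _, body = blob.partition(b".")
    expected = hmac.new(SECRET_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):   # constant-time, before parsing anything
        raise ValueError("integrity check failed")
    obj = json.loads(body)      # can only yield dict/list/str/int/float/bool/None
    # Strict type constraints: exactly the expected fields, each of the expected type.
    if not isinstance(obj, dict) or set(obj) != set(schema):
        raise ValueError("unexpected field set")
    for field, typ in schema.items():
        value = obj[field]
        # bool is a subclass of int in Python, so it needs an explicit check.
        if isinstance(value, bool) and typ is not bool:
            raise ValueError(f"bad type for {field}")
        if not isinstance(value, typ):
            raise ValueError(f"bad type for {field}")
    return obj
```

The MAC only proves the blob was produced by a holder of the key; it does not make pickle safe, which is why the safe path uses JSON. The schema check is what turns "any JSON" into "exactly the record we expected".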
Using Components with Known Vulnerabilities: applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts. Avoid obscure dependencies from untrusted sources, which you often do not need; for what you do use, keep an inventory of components and their versions (client and server side), keep them up-to-date, obtain them only from official sources over secure links, and use automated tools (dependency scanners) to flag known CVEs continuously.
Insufficient Logging & Monitoring: lack of logging and monitoring lets attackers operate undetected for a long time. Logins, failed logins and high-value transactions should be logged with enough context to identify suspicious accounts, in a format a log management solution can consume; the monitoring system should alert in near real time so incidents are detected and escalated quickly, and an incident response plan should exist. Application protection frameworks such as OWASP AppSensor and web application firewalls help with detection and response.
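An added example (not from this wiki) of the kind of detection that this logging enables: a single-pass Python detector over login audit lines that raises an alert when one IP crosses a failure threshold inside a sliding window, and another when a success follows a burst of failures. The log format, the sample lines and the thresholds are constructed for the demo:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an application's login audit log (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login result=fail user=alice ip=203.0.113.9
2024-05-01T10:00:03Z login result=fail user=bob ip=203.0.113.9
2024-05-01T10:00:05Z login result=fail user=carol ip=203.0.113.9
2024-05-01T10:00:07Z login result=fail user=dave ip=203.0.113.9
2024-05-01T10:00:09Z login result=fail user=erin ip=203.0.113.9
2024-05-01T10:00:11Z login result=ok user=erin ip=203.0.113.9
2024-05-01T10:00:30Z login result=fail user=alice ip=198.51.100.7
2024-05-01T10:05:00Z login result=fail user=alice ip=198.51.100.7
2024-05-01T10:05:02Z login result=ok user=alice ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

FAIL_THRESHOLD = 5                 # assumed tuning values
WINDOW = timedelta(seconds=60)
SUSPICIOUS_PRIOR_FAILS = 3


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(lines):
    """Streaming detector: one pass, alerts emitted as soon as a rule fires."""
    alerts = []
    fails = defaultdict(deque)       # ip -> timestamps of recent failures
    targets = defaultdict(set)       # ip -> distinct usernames tried
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                 # in production, unparsable lines get their own alert
        q = fails[ev["ip"]]
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()              # slide the window forward
        if ev["result"] == "fail":
            q.append(ev["ts"])
            targets[ev["ip"]].add(ev["user"])
            if len(q) == FAIL_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append({
                    "kind": "brute_force",
                    "ip": ev["ip"],
                    "at": ev["ts"].isoformat(),
                    "distinct_users": len(targets[ev["ip"]]),
                })
        elif len(q) >= SUSPICIOUS_PRIOR_FAILS:
            # A success right after a burst of failures is the event you most
            # want a human to look at: it may be the attacker getting in.
            alerts.append({
                "kind": "success_after_failures",
                "ip": ev["ip"],
                "user": ev["user"],
                "at": ev["ts"].isoformat(),
            })
    return alerts
```

On the sample, 203.0.113.9 trips the brute-force rule on its fifth failure (five different usernames, i.e. password spraying) and then the success rule; 198.51.100.7 never does, because its two failures are more than a minute apart.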
XSS
reflected - a script is injected via a URL parameter or HTML form field and echoed back by the server in the response without validation or escaping; the malicious link is typically delivered to the victim by email or messenger, often appearing to come from a trusted sender
stored - the application or API stores unsanitised user input that is viewed at a later time by another user or an administrator. Stored XSS is often considered a high or critical risk, because the victim only has to view the page
DOM-based - similar in effect to reflected, but the payload need not reach the server at all: client-side JavaScript reads attacker-controlled data (e.g. from location.hash) and writes it into the page through a dangerous sink such as innerHTML or eval without validation
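An added example (not from this wiki) of context-sensitive output encoding in Python, covering the reflected and stored cases above (the render function is the same whether `query` came from the request or from the database) and the href case that encoding alone cannot fix. The markup and the payload are constructed for the demo; for the DOM-based case the equivalent client-side rule is to write untrusted data with textContent rather than innerHTML.

```python
import html
import json
from urllib.parse import urlsplit


def render_vulnerable(query: str) -> str:
    # Untrusted input pasted straight into markup: reflected XSS if `query`
    # comes from the request, stored XSS if it was saved earlier by another user.
    return f"<p>Results for {query}</p>"


# Each output context needs its own encoding; HTML-escaping a value and then
# dropping it into a <script> block or an href is not enough.

def html_text(value: str) -> str:
    return html.escape(value, quote=False)          # & < > for element content


def html_attr(value: str) -> str:
    return html.escape(value, quote=True)           # also " and '; always quote the attribute


_JS_EXTRA = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026",
             "\u2028": "\\u2028", "\u2029": "\\u2029"}


def js_string(value: str) -> str:
    # json.dumps yields a valid JS string literal (quotes, backslashes, control
    # chars). The extra replacements stop a "</script>" or "<!--" inside the
    # value from ending the script block as the HTML parser sees it.
    out = json.dumps(value)
    for ch, esc in _JS_EXTRA.items():
        out = out.replace(ch, esc)
    return out


def safe_href(url: str) -> str:
    # Encoding cannot fix an href: "javascript:alert(1)" is a well-formed
    # attribute value. Allow-list the scheme first, then attribute-encode.
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return html_attr(url)


def render_safe(query: str, next_url: str) -> str:
    return (
        f"<p>Results for {html_text(query)}</p>"
        f'<input name="q" value="{html_attr(query)}">'
        f'<a href="{safe_href(next_url)}">next</a>'
        f"<script>var lastQuery = {js_string(query)};</script>"
    )
```

With the payload `"><script>alert(1)</script>` the vulnerable render emits a live script element; the safe render emits it as text in the paragraph, as an entity-encoded attribute value, and as `\u003c`-escaped characters inside the JavaScript string, and replaces the `javascript:` link with `#`. A CSP that forbids inline scripts would stop the vulnerable variant too, but only as a second layer.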