Owasp vulnerabilities and remedies - rajansinghal/prep GitHub Wiki

1. Insufficient Logging & Monitoring

It is estimated that the time from attack to detection can take up to 200 days, and often longer. In the meantime, attackers can tamper with servers, corrupt databases, and steal confidential information.

  • Implementing logging and audit software
  • Establishing an effective monitoring system
  • Thinking like an attacker and using a pen-testing approach

2. Using Components with known vulnerabilities

Developers use open-source components that have known vulnerabilities.

  • Remove all unused dependencies
  • Always download components from their official source

3. Lack of Resource and Rate limiting

APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. This not only leads to Denial of Service (DoS) but also leaves the door open to authentication flaws such as brute force.
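An added example (not code from the wiki page) of the two controls this item calls for: a per-client sliding-window request limiter and hard caps on request size and page size, applied before the request does any work. The limits, the clock injection and the HTTP-style status codes are assumptions made for this example.

```python
import time
from collections import defaultdict, deque

# Constructed limits for this example; tune them per endpoint in a real API.
MAX_REQUESTS = 5        # requests allowed per window, per client
WINDOW_SECONDS = 60.0   # sliding window length
MAX_BODY_BYTES = 1024   # largest request body accepted
MAX_PAGE_SIZE = 100     # largest "limit" a client may ask for in a list call


class SlidingWindowLimiter:
    """Per-client sliding-window request limiter.

    `clock` is injectable so the limiter can be tested without sleeping.
    """

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window
        self.clock = clock
        self._hits = defaultdict(deque)  # client_id -> timestamps of recent requests

    def allow(self, client_id):
        """Record a request for client_id and return whether it is within the limit."""
        now = self.clock()
        q = self._hits[client_id]
        # Forget requests that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def handle_request(limiter, client_id, body, page_size):
    """Apply rate and size limits first; returns an HTTP-style status code."""
    # The rate check runs before everything else, so rejected requests still count
    # against the client and cannot be used to probe the other limits for free.
    if not limiter.allow(client_id):
        return 429  # Too Many Requests
    if len(body) > MAX_BODY_BYTES:
        return 413  # Payload Too Large
    if page_size > MAX_PAGE_SIZE:
        return 400  # Bad Request: refuse (or clamp) oversized page requests
    return 200


if __name__ == "__main__":
    limiter = SlidingWindowLimiter()
    for i in range(7):
        print(i, handle_request(limiter, "client-a", b"{}", 20))
```

For a login endpoint, key the limiter on the account name as well as the client address; that is what turns a rate limit into a brute-force control rather than only a DoS control.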

4. Improper Assets Management

APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important; it also plays an important role in mitigating issues such as deprecated API versions and exposed debug endpoints.


Security Misconfiguration

Security misconfiguration includes using default, incomplete, or ad-hoc configurations; open cloud storage; misconfigured HTTP headers; unnecessary HTTP methods; permissive Cross-Origin Resource Sharing (CORS); and verbose error messages containing sensitive information.

  • Using Dynamic application security testing (DAST)
  • Disabling the use of default passwords
  • Keeping an eye on cloud resources, applications, and servers
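An added example (not from the wiki page) of the kind of check a DAST tool or a CI job would run against a response: a weak header set beside a hardened one, and an audit function that flags the misconfigured HTTP headers, unnecessary methods and permissive CORS named above. Both header sets, the server product string and the required-header policy are constructed for this example.

```python
# Constructed sample responses for this example; neither comes from a real server.
WEAK_RESPONSE_HEADERS = {
    "Server": "ExampleHTTPD/1.2.3 (Linux)",     # leaks product and version
    "Access-Control-Allow-Origin": "*",          # any site may call the API ...
    "Access-Control-Allow-Credentials": "true",  # ... and the policy also asks for credentials
    "Allow": "GET, POST, PUT, DELETE, TRACE",    # TRACE is not needed by the application
    "Content-Type": "text/html",
}

HARDENED_RESPONSE_HEADERS = {
    "Server": "ExampleHTTPD",
    "Access-Control-Allow-Origin": "https://app.example.com",  # one explicit origin
    "Access-Control-Allow-Credentials": "true",
    "Allow": "GET, POST",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Content-Type": "text/html; charset=utf-8",
}

# Policy assumed for this example: header name -> required value (None = just present).
REQUIRED_HEADERS = {
    "strict-transport-security": None,
    "x-content-type-options": "nosniff",
    "content-security-policy": None,
}
UNNEEDED_METHODS = {"TRACE", "TRACK"}


def audit_headers(headers):
    """Return a list of findings for a response header map; header names are case-insensitive."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    for name, expected in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif expected is not None and h[name].lower() != expected:
            findings.append(f"{name} should be {expected}")

    # Wildcard origin combined with credentials is the permissive CORS pattern to look for.
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("CORS allows any origin together with credentials")

    # A version number in Server is the verbose-information case.
    if any(c.isdigit() for c in h.get("server", "")):
        findings.append("server header reveals a version string")

    advertised = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    for method in sorted(advertised & UNNEEDED_METHODS):
        findings.append(f"unnecessary HTTP method enabled: {method}")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE_HEADERS), ("hardened", HARDENED_RESPONSE_HEADERS)):
        print(label, audit_headers(hdrs) or "no findings")
```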

Injection

Injection flaws (SQL, NoSQL, command injection, etc.) occur when untrusted input is sent to an interpreter as part of a query or command. Cross-site scripting (XSS) is the client-side case: it allows a hacker to inject malicious client-side scripts into a website and then use the web application as an attack vector to hijack user sessions or redirect the victim to malicious websites.

  • Using appropriate response headers
  • Filtering the input and encoding the output
  • Using a Content Security Policy (CSP)
  • Applying a zero-trust approach to user input

1. Broken User Authentication

Flaws in authentication allow attackers to compromise authentication tokens or to exploit implementation flaws to assume other users' identities temporarily or permanently, i.e. an attacker impersonating a valid user after compromising the token.

  • Implementing multi-factor authentication
  • Protecting user credentials
  • Sending passwords over encrypted connections

2. Broken Object Level Authorization

APIs tend to expose endpoints that handle object identifiers. Object-level authorization checks should be performed in every function that takes an identifier from the client.

3. Broken Function Level Authorization

Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, lead to authorization flaws through which attackers gain access to other users' resources and/or administrative functions.
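One added example (not code from the wiki page) serving both items 2 and 3 above: an object-level check that returns an order only to its owner or an administrator, and a function-level check that refuses an administrative operation to a regular role. The `User`/`Order` types, the in-memory store and the role names are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # assumed roles for this example: "user" or "admin"


@dataclass
class Order:
    id: int
    owner_id: int
    total: float


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed in-memory data store for the example.
ORDERS = {
    1: Order(id=1, owner_id=10, total=25.0),
    2: Order(id=2, owner_id=20, total=99.0),
}


def load_order_for(current_user, order_id):
    """Object-level authorization (item 2): the ID comes from the client, so ownership is
    checked against the authenticated user on every call, not only in the UI."""
    order = ORDERS.get(order_id)
    if order is None:
        raise NotFound(order_id)
    if order.owner_id != current_user.id and current_user.role != "admin":
        # Same error as a missing object, so callers cannot enumerate other users' IDs.
        raise NotFound(order_id)
    return order


def require_role(role):
    """Function-level authorization (item 3): the role check is enforced server-side in the
    handler itself, so hiding the admin button in the client is not what protects it."""
    def decorator(fn):
        def wrapper(current_user, *args, **kwargs):
            if current_user.role != role:
                raise Forbidden(f"{fn.__name__} requires role {role!r}")
            return fn(current_user, *args, **kwargs)
        wrapper.__name__ = fn.__name__
        return wrapper
    return decorator


@require_role("admin")
def delete_any_order(current_user, order_id):
    """Administrative function: deletes any order regardless of owner."""
    return ORDERS.pop(order_id, None) is not None


if __name__ == "__main__":
    alice, root = User(10, "user"), User(1, "admin")
    print(load_order_for(alice, 1))
    print(load_order_for(root, 2))
    print(delete_any_order(root, 2))
```

Keeping the two checks in separate, reusable helpers (an ownership lookup and a role decorator) is what makes it practical to apply them in every function rather than remembering to add them endpoint by endpoint.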