The Open Web Application Security Project (OWASP) is a not-for-profit group that publishes software tools and knowledge-based documents on application security.
On the OWASP website, all sorts of attacks and weaknesses are listed. This gives us a guideline on how to make an application more secure. Some password-related examples from the list:
Empty String Password
Password in Configuration File
Password Management: Hardcoded Password
Password Plaintext Storage
There are 10 common security risks (OWASP Top 10 - 2017) (you can click each title for more detail):
Injection
This includes SQL injection; injection can also happen in application code, wherever untrusted input is mixed into a command or query.
For example, when generating dynamic SQL, a user-supplied value (@FirstName) is concatenated directly into the query text:
'select * from Customers where FirstName = ''' + @FirstName + ''''
If a user passes in @FirstName = 'Bob'' or ''1''=''1', the query becomes
select * from Customers where FirstName = 'Bob' or '1'='1'
This will expose all customer information to hackers.
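The same dynamic-SQL flaw and its fix, as an added example that is not from the original post: the unsafe function splices the value into the query text exactly as the concatenation above does, while the safe function passes it as a bound parameter. The table, the rows and the function names are constructed for the demo (SQLite in memory instead of SQL Server, so the value is passed as a plain Python string rather than with T-SQL doubled quotes).

```python
import sqlite3

# Constructed sample data (not from the original page): three customers.
CUSTOMERS = [
    ("Bob", "bob@example.com"),
    ("Alice", "alice@example.com"),
    ("Carol", "carol@example.com"),
]


def _make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (FirstName TEXT, Email TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", CUSTOMERS)
    return conn


def find_by_first_name_unsafe(conn, first_name):
    # Mirrors the page's dynamic SQL: the user value becomes part of the
    # query text, so a quote in the input changes the query's structure.
    sql = "select * from Customers where FirstName = '" + first_name + "'"
    return conn.execute(sql).fetchall()


def find_by_first_name_safe(conn, first_name):
    # Parameterised query: the value travels separately from the SQL text,
    # so it is only ever compared as a string, never parsed as SQL.
    sql = "select * from Customers where FirstName = ?"
    return conn.execute(sql, (first_name,)).fetchall()


def demo():
    conn = _make_db()
    # The injected value from the page: the unsafe path turns it into
    # "... = 'Bob' or '1'='1'", which is true for every row.
    injected = "Bob' or '1'='1"
    return {
        "unsafe_rows": len(find_by_first_name_unsafe(conn, injected)),
        "safe_rows": len(find_by_first_name_safe(conn, injected)),
        "safe_legit_rows": len(find_by_first_name_safe(conn, "Bob")),
    }


if __name__ == "__main__":
    print(demo())  # unsafe: 3 rows, safe with same input: 0 rows, safe "Bob": 1 row
```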
Broken Authentication
This is mostly related to securely managing user login sessions. Problems occur if user passwords or session IDs are exposed, or if timeout and logout are not handled properly.
Sensitive Data Exposure
This is also known as a data breach. To avoid it, sensitive data needs to be encrypted at rest (disk encryption and database encryption) and in transit (encrypted connections to the web server and the database server).
XML External Entities (XXE)
Attackers can intercept XML files that may include sensitive data (such as passwords) or references to resources holding sensitive data (such as a Web API URL that is not protected).
Broken Access Control
This is about authorization loopholes that allow some users to access more data than they should. It includes the following areas:
Forced Browsing Past Access Control Checks
Client Side Caching
Security Misconfiguration
This relates to security settings (configuration, upgrades and patches) that are not applied properly or not kept up to date. It also includes exposing sensitive details from the application (such as revealing the database schema in an error message).
Insecure Deserialization
This occurs when untrusted data is used to abuse the logic of an application and interrupt users' use of it, which in turn causes a denial of service (DoS) attack.
Using Components with Known Vulnerabilities
This means using another software component that is not secure. It is often a problem when using open source software without tracking its known vulnerabilities.
Insufficient Logging & Monitoring
Logging and monitoring should be in place so that security attacks can be detected and acted on proactively.