OWASP Web

This document summarizes several common web application security risks from the OWASP Top 10 list, including: 1) Broken access control issues like permitting access without authorization, bypassing access checks, and privilege escalation. 2) Cryptographic failures such as transmitting unencrypted data, using weak algorithms or keys, and failing to validate certificates. 3) Injection flaws from not sanitizing user input in queries, commands, or other injection points.

Uploaded by Iheb Hammami

OWASP Top 10 (Web Application)

@hackinarticles
https://github.com/Ignitetechnologies
https://in.linkedin.com/company/hackingarticles

Broken Access Control

Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.

Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.

Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references).

Accessing API with missing access controls for POST, PUT and DELETE.

Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user.

Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation.

CORS misconfiguration allows API access from unauthorized/untrusted origins.

Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.

Cryptographic Failures

Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, FTP, also those using TLS upgrades like STARTTLS. External internet traffic is hazardous. Verify all internal traffic, e.g., between load balancers, web servers, or back-end systems.

Are any old or weak cryptographic algorithms or protocols used either by default or in older code?

Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing? Are crypto keys checked into source code repositories?

Is encryption not enforced, e.g., are any HTTP headers (browser) security directives or headers missing?

Is the received server certificate and the trust chain properly validated?

Are initialization vectors ignored, reused, or not generated sufficiently securely for the cryptographic mode of operation? Is an insecure mode of operation such as ECB in use? Is encryption used when authenticated encryption is more appropriate?

Are passwords being used as cryptographic keys in the absence of a password-based key derivation function?

Is randomness used for cryptographic purposes that was not designed to meet cryptographic requirements? Even if the correct function is chosen, does it need to be seeded by the developer, and if not, has the developer over-written the strong seeding functionality built into it with a seed that lacks sufficient entropy/unpredictability?

Are deprecated hash functions such as MD5 or SHA1 in use, or are non-cryptographic hash functions used when cryptographic hash functions are needed?

Are deprecated cryptographic padding methods such as PKCS number 1 v1.5 in use?

Are cryptographic error messages or side channel information exploitable, for example in the form of padding oracle attacks?
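The Broken Access Control items above (insecure direct object references, missing checks on POST/PUT/DELETE, acting as admin while logged in as a user) are easiest to see side by side in code. The following is an added example written for this page, not code from the cheat sheet or from Hacking Articles; the account records, the role policy and the function names are constructed for illustration. It shows a lookup that trusts the identifier alone, and then the same operations behind a deny-by-default role check plus an ownership check that also guards the write paths.

```python
"""Deny-by-default access control with object-level ownership checks.

Added example (not from the cheat sheet): a tiny in-memory "accounts" API
that illustrates insecure direct object references, missing checks on
POST/PUT/DELETE, and acting as admin when logged in as a user.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    roles: set = field(default_factory=set)


class Forbidden(Exception):
    pass


# Constructed sample data: two accounts owned by two different users.
ACCOUNTS = {
    101: {"owner": 1, "balance": 50},
    102: {"owner": 2, "balance": 900},
}

# Explicit policy: which roles may perform which action. Any action not
# listed here is denied (deny by default).
POLICY = {
    "account:read": {"user", "admin"},
    "account:update": {"user", "admin"},
    "account:delete": {"admin"},
}


def vulnerable_get_account(account_id):
    """Before: the identifier alone selects the record (IDOR), no caller check."""
    return ACCOUNTS[account_id]


def authorize(user, action, account_id):
    """Role check first, then an ownership check for non-admin users."""
    if user is None:
        raise Forbidden("authentication required")
    allowed_roles = POLICY.get(action, set())   # unknown action -> empty set -> deny
    if not (user.roles & allowed_roles):
        raise Forbidden(f"role not permitted for {action}")
    record = ACCOUNTS.get(account_id)
    if record is None:
        raise Forbidden("no such object")        # same error as denial: do not leak existence
    if "admin" not in user.roles and record["owner"] != user.user_id:
        raise Forbidden("not the owner")
    return record


def get_account(user, account_id):
    return dict(authorize(user, "account:read", account_id))


def update_balance(user, account_id, new_balance):
    # The same check guards the write paths, not only GET.
    record = authorize(user, "account:update", account_id)
    record["balance"] = new_balance
    return dict(record)


def delete_account(user, account_id):
    authorize(user, "account:delete", account_id)
    del ACCOUNTS[account_id]
    return True
```

Because the policy table is the only place that grants anything, a new action added to the API without a policy entry is refused rather than silently allowed, which is the deny-by-default behaviour the first item asks for.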

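Two of the Cryptographic Failures questions above, passwords used directly as keys and randomness that was never meant for cryptography, can be contrasted with the correct stdlib calls in a few lines. The block below is an added example for this page, not code from the cheat sheet; the iteration count and the storage string format are assumptions, and only hashlib, hmac and secrets are used so it runs without third-party libraries.

```python
"""Password-based key derivation and cryptographic randomness (stdlib only).

Added example (not from the cheat sheet). Contrasts a password used as a raw
key and a seeded non-cryptographic RNG with PBKDF2-HMAC-SHA256 over a random
salt and an OS-backed CSPRNG.
"""
import hashlib
import hmac
import random
import secrets

PBKDF2_ITERATIONS = 600_000   # assumption: tune for your hardware and latency budget


def weak_key_from_password(password: str) -> bytes:
    """Before: the password bytes become the key, padded/truncated to 32 bytes.
    Low entropy, no salt, and identical for every user with the same password."""
    return password.encode().ljust(32, b"\0")[:32]


def weak_iv() -> bytes:
    """Before: random.Random is a Mersenne Twister; with a fixed seed the
    'IV' is the same every time, and even unseeded it is predictable."""
    rng = random.Random(12345)
    return bytes(rng.getrandbits(8) for _ in range(16))


def derive_key(password: str, salt=None):
    """After: PBKDF2-HMAC-SHA256 with a 16-byte random salt. Returns (salt, key)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              PBKDF2_ITERATIONS, dklen=32)
    return salt, key


def fresh_iv(size: int = 16) -> bytes:
    """After: OS CSPRNG; there is no seed for the developer to get wrong."""
    return secrets.token_bytes(size)


def store_password(password: str) -> str:
    """Encode algorithm, iterations, salt and derived key (constructed format)."""
    salt, key = derive_key(password)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, key_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters), dklen=32)
    # Constant-time comparison: a plain == leaks how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))
```

Storing the iteration count next to the hash lets you raise the cost later and re-hash on next login, which is the "key rotation" half of the key-management question.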
Security Misconfiguration

Missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services.

Unnecessary features are enabled or installed (e.g., unnecessary ports, services, pages, accounts, or privileges).

Default accounts and their passwords are still enabled and unchanged.

Error handling reveals stack traces or other overly informative error messages to users.

For upgraded systems, the latest security features are disabled or not configured securely.

The security settings in the application servers, application frameworks (e.g., Struts, Spring, ASP.NET), libraries, databases, etc., are not set to secure values.

The server does not send security headers or directives, or they are not set to secure values.

Insecure Design

Establish and use a secure development lifecycle with AppSec professionals to help evaluate and design security and privacy-related controls.

Establish and use a library of secure design patterns or paved road ready-to-use components.

Use threat modeling for critical authentication, access control, business logic, and key flows.

Integrate security language and controls into user stories.

Integrate plausibility checks at each tier of your application (from frontend to backend).

Write unit and integration tests to validate that all critical flows are resistant to the threat model. Compile use-cases and misuse-cases for each tier of your application.

Segregate tier layers on the system and network layers depending on the exposure and protection needs.

Segregate tenants robustly by design throughout all tiers.

Limit resource consumption by user or service.

Injection

User-supplied data is not validated, filtered, or sanitized by the application.

Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.

Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.

Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.
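The last two Security Misconfiguration items (security headers absent or weak, and overly informative responses) can be checked automatically against any captured response. The following is an added example written for this page, not code from the cheat sheet; the header baseline, the 180-day HSTS minimum and the two sample responses are assumptions you should replace with your own policy.

```python
"""Audit an HTTP response for missing or weak security headers.

Added example (not from the cheat sheet). Input is a plain dict of response
headers, so it runs against a test client or a saved response offline.
"""


def _max_age(value):
    """Extract max-age=N from a Strict-Transport-Security value, 0 if absent/invalid."""
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            try:
                return int(part[len("max-age="):])
            except ValueError:
                return 0
    return 0


# header name (lower-cased) -> predicate the value must satisfy. Assumed baseline.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: _max_age(v) >= 15_552_000,   # 180 days
    "content-security-policy": lambda v: "default-src" in v,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: bool(v.strip()),
}

# Headers that advertise the stack: the "overly informative" point applied to headers.
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}


def audit_headers(headers):
    """Return a sorted list of findings; an empty list means the baseline is met."""
    normalized = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in REQUIRED_HEADERS.items():
        if name not in normalized:
            findings.append(f"missing: {name}")
        elif not ok(normalized[name]):
            findings.append(f"weak: {name}={normalized[name]!r}")
    for name in DISCLOSURE_HEADERS & normalized.keys():
        findings.append(f"disclosure: {name}={normalized[name]!r}")
    return sorted(findings)


# Constructed sample responses (not captured from any real server)
WEAK_RESPONSE = {
    "Server": "Apache/2.4.1 (Unix)",
    "X-Powered-By": "PHP/7.4",
    "Strict-Transport-Security": "max-age=60",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
}
```

Run it as a test in CI against the application's own test client so a framework upgrade or a reverse-proxy change that drops a header fails the build rather than surfacing in a pentest report.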

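The Injection items describe the same defect from two sides: the query text is built by concatenation, so the interpreter cannot tell structure from data. The block below is an added example for this page, not code from the cheat sheet; the table, rows and hostile input are constructed. It uses the stdlib sqlite3 module so the two forms can be run against each other offline, and also covers the LIKE case, where binding alone is not enough because `%` and `_` are pattern characters.

```python
"""Concatenated query vs. bound parameters, on an in-memory SQLite database.

Added example (not from the cheat sheet). The hostile input is the textbook
tautology, included only to show the concatenated query changing shape while
the parameterized query treats the identical text as a plain value.
"""
import sqlite3


def make_db():
    """Constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Before: user input is spliced into the SQL text and can change the query."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """After: the value travels as a bound parameter; the SQL structure is fixed."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def find_users_by_prefix_safe(conn, prefix):
    """LIKE needs context-aware escaping of % and _ even with binding,
    otherwise a user-supplied '%' matches every row."""
    escaped = (prefix.replace("\\", "\\\\")
                     .replace("%", "\\%")
                     .replace("_", "\\_"))
    sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (escaped + "%",)).fetchall()]


HOSTILE = "x' OR '1'='1"   # constructed hostile input


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, HOSTILE))   # every row comes back
    print("safe:      ", find_user_safe(db, HOSTILE))         # no such username
```

The same rule applies to ORM query builders and to shell commands: anything that assembles interpreter syntax from strings needs the value passed through the interface that binds it, not through string formatting.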
Vulnerable and Outdated Components

If you do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies.

If the software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.

If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use.

If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, leaving organizations open to days or months of unnecessary exposure to fixed vulnerabilities.

If software developers do not test the compatibility of updated, upgraded, or patched libraries.

Identification and Authentication Failures

Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.

Permits brute force or other automated attacks.

Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".

Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers," which cannot be made safe.

Uses plain text, encrypted, or weakly hashed password data stores.

Has missing or ineffective multi-factor authentication.

Exposes session identifiers in the URL.

Reuses the session identifier after successful login.

Does not correctly invalidate session IDs. User sessions or authentication tokens (mainly single sign-on (SSO) tokens) aren't properly invalidated during logout or a period of inactivity.
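The last three Identification and Authentication items are all session-lifecycle mistakes: keeping the pre-login identifier after login, not invalidating it server-side at logout, and never expiring it on inactivity. The block below is an added example for this page, not code from the cheat sheet; the store is in-memory, the timeout is an assumption, and the clock is injected so the inactivity rule can be exercised without waiting.

```python
"""Session lifecycle: rotate on login, expire on inactivity, invalidate on logout.

Added example (not from the cheat sheet). Identifiers come from `secrets` and
are intended to travel in a cookie, never in the URL.
"""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self.idle_timeout = idle_timeout      # seconds of inactivity before expiry (assumed)
        self.clock = clock
        self._sessions = {}                   # session_id -> {"user": ..., "last_seen": float}

    def create(self, user=None):
        """Anonymous (pre-login) or authenticated session with a fresh 256-bit ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def login(self, old_sid, user):
        """Rotate the identifier on privilege change: the pre-login ID must never
        become an authenticated one (this is the session-fixation defence)."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        """Server-side invalidation. Clearing the cookie alone leaves the ID usable."""
        return self._sessions.pop(sid, None) is not None

    def get_user(self, sid):
        """Return the user for a live session or None; refreshes last_seen on success."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]           # expired by inactivity
            return None
        entry["last_seen"] = now
        return entry["user"]

    def live_count(self):
        return len(self._sessions)


class FakeClock:
    """Constructed clock for deterministic tests."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds
```

For single sign-on, the same `logout` step must also revoke or at least blacklist the SSO token at the identity provider, since a local store cannot expire a token the provider still honours.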

Security Logging and Monitoring Failures

Auditable events, such as logins, failed logins, and high-value transactions, are not logged.

Warnings and errors generate no, inadequate, or unclear log messages.

Logs of applications and APIs are not monitored for suspicious activity.

Logs are only stored locally.

Appropriate alerting thresholds and response escalation processes are not in place or effective.

Penetration testing and scans by dynamic application security testing (DAST) tools (such as OWASP ZAP) do not trigger alerts.

The application cannot detect, escalate, or alert for active attacks in real-time or near real-time.

Software and Data Integrity Failures

Use digital signatures or similar mechanisms to verify the software or data is from the expected source and has not been altered.

Ensure libraries and dependencies, such as npm or Maven, are consuming trusted repositories. If you have a higher risk profile, consider hosting an internal known-good repository that's vetted.

Ensure that a software supply chain security tool, such as OWASP Dependency Check or OWASP CycloneDX, is used to verify that components do not contain known vulnerabilities.

Ensure that there is a review process for code and configuration changes to minimize the chance that malicious code or configuration could be introduced into your software pipeline.

Ensure that your CI/CD pipeline has proper segregation, configuration, and access control to ensure the integrity of the code flowing through the build and deploy processes.

Ensure that unsigned or unencrypted serialized data is not sent to untrusted clients without some form of integrity check or digital signature to detect tampering or replay of the serialized data.
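The Logging and Monitoring items say failed logins must be logged and monitored with alerting thresholds; the minimum useful detector reads those events and raises an alert when the counts cluster. The block below is an added example for this page, not code from the cheat sheet. The log line format, the sample lines and the thresholds are constructed assumptions; it flags one source failing against many accounts (the credential-stuffing pattern from the authentication section) and many failures against one account (brute force) within a sliding window.

```python
"""Alert on clustered failed logins in application logs.

Added example (not from the cheat sheet). Log format, sample lines and
thresholds are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<iso-timestamp> <event> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_ok|login_failed) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else (never raise)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    try:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    except ValueError:
        return None
    return ev


def detect(lines, window=timedelta(minutes=5), per_ip_users=5, per_user_fails=10):
    """Sliding-window counts over login_failed events.
    Returns sorted alert strings; each (kind, key) appears once with its peak count."""
    fails_by_ip = defaultdict(list)     # ip -> [(ts, user), ...] inside the window
    fails_by_user = defaultdict(list)   # user -> [ts, ...] inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "login_failed":
            continue
        ts, ip, user = ev["ts"], ev["ip"], ev["user"]

        # one source, many distinct accounts
        fails_by_ip[ip] = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= window]
        fails_by_ip[ip].append((ts, user))
        distinct = {u for _, u in fails_by_ip[ip]}
        if len(distinct) >= per_ip_users:
            alerts[("credential_stuffing", ip)] = len(distinct)

        # one account, many failures (from any source)
        fails_by_user[user] = [t for t in fails_by_user[user] if ts - t <= window]
        fails_by_user[user].append(ts)
        if len(fails_by_user[user]) >= per_user_fails:
            alerts[("brute_force", user)] = len(fails_by_user[user])

    return sorted(f"{kind} {key} count={n}" for (kind, key), n in alerts.items())


# Constructed sample log: one IP spraying six accounts, then ten failures
# against one account from ten different addresses, plus a success and junk.
SAMPLE_LOG = (
    [f"2024-01-01T10:00:{i:02d} login_failed user=user{i} ip=203.0.113.9" for i in range(6)]
    + [f"2024-01-01T10:01:{i:02d} login_failed user=admin ip=198.51.100.{i}" for i in range(10)]
    + ["2024-01-01T10:02:00 login_ok user=alice ip=192.0.2.1", "garbage line"]
)
```

The two rules need different keys on purpose: a stuffing campaign keeps each per-account count low, so a per-user threshold alone never fires, while a distributed brute force keeps each per-IP count low. Feeding this from a central log store rather than the local file also answers the "logs are only stored locally" item.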

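The last Software and Data Integrity item asks that serialized data handed to an untrusted client carry an integrity check so tampering or replay is detected when it comes back. The block below is an added example for this page, not code from the cheat sheet. It uses an HMAC-SHA256 tag (the "similar mechanism" the first item allows when the same party signs and verifies) rather than an asymmetric signature; the token format, field names and key handling are constructed assumptions.

```python
"""Seal serialized data for an untrusted client; reject tampering and replay on return.

Added example (not from the cheat sheet). A nonce plus expiry, remembered
server-side until the expiry passes, turns a replayed token into a rejection.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed: in production the key comes from a secrets manager, never from source control.
SECRET_KEY = secrets.token_bytes(32)


def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def seal(payload: dict, key=SECRET_KEY, ttl=300, now=None) -> str:
    """Serialize payload + nonce + expiry, then tag the exact bytes with HMAC-SHA256."""
    now = time.time() if now is None else now
    body = dict(payload, nonce=secrets.token_hex(8), exp=int(now + ttl))
    raw = json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return _b64(raw) + "." + _b64(tag)


class Verifier:
    def __init__(self, key=SECRET_KEY, clock=time.time):
        self.key = key
        self.clock = clock
        self._seen = {}   # nonce -> exp; a used nonce is refused until it would expire anyway

    def open(self, token: str) -> dict:
        """Return the payload or raise ValueError. The tag is checked before any parsing."""
        try:
            raw_b64, tag_b64 = token.split(".")
            raw, tag = _unb64(raw_b64), _unb64(tag_b64)
        except Exception:
            raise ValueError("malformed token")
        expected = hmac.new(self.key, raw, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad signature")          # altered, or not produced by us
        body = json.loads(raw)                         # only now is the content trusted
        now = self.clock()
        self._seen = {n: e for n, e in self._seen.items() if e > now}   # prune old nonces
        if body["exp"] <= now:
            raise ValueError("expired")
        if body["nonce"] in self._seen:
            raise ValueError("replayed")
        self._seen[body["nonce"]] = body["exp"]
        return {k: v for k, v in body.items() if k not in ("nonce", "exp")}
```

Verifying before deserializing is the point that matters for the "serialized data" wording: a JSON or pickle parser is never exposed to bytes whose tag has not already been checked.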
Server-Side Request Forgery

SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
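Because the application itself is the one making the request, the network ACL the paragraph mentions does not help; the validation has to happen in the application before the fetch. The block below is an added example for this page, not code from the cheat sheet. The policy (https only, a hostname allowlist, no credentials or odd ports in the URL, and refusal of any name that resolves to a loopback, private, link-local or other non-global address) is an assumption for illustration; name resolution is injected so the check runs offline.

```python
"""Validate a user-supplied URL before the server fetches it.

Added example (not from the cheat sheet). `resolve(host)` is injected; in
production resolve once, validate every returned address, and then connect
to that resolved address rather than re-resolving, so the result cannot
change between the check and the fetch.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}   # constructed allowlist
ALLOWED_PORTS = {None, 443}


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses. is_global is False for
    loopback, private, link-local, reserved, unspecified and documentation ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str, resolve) -> str:
    """Return `url` if it is safe to fetch under the policy; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if host not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist")
    if parts.port not in ALLOWED_PORTS:
        raise ValueError("port not allowed")
    addrs = resolve(host)
    # Every address must be public: one internal record among several is enough to refuse.
    if not addrs or not all(is_public_address(a) for a in addrs):
        raise ValueError("host resolves to a non-public address")
    return url


# Constructed resolver standing in for DNS (addresses chosen for the demonstration only)
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "cdn.example": ["104.16.0.1", "127.0.0.1"],   # one record points back at the host
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])
```

An allowlist is the strong form of this check; where the product genuinely needs arbitrary destinations, keep the scheme, credential, port and resolved-address rules and drop only the hostname set.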
