OWASP 10 Web Security Risks - Class PPT New

Uploaded by RANGOS

Basic questions based on different types of web application attacks like:

•Cross-Site Scripting (XSS),
•Cross-Site Request Forgery (CSRF),
•Injection Attacks,
•DDoS (Distributed Denial-of-Service),
•Brute Force Attack etc.

•Digital Signatures use case and importance
•Public-Private Key Encryption: Symmetric and Asymmetric Keys
•OWASP 10 Web-Security Risks


Open Worldwide Application Security Project (OWASP)

The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security. It operates under an “open community” model, which means that anyone can participate in and contribute to OWASP-related online chats, projects, and more. For everything from online tools and videos to forums and events, the OWASP ensures that its offerings remain free and easily accessible through its website.

OWASP 10 Web-Security Risks
1. Broken Access Control
What is access control?
Access control, as the name implies, is there to grant or restrict the rights of certain users on the application. If access control is implemented the right way, a regular user should not be able to request and view documents that are only visible to administrators. If an attacker finds a way to do this, they have successfully bypassed the access control. However, access control is not limited to users; it also applies to processes and devices.
The 3 main types of access control
•Administrative access control
In this instance we are talking about the access controls put in place to enforce the overall security policy. The main focus lies on two topics: the personnel and the business practices. A few examples would be policies, hiring procedures or background checks.

•Technical access control
Technical, also called logical, access controls are the hardware- and software-based access controls used to create an extra layer of protection for access control systems or resources against unauthorized use. Typical implementations include passwords, YubiKeys, smart cards, protocols or firewalls. These help tremendously in increasing API security.

•Physical access control
Those are the types of access controls that focus on the non-technical side of things, for instance video cameras, security guards or locks that restrict access to certain environments.
1. Broken Access Control
Broken access control is a lack of adequate authentication checks for users attempting to access restricted
resources. This vulnerability can occur when an application or system fails to implement proper access restrictions,
such as passwords, user roles, or permissions.
Examples include the absence of authorization restrictions, evading access control measures, incorrectly configuring
access control policies, and granting people access to system files or databases without the appropriate
authorizations.
Broken access control can have serious repercussions, including data breaches, identity theft, fraud, and
compliance issues.

Mitigation Methods for Broken Access Controls

There are several solutions to fix the broken access control vulnerability:
•RBAC (Role-Based Access Control) is one of the most significant methods for managing access and permissions in your system. It allows you to assign roles to users and controls the features and data to which every role has access.
•Accounts that are unused or inactive should be deleted.
•Use trustworthy and secure authentication methods. Use various authentication methods, including biometric authentication, OTP (one-time password), and multi-factor authentication.
•To ensure security, you must encrypt data when storing it (at rest) and transmitting it (in transit).
•Disable any additional access points that are not needed right now, if there are any.
•Monitoring and auditing access logs regularly can help you identify any unusual behavior and swiftly address any issues that arise.
•You can deal with evolving hazards and vulnerabilities by continuously updating access procedures and regulations.
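The slides describe access control and RBAC in prose; the following is an added example (not from the slides) of what the check looks like in code. It assumes a hypothetical document store: the first handler trusts any logged-in user's document id (the classic "change the id in the URL" bypass), the second denies by default and grants only on an ownership or role match.

```python
"""Added example: object-level authorization with a minimal RBAC table.
Data, roles and permission names are constructed for the demo."""
from dataclasses import dataclass

# Constructed sample data: documents with an owner and an admin-only flag.
DOCUMENTS = {
    1: {"owner": "alice", "admin_only": False, "body": "alice's notes"},
    2: {"owner": "bob", "admin_only": False, "body": "bob's invoice"},
    3: {"owner": "root", "admin_only": True, "body": "audit report"},
}

# Minimal RBAC: each role maps to the set of permissions it grants.
ROLE_PERMISSIONS = {
    "user": {"doc:read_own"},
    "admin": {"doc:read_own", "doc:read_any"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_document_insecure(user: User, doc_id: int) -> str:
    # Broken access control: being authenticated is the only check, so any
    # user can read any document simply by supplying a different doc_id.
    return DOCUMENTS[doc_id]["body"]


def has_permission(user: User, perm: str) -> bool:
    return perm in ROLE_PERMISSIONS.get(user.role, set())


def get_document(user: User, doc_id: int) -> str:
    """Deny by default; grant only on an explicit ownership or role match."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        # Same error for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden("not found or not permitted")
    if doc["owner"] == user.name and has_permission(user, "doc:read_own"):
        return doc["body"]
    if has_permission(user, "doc:read_any"):
        return doc["body"]
    raise Forbidden("not found or not permitted")


def can_read(user: User, doc_id: int) -> bool:
    """Boolean wrapper so the decision is easy to log and to test."""
    try:
        get_document(user, doc_id)
        return True
    except Forbidden:
        return False
```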
2. Cryptographic Failures

It is a critical web application security vulnerability. Data containing sensitive information require additional security, whether at rest or in transit. Companies governed by regulations like CCPA, PCI-DSS, HIPAA, GDPR, etc., must consider this extremely crucial.
Use of outdated padding techniques, insufficient randomization for cryptographic processes, vulnerable side-channel data or cryptographic warnings, storing information in plaintext, failure to use effective and recent encryption algorithms, erroneous key management, etc., are a few examples of cryptographic failures.

Mitigation Methods for Cryptographic Failures


•Remove caching for responses containing sensitive information
•Use current and verified cryptographic protocols, activities, and algorithms.
•Typically, using digital signatures verifies the sender’s identity and assures data accuracy. Commonly employed
digital signature methods include HMAC, DSA, and RSA Signatures.
•Minimize/reduce the data surface area’s size.
•To ensure security, you must encrypt data both when storing it (at rest) and when transmitting it (in transit).
•When saving passwords, use strong adaptive and salted hashing functions.
•Regular vulnerability assessments and cryptographic system audits might help discover vulnerabilities and
ensure prompt remediation.
What is Injection?
Often developers rely on certain techniques to make their web applications less static. This can include things like CRUD actions in the database, login actions via LDAP, or OS commands. These are just a few examples of how a developer can make a web application less static, and they all share the same potential for vulnerabilities, which arise when user input is processed without sanitising it. This is when users with malicious intent can insert their own malicious input into these processes, which can lead to extremely bad consequences such as SQL injection or even OS command injection leading to remote code execution. An attacker can potentially exploit injection vulnerabilities by injecting unauthorized data into the interpreter via SQL, NoSQL, OS, or LDAP. This attack vector allows malicious data to deceive the interpreter and force the application to perform unintended actions, such as executing unexpected commands or gaining unauthorized access to data.
Injection attacks can impact any application that takes parameters as input. The extent of the application’s input validation controls closely correlates with the possible threat level. Unauthorized access to data, damage to integrity and confidentiality, and compromised system functionality can result from this kind of activity.
Mitigation Methods for Injection
•SQL injections, XSS, and other types of injections are some instances.
•Before running any user input against a database or other backend components, make sure to validate and sanitize it.
•To further regulate and restrict the capacity of attackers to exploit SQL injection vulnerabilities, organizations might limit the code accessible to a database.
•Database administrators should enforce prepared statements and parameterization, employ stored procedures, whitelist user inputs, and minimize functionality. Remove the interpreter completely by using a secure API.
•Apply efficient server-side validation and an intrusion detection method that identifies unreliable client-side behaviors.
Types of Injection
SQL Injection - SQLi is a vulnerability type that arises when developers build SQL queries that fetch data directly from the user's input. If the developer does not properly sanitise this input, they run the risk of the user injecting code that terminates the SQL query, after which the user can inject their own.
LDAP Injection - LDAP is a system often used in web applications to authenticate users, but it comes with some deep pitfalls that we need to bridge, or we could be allowing malicious actors to intercept our LDAP queries and modify them to inject their own LDAP statements. This problem is made worse by the fact that there is no single great implementation of LDAP interfaces with easy and safe-to-use parameters.
XML Injection - At times we may need to generate XML input as a developer. This XML can come in many different forms and does not have to be limited to pure XML files in an upload functionality. We can see this issue manifest in several different ways, ranging from SOAP calls that contain user-supplied input to XML files that use the user-supplied input to generate the file. The attacker will attempt to input values that disrupt the structure of the generated XML file and insert their own values.

OS Command Injection - OS commands can sometimes be executed directly from the code that is running. While this is a useful feature, it has its downsides, especially if user-supplied input is used to build the command. This may lead to bad actors ending the command string and inserting their own. The impact of this is usually quite severe, as it will lead to remote code execution.
4. Insecure Design
When a design or architectural defect leads to a vulnerability that a malicious attacker may use, it is referred to as insecure design in online applications. This scenario is commonly called a missing or inadequate/poor control design.
This vulnerability category, comprising almost 262,000 occurrences, focuses on the dangers connected to weaknesses in an application’s architecture. An ideal implementation will not be able to rectify an insecure design. Why? To reduce the risks, they need security controls. Insecure configuration can adversely impact individuals or organizations by causing losses in money and reputation. Systems and applications with insecure configurations are especially vulnerable to security threats, including unauthorized access, denial of service, and data breaches.

Mitigation Methods for Insecure Design

•Distinguish between system and network layer tiers based on the requirement for visibility and protection.
•Reduce resource use by users and services.
•Develop and employ a secure development lifecycle with AppSec experts to assist in analyzing and creating security- and privacy-related measures.
•Create a library of readily available secure design patterns or modules.
•For significant transactions, access control, business logic, and authentication, use threat modeling.
•Updating security patches for software can assist in preventing these vulnerabilities.
To protect your data against growing security risks, keeping up to date with the latest security mitigation methods and trends is of utmost importance, since researchers constantly discover new vulnerabilities.
6. Vulnerable and Outdated Components
Software frameworks or components that contain vulnerabilities or are no longer supported by their providers are referred to as “vulnerable and out-of-date components” and are consequently open to attack.
Many contemporary distributed web applications use open-source libraries and frameworks as part of their design. Any part that has a known vulnerability becomes a weak point that can compromise the security of the entire application.
While the use of open-source components with known vulnerabilities is ranked low in terms of the complexity of security issues, it occupies the top position in the OWASP Top 10 list when it comes to the frequency of vulnerabilities leading to authenticated information breaches. This category has recorded over 30,000 incidents in recent years.
Mitigation Methods for Vulnerable and Outdated Components
•Updating all software components, including third-party libraries, to the most recent security fixes and patches is recommended.
You should check for security updates frequently and install them as soon as they become available.
•To ensure that all requirements are monitored and kept up-to-date, utilize a trusted dependency management solution. This may
assist in promptly identifying insecure and out-of-date components and replacing them with more secure ones.
•Address configuration management for all components incorporated into the organization’s frameworks.
•A robust vulnerability database that has been updated with threat intelligence data should be used for scanning.
•Automate patch management procedures as much as possible to minimize operational risks associated with patching. This
includes automating selecting, testing, and delivering appropriate patches.
5. Security Misconfiguration
Any security control that is improperly configured, insecure, or inadequately written is a security misconfiguration. Examples of this include insecure applications, incorrect technical communications, and incorrect modifications in software configuration. This category, which comprises twenty-eight thousand CWE occurrences, is an immediate consequence of the recent transition to highly customizable software. However, the more flexibility you have to configure your software, the simpler it is to make errors.
According to OWASP’s top 10 2022 statistics, misconfigurations are considered one of the primary triggers for the listed vulnerabilities. This vulnerability is particularly widespread and frequent within the OWASP top 10 vulnerabilities. Several misconfigurations put organizations in grave danger for cybersecurity, including leaving insecure default settings in place, overly permissive cloud storage services, incomplete or outdated configurations, etc.

Mitigation Methods for Security Misconfiguration

•Use a security hardening process to protect your systems. Create and automate a method for deploying a secure, distinct environment with the identical configuration as the original but with different login credentials.
•Using a minimal platform is sometimes preferable. Leave out any unwanted alarms, services, and functionalities.
•Include an activity requiring you to re-evaluate and regularly adjust the configurations for patches, updates, and cloud storage privileges in your patch management process.
7. Identification and Authentication Failures
Cybercriminals may be able to steal and misuse login credentials, private keys, or session credentials and temporarily or permanently assume other individuals’ identities and privileges if apps handle session management or user authentication incorrectly. The vulnerability seriously compromises the security of the application and the resources it accesses, and it additionally poses a serious risk to other network-connected resources and devices in the network.
Inadequate password management, automated or brute force attacks, improper access control, and user interactions can lead to potential authentication and identification failure risks. These risks may include reused or publicly accessible sessions after logging in.
Mitigation Methods for Identification and Authentication Failures
•Practice multi-factor authentication.
•Never use the default credentials when installing, especially for administrators.
•Install a secure session manager that produces session IDs with a time restriction.
•Keep track of unsuccessful login attempts and place restrictions and time limitations on them.
•Harden the procedures involved in credential recovery, registration, and other aspects of authentication.
•Implement reliable and secure password managers.
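The session-manager and failed-login bullets above, as an added example that is not part of the slides: a session store that issues random, time-limited session IDs, and a login guard that locks an account after too many failures. The clock is injectable so the expiry behaviour can be exercised; TTL and thresholds are assumed values.

```python
"""Added example: time-limited random session IDs plus failed-login lockout."""
import secrets
import time
from typing import Optional

SESSION_TTL_SECONDS = 15 * 60   # assumption: idle sessions die after 15 minutes
MAX_FAILED_LOGINS = 5           # assumption: fifth failure locks the account
LOCKOUT_SECONDS = 10 * 60


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}     # session_id -> (username, expires_at)

    def create(self, username: str) -> str:
        # 32 bytes from the OS CSPRNG; never derived from user data or time,
        # so an attacker cannot predict or enumerate another user's ID.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (username, self._now() + SESSION_TTL_SECONDS)
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[sid]       # expired: treat as logged out
            return None
        return username

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)     # explicit logout invalidates server-side


class LoginGuard:
    def __init__(self, now=time.time):
        self._now = now
        self._failures = {}     # username -> (failure_count, locked_until)

    def is_locked(self, username: str) -> bool:
        _, locked_until = self._failures.get(username, (0, 0.0))
        return self._now() < locked_until

    def record_failure(self, username: str) -> None:
        count, locked_until = self._failures.get(username, (0, 0.0))
        count += 1
        if count >= MAX_FAILED_LOGINS:
            locked_until = self._now() + LOCKOUT_SECONDS
            count = 0                     # counter restarts after the lockout
        self._failures[username] = (count, locked_until)

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
```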
8. Software and Data Integrity Failures
Software and data integrity problems occur when infrastructure and code are not protected against data security breaches. Examples include apps that use plugins, libraries, or modules from untrusted sources, repositories, or content delivery networks (CDNs). The potential risks of an unprotected pipeline can involve unauthorized access, malicious code, and system compromise.
A lot of applications nowadays include automatic update features that allow updates to be downloaded without integrity checks and applied to previously trusted apps. With this functionality, hackers could have the opportunity to launch and distribute their own updates throughout all systems.

Mitigation of Software and Data Integrity Failures


•Use a digital signature or any other similar technology to verify the authenticity of applications, information,
and programs as well as their source.
•Verify the CI/CD pipeline’s integrity by implementing strict restrictions on access, appropriate configuration,
and necessary data segregation.
•Regular software and system updates will ensure that software and hardware are updated with the most
recent security patches and fixes for issues. This may minimize the possibility of confidentiality issues carried
on outdated applications.
•Data validation techniques will help in ensuring the data uploaded to the system is true and correct. This might
involve verifying inputs, comparing data with predetermined company regulations, cleaning up data, and
upholding standards for data quality.
•Examine the source code and configurations constantly for modifications.
•Verify that libraries and dependencies, such as Maven or npm, use trustworthy repositories. If your risk profile is greater, consider hosting an internal, authorized known-good source.
1. A hacker identifies the agency's insecure CI/CD pipeline and installs malicious code that gets into production.
2. Customers unknowingly download malicious code from the agency's replacement servers.
3. The malicious replacement connects to the customer's environment and the hacker uses it to gain access to the customer's network.
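The auto-update scenario above, as an added example that is not part of the slides: an updater that refuses a bundle unless a manifest of per-file SHA-256 digests verifies first. The manifest is authenticated with HMAC here only because the Python standard library has no asymmetric signatures; a real updater should use a public-key signature so the verifying side holds no secret. The key, file names and contents are constructed for the demo.

```python
"""Added example: verify an update bundle before applying it."""
import hashlib
import hmac
import json

# Assumption: the key was provisioned to the updater out of band. With a
# real digital signature this would be a public key instead of a shared secret.
MANIFEST_KEY = b"constructed-demo-key-do-not-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(digests: dict) -> bytes:
    # Canonical JSON so publisher and updater MAC exactly the same bytes.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(files: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Publisher side: digest each file, then authenticate the digest list."""
    digests = {name: sha256_hex(content) for name, content in files.items()}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "tag": tag}


def verify_bundle(manifest: dict, files: dict, key: bytes = MANIFEST_KEY) -> bool:
    """Updater side: check the manifest tag first, then every file against
    its digest. A missing, extra, or altered file fails the whole bundle."""
    expected = hmac.new(key, _canonical(manifest["files"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False                      # manifest forged or modified
    if set(files) != set(manifest["files"]):
        return False                      # file added or removed
    for name, content in files.items():
        if not hmac.compare_digest(sha256_hex(content), manifest["files"][name]):
            return False                  # file content altered in transit
    return True


# Constructed sample bundle: what the publisher actually released.
GOOD_FILES = {"app.bin": b"v2 binary", "config.json": b'{"debug": false}'}
```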
9. Insufficient Logging and Monitoring
The application’s weaknesses in identifying and reacting to security issues are the primary concern of this OWASP Top 10 vulnerability for 2021. Attackers have an adequate chance to carry out their strategies given that the standard time frame from attack to attack identification is 197 days. During this timeframe, cybercriminals have plenty of time to cause damage to servers, modify databases, steal private information, and insert harmful code.

Mitigation of Insufficient Logging and Monitoring


•Employ readily accessible logging and auditing tools to identify unusual activity quickly.
•Make sure that the records are contextual and accessible in forms that allow forensic research and analysis.
•Implement security measures that prevent the manipulation of log data.
•Develop an approach for incident handling and recovery.
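The "identify unusual activity quickly" bullet above, as an added example that is not part of the slides: a small detector that parses constructed authentication log lines and raises an alert when one source IP accumulates too many failed logins inside a sliding window. The log format, threshold and window are assumptions.

```python
"""Added example: failed-login burst detection over sample log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: "<ISO timestamp> LOGIN_OK|LOGIN_FAIL user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

THRESHOLD = 5          # failures from one IP ...
WINDOW_SECONDS = 60    # ... within this many seconds raises an alert

# Constructed sample log: one IP fails five times in 19 seconds, another once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 LOGIN_FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:03 LOGIN_FAIL user=bob ip=203.0.113.7
2024-05-01T10:00:05 LOGIN_OK user=carol ip=198.51.100.2
2024-05-01T10:00:09 LOGIN_FAIL user=dave ip=203.0.113.7
2024-05-01T10:00:12 LOGIN_FAIL user=erin ip=203.0.113.7
2024-05-01T10:00:20 LOGIN_FAIL user=frank ip=203.0.113.7
2024-05-01T10:05:00 LOGIN_FAIL user=alice ip=198.51.100.2
"""


def parse_line(line: str):
    """Return (timestamp, result, user, ip) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None        # a real pipeline should count these, not just skip them
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_bursts(log_text: str) -> list:
    """Return (ip, timestamp) alerts when an IP reaches THRESHOLD failures
    within WINDOW_SECONDS. The window resets after each alert so one burst
    produces one alert rather than one per additional failure."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] != "LOGIN_FAIL":
            continue
        ts, _, _, ip = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                # drop failures older than the window
        if len(q) >= THRESHOLD:
            alerts.append((ip, ts.isoformat()))
            q.clear()
    return alerts
```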
10. Server-Side Request Forgery (SSRF)
Another recent addition. A web security issue known as server-side request forgery (also known as SSRF) enables an attacker to convince a server-side application to submit HTTP requests to any domain of their choosing. OWASP compiled this issue from the Top 10 community survey responses. Server-side request forgery is the final one of the top 10 OWASP vulnerabilities for 2021, with considerably more than 9,000 instances.
Due to this vulnerability, users can obtain information from remote resources through client-provided, unreliable URLs. If unvalidated user inputs are received, even servers protected by firewalls or virtual private networks are vulnerable to these risks.

Mitigation of Server-Side Request Forgery

•Mandate proper verification and sanitization of input from users.
•Functionalities for remote resource access, if any, must be differentiated in their impact.
•Using deny-by-default firewall rules, block outbound traffic that is not legitimate.
•Do not return raw responses to clients.
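The "verification and sanitization of input" bullet above, as an added example that is not part of the slides: validating a client-supplied URL before the server fetches it. It allows only http(s), only hosts on an allowlist, rejects embedded credentials, and refuses any host that resolves to a private, loopback, link-local or otherwise non-public address. The allowlist and the resolver hook are assumptions.

```python
"""Added example: deny-by-default validation of an outbound URL."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}   # constructed allowlist
ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip: str) -> bool:
    """True only for routable public addresses; everything else is off-limits."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def default_resolver(host: str) -> list:
    """Resolve every A/AAAA record; one internal answer is enough to refuse."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_outbound_url(url: str, resolver=default_resolver) -> tuple:
    """Return (ok, reason). Every check denies unless it positively passes."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"        # file://, gopher://, etc.
    host = parts.hostname                         # already lower-cased
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"        # user@host confusion tricks
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "resolution failed"
    for ip in addresses:
        if not is_public_ip(ip):
            # An allowlisted name pointing inside is still refused (covers
            # misconfigured DNS; the fetch should also pin this address so
            # a later re-resolution cannot swap it for an internal one).
            return False, "resolves to non-public address " + ip
    return True, "ok"
```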
Which of the following OWASP guidelines is primarily concerned with protecting sensitive data during storage and
transmission?
A) Broken Authentication
B) Sensitive Data Exposure
C) Security Misconfiguration
D) Broken Access Control
E) Cross-Site Scripting (XSS)
Correct Answer: B) Sensitive Data Exposure
Explanation: Sensitive Data Exposure is one of the OWASP Top 10 security risks and is specifically focused on the improper
handling of sensitive information such as passwords, credit card details, personal identification data, or health records. This OWASP
guideline emphasizes the importance of encrypting sensitive data both at rest (while being stored) and in transit (when being
transferred across networks) to prevent unauthorized access or disclosure. OWASP recommends using strong encryption algorithms
like AES and RSA, enforcing HTTPS connections, and ensuring proper key management techniques to safeguard sensitive information.
Sensitive data exposure can occur due to weak encryption, no encryption, or poorly implemented cryptographic mechanisms.
Attackers can exploit such vulnerabilities to steal data, leading to severe consequences such as identity theft, financial losses, or
reputational damage to organizations. Therefore, Sensitive Data Exposure is the most relevant OWASP guideline for securing data
during both storage and transmission.
•A) Broken Authentication: This option focuses on vulnerabilities in authentication mechanisms that could allow attackers to bypass
authentication controls and gain unauthorized access to accounts. While it is critical, this is unrelated to data protection during
transmission or storage, making it incorrect.
•C) Security Misconfiguration: This occurs when applications or servers are misconfigured, leaving them vulnerable to attacks.
Security misconfigurations could lead to various security issues but do not specifically address protecting sensitive data during
storage or transmission.
•D) Broken Access Control: This refers to weaknesses in access control policies that could allow unauthorized users to access
resources they should not have. This option focuses on controlling access to resources rather than securing the data during
transmission and storage.
•E) Cross-Site Scripting (XSS): This type of attack occurs when attackers inject malicious scripts into a trusted website or application. Although
dangerous, XSS vulnerabilities focus on client-side attacks rather than data protection or encryption of sensitive information.
According to the OWASP Top 10, what is the most effective defense against Cross-Site Request Forgery (CSRF)
attacks?
A) Input validation
B) Using CAPTCHA for user verification
C) Enforcing SameSite cookie attribute
D) Output encoding
E) Password hashing
Correct Answer: C) Enforcing SameSite cookie attribute
Explanation: The SameSite cookie attribute is one of the most effective defenses against Cross-Site Request Forgery (CSRF)
attacks, as per OWASP guidelines. A CSRF attack tricks an authenticated user’s browser into making unauthorized requests to a
web application, typically without the user's knowledge, exploiting the user's active session. The SameSite attribute restricts how
cookies are sent with cross-site requests, which helps mitigate the risk of a CSRF attack by ensuring that cookies (which maintain
session information) are not sent along with cross-origin requests, thus preventing unauthorized actions.
When a SameSite attribute is set to Strict or Lax, it limits the cookies from being sent in cross-site requests, thus greatly reducing the
chances of CSRF. This method is highly effective, simple to implement, and has been widely adopted by modern browsers. OWASP
recommends this technique in conjunction with anti-CSRF tokens, which further safeguard against this type of attack.
A) Input validation: While input validation is a crucial defense against many attacks, such as SQL Injection or Cross-Site Scripting
(XSS), it is not a primary defense against CSRF. CSRF attacks target authorized actions in the user's browser, not input from an
attacker, so this method is ineffective in preventing CSRF.
B) Using CAPTCHA for user verification: CAPTCHA can add a layer of protection against automated CSRF attacks, but it is not
the most effective or direct solution for CSRF prevention. CAPTCHAs can only slow down automated attacks and are not a robust
defense mechanism for this specific threat.
D) Output encoding: This is mainly used to prevent XSS attacks by encoding user-generated content before rendering it in the
browser. While essential for XSS prevention, output encoding does not defend against CSRF, which occurs at the level of requests
between different websites.
E) Password hashing: Password hashing is used to secure passwords, particularly in storage, by making them unreadable to
attackers. However, it is irrelevant to CSRF attacks, as these attacks do not target password storage but rather exploit authenticated
Happy Learning!!!
You can ask your doubts, if any, through email to
[email protected].
