-
what is owasp top ten
the 10 most critical web application security risks at time of release
-
threat agents
where are these attacks going to come from
-
attack vector
how easy is it to perform the attack
-
weakness prevalence
how common is the weakness
-
weakness detectability
how easy is it to detect the weakness
-
technical impact
how severe will the attack be on the infrastructure
-
business impact
what will the various costs to the business be if a successful attack takes place
-
3 primary defence approaches
- input validation - never trust the user
- attack surface reduction - don't provide functionality users don't need
- classification and prioritization of threats
-
2 types of input validation
- blacklist validation - define the input that should not come from a user, then block it
- whitelist validation - define the input that should come from a user, then allow only that
-
STRIDE
- spoofing
- tampering
- repudiation
- information disclosure
- denial of service
- elevation of privilege
-
FIRST
- Forum of Incident Response and Security Teams
- ranks vulnerabilities on a scale of 1 to 10, ten being the highest
-
similarities between XSS and CSRF
- both attack the victim's browser instead of the server
- both take advantage of vulnerabilities to circumvent the SOP (same-origin policy)
-
XSS
- A3
- Cross-site scripting
- allows attackers to execute scripts in the victim's browser
- occurs whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping
-
CSRF
- A8
- cross-site request forgery
- forces the user's browser to send a forged HTTP request to a vulnerable web app
- this includes cookies and automatic authentication information
-
skills
how technically skilled is this group of threat agents?
-
motive
how motivated is this group of threat agents
-
opportunity
what resources and opportunity are required for this group of threat agents?
-
awareness
how well known is this vulnerability to this group of threat agents?
-
intrusion detection
how likely is it that an exploit is detected