OWASP 2021 Archives - Prepaid Academy: Prepaid Program Management LLC

Scenarios-Prevention-Resources for Server-Side Request Forgery (SSRF)

Example Attack Scenarios Attackers can use SSRF to attack systems protected behind web application firewalls, firewalls, or network ACLs, using scenarios such as: Scenario #1: Port scan internal servers – …

[Continue Reading...]

Scenarios-Prevention-Resources for Security Logging and Monitoring Failures

Example Attack Scenarios Scenario #1: A children’s health plan provider’s website operator couldn’t detect a breach due to a lack of monitoring and logging. An external party informed the health …

[Continue Reading...]

Scenarios-Prevention-Resources for Software and Data Integrity Failures

Example Attack Scenarios Scenario #1 Update without signing: Many home routers, set-top boxes, device firmware, and others do not verify updates via signed firmware. Unsigned firmware is a growing target …

[Continue Reading...]

Scenarios-Prevention-Resources for Identification and Authentication Failures

Example Attack Scenarios Scenario #1: Credential stuffing, the use of lists of known passwords, is a common attack. Suppose an application does not implement automated threat or credential stuffing protection. …

[Continue Reading...]

Scenarios-Prevention-Resources for Vulnerable and Outdated Components

Example Attack Scenarios Scenario #1: Components typically run with the same privileges as the application itself, so flaws in any component can result in serious impact. Such flaws can be …

[Continue Reading...]

Scenarios-Prevention-Resources for Security Misconfiguration

Example Attack Scenarios Scenario #1: The application server comes with sample applications not removed from the production server. These sample applications have known security flaws attackers use to compromise the …

[Continue Reading...]

Scenarios-Prevention-Resources for Insecure Design

Example Attack Scenarios Scenario #1: A credential recovery workflow might include “questions and answers,” which is prohibited by NIST 800-63b, the OWASP ASVS, and the OWASP Top 10. Questions and …

[Continue Reading...]

Scenarios-Prevention-Resources for Injection

Example Attack Scenarios Scenario #1: An application uses untrusted data in the construction of the following vulnerable SQL call: String query = "SELECT \* FROM accounts WHERE custID='" + request.getParameter("id") …

[Continue Reading...]

Scenarios-Prevention-Resources for Cryptographic Failures

Example Attack Scenarios Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing a SQL …

[Continue Reading...]

Scenarios-Prevention-Resources for Broken Access Control

Example Attack Scenarios Scenario #1: The application uses unverified data in a SQL call that is accessing account information: pstmt.setString(1, request.getParameter("acct")); ResultSet results = pstmt.executeQuery( ); An attacker simply modifies …

[Continue Reading...]

Topic Category: OWASP 2021