CompTIA Pentest+ Certification For Dummies - Glen E. Clarke - Page 41
OWASP Top 10 (2017)
Following is a summary of the 2017 version of the OWASP Top 10 Web Application Security Risks that you should be familiar with for the PenTest+ exam:
A1:2017-Injection: The number one flaw found in web applications is the injection flaw. Injection flaws occur when data is input into an application but the input is not sanitized or validated by the developer of the application.
A2:2017-Broken Authentication: The second most common flaw in web applications is a flaw in authentication or session management. This may allow attackers to access passwords, keys, or session tokens.
A3:2017-Sensitive Data Exposure: The third most common flaw in web applications is sensitive data exposure, which involves web applications or APIs not protecting sensitive data within the application. This could be financial data, healthcare data, or Personally Identifiable Information (PII). The exposure could be due to a lack of encryption at rest and in transit, or other missing access control methods.
A4:2017-XML External Entities (XXE): Poorly configured XML processors can use external entities to disclose internal files or internal file shares, and possibly perform remote code execution or denial of service (DoS) attacks.
A5:2017-Broken Access Control: Many web applications do not enforce restrictions on what an authenticated user can do within the application. An attacker who exploits this flaw can gain access to sensitive information or perform undesired actions.
A6:2017-Security Misconfiguration: Applications should have their default settings altered and their security configuration settings reviewed, as security misconfiguration is a common flaw in web applications.
A7:2017-Cross-Site Scripting (XSS): XSS flaws occur when an application processes and displays untrusted data in a web application without validating the information. XSS flaws enable attackers to execute malicious code in a victim’s browser and possibly hijack the session.
A8:2017-Insecure Deserialization: Insecure deserialization flaws may result in an attacker being able to perform remote code execution, replay attacks, injection attacks, and privilege escalation attacks.
A9:2017-Using Components with Known Vulnerabilities: Components are libraries of code that an application may use. Your application may be following secure coding best practices, but once you call a third-party library, that component may have been developed in an insecure manner that exposes your application to security flaws.
A10:2017-Insufficient Logging and Monitoring: Lack of logging and monitoring means that an application or system does not have the capabilities to detect and log breaches in security. Adequate logging and monitoring should be configured within an application or system to help determine the extent of a security breach during incident response.
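The A1 injection flaw above, shown as an added example that is not from the book: a login check that concatenates user input into SQL next to its hardened, parameterized form. It assumes an in-memory SQLite table with two constructed sample rows.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real credentials).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def _fresh_db():
    """Build a throwaway in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(username, password):
    """A1:2017-Injection: unsanitized input is concatenated straight into
    the SQL text, so the database parses the input as part of the query."""
    conn = _fresh_db()
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(query).fetchall()]


def login_safe(username, password):
    """Hardened form: a parameterized query. The driver binds the values
    separately from the SQL text, so input can never change the query."""
    conn = _fresh_db()
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [row[0] for row in rows]
```

With a normal password both functions return the matching user; with a quote-breaking password the vulnerable version returns every row while the parameterized version returns none, which is the behaviour a code review or a dynamic test should look for.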
For the PenTest+ exam, know the different categories of vulnerabilities listed in the 2017 Top 10 Web Application Security Risks document.