If a network architecture is unsegmented, attackers can use connection results or elapsed time to connect or reject SSRF payload connections to map out internal networks and determine if ports are open or closed on internal servers

occur whenever a web application is fetching a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL)

The application cannot detect, escalate, or alert for active attacks in real-time or near real-time.

Penetration testing and scans by dynamic application security testing (DAST) tools (such as OWASP ZAP) do not trigger alerts.

Appropriate alerting thresholds and response escalation processes are not in place or effective.

Logs are only stored locally.

Logs of applications and APIs are not monitored for suspicious activity.

Warnings and errors generate no, inadequate, or unclear log messages.

Auditable events, such as logins, failed logins, and high-value transactions, are not logged.

known as Insufficient logging and monitoring is the bedrock of nearly every major incident. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected.

An insecure CI/CD pipeline can introduce the potential for unauthorized access, malicious code, or system compromise

where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs).

related to software updates, critical data, and CI/CD pipelines without verifying integrity.

Does not correctly invalidate Session IDs. User sessions or authentication tokens (mainly single sign-on (SSO) tokens) aren't properly invalidated during logout or a period of inactivity.

Reuse session identifier after successful login.

Exposes session identifier in the URL.

Has missing or ineffective multi-factor authentication.

Uses plain text, encrypted, or weakly hashed passwords data stores (see A02:2021-Cryptographic Failures).

Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers," which cannot be made safe.

Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".

Permits brute force or other automated attacks.

Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.

known as Broken Authentication includes Common Weakness Enumerations (CWEs) related to identification failures.

If you do not secure the components’ configurations (see A05:2021-Security Misconfiguration).

If software developers do not test the compatibility of updated, upgraded, or patched libraries.

If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments when patching is a monthly or quarterly task under change control, leaving organizations open to days or months of unnecessary exposure to fixed vulnerabilities.

If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components you use.

If the software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries.

If you do not know the versions of all components you use (both client-side and server-side). This includes components you directly use as well as nested dependencies.

relates to components that pose both known and potential security risks ()

The software is out of date or vulnerable.

The server does not send security headers or directives, or they are not set to secure values.

The security settings in the application servers, application frameworks (e.g., Struts, Spring, ASP.NET), libraries, databases, etc., are not set to secure values.

For upgraded systems, the latest security features are disabled or not configured securely.

Error handling reveals stack traces or other overly informative error messages to users.

Default accounts and their passwords are still enabled and unchanged.

Unnecessary features are enabled or installed (e.g., unnecessary ports, services, pages, accounts, or privileges).

Missing appropriate security hardening across any part of the application stack or improperly configured permissions on cloud services.

exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc to gain unauthorized access or knowledge of the system (2017)

CWE-522: Insufficiently Protected Credentials.

risks related to design and architectural flaws

Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.

Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.

Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.

User-supplied data is not validated, filtered, or sanitized by the application.

occurs when invalid data is sent by an attacker into a application in order to make the application do something it was not designed to do (2017)

Are cryptographic error messages or side channel information exploitable, for vulnerabilities in the form of padding oracle attacks?

Are deprecated cryptographic padding methods such as PKCS number 1 v1.5 in use?

Are deprecated hash functions such as MD5 or SHA1 in use, or are non-cryptographic hash functions used when cryptographic hash functions are needed?

Is randomness used for cryptographic purposes that was not designed to meet cryptographic requirements? Even if the correct function is chosen, does it need to be seeded by the developer, and if not, has the developer over-written the strong seeding functionality built into it with a seed that lacks sufficient entropy/unpredictability?

Are passwords being used as cryptographic keys in absence of a password base key derivation function?

Are initialization vectors ignored, reused, or not generated sufficiently secure for the cryptographic mode of operation? Is an insecure mode of operation such as ECB in use? Is encryption used when authenticated encryption is more appropriate?

Is the received server certificate and the trust chain properly validated?

Is encryption not enforced, e.g., are any HTTP headers (browser) security directives or headers missing?

Are default crypto keys in use, weak crypto keys generated or re-used, or is proper key management or rotation missing? Are crypto keys checked into source code repositories?

Are any old or weak cryptographic algorithms or protocols used either by default or in older code?

Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP, FTP also using TLS upgrades like STARTTLS. External internet traffic is hazardous. Verify all internal traffic, e.g., between load balancers, web servers, or back-end systems.

known previously as Sensitive Data Exposure occur when important stored or transmitted data is compromised (2017)

Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user.

CORS misconfiguration allows API access from unauthorized/untrusted origins.

Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges or abusing JWT invalidation.

Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user.

Accessing API with missing access controls for POST, PUT and DELETE.

Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object references)

Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application state, or the HTML page, or by using an attack tool modifying API requests.

Violation of the principle of least privilege or deny by default, where access should only be granted for particular capabilities, roles, or users, but is available to anyone.

a weakness that allows an attacker to gain access to user accounts (2017)

vulnerabilities

summary

vulnerabilities

summary

vulnerabilities

summary

vulnerabilities

summary

vulnerabilities

summary

vulnerabilities

summary

vulnerabilities

summary

vulnerabilities

summary

vulnerabilities

summary

vulnerabilities

summary

"designed to support cybersecurity by providing a framework for threat modeling, penetration testing, defense development and similar cybersecurity exercises"

"focused on network defense and describes the operational phases in an adversary’s lifecycle, pre and post-exploit and details the specific tactics, techniques, and procedures (TTPs) that advanced persistent threats (APT) use to execute their objectives while targeting, compromising, and operating inside a network."

CWE Views

"focused on application security and describes the common attributes and techniques employed by adversaries to exploit known weaknesses in cyber-enabled capabilities"

about

CAPEC Views

about

2021 -Top 10

automated tools

Open Web Application Security Project(OWASP)