"Incorrect Password" error messages are a classic example of this type of vulnerability. If a hacker tries a random combination of Username-Password and an error message tells them that the password is incorrect, he knows that at least the username is correct. A brute force attacker now knows that an account exists and he only needs the right password. There are dozens of automated tools from the dark web that can try millions of password combinations for a hacker. Improper sessions management is also a severe risk. Think of an online bank account that keeps you logged in even after closing the browser.
Such vulnerabilities allow attackers to earn complete account access. In severe cases, hackers have stolen database records and sold them on the underground black market.
An attacker can inject malicious scripts into trusted websites and use this code to hijack browser sessions from users to initiate a man-in-the-middle attack.
The attacker can send anything to your server now while simultaneously redirecting users to dark parts of the web without them knowing about it. Such attacks can trouble your customers and business equally.
Hackers can deface your website, inject malware, phishing links and hijack user accounts.
In the latest version of OWASP Top 10, A4 represents two vulnerabilities from the previous list (2003 A4 & A7) combined into one.
Now if you change the digits '2340' to another set of digits allows you to view the account of another user, it's a huge opportunity for hackers.
The threat also arises when non-privileged users have access to admin privileges. After all, a junior-level developer should not be able to gain admin access to the server. Unfortunately, most companies do not bother ensuring that only authorized accounts access privileged information.
Such vulnerabilities lead to loss of data, ghost account creation and admin account hijacking.
Old sample apps, expired yet active features, default system passwords... hackers love all the additional information they can get. This vulnerability is about all of these loopholes.
Attackers look for small issues, combine them, and try to make something big out of them. They use default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system.
A5 can lead to complete loss of data through alteration, deletion and theft. Recovery is costly and highly unreliable, especially if the data gets encrypted.
If somehow your application is breached, how easy is it for hackers to find the data that they want? Consider database files, backups, financial transaction details, employment history and every piece of internal and external information. Don't store sensitive data unnecessarily and Discard it as soon as possible. If you have something, keep it encrypted.
Consider everything that comes with the loss of sensitive data. Loss of passwords, credit card information, addresses and bank statements bring serious repercussions in real-world scenarios.
This newest addition to this year's OWASP 10 asks a powerful question; Does your application detect and respond to both manual and automated attacks? Can it patch itself to ward off attackers in real-time? Your applications and APIs might be sanitizing inputs or rejecting wrong passwords, but can they reject automated inputs? If there is a critical vulnerability discovered, how soon can you patch it?
Attackers can use automated tools to send botnet and find out types of vulnerabilities in an application. Successful attempts lead to Injection and XSS exploits.
A compromised browser session is hijacked by a hacker to run rogue commands in a web application using CSRF. With a little help from phishing techniques (email or chat links), hackers trick users into changing email addresses, wiring money, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Rogue requests, fraudulent purchases, and money transfers - you will never be sure if it's a genuine request and customers will gradually lose trust in your website and brand.
Unknown chunks of code breed mysterious vulnerabilities. Developers use open source projects and often they don't even know what code library it came from where and with what vulnerability. Such components can weaken any application.
Unknown application codes bring unknown risks. XSS, injection risks, and business logic loopholes are just some of the examples. Such vulnerabilities might cause data breach, access control, defacement, and theft.
Most browser web applications are written in JavaScript and use APIs to get data but these APIs often contain numerous vulnerabilities. Attackers can reverse engineer the code or monitor the communication between browser and API with a tool to find vulnerabilities and to exploit them. Moreover, the architecture of most APIs is so complex that they require continuous automated testing and thorough penetration testing to find deep-seeded vulnerabilities.
The compromise risks everything an exploited API accesses. This type of attack can be used to steal information, send phishing emails, delete data, and so forth.
Find Vulnerabilities
Patch Vulnerabilities
Does the scanning solution include penetration testing without additional cost?