
OWASP TOP 10

Cross-site Request Forgery

  • Make use of built-in protection.
  • Rails includes CSRF protection, protect_from_forgery, which is enabled in application_controller.rb by default.
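As an added stand-alone example (not Rails' own implementation, which additionally masks the token per request), this is the synchronizer-token check that protect_from_forgery performs, in plain Ruby; the Request struct and the session hash are constructed stand-ins for the framework objects.

```ruby
require 'securerandom'

# Stand-alone illustration (not Rails code) of the synchronizer-token pattern
# behind protect_from_forgery: a random token lives in the server-side session,
# every form or AJAX call must echo it, and state-changing requests without a
# matching token are rejected. Request and the session hash are constructed stand-ins.
Request = Struct.new(:http_method, :params, :headers)

class CsrfGuard
  # Methods that must not change state and therefore need no token.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  def initialize(session)
    @session = session
  end

  # Token minted once per session; views embed it as a hidden form field.
  def form_token
    @session[:csrf_token] ||= SecureRandom.urlsafe_base64(32)
  end

  # Returns true when the request may proceed. A cross-site form post can
  # carry the victim's cookies but not the token, so it fails this check.
  def verified?(request)
    return true if SAFE_METHODS.include?(request.http_method.upcase)

    submitted = request.params['authenticity_token'] || request.headers['X-CSRF-Token']
    expected  = @session[:csrf_token]
    return false if submitted.nil? || expected.nil?

    secure_compare(submitted, expected)
  end

  private

  # Constant-time comparison: does not leak how many leading bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```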

Access Control - Missing Function Level Access Control

Check that users are authorized for each part of the application. If this is not checked, a malicious user with any valid session could see every account log.

Base64.urlsafe_decode64.

What is the OWASP Top 10? (2017)

  1. Injection
  2. Broken Authentication
  3. Sensitive data exposure
  4. XML external entities
  5. Broken access control (merged with missing function level access control)
  6. Security misconfiguration
  7. Cross-site scripting (merged with insecure direct object references)
  8. Insecure deserialization
  9. Using components with known vulnerabilities
  10. Insufficient logging and monitoring

Injection

Untrusted data is sent to an interpreter as part of a query or command and tricks it into executing unintended commands.

  1. Use a safe API that avoids the interpreter entirely (e.g. an ORM).
  2. Whitelist input.
  3. Escape special characters.
  4. Use LIMIT and other SQL controls to prevent mass disclosure of records.

Broken Authentication

Passwords, keys and session tokens are compromised.

  1. MFA.
  2. No default credentials.
  3. Weak-password checks against the top 10,000 worst passwords.
  4. Length, complexity and rotation policies for passwords.
  5. Harden credential recovery.
  6. Limit failed login attempts; log them and alert admins.
  7. Use a server-side session manager with random, high-entropy session IDs.

3. Sensitive Data Exposure: APIs fail to protect sensitive data.

  1. Classify data processed, stored or transmitted; identify sensitive data.
  2. Apply controls according to the classification.
  3. Discard sensitive data as soon as possible; use PCI DSS compliant tokenization.
  4. Encrypt sensitive data at rest.
  5. Keep algorithms, protocols and keys up to date.
  6. Encrypt all data in transit (TLS/HTTPS).
  7. Disable caching for sensitive data.
  8. Store passwords with salted hashing using a delay (work) factor.
  9. Verify the configuration and settings.

4. XML External Entities (XXE): discloses internal files.

  1. Developer training.
  2. Use JSON and avoid serialization of sensitive data.
  3. Upgrade XML processors; SOAP to v1.2 or higher.
  4. Disable XML DTD processing.
  5. Positive server-side validation, filtering or sanitization.
  6. Verify that XML or XSL uploads are validated against an XSD.
  7. SAST tools can detect XXE.
  8. Virtual patching: API security gateways, firewalls.

OWASP Cheat Sheet: XXE Prevention

5. Broken Access Control: restrictions on what users can do are not enforced. Enforce them in trusted server-side code.

  1. Deny by default, except for public resources.
  2. Implement access control once and reuse it; minimize CORS.
  3. Model access controls should enforce record ownership, not let users create, read, update or delete data they don't own.
  4. Disable web server directory listing.
  5. Log access control failures.
  6. Rate limit the API.
  7. Invalidate JWTs on the server after logout.
  8. Dev and QA: include functional access control tests.

6. Security Misconfiguration: insecure default configurations, open cloud storage, misconfigured HTTP headers and verbose error messages.

  1. Upgrade systems, frameworks and libraries.
  2. Repeatable hardening process, so another locked-down environment is fast and easy to deploy. Automate the process.
  3. Use a minimal platform without unnecessary features.
  4. Review and update configurations, including cloud storage permissions.
  5. Segmented application architecture.
  6. Send security dire

7. XSS: no validation or escaping of data that is inserted into a page via an API that creates HTML or JS.

Separate untrusted data from active content.

  1. Use frameworks that escape XSS by design.
  2. Escape untrusted HTTP request content.
  3. Apply context-sensitive encoding.
  4. Content Security Policy.

8. Insecure Deserialization

  1. Digital signatures.
  2. Strict type constraints.
  3. Isolate and run code that deserializes in a low-privilege environment.
  4. Log deserialization failures.
  5. Restrict and monitor connectivity.

9. Using Components with Known Vulnerabilities

  1. Remove unused dependencies.
  2. Inventory server-side and client-side dependencies; automate the process with software composition analysis.
  3. Monitor unmaintained libraries; keep patching.

10. Insufficient Logging and Monitoring

  1. Ensure input validation failures are logged with user context and held long enough for analysis.
  2. Use a format that is easily consumed.
  3. Audit trail for high-value transactions.
  4. Monitoring and alerting.
  5. Incident response and recovery plan.