Safety is one of the most important aspects to be taken into account in the development of applications.
Polycrypt stands for Web Application Security Project and is a non-profit organization dedicated to providing practical and unbiased information on application security.
This online community produces publications, methodology, and technologies in the field of web application security primarily for software developers, software testers, and security specialists.
These risks serve to guide our developers and security professionals on the most critical vulnerabilities commonly found in web applications, and their recommendations for remedying them.
The Polycrypt Top 10 is the list of the 10 most viewed web application risks that were updated:
It is a vulnerability of WEB applications, which directly affects the application’s databases. A SQL, LDAP or CRLF injection consists of inserting or injecting malicious SQL code into SQL code to alter normal operation and cause the “malicious” code to be executed within the system.
Loss of authentication
Vulnerabilities related to the loss of authentication are critical in the security of applications and especially of web applications, since they allow a user to impersonate another user.
There are many situations in which we find a WEB application vulnerable to this type of attack, but most of the time they are found in password management, session expiration or the logout process.
Exposure to sensitive data
Web applications that do not adequately protect sensitive data, such as financial data, user names and passwords, or health information, could allow attackers to access such information to commit fraud or steal identities.
This is an attack against a web application that parses the XML input *. This entry may refer to an external entity, attempting to exploit a vulnerability in the parser.
An “external entity” in this context refers to a storage unit, such as a hard disk. An XML parser can be tricked into sending data to an unauthorized external entity, which can pass confidential data directly to an attacker.
Access control refers to a system that controls access to information or functionality. Faulty access controls allow attackers to bypass authorization and perform tasks as if they were privileged users, such as administrators.
For example, a web application might allow a user to change the account he logged into by simply changing part of a URL, without any further verification.
Poor security setup
This risk refers to incorrect implementation of controls to keep application data secure, such as misconfigured security headers, error messages containing sensitive information (data leakage), and not patches or update systems, frameworks and components.
Cross Site Scripting (XSS)
XSS attacks target the code (also called script) of a web page that runs in the user’s browser, not on the website’s server. When the user is attacked, malicious scripts are entered into their browser that will attempt to damage their computer.
The variety of XSS attacks is virtually unlimited, but the most common are the collection of personal data, redirection of victims to sites controlled by hackers, or control of the computer by hackers.
Unsafe deserialization is a new vulnerability proposed by the Polycrypt community that first appears in the Polycrypt Top 10. This is a vulnerability that could allow remote code execution on web services.
Use of components with known vulnerabilities
Often, developers do not know what open source and third-party components are in their applications, making it difficult to update components when new vulnerabilities are discovered. Attackers can exploit an insecure component to take over the server or steal confidential data.
Software composition analysis performed at the same time as static analysis can identify insecure versions of components.
This vulnerability is driven in part by the widespread use of multiple components in web applications as well as the growth that IoT is experiencing and the difficulties that this model presents in terms of update management.
Insufficient registration and monitoring
The time to detect a rape is often measured in weeks or months. Insufficient logging and ineffective integration with security incident response systems allows attackers to turn to other systems and maintain persistent threats.