Web Application Security

Description

Web Application Security: notes on Web Application Security, created by Namita Tomar on 13-11-2018.

Resource Summary

Page 1

Injection

What is it? Untrusted user input reaches a server-side interpreter (SQL, OS shell, LDAP, ...) and is parsed as part of a command or query, so the attacker's data is executed as code.
Impact: data is read, modified or deleted; in the worst case the attacker runs commands on the server.
How to prevent it:
- Keep data separate from code: use parameterized queries / prepared statements or safe APIs instead of building commands by string concatenation.
- Validate input against an allowlist and reject anything that does not match.
- Use up-to-date frameworks and libraries.
- Have penetration testers test the application.
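Worked example (added here, not part of the original notes): the same lookup built by string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The table, its two rows, the `USERNAME_RE` allowlist and the `' OR '1'='1` payload are all assumptions made for the demo.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # assumed allowlist for this demo


def make_db():
    """Build a constructed in-memory table; the rows are sample data, not from the notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (username, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Concatenates the input into the SQL text, so the database parses it as code."""
    query = "SELECT username, secret FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameter binding: the input travels as a bound value and is never parsed as SQL."""
    query = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def is_valid_username(username):
    """Allowlist check: only lowercase letters, digits and underscore, 1-32 characters."""
    return USERNAME_RE.match(username) is not None


def lookup_validated(conn, username):
    """Defence in depth: reject input that fails the allowlist before it reaches the query."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_safe(conn, username)


def demo(payload="x' OR '1'='1"):
    """Run the same payload through both paths and report how many rows each returns."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),
        "safe_rows": len(lookup_safe(conn, payload)),
    }


if __name__ == "__main__":
    print(demo())  # the concatenated query leaks every row; the bound query returns none
```

The concatenated query becomes `... WHERE username = 'x' OR '1'='1'`, which is true for every row; the bound query looks for a user literally named `x' OR '1'='1` and finds nothing. Input validation is a second layer, not a replacement for binding.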

Page 2

Broken Authentication and Session Management

What is it? Authentication and session-management functions are built incorrectly (predictable session tokens, sessions that never expire or are not invalidated on logout, passwords stored or checked badly), which lets attackers impersonate other users.
Impact: the attacker takes over the victim's identity and acts with the victim's privileges.
How to prevent it:
- Don't develop your own authentication scheme; use the vetted implementation your framework or identity provider offers.
- Generate session tokens from a cryptographically secure random source, give them an expiry, rotate them after login, and invalidate them on the server at logout.
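Worked example (added here, not part of the original notes): a minimal server-side session store showing the properties the card asks for, next to the kind of predictable token it warns against. The 900-second idle timeout, the injectable clock and the user names are assumptions made for the demo.

```python
import secrets
import time

SESSION_TTL_SECONDS = 900  # assumed idle timeout for the demo


def predictable_token(user_id):
    """What NOT to do: a token an attacker can reconstruct from the user name and the clock."""
    return "%s-%d" % (user_id, int(time.time()) // 60)


class SessionStore:
    """Server-side sessions: the client holds only an opaque random token."""

    def __init__(self, now=time.time):
        self._sessions = {}  # token -> (user_id, expiry timestamp)
        self._now = now  # injectable clock so expiry can be tested deterministically

    def create(self, user_id):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter or user id
        self._sessions[token] = (user_id, self._now() + SESSION_TTL_SECONDS)
        return token

    def resolve(self, token):
        """Return the user for a valid token, or None; expired tokens are dropped when seen."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires = entry
        if self._now() > expires:
            del self._sessions[token]
            return None
        return user_id

    def rotate(self, token):
        """Issue a fresh token after login or a privilege change; the old one stops working."""
        user_id = self.resolve(token)
        if user_id is None:
            return None
        self.destroy(token)
        return self.create(user_id)

    def destroy(self, token):
        """Logout: invalidate on the server. Deleting the cookie alone leaves the session live."""
        self._sessions.pop(token, None)
```

Rotation on login is what defeats session fixation: a token the attacker planted before authentication is never the one that ends up bound to the victim's account.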

Page 3

Cross-Site Scripting (XSS)

What is it? Untrusted user input is written into a page and interpreted by the browser as HTML or JavaScript, so it runs in the victim's browser with the victim's session.
Impact: hijack user sessions (steal cookies or tokens), deface websites, change page content, redirect users.
How to prevent it:
- Escape untrusted data at output time, for the context it is written into (HTML body, attribute, JavaScript, URL).
- Use a modern UI framework that escapes by default, and avoid its raw-HTML escape hatches.
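Worked example (added here, not part of the original notes): server-side rendering of a user comment with and without escaping, plus a link renderer showing why attribute context needs a scheme allowlist on top of escaping. The `ALLOWED_SCHEMES` list and the sample payloads are assumptions made for the demo; `html.escape` is the Python standard library.

```python
import html

ALLOWED_SCHEMES = ("http://", "https://")  # assumed allowlist for link targets


def render_comment_vulnerable(comment):
    """Inserts the raw string into HTML, so markup in the input becomes markup in the page."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    """HTML-body context: escape & < > " ' so the browser displays the text instead of parsing it."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_link_safe(url):
    """Attribute + URL context. Escaping alone is not enough: a javascript: URL contains nothing
    that html.escape would touch, so the scheme is allowlisted before the value is escaped."""
    if not url.lower().startswith(ALLOWED_SCHEMES):
        url = "#"
    return '<a href="' + html.escape(url, quote=True) + '">link</a>'


def contains_script_tag(rendered):
    """Check on the output: does the rendered page now carry a script element?"""
    return "<script" in rendered.lower()
```

The escaped comment still reads as `<script>...` to a human, but the browser sees `&lt;script&gt;` and never creates a script element. The quote-breaking attempt in the link test becomes `&quot;`, so it cannot close the `href` attribute and start a new one.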

Page 4

Broken Access Control

What is it? Restrictions on what authenticated users are allowed to do are not properly enforced, e.g. a user reaches another user's records by changing an ID in the URL, or calls an admin function that is merely hidden in the UI.
Impact: attackers read data they should not see, view sensitive files, and modify or delete other users' data.
How to prevent it:
- Check access rights on the server for every request to a resource; hiding a link or button in the UI is not access control.
- Deny access by default and grant it only by an explicit rule (ownership, role).
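Worked example (added here, not part of the original notes): a record lookup that only checks "is someone logged in" next to one that runs a deny-by-default authorization rule on every request. The `RECORDS` and `ROLES` tables, the user names and the read/update rule are assumptions constructed for the demo.

```python
from dataclasses import dataclass


@dataclass
class Record:
    id: int
    owner: str
    body: str


# Constructed sample data (not from the notes): two users' records and a role table.
RECORDS = {
    1: Record(1, "alice", "alice's invoice"),
    2: Record(2, "bob", "bob's invoice"),
}
ROLES = {"alice": {"user"}, "bob": {"user"}, "carol": {"user", "admin"}}


class Forbidden(Exception):
    pass


def get_record_vulnerable(user, record_id):
    """Only checks that *someone* is logged in. Any user can fetch any record by guessing its ID,
    even though the UI never showed them a link to it."""
    if user is None:
        raise Forbidden("login required")
    return RECORDS[record_id]


def authorize(user, action, record):
    """Deny by default: returns True only when an explicit rule matches."""
    if user is None:
        return False
    roles = ROLES.get(user, set())
    if "admin" in roles:
        return True
    if action in ("read", "update") and record.owner == user:
        return True
    return False


def can_read(user, record_id):
    """Server-side decision for one request; a missing record and a foreign record both deny."""
    record = RECORDS.get(record_id)
    return record is not None and authorize(user, "read", record)


def get_record_safe(user, record_id):
    """The handler the server should expose: authorization runs on every request."""
    if not can_read(user, record_id):
        # One response for "does not exist" and "not yours", so IDs cannot be enumerated
        raise Forbidden("not found")
    return RECORDS[record_id]
```

The vulnerable handler is the classic insecure direct object reference: authentication succeeded, so the request is served. The safe handler answers the separate question "may this user do this to this object" and fails closed when no rule says yes.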

Page 5

Security Misconfiguration

What is it? Human error in configuring the system: default credentials left in place, unnecessary features or services enabled, verbose error messages, unpatched components.
Impact: depends on the misconfiguration; the worst cases (default admin credentials, exposed admin interfaces) lead to full compromise and loss of data.
How to prevent it:
- Force a change of default credentials.
- Run every component with least privilege.
- Use static analysis to scan code and configuration for default settings.
- Keep patching, updating and testing the system.
- Regularly audit the deployment in production.

Page 6

Sensitive Data Exposure

What is it? Sensitive data such as social security numbers, passwords, payment details and health records is stored or transmitted without adequate protection (in clear text, with weak or outdated cryptography, or kept longer than needed).
Impact: data that is lost, corrupted or exposed has serious consequences for business continuity (fraud, regulatory penalties, loss of trust) and for the people the data describes.
How to prevent it:
- Encrypt sensitive data at rest and in transit, and don't store data you don't need.
- Keep cryptographic algorithms, key sizes and parameters up to date, and plan for migrating data protected with old ones.
- Store passwords as salted hashes using a slow, password-specific function (bcrypt, scrypt, Argon2 or PBKDF2), never with reversible encryption.
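Worked example (added here, not part of the original notes): salted password hashing with PBKDF2 from the Python standard library, beside the unsalted fast hash it replaces, plus the `needs_rehash` check that lets old records be upgraded when the algorithm or work factor changes. The 600,000-iteration work factor, the `algo$iterations$salt$digest` record format and the sample passwords are assumptions made for the demo.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
ALGORITHM = "pbkdf2_sha256"


def hash_password_unsalted(password):
    """What NOT to do: a fast, unsalted hash. Equal passwords give equal digests, so one
    precomputed table breaks every account that shares a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, slow hash. The record carries algorithm and parameters so they can be upgraded."""
    if salt is None:
        salt = os.urandom(16)  # per-password random salt from the OS CSPRNG
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "%s$%d$%s$%s" % (ALGORITHM, PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored):
    """True when the record uses an older algorithm or a lower work factor than current policy,
    so the application can re-hash at the user's next successful login."""
    algo, iterations, _, _ = stored.split("$")
    return algo != ALGORITHM or int(iterations) < PBKDF2_ITERATIONS
```

Two users with the same password get different records because each gets its own salt, and the stored parameters make the "update cryptographic algorithm" step a matter of raising the constant and re-hashing on next login rather than a migration of secrets the server cannot read back.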
