Created September 12, 2021 18:17
OWASP_Top10_2021
https://owasp.org/Top10/A00-about-owasp/

Broken_Access_Control

Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data, or to performing a business function outside the user's limits. Common access control vulnerabilities include:

- Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool.
- Allowing the primary key to be changed to another user's record, permitting viewing or editing someone else's account.
- Elevation of privilege: acting as a user without being logged in, or acting as an admin when logged in as a user.
- Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token, or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation.
- CORS misconfiguration that allows unauthorized API access.
- Force browsing to authenticated pages as an unauthenticated user, or to privileged pages as a standard user. Accessing an API with missing access controls for POST, PUT and DELETE.
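The following is an added example, not part of this gist or the OWASP text. It shows two of the bullets above in code: a handler that trusts the record id taken from the URL (so changing the primary key exposes another user's record) and one that has no check at all on PUT and DELETE, next to a hardened handler that routes every method through one deny-by-default authorization function. The record store, users, roles and the `authorize` / `handle_*` function names are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    id: int
    owner: str
    body: str


@dataclass
class User:
    name: str
    authenticated: bool = True
    roles: set = field(default_factory=set)


class Unauthorized(Exception):
    """Caller is not logged in."""


class Forbidden(Exception):
    """Caller is logged in but may not perform this action on this object."""


def make_store():
    # Constructed sample data: two users, one record each.
    return {
        1: Record(1, "alice", "alice's notes"),
        2: Record(2, "bob", "bob's notes"),
    }


def handle_vulnerable(store, user, method, record_id, new_body=None):
    """Trusts the record id from the request: any logged-in (or not) caller who
    changes /records/2 to /records/1 reads or overwrites alice's data, and the
    mutating methods carry no check at all."""
    rec = store[record_id]
    if method == "PUT":
        rec.body = new_body
    elif method == "DELETE":
        del store[record_id]
        return None
    return rec.body


def authorize(user, method, rec):
    """Deny by default. Every method passes through this one function so that
    POST/PUT/DELETE cannot be left unchecked when only GET was considered."""
    if not user.authenticated:
        raise Unauthorized("login required")
    is_owner = rec is not None and rec.owner == user.name
    is_admin = "admin" in user.roles
    if method == "GET":
        allowed = is_owner or is_admin
    elif method in ("PUT", "DELETE"):
        allowed = is_owner          # admins may read for support, not modify
    else:
        allowed = False             # unknown or unexpected method: refuse
    if not allowed:
        # One response for "missing" and "not yours": ids cannot be enumerated.
        raise Forbidden("no such record for this user")


def handle_hardened(store, user, method, record_id, new_body=None):
    rec = store.get(record_id)
    authorize(user, method, rec)    # server-side check, independent of the client
    if method == "PUT":
        rec.body = new_body
    elif method == "DELETE":
        del store[record_id]
        return None
    return rec.body


def demo():
    """Runs the same four requests against both handlers on a fresh store and
    returns what each allowed, so the difference can be asserted on."""
    alice, bob = User("alice"), User("bob")
    anon = User("anon", authenticated=False)
    outcomes = {}
    for label, handler in (("vulnerable", handle_vulnerable), ("hardened", handle_hardened)):
        store = make_store()

        def attempt(user, method, rid, body=None):
            try:
                return handler(store, user, method, rid, body)
            except (Unauthorized, Forbidden) as exc:
                return type(exc).__name__

        results = {}
        results["alice_reads_own"] = attempt(alice, "GET", 1)     # legitimate use
        results["bob_reads_1"] = attempt(bob, "GET", 1)           # id changed in URL
        attempt(bob, "PUT", 1, "defaced")                         # PUT on another's record
        results["record_1_after_put"] = store[1].body
        attempt(anon, "DELETE", 2)                                # unauthenticated DELETE
        results["record_2_exists"] = 2 in store
        outcomes[label] = results
    return outcomes


if __name__ == "__main__":
    for label, results in demo().items():
        print(label, results)
```

The hardened version keeps the check in `authorize`, which is called before any data access regardless of HTTP method, and answers a missing record and a record owned by someone else with the same error so that valid ids cannot be told apart from invalid ones.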