A method of system development that incorporates security controls in every phase of the system's lifecycle.
SSDLC
A comprehensive guide for testing the security of web applications. It is a project of the Open Web Application Security Project (OWASP) designed to help developers, testers, and security professionals identify and address security vulnerabilities in web applications.
OWASP Testing Guide
Open Worldwide Application Security Project
OWASP
An attack in which an attacker intercepts communications between two endpoints to capture their traffic.
On-Path attack
Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.
Input validation
An attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's session.
Session hijacking
A brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
Password spraying
Coding methods to sanitize output created from user input.
Output Encoding
An attack that injects a database query into the input data directed at a server by accessing the client side of the application.
Structured Query Language injection (SQL injection)
A brute force attack in which stolen user account names and passwords are tested against multiple websites.
Credential stuffing
A software vulnerability where a program attempts to write more data to a buffer (a temporary storage area in memory) than it can hold, causing the excess data to overflow into adjacent memory space.
Buffer overflow
A malicious script hosted on the attacker's site or coded in a link injected onto a trusted site, designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones.
cross-site scripting (XSS)
A software vulnerability where the authentication mechanism allows an attacker to gain entry, such as displaying cleartext credentials, using weak session tokens, or permitting brute force login requests.
Broken Authentication
A web server vulnerability that allows an attacker to access the operating system files of the system running the web application.
Directory Traversal
An XML document that defines entities which expand to exponential sizes when parsed, consuming memory on the host and potentially crashing it.
XML bomb (Billion Laughs attack)