INSECURE METHOD PARAMETER
This risk is a business-specific injection type. A custom injection may be performed when untrusted input is accepted by a particular method that then carries out an operation vulnerable to injection. It can arise in several situations, e.g. a custom storage system that has its own query language, or access to a different backend that assumes trusted inputs. Using this analyzer, a method can be marked as vulnerable in order to detect and protect against any untrusted data that reaches it. The developer uses a custom mark to identify the methods to be monitored.
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.
A successful SQL injection exploit can read sensitive data from the database, modify data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system. In a SQL injection attack, SQL commands are injected into data-plane input in order to alter the predefined SQL commands the application executes.
BROKEN AUTHENTICATION AND SESSION MANAGEMENT
These types of weaknesses can allow an attacker to either capture or bypass the authentication methods used by a web application.
BRUTE FORCE LOGIN
In a brute-force attack, an attacker tries to guess a correct password, or the key that is typically derived from the password, by trying many candidates.
Cross-site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.
INSECURE DIRECT OBJECT REFERENCES
Parameter tampering is a form of Web-based attack in which certain parameters in the Uniform Resource Locator (URL), or form field data entered by a user on a web page, are changed without that user's authorization. This points the browser to a link, page or site other than the one the user intends (although it may look exactly the same to the casual observer).
An attacker may access default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain knowledge or unauthorized access to the system.
Application server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers could use the extra information provided by error messages.
SENSITIVE DATA EXPOSURE
These types of vulnerabilities allow attackers to obtain sensitive data such as credit card details, health/personal information or usernames and passwords.
FUNCTION LEVEL ACCESS CONTROL
This protection feature prevents OWASP A7 from being exploited. A7 risks can result from insufficient protection of sensitive request handlers within an application:
- Can a user directly browse to a resource?
- Does the UI expose an unauthorized resource?
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with a "dot-dot-slash (../)" sequence and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files. It should be noted that access to files is limited by the system's operational access control, such as in the case of locked or in-use files on the Microsoft Windows operating system.
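One way to implement the check described above, as an added example that is not part of the original page: a purely lexical resolver that decodes the client-supplied reference, rejects absolute paths, collapses dot-dot-slash variants and confirms the result still lies under an assumed web root (`/var/www/site/public` is a constructed value).

```python
import posixpath
from pathlib import PurePosixPath
from urllib.parse import unquote

WEB_ROOT = PurePosixPath("/var/www/site/public")  # assumed web root for the example

class TraversalAttempt(ValueError):
    """Raised when a client-supplied file reference escapes the web root."""

def resolve_under_root(requested: str, root: PurePosixPath = WEB_ROOT) -> PurePosixPath:
    # Decode repeatedly (bounded) so %2e%2e%2f and double-encoded variants are
    # seen in their plain form before any path logic runs.
    decoded = requested
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Treat backslashes as separators too, as Windows-hosted servers would.
    decoded = decoded.replace("\\", "/")
    # A client-supplied reference must never be an absolute path.
    if decoded.startswith("/"):
        raise TraversalAttempt(requested)
    # Collapse '.' and '..' lexically, then require the result to stay inside root.
    # Note: this does not follow symlinks; a deployment should also resolve the
    # final path on disk and repeat the containment check.
    normalised = PurePosixPath(posixpath.normpath(str(root / decoded)))
    try:
        normalised.relative_to(root)
    except ValueError:
        raise TraversalAttempt(requested) from None
    return normalised

def is_inside_root(requested: str) -> bool:
    """Convenience wrapper: True if the reference resolves under the web root."""
    try:
        resolve_under_root(requested)
        return True
    except TraversalAttempt:
        return False

if __name__ == "__main__":
    for ref in ["css/../index.html", "../../etc/passwd", "..%2f..%2fetc/passwd"]:
        print(f"{ref!r}: {'allowed' if is_inside_root(ref) else 'blocked'}")
```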
OWASP A7 - 2017
This rule prevents any infected binary file being uploaded to the server by blocking its transfer.
This rule helps to block bots that are reputed to be malicious.
Malicious IPs are IPs that are reputed to be a source of attacks. This analyzer obtains malicious IPs from external sources, but additionally, it is able to detect attack patterns, including those IPs on a rejected IP list. Any IP present on those lists will be banned and the application protected against the attacker.
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for.
There are many ways to make a service unavailable to legitimate users - by manipulating network packets, programming or resources handling vulnerabilities among others.
If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability is exploited, or because of the way the service handles the resources it uses.
This analyzer allows DoS rules to be configured in order to detect such attacks and, if desired, block the attacker.
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not data, since the attacker has no way of seeing the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so on. If the victim is an administrative account, CSRF can compromise the entire web application.
Some vulnerable components (e.g., framework libraries) can be identified and exploited with automated tools, expanding the threat agent pool beyond targeted attackers to include chaotic actors.
UNVALIDATED REDIRECT FORWARDS
The application is using an untrusted input to craft a redirect/forward URL.
Data that is untrusted also cannot be trusted to be well formed. Malformed or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized.