The OWASP Top 10 Handbook
by Jennifer Marsh

Hacking Broken Access Controls (with practical examples and code)




The OWASP Top 10 is a categorization of the most common classes of vulnerability affecting web applications. This book covers category one: broken access controls. Broken access control is an umbrella category for the many ways an attacker can take over accounts or read and modify other users' data by abusing mistakes in authorization (and in the authentication that authorization relies on). You might think that you have access control locked down in your application or API, but attackers routinely find small bugs that bypass it. Broken access controls are usually minor mistakes with huge consequences, and this book provides developers and application owners with basic examples to help them find their own vulnerabilities.

This book offers real-world examples and code to show developers and application owners how attackers gain access to accounts or unauthorized data by exploiting broken access controls. Python code is used in realistic scenarios to test applications for common vulnerabilities, so developers can see how easily some broken access controls can be exploited. Application owners will get a better understanding of the security issues involved and the importance of hardened source code. All Python scripts are published publicly on GitHub for your convenience.

The ebook has seven chapters:

Introduction: A breakdown of several broken access control subcategories and an understanding of the OWASP Top 10.

Chapter 1 (Principle of Least Privilege): If you’re designing an application or need to create authorization rules, the Principle of Least Privilege is covered in this chapter to help you understand the best way to provide data access to customers and employees.

Chapter 2 (Modifying URL Parameters and IDOR): This chapter shows, by example, how to tamper with query string parameters and object identifiers (insecure direct object references) to read other users' data, escalate privileges, or reach web pages you are not authorized to see.

Chapter 3 (Exploiting URL Parameter Vulnerabilities to Gain Access to Files): URL parameters that name files are an often-overlooked weakness, so this chapter shows how manipulating them can expose sensitive files such as server configurations or files containing application passwords.

Chapter 4 (Hacking APIs with Missing Authentication): APIs provide critical backend functionality, so this chapter covers testing of API endpoints to find missing authentication controls or other vulnerabilities.

Chapter 5 (CORS Misconfigurations): Understand CORS, preflight requests, and how to configure an API so that only authorized remote origins can call it.

Chapter 6 (Bad Redirects and Authentication): Developers often use redirects to send authenticated users to specific application pages, so this chapter covers checking the authorization controls on the redirect targets themselves, which are easy to reach directly and can be abused by internal users.

Chapter 7 (Where to Go From Here?): A wrap-up with basic advice on next steps. Protecting an application is a large undertaking, so it is usually best to bring in a professional.
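The following is an added worked example, not code from the book or its GitHub repository, covering the two ideas that open the book: the IDOR tests of Chapter 2 and the least-privilege ownership check of Chapter 1. It simulates an "invoice" endpoint in-process so it runs offline: a vulnerable handler that looks records up by id alone, a hardened handler that scopes the lookup to the caller, and the tester's loop that walks neighbouring ids with a single user's session. The invoice table, the `/api/invoice?invoice_id=` URL shape, and the user names are all constructed for the example.

```python
"""IDOR probe against a simulated invoice endpoint (added example).

Assumptions (not from the book): an endpoint /api/invoice?invoice_id=N,
a session identified only by a user name, and a constructed in-memory table.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str
    total: float


# Constructed sample data standing in for a database table.
INVOICES = {
    1001: Invoice(1001, "alice", 120.00),
    1002: Invoice(1002, "bob", 89.50),
    1003: Invoice(1003, "carol", 410.25),
}


class NotFound(Exception):
    """Raised where a real handler would answer 404."""


def vulnerable_fetch(session_user: str, invoice_id: int) -> Invoice:
    """Looks the row up by id only. Any authenticated user reads any invoice:
    this is the broken access control (IDOR)."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def hardened_fetch(session_user: str, invoice_id: int) -> Invoice:
    """Scopes the lookup to rows the caller owns (least privilege).
    Other users' rows answer 404 rather than 403 so the endpoint does not
    become an oracle for which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        raise NotFound(invoice_id)
    return inv


def handle_request(fetch, session_user: str, url: str) -> Invoice:
    """Minimal router: pulls invoice_id out of the query string the way a
    real handler would, then delegates to the chosen fetch implementation."""
    query = parse_qs(urlsplit(url).query)
    try:
        invoice_id = int(query["invoice_id"][0])
    except (KeyError, ValueError):
        raise NotFound("invoice_id") from None
    return fetch(session_user, invoice_id)


def probe_idor(fetch, session_user: str, known_id: int, span: int = 5) -> list:
    """Tester's loop from Chapter 2: with one account and one id it legitimately
    owns, request the ids around it by rewriting the URL parameter and report
    every id that came back holding someone else's data."""
    leaked = []
    for candidate in range(known_id - span, known_id + span + 1):
        if candidate == known_id:
            continue
        url = f"/api/invoice?invoice_id={candidate}"
        try:
            inv = handle_request(fetch, session_user, url)
        except NotFound:
            continue
        if inv.owner != session_user:
            leaked.append(candidate)
    return leaked


if __name__ == "__main__":
    # alice owns 1001; the probe should find nothing under the hardened handler.
    print("vulnerable:", probe_idor(vulnerable_fetch, "alice", 1001))
    print("hardened:  ", probe_idor(hardened_fetch, "alice", 1001))
```

The probe only needs one valid session and one known id; sequential integer identifiers make the rest a loop. Note that the fix is in the data access layer (`hardened_fetch` filters by owner), not in the router, because an ownership check bolted onto one URL is easily missed on the next endpoint that exposes the same table.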

Category: Computing and Technology

Cataloged by Samuel1199 on 18/11/2024 09:27:03; last edited 18/11/2024 09:27:25.
