Mark As Completed Discussion
Home > DevOps/SDLC Cheat Sheets > DevOps and SDLC > Web Application Security Principles

5. Broken Access Control. Broken access control is when an attacker is able to get access to user accounts. The attacker is able to operate as the user or as an administrator in the system.

  • Example: An application allows a primary key to be changed. When the key is changed to another user’s record, that user’s account can be viewed or modified.
  • Solution: Implement access control mechanisms once and re-use them throughout the application, including minimizing CORS usage. Rate limit API and controller access to minimize the harm from automated attack tooling. JWT tokens should be invalidated on the server after logout.

6. Security Misconfiguration. Security misconfigurations are when design or configuration weaknesses result from a configuration error or shortcoming.

  • Example: A default account and its original password are still enabled, making the system vulnerable to exploit.
  • Solution: Remove or do not install unused features and frameworks. Development, QA, and production environments should all be configured identically, with different credentials used in each environment.

7. Cross-Site Scripting (XSS). XSS attacks occur when an application includes untrusted data on a webpage. Attackers inject client-side scripts into this webpage.

  • Example: Untrusted data in an application allow for an attacker to ‘steal a user session’ and gain access to the system.
  • Solution: Use frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. Escape untrusted HTTP request data based on the context in the HTML output. Enable a Content Security Policy (CSP) as a defense-in-depth mitigating control against XSS.

OWASP principles extended

8. Insecure Deserialization. Insecure Deserialization is a vulnerability where deserialization flaws allow an attacker to remotely execute code in the system.

  • Example: An application is vulnerable because it deserializes hostile objects that were supplied by an attacker.
  • Solution: Implement integrity checks such as digital signatures on any serialized objects to prevent hostile object creation or data tampering. Log deserialization exceptions and failures. Restrict incoming and outgoing network connectivity from containers or servers that deserialize.

Programming Categories

  • Basic Arrays Interview Questions
  • Binary Search Trees Interview Questions
  • Dynamic Programming Interview Questions
  • Easy Strings Interview Questions
  • Frontend Interview Questions
  • Graphs Interview Questions
  • Hard Arrays Interview Questions
  • Hard Strings Interview Questions
  • Hash Maps Interview Questions
  • Linked Lists Interview Questions
  • Medium Arrays Interview Questions
  • Queues Interview Questions
  • Recursion Interview Questions
  • Sorting Interview Questions
  • Stacks Interview Questions
  • Systems Design Interview Questions
  • Trees Interview Questions

    • Popular Lessons

  • All Courses, Lessons, and Challenges
  • Data Structures Cheat Sheet
  • Free Coding Videos
  • Bit Manipulation Interview Questions
  • Javascript Interview Questions
  • Python Interview Questions
  • Java Interview Questions
  • SQL Interview Questions
  • QA and Testing Interview Questions
  • Data Engineering Interview Questions
  • Data Science Interview Questions
  • Blockchain Interview Questions
  • String Manipulation: Techniques and Best Practices
  • The Simple Reference to Graphs
  • Trees
  • Optimizing Azure Resources
  • Introduction to Algorithms in C++