A good way to analyze application-level threats is to organize them by application vulnerability category. The various categories used in the subsequent sections of this chapter and throughout the guide, together with the main threats to your application, are summarized in Table 2.2.
| Category | Threats |
|---|---|
| Input validation | Buffer overflow; cross-site scripting; SQL injection; canonicalization |
| Authentication | Network eavesdropping; brute force attacks; dictionary attacks; cookie replay; credential theft |
| Authorization | Elevation of privilege; disclosure of confidential data; data tampering; luring attacks |
| Configuration management | Unauthorized access to administration interfaces; unauthorized access to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accounts |
| Sensitive data | Access sensitive data in storage; network eavesdropping; data tampering |
| Session management | Session hijacking; session replay; man in the middle |
| Cryptography | Poor key generation or key management; weak or custom encryption |
| Parameter manipulation | Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulation |
| Exception management | Information disclosure; denial of service |
| Auditing and logging | User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracks |
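Two rows of the table map directly onto small defensive checks that are easy to get wrong: the canonicalization threat under Input validation, and cookie manipulation under Parameter manipulation. The following is an added illustration, not code from the guide; the base directory, the signing key and the sample values are constructed for the example, and the function names are the example's own.

```python
"""Defensive checks for two rows of Table 2.2 (added example, not the
guide's own code): a canonicalization check for user-supplied paths
(Input validation) and an integrity check on a cookie value
(Parameter manipulation)."""
import base64
import hashlib
import hmac
import posixpath
from typing import Optional

# Constructed values for this example only; a real key would be generated
# per deployment and kept out of source code.
BASE_DIR = "/srv/app/uploads"
COOKIE_KEY = b"constructed-example-key-do-not-reuse"


def resolve_under_base(base_dir: str, user_path: str) -> Optional[str]:
    """Canonicalize user_path relative to base_dir and reject anything that
    resolves outside base_dir. Returns the canonical path, or None.

    Comparing the raw string against a prefix is the classic mistake:
    '..' segments, repeated separators and absolute paths all defeat it.
    Canonicalize first, then compare.
    """
    base = posixpath.normpath(base_dir)
    # posixpath.join discards base when user_path is absolute, and normpath
    # collapses '..' and '//', so every escape attempt ends up as a path
    # that simply does not start with base.
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def sign_value(value: str, key: bytes = COOKIE_KEY) -> str:
    """Return 'value.mac', where mac is HMAC-SHA256 over value.

    The MAC does not hide the value (use encryption for that); it lets the
    server detect that a cookie or form field was altered on the client.
    """
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def verify_value(cookie: str, key: bytes = COOKIE_KEY) -> Optional[str]:
    """Return the embedded value if its MAC verifies, otherwise None."""
    value, sep, _mac = cookie.rpartition(".")
    if not sep:
        return None  # no MAC present at all
    expected = sign_value(value, key)
    # Constant-time comparison so the check itself does not leak how many
    # leading bytes of the MAC were correct.
    if hmac.compare_digest(expected.encode("utf-8"), cookie.encode("utf-8")):
        return value
    return None


if __name__ == "__main__":
    for p in ["reports/q1.csv", "reports/../q1.csv", "../../etc/passwd", "/etc/passwd"]:
        print(f"{p!r:22} -> {resolve_under_base(BASE_DIR, p)}")
    good = sign_value("role=user")
    print("intact  :", verify_value(good))
    print("tampered:", verify_value(good.replace("role=user", "role=admin")))
```

The path check deliberately uses only string canonicalization so it runs offline; on a real filesystem you would additionally resolve symlinks before the prefix comparison. The cookie check treats any missing, truncated or altered MAC the same way (reject), which is the behaviour you want for every parameter the client can edit.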