Yahoo Search Web Search

Search results

  1. Cross-Site Request Forgery. If an attacker can get a logged-in user's browser to send forged HTTP requests to your site, they may be able to trick your users into triggering unintended actions.

    • OWASP Top 10

      Each year OWASP (the Open Web Application Security Project)...

    • Features

      Learn about all the major vulnerabilities that threaten your...

    • Enterprise

      Enterprise - Hacksplaining

    • Lessons

      Lessons - Hacksplaining

    • The Book

      Hacksplaining is now a book! In partnership with Manning...

    • Login

      Login - Hacksplaining

    • Logging and Monitoring

      It's important to be able to observe your web application at...

    • Session Fixation

      Session Fixation. Websites with user accounts typically...

  2. Learn about all the major vulnerabilities that threaten your stack and hack real vulnerable applications to see how the attacks work.

    • Broken Access Control
    • Cryptographic Failures
    • Injection
    • Insecure Design
    • Security Misconfiguration
    • Vulnerable and Outdated Components
    • Identification and Authentication Failures
    • Software and Data Integrity Failures
    • Security Logging and Monitoring Failures
    • Server-Side Request Forgery

    Broken Access Control. Access control enforces policy such that users cannot act outside their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data, or to performing a business function outside the user's limits.

    Cryptographic Failures. Many web applications and APIs do not properly protect sensitive data with strong encryption. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data must be encrypted at rest and in transit, using a modern (and correctly configured) encryption algorithm.

    Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

    Insecure Design. Pre-coding activities are critical for the design of secure software. The design phase of your development lifecycle should gather security requirements and model threats, and development time should be budgeted to allow for these requirements to be met. As software changes, your team should test assumptions and conditions for expected and failure flows...

    Security Misconfiguration. Your software is only as secure as you configure it to be. Using ad hoc configuration standards can lead to default accounts being left in place, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured...

    Vulnerable and Outdated Components. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attack...

    Identification and Authentication Failures. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

    Software and Data Integrity Failures. These relate to code and infrastructure that do not protect against integrity violations. An example of this is where an application relies upon plugins, libraries, or modules from untrusted sources, repositories, and content delivery networks (CDNs). An insecure deployment pipeline can introduce the potential for unau...

    Security Logging and Monitoring Failures. Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than ...

    Server-Side Request Forgery. SSRF flaws occur whenever a web application fetches a remote resource without validating the user-supplied URL. It allows an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall, VPN, or another type of network access control list (ACL).
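Two of the categories summarised above, Injection and Server-Side Request Forgery, share one root cause: user-controlled data is handed verbatim to a back-end component (a SQL interpreter, an HTTP fetcher) that will act on it. The following is an added example written for this page, not code from Hacksplaining or OWASP. It shows a vulnerable SQL lookup beside its parameterised form, and a URL validator of the kind an SSRF fix needs. The users table, the sample rows, the host allow-list `ALLOWED_HOSTS` and the function names are all constructed for the example.

```python
"""Added example (not from Hacksplaining or OWASP): a vulnerable and a
hardened version of two of the flaws described above, Injection and SSRF.
The database, rows, URLs and allow-list are constructed so this runs offline."""
import ipaddress
import sqlite3
from urllib.parse import urlsplit

# --- Injection: untrusted data reaching the SQL interpreter -----------------

def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "admin"), (2, "bob", "user")])
    return con

def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    # Untrusted `name` is concatenated into the query text, so whatever the
    # caller supplies is parsed as SQL rather than compared as a value.
    # A name of  x' OR '1'='1  turns the WHERE clause into a tautology.
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()

def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    # Bound parameter: the value travels separately from the statement and
    # is never parsed as SQL, so the same payload simply matches no row.
    return con.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)).fetchall()

# --- SSRF: untrusted URL reaching the server-side fetcher -------------------

# Hypothetical allow-list of hosts this application legitimately fetches from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

def is_safe_fetch_url(url: str, allowed_hosts=None) -> bool:
    """Validate a user-supplied URL before the server makes any request.

    Rejects non-http(s) schemes (file://, gopher://, dict://), empty hosts,
    literal IP addresses that are not globally routable (loopback, RFC 1918,
    link-local including the 169.254.169.254 cloud metadata endpoint, ::1),
    and, when an allow-list is given, any host not on it.

    Caveat: no DNS is done here. A hostname that resolves to an internal
    address (DNS rebinding) or a redirect to one is not caught by this check;
    a real deployment must also validate the resolved address at connect time
    and re-run this check on every redirect.
    """
    try:
        parts = urlsplit(url)
    except ValueError:           # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname        # already lower-cased, brackets stripped;
    if not host:                 # http://user@10.0.0.1/ yields 10.0.0.1 here,
        return False             # so the userinfo trick does not bypass us
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                # a hostname, not a literal address
    if ip is not None and not ip.is_global:
        return False
    if allowed_hosts is not None and host not in allowed_hosts:
        return False
    return True

if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(con, payload))   # both rows leak
    print("safe:      ", lookup_safe(con, payload))         # []
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://api.example.com@127.0.0.1/admin",
              "file:///etc/passwd",
              "https://api.example.com/v1/items"):
        print(f"{u:45s} -> {is_safe_fetch_url(u, ALLOWED_HOSTS)}")
```

The parameterised query is the complete fix for the injection case; for SSRF the validator is only the first layer, which is why the docstring spells out what it does not cover.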

  3. www.youtube.com › channel › UCOibgcOTyaRNjq__8ds2SxA
     Hacksplaining - YouTube

    Hacksplaining. Learn about security vulnerabilities in a fun, simple, and direct way.

  4. HacksPlaining is a security portal focused on teaching security practices for defending against modern hacker techniques.

  5. Learn about different attacks, how to exploit and how to prevent them.

  6. es.linkedin.com › company › hacksplaining
     Hacksplaining | LinkedIn

    Hacksplaining is the best and most complete way for developers to learn about the security vulnerabilities that threaten your business! Our online exercises can keep your development team up to...