Broken Access Control
Users can reach data or actions they shouldn’t, such as changing an ID in a URL to see another user’s info. Enforce every check on the server side (never trust the client to hide a link or button), and use rule-based access checks such as ownership or role rules.
Tools: Access test frameworks; role-based access checks; WAFs.
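A worked illustration of the server-side, rule-based check described above. This is an added example, not code from the original page; the in-memory profile table, the `Session` type and the rule table are all hypothetical stand-ins for a real web framework's session and data layer.

```python
# Added example (not from the original page): server-side authorization check.
# The "database", the Session model and the rule table are constructed stand-ins.
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed sample data: two user profiles keyed by user id.
PROFILES = {
    1: {"name": "alice", "email": "alice@example.test"},
    2: {"name": "bob", "email": "bob@example.test"},
}


@dataclass
class Session:
    """What the server knows about the caller after login (not taken from the URL)."""
    user_id: int
    role: str = "user"


class Forbidden(Exception):
    """Raised when an access rule denies the request."""


# Rule table: action name -> predicate(session, resource_id). Adding a new
# action means adding a rule here, so no handler can forget the check.
RULES: Dict[str, Callable[[Session, int], bool]] = {
    # A profile may be read by its owner or by an admin.
    "profile:read": lambda s, pid: s.role == "admin" or s.user_id == pid,
    # Only the owner may edit; admins must use a separate, audited path.
    "profile:edit": lambda s, pid: s.user_id == pid,
}


def authorize(session: Session, action: str, resource_id: int) -> None:
    """Deny by default: unknown actions and failed rules both raise."""
    rule = RULES.get(action)
    if rule is None or not rule(session, resource_id):
        raise Forbidden(f"{action} denied for user {session.user_id} on {resource_id}")


def get_profile_vulnerable(session: Session, profile_id: int) -> dict:
    """Broken access control: trusts the id from the URL and returns any record."""
    return PROFILES[profile_id]


def get_profile(session: Session, profile_id: int) -> dict:
    """Hardened handler: the rule is evaluated on the server before any data is read."""
    authorize(session, "profile:read", profile_id)
    return PROFILES[profile_id]


def can_read_profile(session: Session, profile_id: int) -> bool:
    """Convenience wrapper that turns the raise/return outcome into a boolean."""
    try:
        get_profile(session, profile_id)
        return True
    except Forbidden:
        return False
```

The important design point is that `authorize` is deny-by-default: an action with no rule is refused, so a new endpoint that forgets to register a rule fails closed rather than open.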
***
Cryptographic Failures
Sensitive data is not properly protected: it may be sent over plain HTTP or stored in weak or reversible formats. Always use strong encryption in transit (e.g. TLS), hash stored secrets such as passwords with a slow, salted algorithm, and avoid hardcoded keys.
Tools: TLS scanners, secret detection tools.
***
Injection
Malicious input is interpreted by the application as code or a command, as in SQL injection or cross-site scripting. Use parameterized queries and validate all inputs.
Tools: SAST/DAST tools (like SQLMap, OWASP ZAP).
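To make the "parameterized queries" point concrete, here is an added example (not from the original page) using an in-memory SQLite database with constructed rows. It places a string-built query beside its parameterized form and adds an allowlist validator for the username, so you can see why the unsafe version returns every row for a classic quote-and-`OR` input while the safe one returns nothing.

```python
# Added example (not from the original page): string-built vs parameterized SQL,
# plus input validation. Database contents are constructed sample data.
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (username, secret) VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Injectable: the input becomes part of the SQL text itself."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Parameterized: the driver sends the value separately from the SQL text,
    so quotes or keywords in the input are just characters in a string."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(username: str) -> bool:
    """Allowlist validation: defence in depth, not a substitute for parameters."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup(conn: sqlite3.Connection, username: str) -> List[str]:
    """Hardened entry point: validate first, then query with parameters."""
    if not validate_username(username):
        return []
    return find_user_safe(conn, username)
```

Validation alone is not enough (a legitimate field such as a free-text comment cannot be restricted to `[A-Za-z0-9_]`), which is why the parameterized query is the primary control and the allowlist is a second layer.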
***
Insecure Design
The application is built without considering security—for example, no threat model or protection built in. Prevent this by applying secure design patterns and planning early in development.
Tools: Threat modeling tools.
***
Security Misconfiguration
Settings like default passwords or unprotected server info are left open. Fix by configuring systems securely—remove defaults and minimize system exposure.
Tools: Configuration scanners, automated checks.
***
Vulnerable and Outdated Components
Using outdated or known-vulnerable libraries can leave security holes in an otherwise sound application. Regularly update dependencies and check them against known-vulnerability databases.
Tools: Dependency scanners like OWASP Dependency-Check or Snyk.
***
Identification & Authentication Failures
Weak login systems, missing multi-factor checks, or session issues make it easy to impersonate users. Ensure strong authentication and proper password/session handling.
Tools: Auth testing tools; session scanners.
***
Software & Data Integrity Failures
Data or code updates are done without checking if they’ve been tampered with. Always verify integrity—e.g., use checksums or code signing.
Tools: CI/CD integrity checks.
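The checksum and signature verification mentioned above, as an added example rather than code from the original page. It checks a downloaded update against a manifest before applying it; the HMAC here stands in for code signing under a shared secret (real release signing would use an asymmetric signature so the verifier never holds a signing key). The manifest layout, the key and the payload are all constructed for the example.

```python
# Added example (not from the original page): verify integrity before applying
# an update. Manifest format, key and payload are constructed assumptions.
import hashlib
import hmac
import json
from typing import Dict


class IntegrityError(Exception):
    """Raised when the update does not match its manifest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_artifact(key: bytes, data: bytes) -> str:
    """Producer side: HMAC-SHA256 over the exact bytes that will be shipped."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_manifest(key: bytes, data: bytes) -> Dict[str, str]:
    """Producer side: what a release pipeline would publish next to the artifact."""
    return {"sha256": sha256_hex(data), "hmac": sign_artifact(key, data)}


def apply_update(key: bytes, data: bytes, manifest: Dict[str, str]) -> dict:
    """Consumer side: refuse to parse or use the payload until both checks pass.
    Both comparisons use compare_digest so a mismatch does not leak timing."""
    if not hmac.compare_digest(sha256_hex(data), manifest.get("sha256", "")):
        raise IntegrityError("checksum mismatch: artifact was altered or truncated")
    if not hmac.compare_digest(sign_artifact(key, data), manifest.get("hmac", "")):
        raise IntegrityError("signature mismatch: manifest not produced with the trusted key")
    return json.loads(data)  # only now is the content trusted enough to interpret


def update_is_valid(key: bytes, data: bytes, manifest: Dict[str, str]) -> bool:
    try:
        apply_update(key, data, manifest)
        return True
    except (IntegrityError, ValueError):
        return False
```

A checksum alone only detects accidental corruption: anyone who can replace the artifact can replace the published hash too. The signature binds the manifest to a key the attacker should not have, which is the property "code signing" in the text is really after.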
***
Security Logging & Monitoring Failures
Missing or inadequate logging means attacks go unnoticed. Make sure all security-relevant actions (logins, failures, privilege changes, access denials) are logged with who, what, when and from where, and that alerts fire when something suspicious happens.
Tools: Log monitoring systems; SIEM tools.
***
Server-Side Request Forgery (SSRF)
The app fetches a URL supplied by the user, which can let attackers reach internal systems that are unreachable from outside. Avoid fetching URLs taken directly from untrusted input; if the feature is required, validate the destination against an allowlist before connecting.
Tools: Traffic filters, input validation.
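An added example (not from the original page) of the "input validation" control for outbound fetches: the URL is checked for an allowed scheme and host, then the host is resolved and the resulting address is rejected if it is private, loopback, link-local or otherwise non-public. The allowlist contents are hypothetical, and the resolver is injectable so the logic can be exercised without network access.

```python
# Added example (not from the original page): validate a user-supplied URL before
# the server fetches it. Allowlist values are hypothetical; the resolver is
# injectable so the check runs offline.
import ipaddress
import socket
from typing import Callable, Tuple
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"https"}                 # assumption: only TLS endpoints
ALLOWED_HOSTS = {"api.example.test"}        # assumption: one partner API


def is_public_ip(ip_str: str) -> bool:
    """True only for globally routable unicast addresses (v4 or v6)."""
    ip = ipaddress.ip_address(ip_str)
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def validate_outbound_url(
    url: str,
    resolver: Callable[[str], str] = socket.gethostbyname,
) -> Tuple[bool, str]:
    """Return (ok, reason_or_ip). Every branch that fails returns ok=False."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parsed.username or parsed.password:
        return False, "credentials in URL"  # "host@real-target" confusion tricks
    host = parsed.hostname
    if not host or host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    try:
        ip = resolver(host)
    except OSError:
        return False, "resolution failed"
    # Check the resolved address too: an allowlisted name could point inward.
    if not is_public_ip(ip):
        return False, "resolves to non-public address"
    return True, ip


def fake_public_resolver(host: str) -> str:
    """Constructed stand-in for DNS; returns a documentation-range public address."""
    return "93.184.216.34"
```

Returning the resolved IP is deliberate: the fetch should connect to that exact address (and disable redirects, or re-run this check on each redirect target), because re-resolving at connect time reopens the window for the name to change between check and use.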