- Introduction
- Vulnerabilities
- Introduction
- Collect Information
- Source code with sensitive information
- Use of software with known vulnerabilities
- Sensitive information sent insecurely
- Administrative credentials stored in cache memory
- Non-encrypted confidential information
- Use of an insecure channel
- Call interception
- User enumeration
- Insecure temporary files
- Sensitive information sent via URL parameters
- ViewState not encrypted
- Technical information leak
- Business information leak
- Exposed web services
- Missing secure obfuscation
- Automatic information enumeration
- Insecure encryption algorithm
- Exposed administrative services
- Sensitive information stored in logs
- Weak CAPTCHA
- Insecurely deleted files
- Sensitive data stored in client-side storage
- XS-Leaks
- Metadata with sensitive information
- Directory Listing
- Inject Unexpected
- SQL injection
- Remote command execution
- Reflected cross-site scripting (XSS)
- Stored cross-site scripting (XSS)
- XPath Injection
- HTML code injection
- Lack of data validation
- XML Injection (XXE)
- Code injection (CSV)
- Insecure deserialization
- Apache Lucene query injection
- NoSQL injection
- LDAP injection
- HTTP Parameter Pollution
- Deceptive Interactions
- Abuse Functionality
- Asymmetric denial of service
- Symmetric denial of service
- Insecure functionality
- Password change without identity check
- Lack of root detection
- Insecure service configuration
- Debugging enabled in production
- Insecure exceptions
- Errors without traceability
- Traceability loss
- Cached form fields
- Improper resource allocation
- Inappropriate coding practices
- Duplicate code
- Conditional statement without a default option
- Commented-out code
- Non-upgradable dependencies
- Account lockout
- Privacy violation
- Hidden fields manipulation
- Lack of protection against deletion
- Email uniqueness not properly verified
- Improper control of interaction frequency
- HTTP request smuggling
- Improper type assignation
- Unverifiable files
- Regulation infringement
- Improper dependency pinning
- Email Flooding
- Race condition
- Probabilistic Techniques
- Subvert Access
- Privilege escalation
- Authentication mechanism absence or evasion
- Cross-site request forgery
- Insecure object reference
- Improper authentication for shared folders
- Unrestricted access between network segments
- Insecure file upload
- Excessive privileges
- Improper authorization control for web services
- Insecurely generated cookies
- Insecure digital certificates
- Cracked weak credentials
- Anonymous connection
- Concurrent sessions
- Insecure session expiration time
- Unauthorized access to files
- Insecure session management
- Lack of multi-factor authentication
- Security controls bypass
- Lack of isolation methods
- Manipulate Data
- Manipulate System
- Protocol Manipulation
- Requirements
- Introduction
- Credentials
- Set a password regeneration mechanism
- Store hashed passwords
- Define unique data source
- Validate previous passwords
- Limit password lifespan
- Deny multiple password changing attempts
- Passphrases with at least 4 words
- Passwords with at least 20 characters
- Store passwords with salt
- Passwords with random salt
- Force temporary password change
- Change temporary passwords of third parties
- Define lifespan for temporary passwords
- Set minimum OTP length
- Define OTP lifespan
- Force re-authentication
- Change system default credentials
- Unique access credentials
- Remove inactive accounts periodically
- Prevent the use of breached passwords
- Store salt values separately
- Invalidate previous OTPs
- Notify upcoming expiration dates
- Proper generation of temporary passwords
- Define a password management tool
- Authentication
- Validate credential ownership
- Out of band transactions
- Proper authentication responses
- Avoid account lockouts
- Display access notification
- Authenticate using standard protocols
- Request access credentials
- Implement a biometric verification component
- Require equipment identity
- Define credential interface
- Establish authentication time
- Ascertain human interaction
- Establish safe recovery
- Request authentication
- Make authentication options equally secure
- Request MFA for critical systems
- Avoid knowledge-based authentication
- Define out of band token lifespan
- Assign MFA mechanisms to a single account
- Use of indistinguishable response time
- Authorization
- Session
- Terminate inactive user sessions
- Transfer information using session objects
- Manage concurrent sessions
- Encrypt client-side session information
- Allow session lockout
- Allow users to log out
- Cookies with security attributes
- Avoid object reutilization
- Discard user session data
- Avoid session ID leakages
- Use stateless session tokens
- Set a maximum lifetime in sessions
- Legal
- Privacy
- Specify the purpose of data collection
- Request user consent
- Demonstrate user consent
- Allow user consent revocation
- Inform inability to identify users
- Provide processing confirmation
- Provide processed data information
- Allow rectification requests
- Allow erasure requests
- Notify third parties of changes
- Respect the Do Not Track header
- Remove unnecessary sensitive information
- Data
- Restrict system objects
- Avoid caching and temporary files
- Use digital signatures
- Use mock data
- Transmit data using secure protocols
- Delete sensitive data securely
- Obfuscate application data
- Encrypt sensitive information
- Mask sensitive data
- Notify configuration changes
- Prioritize token usage
- Avoid deserializing untrusted data
- Keep client-side storage without sensitive data
- Avoid exposing technical information
- Remove sensitive data from client-side applications
- Source
- Reuse database connections
- Eliminate backdoors
- Application free of malicious code
- Source code without sensitive information
- Use the strict mode
- Use a secure programming language
- Obfuscate code
- Encode system outputs
- Define secure default options
- Avoid duplicate code
- Use optimized structures
- Close unused resources
- Initialize variables explicitly
- Use parameterized queries
- Remove commented-out code
- Encrypt connection strings
- Discard unsafe inputs
- Transactions without a distinguishable pattern
- Protect pages from clickjacking
- Declare dependencies explicitly
- Exclude unverifiable files
- Make critical logic flows thread safe
- Validate request parameters
- Avoid dynamic code execution
- Establish protections against overflows
- Avoid using generic exceptions
- Associate type to variables
- Keep low McCabe ciclomatic complexity
- Use of absolute paths
- System
- Files
- Do not deploy temporary files
- Parameters without sensitive data
- Define maximum file size
- Compare file format and extension
- Scan files for malicious code
- Validate file format
- Define an explicit content type
- Define an explicit charset
- Remove metadata when sharing files
- Manage the integrity of critical files
- Avoid storing sensitive files in the web root
- Use octet stream downloads
- Logs
- Record exceptional events in logs
- Avoid disclosing technical information
- Disable debugging events
- Record exact occurrence time of events
- Prevent log modification
- Avoid logging sensitive data
- Allow transaction history queries
- Allow session history queries
- Avoid excessive logging
- Register severity level
- Store logs based on valid regulation
- Use of log management system
- Emails
- Services
- Certificates
- Cryptography
- Protect system cryptographic keys
- Remove cryptographic keys from RAM
- Use pre-existent mechanisms
- Set minimum size of asymmetric encryption
- Set minimum size of symmetric encryption
- Set minimum size for hash functions
- Separate keys for encryption and signatures
- Uniform distribution in random numbers
- Use secure cryptographic mechanisms
- Disable insecure TLS versions
- Implement perfect forward secrecy
- Use initialization vectors once
- Assign unique keys to each device
- Replace cryptographic keys
- Use OAEP padding with RSA
- Use GCM Padding with AES
- Proper Use of Initialization Vector (IV)
- Architecture
- Components with minimal dependencies
- Control calls to interpreted code
- Store source code in a repository
- Define standard configurations
- Set maximum response time
- Disable insecure functionalities
- Avoid client-side control enforcement
- Control redirects
- Protect WSDL files
- Set a rate limit
- Use consistent encoding
- Include HTTP security headers
- Serve files with specific extensions
- Networks
- Hide SSID on private networks
- SSID without dictionary words
- Locate access points
- Manage access points
- Change access point IP
- Configure key encryption
- Restrict network access
- Change SSID name
- Allow access only to the necessary ports
- Access based on user credentials
- Filter website content
- Segment the organization network
- Verify sub-domain names
- Virtualization
- Devices
- Social
- Compliance