Web apps and attack principles
GET vs POST
- GET parameters are carried in the URL (the query string)
- POST parameters are carried in the request body, not in the URL
- Both are encrypted in transit when HTTPS is used
- GET parameters are less secure: the URL is kept in browser history and in server access logs
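To make the last point concrete, here is a small added example (not part of the original notes) that builds a GET and a POST request with the same parameters, writes the request line into a Common Log Format access-log entry the way a typical web server does, and then shows which parameters can be recovered from that log line. The client address, timestamp and parameter values are constructed sample data.

```python
"""
Added example: where do GET and POST parameters end up in a server's access log?
Standard library only; the log format mimics the Common Log Format (request line
only, no body), which is what most web servers record by default.
"""
from urllib.parse import urlencode, urlparse, parse_qs


def build_request(method: str, path: str, params: dict) -> tuple[str, str]:
    """Return (request_line, body) as an HTTP/1.1 client would send them.

    GET puts the parameters in the request target (query string);
    POST puts the same parameters in the body and leaves the target bare.
    """
    encoded = urlencode(params)
    if method.upper() == "GET":
        return f"GET {path}?{encoded} HTTP/1.1", ""
    return f"POST {path} HTTP/1.1", encoded


def access_log_entry(request_line: str, status: int = 200) -> str:
    """Mimic one Common Log Format line: the server logs the request line, not the body.

    Client IP and timestamp are constructed sample values.
    """
    return f'203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "{request_line}" {status} 512'


def leaked_params(log_line: str) -> dict:
    """Recover every query parameter that an attacker reading this log line would see."""
    request_line = log_line.split('"')[1]          # text between the quotes
    target = request_line.split(" ")[1]             # e.g. /login?user=alice
    query = urlparse(target).query
    return {key: values[0] for key, values in parse_qs(query).items()}


if __name__ == "__main__":
    # Constructed sample parameters; "token" stands in for any secret value.
    params = {"user": "alice", "token": "s3cr3t"}
    for method in ("GET", "POST"):
        line, body = build_request(method, "/login", params)
        entry = access_log_entry(line)
        print(f"{method}: log entry  -> {entry}")
        print(f"{method}: body       -> {body!r}")
        print(f"{method}: leaked     -> {leaked_params(entry)}")
```

Running it shows the GET log entry exposing both `user` and `token`, while the POST entry exposes neither (the secret is in the body, which the log never saw). The same logic applies to browser history and to any proxy that records request lines, which is why secrets belong in a POST body or a header rather than in the query string, whether or not HTTPS is in use.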
OWASP Top 10 (2017 edition; bracketed notes show the change from the 2013 list)
- Injection
- Broken Authentication
- Sensitive Data Exposure [NEW]
- XML External Entities (XXE) [NEW!]
- Broken Access Control
- Security Misconfiguration [Down from #5, still high enough]
- Cross-Site Scripting (XSS) [Down from #3]
- Insecure Deserialization [NEW!]
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring [NEW and interesting]
Advanced tracking