Web apps and attack principles

GET vs POST

OWASP Top 10 attacks

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure [NEW]
  4. XML External Entities (XXE) [NEW!]
  5. Broken Access Control
  6. Security Misconfiguration [Down from #5, still high enough]
  7. Cross-Site Scripting (XSS) [Down from #3]
  8. Insecure Deserialization [NEW!]
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging & Monitoring [NEW and interesting]

Advanced tracking