Page 28 - GiGW3

4.  Focus areas

4.3.1  Risks associated with non-conformity with security guidelines

S1. Malicious users can deface the website.
S2. Any harmful actor may gain access to confidential information.
S3. The availability of the website/app can be hampered.
S4. The malicious user may change/modify the content on the website.
S5. Security failures typically lead to unauthorised information disclosure, modification, or destruction of all data, or to performing a business function outside the user's limits.
S6. A file upload flaw allows an attacker to retrieve the password database. The security of web applications determines the protection needs of data in transit and at rest. Attackers can steal such information; for example, passwords, credit card numbers, health records, personal information and business secrets require extra protection, mainly if that data falls under privacy laws, the Personal Data Protection Bill, etc.
S7. An attacker monitors network traffic (e.g., at an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above, they could alter all transported data, e.g., the recipient of a money transfer.
S8. Almost any source of data can be an injection vector: environment variables, parameters, external and internal web services, and all types of users. Injection flaws occur when an attacker can send hostile data to an interpreter.
S9. Attackers have to gain access to only a few accounts, or just one admin account, to compromise the system. Depending on the domain of the application, this may allow money laundering, social security fraud and identity theft, or disclose legally protected, highly sensitive information.
S10. Security flaws can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks. The business impact depends on the protection needs of all affected applications and data.
S11. Attackers acting as users or administrators, or users using privileged functions, can create, access, update or delete every record.
S12. Security misconfiguration frequently gives attackers unauthorised access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.
S13. The impact of XSS is moderate for reflected and DOM XSS and severe for stored XSS, with remote code execution in the victim's browser, such as stealing credentials or sessions, or delivering malware to the victim.
S14. While some known vulnerabilities lead to only minor impacts, some of the largest breaches to date have relied on exploiting known vulnerabilities in components.
S15. Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of a successful exploit to nearly 100%.
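The downgrade-and-replay scenario in S7 is countered on the server side by the Strict-Transport-Security (HSTS) header and by the Secure, HttpOnly and SameSite attributes on the session cookie. The checker below is an added example, not part of GiGW3; it reports which of those defences a response's headers lack. The two header sets are constructed samples, the cookie name "sessionid" and the one-year minimum max-age are assumed policy values.

```python
# Added example (not part of GiGW3): checks the response headers that defend
# against the S7 scenario (HTTPS-to-HTTP downgrade, then session-cookie theft
# and replay). Samples are constructed; the one-year HSTS minimum is assumed.
MIN_HSTS_MAX_AGE = 31536000  # seconds

def hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, or None if absent."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().strip('"').isdigit():
            return int(arg.strip().strip('"'))
    return None

def cookie_attrs(value):
    """Split a Set-Cookie value into (cookie name, {lowercase attribute: argument})."""
    name, *rest = [p.strip() for p in value.split(";")]
    attrs = {k.strip().lower(): a.strip() for k, _, a in (p.partition("=") for p in rest)}
    return name.partition("=")[0].strip(), attrs

def check_transport_and_cookies(headers, session_cookies=("sessionid",)):
    """headers: list of (name, value) pairs from one response; returns a list of findings."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no HSTS header: a browser may accept a downgrade to HTTP")
    elif (hsts_max_age(hsts[0]) or 0) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age below %d seconds" % MIN_HSTS_MAX_AGE)
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = cookie_attrs(v)
        if name.lower() not in session_cookies:
            continue  # only session cookies are judged here
        if "secure" not in attrs:
            findings.append("%s lacks Secure: sent in clear over HTTP" % name)
        if "httponly" not in attrs:
            findings.append("%s lacks HttpOnly: readable by injected script" % name)
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append("%s lacks SameSite=Lax/Strict" % name)
    return findings

# Constructed samples: a weak configuration and its hardened form.
WEAK = [("Content-Type", "text/html"), ("Set-Cookie", "sessionid=abc123; Path=/")]
HARDENED = [("Content-Type", "text/html"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]
```

Running check_transport_and_cookies on WEAK yields four findings (missing HSTS, Secure, HttpOnly and SameSite); on HARDENED it yields none.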





