Page 28 - GiGW3
4. Focus areas
4.3.1 Risks associated with non-conformity with security guidelines
S1. Malicious users can deface the website.
S2. Any harmful actor may get access to confidential information.
S3. The availability of the website/app can be hampered.
S4. The malicious user may change/modify the content on the website.
S5. Security failures typically lead to unauthorised information disclosure, modification, or destruction of all data, or to performing a business function outside the user's limits.
S6. A file upload flaw allows an attacker to retrieve the password database. The security of web applications determines the protection needs of data in transit and at rest. Attackers can steal such information; for example, passwords, credit card numbers, health records, personal information and business secrets require extra protection, mainly if that data falls under privacy laws, the Personal Data Protection Bill, etc.
S7. An attacker monitors network traffic (e.g., on an insecure wireless network), downgrades connections from HTTPS to HTTP, intercepts requests and steals the user's session cookie. The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above, they could alter all transported data, e.g., the recipient of a money transfer.
S8. Almost any source of data can be an injection vector: environment variables, parameters, external and internal web services and all types of users. Injection flaws occur when an attacker can send hostile data to an interpreter.
S9. Attackers have to gain access to only a few accounts, or just one admin account, to compromise the system. Depending on the domain of the application, this may allow money laundering, social security fraud and identity theft, or disclose legally protected, highly sensitive information.
S10. Security flaws can be used to extract data, execute a remote request from the server, scan internal systems, perform a denial-of-service attack, as well as execute other attacks. The business impact depends on the protection needs of all affected applications and data.
S11. Attackers acting as users or administrators, or users using privileged functions, can create, access, update or delete every record.
S12. Security misconfiguration frequently gives attackers unauthorised access to some system data or functionality. Occasionally, such flaws result in a complete system compromise.
S13. The impact of XSS is moderate for reflected and DOM XSS and severe for stored XSS, with remote code execution in the victim's browser, such as stealing credentials or sessions, or delivering malware to the victim.
S14. While some known vulnerabilities lead to only minor impacts, some of the largest breaches to date have relied on exploiting known vulnerabilities in components.
S15. Most successful attacks start with vulnerability probing. Allowing such probes to continue can raise the likelihood of a successful exploit to nearly 100%.
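The downgrade-and-replay scenario in S7 is defeated by two server-side settings: a Strict-Transport-Security header, so the browser refuses to fall back to plain HTTP, and the Secure, HttpOnly and SameSite attributes on the session cookie, so the cookie is neither sent in clear nor readable by injected script. The following Python check is an added example and is not part of the GiGW3 text; the header sets, the cookie name list and the pass/fail rules are constructed assumptions for illustration.

```python
"""Audit response headers for the protections that counter the S7 scenario
(HTTPS downgrade, session cookie theft and replay). Added example; the
sample header sets below are constructed, not captured from any real site."""
from typing import Dict, List

# Assumed names under which common frameworks issue the session cookie.
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}


def parse_set_cookie(value: str) -> Dict[str, str]:
    """Split one Set-Cookie value into the cookie name plus lower-cased attributes.
    Flag attributes such as Secure appear as keys with an empty value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name, **attrs}


def hsts_max_age(value: str) -> int:
    """Return the max-age of a Strict-Transport-Security value, or -1 if absent."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return -1


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}

    # Transport: without HSTS the browser will still honour an http:// link.
    hsts_values = lower.get("strict-transport-security", [])
    if not hsts_values:
        findings.append("no Strict-Transport-Security header: plain HTTP still accepted")
    elif hsts_max_age(hsts_values[0]) <= 0:
        findings.append("Strict-Transport-Security max-age missing or zero")

    # Session cookie: the S7 attacker needs it on the wire or in script reach.
    for raw in lower.get("set-cookie", []):
        cookie = parse_set_cookie(raw)
        if cookie["name"].lower() not in SESSION_COOKIE_NAMES:
            continue
        if "secure" not in cookie:
            findings.append(f"{cookie['name']}: missing Secure, cookie is sent over HTTP")
        if "httponly" not in cookie:
            findings.append(f"{cookie['name']}: missing HttpOnly, readable by script")
        if cookie.get("samesite", "").lower() not in {"lax", "strict"}:
            findings.append(f"{cookie['name']}: SameSite not Lax/Strict")
    return findings


# Constructed sample header sets: a weak configuration and a hardened one.
WEAK_HEADERS = {"Set-Cookie": ["sessionid=abc123; Path=/"]}
HARDENED_HEADERS = {
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Set-Cookie": ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or ["all checks passed"])
```

The check reads headers already fetched by whatever client is in use; it does not contact any server itself, so it can be run over stored responses from a test environment.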
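S8 and S13 describe the same underlying defect from two sides: untrusted data handed to an interpreter (a SQL engine in S8, the browser's HTML parser in S13) without being separated from the instructions. The following Python example is added here and is not part of the GiGW3 text; it places each vulnerable form beside its fixed form, using a parameterised query for SQL and output encoding for HTML. The in-memory table, the user names and the test inputs are constructed for illustration.

```python
"""Hostile data reaching an interpreter (S8) and the browser (S13), beside the
fixed forms. Added example; the table contents and inputs are constructed."""
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Untrusted input is spliced into the SQL text, so the engine parses it as SQL."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterised query: the value is bound separately and never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Untrusted input placed into HTML unencoded: the browser parses any markup in it."""
    return f"<p>Welcome, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Output encoding: markup characters become entities, so the browser shows text."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    hostile_sql = "x' OR '1'='1"          # textbook tautology used for the demonstration
    hostile_html = "<script>alert(1)</script>"
    print("vulnerable query:", find_user_vulnerable(db, hostile_sql))  # every row
    print("safe query:      ", find_user_safe(db, hostile_sql))        # no rows
    print(render_greeting_vulnerable(hostile_html))
    print(render_greeting_safe(hostile_html))
```

The same input behaves differently only because of where it is placed: bound as a parameter or encoded for the output context, it is data; concatenated into the instruction text, it is code.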