Describe some common vulnerabilities listed in the OWASP IoT Top 10!
Weak, Guessable, or Hardcoded Passwords (I01): Devices use default or easy-to-guess passwords (e.g., "admin/admin"), making them easy targets for brute-force attacks.
Insecure Data Transfer and Storage (I07): Sensitive data (credentials, keys, personal data) is stored on the device or sent over the network without encryption or access control, so it can be read from flash, sniffed in transit, or pulled from the cloud backend.
Lack of Secure Update Mechanism (I04): Devices accept firmware without verifying its signature, fetch it over unencrypted channels, or allow rollback to older versions, so an attacker on the update path can install malicious or known-vulnerable firmware.
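The update check that I04 is about, as an added example (not from the OWASP project or from this page): a device receives a firmware image plus a manifest and must authenticate the manifest, bind it to the bytes it actually received, and refuse a downgrade. Everything here is constructed: the key, the version numbers and the "firmware" byte strings are not real device material. A real device would verify an asymmetric signature (e.g. Ed25519) against a public key fixed in the bootloader; HMAC-SHA256 is used only so the example runs on the standard library, and with a symmetric key anyone who dumps the device's flash can forge updates.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed for this example: not a real provisioning key or firmware version.
# Production devices verify an asymmetric signature (e.g. Ed25519) with a public
# key in the bootloader; HMAC is a stand-in so the example runs with stdlib only.
DEVICE_UPDATE_KEY = b"constructed-provisioning-key-not-real"
INSTALLED_VERSION = 7  # hypothetical current firmware version in protected storage


def build_manifest(image: bytes, version: int, key: bytes) -> dict:
    """Vendor side (constructed helper): describe the image and authenticate the description."""
    body = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    serialized = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, serialized, hashlib.sha256).hexdigest()}


def apply_update_insecure(image: bytes, manifest: dict) -> str:
    """I04 pattern: installs whatever arrives. Anyone on the update path
    (a spoofed server over plain HTTP, a man-in-the-middle) gets their image installed."""
    return "installed version %s" % manifest["body"]["version"]


def verify_update(image: bytes, manifest: dict, key: bytes, installed_version: int) -> Tuple[bool, str]:
    """Hardened check: authenticate the manifest, bind it to the received bytes,
    and refuse rollback to an older (possibly vulnerable) version."""
    body = manifest.get("body", {})
    serialized = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, serialized, hashlib.sha256).hexdigest()
    # 1. Authenticate the manifest with a constant-time comparison.
    if not hmac.compare_digest(expected, str(manifest.get("sig", ""))):
        return False, "manifest signature invalid"
    # 2. Bind the manifest to the image actually received.
    if hashlib.sha256(image).hexdigest() != body.get("sha256"):
        return False, "image digest mismatch"
    # 3. Anti-rollback: a correctly signed but older image may carry known bugs.
    version = body.get("version")
    if not isinstance(version, int) or version <= installed_version:
        return False, "version not newer than installed"
    return True, "ok, version %d" % version


# Constructed test material: a genuine v8, a genuine but older v6, and an attacker's image.
GENUINE_IMAGE = b"\x7fELF constructed firmware v8"
GENUINE_MANIFEST = build_manifest(GENUINE_IMAGE, 8, DEVICE_UPDATE_KEY)
OLD_IMAGE = b"\x7fELF constructed firmware v6"
OLD_MANIFEST = build_manifest(OLD_IMAGE, 6, DEVICE_UPDATE_KEY)   # validly signed downgrade
EVIL_IMAGE = b"\x7fELF constructed backdoored firmware"
EVIL_MANIFEST = build_manifest(EVIL_IMAGE, 9, b"attacker-key")   # attacker lacks the key


if __name__ == "__main__":
    print(apply_update_insecure(EVIL_IMAGE, EVIL_MANIFEST))  # the insecure device installs it
    for name, img, man in [("genuine", GENUINE_IMAGE, GENUINE_MANIFEST),
                           ("rollback", OLD_IMAGE, OLD_MANIFEST),
                           ("forged", EVIL_IMAGE, EVIL_MANIFEST),
                           ("tampered", EVIL_IMAGE, GENUINE_MANIFEST)]:
        print(name, verify_update(img, man, DEVICE_UPDATE_KEY, INSTALLED_VERSION))
```

The order of the checks matters: the signature is verified before anything in the manifest is trusted, the digest ties the signed metadata to the bytes on disk, and the version comparison closes the replay of an old, validly signed image. Transport encryption (TLS) protects the download but is not a substitute for signing, since the server or its CDN could still be compromised.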
Describe some common vulnerabilities listed in the OWASP API Security Top 10!
Broken Object Level Authorization (API1): APIs fail to check if a user has permission to access specific data (e.g., accessing another user’s account by tampering with an ID in the URL).
Unrestricted Resource Consumption (API4): APIs do not limit request rate, payload size, or the number of records returned, so an attacker can exhaust CPU, memory, or bandwidth (denial of service) or run up the bill on metered backends (e.g., SMS or email sending).
Server-Side Request Forgery (SSRF) (API7): An API fetches a URL supplied by the client without validating it, so an attacker can make the server reach internal systems that the attacker cannot reach directly (e.g., the cloud metadata endpoint that hands out credentials).
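The API1 and API7 items above, as an added example (not code from OWASP or from this page): a vulnerable account lookup beside one with object-level authorization, and a guard for a "fetch this URL" feature that rejects internal targets. The account table and the hostname-to-address mapping are constructed so the example runs offline; the address 169.254.169.254 is the link-local address used by cloud metadata services.

```python
import ipaddress
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed in-memory "database" standing in for the API's backend.
ACCOUNTS = {
    101: {"owner": "alice", "balance": 2500},
    102: {"owner": "bob", "balance": 40},
}


def get_account_vulnerable(session_user: str, account_id: int) -> Optional[dict]:
    """API1 pattern: the caller is authenticated, but nothing ties the requested
    object to the caller. bob asks for /accounts/101 and reads alice's balance."""
    return ACCOUNTS.get(account_id)


def get_account(session_user: str, account_id: int) -> Optional[dict]:
    """Object-level authorization: every lookup is scoped to the caller. An ID that
    exists but belongs to someone else gets the same answer as one that does not
    exist, so the endpoint is not an enumeration oracle either."""
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        return None
    return account


# Constructed stand-in for DNS so the example runs offline. In production, resolve
# with the same resolver the HTTP client uses and check every returned address.
FAKE_DNS = {
    "api.partner.example": "93.184.216.34",   # an ordinary public address
    "metadata.internal": "169.254.169.254",   # link-local: cloud metadata service
}


def is_safe_fetch_target(url: str, resolve: Callable[[str], Optional[str]] = FAKE_DNS.get) -> bool:
    """API7 guard: only http(s), and the address the host resolves to must be
    globally routable. Loopback, RFC 1918, link-local (169.254.169.254) and their
    IPv6 equivalents are rejected on the resolved address, so a hostname that
    points at an internal service fails too, not just a literal internal IP."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addr = ipaddress.ip_address(host)          # URL carried a literal IP
    except ValueError:
        resolved = resolve(host)
        if resolved is None:
            return False                           # unknown host: fail closed
        addr = ipaddress.ip_address(resolved)
    return addr.is_global


if __name__ == "__main__":
    print("vulnerable:", get_account_vulnerable("bob", 101))   # alice's data
    print("fixed:     ", get_account("bob", 101))              # None
    for u in ["https://api.partner.example/v1/ping",
              "http://169.254.169.254/latest/meta-data/",
              "http://metadata.internal/",
              "http://127.0.0.1:8080/admin",
              "file:///etc/passwd"]:
        print(is_safe_fetch_target(u), u)
```

Two caveats a practitioner would add: the address must be checked at the moment of connection (a hostname can resolve to a public address during the check and to an internal one a second later, DNS rebinding), and the fetch must not follow redirects blindly, because a redirect to an internal address bypasses a check done only on the original URL.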
Describe some common vulnerabilities listed in the OWASP Web Application Top 10!
Broken Access Control (A01): Users can perform actions outside their permissions (e.g., viewing another user’s private files).
Injection (A03): Untrusted data (e.g., user input) is concatenated into a query or command and interpreted as SQL, OS command, or LDAP syntax, letting an attacker read or modify data or run commands on the server.
Security Misconfiguration (A05): Servers or apps use default settings, unnecessary features, or overly permissive access rights (e.g., leaving debug mode enabled).
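The A03 entry above worked through in code, as an added example (not from OWASP or from this page): a login-style lookup that splices the username into the SQL text, beside the parameterized version, run against a constructed in-memory SQLite table with placeholder password hashes. The two attacker inputs are constructed too: a tautology that matches every row and a UNION that pulls a column the endpoint was never meant to return.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the hashes are placeholder strings, not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-alice"), ("bob", "hash-bob"), ("admin", "hash-admin")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """A03 pattern: the input is spliced into the statement text, so quote
    characters in it change the structure of the query."""
    query = "SELECT id, username FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Parameterized query: the value travels separately from the statement and
    is never parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"                                     # WHERE clause becomes always-true
UNION_LEAK = "' UNION SELECT id, password_hash FROM users--"   # appends a second SELECT; -- comments out the trailing quote


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:   ", find_user_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union:       ", find_user_vulnerable(db, UNION_LEAK))
    print("parameterized, tautology:", find_user(db, TAUTOLOGY))
    print("parameterized, alice:    ", find_user(db, "alice"))
```

The parameterized form is the fix, not escaping: escaping has to be correct for every dialect and every context (string, number, identifier), while a bound parameter can never be parsed as SQL. Where a table or column name must come from input, validate it against an allowlist, since parameters cannot be used for identifiers.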
Describe some common vulnerabilities listed in the CWE/SANS Top 25!
Out-of-bounds Write (CWE-787): Software writes data past the end (or before the start) of a buffer, corrupting adjacent memory; this can crash the program or let an attacker overwrite control data and execute arbitrary code.
Out-of-bounds Read (CWE-125): Software reads data past the end of a buffer, disclosing whatever sits in adjacent memory (keys, pointers, other users' data); in C/C++ this is undefined behaviour.
Improper Input Validation (CWE-20): Software uses input without checking that it has the expected type, length, or range (e.g., a length field from the network used to index a buffer), which is the root cause behind many of the other entries.