Security

Frontend (FE)

Type	Definition	Impact	Prevention
Clickjacking	Manipulating a website user's interaction by hiding clickable elements behind opaque layers	Trick users into performing undesired actions, potentially leading to sensitive data exposure	Implement X-Frame-Options HTTP response header. Use framebusting scripts

FE + BE

Type	Definition	Impact	Prevention
Injection Flaws	Occur when untrusted data is sent to an interpreter as part of a command or query	Data loss, corruption, or disclosure to unauthorized parties Denial of service Full host takeover	Use prepared statements with parameterized queries, use safe API which avoids the use of interpreter entirely or provides a parameterized interface
Cross-Site Scripting (XSS)	Injecting malicious scripts into web pages viewed by other users Types Reflected XSS: malicious script comes from the current HTTP request (https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>) Stored XSS: malicious script comes from the website's database (<p><script>/* Bad stuff here... */</script></p>) DOM-based XSS: vulnerability exists in client-side code rather than server-side code (You searched for: <img src=1 onerror='/* Bad stuff here... */'>)	Steal sensitive data like login credentials, personal data, or credit card details Hijack an account Spread web worms Access browser history and clipboard contents Control the browser remotely Scan and exploit intranet appliances and applications	Validate, sanitize, and escape user inputs Filter input on arrival Encode data on output Use appropriate response headers Implement Content Security Policy It's HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from disable inline JavaScript (either reflected or stored – means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript)
Cross-Site Request Forgery (CSRF)	An attacker tricks a victim into performing actions on their behalf on a web application	Unauthorized actions performed on a user's behalf, potentially leading to data loss or account takeover	Use unique CSRF Tokens Use anti-CSRF tokens in forms Validate Request Origin (Origin and Referer headers) Secure cookies (Session Hijacking) Set Expires and Max-Age Secure: Ensures that the cookie will only be sent if the request is made over a secure (HTTPS) connection (prevents man-in-the-middle attacks) HttpOnly: Prevents JavaScript from having access to the cookie (prevents XSS attacks) SameSite: Can be set to only send cookies if the request origin matches the target domain (prevents CSRF attacks) Cross-Origin Resource Sharing (CORS) allows servers to specify who (i.e., which origins) can access the assets on the server Set Access-Control-Allow-Origin header Use HTTPS (SSL) connection Setup Root SSL certificate that is trusted certificate authority (CA)
Security Misconfiguration	Inadequate default security configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information	Unauthorized access to sensitive data, or functionality that can compromise the entire system	Regular security hardening of your servers, applications, and databases
Insecure Direct Object References (IDOR)	When a web application exposes a reference to an internal implementation object	Unauthorized data access or manipulation	Implement proper access control checks Avoid exposing direct object references to users
Unvalidated Redirects and Forwards	Web applications often redirect and forward users to other pages and websites, and use untrusted data to determine the destination	Phishing attacks, forcing users to perform undesired actions or download malicious software	Avoid using user-supplied input to determine the destination of redirects and forwards Validate the destination of redirects and forwards before allowing them to take place
Components with Known Vulnerabilities	Using software libraries or components with known vulnerabilities	Serious data loss Server takeover	Regularly update and patch all components used in the application

Backend (BE)

Type	Definition	Impact	Prevention
Broken Authentication	When session management is not properly implemented, allowing attackers to compromise passwords, keys or session tokens	Unauthorized access to accounts and data	Multi-factor authentication Session timeout Password complexity rules
Sensitive Data Exposure	When an application does not adequately protect sensitive information	Credit card fraud, identity theft, and other serious crimes	Encrypt sensitive data Disable caching for sensitive data and use secure cookies

Database (DB)

Type	Definition	Impact	Prevention
SQL Injection	Technique where an attacker can inject SQL queries into an application to manipulate a database	Unauthorized access Data corruption or loss Expose sensitive information	Use prepared statements Use parameterized queries Apply least privilege principle Validate and sanitize user input Use deny/allow list validation
Inadequate Authentication/Authorization	Absence or poor implementation of user authentication or authorization process	Unauthorized access to sensitive data or critical functionalities	Implement strong authentication and authorization mechanisms Multi-factor authentication
Unencrypted Data	Storing sensitive data in plain text	Data breaches, exposing sensitive user or system information	Always encrypt sensitive data Use secure hashing algorithms Use secure protocols for data transfer
Data Leakage	Unintended transfer or exposure of data from within an organization to an external or untrusted destination	Financial losses, damage to brand reputation, legal penalties	Implement data loss prevention (DLP) solutions Regular security audits Use strong encryption
Insecure Database Configuration	Default or weak database configurations that can be easily exploited by attackers	Unauthorized access Data theft, loss, manipulation System instability	Regularly review and update database configurations Disable unnecessary features Secure database accounts
Database Vulnerabilities	Weaknesses or flaws in a database system that can be exploited	Unauthorized access Data theft, loss, manipulation System instability	Regularly update and patch database systems Perform vulnerability assessments and penetration testing
Lack of Backup and Recovery Plan	Failure to regularly backup data and lack of a plan for data recovery	Data loss and system downtime in the event of a disaster or data corruption	Implement regular data backup
Insecure Direct Object References (IDOR)	A vulnerability where an application exposes direct references to database records	Unauthorized access Data theft, loss, manipulation	Validate user requests Implement access control checks Use indirect object references
Excessive Privileges	Assigning more privileges to a database user than required	Unauthorized activities Data manipulation Potential system damage	Follow the principle of least privilege Regularly review user privileges

Infrastructure (Infra)

Type	Definition	Impact	Prevention
Unpatched Software	Failure to regularly update software with security patches	System vulnerable to known threats	Regularly update and patch all software
Insufficient transport layer protection	Failure to adequately secure data during transmission over networks	Leaves data vulnerable to interception and eavesdropping	Use protocols: HTTPS for web communications SSH for secure shell access VPNs for remote connections TLS encryption for email
Distributed Denial of Service (DDoS) Attack	Coordinated efforts to overwhelm a target system or network with a flood of traffic	Disrupts access to services Causing downtime Potential financial losses	Implement DDoS mitigation tools and services (e.g. CloudFlare) Utilize firewalls and intrusion detection/prevention systems to filter and block malicious traffic Distribute server load across multiple servers or utilize cloud-based DDoS protection services
Weak Passwords	Use of easily guessed or common passwords	Permits unauthorized access to systems	Implement strong password policies
Lack of Encryption	Failure to encrypt sensitive data	If data is breached, it can be easily read and used maliciously	Encrypt all sensitive data, both in transit and at REST
Poor Access Control	Failure to properly control who has access to data	Unauthorized users can access sensitive data or systems	Implement strict access control policies Regularly review and update access permissions
Phishing Attacks	Deceptive attempts to gain sensitive information	Unauthorized access Data breaches Malware infection	Use email filters to block known phishing attempts
Malware Infection	Malicious software designed to cause harm	Can damage systems Steal data Disrupt operations	Regularly update antivirus software Avoid clicking suspicious links or downloading unverified software
Social Engineering	Manipulative tactics used to trick individuals into divulging sensitive information	Unauthorized access Data breaches	Encourage a culture of security awareness
Outdated Hardware	Using old or unsupported hardware	Older hardware may have known vulnerabilities that are not patched	Regularly update and replace hardware
Lack of Incident Response Plan	Failure to have a plan in place for when a security incident occurs	Increased damage and slower recovery times	Develop and regularly update an incident response plan
Unsecured APIs	APIs that do not have proper security measures in place	Unauthorized access to systems and data	Implement API security measures such as encryption, access control, and rate limiting
Misconfigured Cloud Storage	Incorrectly configured cloud storage settings that leave data exposed	Unauthorized access Data breaches	Regularly audit and test cloud storage configurations

Password Storage

Visualization	Specs
	Store Password Avoid storing passwords in plain text to prevent unauthorized access Storing password hashes alone is vulnerable to precomputation attacks like rainbow tables Use salt to counter precomputation attacks by adding a unique, randomly generated string to each password before hashing A salt, as per OWASP, is a unique, randomly generated string added to each password during hashing Store passwords with their salt in the database by hashing the password combined with the salt
	Validate Password Validate passwords by fetching the corresponding salt from DB, appending it to the entered password, and comparing the resulting hash with the stored hash

Uniform Resources

Type	Definition	Identity Resources	Example
URI: Uniform Resource Identifier	Identifies a logical or physical resource on the web	scheme://path scheme://authority/path?query string	mailto://joe@mycompany.com ldap://2000:ac8::8/t=MB?object?process
URL: Uniform Resource Locator	URL is subtype of URI Key concept of HTTP Locates a resource Address of a unique resource on the web Can be used with other protocols	scheme://(domain name:port)authority/path to file?query string#anchor scheme: http, https, ftp, sftp, file, mailto, tel, sms, urn, data, blob, ws, wss domain name: google.com, amazon.com, apple.com, microsoft.com, usa.gov port: 80, 443, 8080 path to file: assets/image.png query string: order=asc&limit=10 anchor: initial_setup, overview, conclusion	http://(mysite.com:80)authority/path/to/file.html?product=book#docAnchor
URN: Uniform Resource Name	URN is subtype of URI Locates names and resources Uses the URN scheme Cannot be used to locate a resource	scheme://namespace/namespace specific string	urn://isbn/888

Inner Workflow

HTTPS

Visualization	Steps	Specs
	Client and server establish a TCP connection Client sends a "client hello" with encryption preferences and server responds with a "server hello" and SSL certificate Client generates a session key, encrypts it with the server's public key, and sends it. Server decrypts it with its private key Both parties use the shared session key for symmetric encryption, ensuring secure data transmission	Reasons for switching to symmetric encryption Security: Asymmetric encryption only works one way, risking decryption if data is sent back to the client Efficiency: Asymmetric encryption is resource-intensive, impractical for long sessions

Authentication Mechanisms

Overview

Credentials

JSON Web Token (JWT)

Visualization	Specs
	JWT Structure Content Header { "alg": "HS256", "type": "JWT" } Data { "user_id": 1234, } Signature: HMACSHA256("base64(header).base64(data)", secret) Encode each part using Base64: base64(header), base64(data), base64(signature) Concatenate each part using dot (.): base64(header).base64(data).base64(signature)

Oauth 2.0

Visualization

Specs

Open Authorization (OAuth): Protocol for sharing user Authorization across systems OAuth 1.0: Protocol designed only for web browser only OAuth 2.0: Protocol for cross-platform use (web, mobile, desktop, API) Involved Parties User (Resource Owner): Authorizes flows across systems Identity Provider (IdP): Stores user identity, validates credentials, and shares authorization with other services Server: Service user accesses for authorization Flow Types Authorization code: Client gets a code from server, exchanges for access token Client credentials: Client directly authenticates for access to its resources Implicit code: Deprecated due to security risks Resource owner password: User's credentials exchanged for access token, not recommended for security reasons

SSH Keys

SSL Certificates

2FA

2FA (Two-Factor Authentication)

Visualization	Specs
	Safety Secret key transmission via HTTPS Encryption of secret keys in client and database Security Password (6-digit number) has 1 million combinations Changes every 30 seconds, making it hard to guess 2FA Code Types SMS code, scratch card, mobile app Hardware token: U2F FIDO key, MFA token, digital ID Biometric system: finger/hand print, iris scan, behavior/movement tracking

2SA

2SA (Two-Step Verification)