CSRF is a security vulnerability that tricks a victim into performing unintended actions on a web application where they are authenticated. By exploiting the trust that a website places in the user’s browser, attackers can force users to execute actions without their consent or knowledge.
SQL Injection is a code injection technique that exploits a software vulnerability within the database query layer. This occurs when an application does not properly sanitise or neutralise special elements in SQL statements. Attackers craft malicious inputs to manipulate queries, gaining unauthorised access to databases or manipulating data.
At its core, XSS exploits the trust a user places in a web application. By manipulating input fields, URLs, or other interactive elements, attackers can introduce scripts that execute commands, steal sensitive information, or alter website functionality.
The term “unsafe consumption of APIs” refers to the practice where developers trust data received from third-party APIs more than they trust user input, leading to weaker security standards for the data coming from these integrated services. Typically, this occurs because third-party APIs are seen as more “trusted” than direct user input, so developers may not apply the same level of scrutiny or security measures when consuming data from these external sources.
Improper inventory management refers to the failure to adequately track and manage the lifecycle of APIs within an organisation. This includes:
– Keeping track of all deployed API versions.
– Documenting endpoints, their functions, and access control requirements.
– Managing deprecated or unused versions.
– Ensuring that sensitive or debug information is not exposed via endpoints.
– Auditing and monitoring API usage regularly.
When APIs are not properly inventoried, organisations may unknowingly expose insecure or deprecated API versions to the public. This can lead to serious security issues, as older versions may lack critical patches or expose debugging functionality that provides attackers with valuable information.