[DOCS] Add new description and reference to README.md
rafaveira3 committed Dec 27, 2018
1 parent 5f0ed88 commit 7498ea7
Showing 5 changed files with 14 additions and 15 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -14,6 +14,7 @@ These are vulnerable applications! 🔥

## OWASP Top 10 (2017) Apps

- A3 - Sensitive Data Exposure - [Insecure Go Project](owasp-top10-2017-apps/a3/insecure-go-project)
- A4 - XML External Entities (XXE) - [ViniJr Blog](owasp-top10-2017-apps/a4/vinijr-blog)
- A5 - Broken Access Control - [Vulnerable Ecommerce API](owasp-top10-2017-apps/a5/ecommerce-api)
- A6 - Security Misconfiguration - [Vulnerable Wordpress Misconfig](owasp-top10-2017-apps/a6/misconfig-wordpress)
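Review bot: the new A3 entry links to `owasp-top10-2017-apps/a3/insecure-go-project`, but this commit only touches the a4, a5, a6 and a8 READMEs, so nothing in the change shows that directory exists in the tree; confirm the path resolves before merging, since a dead link at the top of the index is the first thing a visitor will click.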
6 changes: 3 additions & 3 deletions owasp-top10-2017-apps/a4/vinijr-blog/README.md
Expand Up @@ -5,9 +5,9 @@

## What is XXE?

Definition from [OWASP](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing):
Definition from [OWASP](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf):

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

## Requirements

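Review bot: the replacement link points at the whole OWASP Top 10 2017 PDF (`.../OWASP_Top_10-2017_%28en%29.pdf.pdf`) instead of the XXE-specific wiki page it replaces, so the quoted sentence is no longer one click away from its context; if the PDF is the intended source, name the category in the lead-in (for example `Definition from [OWASP Top 10 2017, A4](...)`) so readers know where in the document to look, and double-check that the doubled `.pdf.pdf` in the URL actually resolves, because the same URL is pasted into four READMEs in this commit and a typo here is a typo in all of them.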
Expand All @@ -18,7 +18,7 @@ To build this lab you will need [Docker][Docker Install] and [Docker Compose][Do
After cloning this repository, you can type the following command to start the vulnerable application:

```sh
make install
$ make install
```

Then simply visit [localhost:10080][App] !
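Review bot: prefixing the command with `$ ` inside a ```` ```sh ```` fence makes the block non-copyable, since a reader who pastes it gets `$ make install` and a shell error; the previous form `make install` was correct for an `sh` fence. If the goal is to show a prompt, switch the fence language to `console` so renderers treat `$` as a prompt, and apply the same choice to the identical hunks in the a5, a6 and a8 READMEs.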
6 changes: 3 additions & 3 deletions owasp-top10-2017-apps/a5/ecommerce-api/README.md
Expand Up @@ -5,9 +5,9 @@

## What is Broken Access Control?

Definition from [OWASP](https://www.owasp.org/index.php/Broken_Access_Control):
Definition from [OWASP](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf):

Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. These checks are performed after authentication, and govern what ‘authorized’ users are allowed to do. Access control sounds like a simple problem but is insidiously difficult to implement correctly. A web application’s access control model is closely tied to the content and functions that the site provides. In addition, the users may fall into a number of groups or roles with different abilities or privileges.
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.

## Requirements

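Review bot: the added definition mixes a straight apostrophe in `other users' accounts` with a curly one in `other users’ data` within the same sentence; pick one form (straight quotes are the safer default for Markdown sources) so the text is consistent. As with the a4 README, the link now targets the full Top 10 PDF rather than the Broken Access Control page, so say which category the quote comes from in the lead-in.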
Expand All @@ -18,7 +18,7 @@ To build this lab you will need [Docker][Docker Install] and [Docker Compose][Do
After cloning this repository, you can type the following command to start the vulnerable application:

```sh
make install
$ make install
```

## Available routes
8 changes: 4 additions & 4 deletions owasp-top10-2017-apps/a6/misconfig-wordpress/README.md
Expand Up @@ -5,9 +5,9 @@

## What is Security Misconfiguration?

Definition from [OWASP](https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration):
Definition from [OWASP](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf):

Security misconfiguration can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage. Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy options, etc.
Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.

## Requirements

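Review bot: the definition being removed enumerated where misconfiguration can live (network services, web server, frameworks, pre-installed VMs, containers, storage), which is directly relevant to a Docker-based WordPress lab; the replacement sentence only lists symptoms (default configs, open cloud storage, verbose errors). Consider keeping one sentence about the stack layers alongside the new quote so the README still tells the learner what to look at in this lab.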
Expand All @@ -25,11 +25,11 @@ Then simply visit [localhost:8000][App] !

## Attack Narrative

(SPOILER) To understand how this vulnerability can be exploited, check this section!
To understand how this vulnerability can be exploited, check this section!

## Mitigating the vulnerability

(SPOILER) To understand how this vulnerability can be mitigated, check this other section!
To understand how this vulnerability can be mitigated, check this other section!

[Docker Install]: https://docs.docker.com/install/
[Docker Compose Install]: https://docs.docker.com/compose/install/
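Review bot: both "check this section!" sentences reference a section without linking to it or naming it, before and after this change, so the reader has nothing to follow; add an in-page anchor or a relative link to the walkthrough file. Dropping the `(SPOILER)` marker also removes the only hint that these headings reveal the solution; if the intent is to make the headings cleaner, a `<details>` block around the attack narrative and mitigation text would keep the spoiler protection without the label.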
8 changes: 3 additions & 5 deletions owasp-top10-2017-apps/a8/amarelo-designs/README.md
Expand Up @@ -5,11 +5,9 @@

## What is Insecure Deserialization?

Definition from [OWASP](https://www.owasp.org/index.php/Deserialization_of_untrusted_data):
Definition from [OWASP](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf):

Serialization is the process of turning some object into a data format that can be restored later. People often serialize objects in order to save them to storage, or to send as part of communications. Deserialization is the reverse of that process -- taking data structured from some format, and rebuilding it into an object.

However, many programming languages offer a native capability for serializing objects. These native formats usually offer more features than JSON or XML, including customizability of the serialization process. Unfortunately, the features of these native deserialization mechanisms can be repurposed for malicious effect when operating on untrusted data. Attacks against deserializers have been found to allow denial-of-service, access control, and remote code execution attacks.
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

## Requirements

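Review bot: the two paragraphs being removed are the only place this README explains what serialization and deserialization are; the replacement sentence assumes the reader already knows the terms and jumps straight to impact (remote code execution, replay, injection, privilege escalation). For a training lab, keep a short version of the first removed paragraph before the OWASP quote so the definition still stands on its own.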
Expand All @@ -20,7 +18,7 @@ To build this lab you will need [Docker][Docker Install] and [Docker Compose][Do
After cloning this repository, you can type the following command to start the vulnerable application:

```sh
make install
$ make install
```

Then simply visit [localhost:5000][App] !