scripting, SQL injection
- Authentication: eavesdropping, brute force attack, dictionary attack, cookie replay, credential theft
- Authorization: elevation of privilege, disclosure of confidential information, data tampering
- Configuration Management: unauthorized access to administration interfaces, retrieval of configuration data in clear text, lack of individual accountability
- Sensitive Information: unauthorized access to stored data
- Session Management: session hijacking, session replay, man-in-the-middle attacks
- Cryptography: poor key generation, weak encryption, improper key management practices
- Parameter Manipulation: query string manipulation, form field manipulation, cookie manipulation, HTTP header manipulation
- Exception Management: improper information disclosure, denial of service
- Auditing and Logging: user denies performing an operation, attacker exploits without a trace or covers the tracks