
OWASP 2017 TOP 10

Published: 2020-06-12 04:02:02 Source: Web Views: 1207 Author: Bruce_F5 Category: Security Technology


And how BIG-IP ASM mitigates the vulnerabilities.


| ID | Vulnerability | BIG-IP ASM Controls |
|---|---|---|
| A1 | Injection Flaws | Attack signatures; Meta character restrictions; Parameter value length restrictions |
| A2 | Broken Authentication and Session Management | Brute Force protection; Credentials Stuffing protection; Login Enforcement; Session tracking; HTTP cookie tampering protection; Session hijacking protection |
| A3 | Sensitive Data Exposure | Data Guard; Attack signatures (“Predictable Resource Location” and “Information Leakage”) |
| A4 | XML External Entities (XXE) | Attack signatures (“Other Application Attacks” - XXE); XML content profile (Disallow DTD); (Subset of API protection) |
| A5 | Broken Access Control | File types; Allowed/disallowed URLs; Login Enforcement; Session tracking; Attack signatures (“Directory traversal”) |
| A6 | Security Misconfiguration | Attack Signatures; DAST integration; Allowed Methods; HTML5 Cross-Domain Request Enforcement |
| A7 | Cross-site Scripting (XSS) | Attack signatures (“Cross Site Scripting (XSS)”); Parameter meta characters; HttpOnly cookie attribute enforcement; Parameter type definitions (such as integer) |
| A8 | Insecure Deserialization | Attack Signatures (“Server Side Code Injection”) |
| A9 | Using components with known vulnerabilities | Attack Signatures; DAST integration |
| A10 | Insufficient Logging and Monitoring | Request/response logging; Attack alarm/block logging; On-device logging and external logging to SIEM system; Event Correlation |


Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:

  • 200018018           External entity injection attempt

  • 200018030           XML External Entity (XXE) injection attempt (Content)

XXE attacks can also be mitigated with an XML profile by disabling DTDs (and, of course, enabling the “Malformed XML data” violation).
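An application-side analogue of the two controls named above (refusing any DTD and flagging malformed XML), as an added example that is not BIG-IP ASM configuration or code from the original post. The function `check_xml`, the verdict strings and the sample request bodies are assumptions constructed for illustration.

```python
# Added example (not F5 code): application-side analogue of "Disallow DTD"
# plus a malformed-XML check. All names and sample bodies are assumptions.
from xml.parsers import expat


class DTDForbidden(ValueError):
    """Raised as soon as the parser meets a DOCTYPE or entity construct."""


def check_xml(payload: bytes) -> str:
    """Classify one XML request body as 'allow', 'dtd' or 'malformed'."""
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DTDForbidden(f"entity declaration {name!r} is not allowed")

    def forbid_external(context, base, sysid, pubid):
        raise DTDForbidden(f"external reference {sysid!r} is not allowed")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    try:
        parser.Parse(payload, True)  # True: this is the final chunk
    except DTDForbidden:
        return "dtd"          # counterpart of the disallow-DTD setting
    except expat.ExpatError:
        return "malformed"    # counterpart of a malformed-XML violation
    return "allow"


# Constructed request bodies, for illustration only.
SAMPLES = {
    "clean": b'<?xml version="1.0"?><order><id>42</id></order>',
    "doctype_only": b'<!DOCTYPE order><order><id>42</id></order>',
    "external_entity": b'<!DOCTYPE order [<!ENTITY ext SYSTEM '
                       b'"https://example.invalid/placeholder">]>'
                       b'<order>&ext;</order>',
    "malformed": b'<order><id>42</order>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:16} -> {check_xml(body)}")
```

The document is rejected at the `<!DOCTYPE` declaration itself, before any entity is declared or resolved, which is why a bare DOCTYPE with no entities is refused as well.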
