Cybersecurity Glossary
1506 essential cybersecurity terms explained. Your reference guide from A to Z.
O
OWASP
Open Web Application Security Project. A nonprofit organization that produces freely available methodologies, tools, and documentation for web application security.
OWASP Top 10
A regularly updated report outlining the ten most critical web application security risks, serving as a standard awareness document for developers and security professionals.
Open Redirect
A vulnerability where a web application redirects users to an attacker-controlled URL, commonly exploited in phishing attacks to make malicious links appear legitimate.
OAuth
An open authorization framework that allows third-party applications to access user resources without exposing credentials, widely used for social login and API authorization.
OAuth Token Theft
An attack where OAuth access tokens or refresh tokens are stolen through vulnerabilities, enabling unauthorized access to protected resources and APIs.
OSINT
Open Source Intelligence. The collection and analysis of publicly available information from sources like social media, websites, and public records for security assessment.
OT Security
Operational Technology security. The practice of protecting hardware and software that monitors and controls physical devices and processes in industrial environments.
OWASP Mobile Top 10
A list of the ten most critical security risks facing mobile applications, maintained by OWASP as a guide for mobile application developers.
Output Encoding
The practice of converting special characters in output data to their safe equivalents, preventing injection attacks like XSS when data is rendered in browsers.
OSCP
Offensive Security Certified Professional. A hands-on penetration testing certification from Offensive Security requiring a 24-hour practical exam.
OSINT Reconnaissance
The process of gathering publicly available information about a target organization to support penetration testing, including domains, employees, and technologies.
One-Time Pad
A theoretically unbreakable encryption technique using a random key the same length as the message, used only once and then discarded.
OIDC
OpenID Connect. An identity layer built on top of OAuth 2.0 that allows clients to verify user identity and obtain basic profile information.
OSWE
Offensive Security Web Expert. An advanced certification focused on white-box web application penetration testing, requiring source code analysis skills.
OSEP
Offensive Security Experienced Penetration Tester. An advanced certification covering evasion techniques, custom exploits, and advanced lateral movement.
OCSP
Online Certificate Status Protocol. A protocol for checking the revocation status of X.509 digital certificates in real time.
osquery
An open-source tool that exposes operating system information through SQL queries, enabling security monitoring and endpoint visibility.
OpenVPN
An open-source VPN protocol that uses SSL/TLS for key exchange and supports multiple encryption algorithms and authentication methods.
OSPF
Open Shortest Path First. An interior gateway routing protocol that uses link-state information to construct a topology map for optimal packet routing.
Overlay Attack
A mobile attack where a malicious app displays a fake interface on top of a legitimate app to steal credentials or intercept actions.
OAuth Misconfiguration
Security weaknesses in OAuth implementations including open redirectors, insecure token storage, and improper scope validation.
OSED
Offensive Security Exploit Developer. An advanced certification covering Windows exploit development including reverse engineering and shellcoding.
Objective-Based Penetration Testing
Testing focused on achieving specific business-impact objectives rather than finding all vulnerabilities.
OSSTMM
Open Source Security Testing Methodology Manual. A comprehensive methodology for security testing covering all aspects of operational security.
OWASP API Security Top 10
A list of the most critical security risks to APIs, including broken object-level authorization, authentication failures, and excessive data exposure.
Origin Validation
The server-side practice of verifying the Origin header in HTTP requests to prevent cross-origin attacks.
Orphaned Account
A user account that remains active after the associated person has left the organization, creating a security risk.
Offensive Security Career Path
The professional progression from junior pentester through senior consultant, red team lead, and offensive security director.
Output Escaping
Converting special characters to their safe equivalents when rendering user data in HTML, JavaScript, or SQL contexts.
ORM Security
Security considerations when using Object-Relational Mapping frameworks, including injection risks and query optimization.
Oblivious Transfer
A cryptographic protocol where a sender transfers information to a receiver without knowing which pieces were received.
Open Source Security
Practices for managing security risks in open-source software including vulnerability monitoring and license compliance.