The document discusses web penetration testing and the OWASP Top 10 vulnerabilities. It defines vulnerability as a flaw that can be exploited to compromise security, and threat as anything that can harm assets by exploiting vulnerabilities. Web penetration testing systematically evaluates application security controls. OWASP is dedicated to developing secure applications and APIs, and maintains the OWASP Top 10 list of the most critical web application security risks, including injection, broken authentication, sensitive data exposure, and more. Each risk is described in terms of what it is and its potential impacts.
2. WEB PENETRATION
Session Flow
What is Vulnerability
What is Threat?
What is Web Penetration
What is OWASP
OWASP Top 10 Vulnerabilities
Cyberops Infosec
2
3. WEB PENETRATION
What is Vulnerability
A vulnerability is a flaw or weakness in a system's design, implementation,
operation or management that could be exploited to compromise the system's
security objectives.
Cyberops Infosec
3
4. WEB PENETRATION
What is Threat
A threat is anything (a malicious external attacker, an internal user, a system
instability, etc) that may harm the assets owned by an application (resources of
value, such as the data in a database or in the file system) by exploiting a
vulnerability.
Cyberops Infosec
4
5. WEB PENETRATION
What is Web Penetration
A security test is a method of evaluating the security of a computer system or
network by methodically validating and verifying the effectiveness of application
security controls.
Cyberops Infosec
5
6. WEB PENETRATION
What is OWASP
The Open Web Application Security Project (OWASP) is an open
community dedicated to enabling organizations to develop, purchase, and
maintain applications and APIs that can be trusted.
Cyberops Infosec
6
7. WEB PENETRATION
OWASP Top 10 – 2017 has evolved:
• 2017-A1 – Injection
• 2017-A2 – Broken Authentication and Session Management
• 2017-A3 –Sensitive Data Exposure
• 2017-A4 – XML External Entities (XXE)
• 2017-A5 – Broken Access Control
• 2017-A6 – Security Misconfiguration
• 2017-A7 – Cross Site Scripting
• 2017-A8 – Insecure Deserialization
• 2017-A9 – Using Component with known Vulnerabilities
• 2017-A10 – Insufficient Logging & Monitoring
Cyberops Infosec
7
8. WEB PENETRATION
OWASP Top 10 – 2017 has evolved:
• 2017-A1 – Injection
Describe : Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur
when untrusted data is sent to an interpreter as part of a command or query.
Impact : The attacker’s hostile data can trick the interpreter into executing
unintended commands or accessing data without proper authorization.
Cyberops Infosec
8
9. WEB PENETRATION
OWASP Top 10 – 2017 has evolved:
• 2017-A2 – Broken Authentication
Describe : Application functions related to authentication and session
management are often implemented incorrectly by developers.
Impact : Vulnerability allowing attackers to compromise passwords, keys, or
session tokens, or to exploit other implementation flaws to assume other
users’ identities temporarily or permanently.
Cyberops Infosec
9
10. WEB PENETRATION
OWASP Top 10 – 2017 has evolved:
• 2017-A3 – Sensitive Data Exposure
Describe : Web applications and APIs do not properly protect sensitive data,
such as financial, healthcare, and PII.
Impact : Attackers may steal or modify such weakly protected data to conduct
credit card fraud, identity theft, or other crimes. Sensitive data may be
compromised without extra protection, such as encryption at rest or in transit,
and requires special precautions when exchanged with the browser.
Cyberops Infosec
10
11. WEB PENETRATION
OWASP Top 10 – 2017 has evolved:
• 2017-A4 – XML External Entities (XSS)
Describe : Many older or poorly configured XML processors evaluate external
entity references within XML documents.
Impact : External entities can be used to disclose internal files using the file URI
handler, internal file shares, internal port scanning, remote code execution,
and denial of service attacks.
Cyberops Infosec
11
12. WEB PENETRATION
OWASP Top 10 – 2017 has evolved:
• 2017-A5 – Broken Access Control
Describe : Restrictions on what authenticated users are allowed to do are often
not properly enforced.
Impact : Attackers can exploit these flaws to access unauthorized functionality
and/or data, such as access other users' accounts, view sensitive files, modify
other users’ data, change access rights, etc.
Cyberops Infosec
12
13. WEB PENETRATION
OWASP Top 10 – 2017 has evolved:
• 2017-A6 – Security Misconfiguration
Describe : Security misconfiguration is the most commonly seen issue. This is
commonly a result of insecure default configurations, incomplete or ad hoc
configurations, open cloud storage, misconfigured HTTP headers, and verbose
error messages containing sensitive information.
Impact : Due to security misconfiguration all data, packages and messages can
be compromised.
Cyberops Infosec
13
14. WEB PENETRATION
OWASP Top 10 – 2017 has evolved:
• 2017-A7 – Cross Site Scripting
Describe : XSS flaws occur whenever an application includes untrusted data in
a new web page without proper validation or escaping, or updates an existing
web page with user-supplied data using a browser API that can create HTML or
JavaScript.
Impact : XSS allows attackers to execute scripts in the victim’s browser which
can hijack user sessions, deface web sites, or redirect the user to malicious
sites.
Cyberops Infosec
14
15. WEB PENETRATION
OWASP Top 10 – 2017 has evolved:
• 2017-A8 – Insecure Deserialization
Describe : Insecure deserialization often leads to remote code execution.
Impact : If deserialization flaws do not result in remote code execution, they
can be used to perform attacks, including replay attacks,
Cyberops Infosec
15
16. WEB PENETRATION
OWASP Top 10 – 2017 has evolved:
• 2017-A9 – Using Components with known vulnerabilities
Describe : Components, such as libraries, frameworks, and other software
modules, run with the same privileges as the application.
Impact : If a vulnerable component is exploited, such an attack can facilitate
serious data loss or server takeover. Applications and APIs using components
with known
Cyberops Infosec
16
17. WEB PENETRATION
OWASP Top 10 – 2017 has evolved:
• 2017-A10 – Insufficient Logging & Monitoring
Describe : Insufficient logging and monitoring, coupled with missing or
ineffective integration with incident response, allows attackers to further
attack systems, maintain persistence, pivot to more systems, and tamper,
extract, or destroy data.
Impact : Most breach studies show time to detect a breach is over 200 days,
typically detected by external parties rather than internal processes or
monitoring.
Cyberops Infosec
17