5. OWASP Top 10 Attacks
Any testing of web applications should at the very least consider the
application security risks listed in the OWASP Top 10.
6. A1: Injection
Injection flaws occur when untrusted data is sent to an interpreter as part of a
command or query. The attacker's hostile data can trick the interpreter into
executing unintended commands or accessing data without proper
authorization.
Impact:
● Data loss or corruption
● Data could be stolen
● Complete host system takeover
● Unauthorized access or denial of access
Prevention requires:
● Input validation / sanitization
● Parameterized queries
● Use libraries vetted for security
● Avoid reflecting input back to a user
7. A1: Injection Example
A function for adding new students:
void addStudent(String lastName, String firstName) {
    // Untrusted input is concatenated straight into the SQL text (vulnerable by design)
    String query = "INSERT INTO students (last_name, first_name) VALUES ('" + lastName + "', '" + firstName + "')";
    getConnection().createStatement().execute(query);
}
If addStudent is called with parameters "Williams", "John", the resulting SQL is:
INSERT INTO students (last_name, first_name) VALUES ('Williams', 'John')
But with hostile data in the first-name parameter, Robert'); DROP TABLE Students;-- (and lastName set to QQQQ), the following SQL is executed:
INSERT INTO students (last_name, first_name) VALUES ('QQQQ', 'Robert'); DROP TABLE Students;-- ')
In fact, two commands are executed:
INSERT INTO students (last_name, first_name) VALUES ('QQQQ', 'Robert')
DROP TABLE Students
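The slide's vulnerable addStudent() beside its parameterized fix, as an added example that is not part of the original deck; it uses Python and an in-memory SQLite database (constructed here) instead of the deck's Java/JDBC, and executescript() stands in for a driver that accepts stacked statements.

```python
import sqlite3

# The hostile first-name value from the slide: closes the string literal,
# terminates the INSERT, appends a DROP TABLE and comments out the rest.
MALICIOUS_FIRST_NAME = "Robert'); DROP TABLE Students;--"


def fresh_db():
    """Constructed in-memory database with the slide's students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (last_name TEXT, first_name TEXT)")
    conn.commit()
    return conn


def add_student_vulnerable(conn, last_name, first_name):
    """Port of the slide's addStudent(): SQL built by string concatenation.
    Returns the SQL text so the reader can see what the interpreter ran."""
    query = ("INSERT INTO students (last_name, first_name) VALUES ('"
             + last_name + "', '" + first_name + "')")
    conn.executescript(query)  # stacked statements are executed as written
    return query


def add_student_safe(conn, last_name, first_name):
    """Hardened version: placeholders keep the values out of the SQL grammar,
    so the hostile string is stored as data rather than executed."""
    conn.execute("INSERT INTO students (last_name, first_name) VALUES (?, ?)",
                 (last_name, first_name))
    conn.commit()


def table_exists(conn, name):
    """Check the catalogue to see whether the DROP TABLE took effect."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def rows(conn):
    return conn.execute("SELECT last_name, first_name FROM students").fetchall()
```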
8. A2: Broken Authentication
A vulnerability that allows bypass or capture of the authentication methods used by the web application.
● Authentication and session management are often not implemented correctly.
● Broken authentication may also disclose credentials or allow passwords to be changed
When can it happen?
● Unencrypted connections
● Predictable login credentials
● Credentials not protected when stored
● Session IDs used in the URL
● Session values that do not time out or are not invalidated after logout
Prevention requires:
● Enable encryption on requests
● Enforce a strong password policy, multi-factor authentication, and a limit on failed logins
● Stored sensitive information should be salted and hashed in addition to being encrypted
● Invalidate session IDs on logout
12. A3: Sensitive Data Exposure
When sensitive data is not correctly handled by your application, data exposure is a serious risk.
Prevention requires encryption at different levels:
● Encrypt data in transit and at rest
● Use current, well-vetted encryption algorithms
● Only store sensitive data when necessary
● Disable autocomplete and caching on forms that collect sensitive data
13. Data Breaches
● Data breach of 150 million accounts at MyFitnessPal
● Sonic Drive-In breach - millions of credit/debit card numbers stolen
● LinkedIn - 117 million emails and passwords leaked
● Yahoo! - all 3 billion of its user accounts were impacted
19. A9: Using Components with Known Vulnerabilities
Seen mostly in component-heavy development patterns.
When can this attack happen?
● On both the client side and the server side
● In direct and nested dependencies of components
● When unsupported, vulnerable or out-of-date libraries are in use
23. A10: Insufficient Logging & Monitoring
● Most successful attacks start with vulnerability probing.
● US companies took an average of 206 days to detect a data breach.
● 53% of breaches were discovered by an external source.