The document discusses various types of web vulnerabilities including broken access control, sensitive data exposure, injections, security misconfigurations, vulnerable components, and logging/monitoring flaws. It provides examples of real-world incidents for each type of vulnerability and recommends mitigation strategies like multi-factor authentication, encryption, input validation, least privilege access, and regular updates/monitoring.

1. WEB VULNERABILITIES

2. OVERVIEW
BASICS
TOP 10 OWSP
PRACTICAL EXAMPLE

3. WEB VULNERABILITIES : BASIC
 Web application vulnerabilities involve a system flaw or
weakness in a web-based application
 Due to not validating or sanitizing form inputs,
misconfigured web servers, and application design flaws
 They can be exploited to compromise the application's
security
 These vulnerabilities are not the same as other common
types of vulnerabilities, such as network or asset.
 They arise because web applications need to interact
with multiple users across multiple networks

4. WEB VULNERABILITIES : BASIC
Why Web Security Matters:
Data Breaches Impact: Severe consequences of data
breaches, including financial losses, reputational damage,
and legal repercussions.
User Trust: Users trust organizations to safeguard their
information, and a breach can erode this trust, affecting
customer loyalty and brand reputation.
Regulatory Compliance: Growing importance of
compliance with data protection regulations and failure to
comply can result in significant penalties.

5. OWSP
• OWASP : is a nonprofit foundation that works to improve the security of
software. OWASP is an open platform that security professionals from around
the world use to share information, tools, and events that are focused on
securing the web
• Top 10 : One of OWASP’s most valuable resources is the OWASP Top 10.
• The organization has published this list since 2003 as a way to spread
awareness of the web’s most targeted vulnerabilities.
• The Top 10 mainly applies to new or custom made software.
• Importance : Many of the world's largest organizations reference the OWASP
Top 10 during application development to help ensure their programs address
common security mistakes.
• Community-Driven: Highlight that the OWASP Top 10 is a result of collective
expertise and contributions from security professionals globally, making it a
comprehensive and reliable resource.

6. OWSP

7. BROKEN ACCESS CONTROL
Definition : class of vulnerabilities where attackers exploit weaknesses in
the mechanisms responsible for user authentication and session
management.
Common Weaknesses: Common issues such as weak password policies,
session fixation, and insufficiently protected authentication credentials.
Risks of Broken Authentication:
Unauthorized Access: Emphasize that successful attacks can lead to
unauthorized access to user accounts, administrative interfaces, or sensitive
information.
Data Exposure: Potential for exposure of sensitive data if authentication
credentials or session tokens are compromised.

8. BROKEN ACCESS CONTROL

9. BROKEN ACCESS CONTROL
Common Attack Scenarios:
Credential Stuffing: Explain how attackers use username and password
combinations obtained from previous data breaches to gain unauthorized access to
other accounts where users reuse credentials.
Session Hijacking: Discuss the risk of attackers intercepting or stealing session
tokens to impersonate legitimate users.
Mitigation Strategies:
Multi-Factor Authentication (MFA): Highlight the importance of implementing MFA
to add an extra layer of security beyond passwords.
Secure Session Management: Emphasize the need for secure session
management practices, including the use of secure cookies, session timeouts, and
token rotation.
Password Policies: Advocate for strong password policies, regular password
updates, and the use of password hashing to protect stored credentials.

10. BROKEN ACCESS CONTROL
Yahoo (2013-2014):
Incident: Yahoo experienced two major data breaches affecting over
one billion user accounts.
Cause: The breaches were attributed to stolen session cookies and
weak encryption methods.
Impact: The compromised information included names, email
addresses, telephone numbers, and hashed passwords. The
incidents had a profound impact on Yahoo's reputation, leading to a
decrease in its acquisition value by Verizon.

11. CRYPTOGRAPHIC FAILURES/SENSATIVE DATA EXPOSURE
Overview: Sensitive Data Exposure occurs when an application fails to
adequately protect sensitive information, such as credit card numbers,
passwords, or personal details, putting user privacy and security at risk.
Nature of Data: Clarify that sensitive data can include personally
identifiable information (PII), financial details, and any information that, if
exposed, could lead to identity theft or financial loss.
Common Scenarios and Causes:
Insecure Transmission: Data transmitted over unencrypted channels
can be intercepted by attackers during transit, emphasizing the
importance of using secure protocols like HTTPS.
Weak Data Storage: Risk of storing sensitive data in an insecure
manner, such as plain text or using weak encryption algorithms, making
it susceptible to unauthorized access.

12. CRYPTOGRAPHIC FAILURES/SENSATIVE DATA EXPOSURE
Consequences of Sensitive Data Exposure:
Identity Theft: Potential for attackers to use exposed personal information for
identity theft and fraudulent activities.
Financial Loss: Financial risks associated with the exposure of credit card
information or banking details.
Prevention and Mitigation:
Data Encryption: Importance of encrypting sensitive data both in transit (using
protocols like TLS) and at rest (using strong encryption algorithms).
Secure Key Management: Significance of secure key management practices to
protect encryption keys and prevent unauthorized access.
Data Masking: Concept of data masking, where sensitive information is partially or
fully obscured to limit exposure, especially in non-production environments.

13. INJECTIONS
Definition: Injection vulnerabilities as a type of security risk
where untrusted data is introduced into a program or query,
leading to unintended consequences.
Common Types: Common injection types such as SQL
injection, NoSQL injection, OS command injection, etc.
Examples of Injection Vulnerabilities:
•SQL Injection Example
•OS Command Injection Example

14. INJECTIONS
SQL Injection Example:
Scenario:
Consider a simple web application with a login page where
users enter their credentials.
Vulnerable Code (Before Mitigation):
// SQL query construction in the backend
const query = "SELECT * FROM users WHERE
username='" + enteredUsername + "' AND password='" +
enteredPassword + "'";

15. SQL INJECTIONS
Exploitation:
1. Normal Login Attempt:
•User enters valid credentials like username: user123 and password:
pass123.
•The SQL query becomes: SELECT * FROM users WHERE
username='user123' AND password='pass123'.
2. SQL Injection Attempt:
•Malicious user enters: username: ' OR '1'='1' -- and any password.
•The manipulated query becomes: SELECT * FROM users WHERE
username='' OR '1'='1' --' AND password='anyPassword'.
•The double hyphen (--) signifies a comment in SQL, effectively
ignoring the rest of the original query.
3.Outcome:
•The query always evaluates to true (1=1), allowing the attacker to
bypass authentication and potentially gain unauthorized access.

16. SQL INJECTIONS
Mitigation:
// Using parameterized queries to prevent SQL injection const query
"SELECT * FROM users WHERE username=? AND password=?";
Parameterized queries ensure that user input is treated as data, not
executable code.

17. SECURITY MISCONFIGURATION
Overview: Security misconfigurations occur when an application, server,
database, or any component of a system is not securely configured. This
provides potential attackers with unnecessary access or information,
making it easier for them to exploit vulnerabilities.
Common Misconfigurations:
Default Settings: Leaving default configurations unchanged, which
may include default passwords or settings that are not suitable for a
production environment.
Unnecessary Services: Running unnecessary services or features
that increase the attack surface without providing any benefit.
Excessive Permissions: Granting excessive permissions to users,
applications, or services.

18. SECURITY MISCONFIGURATION

19. SECURITY MISCONFIGURATION
Prevention and Mitigation:
Regular Audits and Reviews: Stress the importance of regular security
audits and reviews to identify and correct misconfigurations.
Least Privilege Principle: Emphasize the principle of least privilege,
where users and systems should only have the minimum level of access
required to perform their tasks.
Automation of Security Configurations: Advocate for the use of
automation tools to enforce and monitor security configurations
consistently.

20. IDENTIFICATION AND AUTHENTICATION FLAWS
Identification and Authentication Relevance:
IDOR vulnerabilities can be linked to authentication flaws.
Weak or insufficient access controls can allow attackers to
manipulate object references and access unauthorized
data.
Mitigation:
Implement proper access controls to ensure that
authenticated users can only access their own data.
Validate and authorize user actions on the server side.

21. VULNERABLE AND OUTDATE COMPONENTS
Vulnerability occurs when a web application uses third-party
libraries, frameworks, or components that have known
security vulnerabilities. Attackers can exploit these
vulnerabilities to compromise the application.
Common Causes:
Outdated Libraries: Using outdated versions of libraries
or components that have known security patches or
updates.
Lack of Monitoring: Not actively monitoring and updating
third-party components after they are initially integrated
into the application.

22. VULNERABLE AND OUTDATE COMPONENTS
Risks and Consequences:
Exploitation of Weaknesses: Attackers actively search for and exploit known
vulnerabilities in widely used components.
Data Breaches: Potential for data breaches and unauthorized access resulting
from exploiting vulnerabilities in third-party components.
Prevention and Mitigation:
Regular Updates: Importance of regularly updating all third-party libraries and
components to their latest secure versions.
Automated Dependency Scanning: Use of automated tools for dependency
scanning that can identify and alert developers about outdated or vulnerable
components.
Monitoring Security Bulletins: Staying informed about security bulletins and
updates related to third-party components.

23. SOFTWARE AND DATA INTEGRITY FAILURE
Software and data integrity failures are vulnerabilities in software or
infrastructure that allow an attacker to modify or delete data in an unauthorized
manner. Attackers can exploit these vulnerabilities to gain access to sensitive
information or cause damage to the system.
Some examples of software and data integrity failures include:
Insufficient Verification of Data Authenticity: This occurs when the software
does not properly verify the data source before it is processed. This can allow an
attacker to inject malicious data into the system.
Missing Support for Integrity Checks: This occurs when the software cannot
verify data integrity. This can make it easier for an attacker to modify or delete data
without being detected.
Untrusted Search Path: This occurs when the software allows an attacker to
control the search path for libraries or modules. This can allow an attacker to inject
malicious code into the system.

24. SOFTWARE AND DATA INTEGRITY FAILURE
Real-Life Example of Software and Integrity Failures: WannaCry
In 2017, a ransomware attack called WannaCry infected over 230,000 computers in over 150
countries. The attack used a vulnerability in the Windows operating system to spread. Once
infected, the ransomware encrypted the victim's files and demanded a ransom payment to
decrypt them.
Mitigation :
The key to preventing software and integrity failures is to monitor third-party software and
ensure the implementation of all security updates and patches promptly to ensure the
software's and data's reliability throughout the software development life cycle.
Compile a Software Bill of Materials (SBOM); this allows for a better understanding of the
application's structure and makes it easier to identify which components need updating.
Regularly monitor for updates and security patches for all components and apply these
updates swiftly to help minimize potential risks associated with vulnerabilities.
Replace components that are no longer supported or have known security vulnerabilities to
ensure that the application only uses up-to-date and secure components.

25. SECURITY LOGGING AND MONITORING FLAWS
Security logging and monitoring failures are security vulnerabilities that can occur
when a system or application fails to log or monitor security events properly. This
can allow attackers to gain unauthorized access to systems and data without
detection.
Some of the most common security logging and monitoring failures include:
Not Logging Important Security Events: This can include failed login attempts,
unauthorized access to sensitive data, or changes to system configurations.
Not Monitoring Logs for Suspicious Activity: This can include repeated failed
login attempts, unusual traffic patterns, or changes to system configurations.
Not Storing Logs for Long Enough: This can make it challenging to investigate
security incidents that occurred in the past.
Not Having a Process for Reviewing and Responding to Security Logs: This
can allow security incidents to go undetected and unaddressed.
Insecure Logging and Monitoring Systems: This can allow attackers to access or
modify logs, making tracking their activities difficult.

26. SECURITY LOGGING AND MONITORING FLAWS
Mitigation :
The key to protecting against security logging and monitoring failures is to
log all critical security events and monitor them for suspicious activity. Let’s
dive into what that means:
Ensure comprehensive logs are generated
Securely store and protect log files to ensure their integrity and
confidentiality
Implement a process to regularly review and analyze logs with both
automated tools and manual inspection
Set up real-time monitoring and alerting systems to detect and respond
to security events
Create a comprehensive incident response plan that clearly outlines
roles, responsibilities, and procedures

27. SERVER-SIDE REQUEST FORGERY (SSRF)
A Server-Side Request Forgery (SSRF) attack involves an attacker
abusing server functionality to access or modify resources. The attacker
targets an application that supports data imports from URLs or allows
them to read data from URLs. URLs can be manipulated, either by
replacing them with new ones or by tampering with URL path traversal.
Mitigation :
Whitelist IPs to be allowed access to server URL
Disable unused URLs