SlideShare a Scribd company logo

[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Active Vietnam

DevDay.org
DevDay.org

Security testing of any system is about finding all possible ambiguities and flaws of the system which might result in loss of information at the hands of employees or outsiders of the organization. This seminar will give you knowledge of Security Testing and related topics with simple and useful examples to help you approach it easily.

Technology
1 of 52
SECURITY TESTING Thuy Nguyen Thi Hong Da Nang - 01/2018
AGENDA What is Security What is Security Testing Techniques Practices
WHAT IS SECURITY
WHAT IS SECURITY TESTING
SIX MEASURES Confidentiality Integrity Authentication Authorization Availability Non-repudiation
TECHNIQUES 1. Injection 2.Broken Authentication and Session Management 3. Cross-Site Scripting (XSS)
TECHNIQUES 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure
TECHNIQUES 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10. Unvalidated Redirects and Forwards
1 - INJECTION
Injection $username = $_POST['username']; $password = $_POST['password'];
$sql ="SELECT count(*) FROM user WHERE username = '$username' AND password = ‘$password'"; SELECT count(*) FROM user WHERE username = ‘thuynguyen' AND password = ‘123456’ SELECT * FROM user WHERE username = 'thuynguyen' AND password = 'something' OR '1' Injection
Injection $sql = "SELECT count(*) FROM user WHERE username = '$username' AND password = ‘$password'"; SELECT * FROM user WHERE username = 'thuynguyen' AND password = ‘123456' OR ‘1=1' SELECT * FROM user WHERE username = 'thuynguyen' AND password = 'something' ; DROP TABLE Suppliers'
2 - BROKEN AUTHENTICATION AND SESSION MANAGEMENT
Broken Authentication And Session Management Scenario #1: Password is guessable
Scenario #2: Asking for the credentials Broken Authentication And Session Management
Broken Authentication and Session Management Scenario #3: Session Management
Broken Authentication and Session Management Scenario #4: Asking for the credentials
3 - CROSS-SITE SCRIPTING (XSS)
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
4 - INSECURE DIRECT OBJECT REFERENCESS
Insecure Direct Object References
5 - SECURITY MISCONFIGURATION
Security Misconfiguration Scenario #1 : sample applications that are not removed
Security Misconfiguration Scenario #2 : Directory listing is not disabled on the server
Security Misconfiguration Scenario #3 : allows detailed error messages, e.g. stack traces, to be returned to users
Security Misconfiguration Scenario #4 : open to the Internet by other CSP users
6 - SENSITIVE DATA EXPOSURE
Sensitive Data Exposure
Sensitive Data Exposure
7 - MISSING FUNCTION LEVEL ACCESS CONTROL
http://example.com/app/getappInfo http://example.com/app/admin_geta ppInfo MISSING FUNCTION LEVEL ACCESS CONTROL
8 - CROSS-SITE REQUEST FORGERY (CSRF)
Cross-Site Request Forgery (CSRF) http://bank.com/transfer.do?acct=BOB&amount=1 00 <a href=“http://bank.com/transfer.do?acct=MARIA&a mount=100000">View my Pictures!</a> <img src=“http://bank.com/transfer.do?acct=MARIA&a mount=100000" width="0" height="0" border="0">
9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
Using Components with Known Vulnerabilities Apache CXF Authentication Bypass
Spring Remote Code Execution
10 - UNVALIDATED REDIRECTS AND FORWARDS
Scenario #1 : http://www.example.com/redirec t.jsp?url=evil.com Unvalidated Redirects and Forwards
Scenario #2 : http://www.example.com/boring. jsp?fwd=admin.jsp Unvalidated Redirects and Forwards
TOOLS WireShark
THANK YOU!

Recommended

[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...
[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...
[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...DevDay.org
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Sumanth Damarla
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injectionnewbie2019
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure codeMiva
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesMindfire Solutions
 

Recommended

[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...
[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...
[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Securit...DevDay.org
 
Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Securing the Web @DevDay Da Nang 2018
Securing the Web @DevDay Da Nang 2018Sumanth Damarla
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
Secure programming with php
Secure programming with phpSecure programming with php
Secure programming with phpMohmad Feroz
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injectionnewbie2019
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure codeMiva
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesMindfire Solutions
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Protecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoProtecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoXamarin
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malwareCysinfo Cyber Security Community
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5Jayesh Patel
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
Sql Injection Paper
Sql Injection PaperSql Injection Paper
Sql Injection PaperAung Khant
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Unifi securitybugs sep2013
Unifi securitybugs sep2013Unifi securitybugs sep2013
Unifi securitybugs sep2013testslidesha12
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Tim Bass
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive MeasuresShubham Takode
 
Reversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malwareReversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malwareCysinfo Cyber Security Community
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Flashack
FlashackFlashack
Flashackn|u - The Open Security Community
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis Cysinfo Cyber Security Community
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!Nahidul Kibria
 
Vulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comVulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comKirill Ermakov
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis Cysinfo Cyber Security Community
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
Web Security
Web SecurityWeb Security
Web SecurityGerald Villorente
 

More Related Content

What's hot

How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Protecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoProtecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoXamarin
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacksRespa Peter
 
Sql Injection Paper
Sql Injection PaperSql Injection Paper
Sql Injection PaperAung Khant
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practicesNeoito
 
Unifi securitybugs sep2013
Unifi securitybugs sep2013Unifi securitybugs sep2013
Unifi securitybugs sep2013testslidesha12
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Tim Bass
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive MeasuresShubham Takode
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedSiddharth Bhattacharya
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!Nahidul Kibria
 
Vulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comVulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comKirill Ermakov
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSSMike Crabb
 

What's hot (20)

How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 
Protecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen LombardoProtecting data on device with SQLCipher, Stephen Lombardo
Protecting data on device with SQLCipher, Stephen Lombardo
 
Reverse engineering malware
Reverse engineering malwareReverse engineering malware
Reverse engineering malware
 
Kioptrix 2014 5
Kioptrix 2014 5Kioptrix 2014 5
Kioptrix 2014 5
 
Types of sql injection attacks
Types of sql injection attacksTypes of sql injection attacks
Types of sql injection attacks
 
Sql Injection Paper
Sql Injection PaperSql Injection Paper
Sql Injection Paper
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
 
Unifi securitybugs sep2013
Unifi securitybugs sep2013Unifi securitybugs sep2013
Unifi securitybugs sep2013
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
Proxy Caches and Web Application Security
Proxy Caches and Web Application Security Proxy Caches and Web Application Security
Proxy Caches and Web Application Security
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
 
Reversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malwareReversing and decrypting communications of apt malware
Reversing and decrypting communications of apt malware
 
Hacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques UsedHacking A Web Site And Secure Web Server Techniques Used
Hacking A Web Site And Secure Web Server Techniques Used
 
Flashack
FlashackFlashack
Flashack
 
Automating malware analysis
Automating malware analysis Automating malware analysis
Automating malware analysis
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
 
Vulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.comVulnerability Funalitics with vulners.com
Vulnerability Funalitics with vulners.com
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 

Similar to [DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Active Vietnam

OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10InnoTech
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
Security Testing For Web Applications
Security Testing For Web ApplicationsSecurity Testing For Web Applications
Security Testing For Web ApplicationsVladimir Soghoyan
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Nitroxis Sprl
 
Security Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security IssuesSecurity Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security IssuesYulian Slobodyan
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Lostar
 
Prevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguagePrevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguageIRJET Journal
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTshiriskumar
 
Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)mikemcbryde
 
Database Threats - Information System Security
Database Threats - Information System SecurityDatabase Threats - Information System Security
Database Threats - Information System Securitysandra sukarieh
 
Sichere Web-Applikationen am Beispiel von Django
Sichere Web-Applikationen am Beispiel von DjangoSichere Web-Applikationen am Beispiel von Django
Sichere Web-Applikationen am Beispiel von DjangoMarkus Zapke-Gründemann
 
Magento Security from Developer's and Tester's Points of View
Magento Security from Developer's and Tester's Points of ViewMagento Security from Developer's and Tester's Points of View
Magento Security from Developer's and Tester's Points of ViewAmasty
 

Similar to [DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Active Vietnam (20)

OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
Web Security
Web SecurityWeb Security
Web Security
 
Code securely
Code securelyCode securely
Code securely
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Security Testing For Web Applications
Security Testing For Web ApplicationsSecurity Testing For Web Applications
Security Testing For Web Applications
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019
 
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Security Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security IssuesSecurity Training: #4 Development: Typical Security Issues
Security Training: #4 Development: Typical Security Issues
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
 
Prevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguagePrevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host Language
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
 
Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)Application Security 101 (OWASP DC)
Application Security 101 (OWASP DC)
 
Security 101
Security 101Security 101
Security 101
 
Database Threats - Information System Security
Database Threats - Information System SecurityDatabase Threats - Information System Security
Database Threats - Information System Security
 
Sichere Web-Applikationen am Beispiel von Django
Sichere Web-Applikationen am Beispiel von DjangoSichere Web-Applikationen am Beispiel von Django
Sichere Web-Applikationen am Beispiel von Django
 
Magento Security from Developer's and Tester's Points of View
Magento Security from Developer's and Tester's Points of ViewMagento Security from Developer's and Tester's Points of View
Magento Security from Developer's and Tester's Points of View
 

More from DevDay.org

[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline
[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline
[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at WizelineDevDay.org
 
[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...
[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...
[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...DevDay.org
 
[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...
[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...
[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...DevDay.org
 
[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline
[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline
[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at WizelineDevDay.org
 
[DevDay2019] Growth Hacking - How to double the benefits of your startup with...
[DevDay2019] Growth Hacking - How to double the benefits of your startup with...[DevDay2019] Growth Hacking - How to double the benefits of your startup with...
[DevDay2019] Growth Hacking - How to double the benefits of your startup with...DevDay.org
 
[DevDay2019] Collaborate or die: The designers’ guide to working with develop...
[DevDay2019] Collaborate or die: The designers’ guide to working with develop...[DevDay2019] Collaborate or die: The designers’ guide to working with develop...
[DevDay2019] Collaborate or die: The designers’ guide to working with develop...DevDay.org
 
[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...
[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...
[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...DevDay.org
 
[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...
[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...
[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...DevDay.org
 
[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...
[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...
[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...DevDay.org
 
[DevDay2019] Power of Test Automation and DevOps combination - One click savi...
[DevDay2019] Power of Test Automation and DevOps combination - One click savi...[DevDay2019] Power of Test Automation and DevOps combination - One click savi...
[DevDay2019] Power of Test Automation and DevOps combination - One click savi...DevDay.org
 
[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS
[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS
[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMSDevDay.org
 
[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...
[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...
[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...DevDay.org
 
[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...
[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...
[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...DevDay.org
 
[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...
[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...
[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...DevDay.org
 
[DevDay2019] Opportunities and challenges for human resources during the digi...
[DevDay2019] Opportunities and challenges for human resources during the digi...[DevDay2019] Opportunities and challenges for human resources during the digi...
[DevDay2019] Opportunities and challenges for human resources during the digi...DevDay.org
 
[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...
[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...
[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...DevDay.org
 
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...DevDay.org
 
[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...
[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...
[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...DevDay.org
 
[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...
[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...
[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...DevDay.org
 
[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO
[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO
[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IODevDay.org
 

More from DevDay.org (20)

[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline
[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline
[DevDay2019] Lean UX - By Bryant Castro, Bryant Castro at Wizeline
 
[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...
[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...
[DevDay2019] Why you'll lose without UX Design - By Szilard Toth, CTO at e·pi...
 
[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...
[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...
[DevDay2019] Things i wish I knew when I was a 23-year-old Developer - By Chr...
 
[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline
[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline
[DevDay2019] Designing design teams - Christopher Nguyen, UX Manager at Wizeline
 
[DevDay2019] Growth Hacking - How to double the benefits of your startup with...
[DevDay2019] Growth Hacking - How to double the benefits of your startup with...[DevDay2019] Growth Hacking - How to double the benefits of your startup with...
[DevDay2019] Growth Hacking - How to double the benefits of your startup with...
 
[DevDay2019] Collaborate or die: The designers’ guide to working with develop...
[DevDay2019] Collaborate or die: The designers’ guide to working with develop...[DevDay2019] Collaborate or die: The designers’ guide to working with develop...
[DevDay2019] Collaborate or die: The designers’ guide to working with develop...
 
[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...
[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...
[DevDay2019] How AI is changing the future of Software Testing? - By Vui Nguy...
 
[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...
[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...
[DevDay2019] Hands-on Machine Learning on Google Cloud Platform - By Thanh Le...
 
[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...
[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...
[DevDay2019] Micro Frontends Architecture - By Thang Pham, Senior Software En...
 
[DevDay2019] Power of Test Automation and DevOps combination - One click savi...
[DevDay2019] Power of Test Automation and DevOps combination - One click savi...[DevDay2019] Power of Test Automation and DevOps combination - One click savi...
[DevDay2019] Power of Test Automation and DevOps combination - One click savi...
 
[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS
[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS
[DevDay2019] How do I test AI models? - By Minh Hoang, Senior QA Engineer at KMS
 
[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...
[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...
[DevDay2019] How to quickly become a Senior Engineer - By Tran Anh Minh, CEO ...
 
[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...
[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...
[Devday2019] Dev start-up - By Le Trung, Founder & CEO at Hifiveplus and Edu...
 
[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...
[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...
[DevDay2019] Web Development In 2019 - A Practical Guide - By Hoang Nhu Vinh,...
 
[DevDay2019] Opportunities and challenges for human resources during the digi...
[DevDay2019] Opportunities and challenges for human resources during the digi...[DevDay2019] Opportunities and challenges for human resources during the digi...
[DevDay2019] Opportunities and challenges for human resources during the digi...
 
[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...
[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...
[DevDay2019] Python Machine Learning with Jupyter Notebook - By Nguyen Huu Th...
 
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...
[DevDay2019] Do you dockerize? Are your containers safe? - By Pham Hong Khanh...
 
[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...
[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...
[DevDay2019] Develop a web application with Kubernetes - By Nguyen Xuan Phong...
 
[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...
[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...
[DevDay2019] Paradigm shift towards effective Scrum - By Tam Doan, Agile Coac...
 
[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO
[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO
[DevDay2019] JAM Stack - By Ngo Thi Ni, Web Developer at Agility IO
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 

[DevDay2018] Security Testing - By Thuy Nguyen, Software Engineer at Axon Active Vietnam

Editor's Notes

  1. Security is set of measures to protect an application against unforeseen actions that cause it to stop functioning or being exploited. Unforeseen actions can be either intentional or unintentional. Bảo mật là một bộ các biện pháp để bảo vệ một ứng dụng chống lại các hành động không lường trước khiến nó ngừng hoạt động hoặc bị khai thác. Hành động không lường trước có thể là cố ý hoặc vô ý.
  2. A testing technique to determine if an information system protects data and maintains functionality as intended. Một kỹ thuật kiểm tra để xác định xem một hệ thống thông tin bảo vệ dữ liệu và duy trì các chức năng như dự định.
  3. Security testing takes the following six measures to provide a secured environment:  Confidentiality - It protects against disclosure of information to unintended recipients. Nó bảo vệ chống lại tiết lộ thông tin cho người nhận không mong muốn. Cross-Site Scripting (XSS) Security Misconfiguration Cross-Site Request Forgery (CSRF) Unvalidated Redirects and Forwards  Integrity - It allows transferring accurate and correct desired information from senders to intended receivers. Nó cho phép truyền tải chính xác và chính xác thông tin mong muốn từ người gửi cho người nhận dự định.  Authentication - It verifies and confirms the identity of the user. Nó kiểm tra và xác nhận danh tính của người dùng. Authentication and Session Management Injection  Authorization - It specifies access rights to the users and resources. Nó quy định quyền truy cập cho người dùng và tài nguyên. Missing Function Level Access Control Insecure Direct Object References Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control  Availability - It ensures readiness of the information on requirement. Nó đảm bảo sẵn sàng của các thông tin về yêu cầu.  Non-repudiation - It ensures there is no denial from the sender or the receiver for having sent or received the message. Nó đảm bảo không có sự từ chối từ người gửi hoặc người nhận cho đã gửi hoặc nhận tin nhắn. You can try this very basic test on any web application: Log into the web application using valid credentials. Log out of the web application. Click the BACK button of the browser. Verify if you are asked to log in again or if you are able go back to the logged in page again.
  4. SQL injection là một kỹ thuật cho phép những kẻ tấn công lợi dụng lỗ hổng của việc kiểm tra dữ liệu đầu vào trong các ứng dụng web và các thông báo lỗi của hệ quản trị cơ sở dữ liệu trả về để inject (tiêm vào) và thi hành các câu lệnh SQL bất hợp pháp. Broken Authentication and Session Management Kẻ tấn công có thể là những kẻ tấn công nặc danh, hoặc người người dùng sở hữu tài khoản muốn ăn cắp thông tin từ tài khoản khác. Cross-Site Scripting (XSS) Cross Site Scripting (XSS) là gì ? Là một kiểu tấn công cho phép hacker chèn vào những đoạn script độc hại (thông thường là javascript hoặc HTML) vào website và sẽ được thực thi ở trình duyệt người dùng.
  5. Insecure Direct Object References lỗi bảo mật đối tượng tham chiếu thiếu an toàn Security Misconfiguration Có thể là những kẻ tấn công nặc danh từ phía ngoài, hoặc người người dùng sở hữu tài khoản muốn kiểm soát hệ thống. Kẻ tấn công sử dụng tài khoản tài khoản mặc định, trang web không được sử dụng, lỗi bảo mật chưa được vá, tập tin và thư mục không được bảo vệ để thu thâp thông tin hoặc truy cập hệ thống một cách bất hợp pháp. Sensitive Data Exposure Hãy xem xét đến những người sử dụng hệ thống của bạn. Liệu họ có muốn truy cập vào dữ liệu mật mà họ không được uỷ quyền không? Thông thường, những kẻ tấn công không bẻ mật mã mà phá hoại những thứ khác: chẳng hạn tìm các khóa, lấy các bản sao dữ liệu không được mã hóa, hoặc truy cập dữ liệu qua các kênh có thể tự động giải mã.
  6. Missing Function Level Access Control Hầu hết các trang web đều có 1 hàm phân quyền cho người dùng. Nhưng nếu hàm đó không được đồng bộ thực hiện đúng đắn như phía người dùng thì kẻ tấn công có thể được lợi dụng lỗ hỏng này để tấn công vào trang web với những đặc quyền cao hơn. Thay đổi địa chỉ web để có được những đặc quyền cao hơn trong quản trị trang web. Ví dụ như đang ở mức người dùng bình thường thay đổi có thể lên mức admin. Cross-Site Request Forgery (CSRF) Cross-Site Request Forgery (CSRF) là cách tấn công mà kẻ tấn công sử dụng một trang web độc hại, email, blog, tin nhắn để dụ người dùng ấn vào những thành phần ở trong trang web đó như các link, ảnh ... rồi sau đó thực hiện một hành động trên một trang web tin cậy mà người dùng hiện đang được chứng thực. Đối với CSRF để khai thác được thì người dùng phải đăng nhập vào các trang web mục tiêu - Tức là người dùng phải có chứng thực trên các trang web mục tiêu mà kẻ tấn công nhắm tới. Mục đích tấn công: Thực hiện các hành động người dùng không mong muốn trên các website kẻ tấn công nghĩ người dùng có chứng thực mà nó lại có lợi cho kẻ tấn công. Using Components with Known Vulnerabilities • Hầu như tất cả các phần của phần mềm hiện nay đều sử dụng các thành phần bên ngoài hoặc thư viện. Nó mang lại lợi thế đáng kể cho người lập trình về thời gian và công sức. • Lỗ hổng từ các thành phần hợp thành như thư viện, framework, plug-in và các module phần mềm khác được gọi là các lỗ hổng thành phần. Unvalidated Redirects and Forwards • OWASP: Là các liên kết từ một trang an toàn đến một trang không an toàn. • Google: Chuyển hướng không tin cậy đơn giản là spam hay malware. • Microsoft: Là bất kỳ ứng dụng web nào chuyển hướng đến một URL độc hại bên ngoài • Tóm lại: Chuyển hướng và chuyển hướng không an toàn là liên kết từ trang web tin cậy sẽ đưa người dùng đến một trang web không tin cậy để lừa đảo hoặc thu thập thông tin từ người dùng.
  7. Application functions related to authentication and session management are often not implemented correctly Các chức năng ứng dụng liên quan đến xác thực và quản lý phiên thường không được thực hiện chính xác
  8. Cross-site Scripting (XSS) refers to client-side code injection attack where in an attacker can execute malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application Cross-Site Scripting (XSS) đề cập đến tấn công bằng mã lệnh phía máy khách, trong đó kẻ tấn công có thể thực hiện các tập lệnh độc hại (thường được gọi là payload độc hại) vào một trang web hoặc ứng dụng web hợp pháp
  9. Security misconfiguration can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers, or storage. Việc cấu hình sai về bảo mật có thể xảy ra ở bất kỳ cấp ứng dụng nào, bao gồm các dịch vụ mạng, nền tảng, máy chủ web, máy chủ ứng dụng, cơ sở dữ liệu, khuôn khổ, mã tùy chỉnh và các máy ảo, thùng chứa hoặc lưu trữ sẵn.
  10. The application server comes with sample applications that are not removed from the production server Máy chủ ứng dụng đi kèm với các ứng dụng mẫu không được gỡ bỏ từ máy chủ sản xuất
  11. Directory listing is not disabled on the server Kịch bản số 2: Danh sách thư mục không bị vô hiệu trên máy chủ
  12. A cloud service provider has default sharing permissions open to the Internet by other CSP users Nhà cung cấp dịch vụ đám mây có quyền chia sẻ mặc định mở cho người dùng CSP khác trên Internet Content Security Policy (CSP) là chính sách bảo mật nội dung, được sử dụng để xác định các nguồn nội dung an toàn trên website mà trình duyệt có thể tải về cho người dùng.
  13. An application encrypts credit card numbers in a database using automatic database encryption. Một ứng dụng mã hóa số thẻ tín dụng trong một cơ sở dữ liệu sử dụng mã hóa cơ sở dữ liệu tự động.
  14. A site doesn't use or enforce TLS for all pages or supports weak encryption Trang web không sử dụng hoặc thi hành TLS cho tất cả các trang hoặc hỗ trợ mã hóa yếu The password database uses unsalted or simple hashes to store everyone's passwords. Cơ sở dữ liệu mật khẩu dùng unsigned hoặc đơn giản băm để lưu trữ mật khẩu của mọi người.
  15. The attacker simply force browses to target URLs. Kẻ tấn công chỉ cần lực lượng duyệt để nhắm mục tiêu URL.
  16. Cross-Site Request Forgery (CSRF) An attack that forces an end user to execute unwanted actions on a web application
  17. This kind of threat occurs when the components such as libraries and frameworks used within the app almost always execute with full privileges Loại đe dọa này xảy ra khi các thành phần như thư viện và khuôn khổ được sử dụng trong ứng dụng hầu như luôn luôn thực hiện với các đặc quyền đầy đủ
  18. By failing to provide an identity token, attackers could invoke any web service with full permission. (Apache CXF is a services framework, not to be confused with the Apache Application Server.) Bằng cách không cung cấp mã thông báo nhận dạng, kẻ tấn công có thể gọi bất kỳ dịch vụ web nào với sự cho phép đầy đủ. (Apache CXF là một khung dịch vụ, không nên nhầm lẫn với Apache Application Server.)
  19. Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server. Lạm dụng việc triển khai ngôn ngữ Expression trong mùa xuân cho phép kẻ tấn công thực hiện mã tùy ý, có hiệu quả chiếm trên máy chủ.
  20. Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. Chuyển hướng không chuyển hướng và chuyển tiếp có thể xảy ra khi một ứng dụng web chấp nhận đầu vào không đáng tin cậy có thể khiến ứng dụng web chuyển hướng yêu cầu đến một URL chứa trong đầu vào không đáng tin cậy.