A presentation of OWASP's top 10 most common web application security flaws. The content in the slides is sourced from various sources listed in the references section.
OWASP Top 10 Vulnerabilities 2017- AppTranaIshan Mathur
Our latest OWASP Top Vulnerabilities Guide updated for new 2017 issues serves as a practical guide to understanding OWASP Top 10 vulnerabilities and preparing a response plan to counter these vulnerabilities.
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
OWASP Top 10 Vulnerabilities 2017- AppTranaIshan Mathur
Our latest OWASP Top Vulnerabilities Guide updated for new 2017 issues serves as a practical guide to understanding OWASP Top 10 vulnerabilities and preparing a response plan to counter these vulnerabilities.
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
Application Security Vulnerabilities: OWASP Top 10 -2007Vaibhav Gupta
General concepts of web application security vulnerabilities primarily based on OWASP Top 10 list-2007(I know its too old :-))
I, along with Sandeep and Vishal, presented on this at IIIT-Delhi college in April, 2014
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, minor updates were made in 2004 and 2007, and this is the 2010 release.
Table Of Content
The OWASP Top Ten
Invalidated Redirect and Forwards
Security Misconfiguration
Application Fingerprint
Error handling And Logging
Noise
PHP Guidelines
this presentation about security testing gives you an idea about the need of security testing, 2 commonly used security testing approaches in the industry , brief of cookies testing & basic security checklist for an application
Table of Content
Web Application Firewall
possible security measures of WAF
Data Validation Strategies
Varieties Of Input
Reject Known Bad
Accept Known Good
Sanitization Safe Data Handling
Semantic Checks
Introduction SQL Injection
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
SQL Injection
Blind SQL Injection
This Slide contain information about the SQL injection.
Types of SQL injection and some case study about the SQL injection and some technique so we prevent our system
Oh, WASP! Security Essentials for Web AppsTechWell
The past few years have seen a rapid increase in business efficiency through Web-based applications. Unfortunately, a dramatic increase in the number of web application vulnerabilities has followed. Insecure web applications can be disastrous for mission critical businesses and users' sensitive data. More than 70 percent of security vulnerabilities are due to flaws in the application rather than firewall breaches. Bennie Paul explains how security testing has become an indispensable part of the SDLC for businesses operating online today. OWASP (Open Web Application Security Project) provides open source tools, code, and materials to develop, test, and maintain application security. Monitoring the “OWASP Top 10” web application security flaws is highly recommended as part of an organization’s testing methodology. Vulnerabilities identified are compared against the organization’s security objectives and regulations, and categorized accordingly for remediation. Benny guides you through the OWASP vulnerabilities, technique, framework, and preventive measures that you can adopt for building better software.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Application Security Vulnerabilities: OWASP Top 10 -2007Vaibhav Gupta
General concepts of web application security vulnerabilities primarily based on OWASP Top 10 list-2007(I know its too old :-))
I, along with Sandeep and Vishal, presented on this at IIIT-Delhi college in April, 2014
The goal of the Top 10 project is to raise awareness about application security by identifying some of the most critical risks facing organizations. The Top 10 project is referenced by many standards, books, tools, and organizations, including MITRE, PCI DSS, DISA, FTC, and many more. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. The OWASP Top 10 was first released in 2003, minor updates were made in 2004 and 2007, and this is the 2010 release.
Table Of Content
The OWASP Top Ten
Invalidated Redirect and Forwards
Security Misconfiguration
Application Fingerprint
Error handling And Logging
Noise
PHP Guidelines
this presentation about security testing gives you an idea about the need of security testing, 2 commonly used security testing approaches in the industry , brief of cookies testing & basic security checklist for an application
Table of Content
Web Application Firewall
possible security measures of WAF
Data Validation Strategies
Varieties Of Input
Reject Known Bad
Accept Known Good
Sanitization Safe Data Handling
Semantic Checks
Introduction SQL Injection
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
SQL Injection
Blind SQL Injection
This Slide contain information about the SQL injection.
Types of SQL injection and some case study about the SQL injection and some technique so we prevent our system
Oh, WASP! Security Essentials for Web AppsTechWell
The past few years have seen a rapid increase in business efficiency through Web-based applications. Unfortunately, a dramatic increase in the number of web application vulnerabilities has followed. Insecure web applications can be disastrous for mission critical businesses and users' sensitive data. More than 70 percent of security vulnerabilities are due to flaws in the application rather than firewall breaches. Bennie Paul explains how security testing has become an indispensable part of the SDLC for businesses operating online today. OWASP (Open Web Application Security Project) provides open source tools, code, and materials to develop, test, and maintain application security. Monitoring the “OWASP Top 10” web application security flaws is highly recommended as part of an organization’s testing methodology. Vulnerabilities identified are compared against the organization’s security objectives and regulations, and categorized accordingly for remediation. Benny guides you through the OWASP vulnerabilities, technique, framework, and preventive measures that you can adopt for building better software.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
The OWASP Top Ten is an expert consensus of the most critical web application security threats. If properly understood, it is an invaluable framework to prioritize efforts and address flaws that expose your organization to attack.
This webcast series presents the OWASP Top 10 in an abridged format, interpreting the threats for you and providing actionable offensive and defensive best practices. It is ideal for all IT/development stakeholders that want to take a risk-based approach to Web application security.
How to Test for the OWASP Top Ten webcast focuses on tell tale markers of the OWASP Top Ten and techniques to hunt them down:
• Vulnerability anatomy – how they present themselves
• Analysis of vulnerability root cause and protection schemas
• Test procedures to validate susceptibility (or not) for each threat
Launch Your Streaming Platforms in MinutesRoshan Dwivedi
The claim of launching a streaming platform in minutes might be a bit of an exaggeration, but there are services that can significantly streamline the process. Here's a breakdown:
Pros of Speedy Streaming Platform Launch Services:
No coding required: These services often use drag-and-drop interfaces or pre-built templates, eliminating the need for programming knowledge.
Faster setup: Compared to building from scratch, these platforms can get you up and running much quicker.
All-in-one solutions: Many services offer features like content management systems (CMS), video players, and monetization tools, reducing the need for multiple integrations.
Things to Consider:
Limited customization: These platforms may offer less flexibility in design and functionality compared to custom-built solutions.
Scalability: As your audience grows, you might need to upgrade to a more robust platform or encounter limitations with the "quick launch" option.
Features: Carefully evaluate which features are included and if they meet your specific needs (e.g., live streaming, subscription options).
Examples of Services for Launching Streaming Platforms:
Muvi [muvi com]
Uscreen [usencreen tv]
Alternatives to Consider:
Existing Streaming platforms: Platforms like YouTube or Twitch might be suitable for basic streaming needs, though monetization options might be limited.
Custom Development: While more time-consuming, custom development offers the most control and flexibility for your platform.
Overall, launching a streaming platform in minutes might not be entirely realistic, but these services can significantly speed up the process compared to building from scratch. Carefully consider your needs and budget when choosing the best option for you.
OpenMetadata Community Meeting - 5th June 2024OpenMetadata
The OpenMetadata Community Meeting was held on June 5th, 2024. In this meeting, we discussed about the data quality capabilities that are integrated with the Incident Manager, providing a complete solution to handle your data observability needs. Watch the end-to-end demo of the data quality features.
* How to run your own data quality framework
* What is the performance impact of running data quality frameworks
* How to run the test cases in your own ETL pipelines
* How the Incident Manager is integrated
* Get notified with alerts when test cases fail
Watch the meeting recording here - https://www.youtube.com/watch?v=UbNOje0kf6E
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteGoogle
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-pilot-review/
AI Pilot Review: Key Features
✅Deploy AI expert bots in Any Niche With Just A Click
✅With one keyword, generate complete funnels, websites, landing pages, and more.
✅More than 85 AI features are included in the AI pilot.
✅No setup or configuration; use your voice (like Siri) to do whatever you want.
✅You Can Use AI Pilot To Create your version of AI Pilot And Charge People For It…
✅ZERO Manual Work With AI Pilot. Never write, Design, Or Code Again.
✅ZERO Limits On Features Or Usages
✅Use Our AI-powered Traffic To Get Hundreds Of Customers
✅No Complicated Setup: Get Up And Running In 2 Minutes
✅99.99% Up-Time Guaranteed
✅30 Days Money-Back Guarantee
✅ZERO Upfront Cost
See My Other Reviews Article:
(1) TubeTrivia AI Review: https://sumonreview.com/tubetrivia-ai-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppGoogle
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-fusion-buddy-review
AI Fusion Buddy Review: Key Features
✅Create Stunning AI App Suite Fully Powered By Google's Latest AI technology, Gemini
✅Use Gemini to Build high-converting Converting Sales Video Scripts, ad copies, Trending Articles, blogs, etc.100% unique!
✅Create Ultra-HD graphics with a single keyword or phrase that commands 10x eyeballs!
✅Fully automated AI articles bulk generation!
✅Auto-post or schedule stunning AI content across all your accounts at once—WordPress, Facebook, LinkedIn, Blogger, and more.
✅With one keyword or URL, generate complete websites, landing pages, and more…
✅Automatically create & sell AI content, graphics, websites, landing pages, & all that gets you paid non-stop 24*7.
✅Pre-built High-Converting 100+ website Templates and 2000+ graphic templates logos, banners, and thumbnail images in Trending Niches.
✅Say goodbye to wasting time logging into multiple Chat GPT & AI Apps once & for all!
✅Save over $5000 per year and kick out dependency on third parties completely!
✅Brand New App: Not available anywhere else!
✅ Beginner-friendly!
✅ZERO upfront cost or any extra expenses
✅Risk-Free: 30-Day Money-Back Guarantee!
✅Commercial License included!
See My Other Reviews Article:
(1) AI Genie Review: https://sumonreview.com/ai-genie-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
#AIFusionBuddyReview,
#AIFusionBuddyFeatures,
#AIFusionBuddyPricing,
#AIFusionBuddyProsandCons,
#AIFusionBuddyTutorial,
#AIFusionBuddyUserExperience
#AIFusionBuddyforBeginners,
#AIFusionBuddyBenefits,
#AIFusionBuddyComparison,
#AIFusionBuddyInstallation,
#AIFusionBuddyRefundPolicy,
#AIFusionBuddyDemo,
#AIFusionBuddyMaintenanceFees,
#AIFusionBuddyNewbieFriendly,
#WhatIsAIFusionBuddy?,
#HowDoesAIFusionBuddyWorks
Utilocate offers a comprehensive solution for locate ticket management by automating and streamlining the entire process. By integrating with Geospatial Information Systems (GIS), it provides accurate mapping and visualization of utility locations, enhancing decision-making and reducing the risk of errors. The system's advanced data analytics tools help identify trends, predict potential issues, and optimize resource allocation, making the locate ticket management process smarter and more efficient. Additionally, automated ticket management ensures consistency and reduces human error, while real-time notifications keep all relevant personnel informed and ready to respond promptly.
The system's ability to streamline workflows and automate ticket routing significantly reduces the time taken to process each ticket, making the process faster and more efficient. Mobile access allows field technicians to update ticket information on the go, ensuring that the latest information is always available and accelerating the locate process. Overall, Utilocate not only enhances the efficiency and accuracy of locate ticket management but also improves safety by minimizing the risk of utility damage through precise and timely locates.
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Mind IT Systems
Healthcare providers often struggle with the complexities of chronic conditions and remote patient monitoring, as each patient requires personalized care and ongoing monitoring. Off-the-shelf solutions may not meet these diverse needs, leading to inefficiencies and gaps in care. It’s here, custom healthcare software offers a tailored solution, ensuring improved care and effectiveness.
Do you want Software for your Business? Visit Deuglo
Deuglo has top Software Developers in India. They are experts in software development and help design and create custom Software solutions.
Deuglo follows seven steps methods for delivering their services to their customers. They called it the Software development life cycle process (SDLC).
Requirement — Collecting the Requirements is the first Phase in the SSLC process.
Feasibility Study — after completing the requirement process they move to the design phase.
Design — in this phase, they start designing the software.
Coding — when designing is completed, the developers start coding for the software.
Testing — in this phase when the coding of the software is done the testing team will start testing.
Installation — after completion of testing, the application opens to the live server and launches!
Maintenance — after completing the software development, customers start using the software.
Graspan: A Big Data System for Big Code AnalysisAftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeAftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
Zoom is a comprehensive platform designed to connect individuals and teams efficiently. With its user-friendly interface and powerful features, Zoom has become a go-to solution for virtual communication and collaboration. It offers a range of tools, including virtual meetings, team chat, VoIP phone systems, online whiteboards, and AI companions, to streamline workflows and enhance productivity.
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Software Engineering, Software Consulting, Tech Lead, Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Transaction, Spring MVC, OpenShift Cloud Platform, Kafka, REST, SOAP, LLD & HLD.
Mobile App Development Company In Noida | Drona InfotechDrona Infotech
Looking for a reliable mobile app development company in Noida? Look no further than Drona Infotech. We specialize in creating customized apps for your business needs.
Visit Us For : https://www.dronainfotech.com/mobile-application-development/
2. What is OWASP
OWASP stands for the Open Web Application
Security Project, an online community that
produces articles, methodologies, documentation,
tools, and technologies in the field of web
application security
3. OWASP TOP 10
OWASP Top 10 is the list of the 10 most common application vulnerabilities.
It also shows their risks, impacts, and countermeasures.
Updated every three to four years, the latest OWASP vulnerabilities list was
released in 2018.
4. Let’s dive into it!
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access control
6. Security misconfigurations
7. Cross Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with known vulnerabilities
10. Insufficient logging and monitoring
5. 1. INJECTION
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query through a
form input or some other data submission to a web application.
The attacker’s hostile data can trick the interpreter into executing unintended
commands or accessing data without proper authorization.
6. Types of SQL Injection
1) In-band SQLi (Classic) - The attacker uses the same channel of communication to
launch their attacks and to gather their results
a) Error-based SQLi - the attacker performs actions that cause the database to produce
error messages
b) Union-based SQLi - this technique takes advantage of the UNION SQL operator, which
fuses multiple select statements generated by the database to get a single HTTP
response
7. Types of SQL injection
2) Inferential SQLi (Blind) - The attacker sends data payloads to the server and observes
the response and behavior of the server to learn more about its structure
a) Boolean - that attacker sends a SQL query to the database prompting the application to
return a result. The result will vary depending on whether the query is true or false. Based on
the result, the information within the HTTP response will modify or stay unchanged. The
attacker can then work out if the message generated a true or false result.
b) Time-based - attacker sends a SQL query to the database, which makes the database wait
(for a period in seconds) before it can react. The attacker can see from the time the database
takes to respond, whether a query is true or false. Based on the result, an HTTP response will
be generated instantly or after a waiting period. The attacker can thus work out if the
message they used returned true or false, without relying on data from the database.
8. Types of SQL injection
3) Out-of-band SQLi - The attacker can only carry out this form of attack when certain
features are enabled on the database server used by the web application
11. SQL injection: UNION SELECT example
http://www.estore.com/items/items.asp?itemid=999 UNION SELECT user-name, password FROM USERS
this query combines the request for item 999’s name and description with another that
pulls names and passwords for every user in the database.
999 UNION SELECT user-name, password FROM USERS
SUBMIT
Enter item ID
12. Preventing SQL Injection
Preventing injection requires keeping data separate from commands and queries.
The preferred option is to use a safe API, which avoids the use of the interpreter
entirely or provides a parameterized interface, or migrate to use Object Relational
Mapping Tools (ORMs).
13. 2. BROKEN AUTHENTICATION
Occurs when application functions related to authentication and session
management are often implemented incorrectly.
This allows attackers to compromise passwords, keys, or session tokens, or to
exploit other implementation flaws to assume other users’ identities temporarily
or permanently.
Example: Application session timeouts aren’t set properly. A user uses a public computer to access
an application. Instead of selecting “logout” the user simply closes the browser tab and walks away.
An attacker uses the same browser an hour later, and the user is still authenticated
14. Broken authentication vulnerabilities
An app is vulnerable if it:
Permits automated attacks such as credential stuffing, where the attacker has a list of
valid usernames and passwords.
Permits brute force or other automated attacks.
Permits default, weak, or well-known passwords, such as”Password1″ or “admin/admin.″
Uses weak or ineffective credential recovery and forgot-password processes, such as
“knowledge-based answers,” which cannot be made safe.
15. Broken authentication vulnerabilities:
Uses plain text, encrypted, or weakly hashed passwords.
Has missing or ineffective multi-factor authentication.
Exposes session IDs in the URL (e.g., URL rewriting).
Eg: https://bank.com/user=1234 => https://bank.com/user=4321
Does not rotate session IDs after successful login.
Does not properly invalidate session IDs. User sessions or authentication tokens
(particularly single sign-on (SSO) tokens) aren’t properly invalidated during logout or a
period of inactivity.
16. Preventing broken authentication
Where possible, implement multi-factor authentication to prevent automated,
credential stuffing, brute force, and stolen credential re-use attacks.
Do not ship or deploy with any default credentials, particularly for admin users.
Implement weak-password checks, such as testing new or changed passwords
against a list of the top 10000 worst passwords.
Align password length, complexity and rotation policies with NIST 800-63 B’s
guidelines in section 5.1.1 for Memorized Secrets or other modern, evidence
based password policies.
17. Preventing broken authentication
Ensure registration, credential recovery, and API pathways are hardened against
account enumeration attacks by using the same messages for all outcomes.
Limit or increasingly delay failed login attempts. Log all failures and alert
administrators when credential stuffing, brute force, or other attacks are detected.
Use a server-side, secure, built-in session manager that generates a new random
session ID with high entropy after login. Session IDs should not be in the URL, be
securely stored and invalidated after logout, idle, and absolute timeouts.
18. 3. SENSITIVE DATA EXPOSURE
consists of compromising data that should have been protected.
Examples of Sensitive Data that requires protection:
1. Credentials e.g. usernames and passwords
2. Credit card numbers
3. Social Security Numbers
4. Medical information
5. Personally identifiable information (PII)
6. Other personal information
19. Types of sensitive data
Stored data – data at rest
Transmitted data – data that is transmitted internally between servers, or to web
browsers
20. Preventing sensitive data exposure
Classify data processed, stored or transmitted by an application. Identify which
data is sensitive according to privacy laws, regulatory requirements, or business
needs.
Apply controls as per the classification.
Don’t store sensitive data unnecessarily. Discard it as soon as possible. Data that is
not retained cannot be stolen.
Make sure to encrypt all sensitive data at rest.
Ensure up-to-date and strong standard algorithms, protocols, and keys are in
place; use proper key management.
21. Preventing sensitive data exposure
Encrypt all data in transit with secure protocols such as TLS with.
Disable caching for response that contain sensitive data.
Store passwords using strong adaptive and salted hashing functions with a work
factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.
Verify independently the effectiveness of configuration and settings.
22. 4. XML EXTERNAL ENTITIES (XEE)
• XML External Entity attack is a type of attack against an application that parses
XML input.
• This attack occurs when XML input containing a reference to an external entity is
processed by a weakly configured XML parser
24. Preventing XML external entity attacks
Whenever possible, use less complex data formats ,such as JSON, and avoid
serialization of sensitive data.
Patch or upgrade all XML processors and libraries in use by the application or on
the underlying operating system.
25. 5. BROKEN ACCESS CONTROL
In website security, access control means putting a limit on what sections or pages
visitors can reach, depending on their needs.
some examples of what we consider to be “access”:
1. Access to a hosting control / administrative panel
2. Access to a server via FTP / SFTP / SSH
3. Access to a website’s administrative panel
4. Access to other applications on your server
5. Access to a database
26. Broken access control examples
Scenario 1:
http://example.com/app/accountInfo?acct=notmyacct
An attacker simply modifies the ‘acct’ parameter in the browser to send whatever account
number they want. If not properly verified, the attacker can access any user’s account.
Scenario 2:
An attacker simply force browses to target URLs. Admin rights are required for access
to the admin page.
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo
27. Reducing risks of broken access control
Employ least privileged concepts – apply a role appropriate to the task and only for the amount of
time necessary to complete said task and no more.
Get rid of accounts you don’t need or whose user no longer requires it.
Audit your servers and websites – who is doing what, when, and why.
If possible, apply multi-factor authentication to all your access points.
Disable access points until they are needed in order to reduce your access windows.
Remove unnecessary services off your server.
Check applications that are externally accessible versus applications that are tied to your network.
If you are developing a website, bear in mind that a production box should not be the place to
develop, test, or push updates without testing.
28. 6. SECURITY MISCONFIGURATION
Is often the result of using default configurations or displaying excessively verbose
errors
Examples
1. The app server admin console is automatically installed and not removed
2. Directory listing is not disabled on your server
3. App server configuration allows stack traces to be returned to users, potentially
exposing underlying flaws
4. App server comes with sample applications that are not removed from your
production server
29. 7. CROSS-SITE SCRIPTING
• Occur when web applications allow users to add custom code into a url path or
onto a website that will be seen by other users
• This vulnerability can be exploited to run malicious JavaScript code on a victim’s
browser
Types of XSS
1. Reflected
2. Stored
3. DOM
30. 8. INSECURE DESERIALIZATION
This threat targets the many web applications which frequently serialize and
deserialize data.
The process of serialization is converting objects to byte strings.
The process of deserialization is converting byte strings to objects.
31. 9. USING COMPONENTS WITH KNOWN
VULNERABILITIES
Components, such as libraries, frameworks, and other software modules, run with
the same privileges as the application.
If a vulnerable component is exploited, such an attack can facilitate serious data
loss or server takeover.
Applications and APIs using components with known vulnerabilities may
undermine application defenses and enable various attacks and impacts.
32. An app is vulnerable if:
If you do not know the versions of all components you use (both client-side and
server-side). This includes components you directly use as well as nested
dependencies.
If software is vulnerable, unsupported, or out of date. This includes the OS,
web/application server, database management system (DBMS), applications, APIs
and all components, runtime environments, and libraries.
If you do not scan for vulnerabilities regularly and subscribe to security bulletins
related to the components you use.
33. An app is vulnerable if:
If you do not fix or upgrade the underlying platform, frameworks, and
dependencies in a risk-based, timely fashion. This commonly happens in
environments when patching is a monthly or quarterly task under change control,
which leaves organizations open to many days or months of unnecessary
exposure to fixed vulnerabilities.
If software developers do not test the compatibility of updated, upgraded, or
patched libraries.
34. 10. INSUFFICIENT LOGGING AND MONITORING
Not having an efficient logging and monitoring process in place can increase the
damage of a website compromise.
Attackers rely on the lack of monitoring and timely response to achieve their goals
without being detected.
This XXE payload defines an external entity &xxe; whose value is the contents of the /etc/passwd file and uses the entity within the productId value.
This causes the application's response to include the contents of the file
One of the attack vectors presented by OWASP regarding this security risk was a super cookie containing serialized information about the logged-in user. The role of the user was specified in this cookie.
If an attacker is able to deserialize an object successfully, then modify the object to give himself an admin role, serialize it again. This set of actions could compromise the whole web application.