SlideShare a Scribd company logo

OWASP, Application Security

Download as PPTX, PDF
Dilip Sharma
Dilip Sharma

OWASP, Application Security , TOP 10 threat , Security

Software
1 of 13
OWASP TOP-10 -2017 Dilip Sharma
• A1:2017 - Injection • A2:2017 - Broken Authentication • A3:2017 - Sensitive Data Exposure • A4:2017 - XML External Entities (XXE) • A5:2017 - Broken Access Control • A6:2017 - Security Misconfiguration • A7:2017 - Cross-Site Scripting (XSS) • A8:2017 - Insecure Deserialization • A9:2017 - Using Components with Known Vulnerabilities • A10:2017 - Insufficient Logging & Monitoring
• A1:2017 - Injection An application is vulnerable to attack when • User-supplied data is not validated, • User-supplied data is not filtered • User-supplied data is not sanitized • Dynamic queries or non-parameterized calls without context aware How to Detect Injection Flaw • Injection flaws are easy to discover when examining code. • Scanners and fuzzers can help attackers find injection flaws. Impact of Injection on Application Injection can result in • Data loss, corruption • Disclosure to unauthorized parties • Loss of accountability, • Denial of access. • Injection can sometimes lead to complete host takeover. How to Prevent • Preventing injection requires keeping data separate from commands and queries. • The preferred option is to use a safe API, which avoids the use of the interpreter entirely or provides a parameterized interface • Use positive or "whitelist" server-side input validation • Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization
• A7:2017 - Cross-Site Scripting (XSS) Impact of Injection on Application How to Detect Injection Flaw Automated tools can find some XSS problems automatically, particularly in mature technologies such as PHP, J2EE / JSP, and ASP.NET. How to Prevent • Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. • Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered. • Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. • User the OWASP Cheat Sheet 'XSS Prevention' has details on the required data escaping techniques. • • Enabling a Content Security Policy (CSP) is a defense-in- depth mitigating control against XSS XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two-thirds of all applications • The impact of XSS is moderate for (Reflected XSS ,DOM XSS) • The impact of XSS is severe for stored XSS, with remote code execution on the victim's browser, such as stealing credentials, sessions, or delivering malware to the victim.
• A3:2017 - Sensitive Data Exposure Impact of Injection on Application How to Detect Sesetive Data Expouser Flaw How to Prevent Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser Over the last few years, this has been the most common impactful attack. • The most common flaw is simply not encrypting sensitive data. • When crypto is employed, weak key generation and management, and weak algorithm, protocol and cipher usage is common, particularly for weak password hashing storage techniques. • For data in transit, server side weaknesses are mainly easy to detect. Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive personal information (PII) data such as health records, credentials, personal data, and credit cards, which often require protection as defined by laws or regulations such as the EU GDPR or local privacy laws. An application is vulnerable to attack when • If encryption not enforced, e.g. are any user agent (browser) security directives or headers missing. • If Is sensitive data stored in clear text, including backups. • If any old or weak cryptographic algorithms used either by default or in older code. • If any default crypto keys in use, weak crypto keys generated or re- used, or is proper key management or rotation missing. • The first thing is to determine the protection needs of data in transit and at rest. • Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs. • Apply controls as per the classification. • Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. • Disable caching for responses that contain sensitive data • Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as PBKDF2. https://www.republicworld.com/india-news/general-news/noida-fraudster-who-duped-14-lakh-e-commerce-customers- nabbed
• A4:2017 - XML External Entities (XXE) Impact of Injection on Application These flaws can be used to • Extract data • Execute a remote request from the server. • Scan internal systems. • Perform a denial-of-service attack, as well as execute other attacks. How to Detect XXE Flaw How to Prevent Developer training is essential to identify and mitigate XXE. Besides that, preventing XXE requires: • Whenever possible, use less complex data formats such as JSON. • Avoid serialization of sensitive data • Disable XML external entity and DTD processing in all XML parsers in the application • Update SOAP to SOAP 1.2 or higher • If above controls are not possible, consider using virtual patching, API security gateways, or Web Application Firewalls (WAFs) to detect, monitor, and block XXE attacks. SAST tools can discover this issue by inspecting dependencies and configuration. DAST tools require additional manual steps to detect and exploit this issue. Manual testers need to be trained in how to test for XXE, as it not commonly tested as of 2017-18 Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. An application is vulnerable to attack when • The application accepts XML directly or XML uploads, especially from untrusted sources, or inserts untrusted data into XML documents, which is then parsed by an XML processor. • Any of the XML processors in the application or SOAP based web services has document type definitions (DTDs) enabled. • If the application uses SOAP prior to version 1.2, it is likely susceptible to XXE attacks if XML entities are being passed to the SOAP framework • Being vulnerable to XXE attacks likely means that the application is vulnerable to denial of service attacks including the Billion Laughs attack. (https://en.wikipedia.org/wiki/Billion_laughs_attack)
• A5:2017 - Broken Access Control Impact of Injection on Application How to Detect Injection Flaw How to Prevent Access control is only effective if enforced in trusted server-side code or server-less API • With the exception of public resources, deny by default. • Implement access control mechanisms once and re-use them throughout the application, including minimizing CORS usage. • • Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record. • • Unique application business limit requirements should be enforced by domain models. • Disable web server directory list Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc. • Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool. • Allowing the primary key to be changed to another users record, permitting viewing or editing someone else's account. • Elevation of privilege. Acting as a user without being logged in, or acting as an admin when logged in as a user. • Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation • CORS misconfiguration allows unauthorized API access. • Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user. Accessing API with missing access controls for POST, PUT and DELETE An application is vulnerable to attack when The technical impact is attackers acting as users or administrators, or users using privileged functions, or creating, accessing, updating or deleting every record. Access control weaknesses are common due to the lack of automated detection, and lack of effective functional testing by application developers. Access control detection is not typically amenable to automated static or dynamic testing. Manual testing is the best way to detect missing or ineffective access control, including HTTP method (GET vs PUT, etc), controller, direct object references, etc
• A6:2017 - Security Misconfiguration Impact on Application How to Detect Security Misconfiguration Flaw How to Prevent • A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. • Development, QA, and production environments should all be configured identically, with different credentials used in each environment. • This process should be automated to minimize the effort required to setup a new secure environment Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion. XSS flaws occur whenever an application includes untrusted data in a new web page without • Missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services. • Unnecessary features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or privileges). • Default accounts and their passwords still enabled and unchanged. • Error handling reveals stack traces or other overly informative error messages to users. • For upgraded systems, latest security features are disabled or not configured securely. • The security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET), libraries, databases, etc. not set to secure values. • The server does not send security headers or directives or they are not set to secure values. An application is vulnerable to attack when • Security misconfiguration can happen at any level of • application stack • network service • platform • web server /application server • Database • frameworks /custom code, and pre-installed virtual machines, • Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy etc. • Give attackers unauthorized access to some system data or functionality. • May result in a complete system compromise.
• A7:2017 - Cross-Site Scripting (XSS) Impact of Injection on Application How to Detect Injection Flaw Automated tools can find some XSS problems automatically, particularly in mature technologies such as PHP, J2EE / JSP, and ASP.NET. How to Prevent • Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. • Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered. • Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. • User the OWASP Cheat Sheet 'XSS Prevention' has details on the required data escaping techniques. • • Enabling a Content Security Policy (CSP) is a defense-in- depth mitigating control against XSS XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two- thirds of all applications • The impact of XSS is moderate for (Reflected XSS ,DOM XSS) • The impact of XSS is severe for stored XSS, with remote code execution on the victim's browser, such as stealing credentials, sessions, or delivering malware to the victim.
• A8:2017 - Insecure Deserialization Impact of Insecure Deserialization on Application How to Detect Injection Flaw This issue is included in the Top 10 based on an industry survey and not on quantifiable data. Some tools can discover deserialization flaws, but human assistance is frequently needed to validate the problem How to Prevent • The only safe architectural pattern is not to accept serialized objects from untrusted sources or to use serialization mediums that only permit primitive data types. • Implementing integrity checks such as digital signatures on any serialized objects to prevent hostile object creation • Logging deserialization exceptions and failures, such as where the incoming type is not the expected type • Restricting or monitoring incoming and outgoing network connectivity from containers or servers that deserialize. • Monitoring deserialization, alerting if a user deserializes constantly. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. An application is vulnerable to attack when This can result in two primary types of attacks: • Object and data structure related attacks where the attacker modifies application logic or achieves arbitrary remote code execution if there are classes available to the application that can change behavior during or after deserialization. • Typical data tampering attacks, such as access-control-related attacks, where existing data structures are used but the content is changed The impact of deserialization flaws cannot be understated. These flaws can lead to remote code execution attacks, one of the most serious attacks possible. The business impact depends on the protection needs of the application and data.
• A9:2017 - Using Components with Known Vulnerabilities Impact of A9 on Application How to Detect Injection Flaw Area of this issue is very widespread. Component-heavy development patterns can lead to development teams not even understanding which components they use in their application or API, much less keeping them up to date. Some scanners such as retire.js help in detection, but determining exploitability requires additional effort. How to Prevent • Remove unused dependencies, unnecessary features, components, files, and documentation. • Only obtain components from official sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component. • Every organization must ensure that there is an ongoing plan for monitoring, triaging, and applying updates or configuration changes for the lifetime of the application or portfolio. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. An application is vulnerable to attack when • If you do not aware versions of all components you use (both client-side & server-side). Direct component + nested dependencies. • If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries. • If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion, which leads organizations open to many days or months of unnecessary exposure to fixed vulnerabilities. While some known vulnerabilities lead to only minor impacts, some of the largest breaches to date have relied on exploiting known vulnerabilities in components. Depending on the assets you are protecting, perhaps this risk should https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-251/Microsoft-Sql-Server.html
• A10:2017 - Insufficient Logging & Monitoring Impact of Injection on Application How to Detect Logging Flaw This issue is included in the Top 10 based on an industry survey. One strategy for determining if you have sufficient monitoring is to examine the logs following penetration testing. The testers’ actions should be recorded sufficiently to understand what damages they may have inflicted. How to Prevent As per the risk of the data stored or processed by the application: • Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and held for sufficient time to allow delayed forensic analysis. • Ensure that logs are generated in a format that can be easily consumed by a centralized log management solutions. • Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar. • Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion. • There are commercial and open source application protection frameworks such as • OWASP AppSensor, • OWASP ModSecurityCore Rule Set, Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. Insufficient logging, detection, monitoring and active response occurs any time: •Auditable events, such as logins, failed logins, and high-value transactions are not logged. •Warnings and errors generate no, inadequate, or unclear log messages. •Logs of applications and APIs are not monitored for suspicious activity. •Appropriate alerting thresholds and response escalation processes are not in place or effective. You are vulnerable to information leakage if you make logging and alerting events visible to a user or an attacker (see A3:Senstive Data exposure)
OWASP, Application Security

Recommended

OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security MisconfigurationOWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security MisconfigurationOWASP Khartoum
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Richard Sullivan
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesDilum Bandara
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaIshan Mathur
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationJiri Danihelka
 

Recommended

OWASP Top 10 - 2017
OWASP Top 10 - 2017OWASP Top 10 - 2017
OWASP Top 10 - 2017HackerOne
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
OWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security MisconfigurationOWASP Khartoum - Top 10 A6 - 8th meeting - Security Misconfiguration
OWASP Khartoum - Top 10 A6 - 8th meeting - Security MisconfigurationOWASP Khartoum
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Richard Sullivan
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesDilum Bandara
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaOWASP Top 10 Vulnerabilities 2017- AppTrana
OWASP Top 10 Vulnerabilities 2017- AppTranaIshan Mathur
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationJiri Danihelka
 
OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersBenjamin Floyd
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017ibrahimumer2
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesRIZWAN HASAN
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10Shivam Porwal
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10YasserElsnbary
 
Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Manjyot Singh
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Prathan Phongthiproek
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testingAvyaan, Web Security Company in India
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web ApplicationPrecise Testing Solution
 
Need for cybersecurity
Need for cybersecurityNeed for cybersecurity
Need for cybersecuritySri Manakula Vinayagar Engineering College
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10Shivam Porwal
 
Security Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android AppsSecurity Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android AppsSymosis Security (Previously C-Level Security)
 
Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1Setia Juli Irzal Ismail
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 

More Related Content

What's hot

OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersBenjamin Floyd
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksKun-Da Wu
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesRIZWAN HASAN
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Manjyot Singh
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Prathan Phongthiproek
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 

What's hot (20)

OWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web DevelopersOWASP Top 10 List Overview for Web Developers
OWASP Top 10 List Overview for Web Developers
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
 
Owasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilitiesOwasp top 10 & Web vulnerabilities
Owasp top 10 & Web vulnerabilities
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
 
Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20Point-Of-Sale Hacking - 2600Thailand#20
Point-Of-Sale Hacking - 2600Thailand#20
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilities
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web Application
 
Need for cybersecurity
Need for cybersecurityNeed for cybersecurity
Need for cybersecurity
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
Security Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android AppsSecurity Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android Apps
 

Similar to OWASP, Application Security

Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Secure code practices
Secure code practicesSecure code practices
Secure code practicesHina Rawal
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEArun Voleti
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Sampath Bhargav Pinnam
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanAkash Mahajan
 
owasp features in secure coding techniques
owasp features in secure coding techniquesowasp features in secure coding techniques
owasp features in secure coding techniquesSri Latha
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)TzahiArabov
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Truetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTruetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTrueTesters
 

Similar to OWASP, Application Security (20)

Web security uploadv1
Web security uploadv1Web security uploadv1
Web security uploadv1
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
 
Cybersecurity update 12
Cybersecurity update 12Cybersecurity update 12
Cybersecurity update 12
 
owasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWEowasp top 10 security risk categories and CWE
owasp top 10 security risk categories and CWE
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdfJonathan Singer - Wheezing The Juice.pdf
Jonathan Singer - Wheezing The Juice.pdf
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
owasp features in secure coding techniques
owasp features in secure coding techniquesowasp features in secure coding techniques
owasp features in secure coding techniques
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
 
WebApp_to_Container_Security.pdf
WebApp_to_Container_Security.pdfWebApp_to_Container_Security.pdf
WebApp_to_Container_Security.pdf
 
Joomla web application development vulnerabilities
Joomla web application development vulnerabilitiesJoomla web application development vulnerabilities
Joomla web application development vulnerabilities
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Truetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web VulnerabilityTruetesters presents OWASP Top 10 Web Vulnerability
Truetesters presents OWASP Top 10 Web Vulnerability
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
 

Recently uploaded

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 

Recently uploaded (20)

Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Exploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the ProcessExploring iOS App Development: Simplifying the Process
Exploring iOS App Development: Simplifying the Process
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 

OWASP, Application Security

  • 2. • A1:2017 - Injection • A2:2017 - Broken Authentication • A3:2017 - Sensitive Data Exposure • A4:2017 - XML External Entities (XXE) • A5:2017 - Broken Access Control • A6:2017 - Security Misconfiguration • A7:2017 - Cross-Site Scripting (XSS) • A8:2017 - Insecure Deserialization • A9:2017 - Using Components with Known Vulnerabilities • A10:2017 - Insufficient Logging & Monitoring
  • 3. • A1:2017 - Injection An application is vulnerable to attack when • User-supplied data is not validated, • User-supplied data is not filtered • User-supplied data is not sanitized • Dynamic queries or non-parameterized calls without context aware How to Detect Injection Flaw • Injection flaws are easy to discover when examining code. • Scanners and fuzzers can help attackers find injection flaws. Impact of Injection on Application Injection can result in • Data loss, corruption • Disclosure to unauthorized parties • Loss of accountability, • Denial of access. • Injection can sometimes lead to complete host takeover. How to Prevent • Preventing injection requires keeping data separate from commands and queries. • The preferred option is to use a safe API, which avoids the use of the interpreter entirely or provides a parameterized interface • Use positive or "whitelist" server-side input validation • Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization
  • 4. • A7:2017 - Cross-Site Scripting (XSS) Impact of Injection on Application How to Detect Injection Flaw Automated tools can find some XSS problems automatically, particularly in mature technologies such as PHP, J2EE / JSP, and ASP.NET. How to Prevent • Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. • Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered. • Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. • User the OWASP Cheat Sheet 'XSS Prevention' has details on the required data escaping techniques. • • Enabling a Content Security Policy (CSP) is a defense-in- depth mitigating control against XSS XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two-thirds of all applications • The impact of XSS is moderate for (Reflected XSS ,DOM XSS) • The impact of XSS is severe for stored XSS, with remote code execution on the victim's browser, such as stealing credentials, sessions, or delivering malware to the victim.
  • 5. • A3:2017 - Sensitive Data Exposure Impact of Injection on Application How to Detect Sesetive Data Expouser Flaw How to Prevent Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser Over the last few years, this has been the most common impactful attack. • The most common flaw is simply not encrypting sensitive data. • When crypto is employed, weak key generation and management, and weak algorithm, protocol and cipher usage is common, particularly for weak password hashing storage techniques. • For data in transit, server side weaknesses are mainly easy to detect. Failure frequently compromises all data that should have been protected. Typically, this information includes sensitive personal information (PII) data such as health records, credentials, personal data, and credit cards, which often require protection as defined by laws or regulations such as the EU GDPR or local privacy laws. An application is vulnerable to attack when • If encryption not enforced, e.g. are any user agent (browser) security directives or headers missing. • If Is sensitive data stored in clear text, including backups. • If any old or weak cryptographic algorithms used either by default or in older code. • If any default crypto keys in use, weak crypto keys generated or re- used, or is proper key management or rotation missing. • The first thing is to determine the protection needs of data in transit and at rest. • Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs. • Apply controls as per the classification. • Don’t store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. • Disable caching for responses that contain sensitive data • Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as PBKDF2. https://www.republicworld.com/india-news/general-news/noida-fraudster-who-duped-14-lakh-e-commerce-customers- nabbed
  • 6. • A4:2017 - XML External Entities (XXE) Impact of Injection on Application These flaws can be used to • Extract data • Execute a remote request from the server. • Scan internal systems. • Perform a denial-of-service attack, as well as execute other attacks. How to Detect XXE Flaw How to Prevent Developer training is essential to identify and mitigate XXE. Besides that, preventing XXE requires: • Whenever possible, use less complex data formats such as JSON. • Avoid serialization of sensitive data • Disable XML external entity and DTD processing in all XML parsers in the application • Update SOAP to SOAP 1.2 or higher • If above controls are not possible, consider using virtual patching, API security gateways, or Web Application Firewalls (WAFs) to detect, monitor, and block XXE attacks. SAST tools can discover this issue by inspecting dependencies and configuration. DAST tools require additional manual steps to detect and exploit this issue. Manual testers need to be trained in how to test for XXE, as it not commonly tested as of 2017-18 Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. An application is vulnerable to attack when • The application accepts XML directly or XML uploads, especially from untrusted sources, or inserts untrusted data into XML documents, which is then parsed by an XML processor. • Any of the XML processors in the application or SOAP based web services has document type definitions (DTDs) enabled. • If the application uses SOAP prior to version 1.2, it is likely susceptible to XXE attacks if XML entities are being passed to the SOAP framework • Being vulnerable to XXE attacks likely means that the application is vulnerable to denial of service attacks including the Billion Laughs attack. (https://en.wikipedia.org/wiki/Billion_laughs_attack)
  • 7. • A5:2017 - Broken Access Control Impact of Injection on Application How to Detect Injection Flaw How to Prevent Access control is only effective if enforced in trusted server-side code or server-less API • With the exception of public resources, deny by default. • Implement access control mechanisms once and re-use them throughout the application, including minimizing CORS usage. • • Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record. • • Unique application business limit requirements should be enforced by domain models. • Disable web server directory list Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc. • Bypassing access control checks by modifying the URL, internal application state, or the HTML page, or simply using a custom API attack tool. • Allowing the primary key to be changed to another users record, permitting viewing or editing someone else's account. • Elevation of privilege. Acting as a user without being logged in, or acting as an admin when logged in as a user. • Metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token or a cookie or hidden field manipulated to elevate privileges, or abusing JWT invalidation • CORS misconfiguration allows unauthorized API access. • Force browsing to authenticated pages as an unauthenticated user or to privileged pages as a standard user. Accessing API with missing access controls for POST, PUT and DELETE An application is vulnerable to attack when The technical impact is attackers acting as users or administrators, or users using privileged functions, or creating, accessing, updating or deleting every record. Access control weaknesses are common due to the lack of automated detection, and lack of effective functional testing by application developers. Access control detection is not typically amenable to automated static or dynamic testing. Manual testing is the best way to detect missing or ineffective access control, including HTTP method (GET vs PUT, etc), controller, direct object references, etc
  • 8. • A6:2017 - Security Misconfiguration Impact on Application How to Detect Security Misconfiguration Flaw How to Prevent • A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. • Development, QA, and production environments should all be configured identically, with different credentials used in each environment. • This process should be automated to minimize the effort required to setup a new secure environment Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion. XSS flaws occur whenever an application includes untrusted data in a new web page without • Missing appropriate security hardening across any part of the application stack, or improperly configured permissions on cloud services. • Unnecessary features are enabled or installed (e.g. unnecessary ports, services, pages, accounts, or privileges). • Default accounts and their passwords still enabled and unchanged. • Error handling reveals stack traces or other overly informative error messages to users. • For upgraded systems, latest security features are disabled or not configured securely. • The security settings in the application servers, application frameworks (e.g. Struts, Spring, ASP.NET), libraries, databases, etc. not set to secure values. • The server does not send security headers or directives or they are not set to secure values. An application is vulnerable to attack when • Security misconfiguration can happen at any level of • application stack • network service • platform • web server /application server • Database • frameworks /custom code, and pre-installed virtual machines, • Automated scanners are useful for detecting misconfigurations, use of default accounts or configurations, unnecessary services, legacy etc. • Give attackers unauthorized access to some system data or functionality. • May result in a complete system compromise.
  • 9. • A7:2017 - Cross-Site Scripting (XSS) Impact of Injection on Application How to Detect Injection Flaw Automated tools can find some XSS problems automatically, particularly in mature technologies such as PHP, J2EE / JSP, and ASP.NET. How to Prevent • Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. • Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered. • Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. • User the OWASP Cheat Sheet 'XSS Prevention' has details on the required data escaping techniques. • • Enabling a Content Security Policy (CSP) is a defense-in- depth mitigating control against XSS XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two- thirds of all applications • The impact of XSS is moderate for (Reflected XSS ,DOM XSS) • The impact of XSS is severe for stored XSS, with remote code execution on the victim's browser, such as stealing credentials, sessions, or delivering malware to the victim.
  • 10. • A8:2017 - Insecure Deserialization Impact of Insecure Deserialization on Application How to Detect Injection Flaw This issue is included in the Top 10 based on an industry survey and not on quantifiable data. Some tools can discover deserialization flaws, but human assistance is frequently needed to validate the problem How to Prevent • The only safe architectural pattern is not to accept serialized objects from untrusted sources or to use serialization mediums that only permit primitive data types. • Implementing integrity checks such as digital signatures on any serialized objects to prevent hostile object creation • Logging deserialization exceptions and failures, such as where the incoming type is not the expected type • Restricting or monitoring incoming and outgoing network connectivity from containers or servers that deserialize. • Monitoring deserialization, alerting if a user deserializes constantly. Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. An application is vulnerable to attack when This can result in two primary types of attacks: • Object and data structure related attacks where the attacker modifies application logic or achieves arbitrary remote code execution if there are classes available to the application that can change behavior during or after deserialization. • Typical data tampering attacks, such as access-control-related attacks, where existing data structures are used but the content is changed The impact of deserialization flaws cannot be understated. These flaws can lead to remote code execution attacks, one of the most serious attacks possible. The business impact depends on the protection needs of the application and data.
  • 11. • A9:2017 - Using Components with Known Vulnerabilities Impact of A9 on Application How to Detect Injection Flaw Area of this issue is very widespread. Component-heavy development patterns can lead to development teams not even understanding which components they use in their application or API, much less keeping them up to date. Some scanners such as retire.js help in detection, but determining exploitability requires additional effort. How to Prevent • Remove unused dependencies, unnecessary features, components, files, and documentation. • Only obtain components from official sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component. • Every organization must ensure that there is an ongoing plan for monitoring, triaging, and applying updates or configuration changes for the lifetime of the application or portfolio. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. An application is vulnerable to attack when • If you do not aware versions of all components you use (both client-side & server-side). Direct component + nested dependencies. • If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database management system (DBMS), applications, APIs and all components, runtime environments, and libraries. • If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion, which leads organizations open to many days or months of unnecessary exposure to fixed vulnerabilities. While some known vulnerabilities lead to only minor impacts, some of the largest breaches to date have relied on exploiting known vulnerabilities in components. Depending on the assets you are protecting, perhaps this risk should https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-251/Microsoft-Sql-Server.html
  • 12. • A10:2017 - Insufficient Logging & Monitoring Impact of Injection on Application How to Detect Logging Flaw This issue is included in the Top 10 based on an industry survey. One strategy for determining if you have sufficient monitoring is to examine the logs following penetration testing. The testers’ actions should be recorded sufficiently to understand what damages they may have inflicted. How to Prevent As per the risk of the data stored or processed by the application: • Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and held for sufficient time to allow delayed forensic analysis. • Ensure that logs are generated in a format that can be easily consumed by a centralized log management solutions. • Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar. • Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion. • There are commercial and open source application protection frameworks such as • OWASP AppSensor, • OWASP ModSecurityCore Rule Set, Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. Insufficient logging, detection, monitoring and active response occurs any time: •Auditable events, such as logins, failed logins, and high-value transactions are not logged. •Warnings and errors generate no, inadequate, or unclear log messages. •Logs of applications and APIs are not monitored for suspicious activity. •Appropriate alerting thresholds and response escalation processes are not in place or effective. You are vulnerable to information leakage if you make logging and alerting events visible to a user or an attacker (see A3:Senstive Data exposure)