Vishal Kumar, profile picture
Uploaded byVishal Kumar
PPTX, PDF585 views

Owasp top 10 security threats

The document summarizes the OWASP Top 10 security threats. It describes each of the top 10 threats, including injection, broken authentication, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing access controls, cross-site request forgery, use of vulnerable components, and unsafe redirects/forwards. For each threat, it provides a brief explanation of the meaning and potential impacts, such as data loss, account compromise, or full host takeover. The document encourages implementing people, process, and technology measures to address application security issues.

Education
In this document
Powered by AI

Introduction to OWASP and its mission to improve application security through community efforts.

Explains injection vulnerabilities like SQL, OS, LDAP leading to data loss, corruption, or access denial.

Discusses flaws in authentication leading to compromised credentials and identity theft.

Details XSS flaws that allow script execution in users' browsers causing session hijacking.

Describes risks of exposing internal object references without access control, allowing data manipulation.

Highlights the importance of secure configurations to prevent data compromises and expensive recoveries.

Outlines the vulnerabilities in protecting sensitive data leading to fraud and identity theft.

Discusses flaws in access verification that allow unauthorized functionality access.

Explains CSRF attacks enabling unauthorized requests through the victim's session.

Describes the risks of using vulnerable libraries and components, exposing applications to attacks.

Explains risks in web redirects allowing attackers to direct users to harmful sites.

Encourages audience to like, share, and subscribe to further content regarding application security.

Embed presentation

Downloaded 10 times
OWASP 10 Security Threats By: Vishal Kumar (CEH | CHFI | CISE | MCP) theprohackers2017@gmail.com
About OWASP The OWASP Foundation came online on December 1st 2001 it was established as a not-for-profit charitable organization in the United States on April 21, 2004. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. OWASP advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas. OWASP can be found at www.owasp.org. OWASP is not affiliated with any technology company. Similar to many open- source software projects, OWASP produces many types of materials in a collaborative and open way. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success.
A1-Injection Injection means “to input something in somewhere” the attacker use the tricks to the interpreter into executing unintended (malicious) commands or accessing data without authority. The types are: SQL, OS, and LDAP, injection occur when important data is sent to an interpreter (attacker) as part of a command or query. Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover. Meaning Impact
A2-Broken Authentication and Session Management Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Meaning Impact SERVER
A3- Cross-Site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc. Meaning Impact MODERATE
A4-Insecure Direct Object Reference A direct object reference also called “Parameter Tempering” occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. Such flaws can compromise all the data that can be referenced by the parameter. it’s easy for an attacker to access all available data of that type. Meaning Impact MODERATE
A5-Security Misconfiguration Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. The system could be completely compromised without you knowing it. All of your data could be stolen or modified slowly over time. Recovery costs could be expensive. Meaning Impact MODERATE
A6- Sensitive Data Exposer Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc. Meaning Impact SERVER
A7-Missing Functional Level Access Control Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization. Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack. Meaning Impact MODERATOR
A8-Cross-Site Request Forgery A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. Attackers can trick victims into performing any state changing operation the victim is authorized to perform, e.g., updating account details, making purchases, logout and even login. Meaning Impact MODERATOR
A9- Using Components with Known Vulnerabilities Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise. Meaning Impact MODERATOR
A10-Unvalidated Redirects and Forwards Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass. Meaning Impact MODERATOR
Please Like and Share this presentation and please subscribe my YouTube channel for more videos. www.prohackers.in https://www.youtube.com/channel/UCcyYSi1sh1SmyMlGfB-Vq6A https://www.facebook.com/theprohackers2017/ For any suggestion and query please write us on: Theprohackers2017@gmail.com Thanking You…!!!

More Related Content

PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
PPT
Application Security
byReggie Niccolo Santos
 
ODP
Web Application Firewall
byChandrapal Badshah
 
PPTX
Cross Site Scripting
byAli Mattash
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
PPTX
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
byAndre Van Klaveren
 
PPTX
Owasp top 10 vulnerabilities
byOWASP Delhi
 
PDF
Cross site scripting
byn|u - The Open Security Community
 
OWASP Top 10 2021 What's New
byMichael Furman
 
Application Security
byReggie Niccolo Santos
 
Web Application Firewall
byChandrapal Badshah
 
Cross Site Scripting
byAli Mattash
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
byAndre Van Klaveren
 
Owasp top 10 vulnerabilities
byOWASP Delhi
 
Cross site scripting
byn|u - The Open Security Community
 

What's hot

PPT
IDS and IPS
bySantosh Khadsare
 
PDF
OWASP API Security Top 10 - API World
by42Crunch
 
PPTX
Reflective and Stored XSS- Cross Site Scripting
byInMobi Technology
 
PDF
OWASP Top 10 - 2017
byHackerOne
 
PDF
Web Application Penetration Testing
byPriyanka Aash
 
PDF
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
byAjin Abraham
 
PDF
Insecure direct object reference (null delhi meet)
byAbhinav Mishra
 
PPTX
Web application security
byKapil Sharma
 
PPTX
Firewalls in network security
byVikram Khanna
 
PDF
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
byLenur Dzhemiliev
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
PDF
4 palo alto licenses
byMostafa El Lathy
 
PPT
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
PPTX
Broken Authentication and Authorization(1).pptx
byManahari Darshika Pemarathna
 
PDF
Secure Session Management
byGuidePoint Security, LLC
 
PPTX
Honeypot
byShashwat Shriparv
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PPT
Introduction To OWASP
byMarco Morana
 
PPTX
Cross Site Scripting (XSS)
byBarrel Software
 
PPTX
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 
IDS and IPS
bySantosh Khadsare
 
OWASP API Security Top 10 - API World
by42Crunch
 
Reflective and Stored XSS- Cross Site Scripting
byInMobi Technology
 
OWASP Top 10 - 2017
byHackerOne
 
Web Application Penetration Testing
byPriyanka Aash
 
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...
byAjin Abraham
 
Insecure direct object reference (null delhi meet)
byAbhinav Mishra
 
Web application security
byKapil Sharma
 
Firewalls in network security
byVikram Khanna
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
byLenur Dzhemiliev
 
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
4 palo alto licenses
byMostafa El Lathy
 
Introduction to Web Application Penetration Testing
byAnurag Srivastava
 
Broken Authentication and Authorization(1).pptx
byManahari Darshika Pemarathna
 
Secure Session Management
byGuidePoint Security, LLC
 
Honeypot
byShashwat Shriparv
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Introduction To OWASP
byMarco Morana
 
Cross Site Scripting (XSS)
byBarrel Software
 
Android Application Penetration Testing - Mohammed Adam
byMohammed Adam
 

Viewers also liked

PPTX
[Wroclaw #5] OWASP Projects: beyond Top 10
byOWASP
 
PPTX
Exploiting parameter tempering attack in web application
byVishal Kumar
 
PDF
Geneva Application Security Forum: Vers une authentification plus forte dans ...
bySylvain Maret
 
PDF
OWASP TOP 10 Proactive
byAbdessamad TEMMAR
 
PDF
Sécurité et Quaité de code PHP
byJean-Marie Renouard
 
PDF
Javascript et JQuery
byJean-Marie Renouard
 
PPTX
Web Application Security | A developer's perspective - Insecure Direct Object...
byn|u - The Open Security Community
 
PDF
Rebooting Software Development - OWASP AppSecUSA
byNick Galbreath
 
KEY
Owasp Au Rev4
bysumsid1234
 
PPTX
Owasp top-ten-mapping-2015-05-lwc
byKaty Anton
 
PDF
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
byAbraham Aranguren
 
PDF
State of OWASP 2015
bytmd800
 
PPTX
OWASP Free Training - SF2014 - Keary and Manico
byEoin Keary
 
PPTX
RSA Europe 2013 OWASP Training
byJim Manico
 
PDF
OWASP Top Ten in Practice
bySecurity Innovation
 
PPTX
OWASP Open SAMM
byintive
 
PDF
2013 OWASP Top 10
bybilcorry
 
ODP
Basic of SSDLC
byChitpong Wuttanan
 
PPTX
The OWASP Zed Attack Proxy
byAditya Gupta
 
PDF
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
[Wroclaw #5] OWASP Projects: beyond Top 10
byOWASP
 
Exploiting parameter tempering attack in web application
byVishal Kumar
 
Geneva Application Security Forum: Vers une authentification plus forte dans ...
bySylvain Maret
 
OWASP TOP 10 Proactive
byAbdessamad TEMMAR
 
Sécurité et Quaité de code PHP
byJean-Marie Renouard
 
Javascript et JQuery
byJean-Marie Renouard
 
Web Application Security | A developer's perspective - Insecure Direct Object...
byn|u - The Open Security Community
 
Rebooting Software Development - OWASP AppSecUSA
byNick Galbreath
 
Owasp Au Rev4
bysumsid1234
 
Owasp top-ten-mapping-2015-05-lwc
byKaty Anton
 
OWASP OWTF - Summer Storm - OWASP AppSec EU 2013
byAbraham Aranguren
 
State of OWASP 2015
bytmd800
 
OWASP Free Training - SF2014 - Keary and Manico
byEoin Keary
 
RSA Europe 2013 OWASP Training
byJim Manico
 
OWASP Top Ten in Practice
bySecurity Innovation
 
OWASP Open SAMM
byintive
 
2013 OWASP Top 10
bybilcorry
 
Basic of SSDLC
byChitpong Wuttanan
 
The OWASP Zed Attack Proxy
byAditya Gupta
 
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 

Similar to Owasp top 10 security threats

ODP
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
byTabăra de Testare
 
PPTX
Application Security Vulnerabilities: OWASP Top 10 -2007
byVaibhav Gupta
 
PDF
Web application sec_3
byvhimsikal
 
PDF
Owasp Top 10
byShivam Porwal
 
PDF
Solvay secure application layer v2015 seba
bySebastien Deleersnyder
 
PPTX
Owasp 2017 oveview
byShreyas N
 
PDF
Web Application Security 101
byCybersecurity Education and Research Centre
 
PDF
OWASP Top 10 (2010 release candidate 1)
byJeremiah Grossman
 
PPTX
Security workshop - Lets get our hands dirty!!
byManjyot Singh
 
PDF
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
PDF
OWASP Top 10
byArthur Shvetsov
 
PPTX
Owasp top 10 2017
byibrahimumer2
 
DOCX
supraja technologies material for secure coding
bySri Latha
 
PDF
Ofer Maor - OWASP Top 10
byCSAIsrael
 
PPTX
CyberSecurityppt. pptx
byiamayesha2526
 
PPTX
OWASP top 10-2013
bytmd800
 
PPT
Owasp top 10 & Web vulnerabilities
byRIZWAN HASAN
 
PPTX
Web and Mobile Application Security
byPrateek Jain
 
PDF
A talk on OWASP Top 10 by Mukunda Tamly
bynull - The Open Security Community
 
PDF
Owasp Top 10-2013
byn|u - The Open Security Community
 
The OWASP Top 10 Most Critical Web App Security Risks - TdT@Cluj #20
byTabăra de Testare
 
Application Security Vulnerabilities: OWASP Top 10 -2007
byVaibhav Gupta
 
Web application sec_3
byvhimsikal
 
Owasp Top 10
byShivam Porwal
 
Solvay secure application layer v2015 seba
bySebastien Deleersnyder
 
Owasp 2017 oveview
byShreyas N
 
Web Application Security 101
byCybersecurity Education and Research Centre
 
OWASP Top 10 (2010 release candidate 1)
byJeremiah Grossman
 
Security workshop - Lets get our hands dirty!!
byManjyot Singh
 
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
OWASP Top 10
byArthur Shvetsov
 
Owasp top 10 2017
byibrahimumer2
 
supraja technologies material for secure coding
bySri Latha
 
Ofer Maor - OWASP Top 10
byCSAIsrael
 
CyberSecurityppt. pptx
byiamayesha2526
 
OWASP top 10-2013
bytmd800
 
Owasp top 10 & Web vulnerabilities
byRIZWAN HASAN
 
Web and Mobile Application Security
byPrateek Jain
 
A talk on OWASP Top 10 by Mukunda Tamly
bynull - The Open Security Community
 
Owasp Top 10-2013
byn|u - The Open Security Community
 

More from Vishal Kumar

PDF
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
PDF
The Complete Questionnaires About Firewall
byVishal Kumar
 
PDF
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
byVishal Kumar
 
PDF
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
byVishal Kumar
 
PDF
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
byVishal Kumar
 
PDF
Exploiting Client-Side Vulnerabilities and Establishing a VNC Session
byVishal Kumar
 
PPTX
Auditing System Password Using L0phtcrack
byVishal Kumar
 
PPTX
Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
byVishal Kumar
 
PPTX
Fundamental of Secure Socket Layer (SSL) | Part - 2
byVishal Kumar
 
PDF
The Fundamental of Electronic Mail (E-mail)
byVishal Kumar
 
PPTX
Fundamental of Secure Socket Layer (SSl) | Part - 1
byVishal Kumar
 
PPTX
The Fundamental of Secure Socket Layer (SSL)
byVishal Kumar
 
PPTX
Hawkeye the Credential Theft Maalware
byVishal Kumar
 
PPTX
Deep understanding on Cross-Site Scripting and SQL Injection
byVishal Kumar
 
PPTX
Mirroring web site using ht track
byVishal Kumar
 
PPTX
Collecting email from the target domain using the harvester
byVishal Kumar
 
PPTX
Information gathering using windows command line utility
byVishal Kumar
 
PPTX
Introduction ethical hacking
byVishal Kumar
 
PPTX
Social engineering
byVishal Kumar
 
PPTX
Social engineering
byVishal Kumar
 
Threat Hunting Procedures and Measurement Matrice
byVishal Kumar
 
The Complete Questionnaires About Firewall
byVishal Kumar
 
E-mail Security Protocol - 2 Pretty Good Privacy (PGP)
byVishal Kumar
 
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
byVishal Kumar
 
Privileges Escalation by Exploiting Client-Side Vulnerabilities Using Metasploit
byVishal Kumar
 
Exploiting Client-Side Vulnerabilities and Establishing a VNC Session
byVishal Kumar
 
Auditing System Password Using L0phtcrack
byVishal Kumar
 
Dumping and Cracking SAM Hashes to Extract Plaintext Passwords
byVishal Kumar
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
byVishal Kumar
 
The Fundamental of Electronic Mail (E-mail)
byVishal Kumar
 
Fundamental of Secure Socket Layer (SSl) | Part - 1
byVishal Kumar
 
The Fundamental of Secure Socket Layer (SSL)
byVishal Kumar
 
Hawkeye the Credential Theft Maalware
byVishal Kumar
 
Deep understanding on Cross-Site Scripting and SQL Injection
byVishal Kumar
 
Mirroring web site using ht track
byVishal Kumar
 
Collecting email from the target domain using the harvester
byVishal Kumar
 
Information gathering using windows command line utility
byVishal Kumar
 
Introduction ethical hacking
byVishal Kumar
 
Social engineering
byVishal Kumar
 
Social engineering
byVishal Kumar
 

Recently uploaded

PPTX
Planning Assessment for Outcome-based Education
byAdri Jovin
 
PPTX
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
PDF
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
PDF
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
PPTX
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
PPTX
Expected Revenue Report In Odoo 18 CRM
byCeline George
 
PPTX
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
PPTX
3 G8_Q3_L3_ (Cartoon as Representation in Opinion Editorial Article).pptx
byNorafeSahagun
 
PPTX
Nursing Unit Management, patient care unit, physical layout of nursing unit,t...
byyellow4878
 
PDF
International Men's Day Event: Breaking the Silence: Embracing Vulnerability ...
byAssociation for Project Management
 
PPTX
AN EXTREMELY BORING GENERAL QUIZ FOR UG.pptx
bySriramG47
 
PPTX
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PPTX
PURPOSIVE SAMPLING IN EDUCATIONAL RESEARCH RACHITHRA RK.pptx
byssuser047b711
 
PPTX
Multiple Linear Regression - Least Square Method X₁ on X₂ and X₃
bySundar B N
 
PDF
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
PDF
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
PPTX
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
PPTX
Overview of how to Create a Model in Odoo 18
byCeline George
 
PDF
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
PPTX
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
Planning Assessment for Outcome-based Education
byAdri Jovin
 
How to Configure Push & Pull Rule in Odoo 18 Inventory
byCeline George
 
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
Expected Revenue Report In Odoo 18 CRM
byCeline George
 
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
3 G8_Q3_L3_ (Cartoon as Representation in Opinion Editorial Article).pptx
byNorafeSahagun
 
Nursing Unit Management, patient care unit, physical layout of nursing unit,t...
byyellow4878
 
International Men's Day Event: Breaking the Silence: Embracing Vulnerability ...
byAssociation for Project Management
 
AN EXTREMELY BORING GENERAL QUIZ FOR UG.pptx
bySriramG47
 
TAMIS & TEMS - HOW, WHY and THE STEPS IN PROCTOLOGY
byJohn Thanakumar
 
PURPOSIVE SAMPLING IN EDUCATIONAL RESEARCH RACHITHRA RK.pptx
byssuser047b711
 
Multiple Linear Regression - Least Square Method X₁ on X₂ and X₃
bySundar B N
 
DHA/HAAD/MOH/DOH OPTOMETRY MCQ PYQ. .pdf
byAnmol Singh
 
Types of eggs and Egg membranes (Developmental Zoology)
bySudhandraKarthi
 
Access partner report in Odoo 18.2 _ Odoo 19
byCeline George
 
Overview of how to Create a Model in Odoo 18
byCeline George
 
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 

Owasp top 10 security threats

  • 1.
    OWASP 10 Security Threats By:Vishal Kumar (CEH | CHFI | CISE | MCP) theprohackers2017@gmail.com
  • 2.
    About OWASP The OWASPFoundation came online on December 1st 2001 it was established as a not-for-profit charitable organization in the United States on April 21, 2004. OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security. OWASP advocate approaching application security as a people, process, and technology problem because the most effective approaches to application security include improvements in all of these areas. OWASP can be found at www.owasp.org. OWASP is not affiliated with any technology company. Similar to many open- source software projects, OWASP produces many types of materials in a collaborative and open way. The OWASP Foundation is a not-for-profit entity that ensures the project's long-term success.
  • 3.
    A1-Injection Injection means “toinput something in somewhere” the attacker use the tricks to the interpreter into executing unintended (malicious) commands or accessing data without authority. The types are: SQL, OS, and LDAP, injection occur when important data is sent to an interpreter (attacker) as part of a command or query. Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover. Meaning Impact
  • 4.
    A2-Broken Authentication and Session Management Applicationfunctions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. Such flaws may allow some or even all accounts to be attacked. Once successful, the attacker can do anything the victim could do. Meaning Impact SERVER
  • 5.
    A3- Cross-Site Scripting (XSS) XSSflaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc. Meaning Impact MODERATE
  • 6.
    A4-Insecure Direct Object Reference A directobject reference also called “Parameter Tempering” occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data. Such flaws can compromise all the data that can be referenced by the parameter. it’s easy for an attacker to access all available data of that type. Meaning Impact MODERATE
  • 7.
    A5-Security Misconfiguration Good security requireshaving a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date. The system could be completely compromised without you knowing it. All of your data could be stolen or modified slowly over time. Recovery costs could be expensive. Meaning Impact MODERATE
  • 8.
    A6- Sensitive Data Exposer Manyweb applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser. compromises all data that should have been protected. Typically, this information includes sensitive data such as health records, credentials, personal data, credit cards, etc. Meaning Impact SERVER
  • 9.
    A7-Missing Functional Level Access Control Mostweb applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization. Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack. Meaning Impact MODERATOR
  • 10.
    A8-Cross-Site Request Forgery A CSRFattack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim. Attackers can trick victims into performing any state changing operation the victim is authorized to perform, e.g., updating account details, making purchases, logout and even login. Meaning Impact MODERATOR
  • 11.
    A9- Using Components with KnownVulnerabilities Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts. The full range of weaknesses is possible, including injection, broken access control, XSS, etc. The impact could range from minimal to complete host takeover and data compromise. Meaning Impact MODERATOR
  • 12.
    A10-Unvalidated Redirects and Forwards Web applicationsfrequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. Such redirects may attempt to install malware or trick victims into disclosing passwords or other sensitive information. Unsafe forwards may allow access control bypass. Meaning Impact MODERATOR
  • 13.
    Please Like andShare this presentation and please subscribe my YouTube channel for more videos. www.prohackers.in https://www.youtube.com/channel/UCcyYSi1sh1SmyMlGfB-Vq6A https://www.facebook.com/theprohackers2017/ For any suggestion and query please write us on: Theprohackers2017@gmail.com Thanking You…!!!