Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.
OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.
APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.
In this session we’ll discuss:
· What makes API Security different from web application security
· The top 10 common API security vulnerabilities
· Examples and mitigation strategies for each of the risks
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
Slides for my webinar "API Security Fundamentals". They cover
👉 𝐎𝐖𝐀𝐒𝐏’𝐬 𝐭𝐨𝐩 𝟏𝟎 API security vulnerabilities with suggestions on how to avoid them, including the 2019 and the 2023 versions.
👉 API authorization and authentication using 𝐎𝐀𝐮𝐭𝐡 and 𝐎𝐈𝐃𝐂
👉 How certain 𝐀𝐏𝐈 𝐝𝐞𝐬𝐢𝐠𝐧𝐬 expose vulnerabilities and how to prevent them
👉 APIs sit within a wider system and therefore API security requires a 𝐡𝐨𝐥𝐢𝐬𝐭𝐢𝐜 𝐚𝐩𝐩𝐫𝐨𝐚𝐜𝐡. I’ll talk about elements “around the API” that also need to be protected
👉 automating API 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐭𝐞𝐬𝐭𝐢𝐧𝐠
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
MITRE ATT&CK framework is about the framework that is followed by Threat Hunters, Threat Analysts for Threat Modelling purpose, which can be use for Adversary Emulation and Attack Defense. Cybersecurity Analyst widely use it for framing the attack through its various used Tactics and Techniques.
Talk on Kaspersky lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for great tech dive
Introduction to Web Application Penetration TestingAnurag Srivastava
Web Application Pentesting
* Process to check and penetrate the security of a web application or a website
* process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.
Introduction to Web Application Penetration TestingNetsparker
These slides give an introduction to all the different things and stages that make a complete web application penetration test. It starts from the very basics, including how to define a Scope of Engagement.
These slides are part of the course Introduction to Web Application Security and Penetration Testing with Netsparker, which can be found here: https://www.netsparker.com/blog/web-security/introduction-web-application-penetration-testing/
Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure
In recent years, large reputable companies such as Facebook, Google and Equifax have suffered major data breaches that combined exposed the personal information of hundreds of millions of people worldwide. The common vector linking these breaches – APIs. The scale and magnitude of these breaches are the reason API security has been launched into the forefront of enterprise security concerns – now forcing us to rethink the way we approach API security as a whole.
OWASP Top 10 project has for a long time been the standard list of top vulnerabilities to look for and mitigate in the world of web applications.
APIs represent a significantly different set of threats, attack vectors, and security best practices. This caused the OWASP community to launch OWASP API Security project earlier this year.
In this session we’ll discuss:
· What makes API Security different from web application security
· The top 10 common API security vulnerabilities
· Examples and mitigation strategies for each of the risks
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
Slides for my webinar "API Security Fundamentals". They cover
👉 𝐎𝐖𝐀𝐒𝐏’𝐬 𝐭𝐨𝐩 𝟏𝟎 API security vulnerabilities with suggestions on how to avoid them, including the 2019 and the 2023 versions.
👉 API authorization and authentication using 𝐎𝐀𝐮𝐭𝐡 and 𝐎𝐈𝐃𝐂
👉 How certain 𝐀𝐏𝐈 𝐝𝐞𝐬𝐢𝐠𝐧𝐬 expose vulnerabilities and how to prevent them
👉 APIs sit within a wider system and therefore API security requires a 𝐡𝐨𝐥𝐢𝐬𝐭𝐢𝐜 𝐚𝐩𝐩𝐫𝐨𝐚𝐜𝐡. I’ll talk about elements “around the API” that also need to be protected
👉 automating API 𝐬𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐭𝐞𝐬𝐭𝐢𝐧𝐠
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
MITRE ATT&CK framework is about the framework that is followed by Threat Hunters, Threat Analysts for Threat Modelling purpose, which can be use for Adversary Emulation and Attack Defense. Cybersecurity Analyst widely use it for framing the attack through its various used Tactics and Techniques.
Talk on Kaspersky lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several ATT&CK practical use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for great tech dive
Introduction to Web Application Penetration TestingAnurag Srivastava
Web Application Pentesting
* Process to check and penetrate the security of a web application or a website
* process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found will be presented to the system owner, together with an assessment of the impact, a proposal for mitigation or a technical solution.
Introduction to Web Application Penetration TestingNetsparker
These slides give an introduction to all the different things and stages that make a complete web application penetration test. It starts from the very basics, including how to define a Scope of Engagement.
These slides are part of the course Introduction to Web Application Security and Penetration Testing with Netsparker, which can be found here: https://www.netsparker.com/blog/web-security/introduction-web-application-penetration-testing/
The OWASP Top Ten is an expert consensus of the most critical web application security threats. If properly understood, it is an invaluable framework to prioritize efforts and address flaws that expose your organization to attack.
This webcast series presents the OWASP Top 10 in an abridged format, interpreting the threats for you and providing actionable offensive and defensive best practices. It is ideal for all IT/development stakeholders that want to take a risk-based approach to Web application security.
How to Test for the OWASP Top Ten webcast focuses on tell tale markers of the OWASP Top Ten and techniques to hunt them down:
• Vulnerability anatomy – how they present themselves
• Analysis of vulnerability root cause and protection schemas
• Test procedures to validate susceptibility (or not) for each threat
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
View the on-demand recording: http://securityintelligence.com/events/avoiding-application-attacks/
Your organization is running fast to build your business. You are developing new applications faster than ever and utilizing new cloud-based development platforms. Your customers and employees expect applications that are powerful, highly usable, and secure. Yet this need for speed coupled with new development techniques is increasing the likelihood of security issues.
How can you meet the needs of speed to market with security? Hear Paul Ionescu, IBM Security, Ethical Hacking Team Lead discuss:
- How application attacks work
- Open Web Application Security Project (OWASP) goals
- How to build defenses into your applications
- The 10 most common web application attacks, including demos of the infamous Shellshock and Heartbleed vulnerabilities
- How to test for and prevent these types of threats
The Open Web Application Security Project is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security
OWASP is stand as Open Web Application Security Project which define the top 10 most vulnerabilities related with website and their exploit.
Every slide have description with their particular vulnerabilities and their impact also.
Have you ever actually gone through the process of hacking a website? Join me on this wonderful ride of application security powered by the OWASP Juice Shop to demonstrate some of the top website vulnerabilities from the OWASP Top 10. In this training, we will review several different techniques used in web application testing, exploit vulnerabilities discovered manually and with tools, and finally take over the whole show just to see how it’s done. A laptop is not necessary as this exercise is meant to be interactive and entertaining. Be sure to bring your thinking cap and your best hacks.
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://youtu.be/BQWcUjzxJE0
Have you been wondering about how to start in mobile application security, more specifically iOS/Android application security? In this talk, I will try to answer some of the most common questions about getting started in mobile application security testing. Starting from what platform to choose, where to learn, good resources, hardware requirements etc etc. Will also demo you about Mobexler - A Mobile Application Penetration Testing Platform and how you can use it for pentesting of iOS as well as android apps. This talk will be a mix of some demo, and some knowledge.
Securing dns records from subdomain takeoverOWASP Delhi
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 7th July.
Watch the webinar here - https://www.youtube.com/watch?v=C0LQJTXFosI
The speaker will be speaking upon the following abstract -
Basics of DNS records
Introduction to DNS record takeovers
Different types of DNS takeovers
Its impact
How to protect DNS records from takeover
Demo
Q&A
This talk will be for product security folks/ people on defending side. The speaker will also be covering the concept behind subdomain takeovers and its impact.
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 31st May.
Watch the webinar here - https://www.youtube.com/watch?v=22Hccp-7UDU
A person's assessment/ investigation is only as good as the report that supports it.
A good quality or effective report is a presentation of you as an assessor, analyst, or consultant.
The speaker discusses here the important points to keep in mind while preparing a Cyber Security Report. A must know webinar for all - freshers, professionals, bug bounty hunters and the C- level entities.
Session presented in the Combined [nullDelhi + OWASPDelhi] webinar on 24th May.
Watch the webinar here - https://www.youtube.com/watch?v=jmzfdw-UYC0
An air gapped environment is described as “computer or network that has
no network interfaces, either wired or wireless, connected to outside network.” In this case, side channels and proximity are leveraged to eavesdrop air gapped systems. A case study showing practical use case of sniffing is also discussed.
Link to the Webinar - https://youtu.be/jmzfdw-UYC0
Combined (NullDelhi + OWASPDelhi) Webinar on UDP Hunter by Savan Gadhiya on 10th May, 2020.
For the full video, please visit - https://www.youtube.com/watch?v=yLEL5XrzFyE
The speaker discussed the docker attack surface. Furthermore, he demonstrated how an attacker can escape the docker container and gain access to the host machine.
Companies and organizations have been following many traditional strategies for deploying WAF (web application firewall) in their infrastructure where most of the work is done. manually. Every ACL, every rule entry, every signature, and every other configuration was created and managed by hand. It could have various flaws: flaw of wrong ACL, flaw of accidental misconfiguration, flaw of bad signature, and other various things. The good news is that thanks to the DevOps Rebel Alliance, we now have a better way to do things: Infrastructure-as-Code (IAC).
Instead of clicking around a web UI or manually executing commands and setting up rules and configuration, the idea behind IAC is to write code to define, provision, and manage your WAF. You can validate each WAF change through code reviews and automated tests and you can create/use a library of reusable, documented, battle-tested code that makes it easier to scale and evolve your WAF. In this talk by Avinash Jain, we will have a quick on the various concept of what, how and why of "Automating AWS WAF using Terraform".
Discussion on traditional threat intelligence model, explore advanced approaches to reduce manual intervention and convert it into actionable threat intelligence.
Slides of the talk delivered by Chandra Ballabh in the August, 2019 Meetup of Combined OWASP Delhi and nullDelhi at Thoughtworks, Delhi
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
Wireless security beyond password cracking by Mohit RanjanOWASP Delhi
Network attacks in wired Lan environments
Protection in wired Lan
Layout of modern networks ( wired + wireless )
Difference between wired and wireless security
Most powerful situation to acquire in any network
Wireless attacks
Why NTP ?
Captive portal attacks
Conclusion and some wild thoughts
For complete data to perform this attack please go to the Github link below:
https://github.com/mohitrajain/Wireless_security_beyond_password_cracking
IETF's Role and Mandate in Internet Governance by Mohit BatraOWASP Delhi
1. Internet Governance (IG) Primer
2. I-* Organizations
3. IANA function -Names, Numbers and Protocol Parameters
4. IANA Transition
5. WHOIS for names and numbers
6. Need for Standardization and Standardization Bodies
7. How IETF Works
8. TLS Protocol
9. Increasing Indian participation in global Internet Governance activities and structures
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj MishraOWASP Delhi
Agenda
Hypervisor : what, how and why?
Hypervisor in linux
Capsule course on hypervisor (Intel VT-x, AMD - V, KVM)
Spawning a bare-bone VM
Injection code in VM
I/O Between Host and Guest
Converting C Code to Shellcode
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
2. AGENDA
• OWASP Top 10 Vulnerabilities
• Injection
• Sensitive Data Exposure
• Cross Site Scripting (XSS)
• Insufficient logging and monitoring
3. OWASP TOP 10:2017 RELEASE
1. Injection
2. Broken Authentication & Session Management
3. Sensitive Data Exposure
4. XML External Entities(XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting(XSS)
8. Insecure Deserialization
9. Using components with known vulnerabilities
10. Insufficient logging & monitoring
4. #1: INJECTION
• Injections are at the head of the OWASP Top 10 and Injection flaws, particularly
SQL Injection, are common in web applications.
• Injection occurs when user-supplied data is sent to an interpreter as part of a
command or query. The attacker’s hostile data tricks the interpreter into
executing unintended commands or changing data.
5. #2: BROKEN AUTHENTICATION & SESSION
MANAGEMENT
• Broken Authentication & Session
Management allows anonymous
attacks aimed at attempting to
steal valuable data, especially
personally identifiable
information.
6. #3: SENSITIVE DATA EXPOSURE
• Sensitive data, such as credit card numbers, health data, or passwords should
have extra protection given the potential of damage if it falls into the wrong
hands.
• If data is stored or transferred as plain text, if older/weaker encryption is used, or
if data is decrypted carelessly, attacker can gain access and exploit the data.
7.
8. #4: XML EXTERNAL ENTITIES
• XML is a data format used to describe different data elements.
• XML also uses “entities” to help define related data, but entities can access
remote or local content, as harmless as pulling a current stock price from a third
party website.
• If a developer uses a common or default filename in a common location, an
attacker’s job is easy.
9. #5: BROKEN ACCESS CONTROL
• Access control, or authorization, is how web apps let different users access
different content, data or functions.
• Sometimes gaining unauthorized access is as simple as manually entering an
unlinked URL in a browser, such as http://example.com/admin
• As with other vulnerabilities, attackers can gain access to(or modify)data, accounts
and functions that they shouldn’t.
10. #6: SECURITY MISCONFIGURATION
• Security Misconfiguration arises when Security settings are defined, implemented,
and maintained as defaults.
• Example #1: The app server admin console is automatically installed and not
removed
• Example #2: Directory listing is not disabled on your server
• Example #3: App server configuration allows stack traces to be returned to users,
potentially exposing underlying flaws
• Example #4: App server comes with sample applications that are not removed
from your production server
11. #7: CROSS-SITE SCRIPTING
• Cross-site Scripting (XSS) is a client-side code injection attack.
• The attacker aims to execute malicious scripts in a web browser of the victim by
including malicious code in a legitimate web page or web application.
• The actual attack occurs when the victim visits the web page or web application
that executes the malicious code.
• he web page or web application becomes a vehicle to deliver the malicious script
to the user’s browser.
12.
13. #8: INSECURE DESERIALIZATION
• It occurs when untrusted data is used to abuse the logic of an application, inflict a
denial of service (DoS) attack, or even execute arbitrary code upon it
being deserialized.
• It’s frequently possible for an attacker to abuse these deserialization features
when the application is deserializing untrusted data which the attacker controls.
14. #9: USING COMPONENTS WITH KNOWN
VULNERABILITIES
• Known vulnerabilities are vulnerabilities that were discovered in open source
components and published in the NVD, security advisories or issue trackers.
• From the moment of publication , a vulnerability can be exploited by hackers who
find the documentation.
• The possible impact of open source vulnerabilities ranges from minor to some of
the largest breaches known.
• It’s estimated that well over 80% of all software includes, at least, some open
source components.
15. #10: INSUFFICIENT LOGGING AND MONITORING
• As per the study of Insider Threat showed by Ponemon Institute, companies come
across more than 52 incidents due to insider fraud annually. WHY???
• Insufficient logging and monitoring vulnerability occurs when the security-critical
events aren’t logged properly, and the system is not monitoring the current
happenings.
• The lack of these functionalities can make the malicious activities harder to detect
and it affects effective incident handling when an attack happens.