TOP 10 WEB APPLICATION SECURITY RISKS

Overview of OWASP Top 10 – 2010
Akash Mahajan – Chapter Lead for null Bangalore
CONNECT THIS IMAGE TO WEB SECURITY
AKASH MAHAJAN | ABOUT ME

• Independent Web Security Consultant
• Chapter lead for null Bangalore
• I test, hack, secure web applications and servers.
• I consult companies on secure deployments on AWS etc.
• Been doing application security for 5+ years.
• Wrote IDS sigs for malware and vulnerabilities for 3 years as well.
AGENDA
• OWASP
• OWASP Top 10
• Application Security Risks
• OWASP Top 10 Details
• The Beginning
• Contact Details
OPEN WEB APPLICATION SECURITY PROJECT
• OWASP is a worldwide non-profit open community dedicated to web
  application security.
• OWASP offers free tools, books, documents etc. to developers, security
  practitioners and anyone interested in application security.
• Some of the most popular OWASP projects are
    • OWASP Top 10
    • OWASP Web Goat Project
    • OWASP Testing Guide
    • OWASP Developer Guide
• Definitely visit and track updates on http://www.owasp.org
OWASP TOP 10
• OWASP TOP 10 is a document listing the top 10 most critical risks faced by
  web applications currently.
• It is purely about managing risk and not just avoiding vulnerabilities.
• It is meant to be consumed by the developers and not just security dudes.
• You should consider using it if you are in-charge of keeping web apps safe.
• Also if your organization doesn’t have an app sec program and would like to
  start one now.
• Top 10 implies that these risks should be mitigated first to ensure safety of
  the web application.
• There are other risks, but they are less severe than the top 10.
OWASP TOP 10
• Who else is using it?
    • The PCI Council, US Department of Defense, US Federal Trade
      Commission, Data Interchange Standards Association
    • Companies like Microsoft, Citibank, IBM, HP, British Telecom, Oracle
• How do they use it?
    • Microsoft uses it as part of Security Development Lifecycle
    • PCI Council uses it as part of the PCI Data Security Standard
    • Oracle, NSA use it as part of developer awareness
    • Others use it to ensure minimal level of security audit of web applications
APPLICATION SECURITY RISKS
• Applications can have many attack vectors
    • A form that submits to the database
    • A database login for a partner for direct access.
    • FTP login for third party content team
• These attack vectors can be used to exploit security weaknesses.
• For example, stolen FTP credentials for an Amazon EC2 server might allow
  the EC2 credentials to be stolen as well.
• Once they are stolen, all services based on your Amazon account are vulnerable to
  hijack.
• You could end up paying for someone else’s misuse of your Amazon services!
OWASP TOP 10 – A1 INJECTION
• Injection flaws, such as SQL and OS injection, occur when untrusted data is sent to an
  interpreter as part of a command.
• The attacker’s hostile data can trick the interpreter into executing commands or
  accessing unauthorized data.
• SQL Injection is one of the most used vectors when malicious people want to create
  a new botnet.
    • First a vulnerable web-facing application is identified. Automated roBOTs/scripts
      crawl the world wide web looking for the identified application. Once found, they
      inject HTML/JS with links pointing to trojan downloaders etc.
    • Users with insecure browsers/OS who come to the infected websites get
      infected in turn, creating a NETwork.
    • In some cases up to 10,00,000 sites have been infected in a single day.
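The A1 pattern in Python, as an added example that is not part of the original slides: the string-built query lets the data rewrite the command, the parameterized one does not. The table, rows and the tautology input are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the demo: two users in an in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # A1 pattern: untrusted input is spliced into the command text, so the
    # SQL interpreter cannot tell where the data ends and the query resumes.
    query = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    # Fix: the value travels as a bound parameter and is never parsed as SQL,
    # whatever quotes or keywords it contains.
    query = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (name,))]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # constructed input: always-true WHERE clause
    print("vulnerable:    ", find_user_vulnerable(db, tautology))      # ['alice', 'bob']
    print("parameterized: ", find_user_parameterized(db, tautology))  # []
```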
OWASP TOP 10 – A2 CROSS SITE SCRIPTING (XSS)
• XSS flaws occur whenever an application takes untrusted data and sends it
  to a web browser without proper validation and escaping. XSS allows
  attackers to execute scripts in the victim’s browser which can hijack user
  sessions, deface web sites, or redirect the user to malicious sites.
• Frequently used to steal your session.
    • One of the most infamous examples is the MySpace Samy worm. In less
      than a day he got more than a million friends and MySpace had to be
      shut down.
    • An XSS bug on the website registration page can enable theft of
      registration details.
• Would you like your competitor to find out about all your new users?
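Output escaping, the fix the A2 slide calls for, as an added example (not from the slides): the same display name rendered raw and rendered through `html.escape`, in body and attribute context. The page fragments and names are constructed for the demo.

```python
import html


def render_profile_unsafe(display_name: str) -> str:
    # A2 pattern: untrusted data is written straight into the HTML response,
    # so any markup in the name is parsed and executed by the victim's browser.
    return "<h1>Welcome, " + display_name + "</h1>"


def render_profile_escaped(display_name: str) -> str:
    # Escaping for the HTML body context: < > & " ' become entities, so the
    # browser shows the text instead of interpreting it as markup.
    return "<h1>Welcome, " + html.escape(display_name, quote=True) + "</h1>"


def render_link_escaped(display_name: str, profile_id: int) -> str:
    # Attribute context: quote=True also neutralises " and ', which is what
    # matters inside a quoted attribute. profile_id is cast to int, so that
    # parameter cannot carry markup at all.
    safe_name = html.escape(display_name, quote=True)
    return '<a href="/profile/%d" title="%s">%s</a>' % (int(profile_id), safe_name, safe_name)


def contains_raw_script_tag(rendered: str) -> bool:
    # Crude self-check for the demo: is an unescaped <script tag still present?
    return "<script" in rendered.lower()
```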
OWASP TOP 10 – A3 BROKEN AUTHENTICATION AND SESSION MANAGEMENT
• Application functions related to authentication and session management are
  often not implemented correctly, allowing attackers to compromise
  passwords, keys, session tokens, or exploit other implementation flaws to
  assume other users’ identities.
• Developers tend to build custom authentication schemes which aren’t tested
  enough and may contain logical flaws as well.
• Technical impacts range from login theft to malicious users getting access to all
  account details.
    • Generating a new password every time someone enters an email id in the
      forgot-password form opens the door to a denial of service attack!
    • Not destroying the session after a fixed time.
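A server-side session store that addresses the last bullet, as an added example (not from the slides): unpredictable tokens, rotation at login, an absolute lifetime, an idle timeout and explicit destruction on logout. The two timeout values are assumed policy, and `ManualClock` exists only so expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 8 * 3600   # assumed policy: a session dies 8 h after login, active or not
IDLE_TIMEOUT = 30 * 60         # assumed policy: and after 30 min without a request


@dataclass
class Session:
    user_id: int
    created_at: float
    last_seen: float


class ManualClock:
    # Demo clock so the timeouts can be tested without sleeping.
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock

    def create(self, user_id: int) -> str:
        # 32 bytes from the OS CSPRNG: never a counter, a timestamp or a hash
        # of the username, all of which an attacker can predict.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def rotate(self, token: str):
        # Issue a fresh token after login or a privilege change, so a token
        # planted before authentication (session fixation) never becomes a
        # logged-in one.
        sess = self._sessions.pop(token, None)
        if sess is None:
            return None
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = sess
        return new_token

    def lookup(self, token: str):
        # Returns the user id of a live session, or None. Both limits are
        # enforced here, on the server; a cookie's Expires attribute is only
        # advisory and the client can ignore it.
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.created_at > ABSOLUTE_LIFETIME or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]   # destroy, so the token cannot be revived
            return None
        sess.last_seen = now
        return sess.user_id

    def destroy(self, token: str) -> None:
        # Logout: forget the session on the server, not just clear the cookie.
        self._sessions.pop(token, None)
```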
CONNECT THIS IMAGE TO WEB SECURITY
[Image slide: Paris Hilton, Tinkerbell]
OWASP TOP 10 – A4 INSECURE DIRECT OBJECT REFERENCE
• A direct object reference occurs when a developer exposes a reference to an
  internal implementation object, such as a file, directory, or database key.
  Without an access control check or other protection, attackers can
  manipulate these references to access unauthorized data.
• Technical impact can be letting unauthorized users download files not meant
  for them.
    • A real-world website has a page to display the invoice for the user. It
      contains an id parameter. If we change the parameter, it shows the details
      for another user.
    • Most people mistakenly think that if a file or folder is not linked from any
      web page it can’t be found by a malicious user.
OWASP TOP 10 – A5 CROSS SITE REQUEST FORGERY
• A CSRF attack forces a logged-on victim’s browser to send a forged
  HTTP request, including the victim’s session cookie and any other
  automatically included authentication information, to a vulnerable web
  application.
• This allows the attacker to force the victim’s browser to generate
  requests the vulnerable application thinks are legitimate requests from
  the victim.
    • Log you out of your email account.
    • Add a rogue DNS entry in your ADSL modem!
    • Create a filter in webmail to forward all email to a malicious user.
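Two defences a webmail application can put in front of a state-changing request such as "create a filter", as an added example (not from the slides): an origin check and a per-session synchronizer token. `SERVER_SECRET`, `SITE_ORIGIN` and the request dictionaries are constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed: in a real deployment this secret comes from configuration and stays
# out of source control; here it is generated when the module loads.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://webmail.example.test"   # assumed origin of our own application


def csrf_token_for(session_id: str) -> str:
    # The token is bound to the victim's session with an HMAC: a token lifted
    # from one session is useless in another, and nothing extra is stored.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_origin(header_value: str, site_origin: str) -> bool:
    # Compare scheme, host and port, never string prefixes: a prefix test
    # would accept https://webmail.example.test.attacker.example.
    a, b = urlsplit(header_value), urlsplit(site_origin)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def state_change_allowed(request: dict, session_id: str) -> bool:
    # Run on every request that changes state (add a filter, log out, change a
    # DNS entry). The browser attaches the session cookie by itself, which is
    # exactly why the cookie alone says nothing about who built the form.
    headers, form = request["headers"], request["form"]
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not origin or not same_origin(origin, SITE_ORIGIN):
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time compare so the token cannot be guessed byte by byte.
    return hmac.compare_digest(submitted, csrf_token_for(session_id))
```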
OWASP TOP 10 – A6 SECURITY MISCONFIGURATION
• Good security requires having a secure configuration defined
  and deployed for the application, frameworks, application
  server, web server, database server, and platform.
• This includes keeping all software up to date, including all code
  libraries used by the application.
    • Network Solutions was offering WordPress installations on a shared
      server. The main configuration file wp-config.php was world readable.
      Result: a mass hack of WordPress-based websites.
    • Shipping with default passwords!
OWASP TOP 10 – A7 INSECURE CRYPTOGRAPHIC STORAGE
• Many web applications do not properly protect sensitive data,
  such as credit cards, SSNs, and authentication credentials, with
  appropriate encryption or hashing.
• Attackers may steal or modify such weakly protected data to
  conduct identity theft, credit card fraud, or other crimes.
   • Storing unsalted hashes in a known weak hash algorithm
     like MD5. Using rainbow tables attackers can figure out
     stolen passwords in no time at all.
   • Storing the encryption key in the same location as the
     encrypted files.
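The unsalted-MD5 bullet beside its fix, as an added example (not from the slides): a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256 from the standard library) stored in a self-describing record. The iteration count is an assumed work factor; the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster


def md5_unsalted(password: str) -> str:
    # The slide's "what not to do": no salt and a fast hash, so equal passwords
    # hash identically and a precomputed (rainbow) table reverses them at once.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    # Random 16-byte salt per user plus an iterated hash: a table built for
    # one user's salt is worthless for every other user, and each guess costs
    # ITERATIONS hash computations instead of one.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    # The record carries its own algorithm, iteration count and salt, so the
    # work factor can be raised later without invalidating old hashes.
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison of the digests.
    return hmac.compare_digest(candidate, expected)
```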
OWASP TOP 10 – A8 FAILURE TO RESTRICT URL ACCESS
• Many web applications check URL access rights before rendering protected
  links and buttons. However, applications need to perform similar access
  control checks each time these pages are accessed, or attackers will be able
  to forge URLs to access these hidden pages anyway
• This can be due to either:
    • Simple misconfiguration
    • Flawed coding or logic.
    • Assuming that something hidden will never be found doesn’t usually end
      well. Anonymous users accessing pages meant for authenticated users
      and authenticated users accessing admin pages can have a negative
      impact.
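One request handler that serves both the A4 invoice example and this A8 slide, as an added example (not from the slides): a role check on every URL, with unknown or "hidden" paths denied by default, plus an ownership check on the invoice id before anything is returned. Users, routes and the invoice table are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str          # "anonymous", "user" or "admin"


# Constructed sample data: invoice id -> owning user id.
INVOICES = {1001: 7, 1002: 7, 1003: 9}

# Page-level policy (A8): every URL names the minimum role, and the check runs
# on every request, not only when deciding whether to render a menu link.
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}
ROUTES = {
    "/": "anonymous",
    "/invoice": "user",
    "/admin/users": "admin",
}


class Forbidden(Exception):
    pass


def authorize_route(user: User, path: str) -> None:
    required = ROUTES.get(path)
    if required is None:
        # Deny by default: a page that is not in the table is not reachable,
        # so "hidden" pages are protected whether or not someone finds them.
        raise Forbidden("unknown path")
    if ROLE_RANK[user.role] < ROLE_RANK[required]:
        raise Forbidden(f"{path} requires role {required}")


def get_invoice(user: User, invoice_id: int) -> dict:
    # Object-level check (A4): the id in the request is only a claim. Confirm
    # the caller owns the record (or is an admin) before returning it.
    owner = INVOICES.get(invoice_id)
    if owner is None or (owner != user.id and user.role != "admin"):
        # Same answer for "missing" and "not yours", so the response does not
        # confirm which ids exist.
        raise Forbidden("no such invoice")
    return {"id": invoice_id, "owner": owner}


def handle_request(user: User, path: str, params: dict) -> dict:
    authorize_route(user, path)
    if path == "/invoice":
        return get_invoice(user, int(params["id"]))
    return {"page": path}


def is_allowed(user: User, path: str, params: dict) -> bool:
    # Convenience wrapper for the demo: True when the request would be served.
    try:
        handle_request(user, path, params)
        return True
    except Forbidden:
        return False
```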
OWASP TOP 10 – A9 INSUFFICIENT TRANSPORT LAYER PROTECTION
• Applications frequently fail to authenticate, encrypt, and
  protect the confidentiality and integrity of sensitive
  network traffic. When they do, they sometimes support
  weak algorithms, use expired or invalid certificates, or
  do not use them correctly.
• Login and password passed in clear text over the wire.
  Anyone monitoring the traffic can get hold of the
  credentials.
OWASP TOP 10 – A10 UNVALIDATED REDIRECTS AND FORWARDS
• Web applications frequently redirect and forward users to other
  pages and websites, and use untrusted data to determine the
  destination pages.
• Without proper validation, attackers can redirect victims to
  phishing or malware sites, or use forwards to access
  unauthorized pages.
    • A malicious user creating a redirect that points to another site
      for phishing.
    • A forward parameter that decides whether the user is sent to the admin
      section or to the normal section.
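Validation for both bullets, as an added example (not from the slides): redirect targets are limited to paths on this site or an allow-list of hosts, with the browser quirks that defeat naive checks refused outright, and forwards go through a fixed name-to-path table instead of a raw path. The host allow-list, table and default page are assumed.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.test", "example.test"}   # assumed: hosts we may redirect to
DEFAULT_TARGET = "/home"

# Forwards: the request names a destination and the server maps it through a
# fixed table. The admin page must still run its own access check (A8).
FORWARD_TABLE = {"home": "/home", "orders": "/orders", "admin": "/admin/index"}


def safe_redirect_target(target: str) -> str:
    # Returns a destination that is either an absolute path on this site or a
    # full URL whose host is explicitly allowed; anything else becomes DEFAULT_TARGET.
    if not target or any(ord(ch) < 32 for ch in target):
        return DEFAULT_TARGET
    if "\\" in target or target.startswith("//"):
        # Browsers read /\evil.test and //evil.test as a new host, while URL
        # parsers do not always agree, so refuse both shapes without parsing.
        return DEFAULT_TARGET
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: accept only paths that start at our own root.
        return target if target.startswith("/") else DEFAULT_TARGET
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        # hostname, not netloc: user@host tricks resolve to the real host here.
        return target
    return DEFAULT_TARGET


def resolve_forward(name: str) -> str:
    # Unknown names go to the default page instead of being used as a path.
    return FORWARD_TABLE.get(name, DEFAULT_TARGET)
```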
THE BEGINNING
• These risks are only the top 10 of them all. There are many others that are very
  dangerous and should be guarded against, such as
    • Clickjacking, Denial of service, Information Leakage, Improper Error
      Handling, Insufficient Anti-automation, Lack of intrusion detection,
      Malicious file execution
• To develop secure code ‘OWASP Developers Guide’
• To test web applications for security ‘OWASP Testing Guide’
• To review web applications ‘OWASP Code Review Guide’
• Keep yourself updated: join a local OWASP chapter.
• Get on the mailing lists.
AKASH MAHAJAN | REACH ME

• Reach me on
  • Website: akashm.com
  • Email: akashmahajan@gmail.com
  • Twitter: @makash
  • Linkedin: www.linkedin.com/in/akashm

Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

Top 10 web application security risks – Akash Mahajan

TOP 10 WEB APPLICATION SECURITY RISKS
Overview of OWASP Top 10 – 2010
Akash Mahajan – Chapter Lead for null Bangalore

CONNECT THIS IMAGE TO WEB SECURITY

AKASH MAHAJAN | ABOUT ME
• Independent Web Security Consultant
• Chapter lead for null Bangalore
• I test, hack, secure web applications and servers.
• I consult companies on secure deployments on AWS etc.
• Been doing application security for 5+ years.
• Wrote IDS sigs for malware and vulnerabilities for 3 years as well.

AGENDA
• OWASP
• OWASP Top 10
• Application Security Risks
• OWASP Top 10 Details
• The Beginning
• Contact Details

OPEN WEB APPLICATION SECURITY PROJECT
• OWASP is a worldwide non-profit open community dedicated to web application security.
• OWASP offers free tools, books, documents etc. to developers, security practitioners and anyone interested in application security.
• Some of the most popular OWASP projects are
    • OWASP Top 10
    • OWASP Web Goat Project
    • OWASP Testing Guide
    • OWASP Developer Guide
• Definitely visit and track updates on http://www.owasp.org

OWASP TOP 10
• OWASP TOP 10 is a document listing the top 10 most critical risks faced by web applications currently.
• It is purely about managing risk and not just avoiding vulnerabilities.
• It is meant to be consumed by the developers and not just security dudes.
• You should consider using it if you are in charge of keeping web apps safe.
• Also if your organization doesn’t have an app sec program and would like to start one now.
• Top 10 implies that these risks should be mitigated first to ensure safety of the web application.
• There are other risks, but they are less severe than the top 10.

OWASP TOP 10
• Who else is using it?
    • The PCI Council, US Department of Defense, US Federal Trade Commission, Data Interchange Standards Association
    • Companies like Microsoft, Citibank, IBM, HP, British Telecom, Oracle
• How do they use it?
    • Microsoft uses it as part of the Security Development Lifecycle
    • PCI Council uses it as part of the PCI Data Security Standard
    • Oracle, NSA use it as part of developer awareness
    • Others use it to ensure a minimal level of security audit of web applications

APPLICATION SECURITY RISKS
• Applications can have many attack vectors
    • A form that submits to the database
    • A database login for a partner for direct access
    • FTP login for a third-party content team
• These attack vectors can be used to exploit security weaknesses.
• For example, stolen FTP credentials for an Amazon EC2 server might allow the EC2 credentials to be stolen as well.
• Once stolen, all services based on your Amazon account are vulnerable to hijack.
• You could end up paying for someone else misusing your Amazon services!
OWASP TOP 10 – A1 INJECTION
• Injection flaws, such as SQL and OS command injection, occur when untrusted data is sent to an interpreter as part of a command.
• The attacker’s hostile data can trick the interpreter into executing commands or accessing unauthorized data.
• SQL Injection is one of the most used vectors when malicious people want to create a new botnet.
• First a vulnerable web-facing application is identified. Automated roBOTs/scripts crawl the world wide web looking for the identified application. Once found, they inject HTML/JS with links pointing to trojan downloaders etc.
• When users with insecure browsers/OS come to the infected websites they get infected in turn, creating a NETwork.
• In some cases up to 10,00,000 sites have been infected in a single day.
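The slide's first bullet is the whole story: the interpreter cannot tell data from command once they are concatenated. The block below is an added example, not from the slides, showing the flaw beside the fix against a constructed in-memory SQLite table: `find_user_unsafe` builds the query by string formatting, `find_user_safe` hands the value to the driver as a bound parameter. The table, rows and hostile sample string are all constructed for the demo.

```python
import sqlite3


def build_db():
    """Constructed in-memory user table standing in for the application's store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    # Untrusted data is spliced into the command text, so a quote in the input
    # ends the string literal and the rest of the input becomes SQL.
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Parameterised query: the value travels separately from the statement and
    # is only ever treated as data, whatever characters it contains.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups with a normal name and with a constructed hostile value."""
    conn = build_db()
    hostile = "x' OR '1'='1"  # constructed sample of hostile data
    return {
        "unsafe": find_user_unsafe(conn, hostile),  # every row comes back
        "safe": find_user_safe(conn, hostile),      # no user is literally named that
        "normal": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The same rule applies to every interpreter the slide names: OS commands go through an argument list rather than a shell string, and LDAP or XPath queries get the library's escaping function, never string concatenation.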
OWASP TOP 10 – A2 CROSS SITE SCRIPTING XSS
• XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
• Frequently used to steal your session.
• One of the most infamous examples is the MySpace Samy worm. In less than a day he had more than a million friends and MySpace had to be shut down.
• An XSS bug occurring on the website registration page can enable theft of registration details.
• Would you like your competitor to find out about all your new users?
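"Proper escaping" on the slide means escaping at output time for the context the value lands in. The following added example (mine, not from the presentation) renders a constructed untrusted display name into a page fragment three ways: unescaped, escaped for HTML text, and escaped for an attribute value, where the quote characters matter as much as the angle brackets. The template and sample input are constructed for the demo.

```python
import html

# Constructed page fragment; in a real app this is the template engine's job.
TEMPLATE = "<p>Welcome back, {name}</p>"

# Constructed sample of untrusted input, e.g. a display name from registration.
SAMPLE = "<script>alert(1)</script>"


def render_unsafe(name):
    # Untrusted data dropped straight into HTML: the browser will run whatever
    # markup the value contains, in the origin of the site that served it.
    return TEMPLATE.format(name=name)


def render_safe(name):
    # Escape at output time for the HTML text context: < > & become entities,
    # so the value is displayed rather than parsed.
    return TEMPLATE.format(name=html.escape(name, quote=True))


def render_attribute_safe(value):
    # Attribute context: a stray quote would close the attribute and let the
    # input add new ones (event handlers, for example). quote=True also turns
    # " and ' into entities, which is why it is used here as well.
    return '<input value="{v}">'.format(v=html.escape(value, quote=True))


if __name__ == "__main__":
    print(render_unsafe(SAMPLE))
    print(render_safe(SAMPLE))
    print(render_attribute_safe('" onfocus="x'))
```

Escaping is context-specific: a value placed inside a `<script>` block or a URL needs its own encoding, and no single function covers all of them, which is why auto-escaping template engines and a Content Security Policy are the usual second layer.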
OWASP TOP 10 – A3 BROKEN AUTHENTICATION AND SESSION MANAGEMENT
• Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.
• Developers tend to build custom authentication schemes which aren’t tested enough and may contain logical flaws as well.
• Technical impacts range from login theft to malicious users getting access to all account details.
• Generating a new password every time someone enters an email id in the forgot-password form enables a denial of service attack!
• Not destroying the session after a fixed time.
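The last two bullets are concrete enough to code. This added example (not part of the slides) shows a server-side session store that destroys sessions after a fixed lifetime, and a forgot-password flow that issues a short-lived reset token instead of overwriting the password, so someone typing another user's email address cannot lock that user out. The lifetimes and the injectable clock are assumptions made for the demo.

```python
import secrets
import time

SESSION_LIFETIME = 30 * 60      # seconds; assumed policy value
RESET_TOKEN_LIFETIME = 15 * 60  # seconds; assumed policy value


class SessionStore:
    """In-memory session table. `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}  # token -> (user_id, expires_at)

    def create(self, user_id):
        # 256 bits from the OS CSPRNG; never derived from user data or time.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, self._now() + SESSION_LIFETIME)
        return token

    def lookup(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() >= expires_at:
            # Fixed absolute lifetime: the session is destroyed, not refreshed.
            self._sessions.pop(token, None)
            return None
        return user_id

    def destroy(self, token):
        # Logout must invalidate server-side state, not just clear the cookie.
        self._sessions.pop(token, None)


class PasswordReset:
    """Forgot-password flow that leaves the stored password untouched until
    the mailbox owner proves control by redeeming the token."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # token -> (email, expires_at)

    def request(self, email):
        # No password change happens here, so a request for someone else's
        # address is harmless to them. The token would be emailed in practice.
        token = secrets.token_urlsafe(32)
        self._pending[token] = (email, self._now() + RESET_TOKEN_LIFETIME)
        return token

    def redeem(self, token):
        # Single use: the token is removed whether or not it is still valid.
        entry = self._pending.pop(token, None)
        if entry is None or self._now() >= entry[1]:
            return None
        return entry[0]  # caller now lets this email's owner set a new password
```

A real deployment adds the pieces this demo leaves out: rate limiting on the reset endpoint, the same response whether or not the email exists, and rotating the session token after login to defeat session fixation.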
CONNECT THIS IMAGE TO WEB SECURITY
Paris Hilton, Tinkerbell

OWASP TOP 10 – A4 INSECURE DIRECT OBJECT REFERENCE
• A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
• Technical impact can be letting unauthorized users download files not meant for them.
• A real-world website has a page to display an invoice for the user. It contains an id parameter. If we change the parameter, it shows the details for another user.
• Most people mistakenly think that if a file or folder is not linked from any web page it can’t be found by a malicious user.

OWASP TOP 10 – A5 CROSS SITE REQUEST FORGERY
• A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application.
• This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
• Log you out of your email account.
• Add a rogue DNS entry in your ADSL modem!
• Create a filter in webmail to forward all email to a malicious user.
OWASP TOP 10 – A6 SECURITY MISCONFIGURATION
• Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform.
• This includes keeping all software up to date, including all code libraries used by the application.
• Network Solutions were offering WordPress installations on a shared server. The main configuration file wp-config.php was world readable, leading to a mass hack of WordPress-based websites.
• Shipping with default passwords!
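Both misconfigurations on this slide are mechanical to detect. The following added example (mine, not from the presentation) is a small audit that walks a deployment directory, flags well-known configuration files that are readable by other accounts on the host, and looks for empty or default credential values in PHP `define()` lines and `KEY=VALUE` lines. The file-name list, the weak-value list and the sample `wp-config.php` built by `demo()` are all constructed assumptions.

```python
import os
import re
import stat
import tempfile

# Assumed: configuration files that hold credentials and must stay private.
SENSITIVE_NAMES = {"wp-config.php", ".env", "settings.py", "database.yml"}
# Assumed: values that indicate a default or unset credential.
WEAK_VALUES = {"", "admin", "password", "changeme", "root", "123456"}

PHP_DEFINE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")
KEY_VALUE = re.compile(r"^\s*(\w+)\s*[=:]\s*['\"]?([^'\"\n]*?)['\"]?\s*$", re.M)


def world_readable(path):
    # Permission bits, not effective access: on shared hosting "other" is
    # every other customer's account.
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def weak_credentials(text):
    """Return the keys whose value looks like a default or empty credential."""
    hits = []
    for key, value in PHP_DEFINE.findall(text) + KEY_VALUE.findall(text):
        if re.search(r"pass|secret", key, re.I) and value.strip().lower() in WEAK_VALUES:
            hits.append(key)
    return hits


def audit(root):
    """Walk `root` and return (path, finding) pairs for sensitive files."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in SENSITIVE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            if world_readable(path):
                findings.append((path, "world-readable"))
            with open(path, encoding="utf-8", errors="replace") as fh:
                for key in weak_credentials(fh.read()):
                    findings.append((path, f"default or empty credential: {key}"))
    return findings


def demo():
    """Build a constructed WordPress config twice: misconfigured, then fixed."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "wp-config.php")
        with open(path, "w") as fh:
            fh.write("<?php\ndefine('DB_USER', 'wp');\ndefine('DB_PASSWORD', 'password');\n")
        os.chmod(path, 0o644)  # readable by every account on the host
        bad = audit(root)
        with open(path, "w") as fh:
            fh.write("<?php\ndefine('DB_USER', 'wp');\ndefine('DB_PASSWORD', 'Vq7x-mUe9-LwZ2-pQ4s');\n")
        os.chmod(path, 0o600)  # owner only
        good = audit(root)
    return bad, good


if __name__ == "__main__":
    before, after = demo()
    print("misconfigured:", before)
    print("fixed:", after)
```

A check like this belongs in the deployment pipeline rather than in a one-off review, alongside the dependency-version check the second bullet asks for.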
OWASP TOP 10 – A7 INSECURE CRYPTOGRAPHIC STORAGE
• Many web applications do not properly protect sensitive data, such as credit cards, SSNs, and authentication credentials, with appropriate encryption or hashing.
• Attackers may steal or modify such weakly protected data to conduct identity theft, credit card fraud, or other crimes.
• Storing unsalted hashes in a known weak hash algorithm like MD5. Using rainbow tables attackers can figure out stolen passwords in no time at all.
• Storing the encryption key in the same location as the encrypted files.
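The rainbow-table bullet comes down to two properties a password store needs: a per-user random salt, so no precomputed table applies, and a deliberately slow derivation, so guessing is expensive even with the salt in hand. This added example (not from the presentation) puts the weak form the slide warns about next to a PBKDF2-HMAC-SHA256 store with a self-describing record format; the iteration count and record layout are assumptions for the demo.

```python
import hashlib
import hmac
import os

# Assumed work factor; tune upward until one derivation costs ~100 ms on the server.
ITERATIONS = 200_000


def hash_password_weak(password):
    # What the slide warns against: unsalted MD5. Same password, same hash,
    # so one precomputed table recovers every matching user at once.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Per-user random salt plus a slow KDF. The stored record carries the
    algorithm, iteration count and salt so parameters can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print(hash_password_weak("password"), hash_password_weak("password"))
    print(hash_password("password"))
    print(hash_password("password"))  # different salt, different record
```

The same separation principle answers the last bullet: the key that protects stored files must live somewhere the file store's compromise does not reach, such as a KMS or HSM, rather than beside the ciphertext.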
OWASP TOP 10 – A8 FAILURE TO RESTRICT URL ACCESS
• Many web applications check URL access rights before rendering protected links and buttons. However, applications need to perform similar access control checks each time these pages are accessed, or attackers will be able to forge URLs to access these hidden pages anyway.
• This can be due to either:
    • Simple misconfiguration
    • Flawed coding or logic.
• Assuming that if it is hidden it will never be found doesn’t usually end well. Anonymous users accessing pages meant for authenticated users and authenticated users accessing admin pages can have a negative impact.
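A4 (the invoice id example) and A8 (hidden admin pages) are two levels of the same check, so one added example covers both; it is mine, not from the presentation. `authorize_route` enforces a minimum role per URL prefix on every request, regardless of which links were rendered, and `get_invoice` verifies that the record referenced by the untrusted id actually belongs to the caller. The roles, route table and invoice data are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # one of "anonymous", "user", "admin"


# Constructed data: invoices keyed by the id that appears in the URL.
INVOICES = {
    101: {"owner": 1, "total": 250},
    102: {"owner": 2, "total": 90},
}

# Function-level rule: minimum role per URL prefix, most specific first.
ROUTE_RULES = [("/admin/", "admin"), ("/invoice/", "user"), ("/", "anonymous")]
ROLE_RANK = {"anonymous": 0, "user": 1, "admin": 2}


class Forbidden(Exception):
    pass


def authorize_route(user, path):
    """Checked on every request, not only when deciding which links to show."""
    for prefix, required in ROUTE_RULES:
        if path.startswith(prefix):
            return ROLE_RANK[user.role] >= ROLE_RANK[required]
    return False  # unknown path: deny by default


def get_invoice(user, invoice_id):
    """Object-level check: the id is untrusted, so ownership is verified
    against the record instead of being assumed from the reference."""
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv["owner"] != user.id and user.role != "admin"):
        # Same answer for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden(f"user {user.id} may not view invoice {invoice_id}")
    return inv


def handle(user, path):
    """Tiny dispatcher returning (status, body). Route check first, then the
    object check for /invoice/<id>."""
    if not authorize_route(user, path):
        return 403, None
    if path.startswith("/invoice/"):
        try:
            return 200, get_invoice(user, int(path.rsplit("/", 1)[1]))
        except (ValueError, Forbidden):
            return 403, None
    return 200, None


if __name__ == "__main__":
    print(handle(User(1, "user"), "/invoice/101"))
    print(handle(User(1, "user"), "/invoice/102"))
    print(handle(User(0, "anonymous"), "/admin/users"))
```

Both checks live in the request path, which is the point of the A8 bullet: hiding a link is a usability decision, not an access control.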
OWASP TOP 10 – A9 INSUFFICIENT TRANSPORT LAYER PROTECTION
• Applications frequently fail to authenticate, encrypt, and protect the confidentiality and integrity of sensitive network traffic. When they do, they sometimes support weak algorithms, use expired or invalid certificates, or do not use them correctly.
• Login and password passed in clear text over the wire. Anyone monitoring the traffic can get hold of the credentials.
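Three small controls address the slide's bullets on the application side: a TLS client context that verifies certificates and hostnames and refuses old protocol versions, a guard that never posts credentials to a plain-http endpoint, and session cookie flags so the browser will not send the cookie in clear text. This is an added example using Python's standard `ssl` module, not code from the presentation; the cookie attribute values are assumptions.

```python
import ssl
from urllib.parse import urlsplit


def client_tls_context():
    """Context for outbound HTTPS calls (to partners, payment APIs, etc.)."""
    # create_default_context() already enables chain verification and
    # hostname checking; the floor is raised so TLS 1.0/1.1 are refused.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx):
    """Plain-data view of the settings that matter, for logging or tests."""
    return {
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def credential_destination_ok(url):
    """Refuse to submit a login form anywhere but an https URL with a host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def secure_cookie_header(name, value):
    """Set-Cookie value for a session cookie: Secure keeps it off plain http,
    HttpOnly keeps it away from scripts, SameSite limits cross-site sending."""
    return f"{name}={value}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(context_summary(client_tls_context()))
    print(credential_destination_ok("http://login.example.test/session"))
    print(secure_cookie_header("sid", "constructed-session-id"))
```

On the server side the matching controls are redirecting all http to https and sending a `Strict-Transport-Security` header, so the first request a user types without a scheme never carries the cookie in the clear.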
OWASP TOP 10 – A10 UNVALIDATED REDIRECTS AND FORWARDS
• Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages.
• Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
• A malicious user creating a redirect that points to another site for phishing.
• A forward parameter coded to send the user either to the admin section or to the normal section.
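The two bullets map onto two validators. This added example (not from the presentation) accepts a `next`-style redirect parameter only when it is a local path or an https URL on an allowlisted host, rejecting the forms browsers reinterpret as a different site (`//host`, `///host`, `/\host`, `javascript:`), and replaces a free-form forward parameter with a lookup in a fixed table so "admin" is never reachable by supplying its name. The allowlist and forward table are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumed: hosts this application is allowed to send users to.
ALLOWED_HOSTS = {"example.test", "www.example.test"}

# Assumed: named forwards. The user supplies a name, never a path, and the
# admin section is simply absent from the table a normal user can use.
FORWARD_TARGETS = {"home": "/home", "account": "/account", "help": "/help"}


def safe_redirect_target(next_url, default="/"):
    """Return next_url if it is safe to redirect to, else the default."""
    if not next_url:
        return default
    parts = urlsplit(next_url)
    if parts.netloc:
        # Absolute URL: only https, and only to an allowlisted host.
        if parts.scheme == "https" and parts.netloc.lower() in ALLOWED_HOSTS:
            return next_url
        return default
    # No host component. Accept only a local path beginning with a single
    # slash: "//host", "///host" and "/\\host" are all treated by browsers as
    # scheme-relative URLs to another site, and "javascript:" has a scheme.
    if parts.scheme == "" and next_url.startswith("/") and next_url[1:2] not in ("/", "\\"):
        return next_url
    return default


def resolve_forward(name, default="/home"):
    """Map an untrusted forward name to a fixed destination."""
    return FORWARD_TARGETS.get(name, default)


if __name__ == "__main__":
    for candidate in ["/account", "//evil.test/", "https://evil.test/", "https://www.example.test/x"]:
        print(candidate, "->", safe_redirect_target(candidate))
    print(resolve_forward("admin"))
```

Where an off-site redirect is a genuine feature, an interstitial page that shows the destination before leaving is the usual alternative to a growing allowlist.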
THE BEGINNING
• These risks are only the top 10 of them all. There are many others that are very dangerous and should be guarded against, like
    • Clickjacking, Denial of service, Information Leakage, Improper Error Handling, Insufficient Anti-automation, Lack of intrusion detection, Malicious file execution
• To develop secure code: ‘OWASP Developers Guide’
• To test web applications for security: ‘OWASP Testing Guide’
• To review web applications: ‘OWASP Code Review Guide’
• Keep yourself updated: join a local OWASP chapter
• Get on the mailing lists.

AKASH MAHAJAN | REACH ME
• Reach me on
    • Website: akashm.com
    • Email: akashmahajan@gmail.com
    • Twitter: @makash
    • Linkedin: www.linkedin.com/in/akashm