SlideShare a Scribd company logo

Truetesters presents OWASP Top 10 Web Vulnerability

TrueTesters
TrueTesters

The document discusses the OWASP Top 10 web vulnerabilities. It provides examples and explanations of the top vulnerabilities, which are injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring. For each vulnerability, it describes how attacks can occur and provides recommendations on how to prevent the vulnerability.

Technology
1 of 48
OWASP Top 10 Web Vulnerability Presented by TrueTesters. Testing your system before the bad guys do. Sponsored by
Our Sponsors
What is OWASP? What is the OWASP Top 10?
★ A code injection happens when an attacker sends invalid data to the web application with the intention to make it do something that the application was not designed/ programmed to do. ★ String query = “SELECT * FROM accounts WHERE custID = ‘” + request.getParameter(“id”) + “‘”; Sponsored by Injection
Real Examples of SQL Injection Sponsored by
How to Prevent SQL Injection ★ Use Positive or whitelist server side input validation ★ Use a Web Application Firewall ★ Escape user supplied inputs ★ Use Stored Procedures
Sponsored by
★ This vulnerability can allow an attacker to use manual and/or automatic methods to try to gain control over any account they want in a system – or even worse – to gain complete control over the system. ★ The second most common form of this flaw is allowing users to brute force username/password combination against admin pages. Sponsored by Broken Authentication
How to detect Broken Authentication pages Sponsored by ★ Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords. ★ Uses plain text, encrypted, or weakly hashed passwords. ★ Has missing or ineffective multi-factor authentication. ★ Exposes session IDs in the URL (e.g., URL rewriting). ★ Does not rotate session IDs after successful login. ★ Does not properly invalidate session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren’t properly invalidated during logout or a period of inactivity. A web application contains a broken authentication vulnerability if it:
How to Prevent Broken Authentication ★ Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential reuse attacks. ★ Do not ship or deploy with any default credentials, particularly for admin users. ★ Implement weak-password checks, such as testing new or changed passwords against a list of the top 10,000 worst passwords. ★ Limit or increasingly delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected. ★ Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session IDs should not be in the URL. Ids should also be securely stored and invalidated after logout, idle, and absolute timeouts.
★ It consists of compromising data that should have been protected. ★ Some sensitive data that requires protection is: ○ Credentials ○ Credit card numbers ○ Social Security Numbers ○ Medical information ○ Personally identifiable information (PII) ○ Other personal information Sponsored by Sensitive Data Exposure
States of Data Sponsored by Stored Data: Data at Rest Transmitted Data: transmitted internally between servers, or to web browsers Data in Use: Currently being accessed
Real Examples of Sensitive Data Exposure Sponsored by
How to Prevent Sensitive Data Exposure ★ Classify data processed, stored, or transmitted by an application. ★ Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs. ★ Apply controls as per the classification. ★ Don’t store sensitive data unnecessarily. ★ Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen. ★ Make sure to encrypt all sensitive data at rest. ★ Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
How to Prevent Sensitive Data Exposure contd... ★ Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. ★ Enforce encryption using directives like HTTP Strict Transport Security (HSTS). ★ Disable caching for responses that contain sensitive data. ★ Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt, or PBKDF2. ★ Verify independently the effectiveness of configuration and settings.
Sponsored by
★ This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. ★ They mostly attack: ○ Vulnerable XML processors if malicious actors can upload XML or include hostile content in an XML document ○ Vulnerable code ○ Vulnerable dependencies ○ Vulnerable integrations Sponsored by XML External Entities (XXE)
How to Prevent XML External Entities ★ Whenever possible, use less complex data formats ,such as JSON, and avoid serialization of sensitive data. ★ Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system. ★ Use dependency checkers (update SOAP to SOAP 1.2 or higher). ★ Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet ‘XXE Prevention.’ ★ Implement positive (“whitelisting”) server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes. ★ Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.
Sponsored by
★ In website security, access control means putting a limit on what sections or pages visitors can reach, depending on their needs. ★ Examples of Broken access control; ○ Access to a hosting control / administrative panel ○ Access to a server via FTP / SFTP / SSH ○ Access to a website’s administrative panel ○ Access to other applications on your server ○ Access to a database Sponsored by Broken Access Control
How to Reduce the risk of Broken Access Control ★ Employ least privileged concepts – apply a role appropriate to the task and only for the amount of time necessary to complete said task and no more. ★ Get rid of accounts you don’t need or whose user no longer requires it. ★ Audit your servers and websites – who is doing what, when, and why. ★ If possible, apply multi-factor authentication to all your access points. ★ Disable access points until they are needed in order to reduce your access windows. ★ Remove unnecessary services off your server. ★ Check applications that are externally accessible versus applications that are tied to your network. ★ If you are developing a website, bear in mind that a production box should not be the place to develop, test, or push updates without testing.
How to Prevent Broken Access Control ★ Implement access control mechanisms once and reuse them throughout the application, including minimizing CORS usage. ★ Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record. ★ Unique application business limit requirements should be enforced by domain models. ★ Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots. ★ Log access control failures, alert admins when appropriate (e.g. repeated failures). ★ Rate limit API and controller access to minimize the harm from automated attack tooling. ★ JWT tokens should be invalidated on the server after logout.
★ Security misconfigurations can occur in the following places ○ Unpatched flaws ○ Default configurations ○ Unused pages ○ Unprotected files and directories ○ Unnecessary services Sponsored by Security Misconfigurations
Places Misconfigurations can Occur Sponsored by ★ Security Misconfigurations can happen at any level of stack: ○ Network services ○ Platform ○ Web server ○ Application server ○ Database ○ Frameworks ○ Custom code ○ Pre-installed virtual machines ○ Containers ○ Storage
How to Prevent Security Misconfigurations ★ Development, QA, and production environments should all be configured identically, with different credentials used in each environment. Automate this process in order to minimize the effort required to set up a new secure environment. ★ Remove or do not install unused features and frameworks. ★ Review cloud storage permissions, security notes, updates, and patches. ★ A segmented application architecture that provides effective and secure separation between components or tenants, with segmentation, containerization, or cloud security groups. ★ Sending security directives to clients, e.g. Security Headers. ★ An automated process to verify the effectiveness of the configurations and settings in all environments.
Sponsored by
★ XSS attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method. ★ it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker while loading the page. ★ XSS is present in about two-thirds of all applications. Sponsored by Cross-Site Scripting (XSS)
Types of XSS Sponsored by
Real Examples of XSS Sponsored by
How to Prevent Xss ★ Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. ★ Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The OWASP Cheat Sheet for XSS Prevention has details on the required data escaping techniques. ★ Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS. ★ Enabling a content security policy (CSP) is a defense-in-depth mitigating control against XSS.
Sponsored by
★ Every web developer needs to make peace with the fact that attackers/security researchers are going to try to play with everything that interacts with their application–from the URLs to serialized objects. ★ The process of serialization is converting objects to byte strings. ★ The process of deserialization is converting byte strings to objects. Sponsored by Insecure Deserialization
Example of Insecure Deserialization Sponsored by A PHP forum uses PHP object serialization to save a “super” cookie, containing the user’s user ID, role, password hash, and other state: a:4:{i:0;i:132;i:1;s:7:”Mallory”;i:2;s:4:”user”; i:3;s:32:”b6a8b3bea87fe0e05022f8f3c88bc960″;} An attacker changes the serialized object to give themselves admin privileges: a:4:{i:0;i:1;i:1;s:5:”Alice”;i:2;s:5:”admin”; i:3;s:32:”b6a8b3bea87fe0e05022f8f3c88bc960″;}
How to Prevent Insecure Deserialization ★ The best way to protect your web application from this type of risk is not to accept serialized objects from untrusted sources. If you can’t do this then try the following; ○ Implementing integrity checks such as digital signatures on any serialized objects to prevent hostile object creation or data tampering. ○ Enforcing strict type constraints during deserialization before object creation as the code typically expects a definable set of classes. ○ Isolating and running code that deserializes in low privilege environments when possible. ○ Logging deserialization exceptions and failures, such as where the incoming type is not the expected type, or the deserialization throws exceptions. ○ Restricting or monitoring incoming and outgoing network connectivity from containers or servers that deserialize. ○ Monitoring deserialization, alerting if a user deserializes constantly.
★ These days, even simple websites such as personal blogs have a lot of dependencies. We can all agree that failing to update every piece of software on the backend and frontend of a website will, without a doubt, introduce heavy security risks sooner rather than later. ★ In 2019, 56% of all CMS applications were out of date at the point of infection. Sponsored by Using Components with Known Vulnerabilities
Why aren’t we updating our software on time? Sponsored by ★ Webmasters/developers cannot keep up with the pace of the updates; after all, updating properly takes time. ★ Legacy code won’t work on newer versions of its dependencies. ★ Webmasters are scared that something will break on their website. ★ Webmasters don’t have the expertise to properly apply the update.
How to Avoid Using Components with Known Vulnerabilities ★ Remove all unnecessary dependencies. ★ Have an inventory of all your components on the client-side and server-side. ★ Monitor sources like Common Vulnerabilities and Disclosures (CVE) and National Vulnerability Database (NVD) for vulnerabilities in the components. ★ Obtain components only from official sources. ★ Get rid of components not actively maintained. ★ Use virtual patching with the help of a Website Application Firewall.
Sponsored by
★ While 100% security is not a realistic goal, there are ways to keep your website monitored on a regular basis so you can take immediate action when something happens. ★ Not having an efficient logging and monitoring process in place can increase the damage of a website compromise. Sponsored by Insufficient Logging and Monitoring
Examples of Insufficient Logging and Monitoring Sponsored by A major retailer reportedly had an internal malware analysis sandbox analyzing attachments. The sandbox software had detected potentially unwanted software, but no one responded to this detection. The sandbox had been producing warnings for some time before detecting the breach due to fraudulent card transactions by an external bank.
How to Prevent Insufficient Logging and Monitoring ★ Keeping audit logs are vital to staying on top of any suspicious change to your website. An audit log is a document that records the events in a website so you can spot anomalies and confirm with the person in charge that the account hasn’t been compromised. ★ Whatever the reason for running out-of-date software on your web application, you can’t leave it unprotected. Both TrueTesters and OWASP recommend virtual patching for the cases where patching is not possible.
Why TrueTesters? Our Area of Expertise
Conclusion Sponsored by
References Sponsored by ★ https://sucuri.net/ ★ Google Images ★ https://owasp.org/www-project-top-ten/ ★ https://medium.com/@cxosmo/owasp-top-10-real-world-examples-part-2 -3cdb3bebc976

Recommended

Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01
Vasan Ramadoss
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
Siddharth Phatarphod
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
Vivek Sinha Anurag
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 

Recommended

Secure Web Applications Ver0.01
Secure Web Applications Ver0.01Secure Web Applications Ver0.01
Secure Web Applications Ver0.01
Vasan Ramadoss
 
OWASP Top 10 2017
OWASP Top 10 2017OWASP Top 10 2017
OWASP Top 10 2017
Siddharth Phatarphod
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
OWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New VulnerabilitiesOWASP Top 10 2017 - New Vulnerabilities
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
Nikola Milosevic
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
Vivek Sinha Anurag
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall intro
Rich Helton
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
dcervigni
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
Preetish Panda
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
davidjohnrace
 
Anatomy Web Attack
Anatomy Web AttackAnatomy Web Attack
Anatomy Web Attack
Kelly Speiser
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
Security Innovation
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
Sean Jackson
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
Chandrapal Badshah
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest
 
The Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityThe Nitty Gritty of Website Security
The Nitty Gritty of Website Security
HTS Hosting
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014
Haitham Raik
 
QualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallQualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application Firewall
Risk Analysis Consultants, s.r.o.
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
Security Innovation
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
EnclaveSecurity
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
Marius Vorster
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security Tools
Lalit Kale
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013
Sorina Chirilă
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
Ashwini Paranjpe
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
owasp-pune
 

More Related Content

What's hot

Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall intro
Rich Helton
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
dcervigni
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
Preetish Panda
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
davidjohnrace
 
Anatomy Web Attack
Anatomy Web AttackAnatomy Web Attack
Anatomy Web Attack
Kelly Speiser
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
Security Innovation
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
Sean Jackson
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
Chandrapal Badshah
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
Geoffrey Vandiest
 
The Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityThe Nitty Gritty of Website Security
The Nitty Gritty of Website Security
HTS Hosting
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014
Haitham Raik
 
QualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallQualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application Firewall
Risk Analysis Consultants, s.r.o.
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
Security Innovation
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
EnclaveSecurity
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
Nikola Milosevic
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
Marius Vorster
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security Tools
Lalit Kale
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013
Sorina Chirilă
 

What's hot (20)

Web Application Firewall intro
Web Application Firewall introWeb Application Firewall intro
Web Application Firewall intro
 
Cm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protectionCm2 secure code_training_1day_data_protection
Cm2 secure code_training_1day_data_protection
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
Benefits of Web Application Firewall
Benefits of Web Application FirewallBenefits of Web Application Firewall
Benefits of Web Application Firewall
 
Anatomy Web Attack
Anatomy Web AttackAnatomy Web Attack
Anatomy Web Attack
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
Web Application Firewall
Web Application FirewallWeb Application Firewall
Web Application Firewall
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
The Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityThe Nitty Gritty of Website Security
The Nitty Gritty of Website Security
 
PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014PCI security requirements secure coding and code review 2014
PCI security requirements secure coding and code review 2014
 
QualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallQualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application Firewall
 
OWASP Top Ten in Practice
OWASP Top Ten in PracticeOWASP Top Ten in Practice
OWASP Top Ten in Practice
 
Benefits of web application firewalls
Benefits of web application firewallsBenefits of web application firewalls
Benefits of web application firewalls
 
Web application security
Web application securityWeb application security
Web application security
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
Application Security Tools
Application Security ToolsApplication Security Tools
Application Security Tools
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013 A5-Security misconfiguration-OWASP 2013
A5-Security misconfiguration-OWASP 2013
 

Similar to Truetesters presents OWASP Top 10 Web Vulnerability

Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
Ashwini Paranjpe
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
owasp-pune
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
LogeekNightUkraine
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
ibrahimumer2
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
bilcorry
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security
Dilip Sharma
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
SamsonMuoki
 
Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)
Mike Tetreault
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01
Richard Sullivan
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Edouard de Lansalut
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
Rohitha Liyanagama
 
Aws training in bangalore
Aws training in bangalore Aws training in bangalore
Aws training in bangalore
apponix123
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
Akash Mahajan
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Cyber security issues
Cyber security issuesCyber security issues
Cyber security issues
mmubashirkhan
 

Similar to Truetesters presents OWASP Top 10 Web Vulnerability (20)

Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
OWASP, Application Security
OWASP, Application Security OWASP, Application Security
OWASP, Application Security
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)Threat Modeling for Web Applications (and other duties as assigned)
Threat Modeling for Web Applications (and other duties as assigned)
 
Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01Soteria Cybersecurity Healthcheck-FB01
Soteria Cybersecurity Healthcheck-FB01
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
 
Aws training in bangalore
Aws training in bangalore Aws training in bangalore
Aws training in bangalore
 
Top 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajanTop 10 web application security risks akash mahajan
Top 10 web application security risks akash mahajan
 
OWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risksOWASP Top 10 - 2017 Top 10 web application security risks
OWASP Top 10 - 2017 Top 10 web application security risks
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
Cyber security issues
Cyber security issuesCyber security issues
Cyber security issues
 

Recently uploaded

Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
HarisZaheer8
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Tatiana Kojar
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
Data Hops
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 

Recently uploaded (20)

Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 

Truetesters presents OWASP Top 10 Web Vulnerability

  • 1. OWASP Top 10 Web Vulnerability Presented by TrueTesters. Testing your system before the bad guys do. Sponsored by
  • 3. What is OWASP? What is the OWASP Top 10?
  • 4. ★ A code injection happens when an attacker sends invalid data to the web application with the intention to make it do something that the application was not designed/ programmed to do. ★ String query = “SELECT * FROM accounts WHERE custID = ‘” + request.getParameter(“id”) + “‘”; Sponsored by Injection
  • 5. Real Examples of SQL Injection Sponsored by
  • 6. How to Prevent SQL Injection ★ Use Positive or whitelist server side input validation ★ Use a Web Application Firewall ★ Escape user supplied inputs ★ Use Stored Procedures
  • 8. ★ This vulnerability can allow an attacker to use manual and/or automatic methods to try to gain control over any account they want in a system – or even worse – to gain complete control over the system. ★ The second most common form of this flaw is allowing users to brute force username/password combination against admin pages. Sponsored by Broken Authentication
  • 9. How to detect Broken Authentication pages Sponsored by ★ Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords. ★ Uses plain text, encrypted, or weakly hashed passwords. ★ Has missing or ineffective multi-factor authentication. ★ Exposes session IDs in the URL (e.g., URL rewriting). ★ Does not rotate session IDs after successful login. ★ Does not properly invalidate session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) aren’t properly invalidated during logout or a period of inactivity. A web application contains a broken authentication vulnerability if it:
  • 10. How to Prevent Broken Authentication ★ Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential reuse attacks. ★ Do not ship or deploy with any default credentials, particularly for admin users. ★ Implement weak-password checks, such as testing new or changed passwords against a list of the top 10,000 worst passwords. ★ Limit or increasingly delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force, or other attacks are detected. ★ Use a server-side, secure, built-in session manager that generates a new random session ID with high entropy after login. Session IDs should not be in the URL. Ids should also be securely stored and invalidated after logout, idle, and absolute timeouts.
  • 11.
  • 12. ★ It consists of compromising data that should have been protected. ★ Some sensitive data that requires protection is: ○ Credentials ○ Credit card numbers ○ Social Security Numbers ○ Medical information ○ Personally identifiable information (PII) ○ Other personal information Sponsored by Sensitive Data Exposure
  • 13. States of Data Sponsored by Stored Data: Data at Rest Transmitted Data: transmitted internally between servers, or to web browsers Data in Use: Currently being accessed
  • 14. Real Examples of Sensitive Data Exposure Sponsored by
  • 15. How to Prevent Sensitive Data Exposure ★ Classify data processed, stored, or transmitted by an application. ★ Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs. ★ Apply controls as per the classification. ★ Don’t store sensitive data unnecessarily. ★ Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen. ★ Make sure to encrypt all sensitive data at rest. ★ Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
  • 16. How to Prevent Sensitive Data Exposure contd... ★ Encrypt all data in transit with secure protocols such as TLS with perfect forward secrecy (PFS) ciphers, cipher prioritization by the server, and secure parameters. ★ Enforce encryption using directives like HTTP Strict Transport Security (HSTS). ★ Disable caching for responses that contain sensitive data. ★ Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt, or PBKDF2. ★ Verify independently the effectiveness of configuration and settings.
  • 18. ★ This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. ★ They mostly attack: ○ Vulnerable XML processors if malicious actors can upload XML or include hostile content in an XML document ○ Vulnerable code ○ Vulnerable dependencies ○ Vulnerable integrations Sponsored by XML External Entities (XXE)
  • 19. How to Prevent XML External Entities ★ Whenever possible, use less complex data formats ,such as JSON, and avoid serialization of sensitive data. ★ Patch or upgrade all XML processors and libraries in use by the application or on the underlying operating system. ★ Use dependency checkers (update SOAP to SOAP 1.2 or higher). ★ Disable XML external entity and DTD processing in all XML parsers in the application, as per the OWASP Cheat Sheet ‘XXE Prevention.’ ★ Implement positive (“whitelisting”) server-side input validation, filtering, or sanitization to prevent hostile data within XML documents, headers, or nodes. ★ Verify that XML or XSL file upload functionality validates incoming XML using XSD validation or similar.
  • 21. ★ In website security, access control means putting a limit on what sections or pages visitors can reach, depending on their needs. ★ Examples of Broken access control; ○ Access to a hosting control / administrative panel ○ Access to a server via FTP / SFTP / SSH ○ Access to a website’s administrative panel ○ Access to other applications on your server ○ Access to a database Sponsored by Broken Access Control
  • 22. How to Reduce the risk of Broken Access Control ★ Employ least privileged concepts – apply a role appropriate to the task and only for the amount of time necessary to complete said task and no more. ★ Get rid of accounts you don’t need or whose user no longer requires it. ★ Audit your servers and websites – who is doing what, when, and why. ★ If possible, apply multi-factor authentication to all your access points. ★ Disable access points until they are needed in order to reduce your access windows. ★ Remove unnecessary services off your server. ★ Check applications that are externally accessible versus applications that are tied to your network. ★ If you are developing a website, bear in mind that a production box should not be the place to develop, test, or push updates without testing.
  • 23. How to Prevent Broken Access Control ★ Implement access control mechanisms once and reuse them throughout the application, including minimizing CORS usage. ★ Model access controls should enforce record ownership, rather than accepting that the user can create, read, update, or delete any record. ★ Unique application business limit requirements should be enforced by domain models. ★ Disable web server directory listing and ensure file metadata (e.g. .git) and backup files are not present within web roots. ★ Log access control failures, alert admins when appropriate (e.g. repeated failures). ★ Rate limit API and controller access to minimize the harm from automated attack tooling. ★ JWT tokens should be invalidated on the server after logout.
  • 24.
  • 25. ★ Security misconfigurations can occur in the following places ○ Unpatched flaws ○ Default configurations ○ Unused pages ○ Unprotected files and directories ○ Unnecessary services Sponsored by Security Misconfigurations
  • 26. Places Misconfigurations can Occur Sponsored by ★ Security Misconfigurations can happen at any level of stack: ○ Network services ○ Platform ○ Web server ○ Application server ○ Database ○ Frameworks ○ Custom code ○ Pre-installed virtual machines ○ Containers ○ Storage
  • 27. How to Prevent Security Misconfigurations ★ Development, QA, and production environments should all be configured identically, with different credentials used in each environment. Automate this process in order to minimize the effort required to set up a new secure environment. ★ Remove or do not install unused features and frameworks. ★ Review cloud storage permissions, security notes, updates, and patches. ★ A segmented application architecture that provides effective and secure separation between components or tenants, with segmentation, containerization, or cloud security groups. ★ Sending security directives to clients, e.g. Security Headers. ★ An automated process to verify the effectiveness of the configurations and settings in all environments.
  • 29. ★ XSS attacks consist of injecting malicious client-side scripts into a website and using the website as a propagation method. ★ it allows an attacker to inject content into a website and modify how it is displayed, forcing a victim’s browser to execute the code provided by the attacker while loading the page. ★ XSS is present in about two-thirds of all applications. Sponsored by Cross-Site Scripting (XSS)
  • 31. Real Examples of XSS Sponsored by
  • 32. How to Prevent Xss ★ Using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails, React JS. ★ Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The OWASP Cheat Sheet for XSS Prevention has details on the required data escaping techniques. ★ Applying context-sensitive encoding when modifying the browser document on the client side acts against DOM XSS. ★ Enabling a content security policy (CSP) is a defense-in-depth mitigating control against XSS.
  • 34. ★ Every web developer needs to make peace with the fact that attackers/security researchers are going to try to play with everything that interacts with their application–from the URLs to serialized objects. ★ The process of serialization is converting objects to byte strings. ★ The process of deserialization is converting byte strings to objects. Sponsored by Insecure Deserialization
  • 35. Example of Insecure Deserialization Sponsored by A PHP forum uses PHP object serialization to save a “super” cookie, containing the user’s user ID, role, password hash, and other state: a:4:{i:0;i:132;i:1;s:7:”Mallory”;i:2;s:4:”user”; i:3;s:32:”b6a8b3bea87fe0e05022f8f3c88bc960″;} An attacker changes the serialized object to give themselves admin privileges: a:4:{i:0;i:1;i:1;s:5:”Alice”;i:2;s:5:”admin”; i:3;s:32:”b6a8b3bea87fe0e05022f8f3c88bc960″;}
  • 36. How to Prevent Insecure Deserialization ★ The best way to protect your web application from this type of risk is not to accept serialized objects from untrusted sources. If you can’t do this then try the following; ○ Implementing integrity checks such as digital signatures on any serialized objects to prevent hostile object creation or data tampering. ○ Enforcing strict type constraints during deserialization before object creation as the code typically expects a definable set of classes. ○ Isolating and running code that deserializes in low privilege environments when possible. ○ Logging deserialization exceptions and failures, such as where the incoming type is not the expected type, or the deserialization throws exceptions. ○ Restricting or monitoring incoming and outgoing network connectivity from containers or servers that deserialize. ○ Monitoring deserialization, alerting if a user deserializes constantly.
  • 37.
  • 38. ★ These days, even simple websites such as personal blogs have a lot of dependencies. We can all agree that failing to update every piece of software on the backend and frontend of a website will, without a doubt, introduce heavy security risks sooner rather than later. ★ In 2019, 56% of all CMS applications were out of date at the point of infection. Sponsored by Using Components with Known Vulnerabilities
  • 39. Why aren’t we updating our software on time? Sponsored by ★ Webmasters/developers cannot keep up with the pace of the updates; after all, updating properly takes time. ★ Legacy code won’t work on newer versions of its dependencies. ★ Webmasters are scared that something will break on their website. ★ Webmasters don’t have the expertise to properly apply the update.
  • 40. How to Avoid Using Components with Known Vulnerabilities ★ Remove all unnecessary dependencies. ★ Have an inventory of all your components on the client-side and server-side. ★ Monitor sources like Common Vulnerabilities and Disclosures (CVE) and National Vulnerability Database (NVD) for vulnerabilities in the components. ★ Obtain components only from official sources. ★ Get rid of components not actively maintained. ★ Use virtual patching with the help of a Website Application Firewall.
  • 42. ★ While 100% security is not a realistic goal, there are ways to keep your website monitored on a regular basis so you can take immediate action when something happens. ★ Not having an efficient logging and monitoring process in place can increase the damage of a website compromise. Sponsored by Insufficient Logging and Monitoring
  • 43. Examples of Insufficient Logging and Monitoring Sponsored by A major retailer reportedly had an internal malware analysis sandbox analyzing attachments. The sandbox software had detected potentially unwanted software, but no one responded to this detection. The sandbox had been producing warnings for some time before detecting the breach due to fraudulent card transactions by an external bank.
  • 44. How to Prevent Insufficient Logging and Monitoring ★ Keeping audit logs are vital to staying on top of any suspicious change to your website. An audit log is a document that records the events in a website so you can spot anomalies and confirm with the person in charge that the account hasn’t been compromised. ★ Whatever the reason for running out-of-date software on your web application, you can’t leave it unprotected. Both TrueTesters and OWASP recommend virtual patching for the cases where patching is not possible.
  • 46.
  • 48. References Sponsored by ★ https://sucuri.net/ ★ Google Images ★ https://owasp.org/www-project-top-ten/ ★ https://medium.com/@cxosmo/owasp-top-10-real-world-examples-part-2 -3cdb3bebc976