SlideShare a Scribd company logo

Web application Security tools

Download as PPTX, PDF
Nico Penaredondo
Nico Penaredondo

My report for GEIT-862 class.

Software
1 of 21
Web Application Security Tools (GEIT-862) Information Risk Assessment and Security Management
I am Nico Penaredondo Software Developer @ UP-ITDC
Web Application Security is a branch of Information Security that deals specifically with security of websites, web applications and web services.
2013 OWASP Top 10 # 2010 2013 1 Injection Injection 2 Cross-Site Scripting(XSS) Broken Authentication & Session Management 3 Broken Authentication & Session Management Cross-Site Scripting(XSS) 4 Insecure Direct Object Reference Insecure Direct Object Reference 5 Cross-Site Request Forgery(CSRF) Security Misconfiguration Source : https://www.owasp.org/index.php/Top_10_2013-Top_10
2013 OWASP Top 10 # 2010 2013 6 Security Misconfiguration Sensitivate Data Exposure 7 Insecure Cryptographic Storage Missing Function Level Access Control 8 Failued to Restrict URL Access Cross-Site Request Forgery(CSRF) 9 Insufficiend Transport Layer Protection Using Components w/ known vulnerabilities 10 Unvalidated Forwards and Redirects Unvalidated Forwards and Redirects Source : https://www.owasp.org/index.php/Top_10_2013-Top_10
(OWASP) Open Web Application Security Project is a worldwide non-profit charitable organization focused on improving the security of software
Web Application Attack StatisticsSource : https://www.owasp.org/index.php/Top_10_2013-Top_10
$3,100,000/yr Average Cost of Web Application Attacks Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
78% Organizations that have had web applications COMPROMISED Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
69% Said that a web application firewall (WAF) is necessary or critical Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
Top 3 Reasons to Secure Web Applications Protection of Data Revenue Loss Compliance Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
Number of full-time employees needed to manage a web application firewall Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
117,339Average security incidents around the world per day (2014) Source :http://www.cgma.org/magazine/news/pages/201411089.aspx
This slide is intentionally left blank
(ZAP) Zed Attack Proxy is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Acunetix Automatically crawls and scans off-the-shelf and custom-built websites and web applications for SQL Injection, XSS, XXE, SSRF, Host Header Attacks & over 500 other web vulnerabilities.
Acunetix is a fully automated web browser that can understand and interact with complex web technologies such as AJAX, SOAP/WSDL, SOAP/WCF, REST/WADL, XML, JSON, Google Web Toolkit (GWT) and CRUD operations just like a regular browser would. Acunetix can crawl complex web application architectures including JavaScript-heavy HTML5 Single Page Applications while being able to scan restricted areas automatically and with ease.
Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities.
Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows. Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: Javascript.
Thank you

Recommended

How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?ONE BCG
 
Social engineering
Social engineeringSocial engineering
Social engineeringMaulik Kotak
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingn|u - The Open Security Community
 

Recommended

How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?ONE BCG
 
Social engineering
Social engineeringSocial engineering
Social engineeringMaulik Kotak
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingn|u - The Open Security Community
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Frameworkjpubal
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Abhinav Mishra
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3ShivamSharma909
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseSurya Subhash
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chainAnkita Ganguly
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn WilsonOWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn WilsonAlex Cachia
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
 
BUZZ #MTL
BUZZ #MTLBUZZ #MTL
BUZZ #MTLtnmediagroup
 

More Related Content

What's hot

OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Frameworkjpubal
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test ProfessionalsTechWell
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Abhinav Mishra
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3ShivamSharma909
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseSurya Subhash
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn WilsonOWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn WilsonAlex Cachia
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SASTBlueinfy Solutions
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 

What's hot (20)

OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Web Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management FrameworkWeb Application Security Vulnerability Management Framework
Web Application Security Vulnerability Management Framework
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Security Testing for Test Professionals
Security Testing for Test ProfessionalsSecurity Testing for Test Professionals
Security Testing for Test Professionals
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Introduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & DefenseIntroduction to CSRF Attacks & Defense
Introduction to CSRF Attacks & Defense
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
Cyber kill chain
Cyber kill chainCyber kill chain
Cyber kill chain
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn WilsonOWASP Top 10 2021 - let's take a closer look by Glenn Wilson
OWASP Top 10 2021 - let's take a closer look by Glenn Wilson
 
Source Code Analysis with SAST
Source Code Analysis with SASTSource Code Analysis with SAST
Source Code Analysis with SAST
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Security testing
Security testingSecurity testing
Security testing
 

Viewers also liked

Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012David Mirza
 
Feresin Catina, Agostini Tiziano, Nila Saviolo Negrin, 1998
Feresin Catina, Agostini Tiziano, Nila Saviolo Negrin, 1998Feresin Catina, Agostini Tiziano, Nila Saviolo Negrin, 1998
Feresin Catina, Agostini Tiziano, Nila Saviolo Negrin, 1998Catina Feresin
 
USA & Canada including Latin America 2017 - Globus
USA & Canada including Latin America 2017 - GlobusUSA & Canada including Latin America 2017 - Globus
USA & Canada including Latin America 2017 - Globusglobusaustralia
 
Kira Mandon Portfolio 2015
Kira Mandon Portfolio 2015Kira Mandon Portfolio 2015
Kira Mandon Portfolio 2015Kira Mandon
 
[Vnmath.com] bai giang-trong_tam_ve_ham_so_thay_dang_viet_hung
[Vnmath.com] bai giang-trong_tam_ve_ham_so_thay_dang_viet_hung[Vnmath.com] bai giang-trong_tam_ve_ham_so_thay_dang_viet_hung
[Vnmath.com] bai giang-trong_tam_ve_ham_so_thay_dang_viet_hungĐức Mạnh Ngô
 
20150316 wbpf training short presentation for SlideShare
20150316 wbpf training short presentation for SlideShare20150316 wbpf training short presentation for SlideShare
20150316 wbpf training short presentation for SlideShareJun Ito
 
6 tips to help you float through a depressive episode
6 tips to help you float through a depressive episode6 tips to help you float through a depressive episode
6 tips to help you float through a depressive episodeJocelyn Steffen
 
Apprendimento e multimedialità
Apprendimento e multimedialitàApprendimento e multimedialità
Apprendimento e multimedialitàCatina Feresin
 
Vitamin D is Now the Most Popular Vitamin
Vitamin D is Now the Most Popular VitaminVitamin D is Now the Most Popular Vitamin
Vitamin D is Now the Most Popular Vitamingreedycabin1256
 

Viewers also liked (13)

Subgraph vega countermeasure2012
Subgraph vega countermeasure2012Subgraph vega countermeasure2012
Subgraph vega countermeasure2012
 
BUZZ #MTL
BUZZ #MTLBUZZ #MTL
BUZZ #MTL
 
Feresin Catina, Agostini Tiziano, Nila Saviolo Negrin, 1998
Feresin Catina, Agostini Tiziano, Nila Saviolo Negrin, 1998Feresin Catina, Agostini Tiziano, Nila Saviolo Negrin, 1998
Feresin Catina, Agostini Tiziano, Nila Saviolo Negrin, 1998
 
USA & Canada including Latin America 2017 - Globus
USA & Canada including Latin America 2017 - GlobusUSA & Canada including Latin America 2017 - Globus
USA & Canada including Latin America 2017 - Globus
 
Kira Mandon Portfolio 2015
Kira Mandon Portfolio 2015Kira Mandon Portfolio 2015
Kira Mandon Portfolio 2015
 
[Vnmath.com] bai giang-trong_tam_ve_ham_so_thay_dang_viet_hung
[Vnmath.com] bai giang-trong_tam_ve_ham_so_thay_dang_viet_hung[Vnmath.com] bai giang-trong_tam_ve_ham_so_thay_dang_viet_hung
[Vnmath.com] bai giang-trong_tam_ve_ham_so_thay_dang_viet_hung
 
20150316 wbpf training short presentation for SlideShare
20150316 wbpf training short presentation for SlideShare20150316 wbpf training short presentation for SlideShare
20150316 wbpf training short presentation for SlideShare
 
Promoting Greece
Promoting GreecePromoting Greece
Promoting Greece
 
6 tips to help you float through a depressive episode
6 tips to help you float through a depressive episode6 tips to help you float through a depressive episode
6 tips to help you float through a depressive episode
 
richardjohnz
richardjohnzrichardjohnz
richardjohnz
 
тренинг
тренингтренинг
тренинг
 
Apprendimento e multimedialità
Apprendimento e multimedialitàApprendimento e multimedialità
Apprendimento e multimedialità
 
Vitamin D is Now the Most Popular Vitamin
Vitamin D is Now the Most Popular VitaminVitamin D is Now the Most Popular Vitamin
Vitamin D is Now the Most Popular Vitamin
 

Similar to Web application Security tools

Acunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability ScannerAcunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability ScannerComguard India
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010Aditya K Sood
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Braindev Kyiv
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptOWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptjangomanso
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Vaibhav Gupta
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperBhagyashri Chalakh
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scannerswensheng wei
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityLarry Ball
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap ItManjyot Singh
 
Security testing zap it
Security testing zap itSecurity testing zap it
Security testing zap itvodqancr
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015devObjective
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 

Similar to Web application Security tools (20)

Acunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability ScannerAcunetix - Web Vulnerability Scanner
Acunetix - Web Vulnerability Scanner
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
OWASP App Sec US - 2010
OWASP App Sec US - 2010OWASP App Sec US - 2010
OWASP App Sec US - 2010
 
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
Sergey Kochergan - OWASP Top 10 Web Application Vulnerabilities
 
T04505103106
T04505103106T04505103106
T04505103106
 
OWASP
OWASPOWASP
OWASP
 
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.pptOWASP_Top_10_Introduction_and_Remedies_2017.ppt
OWASP_Top_10_Introduction_and_Remedies_2017.ppt
 
Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019Atelier Technique - F5 - #ACSS2019
Atelier Technique - F5 - #ACSS2019
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paper
 
Top 10 Web Vulnerability Scanners
Top 10 Web Vulnerability ScannersTop 10 Web Vulnerability Scanners
Top 10 Web Vulnerability Scanners
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Security Testing - Zap It
Security Testing - Zap ItSecurity Testing - Zap It
Security Testing - Zap It
 
Security testing zap it
Security testing zap itSecurity testing zap it
Security testing zap it
 
OWASP -Top 5 Jagjit
OWASP -Top 5 JagjitOWASP -Top 5 Jagjit
OWASP -Top 5 Jagjit
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 

Recently uploaded

cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningVitsRangannavar
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationkaushalgiri8080
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 

Recently uploaded (20)

cybersecurity notes for mca students for learning
cybersecurity notes for mca students for learningcybersecurity notes for mca students for learning
cybersecurity notes for mca students for learning
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Naraina Delhi 💯Call Us 🔝8264348440🔝
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 

Web application Security tools

  • 1. Web Application Security Tools (GEIT-862) Information Risk Assessment and Security Management
  • 2. I am Nico Penaredondo Software Developer @ UP-ITDC
  • 3. Web Application Security is a branch of Information Security that deals specifically with security of websites, web applications and web services.
  • 4. 2013 OWASP Top 10 # 2010 2013 1 Injection Injection 2 Cross-Site Scripting(XSS) Broken Authentication & Session Management 3 Broken Authentication & Session Management Cross-Site Scripting(XSS) 4 Insecure Direct Object Reference Insecure Direct Object Reference 5 Cross-Site Request Forgery(CSRF) Security Misconfiguration Source : https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 5. 2013 OWASP Top 10 # 2010 2013 6 Security Misconfiguration Sensitivate Data Exposure 7 Insecure Cryptographic Storage Missing Function Level Access Control 8 Failued to Restrict URL Access Cross-Site Request Forgery(CSRF) 9 Insufficiend Transport Layer Protection Using Components w/ known vulnerabilities 10 Unvalidated Forwards and Redirects Unvalidated Forwards and Redirects Source : https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 6. (OWASP) Open Web Application Security Project is a worldwide non-profit charitable organization focused on improving the security of software
  • 7. Web Application Attack StatisticsSource : https://www.owasp.org/index.php/Top_10_2013-Top_10
  • 8. $3,100,000/yr Average Cost of Web Application Attacks Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
  • 9. 78% Organizations that have had web applications COMPROMISED Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
  • 10. 69% Said that a web application firewall (WAF) is necessary or critical Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
  • 11. Top 3 Reasons to Secure Web Applications Protection of Data Revenue Loss Compliance Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
  • 12. Number of full-time employees needed to manage a web application firewall Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
  • 13. 117,339Average security incidents around the world per day (2014) Source :http://www.cgma.org/magazine/news/pages/201411089.aspx
  • 14. This slide is intentionally left blank
  • 15. (ZAP) Zed Attack Proxy is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.
  • 16. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
  • 17. Acunetix Automatically crawls and scans off-the-shelf and custom-built websites and web applications for SQL Injection, XSS, XXE, SSRF, Host Header Attacks & over 500 other web vulnerabilities.
  • 18. Acunetix is a fully automated web browser that can understand and interact with complex web technologies such as AJAX, SOAP/WSDL, SOAP/WCF, REST/WADL, XML, JSON, Google Web Toolkit (GWT) and CRUD operations just like a regular browser would. Acunetix can crawl complex web application architectures including JavaScript-heavy HTML5 Single Page Applications while being able to scan restricted areas automatically and with ease.
  • 19. Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities.
  • 20. Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows. Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: Javascript.