Owasp top 10 vulnerabilities

OWASPdelhi 5,249 views 19 slides Apr 01, 2019

About This Presentation

Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the following four vulnerabilities:
Injection
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring


Slide Content

OWASP Top 10 Vulnerabilities By: Saman Fatima and Aarti Bala

Agenda OWASP Top 10 Vulnerabilities Injection Sensitive Data Exposure Cross Site Scripting (XSS) Insufficient logging and monitoring

OWASP Top 10:2017 release
#1: Injection
#2: Broken Authentication & Session Management
#3: Sensitive Data Exposure
#4: XML External Entities (XXE)
#5: Broken Access Control
#6: Security Misconfiguration
#7: Cross-Site Scripting (XSS)
#8: Insecure Deserialization
#9: Using Components with Known Vulnerabilities
#10: Insufficient Logging & Monitoring

#1: Injection Injection sits at the head of the OWASP Top 10, and injection flaws, particularly SQL injection, remain common in web applications. Injection occurs when user-supplied data is sent to an interpreter (SQL, LDAP, an OS shell, an XML or XPath engine) as part of a command or query without being kept separate from the command itself. The attacker's hostile data tricks the interpreter into executing unintended commands or into reading or changing data it should not.
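As an added example (not from the slides), the classic login bypass against string-built SQL, next to the parameterised query that defeats it. The in-memory SQLite table and the two users are constructed for the demo; passwords are kept in plain text here only to keep the injection point small, which is itself the #3 problem below.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory SQLite database with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # User input is spliced straight into the query text, so the interpreter
    # (SQLite) cannot tell where the data ends and the command begins.
    query = (
        "SELECT id FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterised query: the values travel separately from the statement,
    # so a quote in the input is just a character, never SQL syntax.
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    conn = make_db()
    # Supplying this as both fields turns the WHERE clause into
    #   username = '' OR '1'='1' AND password = '' OR '1'='1'
    # which is always true, so the first user row comes back.
    payload = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "bypass_vulnerable": login_vulnerable(conn, payload, payload),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "bypass_safe": login_safe(conn, payload, payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The same payload that logs in against `login_vulnerable` is rejected by `login_safe`, and no input filtering is involved: the fix is structural, not a blacklist of quote characters.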

#2: Broken Authentication & Session Management Flaws in how an application verifies identity and manages sessions (weak or default passwords, unthrottled login attempts that permit credential stuffing, session identifiers exposed in URLs or not invalidated on logout) let an unauthenticated attacker take over accounts, and with them the valuable data those accounts hold, especially personally identifiable information.

#3: Sensitive Data Exposure Sensitive data such as credit card numbers, health records or passwords needs extra protection, given the damage done if it falls into the wrong hands. If data is stored or transmitted in plain text, if old or weak cryptography is used, or if data is decrypted or keys are handled carelessly, an attacker who reaches the data can read and exploit it.
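Added example (not from the slides) for the password case: the three storage choices the slide contrasts, side by side. Plain text and unsalted MD5 are the "plain text" and "older/weaker" options; the hardened version uses a random per-user salt and PBKDF2-HMAC-SHA256 from the standard library. The iteration count follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-SHA256; in production a dedicated library (argon2, bcrypt) is the more usual choice.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # OWASP cheat-sheet figure for PBKDF2-HMAC-SHA256


def store_plaintext(password):
    # What the slide warns about: the secret itself is what ends up on disk.
    return password


def store_unsalted_md5(password):
    # "Older/weaker" protection: a fast hash with no salt. Equal passwords
    # give equal hashes and precomputed tables crack them in seconds.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None):
    # Random per-user salt plus a deliberately slow key derivation. The stored
    # string carries its own parameters, so the cost can be raised later
    # without invalidating existing records.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: %s" % algo)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison: a plain == leaks how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(store_plaintext("hunter2"))
    print(store_unsalted_md5("hunter2"))
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
```

Two users with the same password get two different `hash_password` records, while `store_unsalted_md5` gives them the same value, which is exactly what an attacker with a database dump looks for first.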

#4: XML External Entities XML is a data format used to describe structured data. XML documents can also declare "entities", named values that the parser substitutes as it reads the document. External entities can reference remote or local content, a feature as harmless-looking as pulling a current stock price from a third-party website. If the application hands attacker-controlled XML to a parser with external entity processing enabled, the attacker can declare an entity that points at a local file or an internal URL and have its contents returned in the response or sent to a server they control. If sensitive files sit at common or default paths, the attacker's job is easy.

#5: Broken Access Control Access control, or authorization, is how web apps let different users reach different content, data or functions. Sometimes gaining unauthorized access is as simple as typing an unlinked URL into the browser, such as http://example.com/admin, or changing a record identifier in a URL to someone else's. As with other vulnerabilities, attackers can read (or modify) data, accounts and functions they should not be able to reach.
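Added example (not from the slides) showing the two failure modes above in request handlers: a function-level check missing on an "unlinked" admin page, and an object-level check missing on a record lookup (the case usually called IDOR). Users, roles and invoices are constructed data; the handler signatures are an assumption standing in for whatever framework the app uses.

```python
# Constructed sample data for the demo.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
INVOICES = {
    1: {"owner": "alice", "amount": 120},
    2: {"owner": "bob", "amount": 80},
}


class Forbidden(Exception):
    pass


def admin_panel_vulnerable(user):
    # The "unlinked URL" case: /admin is simply not shown in the menu for
    # ordinary users, but anyone who types the URL gets the page.
    return "admin panel"


def admin_panel_safe(user):
    # Authorisation is enforced server-side on every request; hiding the
    # link is not a control.
    if USERS[user]["role"] != "admin":
        raise Forbidden(user)
    return "admin panel"


def get_invoice_vulnerable(user, invoice_id):
    # Object-level flaw: the id taken from the URL is trusted as-is, so
    # alice can fetch bob's invoice by changing 1 to 2.
    return INVOICES[invoice_id]


def get_invoice_safe(user, invoice_id):
    inv = INVOICES.get(invoice_id)
    # Deny by default. A missing record gets the same Forbidden as someone
    # else's record, so the endpoint cannot be used to enumerate valid ids.
    if inv is None or (inv["owner"] != user and USERS[user]["role"] != "admin"):
        raise Forbidden(user)
    return inv


def can_access(handler, user, *args):
    """Return True if the handler serves the request, False if it refuses."""
    try:
        handler(user, *args)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("alice -> /admin (vulnerable):", can_access(admin_panel_vulnerable, "alice"))
    print("alice -> /admin (safe):", can_access(admin_panel_safe, "alice"))
    print("alice -> invoice 2 (vulnerable):", can_access(get_invoice_vulnerable, "alice", 2))
    print("alice -> invoice 2 (safe):", can_access(get_invoice_safe, "alice", 2))
```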

#6: Security Misconfiguration Security misconfiguration arises when security settings are left at their insecure defaults, or are not defined, implemented and maintained at all.
Example #1: The app server admin console is installed automatically and never removed.
Example #2: Directory listing is not disabled on the web server.
Example #3: The app server is configured to return stack traces to users, exposing internals and underlying flaws.
Example #4: The app server ships with sample applications that are left on the production server.

#7: Cross-Site Scripting Cross-site scripting (XSS) is a client-side code injection attack. The attacker aims to execute a malicious script in the victim's browser by getting the application to include attacker-supplied input in a legitimate page without encoding it for the HTML context it lands in. The actual attack occurs when the victim visits the page that carries the injected script: the trusted web page or web application becomes the vehicle that delivers the attacker's script to the user's browser, where it runs with the user's session.
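Added example (not from the slides): a comment renderer that interpolates user input into HTML, the same renderer with output encoding, and the URL-attribute case that encoding alone does not cover. The comment payload and the page fragment are constructed; a real template engine would do the escaping, but the rules it applies are the ones shown here.

```python
import html
from urllib.parse import urlparse


def render_comment_vulnerable(author, text):
    # Untrusted text is dropped straight into the markup, so "<script>" in a
    # comment becomes a script element in every visitor's page.
    return "<p><b>%s</b>: %s</p>" % (author, text)


def render_comment_safe(author, text):
    # Encode for the HTML text context: < > & " ' become entities, so the
    # browser shows the characters instead of parsing them as tags.
    return "<p><b>%s</b>: %s</p>" % (html.escape(author), html.escape(text))


def render_link_safe(url):
    # An href is a different context: "javascript:alert(1)" contains no
    # special characters, so escaping leaves it fully functional. Allow only
    # http(s) and encode the survivor for the attribute.
    scheme = urlparse(url).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"
    return '<a href="%s">link</a>' % html.escape(url, quote=True)


PAYLOAD = "<script>alert(document.cookie)</script>"  # constructed attack input


if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", PAYLOAD))
    print(render_comment_safe("mallory", PAYLOAD))
    print(render_link_safe("javascript:alert(1)"))
    print(render_link_safe('https://example.com/?q="><script>x</script>'))
```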

#8: Insecure Deserialization Insecure deserialization occurs when untrusted data is deserialized and the resulting objects are used to abuse application logic, cause a denial of service, or even execute arbitrary code during deserialization itself. Serialization formats that can rebuild arbitrary object types are frequently abusable whenever the application deserializes data the attacker controls.
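Added example (not from the slides) using Python's `pickle`, whose object-rebuild hook (`__reduce__`) is the standard illustration of "code runs when the data is loaded". The payload calls a harmless `record` function defined here in place of the `os.system` call a real attacker would pick; the session blob format and its validation rules are assumptions for the demo.

```python
import json
import pickle

EXECUTED = []  # records proof that unpickling ran attacker-chosen code


def record(msg):
    # Stand-in for the callable an attacker would really choose.
    EXECUTED.append(msg)
    return msg


class Malicious:
    # pickle lets an object describe how to rebuild itself as (callable, args).
    # pickle.loads invokes that callable before any application code sees
    # the result, which is what makes untrusted pickle data dangerous.
    def __reduce__(self):
        return (record, ("arbitrary code ran inside pickle.loads",))


def attacker_payload():
    # The attacker serialises the object once and sends the bytes as a
    # "session cookie" or message; the class never has to exist on the server.
    return pickle.dumps(Malicious())


def load_session_vulnerable(blob):
    return pickle.loads(blob)


def load_session_safe(blob):
    # A data-only format plus explicit validation: json.loads builds only
    # dicts, lists, strings and numbers and can call nothing.
    data = json.loads(blob.decode("utf-8"))
    if not isinstance(data, dict) or set(data) != {"user", "role"}:
        raise ValueError("unexpected session structure")
    if not isinstance(data["user"], str) or data["role"] not in ("user", "admin"):
        raise ValueError("unexpected session values")
    return data


def demo():
    EXECUTED.clear()
    load_session_vulnerable(attacker_payload())
    ran = list(EXECUTED)
    try:
        load_session_safe(attacker_payload())
        safe_rejected = False
    except (ValueError, UnicodeDecodeError):
        safe_rejected = True
    good = load_session_safe(json.dumps({"user": "alice", "role": "user"}).encode())
    return ran, safe_rejected, good


if __name__ == "__main__":
    print(demo())
```

The point is that signing the blob (so only the server can produce it) or switching to a format that cannot express "call this function" are the real fixes; filtering the bytes for suspicious class names is not.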

#9: Using Components with Known Vulnerabilities Known vulnerabilities are flaws discovered in open source components and published in the NVD, vendor security advisories or project issue trackers. From the moment of publication, a vulnerability can be exploited by anyone who reads the advisory and finds an application still running the affected version. The possible impact of open source vulnerabilities ranges from minor to some of the largest breaches known. It is estimated that well over 80% of all software includes at least some open source components.

#10: Insufficient Logging and Monitoring A Ponemon Institute study of insider threats found that companies experience more than 52 incidents of insider fraud annually. WHY??? Insufficient logging and monitoring occurs when security-critical events (logins, failed logins, access-control failures, input validation failures) are not logged properly, and nobody is watching what is logged. Without these, malicious activity is harder to detect, and effective incident handling is undermined when an attack does happen.

How to achieve logging and monitoring:
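Added example (not from the slides): the monitoring half, run over constructed application log lines in a simple `timestamp event user=... src=...` format that is an assumption for the demo. It only works because the application logs every failed login with the source address; an app that logs only successes gives the detector nothing to see, which is the logging half of the problem.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2019-04-01T10:00:01Z login_failed user=alice src=203.0.113.5
2019-04-01T10:00:02Z login_failed user=admin src=203.0.113.5
2019-04-01T10:00:03Z login_failed user=root src=203.0.113.5
2019-04-01T10:00:04Z login_failed user=bob src=203.0.113.5
2019-04-01T10:00:05Z login_failed user=carol src=203.0.113.5
2019-04-01T10:00:06Z login_ok user=carol src=203.0.113.5
2019-04-01T10:00:07Z login_failed user=dave src=198.51.100.7
2019-04-01T10:09:00Z login_failed user=dave src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # unknown format: skip rather than crash the monitor
    ts, event, user, src = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, src


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source address produces `threshold` failed logins
    inside `window`, and again if that source then logs in successfully,
    since a guessed credential is worse than a burst of failures."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, event, user, src = rec
        q = recent[src]
        if event == "login_failed":
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures older than the window
            if len(q) == threshold:
                alerts.append(("bruteforce", src, ts))
        elif event == "login_ok" and len(q) >= threshold:
            alerts.append(("success_after_bruteforce", src, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second source (198.51.100.7) fails twice but nearly nine minutes apart, so it never reaches the threshold inside the window and raises nothing; the first source trips the threshold on its fifth failure and again when it then succeeds as carol.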

NEXT STEPS: Nessus, Burp Suite, WebGoat, Nexpose, Metasploit Framework


THANK YOU!!! You may reach us/follow us on… [email protected] https://www.linkedin.com/in/saman-fatima-025230b1 [email protected] www.linkedin.com/in/aarti-bala-188324129