4. Internal to Wipro
# OWASP TOP 10 : 2021 RELEASE
• A1 Broken Access Control
• A2 Cryptographic Failures
• A3 Injection
• A4 Insecure Design
• A5 Security Misconfiguration
• A6 Vulnerable and Outdated Components
• A7 Identification and Authentication Failures
• A8 Software and Data Integrity Failures
• A9 Security Logging and Monitoring Failures
• A10 Server-Side Request Forgery
# WHO IS OWASP
• OWASP – Open Web Application Security Project
• Worldwide not-for-profit organisation
• Founded in 2001
• Mission: to make software security visible
# OWASP TOP 10 HISTORY

| Rank | 2003 | 2004 | 2007 | 2010 | 2013 | 2017 | 2021 |
|---|---|---|---|---|---|---|---|
| A1 | Unvalidated Input | Unvalidated Input | Cross Site Scripting (XSS) | Injection | Injection | Injection | Broken Access Control |
| A2 | Broken Access Control | Broken Access Control | Injection Flaws | Cross-Site Scripting | Broken Authentication and Session Management | Broken Authentication | Cryptographic Failures |
| A3 | Broken Authentication and Session Management | Broken Authentication and Session Management | Malicious File Execution | Broken Authentication and Session Management | Cross-Site Scripting | Sensitive Data Exposure | Injection |
| A4 | Cross Site Scripting | Cross Site Scripting | Insecure Direct Object Reference | Insecure Direct Object References | Insecure Direct Object References | XML External Entities (XXE) | Insecure Design |
| A5 | Buffer Overflow | Buffer Overflow | Cross Site Request Forgery (CSRF) | Cross-Site Request Forgery | Security Misconfiguration | Broken Access Control | Security Misconfiguration |
| A6 | Injection Flaws | Injection Flaws | Information Leakage and Improper Error Handling | Security Misconfiguration | Sensitive Data Exposure | Security Misconfiguration | Vulnerable and Outdated Components |
| A7 | Improper Error Handling | Improper Error Handling | Broken Authentication and Session Management | Insecure Cryptographic Storage | Missing Function Level Access Control | Cross-Site Scripting | Identification and Authentication Failures |
| A8 | Insecure Storage | Insecure Storage | Insecure Cryptographic Storage | Failure to Restrict URL Access | Cross-Site Request Forgery | Insecure Deserialization | Software and Data Integrity Failures |
| A9 | Application Denial of Service | Application Denial of Service | Insecure Communications | Insufficient Transport Layer Protection | Using Components with Known Vulnerabilities | Using Components with Known Vulnerabilities | Security Logging and Monitoring Failures |
| A10 | Insecure Configuration Management | Insecure Configuration Management | Failure to Restrict URL Access | Unvalidated Redirects and Forwards | Unvalidated Redirects and Forwards | Insufficient Logging & Monitoring | Server-Side Request Forgery |
# INJECTION
Injection has been the most persistent vulnerability class in the OWASP Top 10 over the past decade; SQL injection in particular is common in web applications as well as the back ends of mobile applications.
Some of the more common injection types are SQL, NoSQL, OS command, Server-Side Template Injection (SSTI), LDAP injection, etc.
Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The hostile data tricks the interpreter into executing unintended commands or changing data, because the interpreter cannot tell where the developer's command ends and the attacker's data begins.
# HOW TO PREVENT
• Do not pass user input directly into executable statements.
• Use prepared statements (with parameterised queries), so that user input is bound as data and can never change the structure of the query.
• Use properly constructed stored procedures (ones that do not themselves build dynamic SQL from their arguments).
• Escape all user-supplied input only where the above are not possible; escaping is interpreter-specific and easy to get wrong.
• Enforce least privilege on the database account the application connects with, so a successful injection cannot read or modify more than that feature needs.
• Perform allow-list input validation as a secondary defence, and as the primary defence for the parts of a query that cannot be parameterised (table and column names, sort direction).
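The following Python is an added example, not code from the original slides: it builds the login query both ways against a constructed in-memory SQLite table, shows the classic `' OR '1'='1` payload bypassing the concatenated version and failing against the prepared statement, and uses an allow-list for a column name in ORDER BY, which is the one place a parameter cannot go. The user names, passwords and helper names are all invented for the demonstration.

```python
"""Added example (not from the original slides): SQL injection in a login
query, the parameterised fix, and an allow-list for the one query fragment
that cannot be bound as a parameter (a column name in ORDER BY)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data. Plaintext passwords are used only to keep the
    injection result easy to read; a real application stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list[str]:
    """String concatenation: the user's input becomes part of the SQL grammar.
    With password = "' OR '1'='1" the WHERE clause is true for every row."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list[str]:
    """Prepared statement: the placeholders are bound as data, so the same
    payload is compared literally against the stored password and matches nothing."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Identifiers cannot be parameterised, so the caller may only pick from this set.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> list[str]:
    """Allow-list validation as the primary defence for a column name:
    anything not in the set is rejected before it touches the query string."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {sort_by}")]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", payload))  # every user, no password known
    print("safe:      ", login_safe(db, "alice", payload))        # []
    print("sorted:    ", list_users_sorted(db, "name"))
```

The vulnerable query ends up as `... WHERE name = 'alice' AND password = '' OR '1'='1'`; because AND binds tighter than OR, the trailing `'1'='1'` makes the whole predicate true. The parameterised version sends the same bytes to the driver as a bound value, so they are only ever compared with the stored password.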
# CROSS SITE SCRIPTING
Cross-Site Scripting (XSS) is a client-side code injection attack.
The attacker aims to execute malicious JavaScript in the victim's web browser by including malicious code in a legitimate web page or web application.
The actual attack occurs when the victim visits the web page or web application, which then executes the malicious code in the victim's browser, with the victim's cookies and origin privileges.
The web page or web application becomes the vehicle that delivers the malicious script to the user's browser.
# TYPES OF XSS
• Reflected XSS
  • Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
• Stored XSS
  • Stored attacks are those where the injected script is permanently stored on the target server, such as in a database, a message forum, a visitor log, a comment field, etc., and is served to every user who later views that content.
• DOM XSS
  • DOM-based XSS vulnerabilities usually arise when client-side JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML; the server may never see the payload.
# HOW TO PREVENT
• Encode data on output: apply the encoding that matches the context the data lands in (HTML body, HTML attribute, JavaScript string, URL) at the point it is written into the response.
• Validate input on arrival: reject or normalise data that does not match the expected format as soon as it is received; this is a secondary defence, since encoding on output is what actually stops the script running.
• Use safe sinks: write untrusted data only to DOM properties that treat it as text (for example textContent) rather than to sinks such as innerHTML or eval().
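The following Python is an added example, not code from the original slides: it applies context-aware output encoding for the three sinks a comment template typically hits (HTML text, a quoted HTML attribute, and a URL in an href) and shows why encoding alone is not enough for the href, where a `javascript:` URL is perfectly valid HTML after escaping and must be blocked by an allow-list of schemes instead. The helper names, the comment fields and the attacker payloads are constructed for the demonstration.

```python
"""Added example (not from the original slides): context-aware output encoding
for HTML text, HTML attributes and href URLs, using only the standard library."""
import html
from urllib.parse import urlsplit


def encode_html_text(value: str) -> str:
    """For text nodes: <, >, &, " and ' become entities, so the browser shows
    the payload instead of parsing it as markup."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """For a quoted attribute value. Same entities; the caller must always
    quote the attribute, or a space in the value could start a new attribute."""
    return html.escape(value, quote=True)


# Allow-listed URL schemes for user-supplied links; anything else is refused.
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_href(url: str) -> str:
    """Encoding does not help here: 'javascript:alert(1)' contains nothing to
    escape. The scheme is allow-listed first, then the URL is attribute-encoded.
    Relative URLs (no scheme) are allowed because they stay on our origin."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"  # inert link target instead of the attacker's URL
    return encode_html_attr(url)


def render_comment(author: str, text: str, homepage: str) -> str:
    """Builds the fragment a comment template would emit, choosing the encoder
    by where each value lands: href attribute, title attribute, text node."""
    return (
        f'<a href="{safe_href(homepage)}" title="{encode_html_attr(author)}">'
        f"{encode_html_text(author)}</a>: {encode_html_text(text)}"
    )


if __name__ == "__main__":
    # Constructed attacker input for each context.
    print(render_comment(
        author='<b onmouseover="alert(1)">mallory</b>',
        text='hello "world" <script>alert(document.cookie)</script>',
        homepage="JavaScript:alert(1)",
    ))
```

On the DOM side the equivalent of `encode_html_text` is to assign to `textContent` rather than `innerHTML`; the rule in both places is the same: pick the sink or encoder for the context, never a single generic "sanitise" pass.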
# CROSS SITE REQUEST FORGERY
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform.
In a successful CSRF attack, the attacker causes the victim user to carry out a state-changing action unintentionally (for example changing the account email address), because the browser attaches the victim's session cookie to a request the attacker's page triggered.
The naive double-submit cookie pattern only checks that the token in the cookie and the token in the request body are the same. If the application is vulnerable to session fixation (where the session token itself is used as the double-submit value) or to XSS (with the cookie's HttpOnly flag not set), the attacker can set the cookie value themselves and put the same value in the CSRF proof of concept, so the check passes. Binding the token to the session with a server-side secret (the signed double-submit variant) removes this weakness, since the attacker cannot produce a value that verifies for the victim's session.
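The following Python is an added example, not code from the original slides: it shows the naive double-submit check accepting an attacker-planted value, and the signed double-submit variant, in which the token carries an HMAC over the session id and a nonce under a server-side secret, rejecting the same planted value as well as a token issued for a different session. The server secret, session ids and helper names are constructed for the demonstration.

```python
"""Added example (not from the original slides): naive vs. signed double-submit
CSRF tokens. Only the signed form ties the token to the victim's session."""
import hashlib
import hmac
import secrets

# Constructed for the demo; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def naive_check(cookie_token: str, body_token: str) -> bool:
    """Naive double submit: any two equal strings pass, including a value the
    attacker planted in the cookie and copied into the forged form."""
    return hmac.compare_digest(cookie_token, body_token)


def _mac(session_id: str, nonce: str) -> str:
    """HMAC-SHA256 over session id and nonce; only the server holds the key."""
    msg = f"{session_id}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_signed_token(session_id: str) -> str:
    """Token = nonce.HMAC(secret, session_id|nonce). Issued once per session
    (or per form) and sent both as a cookie and inside the page."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def signed_check(session_id: str, cookie_token: str, body_token: str) -> bool:
    """Signed double submit: cookie and body must match AND the MAC must have
    been produced for the session the request is actually authenticated as."""
    if not hmac.compare_digest(cookie_token, body_token):
        return False
    try:
        nonce, mac = cookie_token.split(".", 1)
    except ValueError:  # malformed token, e.g. no separator
        return False
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def demo() -> tuple[bool, bool, bool, bool]:
    """Returns (naive passes planted value, signed rejects planted value,
    signed accepts legitimate token, signed rejects token from another session)."""
    victim_session = "sess-victim-0001"
    # Attacker plants a cookie value and uses the same value in the CSRF PoC form.
    planted = "attacker-chosen-value"
    naive_result = naive_check(planted, planted)
    signed_result = signed_check(victim_session, planted, planted)
    # Legitimate flow: server-issued token echoed back unchanged in the body.
    legit = issue_signed_token(victim_session)
    legit_result = signed_check(victim_session, legit, legit)
    # A token the attacker obtained for their own session does not transfer.
    foreign = issue_signed_token("sess-attacker")
    foreign_result = signed_check(victim_session, foreign, foreign)
    return naive_result, signed_result, legit_result, foreign_result


if __name__ == "__main__":
    print(demo())
```

The session id used in the MAC must be the one the server reads from the authenticated session, never a value taken from the request, otherwise the attacker simply supplies a session id that matches the token they forged. Note that none of this helps once the application has an XSS bug: script running in the victim's origin can read the page and submit a correctly signed request, which is why the XSS slides above come first.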