Internal to Wipro
# OWASP TOP 10 VULNERABILITIES
BY: ARYA ANINDYARATNA BAL
# ABOUT ME
• More than 6 years in Application Security
• OSCP, CRTP, ECSA
• MTech in CSIR, GFSU (NFSU)
• Likes to travel
# AGENDA
• OWASP Top 10 Vulnerabilities
• Injection
• Cross Site Scripting
• Cross Site Request Forgery
# OWASP TOP 10 : 2021 RELEASE
• A1 Broken Access Control
• A2 Cryptographic Failures
• A3 Injection
• A4 Insecure Design
• A5 Security Misconfiguration
• A6 Vulnerable and Outdated Components
• A7 Identification and Authentication Failures
• A8 Software and Data Integrity Failures
• A9 Security Logging and Monitoring Failures
• A10 Server-Side Request Forgery
# WHO IS OWASP
• Worldwide not-for-profit organisation
• Founded in 2001
• OWASP – Open Web Application Security Project
• Mission: to make software security visible.
# OWASP TOP 10 HISTORY

| Rank | 2003 | 2004 | 2007 | 2010 | 2013 | 2017 | 2021 |
|---|---|---|---|---|---|---|---|
| A1 | Unvalidated Input | Unvalidated Input | Cross Site Scripting (XSS) | Injection | Injection | Injection | Broken Access Control |
| A2 | Broken Access Control | Broken Access Control | Injection Flaws | Cross-Site Scripting | Broken Authentication and Session Management | Broken Authentication | Cryptographic Failures |
| A3 | Broken Authentication and Session Management | Broken Authentication and Session Management | Malicious File Execution | Broken Authentication and Session Management | Cross-Site Scripting | Sensitive Data Exposure | Injection |
| A4 | Cross Site Scripting | Cross Site Scripting | Insecure Direct Object Reference | Insecure Direct Object References | Insecure Direct Object References | XML External Entities (XXE) | Insecure Design |
| A5 | Buffer Overflow | Buffer Overflow | Cross Site Request Forgery (CSRF) | Cross-Site Request Forgery | Security Misconfiguration | Broken Access Control | Security Misconfiguration |
| A6 | Injection Flaws | Injection Flaws | Information Leakage and Improper Error Handling | Security Misconfiguration | Sensitive Data Exposure | Security Misconfiguration | Vulnerable and Outdated Components |
| A7 | Improper Error Handling | Improper Error Handling | Broken Authentication and Session Management | Insecure Cryptographic Storage | Missing Function Level Access Control | Cross-Site Scripting | Identification and Authentication Failures |
| A8 | Insecure Storage | Insecure Storage | Insecure Cryptographic Storage | Failure to Restrict URL Access | Cross-Site Request Forgery | Insecure Deserialization | Software and Data Integrity Failures |
| A9 | Application Denial of Service | Application Denial of Service | Insecure Communications | Insufficient Transport Layer Protection | Using Components with Known Vulnerabilities | Using Components with Known Vulnerabilities | Security Logging and Monitoring Failures |
| A10 | Insecure Configuration Management | Insecure Configuration Management | Failure to Restrict URL Access | Unvalidated Redirects and Forwards | Unvalidated Redirects and Forwards | Insufficient Logging & Monitoring | Server-Side Request Forgery |
# INJECTION
Injection has been the most persistent vulnerability in the OWASP Top 10 list over the past decade; SQL injection in particular is common in web applications as well as mobile applications.
Some of the more common injection types are SQL, NoSQL, OS command, Server-Side Template Injection, LDAP injection, etc.
Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The hostile data tricks the interpreter into executing unintended commands or changing data.
# HOW TO PREVENT
• Do not pass user input directly to executable statements.
• Use of Prepared Statements (with Parameterized Queries)
• Use of Properly Constructed Stored Procedures
• Allow-list Input Validation
• Escaping All User Supplied Input
• Enforcing Least Privilege
• Performing Allow-list Input Validation as a Secondary Defense
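As an added example (not from the slides), the first two bullets side by side in Python with sqlite3: a string-concatenated lookup that hands user data to the SQL parser, the same lookup as a prepared statement with a bound parameter, and an allow-list check for a user-chosen sort column, where a parameter cannot be used because a column name is an identifier rather than a value. The table, rows and function names are constructed for this example.

```python
import sqlite3


def build_db():
    # Constructed in-memory sample table for this example (not from the slides).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("carol", "user")],
    )
    return conn


def lookup_user_concat(conn, name):
    # Vulnerable pattern: user input is spliced into the SQL text, so the
    # interpreter parses it as part of the query. Even a legitimate name that
    # contains a quote changes the statement (here it becomes a syntax error);
    # that is the same hole hostile data exploits to change the query's meaning.
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_user_param(conn, name):
    # Prepared statement: the SQL text is fixed and the value is bound by the
    # driver as data, so it is never parsed as SQL whatever it contains.
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def concat_query_fails(conn, name):
    # True when the concatenated query cannot even be parsed for this input.
    try:
        lookup_user_concat(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


# Allow-list for the one place parameters cannot help: identifiers such as a
# user-selected sort column are not values and cannot be bound.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_users_sorted(conn, column):
    # Reject anything that is not one of our own column names before it is
    # interpolated; the interpolation itself is then safe by construction.
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {column}")
    return [row[0] for row in rows]
```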
# CROSS SITE SCRIPTING
Cross-Site Scripting (XSS) is a client-side code injection attack.
The attacker aims to execute malicious JavaScript in the victim's web browser by including malicious code in a legitimate web page or web application.
The actual attack occurs when the victim visits the web page or web application that executes the malicious code.
The web page or web application becomes a vehicle to deliver the malicious script to the user's browser.
# TYPES OF XSS
• Reflected XSS
  • Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request.
• Stored XSS
  • Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc.
• DOM XSS
  • DOM-based XSS vulnerabilities usually arise when JavaScript takes data from an attacker-controllable source, such as the URL, and passes it to a sink that supports dynamic code execution, such as eval() or innerHTML.
# HOW TO PREVENT
• Encode data on output
• Validate input on arrival
• Safe Sinks
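Added example (not part of the original slides) of "encode data on output" done per context in Python: entity encoding for HTML text and attribute values, plus a scheme allow-list for URLs, where entity encoding alone is not enough because a URL with a script scheme stays a valid link. The template, helper names and allowed-scheme set are constructed for this example.

```python
import html
from urllib.parse import urlsplit

# Only these schemes may appear in a user-supplied link (example allow-list).
ALLOWED_URL_SCHEMES = {"http", "https"}


def encode_for_html_body(value):
    # HTML text context: <, >, &, " and ' become entities, so the browser
    # renders user data as text instead of parsing it as markup.
    return html.escape(value, quote=True)


def encode_for_attribute(value):
    # HTML attribute context: same entity encoding, and the caller must always
    # wrap the attribute in quotes, otherwise a space would end the value early.
    return html.escape(value, quote=True)


def safe_href(url):
    # URL context: validate on arrival. Entity encoding does not neutralise a
    # link whose scheme the browser will execute, so allow-list the scheme and
    # fall back to a harmless anchor. Relative URLs are rejected here as well,
    # which is a simplification for this example.
    url = url.strip()
    if urlsplit(url).scheme.lower() not in ALLOWED_URL_SCHEMES:
        return "#"
    return encode_for_attribute(url)


def render_profile(display_name, homepage):
    # Constructed template: every interpolation uses the encoder for its context.
    return (
        f'<p class="name">{encode_for_html_body(display_name)}</p>'
        f'<a href="{safe_href(homepage)}">homepage</a>'
    )
```

The "Safe Sinks" bullet is the browser-side half of the same rule: when client script writes user data into the page, assign it to textContent rather than innerHTML or eval(), so the data is never parsed as HTML or code.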
# CROSS SITE REQUEST FORGERY
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform.
In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally, such as a state-changing action.
# WHY CSRF
# HOW TO PREVENT
• Synchronizer Token Pattern
• SameSite Cookie Attribute
• User Interaction Based CSRF Defense
  • One-time Token
  • CAPTCHA
  • 2MFA (2nd Multi Factor Authentication)
• Double Submit Cookie
• Verifying Origin
  • Checking the Origin header
  • Checking the Referer header
# EXAMPLE
# EDITOR'S NOTES

1. Because the double submit cookie pattern only verifies that the token in the cookie and the token in the body are the same, there is a possibility that, if the application has session fixation (where the session token is used as part of the double submit cookie) or XSS (with the HttpOnly flag not set), the attacker can set the cookie value manually and use the same cookie value in the CSRF PoC.
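Added example (not from the slides) in Python covering the CSRF prevention slide and this editor's note: a synchronizer token bound to server-side session state, an Origin/Referer check, and the stateless double submit cookie check beside a signed variant that HMAC-binds the token to the session, so a cookie the attacker can set no longer satisfies the check. The session store, site origin and server key are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed placeholders: a server-side session store, the application's own
# origin and the key used for signed tokens (in practice, a managed secret).
SESSIONS = {}
SITE_ORIGIN = "https://app.example.test"
SERVER_SECRET = b"constructed-secret-for-this-example-only"


def new_session():
    # Synchronizer Token Pattern: the CSRF token lives in server-side state that
    # a cross-site page can neither read nor choose.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def synchronizer_token_valid(sid, submitted_token):
    session = SESSIONS.get(sid)
    if session is None or not submitted_token:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted_token)


def double_submit_valid(cookie_token, submitted_token):
    # Double Submit Cookie, stateless form: the server only checks that the
    # cookie and the form value match. As the editor's note says, whoever can
    # set the cookie (session fixation, XSS without HttpOnly) passes this check
    # with a value of their own choosing.
    if not cookie_token or not submitted_token:
        return False
    return hmac.compare_digest(cookie_token, submitted_token)


def make_signed_token(sid):
    # Signed double submit: tie the token to the session with an HMAC under a
    # server-only key, so a matching cookie/body pair cannot be forged.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{sid}!{nonce}".encode(), "sha256").hexdigest()
    return f"{mac}.{nonce}"


def signed_double_submit_valid(sid, cookie_token, submitted_token):
    if not double_submit_valid(cookie_token, submitted_token):
        return False
    try:
        mac, nonce = submitted_token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{sid}!{nonce}".encode(), "sha256").hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_valid(headers):
    # Verifying Origin: prefer the Origin header, fall back to Referer, and
    # reject the request when neither is present.
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def state_change_allowed(sid, headers, form_token):
    # Defence in depth for a state-changing request: origin check plus the
    # session-bound synchronizer token.
    return origin_valid(headers) and synchronizer_token_valid(sid, form_token)
```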