5. Common Web Application Vulnerabilities (1/2)
Source: https://www.edgescan.com/wp-content/uploads/2019/02/edgescan-Vulnerability-Stats-Report-2019.pdf
6. Common Web Application Vulnerabilities (2/2)
Source: https://www.edgescan.com/wp-content/uploads/2019/02/edgescan-Vulnerability-Stats-Report-2019.pdf
9. Vulnerability Stack
Diagram (layers a request passes through, top to bottom): User (login form) -> Internet -> Firewall -> Web Server -> Web Application -> DBMS. Side labels on the diagram: OS System Call, DB Output.
10. Application Sub-Tiers and Components
Diagram of the application tiers (Services, Access Control, Transport, Domain Name, Network) and the components in each, with an arrow labelled "Data flow within the application":
Services: App source code (internal code, external code); Server-side infrastructure (web server, CDN, data storage, server-side frameworks)
Access Control: Authentication, Authorization, Identity, Federation
Transport: Encryption, Certificate authorities
Domain Name: DNS servers, Registrars
Network: Global ISPs, Last mile, Internet routing
11. Application Threats at Each Tier
Diagram mapping threats to the tiers of the previous slide, plus the client:
Services: API attacks, Injection, Malware, DDoS, Cross-site scripting, Cross-site request forgery, Man-in-the-middle, Abuse of functionality
Access Control: Credential theft, Credential stuffing, Session hijacking, Brute force, Phishing, DDoS
Transport: Key disclosure, Protocol abuse, Session hijacking, Certificate spoofing, Man-in-the-middle
Domain Name: DNS cache poisoning, DNS spoofing, DNS hijacking, Dictionary attacks, DDoS
Network: DDoS, Eavesdropping, Protocol abuse, Man-in-the-middle
Client: Cross-site request forgery, Cross-site scripting, Man-in-the-middle, Session hijacking, Malware, Social engineering
12. Sample Attack via Transport Layer
Source: https://www.f5.com/content/dam/f5-labs-v2/article/pdfs/F5Labs_2018_Application_Protection_Report.pdf
13. Sample Attack via Compromised Digital Certificate
Source: https://www.f5.com/content/dam/f5-labs-v2/article/pdfs/F5Labs_2018_Application_Protection_Report.pdf
14. Sample Attack via DNS
Source: https://www.f5.com/content/dam/f5-labs-v2/article/pdfs/F5Labs_2018_Application_Protection_Report.pdf
15. Web Hacking Tools
Source: https://www.statista.com/statistics/800916/worldwide-useful-software-hacking/
17. Primary Application Protection Steps
1. Understand your environment
2. Reduce your attack surface
3. Prioritize defenses based on RISK
4. Select flexible and integrated defense tools
5. Integrate security into development