Owasp top 10 Vulnerabilities by cyberops infosec
Download as PPTX, PDF0 likes147 views
The document discusses web penetration testing and the OWASP Top 10 vulnerabilities. It defines vulnerability as a flaw that can be exploited to compromise security, and threat as anything that can harm assets by exploiting vulnerabilities. Web penetration testing systematically evaluates application security controls. OWASP is dedicated to developing secure applications and APIs, and maintains the OWASP Top 10 list of the most critical web application security risks, including injection, broken authentication, sensitive data exposure, and more. Each risk is described in terms of what it is and its potential impacts.
Owasp top 10 Vulnerabilities by cyberops infosec
- 2. WEB PENETRATION Session Flow What is Vulnerability What is Threat? What is Web Penetration What is OWASP OWASP Top 10 Vulnerabilities Cyberops Infosec 2
- 3. WEB PENETRATION What is Vulnerability A vulnerability is a flaw or weakness in a system's design, implementation, operation or management that could be exploited to compromise the system's security objectives. Cyberops Infosec 3
- 4. WEB PENETRATION What is Threat A threat is anything (a malicious external attacker, an internal user, a system instability, etc) that may harm the assets owned by an application (resources of value, such as the data in a database or in the file system) by exploiting a vulnerability. Cyberops Infosec 4
- 5. WEB PENETRATION What is Web Penetration A security test is a method of evaluating the security of a computer system or network by methodically validating and verifying the effectiveness of application security controls. Cyberops Infosec 5
- 6. WEB PENETRATION What is OWASP The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. Cyberops Infosec 6
- 7. WEB PENETRATION OWASP Top 10 – 2017 has evolved: • 2017-A1 – Injection • 2017-A2 – Broken Authentication and Session Management • 2017-A3 –Sensitive Data Exposure • 2017-A4 – XML External Entities (XXE) • 2017-A5 – Broken Access Control • 2017-A6 – Security Misconfiguration • 2017-A7 – Cross Site Scripting • 2017-A8 – Insecure Deserialization • 2017-A9 – Using Component with known Vulnerabilities • 2017-A10 – Insufficient Logging & Monitoring Cyberops Infosec 7
- 8. WEB PENETRATION OWASP Top 10 – 2017 has evolved: • 2017-A1 – Injection Describe : Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. Impact : The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Cyberops Infosec 8
- 9. WEB PENETRATION OWASP Top 10 – 2017 has evolved: • 2017-A2 – Broken Authentication Describe : Application functions related to authentication and session management are often implemented incorrectly by developers. Impact : Vulnerability allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. Cyberops Infosec 9
- 10. WEB PENETRATION OWASP Top 10 – 2017 has evolved: • 2017-A3 – Sensitive Data Exposure Describe : Web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Impact : Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Cyberops Infosec 10
- 11. WEB PENETRATION OWASP Top 10 – 2017 has evolved: • 2017-A4 – XML External Entities (XSS) Describe : Many older or poorly configured XML processors evaluate external entity references within XML documents. Impact : External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. Cyberops Infosec 11
- 12. WEB PENETRATION OWASP Top 10 – 2017 has evolved: • 2017-A5 – Broken Access Control Describe : Restrictions on what authenticated users are allowed to do are often not properly enforced. Impact : Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc. Cyberops Infosec 12
- 13. WEB PENETRATION OWASP Top 10 – 2017 has evolved: • 2017-A6 – Security Misconfiguration Describe : Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Impact : Due to security misconfiguration all data, packages and messages can be compromised. Cyberops Infosec 13
- 14. WEB PENETRATION OWASP Top 10 – 2017 has evolved: • 2017-A7 – Cross Site Scripting Describe : XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. Impact : XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Cyberops Infosec 14
- 15. WEB PENETRATION OWASP Top 10 – 2017 has evolved: • 2017-A8 – Insecure Deserialization Describe : Insecure deserialization often leads to remote code execution. Impact : If deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, Cyberops Infosec 15
- 16. WEB PENETRATION OWASP Top 10 – 2017 has evolved: • 2017-A9 – Using Components with known vulnerabilities Describe : Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. Impact : If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known Cyberops Infosec 16
- 17. WEB PENETRATION OWASP Top 10 – 2017 has evolved: • 2017-A10 – Insufficient Logging & Monitoring Describe : Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Impact : Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. Cyberops Infosec 17