SP
Uploaded bySampath Bhargav Pinnam
PPTX, PDF275 views

Owasp top 10 web application security risks 2017

The document outlines the OWASP Top 10 application security risks for 2017. It discusses the top 10 risks which are injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, use of vulnerable components, and insufficient logging and monitoring. It provides details on each risk such as examples and how attackers can exploit them. The document also discusses OWASP's goal of raising awareness of application security needs and best practices for developers and organizations.

Technology
Related topics:
Website Design

Embed presentation

Downloaded 10 times
TABLE OF CONTENTS • About OWASP • OWASP Top 10 Application Security Risks–2017 • What changed from 2013 to 2017? • A1 : 2017-Injection • A2 : 2017-Broken Authentication • A3 : 2017-Sensitive Data Exposure • A4 : 2017-XML External Entities (XXE) • A5 : 2017-Broken Access Control • A6 : 2017-Security Misconfiguration • A7 : 2017-Cross-Site Scripting (XSS) • A8 : 2017-Insecure Deserialization • A9 : 2017-Using Components with Known Vulnerabilities • A10 : 2017-Insufficient Logging & Monitoring • What’s Next for Developers • Organizations • Conclusion
WHY 2017 Basically they started this top 10 project from 2003 and started delivering the top 10 vulnerabilities of major platforms like mobile and webapps . 2004 Updates OWASP Top Ten Project Top 10 2007 Top 10 2010 Top 10 2013 Top 10-2017 Top 10
ABOUT OWASP The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. Project Sponsorship : Autodesk Learn more at : https://www.owasp.org.
OWASP TOP 10 APPLICATION SECURITY RISKS–2017 A1 : 2017-Injection A2 : 2017-Broken Authentication A3 : 2017-Sensitive Data Exposure A4 : 2017-XML External Entities (XXE) A5 : 2017-Broken Access Control A6 : 2017-Security Misconfiguration A7 : 2017-Cross-Site Scripting (XSS) A8 : 2017-Insecure Deserialization A9 : 2017-Using Components with Known Vulnerabilities A10 : 2017-Insufficient Logging & Monitoring
WHAT CHANGED FROM 2013 TO 2017?
A1 : 2017-INJECTION Injection flaws, such as SQL, NoSQL, OS commands, XML parsers and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Injection flaws are easy to discover when examining code. Scanners and fuzzers can help attackers find injection flaws. Eg: SQL injection : insert some sql queries into the URL or some text fields which are vulnerable. Eg : www.sitename.com inurl:php?id= ------ finds the php sites of that domain www.sitename.com/indexsinglepost.php?postid=34’ ---- check for any changes appeared union select 1,version(),3,4,5,6,7,8,9 - - -> tells the version of server
IS THE APPLICATION VULNERABLE? An application is vulnerable to attack when: User-supplied data is not validated, filtered, or sanitized by the application. Dynamic queries or non-parameterized calls without contextaware escaping are used directly in the interpreter. Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records. Hostile data is directly used or concatenated, such that the SQL or command contains both structure and hostile data in dynamic queries, commands, or stored procedures.
A2 : 2017-BROKEN AUTHENTICATION Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently. Attackers can detect broken authentication using manual means and exploit them using automated tools with password lists and dictionary attacks sessionID : 1gLXXEnpGbaQjUGvjOFdnN2viP3Wqb7DP4b70 Unencrypted connections (Man in the middle attack) Predictable login credentials
SOME OF THE WEAK PASSWORDS
A3 : 2017-SENSITIVE DATA EXPOSURE Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Bad/no encryption techniques(listening anonymously) See the SSL certificate provided(HTTPS) Lot many Bugs which acts as a backdoors
A4 : 2017-XML EXTERNAL ENTITIES (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. Eg : Billion laughs attack
A5 : 2017-BROKEN ACCESS CONTROL Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc. Using APPSCAN we can get to know these vulnerability  Eg: webapp.com/admin_info  Webapp.com/accfiles?act=1234
A6 : 2017-SECURITY MISCONFIGURATION Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion. Default accounts Configuring the servers as we need , by changing the default ones Run an APPSCAN
A7 : 2017-CROSS-SITE SCRIPTING (XSS) XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. <script>alert("hi")</script> Eg: http://demo.testfire.net/search.jsp?query=%3Cscript%3Ealert%28%22hi%22%29%3C%2F script%3E
A8 : 2017-INSECURE DESERIALIZATION Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. Complicated vulnerability Eg : JSON and XML files which obviously go through some serialization and deserialization techniques.
A9 : 2017-USING COMPONENTS WITH KNOWN VULNERABILITIES Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Heartbleed : a buffer overflow vulnerability in widely used encryption library SSL Shellshock : a shell command injection vulnerability in the ubiquitious bash unix command line CVE & NVD
A10 : 2017-INSUFFICIENT LOGGING & MONITORING Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. Log files --- monitoring (Brute forcing attacks)
WHAT’S NEXT FOR DEVELOPERS Application Security Requirements Standard Security Controls Secure Development Lifecycle Application Security Education
ORGANIZATIONS THAT CONTRIBUTED THEIR VULNERABILITY DATA TO SUPPORT THE 2017 UPDATE :
CONCLUSION The main aim of OWASP top 10 project is is to raise the awareness among the developers and the managers about the security needs and implementations. “Make it work, make it right, make it fast.” – Kent Beck “Fix the cause, not the symptom.” – Steve Maguire
REFERENCES https://www.owasp.org/images/7/72/OWASP_Top_10- 2017_%28en%29.pdf.pdf https://www.youtube.com/watch?v=02mLrFVzIYU&list=PLjo3i9XN49 YLcY9mlW7-Z5nd8XP1Gt9n1 https://www.sytechlabs.com/
Owasp top 10 web application security risks 2017

More Related Content

PPTX
Owasp
bypenetration Tester
 
PPTX
Owasp top 10 Vulnerabilities by cyberops infosec
byCyberops Infosec LLP
 
PPT
OWASP Top 10 And Insecure Software Root Causes
byMarco Morana
 
PPTX
Owasp 2017 oveview
byShreyas N
 
PDF
OWASP Top 10 - 2017
byHackerOne
 
PPTX
OWASP Top 10 2017 - New Vulnerabilities
byDilum Bandara
 
PPTX
OWASP -Top 5 Jagjit
byJagjit Singh Brar
 
PPTX
OWASP Top 10 Vulnerabilities 2017- AppTrana
byIshan Mathur
 
Owasp
bypenetration Tester
 
Owasp top 10 Vulnerabilities by cyberops infosec
byCyberops Infosec LLP
 
OWASP Top 10 And Insecure Software Root Causes
byMarco Morana
 
Owasp 2017 oveview
byShreyas N
 
OWASP Top 10 - 2017
byHackerOne
 
OWASP Top 10 2017 - New Vulnerabilities
byDilum Bandara
 
OWASP -Top 5 Jagjit
byJagjit Singh Brar
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
byIshan Mathur
 

What's hot

PPTX
Application Security Vulnerabilities: OWASP Top 10 -2007
byVaibhav Gupta
 
PPTX
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
byAndre Van Klaveren
 
PPT
Owasp top 10
byAravindharamanan S
 
PPTX
OWASP
bygehad hamdy
 
PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
PPTX
Owasp top 10 security threats
byVishal Kumar
 
PPT
Owasp top 10 & Web vulnerabilities
byRIZWAN HASAN
 
PPTX
Web Application Security 101
byJannis Kirschner
 
PPT
Owasp Top 10 And Security Flaw Root Causes
byMarco Morana
 
PDF
Owasp top 10
byYasserElsnbary
 
PPT
Owasp Top 10 - Owasp Pune Chapter - January 2008
byabhijitapatil
 
PDF
The New OWASP Top Ten: Let's Cut to the Chase
bySecurity Innovation
 
PDF
Owasp Top 10
byShivam Porwal
 
PDF
Oh, WASP! Security Essentials for Web Apps
byTechWell
 
PPTX
Web application security
byKapil Sharma
 
PDF
OWASP TOP TEN 2017 RC1
byChema Alonso
 
PDF
OWASP Top 10 2017
bySiddharth Phatarphod
 
PPTX
Software Development Weaknesses - SecOSdays Sofia, 2019
byBalázs Tatár
 
PPTX
Owasp top 10 2017
byibrahimumer2
 
PDF
t r
byelectronicmingle01
 
Application Security Vulnerabilities: OWASP Top 10 -2007
byVaibhav Gupta
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
byAndre Van Klaveren
 
Owasp top 10
byAravindharamanan S
 
OWASP
bygehad hamdy
 
OWASP Top 10 - 2017 Top 10 web application security risks
byKun-Da Wu
 
Owasp top 10 security threats
byVishal Kumar
 
Owasp top 10 & Web vulnerabilities
byRIZWAN HASAN
 
Web Application Security 101
byJannis Kirschner
 
Owasp Top 10 And Security Flaw Root Causes
byMarco Morana
 
Owasp top 10
byYasserElsnbary
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
byabhijitapatil
 
The New OWASP Top Ten: Let's Cut to the Chase
bySecurity Innovation
 
Owasp Top 10
byShivam Porwal
 
Oh, WASP! Security Essentials for Web Apps
byTechWell
 
Web application security
byKapil Sharma
 
OWASP TOP TEN 2017 RC1
byChema Alonso
 
OWASP Top 10 2017
bySiddharth Phatarphod
 
Software Development Weaknesses - SecOSdays Sofia, 2019
byBalázs Tatár
 
Owasp top 10 2017
byibrahimumer2
 
t r
byelectronicmingle01
 

Similar to Owasp top 10 web application security risks 2017

PPTX
Owasp top 10 vulnerabilities
byOWASP Delhi
 
PPTX
CyberSecurityppt. pptx
byiamayesha2526
 
PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
PPTX
Web_Appication_Security_Training_For_Developers.pptx
byxobewe1102
 
PDF
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
PPTX
OWASP Top Ten 2017
byMichael Furman
 
PDF
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
byAll Things Open
 
PDF
Application Security - Your Success Depends on it
byWSO2
 
PDF
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
DOCX
supraja technologies material for secure coding
bySri Latha
 
PDF
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
byPhilippe Gamache
 
PDF
OWASP Top Ten in Practice
bySecurity Innovation
 
PPTX
Web Application Security
bysudip pudasaini
 
PDF
Secure coding guidelines
byZakaria SMAHI
 
PDF
Owasp Top 10-2013
byn|u - The Open Security Community
 
PDF
C01461422
byIOSR Journals
 
PDF
Security Awareness
byLucas Hendrich
 
PDF
DataMindsConnect2018_SECDEVOPS
byTobias Koprowski
 
PDF
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
byPhilippe Gamache
 
PDF
Threat Modeling and OWASP Top 10 (2017 rc1)
byMike Tetreault
 
Owasp top 10 vulnerabilities
byOWASP Delhi
 
CyberSecurityppt. pptx
byiamayesha2526
 
OWASP Top 10 2021 What's New
byMichael Furman
 
Web_Appication_Security_Training_For_Developers.pptx
byxobewe1102
 
Secure coding presentation Oct 3 2020
byMoataz Kamel
 
OWASP Top Ten 2017
byMichael Furman
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
byAll Things Open
 
Application Security - Your Success Depends on it
byWSO2
 
OWASP Top 10 List Overview for Web Developers
byBenjamin Floyd
 
supraja technologies material for secure coding
bySri Latha
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
byPhilippe Gamache
 
OWASP Top Ten in Practice
bySecurity Innovation
 
Web Application Security
bysudip pudasaini
 
Secure coding guidelines
byZakaria SMAHI
 
Owasp Top 10-2013
byn|u - The Open Security Community
 
C01461422
byIOSR Journals
 
Security Awareness
byLucas Hendrich
 
DataMindsConnect2018_SECDEVOPS
byTobias Koprowski
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
byPhilippe Gamache
 
Threat Modeling and OWASP Top 10 (2017 rc1)
byMike Tetreault
 

Recently uploaded

PPTX
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PPTX
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PDF
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
PDF
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
PPTX
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Enhancing Web Security: Key Concepts & Strategies.pptx
byParham Abolghasemi
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
Odoo_by_Infinys_All_in_One_Business_Solution_for_Small_Companies.pptx
byAgusto Sipahutar
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
ENTSO-E's Response to the European Commission Call for Evidence on the Strate...
byReynir Orn Bachmann Gudmundsson
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
Create, View and Edit Text Files - RHCSA (RH124).pdf
byLinuxCert Guru
 
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
A GREEN BUSINESS TOOLKIT FOR EARLY-STAGE ENTREPRENEURS (1).pptx.pptx
bylearnskillsofficial1
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 

Owasp top 10 web application security risks 2017

  • 2.
    TABLE OF CONTENTS •About OWASP • OWASP Top 10 Application Security Risks–2017 • What changed from 2013 to 2017? • A1 : 2017-Injection • A2 : 2017-Broken Authentication • A3 : 2017-Sensitive Data Exposure • A4 : 2017-XML External Entities (XXE) • A5 : 2017-Broken Access Control • A6 : 2017-Security Misconfiguration • A7 : 2017-Cross-Site Scripting (XSS) • A8 : 2017-Insecure Deserialization • A9 : 2017-Using Components with Known Vulnerabilities • A10 : 2017-Insufficient Logging & Monitoring • What’s Next for Developers • Organizations • Conclusion
  • 3.
    WHY 2017 Basically theystarted this top 10 project from 2003 and started delivering the top 10 vulnerabilities of major platforms like mobile and webapps . 2004 Updates OWASP Top Ten Project Top 10 2007 Top 10 2010 Top 10 2013 Top 10-2017 Top 10
  • 4.
    ABOUT OWASP The OpenWeb Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. Project Sponsorship : Autodesk Learn more at : https://www.owasp.org.
  • 5.
    OWASP TOP 10APPLICATION SECURITY RISKS–2017 A1 : 2017-Injection A2 : 2017-Broken Authentication A3 : 2017-Sensitive Data Exposure A4 : 2017-XML External Entities (XXE) A5 : 2017-Broken Access Control A6 : 2017-Security Misconfiguration A7 : 2017-Cross-Site Scripting (XSS) A8 : 2017-Insecure Deserialization A9 : 2017-Using Components with Known Vulnerabilities A10 : 2017-Insufficient Logging & Monitoring
  • 6.
    WHAT CHANGED FROM2013 TO 2017?
  • 7.
    A1 : 2017-INJECTION Injectionflaws, such as SQL, NoSQL, OS commands, XML parsers and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Injection flaws are easy to discover when examining code. Scanners and fuzzers can help attackers find injection flaws. Eg: SQL injection : insert some sql queries into the URL or some text fields which are vulnerable. Eg : www.sitename.com inurl:php?id= ------ finds the php sites of that domain www.sitename.com/indexsinglepost.php?postid=34’ ---- check for any changes appeared union select 1,version(),3,4,5,6,7,8,9 - - -> tells the version of server
  • 8.
    IS THE APPLICATION VULNERABLE? Anapplication is vulnerable to attack when: User-supplied data is not validated, filtered, or sanitized by the application. Dynamic queries or non-parameterized calls without contextaware escaping are used directly in the interpreter. Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records. Hostile data is directly used or concatenated, such that the SQL or command contains both structure and hostile data in dynamic queries, commands, or stored procedures.
  • 9.
    A2 : 2017-BROKEN AUTHENTICATION Applicationfunctions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently. Attackers can detect broken authentication using manual means and exploit them using automated tools with password lists and dictionary attacks sessionID : 1gLXXEnpGbaQjUGvjOFdnN2viP3Wqb7DP4b70 Unencrypted connections (Man in the middle attack) Predictable login credentials
  • 10.
    SOME OF THEWEAK PASSWORDS
  • 11.
    A3 : 2017-SENSITIVEDATA EXPOSURE Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Bad/no encryption techniques(listening anonymously) See the SSL certificate provided(HTTPS) Lot many Bugs which acts as a backdoors
  • 12.
    A4 : 2017-XMLEXTERNAL ENTITIES (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks. Eg : Billion laughs attack
  • 13.
    A5 : 2017-BROKENACCESS CONTROL Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc. Using APPSCAN we can get to know these vulnerability  Eg: webapp.com/admin_info  Webapp.com/accfiles?act=1234
  • 14.
    A6 : 2017-SECURITY MISCONFIGURATION Securitymisconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion. Default accounts Configuring the servers as we need , by changing the default ones Run an APPSCAN
  • 15.
    A7 : 2017-CROSS-SITE SCRIPTING(XSS) XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. <script>alert("hi")</script> Eg: http://demo.testfire.net/search.jsp?query=%3Cscript%3Ealert%28%22hi%22%29%3C%2F script%3E
  • 16.
    A8 : 2017-INSECURE DESERIALIZATION Insecuredeserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. Complicated vulnerability Eg : JSON and XML files which obviously go through some serialization and deserialization techniques.
  • 17.
    A9 : 2017-USING COMPONENTSWITH KNOWN VULNERABILITIES Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. Heartbleed : a buffer overflow vulnerability in widely used encryption library SSL Shellshock : a shell command injection vulnerability in the ubiquitious bash unix command line CVE & NVD
  • 18.
    A10 : 2017-INSUFFICIENT LOGGING& MONITORING Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring. Log files --- monitoring (Brute forcing attacks)
  • 19.
    WHAT’S NEXT FOR DEVELOPERS ApplicationSecurity Requirements Standard Security Controls Secure Development Lifecycle Application Security Education
  • 20.
    ORGANIZATIONS THAT CONTRIBUTED THEIR VULNERABILITYDATA TO SUPPORT THE 2017 UPDATE :
  • 21.
    CONCLUSION The main aimof OWASP top 10 project is is to raise the awareness among the developers and the managers about the security needs and implementations. “Make it work, make it right, make it fast.” – Kent Beck “Fix the cause, not the symptom.” – Steve Maguire
  • 22.