OWASP OWASP top 10 - Agenda
- Background
- Risk based
- Top 10 items 1 – 6
- Live demo
- Top 10 items 7 – 10
- OWASP resources


OWASP The OWASP Guide

OWASP Risk rating factors (levels listed from most to least severe)
Threat Agent: ?
Attack Vector: Easy / Average / Difficult
Weakness Prevalence: Widespread / Common / Uncommon
Weakness Detectability: Easy / Average / Difficult
Technical Impact: Severe / Moderate / Minor
Business Impact: ?

OWASP Warning
- Risk analysis
- Insiders
- Architecture
- Modular
- Clarity
- SDLC
- Knowledge
- Predictability

OWASP Top 10
1. Injection
2. Cross site scripting (XSS)
3. Broken authentication and session management
4. Insecure direct object reference
5. Cross site request forgery (CSRF)
6. Security misconfiguration
7. Insecure cryptographic storage
8. Failure to restrict URL access
9. Insufficient transport layer protection
10. Unvalidated redirects and forwards

OWASP A1 – Injection
(diagram: Client, Appl, DB, Shell, Pgm, CPU)

OWASP A1 – Injection
String query = "SELECT * FROM accnts WHERE ID='" + request.getParameter("id") + "'";
id="foo"  ->  SELECT * FROM accnts WHERE ID='foo';
id="foo';DROP accnts;--"  ->  SELECT * FROM accnts WHERE ID='foo';DROP accnts;--';
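The concatenation on the slide beside its parameterised replacement, as an added Python/sqlite3 example (not code from the presentation). The table `accnts` and its two rows are constructed here; the tautology input shows the concatenated query returning every row while the parameterised query treats the same text as an ordinary ID.

```python
import sqlite3


def build_query_unsafe(user_id: str) -> str:
    # The slide's pattern: the request parameter is spliced into the SQL text,
    # so quote characters in it change the structure of the statement.
    return "SELECT * FROM accnts WHERE ID='" + user_id + "'"


def lookup_unsafe(conn: sqlite3.Connection, user_id: str) -> list:
    # Runs the concatenated query; an input such as  ' OR '1'='1  matches every row.
    return conn.execute(build_query_unsafe(user_id)).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Parameterised query: the value travels separately from the SQL text and is
    # only ever compared as data, whatever characters it contains.
    return conn.execute("SELECT * FROM accnts WHERE ID=?", (user_id,)).fetchall()


def make_demo_db() -> sqlite3.Connection:
    # Constructed sample table, not taken from the slides.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accnts (ID TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accnts VALUES (?, ?)", [("foo", 100), ("bar", 250)])
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = make_demo_db()
    print(build_query_unsafe("foo';DROP accnts;--"))  # the slide's injected statement text
    print(lookup_unsafe(conn, "' OR '1'='1"))          # both rows: structure was changed
    print(lookup_safe(conn, "' OR '1'='1"))            # []: compared as a literal ID
    print(lookup_safe(conn, "foo"))                    # [('foo', 100)]
```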

OWASP A2 - Cross site scripting (XSS)
(diagram: Browser, Appl, DB)

OWASP A2 - Cross site scripting (XSS)
(code sample; the HTML tags were stripped in extraction)
(String) page += " ";
CC= "> window.location= x=document.cookie window.location= '> CC=" "

OWASP A2 - Cross site scripting (XSS)
Alternative encodings of "<": &#x003c &#X3c &#x3C C; \x3c \x3C \u003c \u003C < %3C &lt < &LT &LT; &#60 &#060 <
Tag and event-handler examples (attribute values stripped in extraction): <img src= onmouseover= <body onload=
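The defence the two XSS slides point at is output encoding chosen per context rather than filtering the many spellings of "<". This added Python example (not from the presentation) encodes the same untrusted value for an HTML body, a quoted attribute and a JavaScript string literal; the `creditcard` field name echoes the slide's CC parameter and the page template is constructed.

```python
import html


def encode_html(untrusted: str) -> str:
    # HTML body and quoted-attribute context: & < > " ' become entities, so the
    # browser renders the data as text instead of parsing it as markup.
    return html.escape(untrusted, quote=True)


def encode_js_string(untrusted: str) -> str:
    # JavaScript string-literal context: every character outside [A-Za-z0-9] is
    # written as \uXXXX, so neither a quote nor "</script>" can end the literal.
    out = []
    for ch in untrusted:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
            continue
        units = ch.encode("utf-16-be")  # astral characters become a surrogate pair
        for i in range(0, len(units), 2):
            out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def render_page(cc: str) -> str:
    # One untrusted value placed in three contexts, each with its own encoder.
    return (
        "<p>Card: " + encode_html(cc) + "</p>\n"
        '<input name="creditcard" type="text" value="' + encode_html(cc) + '">\n'
        "<script>var cc = '" + encode_js_string(cc) + "';</script>"
    )
```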

OWASP A3 - Broken authentication and session management
- Unpredictable passwords, session IDs, security questions
- No session IDs/credentials in URL
- Avoid session fixation
- Session timeouts & logout buttons
- Different session IDs outside/inside TLS
- No clear text passwords

OWASP A4 - Insecure direct object references
2010q1, 2011q2
period=2011q3
period=2011q2

OWASP A5 - Cross-site request forgery (CSRF)

OWASP A6 - Security misconfiguration
- Patching
  - OS
  - Application
  - Frameworks / libraries
- Disable unnecessary services
- Stack traces
- Configuration

OWASP A7 - Insecure cryptographic storage
- Keep track of sensitive data
- Passwords one-way hashed & salted
- Password/key management
- TLS key pass phrase
- M2M passwords (obfuscation)
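Salted one-way password hashing as the slide describes, as an added Python example using the standard library's PBKDF2-HMAC-SHA256 (not code from the presentation). The record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are constructed choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # constructed choice; raise it as hardware gets faster


def hash_password(password: str) -> str:
    # One-way and salted: a random 16-byte salt per user means equal passwords
    # give different records and precomputed tables do not apply.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored: str, candidate: str) -> bool:
    # Recompute with the stored salt and iteration count; the password itself
    # is never stored, so nothing recoverable leaks if the table is dumped.
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: fail closed
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations)
    # Constant-time comparison so response time does not reveal matching bytes.
    return hmac.compare_digest(actual, expected)
```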

OWASP A8 - Failure to restrict URL access
/user/getAccounts
/admin/getAccounts

OWASP A9 - Insufficient transport layer protection
- Use SSL/TLS
- No mixed content
- Use secure cookies
- Example: Firesheep exploits poor solutions

OWASP A10 - Unvalidated redirects and forwards
- ks.com
- %65%2E%63%6F%6D
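A redirect-target check against an allowlist, as an added Python example (not code from the presentation). It validates the percent-decoded form because browsers decode `%xx` in hosts and paths, which is the point of the slide's hex-spelled `%65%2E%63%6F%6D` (the bytes decode to "e.com"); the allowed hosts are constructed.

```python
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"www.example.com", "example.com"}  # constructed allowlist
SAFE_DEFAULT = "/"


def safe_redirect_target(target: str) -> str:
    # Returns `target` only if it points back into this site; otherwise the
    # safe default. Anything not explicitly allowed is rejected (fail closed).
    decoded = unquote(target)  # compare what the browser will actually see
    # Site-relative path such as /account, but not a protocol-relative //host
    # or the backslash form some browsers treat the same way.
    if decoded.startswith("/") and not decoded.startswith(("//", "/\\")):
        return target
    parts = urlsplit(decoded)
    # Absolute URL: scheme must be http(s) and the parsed hostname (not a
    # substring of the string) must be on the allowlist.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return SAFE_DEFAULT
```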

OWASP OWASP resources
- OWASP Secure Software Contract Annex
- OWASP Developer’s Guide
- OWASP Enterprise Security API (ESAPI)
- OWASP Software Assurance Maturity Model (SAMM)
- OWASP WebGoat