SlideShare a Scribd company logo

Owasp top 10 2017

Download as PPTX, PDF
I
ibrahimumer2

The OWASP Top 10 is a list published by OWASP that contains the ten most critical security vulnerabilities that threaten web applications. The document discusses the top 10 vulnerabilities including injection, broken authentication, sensitive data exposure, XML external entities, broken access control, security misconfiguration, cross-site scripting, insecure deserialization, using components with known vulnerabilities, and insufficient logging and monitoring. Prevention methods are provided for each vulnerability.

Education
Related topics:
Information Security
1 of 23
Downloaded 14 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
OWASP Top 10 Internship Program
OWASP Top 10 • Open Web Application Security Project (OWASP) is non-profit entity and an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. • OWASP published the 5th revision of their popular OWASP Top 10 list in November 2017. The list contains the ten most critical security vulnerabilities that threaten modern web applications • OWASP Top 10 has been revised several times to reflect changes in the way developers protect their web applications, and the methods attackers use to target them.
1: Injection • Injection is most common security vulnerabilities. • Injection flaws such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Examples: • SQL : writing different SQL commands on the username field (SELECT * from table) • OS: executing a router’s operating system's built-in ping command with the hostname the user supplied, potentially opening a security flaw.
Prevention • Using Query parameterization which separate statement from any kind of parameters. • Validate user input , preventing unnecessary symbols ( example * on username field) • Limiting maximum information on the database to be fetched. • Building web app using proper control. • Using web application firewall
2: Broken Authentication • Authentication in web applications is mostly used to control users' access to specific information. • The most common security risks related to authentication and session management are: password theft, stealing session tokens and impersonating legitimate users.
Broken Authentication allows users (bad users) getting into web apps without proper credential. The attacker may use: • Credential stuffing: known usernames and passwords. • Automated attacks: random usernames and passwords. • Default username & passwords: like Username Admin and Password Admin • Social engineering: by tricking the victim.
Prevention • Multifactor authentication: using multiple authentications like biometrics, tokens and fingerprint verification in addition to simple password. • Password checking: checking password with in database with top 10,000 passwords on the internet and informing the user. • recommend users to create strong passwords. • Limit failed login • Creating new session on the server side • Using web application firewall
3: Sensitive Data Exposure • Sensitive data stored in databases (or anywhere else) should be well protected. • Credit card details, social security numbers and other sensitive customer details should be encrypted at rest when stored in a database, even if they are not directly accessible through a web application. • The same applies for sensitive data that is transmitted to and from the web application, such as credentials or payment details. Such information should be also be transmitted over a secure and encrypted layer.
Prevention • Encrypting all pages with sensitive data using strong cipher (TLS, SSL) • Classify data and apply control to the sensitive data separately. • Encrypted data at rest when stored in a database, even if they are not directly accessible through a web application. • Avoid storing sensitive data unless it is absolutely necessary. • Avoiding file upload flow • Using web application firewall
4: XML External Entities (XEE) • XML gives you a way to define your own entities in order to make coding and configuration easier. An example (in an XML file) where this is necessary is in a customizable configuration file in a web application. • XML Entities are like variables: they will expand to a defined value once they are processed by the XML parser. • However: there is one problem. When it is possible to pass XML documents to a parser that supports external entities, attackers can retrieve content from a website behind a firewall, issue requests to certain services, and even disclose the content of files stored on the server. Because entities can be referenced within entity definitions. • attackers can craft an XML document that contains only 10 entities, but that will eventually expand to a billion entities once it is parsed. This is also known as the 'Billion Laughs Attack'.
Prevention • Disable XEE completely or partially per parsor. • Implement server side input validation. • Using source code analysis tools (SCAST) • Using Dynamic application security testing (DAST) • Using web application firewall.
5: Broken Access Control • Access Control is simply the process of granting and denying access to a user. • Different roles exits in different web app, these roles will have different level of access. Example Admin and normal user. • Broken Access Control refers to restrictions that are not properly enforced. It occurs for example when authenticated users without administrative authority can create new administrator accounts. • A common example of such vulnerability is an admin panel that relies heavily on JavaScript to execute certain actions, such as the creation of an admin account.
Prevention • Enforcing to trusted server side code. • Doing a lot of manual testing before publishing the web application. • Deny everything by default, and only give access to who need to use it. • Implement access control once and reuse it across the web application. • Logging failures and alerting admins whenever happens • Least privilege: giving the minimum extent they need to do the job or function and beyond that only giving access for the minimum amount of time they need to do the job. • Using web application firewall.
6: Security Misconfiguration Web application security is not just about secure web application coding. To ensure the security of a web application, it is also important to: • secure the configuration of the web server, • secure the operating system of the web server. • ensure that the server is always updated with the latest security patches. The same applies for the web frameworks used on the web server, such as PHP and NET, Database servers like oracles.
Prevention • Check default configuration and turn off ports and Delete features we don’t use. Default accounts example username: Admin and password: Admin • Don’t overshare information. Example: don’t project any information on error page , like disclosure of software versions. This may allow attackers to get vulnerabilities for your software easily. • Update softwares (example apache, oracle)with latest security patches regularly. • Use automated scanning capabilities.
7: Cross-site Scripting (XSS) • A cross-site scripting (XSS) vulnerability allows hackers to inject malicious client-side script, in a website or web application, that is later executed by the victims. Typically, cross-site scripting attacks are used to bypass access controls and to impersonate legitimate users, such as the web application administrator. • Attackers sends code they want your browser to execute in order to send them your secret (valuable) staff. • Attackers may try to steal cookies by sending post(<script>………….</script>) to the web application to get the cookies of the victim by making the victim send it to the attacker.
Prevention • Using latest and modern browsers and update regularly, since better browsers have improved detection of scripts with in HTML, on the victims browser. • When building web application, we need to separate untrusted data from Active browser content.
8: Insecure Deserialization • Insecure deserialization is the process of changing byte streams (which were created by serialization by saving and persisting the state of the object) in to the original object. • During this process , the attacker can modify the byte stream, When it is deserialized, Attack happens. • The malicious attacker (invalidated user) can give himself Admin role through Insecure deserialization.
Prevention • not to accept serialized objects from untrusted sources. • Isolating and running code that deserializes in low privilege environments when possible. • Logging deserialization exceptions and failures, such as where the incoming type is not the expected type, or the deserialization throws exceptions. • Restricting or monitoring incoming and outgoing network connectivity from containers or servers that deserialize.
9: Using Components with Known Vulnerabilities • successful attacks happen When the attacker exploited a known vulnerability in an outdated software that was still being used. • attacks happen When Administrators fail to regularly update all of the software used on their web servers and by web applications with the latest, most secure and most stable versions.
Prevention • Update the software immediately, whenever updates available. • Plan for the known components. • Monitor, patch, and configure the software regularly.
10: Insufficient Logging and Monitoring • Insufficient Logging and Monitoring refers to the inability to log and detect hacking attempts and breaches. • Statistics from 2016 show that, on average, it took an organization 191 days to detect a data breach! It is possible to reduce this time greatly, and prevent breaches before they happen, if sufficient logging and monitoring take place.
Prevention • Logging every failed login , warning, error messages etc. • Log files must not contain information, if accessed by attackers • Make it sufficient content, to help us find out pattern of failed logins. Example when someone trying dictionary attack. • Storing log files in good formats • Integrity control (checking) on log file. • Having response plan.

More Related Content

PDF
Owasp top 10
YasserElsnbary
 
PPTX
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
PDF
Owasp Top 10
Shivam Porwal
 
PPTX
Owasp 2017 oveview
Shreyas N
 
PPTX
Owasp first5 presentation
Ashwini Paranjpe
 
PPTX
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
PPTX
Owasp top 10 vulnerabilities
OWASP Delhi
 
PDF
OWASP TOP 10 & .NET
Daniel Krasnokucki
 
Owasp top 10
YasserElsnbary
 
OWASP Top 10 - 2017 Top 10 web application security risks
Kun-Da Wu
 
Owasp Top 10
Shivam Porwal
 
Owasp 2017 oveview
Shreyas N
 
Owasp first5 presentation
Ashwini Paranjpe
 
OWASP Top 10 2017 rc1 - The Ten Most Critical Web Application Security Risks
Andre Van Klaveren
 
Owasp top 10 vulnerabilities
OWASP Delhi
 
OWASP TOP 10 & .NET
Daniel Krasnokucki
 

What's hot (20)

PPT
Owasp Top 10
Shivam Porwal
 
PPTX
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
PPTX
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
PDF
Top 10 Web Application vulnerabilities
Terrance Medina
 
PPTX
Web Application Vulnerabilities
Preetish Panda
 
PDF
OWASP Top 10 2017
Siddharth Phatarphod
 
PDF
OWASP Top 10 - 2017
HackerOne
 
PDF
The New OWASP Top Ten: Let's Cut to the Chase
Security Innovation
 
PPTX
Owasp top 10 security threats
Vishal Kumar
 
PDF
Web Application Security and Awareness
Abdul Rahman Sherzad
 
PDF
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
All Things Open
 
PPTX
OWASP Top Ten 2017
Michael Furman
 
PDF
Web Application Security 101
Cybersecurity Education and Research Centre
 
PPTX
OWASP -Top 5 Jagjit
Jagjit Singh Brar
 
PPTX
Beyond the OWASP Top 10
iphonepentest
 
PPTX
Web application security
Kapil Sharma
 
PPTX
How to Test for The OWASP Top Ten
Security Innovation
 
PDF
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
PPTX
OWASP TOP 10
Robert MacLean
 
PPTX
Analysis of web application penetration testing
Engr Md Yusuf Miah
 
Owasp Top 10
Shivam Porwal
 
OWASP Top 10 2017 - New Vulnerabilities
Dilum Bandara
 
OWASP Top 10 Vulnerabilities 2017- AppTrana
Ishan Mathur
 
Top 10 Web Application vulnerabilities
Terrance Medina
 
Web Application Vulnerabilities
Preetish Panda
 
OWASP Top 10 2017
Siddharth Phatarphod
 
OWASP Top 10 - 2017
HackerOne
 
The New OWASP Top Ten: Let's Cut to the Chase
Security Innovation
 
Owasp top 10 security threats
Vishal Kumar
 
Web Application Security and Awareness
Abdul Rahman Sherzad
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
All Things Open
 
OWASP Top Ten 2017
Michael Furman
 
Web Application Security 101
Cybersecurity Education and Research Centre
 
OWASP -Top 5 Jagjit
Jagjit Singh Brar
 
Beyond the OWASP Top 10
iphonepentest
 
Web application security
Kapil Sharma
 
How to Test for The OWASP Top Ten
Security Innovation
 
OISC 2019 - The OWASP Top 10 & AppSec Primer
ThreatReel Podcast
 
OWASP TOP 10
Robert MacLean
 
Analysis of web application penetration testing
Engr Md Yusuf Miah
 
Ad

Similar to Owasp top 10 2017 (20)

PPT
Secure code practices
Hina Rawal
 
PDF
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer
 
PDF
Top 10 web application security risks akash mahajan
Akash Mahajan
 
PPT
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
PDF
Secure coding guidelines
Zakaria SMAHI
 
PPTX
Web and Mobile Application Security
Prateek Jain
 
PPTX
Owasp Proactive Controls for Web developer
Sameer Paradia
 
PPTX
VAPT_FINAL SLIDES.pptx
karthikvcyber
 
PDF
Vulnerabilidades en sitios web (english)
Miguel de la Cruz
 
PPTX
Security testing
Khizra Sammad
 
PPTX
owasp features in secure coding techniques
Sri Latha
 
PDF
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
PDF
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
PPTX
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Imperva Incapsula
 
PDF
Best Practices for Developing Secure Web Applications
ScalaCode
 
PDF
Web sever environmentA Web server is a program that uses HTTP (Hy.pdf
aquacareser
 
PPTX
So Your Company Hired A Pentester
NorthBayWeb
 
PPTX
Exploitation techniques and fuzzing
Prachi Gulihar
 
PDF
Apache struts vulnerabilities compromise corporate web servers 
Jeff Suratt
 
PPTX
owasp top 10 security risk categories and CWE
Arun Voleti
 
Secure code practices
Hina Rawal
 
Jonathan Singer - Wheezing The Juice.pdf
Jonathan Singer
 
Top 10 web application security risks akash mahajan
Akash Mahajan
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
Secure coding guidelines
Zakaria SMAHI
 
Web and Mobile Application Security
Prateek Jain
 
Owasp Proactive Controls for Web developer
Sameer Paradia
 
VAPT_FINAL SLIDES.pptx
karthikvcyber
 
Vulnerabilidades en sitios web (english)
Miguel de la Cruz
 
Security testing
Khizra Sammad
 
owasp features in secure coding techniques
Sri Latha
 
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017
Philippe Gamache
 
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017
Philippe Gamache
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Imperva Incapsula
 
Best Practices for Developing Secure Web Applications
ScalaCode
 
Web sever environmentA Web server is a program that uses HTTP (Hy.pdf
aquacareser
 
So Your Company Hired A Pentester
NorthBayWeb
 
Exploitation techniques and fuzzing
Prachi Gulihar
 
Apache struts vulnerabilities compromise corporate web servers 
Jeff Suratt
 
owasp top 10 security risk categories and CWE
Arun Voleti
 
Ad

Recently uploaded (20)

PPTX
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
PPTX
Introduction and Scope of Bichemistry.pptx
shantiyogi
 
PDF
5.Universal-Franchise-and-Indias-Electoral-System.pdfppt/pdf/8th class social...
Sandeep Swamy
 
PPTX
Odoo 18 Sales_ Managing Quotation Validity
Celine George
 
PPTX
Skill Development Program For Physiotherapy Students by SRY.pptx
Prof.Dr.Y.SHANTHOSHRAJA MPT Orthopedic., MSc Microbiology
 
PPTX
Open Quiz Monsoon Mind Game Final Set.pptx
Sourav Kr Podder
 
PDF
High Ground Student Revision Booklet Preview
jpinnuck
 
PPTX
Revamp in MTO Odoo 18 Inventory - Odoo Slides
Celine George
 
PDF
PG-BPSDMP 2 TAHUN 2025PG-BPSDMP 2 TAHUN 2025.pdf
AshifaRamadhani
 
PDF
Types of Literary Text: Poetry and Prose
kaelandreabibit
 
PDF
Phylum Arthropoda: Characteristics and Classification, Entomology Lecture
Miraj Khan
 
PPTX
IMMUNIZATION PROGRAMME pptx
AneetaSharma15
 
PPTX
PPTs-The Rise of Empiresghhhhhhhh (1).pptx
academysrusti114
 
PPTX
How to Manage Global Discount in Odoo 18 POS
Celine George
 
PPTX
An introduction to Dialogue writing.pptx
drsiddhantnagine
 
PDF
UTS Health Student Promotional Representative_Position Description.pdf
Faculty of Health, University of Technology Sydney
 
PDF
LDMMIA Reiki Yoga S2 L3 Vod Sample Preview
LDMMia Reiki Lectures
 
DOCX
UPPER GASTRO INTESTINAL DISORDER.docx
BANDITA PATRA
 
PDF
Electrolyte Disturbances and Fluid Management A clinical and physiological ap...
Dr. AMRA. Ahmed Makram Riyadh Antar - MEZA. MedElite Zenith Academy
 
PDF
Cell Biology Basics: Cell Theory, Structure, Types, and Organelles | BS Level...
Miraj Khan
 
Introduction to Child Health Nursing – Unit I | Child Health Nursing I | B.Sc...
RAKESH SAJJAN
 
Introduction and Scope of Bichemistry.pptx
shantiyogi
 
5.Universal-Franchise-and-Indias-Electoral-System.pdfppt/pdf/8th class social...
Sandeep Swamy
 
Odoo 18 Sales_ Managing Quotation Validity
Celine George
 
Skill Development Program For Physiotherapy Students by SRY.pptx
Prof.Dr.Y.SHANTHOSHRAJA MPT Orthopedic., MSc Microbiology
 
Open Quiz Monsoon Mind Game Final Set.pptx
Sourav Kr Podder
 
High Ground Student Revision Booklet Preview
jpinnuck
 
Revamp in MTO Odoo 18 Inventory - Odoo Slides
Celine George
 
PG-BPSDMP 2 TAHUN 2025PG-BPSDMP 2 TAHUN 2025.pdf
AshifaRamadhani
 
Types of Literary Text: Poetry and Prose
kaelandreabibit
 
Phylum Arthropoda: Characteristics and Classification, Entomology Lecture
Miraj Khan
 
IMMUNIZATION PROGRAMME pptx
AneetaSharma15
 
PPTs-The Rise of Empiresghhhhhhhh (1).pptx
academysrusti114
 
How to Manage Global Discount in Odoo 18 POS
Celine George
 
An introduction to Dialogue writing.pptx
drsiddhantnagine
 
UTS Health Student Promotional Representative_Position Description.pdf
Faculty of Health, University of Technology Sydney
 
LDMMIA Reiki Yoga S2 L3 Vod Sample Preview
LDMMia Reiki Lectures
 
UPPER GASTRO INTESTINAL DISORDER.docx
BANDITA PATRA
 
Electrolyte Disturbances and Fluid Management A clinical and physiological ap...
Dr. AMRA. Ahmed Makram Riyadh Antar - MEZA. MedElite Zenith Academy
 
Cell Biology Basics: Cell Theory, Structure, Types, and Organelles | BS Level...
Miraj Khan
 

Owasp top 10 2017

  • 2. OWASP Top 10 • Open Web Application Security Project (OWASP) is non-profit entity and an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted. • OWASP published the 5th revision of their popular OWASP Top 10 list in November 2017. The list contains the ten most critical security vulnerabilities that threaten modern web applications • OWASP Top 10 has been revised several times to reflect changes in the way developers protect their web applications, and the methods attackers use to target them.
  • 3. 1: Injection • Injection is most common security vulnerabilities. • Injection flaws such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Examples: • SQL : writing different SQL commands on the username field (SELECT * from table) • OS: executing a router’s operating system's built-in ping command with the hostname the user supplied, potentially opening a security flaw.
  • 4. Prevention • Using Query parameterization which separate statement from any kind of parameters. • Validate user input , preventing unnecessary symbols ( example * on username field) • Limiting maximum information on the database to be fetched. • Building web app using proper control. • Using web application firewall
  • 5. 2: Broken Authentication • Authentication in web applications is mostly used to control users' access to specific information. • The most common security risks related to authentication and session management are: password theft, stealing session tokens and impersonating legitimate users.
  • 6. Broken Authentication allows users (bad users) getting into web apps without proper credential. The attacker may use: • Credential stuffing: known usernames and passwords. • Automated attacks: random usernames and passwords. • Default username & passwords: like Username Admin and Password Admin • Social engineering: by tricking the victim.
  • 7. Prevention • Multifactor authentication: using multiple authentications like biometrics, tokens and fingerprint verification in addition to simple password. • Password checking: checking password with in database with top 10,000 passwords on the internet and informing the user. • recommend users to create strong passwords. • Limit failed login • Creating new session on the server side • Using web application firewall
  • 8. 3: Sensitive Data Exposure • Sensitive data stored in databases (or anywhere else) should be well protected. • Credit card details, social security numbers and other sensitive customer details should be encrypted at rest when stored in a database, even if they are not directly accessible through a web application. • The same applies for sensitive data that is transmitted to and from the web application, such as credentials or payment details. Such information should be also be transmitted over a secure and encrypted layer.
  • 9. Prevention • Encrypting all pages with sensitive data using strong cipher (TLS, SSL) • Classify data and apply control to the sensitive data separately. • Encrypted data at rest when stored in a database, even if they are not directly accessible through a web application. • Avoid storing sensitive data unless it is absolutely necessary. • Avoiding file upload flow • Using web application firewall
  • 10. 4: XML External Entities (XEE) • XML gives you a way to define your own entities in order to make coding and configuration easier. An example (in an XML file) where this is necessary is in a customizable configuration file in a web application. • XML Entities are like variables: they will expand to a defined value once they are processed by the XML parser. • However: there is one problem. When it is possible to pass XML documents to a parser that supports external entities, attackers can retrieve content from a website behind a firewall, issue requests to certain services, and even disclose the content of files stored on the server. Because entities can be referenced within entity definitions. • attackers can craft an XML document that contains only 10 entities, but that will eventually expand to a billion entities once it is parsed. This is also known as the 'Billion Laughs Attack'.
  • 11. Prevention • Disable XEE completely or partially per parsor. • Implement server side input validation. • Using source code analysis tools (SCAST) • Using Dynamic application security testing (DAST) • Using web application firewall.
  • 12. 5: Broken Access Control • Access Control is simply the process of granting and denying access to a user. • Different roles exits in different web app, these roles will have different level of access. Example Admin and normal user. • Broken Access Control refers to restrictions that are not properly enforced. It occurs for example when authenticated users without administrative authority can create new administrator accounts. • A common example of such vulnerability is an admin panel that relies heavily on JavaScript to execute certain actions, such as the creation of an admin account.
  • 13. Prevention • Enforcing to trusted server side code. • Doing a lot of manual testing before publishing the web application. • Deny everything by default, and only give access to who need to use it. • Implement access control once and reuse it across the web application. • Logging failures and alerting admins whenever happens • Least privilege: giving the minimum extent they need to do the job or function and beyond that only giving access for the minimum amount of time they need to do the job. • Using web application firewall.
  • 14. 6: Security Misconfiguration Web application security is not just about secure web application coding. To ensure the security of a web application, it is also important to: • secure the configuration of the web server, • secure the operating system of the web server. • ensure that the server is always updated with the latest security patches. The same applies for the web frameworks used on the web server, such as PHP and NET, Database servers like oracles.
  • 15. Prevention • Check default configuration and turn off ports and Delete features we don’t use. Default accounts example username: Admin and password: Admin • Don’t overshare information. Example: don’t project any information on error page , like disclosure of software versions. This may allow attackers to get vulnerabilities for your software easily. • Update softwares (example apache, oracle)with latest security patches regularly. • Use automated scanning capabilities.
  • 16. 7: Cross-site Scripting (XSS) • A cross-site scripting (XSS) vulnerability allows hackers to inject malicious client-side script, in a website or web application, that is later executed by the victims. Typically, cross-site scripting attacks are used to bypass access controls and to impersonate legitimate users, such as the web application administrator. • Attackers sends code they want your browser to execute in order to send them your secret (valuable) staff. • Attackers may try to steal cookies by sending post(<script>………….</script>) to the web application to get the cookies of the victim by making the victim send it to the attacker.
  • 17. Prevention • Using latest and modern browsers and update regularly, since better browsers have improved detection of scripts with in HTML, on the victims browser. • When building web application, we need to separate untrusted data from Active browser content.
  • 18. 8: Insecure Deserialization • Insecure deserialization is the process of changing byte streams (which were created by serialization by saving and persisting the state of the object) in to the original object. • During this process , the attacker can modify the byte stream, When it is deserialized, Attack happens. • The malicious attacker (invalidated user) can give himself Admin role through Insecure deserialization.
  • 19. Prevention • not to accept serialized objects from untrusted sources. • Isolating and running code that deserializes in low privilege environments when possible. • Logging deserialization exceptions and failures, such as where the incoming type is not the expected type, or the deserialization throws exceptions. • Restricting or monitoring incoming and outgoing network connectivity from containers or servers that deserialize.
  • 20. 9: Using Components with Known Vulnerabilities • successful attacks happen When the attacker exploited a known vulnerability in an outdated software that was still being used. • attacks happen When Administrators fail to regularly update all of the software used on their web servers and by web applications with the latest, most secure and most stable versions.
  • 21. Prevention • Update the software immediately, whenever updates available. • Plan for the known components. • Monitor, patch, and configure the software regularly.
  • 22. 10: Insufficient Logging and Monitoring • Insufficient Logging and Monitoring refers to the inability to log and detect hacking attempts and breaches. • Statistics from 2016 show that, on average, it took an organization 191 days to detect a data breach! It is possible to reduce this time greatly, and prevent breaches before they happen, if sufficient logging and monitoring take place.
  • 23. Prevention • Logging every failed login , warning, error messages etc. • Log files must not contain information, if accessed by attackers • Make it sufficient content, to help us find out pattern of failed logins. Example when someone trying dictionary attack. • Storing log files in good formats • Integrity control (checking) on log file. • Having response plan.