OWASP Top 10 Vulnerabilities - same old list

Hi Everyone,

Work has been crazy lately, but I would like to brief you about the OWASP Top 10 2013 which was released recently. As expected, SQL injection is top on the list. Here are the Top 10:

  1. A1 - Injection
  2. A2 - Broken Authentication and Session Management
  3. A3 - Cross-Site Scripting (XSS)
  4. A4 - Insecure Direct Object References
  5. A5 - Security Misconfiguration
  6. A6 - Sensitive Data Exposure
  7. A7 - Missing Function Level Access Control
  8. A8 - Cross-Site Request Forgery (CSRF)
  9. A9 - Using components with known vulnerabilities
  10. A10 - Unvalidated Redirects and Forwards
I wont go into the breakdown of each of these components, further details can be gotten at the official OWASP site. From the list above, it is disappointing to note that about a decade after the first OWASP top 10 was released, the major vulnerabilities have not been eliminated. Developers are still too focused on functionality and paying less attention to security. There is a need to engrave this list on the forehead of every developer. Working as a penetration tester, everyday I find myself trying to educate the developers on the need to properly sanitize user inputs and proper user session management.
OWASP has done their own part by sensitizing us with this list. The onus is on us to preach the gospel and change the status quo. Every organization should inculcate this list and then we can talk about being safe.

Comments

Post a Comment

Popular posts from this blog

Pentesting Android applications

Image
Hi all, I would like to talk about the coolness of android applications. So if you want to perform a security review an android app, how will you go about it? There are so many ways to go about this, i will highlight some of the ways I use. 1) Most android applications work just like Web applications, they send out HTTP requests using POST and GET methods. So a cool thing to do is to intercept and capture these requests, make modifications and monitor responses (which can also be intercepted and modified). So how can this be done? A sweet way to achieve this is by proxying all traffic from the application on your phone through a proxy tool such as Burp Suite (coolest tool for me). Now how can you direct that phone traffic to your Burp Suite which is probably running on a laptop or system? Well, you can use a great android tool called "Proxy Droid" to direct the traffic to the IP address and port on which the burp suite is listening. You can connect them to the same wire...
Read more

Global Cyberlympics Finals 2015 Write-up - Tracker.7z

Image
Hi all , It has been a while since I updated this blog. Just want to share one of the challenges my team solved at the Cyberlympics finals held in Washington DC, USA. Tools used : wireshark, chaosreader, vncviewer, tightVNC, online QR code scanner. We were given a zipped pcap file - tracker.7z and asked to analyse it as it contains some information about a meeting location for a suspect in the whole storyline. We were to get the location of the meeting. Well, we loaded the pcap into wireshark to have a first look at it. Screenshot below: From the screenshot above, one can notice the VNC protocol being used during the capture, probably the suspect communicated with a remote person via VNC. So we need to reassemble the VNC session and see if that gives us any valuable information. A tool of choice, or probably the only tool I know that can do this is Chaosreader  by Brendan G. Gregg.   An index.html file is generated after run with chaosreader. Th...
Read more

Red Teaming with Covenant and Donut

Image
Red Teaming has rapidly transitioned from Living off the Land (LotL) to Bringing Your Own Land (BYOL). It is now possible to execute .NET assemblies entirely within memory. By developing custom C#-based assemblies, attackers no longer need to rely on the tools present on the target system; they can instead write and deliver their own tools, a technique called Bring Your Own Land (BYOL).  This has led to transitions from PowerShell tools (e.g. PowerShell Empire) to frameworks targeted for .NET assemblies. {shamelessly copied from  https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html } About Covenant Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. Covenant is an ASP.NET Core, cross-platform application that includes a web-based ...
Read more