Web Application Security

This document provides an overview of web application security and the OWASP Top 10. It introduces web application security and describes securing code, libraries, backends, and servers. It then details the OWASP Top 10 list of the most critical web application security risks, including broken access control, injection, and insecure design. The document outlines hands-on labs for practicing security techniques using tools like the OWASP Juice Shop. It concludes with an introduction to vulnerability assessment and penetration testing (VAPT), including scanning targets and writing reports.
Web Application Security
Sudhakar Muthumani
Table of contents
01 Introduction: Introduction to Web Application Security
02 OWASP Top 10: Describing OWASP Top 10 bugs
03 Hands on: Introduction about hands-on labs
04 VAPT: Intro to the VAPT
01 INTRODUCTION
Introduction to Web Application Security
What is web application security?
● Securing the custom code that drives a web application.
● Securing libraries.
● Securing backend systems.
● Securing the web application and servers.
OWASP Top 10: first release 2003, latest release 2021.
02 OWASP TOP 10
Introduction to OWASP Top 10
WHY OWASP TOP 10
● Safeguarding the code against vulnerabilities.
● Strengthen the encryption of the software.
● Reduce security bugs in the code.
[Graphic: apps that failed in the Top 10]
OWASP TOP 10
● Broken Access Control
● Cryptographic Failures
● Injection
● Insecure Design
● Security Misconfiguration
● Vulnerable and Outdated Components
● Identification and Authentication Failures
● Software and Data Integrity Failures
● Security Logging and Monitoring Failures
● Server-Side Request Forgery (SSRF)
Broken Access Control
● Bypassing access control checks.
● Permitting viewing or editing someone else's account by providing its unique identifier.
● Accessing APIs with missing access controls for POST, PUT and DELETE.
● Elevation of privilege.
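An added example (not from the slides) of the two checks an access-control layer needs for the bullets above: a method-level role check and an object-level ownership check, so that supplying another account's identifier or a privileged HTTP method is denied. The account data, roles and function names are hypothetical.

```python
# Added example (not from the slides): object-level and method-level
# authorization for an account resource. All names and data are hypothetical.

# Constructed sample data: two ordinary users and one admin.
ACCOUNTS = {
    101: {"owner": "alice", "balance": 250},
    102: {"owner": "bob", "balance": 900},
}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

# Which roles may use each HTTP method on /accounts/{id}.
# DELETE is admin-only; POST/PUT/DELETE must be listed explicitly, not inherited.
METHOD_ROLES = {
    "GET": {"user", "admin"},
    "PUT": {"user", "admin"},
    "DELETE": {"admin"},
}

class Forbidden(Exception):
    pass

def authorize(user: str, method: str, account_id: int) -> dict:
    """Enforce both checks on the server side:
    1. method-level: may this role use this HTTP method at all?
    2. object-level: does the caller own the object, or hold the admin role?
    A request for someone else's account id fails check 2 (IDOR);
    a user calling DELETE fails check 1 (elevation of privilege)."""
    role = ROLES.get(user)
    if role is None or role not in METHOD_ROLES.get(method, set()):
        raise Forbidden(f"{user!r} may not {method} accounts")
    account = ACCOUNTS.get(account_id)
    if account is None:
        # Same error as a denial, so callers cannot enumerate valid ids.
        raise Forbidden("not permitted")
    if role != "admin" and account["owner"] != user:
        raise Forbidden(f"{user!r} does not own account {account_id}")
    return account

def can(user: str, method: str, account_id: int) -> bool:
    """Boolean view of authorize(), convenient for tests and policy checks."""
    try:
        authorize(user, method, account_id)
        return True
    except Forbidden:
        return False
```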
Cryptographic Failures
● Data transmitted in clear text. Using old or weak cryptographic algorithms or protocols.
● Using default crypto keys, weak crypto keys, etc.
● Using deprecated hash functions such as MD5 or SHA1.
Injection
● Cross-site Scripting is now part of this category in this edition.
● User-supplied data is not validated, filtered, or sanitized by the application.
● The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.
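An added example (not from the slides) showing what "the structure and malicious data in dynamic queries" means in practice: the same lookup written with string formatting and with a bound parameter, run against a constructed in-memory SQLite table. Table name, rows and function names are hypothetical.

```python
# Added example (not from the slides): a dynamic query beside its
# parameterized replacement, against a constructed SQLite table.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the input is pasted into the SQL text, so a value
    containing a quote changes the statement's structure, not just its data."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Fixed form: the statement structure is fixed by the application and the
    driver passes the input as a value, so quotes inside it are only characters
    that the comparison must match literally."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]
```

The same input that returns every row from the dynamic version returns nothing from the parameterized one, which is the check to keep in a test suite after the fix.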
Insecure Design
● Focus on risks related to design flaws.
● Must know what each control does and where it applies.
Security Misconfiguration
● Unnecessary features are enabled or installed. Default accounts and their passwords are still enabled and unchanged.
● Error handling reveals stack traces or other overly informative messages.
Vulnerable and Outdated Components
● Not regularly scanning for vulnerabilities.
● Software is vulnerable, unsupported, or out of date.
● Not securing the components' configurations.
Identification and Authentication Failures
● Permits brute force or other automated attacks.
● Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".
● Has missing or ineffective multi-factor authentication.
● Exposes the session identifier in the URL.
● Reuses the session identifier after successful login.
Software and Data Integrity Failures
● Use digital signatures or similar mechanisms to verify the software or data.
● Ensure libraries and dependencies, such as npm or Maven, are consuming trusted repositories.
● Ensure that there is a review process for code and configuration changes.
● Ensure that unsigned or unencrypted serialized data is not sent to untrusted clients.
Security Logging and Monitoring Failures
● Logs are only stored locally.
● Warnings and errors generate no, inadequate, or unclear log messages.
● Logs of applications and APIs are not monitored for suspicious activity.
● Auditable events, such as logins, failed logins, and high-value transactions, are not logged.
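An added example (not from the slides) that ties the "permits brute force" bullet under Identification and Authentication Failures to the logging bullets above: failed logins are written as auditable events, and a small detector scans them for a burst of failures from one source against one user, then checks whether a success followed. The log format, sample lines, threshold and window are constructed for this example.

```python
# Added example (not from the slides): detect brute-force login runs in a
# constructed authentication log. Format and thresholds are hypothetical.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one line per authentication attempt.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAILED user=admin src=203.0.113.9
2024-05-01T10:00:02Z LOGIN_FAILED user=admin src=203.0.113.9
2024-05-01T10:00:03Z LOGIN_FAILED user=admin src=203.0.113.9
2024-05-01T10:00:04Z LOGIN_FAILED user=admin src=203.0.113.9
2024-05-01T10:00:05Z LOGIN_FAILED user=admin src=203.0.113.9
2024-05-01T10:00:06Z LOGIN_OK user=admin src=203.0.113.9
2024-05-01T10:30:00Z LOGIN_FAILED user=alice src=198.51.100.4
2024-05-01T11:00:00Z LOGIN_OK user=alice src=198.51.100.4
"""

def parse_line(line: str) -> dict:
    """'<timestamp> <EVENT> key=value ...' -> dict with a datetime under 'ts'."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def find_bruteforce(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=1)) -> list:
    """Return (src, user, first_ts) for each source that produced at least
    `threshold` LOGIN_FAILED events against one user inside `window`.
    A sliding window is used, so slow sprays under the rate are not flagged here."""
    failures = defaultdict(list)  # (src, user) -> timestamps in log order
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] == "LOGIN_FAILED":
            failures[(rec["src"], rec["user"])].append(rec["ts"])
    alerts = []
    for (src, user), times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, user, times[start]))
                break
    return alerts

def followed_by_success(log_text: str, src: str, user: str, after: datetime) -> bool:
    """True if the same source later logged in as that user: the case to escalate,
    because the guessing may have succeeded."""
    return any(r["event"] == "LOGIN_OK" and r["src"] == src and r["user"] == user
               and r["ts"] > after for r in map(parse_line, log_text.splitlines()))
```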
Server-Side Request Forgery (SSRF)
● SSRF flaws occur whenever a web application is fetching a remote resource without validating the user-supplied URL.
● Disable HTTP redirection.
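An added example (not from the slides) of the validation the first bullet calls for: a server-side check on a user-supplied URL before anything is fetched, using an allow-list of hosts and schemes and rejecting literal IP addresses. The host list and port policy are hypothetical; the validator is meant to be paired with an HTTP client configured not to follow redirects, as the second bullet says.

```python
# Added example (not from the slides): validate a user-supplied URL before the
# server fetches it. Allow-list and port policy are hypothetical choices.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.test", "cdn.example.test"}  # constructed
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}  # None means the scheme default

def validate_fetch_url(url: str) -> str:
    """Return `url` if the server may fetch it, else raise ValueError.
    Checks: scheme allow-list, no credentials in the URL (which hide the real
    host before the '@'), host on the allow-list, no literal IP hosts (so
    loopback, link-local and private addresses never reach the fetcher), and
    an expected port. Redirects must stay disabled in the client; otherwise an
    allowed host could redirect the fetch to an internal address after this check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not a literal IP, continue with the allow-list check
    else:
        raise ValueError("literal IP addresses are not allowed")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allow-list: {host!r}")
    if parts.port not in ALLOWED_PORTS:  # .port raises ValueError on junk ports
        raise ValueError(f"port not allowed: {parts.port}")
    return url

def is_fetchable(url: str) -> bool:
    """Boolean view of validate_fetch_url() for policy checks and tests."""
    try:
        validate_fetch_url(url)
        return True
    except ValueError:
        return False
```

A hostname allow-list does not cover a listed name whose DNS answer points at an internal address; resolve the name at fetch time and check the resulting address too, or send such fetches through an egress proxy that enforces the same policy.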
03 LABS
Hands-on labs to practice
● OWASP JUICE SHOP
● PORTSWIGGER
● TRYHACKME
● BWAPP
● HACK THE BOX
● VULNHUB
● HACKER101 CTF
04 VAPT
Introduction to Vulnerability Assessment and Penetration Testing
The VAPT cycle:
● Scanning target
● Vulnerability assessment
● Penetration testing
● Report writing
Thanks
Should you have any questions?

Ping me @ [email protected]

sudhakarmuthumani00 @sudhakar_._m sudhakarmuthumani @sudhakarmuthu04