CHARUTAR VIDYA MANDAL UNIVERSITY
A D PATEL INSTITUTE OF TECHNOLOGY
CYBER SECURITY - 102045607
Chap-5 Web Application Vulnerabilities
PREPARED BY:
PROF. AXIT KACHHIA
CP DEPARTMENT
OWASP
➢It is known as Open Web Application Security Project.
➢It is an online community that produces freely-available articles,
methodologies, documentation, tools, and technologies in the field of web
application security.
➢The Open Web Application Security Project (OWASP) provides free and open
resources.
➢It is led by a non-profit called The OWASP Foundation.
➢The OWASP Top 10 - 2021 is the published result of recent research based
on comprehensive data compiled from over 40 partner organizations.
OWASP
➢OWASP Top 10 web application security risks.
OWASP
➢1. Broken Access Control:
➢Access controls are critical for securing applications against unauthorized
access to data and resources.
➢Broken access controls can lead to data compromise, obtaining permissions
beyond what’s intended for standard users, or account takeover attacks where
outsiders hijack user accounts and initiate fraudulent transactions.
➢This vulnerability jumped from 5th position in 2017 to 1st in 2021, reflecting
that it was found in 94% of tested applications.
OWASP
➢From a decision-making perspective, it’s critical to emphasize the importance
of shifting security left in the development cycle.
➢Access controls are harder to implement later, so communicate the
importance of implementing proper access controls, such as denying requests
by default and rate limiting APIs, early on in web app development.
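The deny-by-default rule from the slide, as an added example (not from the slides or from OWASP): every (role, action) pair that is permitted is listed explicitly, ownership is checked on the object itself, and anything not listed is refused. The users, roles and records are constructed sample data.

```python
"""Deny-by-default, object-level access control (added example, constructed data)."""

# Constructed principals and objects: two ordinary users and one admin.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
RECORDS = {
    101: {"owner": "alice", "data": "alice's invoice"},
    102: {"owner": "bob", "data": "bob's invoice"},
}

# Explicit allow rules: (role, action) -> predicate over (user, record).
# Every combination that is NOT listed here is denied.
POLICY = {
    ("user", "read"): lambda user, rec: rec["owner"] == user,
    ("user", "update"): lambda user, rec: rec["owner"] == user,
    ("admin", "read"): lambda user, rec: True,
    ("admin", "update"): lambda user, rec: True,
    ("admin", "delete"): lambda user, rec: True,
}


def is_allowed(user, action, record_id):
    """Return True only if an explicit rule grants `action` on this record."""
    user_info = USERS.get(user)
    record = RECORDS.get(record_id)
    if user_info is None or record is None:
        return False  # unknown principal or unknown object: deny
    rule = POLICY.get((user_info["role"], action))
    if rule is None:
        return False  # no rule for this role/action: deny by default
    return rule(user, record)


def read_record(user, record_id):
    """Application-layer accessor that enforces the check before touching data."""
    if not is_allowed(user, "read", record_id):
        raise PermissionError(f"{user} may not read record {record_id}")
    return RECORDS[record_id]["data"]


if __name__ == "__main__":
    print(read_record("alice", 101))        # alice reads her own record
    print(is_allowed("alice", "read", 102))  # False: another user's record
    print(is_allowed("carol", "delete", 102))  # True: admin rule exists
```

The important property is that a new action (say, "export") is denied for everyone until a rule is written for it; the check sits in the accessor, so a caller cannot reach the data without passing through it.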
OWASP
➢2. Cryptographic Failures:
➢Cryptographic failures refer to either a bad implementation of encryption or a
complete lack of encryption.
➢The major consequence of a cryptographic failure is that you can potentially
expose sensitive data.
➢The exposure of sensitive data can pose compliance, reputational, or
competitive business risks depending on what information is not adequately
protected by encryption.
OWASP
➢With the average data breach cost at an all-time high of $4.35 million in 2022,
businesses can’t afford to slip up with cryptography.
➢A modern encryption solution that uses up-to-date and strong standard
algorithms centralizes encryption and encryption key configuration, and
manages the encryption key lifecycle is a prudent investment.
OWASP
➢3. Injection:
➢Injection is a risk category that refers to the ability of threat actors to provide
malicious input to web applications that result in the app executing
unexpected and unwanted commands.
➢Injection occurs when the app can’t distinguish malicious input from its code.
➢Common injection attacks include SQL injections that insert malicious SQL
queries into input fields or JavaScript injections that load malicious code into
the client-side of the web app.
OWASP
➢Injection attacks can lead to various negative outcomes, including denial of
service, privilege elevation, and data breaches.
➢An important strategic element of mitigation is encouraging the use of tools
that help to detect injection vulnerabilities in code.
➢Since there are several different injection attacks, you may need more than
one tool for thorough testing.
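An added example covering both injection slides (not from the slides or from OWASP): a lookup that builds SQL by string formatting next to the same lookup with parameter binding, run against an in-memory SQLite table, plus a small source-code check of the kind the slide refers to, which flags `execute(...)` calls whose query is assembled from an f-string, `+` or `%`. The table contents, the scanned source snippet and the regex are all constructed for this example.

```python
"""SQL injection: vulnerable vs. parameterized query, plus a toy code check."""
import re
import sqlite3


def make_db():
    """Constructed sample table with two users (passwords shown as placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def find_user_vulnerable(conn, username):
    """The input is pasted into the SQL text, so the database parses it as SQL."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Placeholder binding: the value travels separately from the SQL text and
    can never change the statement's structure."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# Toy static check: an execute() whose first argument is an f-string, or a
# string literal followed by '+' or '%', is built from concatenation.
RISKY_EXECUTE = re.compile(r"""execute\(\s*(f["']|["'].*["']\s*(\+|%))""")


def find_risky_queries(source):
    """Return 1-based line numbers of execute() calls that concatenate SQL."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if RISKY_EXECUTE.search(line)]


# Constructed source snippet to scan (line 1 is the blank line after ''').
SAMPLE_SOURCE = '''
cur.execute(f"SELECT * FROM t WHERE id = {uid}")
cur.execute("SELECT * FROM t WHERE id = " + uid)
cur.execute("SELECT * FROM t WHERE id = %s" % uid)
cur.execute("SELECT * FROM t WHERE id = ?", (uid,))
'''


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"
    print(find_user_vulnerable(db, tautology))  # every row comes back
    print(find_user_safe(db, tautology))        # no such user: empty list
    print(find_risky_queries(SAMPLE_SOURCE))    # lines 2, 3 and 4
```

The vulnerable function returns every user for the tautology input because the quote in the input closes the literal and the rest becomes part of the WHERE clause; the bound version treats the whole string as one value. A real scanner would parse the code rather than regex it, but the pattern is enough to show what such tools look for.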
OWASP
➢4. Insecure Design:
➢This is an entirely new category for the OWASP Top Ten, focusing broadly on
application design and architectural flaws that lead to increased security risks.
➢When an application is inherently designed in an insecure way, even a perfect
implementation of security controls can’t compensate for those design
weaknesses.
➢Sophisticated threat actors will eventually find and exploit design flaws.
➢Threat modeling should use the structure and data flow inherent to a specific
web app to trace out the key technical threats that could exploit the system.
OWASP
➢5. Security Misconfiguration:
➢This category of risks relates to the security components in an application
being incorrectly configured.
➢Misconfigurations are increasingly common due to the cloud being used as a
development environment and web apps being built with container images.
➢The infrastructural complexity adds more points at which security
misconfigurations can occur.
➢In the data OWASP gathered for the current Top Ten, there were over
200,000 detected instances of security misconfigurations in web apps.
OWASP
➢The challenge with mitigating security misconfiguration risks from a strategic
standpoint is that they cover the whole application stack and the app’s
infrastructure.
➢Individual errors are often at play here, such as opening unnecessary ports,
not changing default passwords, or leaving cloud storage buckets open.
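The individual errors listed on the slide (unnecessary open ports, unchanged default passwords, open storage buckets) are the sort of thing a pre-deployment check can catch. The following is an added example, not from the slides: a weak configuration beside its corrected form and a small audit function that reports each problem. The configuration keys, the default-password list and the allowed-port set are constructed for this example, not a real product's settings.

```python
"""Audit a deployment configuration for common misconfigurations (added example)."""

# Constructed list of well-known default credentials to refuse.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default"}
# Constructed: the only port this service needs to expose.
REQUIRED_PORTS = {443}

# The weak configuration: debug on, default password, extra ports, open bucket.
INSECURE_CONFIG = {
    "debug": True,
    "admin_password": "admin",
    "open_ports": [22, 80, 443, 3306],
    "storage_bucket": {"public_read": True},
    "error_detail": "verbose",
}

# The same deployment corrected (password value is a constructed placeholder).
HARDENED_CONFIG = {
    "debug": False,
    "admin_password": "placeholder-unique-secret-set-at-deploy-time",
    "open_ports": [443],
    "storage_bucket": {"public_read": False},
    "error_detail": "generic",
}


def audit(config, allowed_ports=REQUIRED_PORTS):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    if config.get("debug"):
        findings.append("debug mode enabled")
    if config.get("admin_password", "").lower() in DEFAULT_PASSWORDS:
        findings.append("admin password is a well-known default")
    extra_ports = sorted(set(config.get("open_ports", [])) - set(allowed_ports))
    if extra_ports:
        findings.append(f"unnecessary open ports: {extra_ports}")
    if config.get("storage_bucket", {}).get("public_read"):
        findings.append("storage bucket is publicly readable")
    if config.get("error_detail") == "verbose":
        findings.append("verbose error detail enabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Running the audit in the build pipeline, against the configuration that will actually be deployed, is what turns the slide's "individual errors" into a repeatable gate rather than a one-time review.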
OWASP
➢6. Vulnerable and Outdated Components:
➢Web apps comprise many components or building blocks from external
sources (libraries, frameworks, etc.). These components handle both back-end
and front-end functionality.
➢When threat actors try to compromise an application, they look at its
component parts and attempt to exploit any vulnerabilities.
➢Often, these vulnerabilities come from using out-of-date frameworks or
libraries that are easy to exploit.
OWASP
➢The overall strategic mitigation here is to ensure an effective patch
management strategy is in place.
➢Part of that strategy entails maintaining an inventory of all the components in
your apps and the respective versions of those components the app is
running.
➢Ideally, you’ll be able to automate the inventory step with a digital inventory
solution.
OWASP
➢7. Identification and Authentication Failures:
➢Failures in authentication and identity management make applications
vulnerable to threat actors masked as legitimate users.
➢Some examples of vulnerabilities include not setting validity periods for
session IDs, permitting weak passwords that are easy to guess, and not rate
limiting login attempts against automated attacks.
➢The solutions include implementing multi-factor authentication in apps and
communicating the importance of complying with recommended password
length, complexity, and rotation policies to developers.
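The three failures named on the slide (no validity period on session IDs, weak passwords, no rate limiting of login attempts) together with their fixes, as an added example that is not from the slides: a small authentication service with a minimum password length, salted PBKDF2 password hashing, a lockout after repeated failures, and sessions that expire. The thresholds, the clock injection and the user data are constructed for the example.

```python
"""Authentication with lockout, password policy and expiring sessions (added example)."""
import hashlib
import hmac
import os
import secrets
import time

MAX_ATTEMPTS = 5            # failed logins tolerated per window (constructed)
WINDOW_SECONDS = 300        # window over which failures are counted
SESSION_TTL_SECONDS = 900   # validity period of a session ID
MIN_PASSWORD_LENGTH = 12    # constructed policy value


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class AuthService:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so tests can advance time
        self.users = {}         # username -> (salt, digest)
        self.failures = {}      # username -> timestamps of recent failures
        self.sessions = {}      # session id -> (username, expiry time)

    def register(self, username, password):
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short")
        self.users[username] = hash_password(password)

    def _recent_failures(self, username):
        now = self.clock()
        recent = [t for t in self.failures.get(username, [])
                  if now - t < WINDOW_SECONDS]
        self.failures[username] = recent
        return len(recent)

    def login(self, username, password):
        """Return a session ID on success, None on failure or lockout."""
        if self._recent_failures(username) >= MAX_ATTEMPTS:
            return None  # locked out, even if the password is now correct
        stored = self.users.get(username)
        ok = False
        if stored is not None:
            salt, digest = stored
            ok = hmac.compare_digest(hash_password(password, salt)[1], digest)
        if not ok:
            self.failures.setdefault(username, []).append(self.clock())
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, self.clock() + SESSION_TTL_SECONDS)
        return sid

    def user_for_session(self, sid):
        """Resolve a session ID; expired sessions are removed and yield None."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, expiry = entry
        if self.clock() >= expiry:
            del self.sessions[sid]
            return None
        return username


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    sid = svc.login("alice", "correct horse battery staple")
    print(svc.user_for_session(sid))  # alice, until SESSION_TTL_SECONDS elapse
```

Note that the lockout check runs before the password is verified, so an attacker who guesses the password on the sixth try still gets nothing until the window has passed; the unknown-user path also records a failure so that lockout behaviour does not reveal which usernames exist.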
OWASP
➢8. Software and Data Integrity Failures:
➢This is another new risk category in the OWASP Top Ten, and it’s all about
making faulty default assumptions within development pipelines about the
integrity of software or data.
➢Since web apps regularly rely on plugins and libraries from external sources, a
lack of verification of the integrity of these sources introduces the risk of
malicious code, unauthorized access, and compromise.
➢The main mitigation strategy is ensuring external code or data hasn’t been
tampered with by requiring digital signatures.
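An added example serving both the component-inventory slide (risk 6) and the integrity slide (risk 8); it is not from the slides or from OWASP. It keeps an inventory of components with versions and the SHA-256 recorded when each was vetted, reports components older than the fix version in an advisory feed, and refuses an artifact whose hash does not match. A pinned checksum is used as the stdlib stand-in for the digital signature the slide mentions; with a signature the check is the same, only the verification primitive changes. Component names, versions, advisory IDs and file contents are all constructed placeholders.

```python
"""Component inventory, advisory matching and artifact integrity (added example)."""
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed "vetted" component bytes. In practice the hash is recorded when
# the component is reviewed, and the bytes later come from the package source.
VETTED = {
    "libfoo": b"libfoo 1.3.0 vetted contents",
    "libbar": b"libbar 2.0.1 vetted contents",
}

# The inventory: name, version in use, and the hash recorded at vetting time.
INVENTORY = [
    {"name": "libfoo", "version": "1.3.0", "sha256": sha256_hex(VETTED["libfoo"])},
    {"name": "libbar", "version": "2.0.1", "sha256": sha256_hex(VETTED["libbar"])},
    {"name": "libbaz", "version": "0.9.0", "sha256": None},  # never vetted
]

# Constructed advisory feed: component -> [(placeholder advisory id, fixed-in version)].
ADVISORIES = {
    "libfoo": [("PLACEHOLDER-ADV-1", "1.4.2")],
    "libbar": [("PLACEHOLDER-ADV-2", "2.0.1")],
}


def parse_version(v):
    """Dotted numeric versions only; enough for the constructed data."""
    return tuple(int(part) for part in v.split("."))


def outdated_components(inventory, advisories):
    """Return (name, version, advisory id, fixed-in) for every affected component."""
    findings = []
    for comp in inventory:
        for adv_id, fixed_in in advisories.get(comp["name"], []):
            if parse_version(comp["version"]) < parse_version(fixed_in):
                findings.append((comp["name"], comp["version"], adv_id, fixed_in))
    return findings


def verify_artifact(component, artifact_bytes):
    """True only if the artifact matches the hash recorded in the inventory.
    A component with no recorded hash fails: integrity cannot be established."""
    expected = component.get("sha256")
    if not expected:
        return False
    return hmac.compare_digest(sha256_hex(artifact_bytes), expected)


if __name__ == "__main__":
    print(outdated_components(INVENTORY, ADVISORIES))
    print(verify_artifact(INVENTORY[0], VETTED["libfoo"]))             # True
    print(verify_artifact(INVENTORY[0], VETTED["libfoo"] + b"x"))      # False
```

Both checks depend on the inventory being complete, which is why the slide on risk 6 puts the inventory first: a component that is not listed is neither matched against advisories nor integrity-checked.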
OWASP
➢9. Security Logging and Monitoring Failures:
➢Logging and monitoring help to provide security accountability, visibility
into events, incident alerting, and forensics.
➢When there are failures in these capabilities, your company’s ability to detect
and respond to application breaches becomes severely compromised.
➢To mitigate, use open source or proprietary tools to correlate logs, implement
monitoring and alerting, and create an incident recovery and response
strategy using established guidelines, such as NIST 800-61r2.
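The log correlation the slide calls for, as an added example (not from the slides): a parser for a simple authentication log format and two detections over it, a sliding-window count of failed logins per source address and a check for a successful login that follows a run of failures from the same source. The log format, the sample lines (using documentation address ranges) and the thresholds are constructed for this example.

```python
"""Correlate authentication log lines into alerts (added example, constructed log)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: <ISO timestamp> <event> user=<name> src=<ip>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$")
THRESHOLD = 5                 # failures that trigger an alert (constructed)
WINDOW = timedelta(minutes=5)

# Constructed sample log: a burst of failures then a success from one source,
# two ordinary events from another, and one line that does not parse.
SAMPLE_LOG = """\
2024-03-01T10:00:00 login_failed user=alice src=203.0.113.5
2024-03-01T10:00:20 login_failed user=alice src=203.0.113.5
2024-03-01T10:00:45 login_failed user=alice src=203.0.113.5
2024-03-01T10:01:10 login_failed user=alice src=203.0.113.5
2024-03-01T10:01:40 login_failed user=alice src=203.0.113.5
2024-03-01T10:02:30 login_failed user=alice src=203.0.113.5
2024-03-01T10:02:55 login_ok user=alice src=203.0.113.5
2024-03-01T10:03:00 login_failed user=bob src=198.51.100.7
2024-03-01T10:04:00 login_ok user=bob src=198.51.100.7
this line is not in the expected format
"""


def parse(lines):
    """Parse matching lines into dicts; unparseable lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "event": m["event"], "user": m["user"], "src": m["src"]})
    events.sort(key=lambda e: e["ts"])
    return events


def brute_force_sources(events):
    """Map src -> peak number of failures seen within any WINDOW, if >= THRESHOLD."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_src[e["src"]].append(e["ts"])
    alerts = {}
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            count = end - start + 1
            if count >= THRESHOLD:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def successes_after_failures(events):
    """(src, user) pairs where a login_ok follows >= THRESHOLD failures from that src."""
    streak = defaultdict(int)
    hits = []
    for e in events:
        if e["event"] == "login_failed":
            streak[e["src"]] += 1
        elif e["event"] == "login_ok":
            if streak[e["src"]] >= THRESHOLD:
                hits.append((e["src"], e["user"]))
            streak[e["src"]] = 0
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG.splitlines())
    print(brute_force_sources(evts))        # {'203.0.113.5': 6}
    print(successes_after_failures(evts))   # [('203.0.113.5', 'alice')]
```

The second detection is the one that matters for response: a burst of failures is noise until it ends in a success, at which point the session that was opened is what the responder needs to find.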
OWASP
➢10. Server-Side Request Forgery (SSRF):
➢SSRF is one of the two OWASP Top Ten risks added based on the community
survey rather than data from web apps. Most web apps today require
external resources for their functionality, which are usually accessed at URLs.
➢SSRF occurs when attackers can make the server issue requests to destinations they control.
➢The typical vulnerability is that the web application doesn’t validate the user-
supplied URL, potentially allowing access to internal services or resources by
bypassing access controls.
OWASP
➢The strategic concept of defense in depth is important here; multiple controls
at the application and network layers can help to prevent SSRF.
➢Client-supplied input data should be validated and sanitized, while network
segmentation can also help.
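The URL validation the two SSRF slides describe, as an added example that is not from the slides: the application-layer control checks the scheme, rejects embedded credentials, optionally enforces a host allowlist, and resolves the host to make sure it does not point at a loopback, private or otherwise non-global address. The resolver is injectable so the example runs offline; the allowlist and the fake DNS table are constructed.

```python
"""Validate a user-supplied URL before the server fetches it (added example)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of external hosts this service legitimately talks to.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def is_global_address(addr):
    """True only for globally routable addresses (no loopback, RFC 1918, link-local...)."""
    return ipaddress.ip_address(addr).is_global


def resolve(host):
    """Default resolver: every address the name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_outbound_url(url, resolver=resolve, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). allowed_hosts=None skips the allowlist but keeps the
    address check, for services that must accept arbitrary public hosts."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host} not in allowlist"
    try:
        ipaddress.ip_address(host)       # IP literal: nothing to resolve
        addrs = {host}
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, "name resolution failed"
    for addr in addrs:
        if not is_global_address(addr):
            return False, f"{host} resolves to non-global address {addr}"
    return True, "ok"


if __name__ == "__main__":
    print(validate_outbound_url("http://10.0.0.5/admin", allowed_hosts=None))
    print(validate_outbound_url("file:///etc/hosts"))
```

Two caveats a practitioner would add: the check is only meaningful if the request is then made to the address that was validated (otherwise a name that changes between check and connect bypasses it), and following redirects re-opens the question, so each redirect target needs the same validation. Network segmentation, as the slide says, is the second layer for when the first one is wrong.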
Application Inspection Tools
➢Zed Attack Proxy:
➢It is open-source security software written in the Java programming language
and released in 2010.
➢It is used to scan web applications and find vulnerabilities in them. It was
started as a small project by the Open Web Application Security Project (OWASP)
and is now the most active project, maintained by thousands of individuals
around the globe.
➢It is available for Linux, Windows, and macOS in 29 languages. It can also be
used as a proxy server, like Burp Suite, to inspect and manipulate requests,
including HTTPS requests.
Application Inspection Tools-Zed Attack Proxy
➢Features:
• Passive Scanner
• Automated Scanner
• Proxy Server
• Port Identification
• Directory Searching
• Brute Force Attack
Application Inspection Tools-Zed Attack Proxy
➢Why do we use Zed Attack Proxy?
➢Zed Attack Proxy is used to detect vulnerabilities present in a web application
so that they can be fixed. Some of the major vulnerabilities it can find are:
➢SQL injection
➢Broken access control
➢Security misconfiguration
➢Broken authentication
➢Using components with known vulnerabilities.
Application Inspection Tools-Zed Attack Proxy
SQL Map
➢sqlmap is a SQL injection tool used to perform automated injection against a
database and try to fetch its tables.
➢sqlmap is used by both white-hat and black-hat hackers. Black-hats try to
exploit random or targeted sites with this tool, as a challenge or to harm sites.
➢White-hat hackers (security researchers), on the other hand, use the tool to
scan their clients’ websites for injectable queries; if they find any, they
report them to the administrator and earn a bug bounty or reward for it.
➢sqlmap is an open source penetration testing tool that automates the process
of detecting and exploiting SQL injection flaws and taking over database
servers.
SQL Map
➢It comes with a powerful detection engine, many features for the ultimate
penetration tester, and a broad range of switches ranging from database
fingerprinting, over data fetching from the database, to accessing the
underlying file system and executing commands on the operating system via
out-of-band connections.
SQL Map
DVWA
➢It is known as Damn Vulnerable Web Application.
➢Damn Vulnerable Web Application, DVWA for short, is a PHP/MySQL web
application that is damn vulnerable.
➢The main goal of this pentesting playground is to help penetration testers and
security professionals test their skills and tools.
DVWA
➢DVWA is a damn vulnerable web application coded in PHP that uses a MySQL
database.
➢With this pen testing web app you can practice some of the most common web
vulnerabilities (at different levels of difficulty) using its very simple
GUI.
➢You can play around and try to discover as many issues as possible in order to
deepen your knowledge/skill set.
DVWA Attacks:
➢Brute-force
➢Command Injection
➢File Inclusion
➢File Upload
➢Insecure CAPTCHA
➢SQL Injection / SQL Injection(Blind)
➢Weak Session IDs
DVWA Attacks:
➢Requirements:
➢web server (XAMPP as an alternative)
➢PHP
➢MySQL
➢Other possible dependencies (depending on the OS)
DVWA Attacks:
➢Windows:
➢If you don’t have a web server ready, the easiest steps are the following:
➢Download DVWA
➢Install XAMPP
➢Unzip [Link] and place the files into the public HTML folder
➢Browse to [Link]