Messages
Proposals
Get Urgent Writing Help In Your Essays, Assignments, Homeworks, Dissertation, Thesis Or Coursework & Achieve A+ Grades.
Privacy Guaranteed - 100% Plagiarism Free Writing - Free Turnitin Report - Professional And Experienced Writers - 24/7 Online Support
OWASP Top 10 Pt. 2
By Li-Wey Lu
Agenda
Homework
Quiz
OWASP Top 10
Next Week
Homework
Homework – Due Next Week
Find three vulnerabilities in CandyPal (http://10.15.1.10:9090)
Vulnerabilities must fall under the risks discussed during lecture
Provide the following per vulnerability:
Name
Image
Description
Quiz
Quiz – Answers
Q1. What does OWASP stand for?
A1. Open Web Application Security Project
Q2. Which of the OWASP Top 10 was removed from 2017’s list?
A2. Cross-Site Request Forgery
Q3. What is Session Fixation an example of?
A3. Broken Authentication
Q4. DTD stands for Document Type Description.
A4. False
Q5. There is more than one type of injection attack.
A5. True
OWASP Top 10
OWASP Top 10 – Risks
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities
Broken Access Control
Security Misconfiguration
Cross-Site Scripting
Cross-Site Request Forgery
Insecure Deserialization
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards
Insufficient Logging & Monitoring
OWASP Top 10 – Cross-Site Scripting (Overview)
When an attacker gets their JavaScript to execute on a victim’s browser
OWASP Top 10 – Cross-Site Scripting (Examples)
Reflected XSS – Payload in HTTP request comes back in HTTP response body
Stored XSS – Payload is stored in the application’s database and returned in an HTTP response body
DOM-Based XSS – Normal JavaScript comes from the HTTP response body and retrieves the payload from the URL to place on the page
OWASP Top 10 – Cross-Site Scripting (Labs)
URL: http://10.15.1.10:8081
Lab 1 – Reflected XSS
Lab 2 – Stored XSS
Lab 3 – DOM-Based XSS (Try Different Browsers)
Lab 4 – XSS in Tag Attributes
Lab 5 – POST XSS
Discussion – Remediation
OWASP Top 10 – Cross-Site Request Forgery (Overview)
When an attacker gets a victim’s browser to perform an action with their session
OWASP Top 10 – Cross-Site Request Forgery (Examples)
Victim is logged into an application
Attacker sends an email containing a link to victim
Link leads to the application’s logout endpoint
Victim clicks on the link and gets logged out
OWASP Top 10 – Cross-Site Request Forgery (Labs)
URL: http://10.15.1.10:8081
Lab 1 – CSRF to XSS Chained Attack
Discussion – Remediation
Discussion – SOP & CORS
Lab 2 – Steal Comments
OWASP Top 10 – Insecure Deserialization (Overview)
Serialization is the process of converting an object into a format that can be stored or transferred
Deserialization is the process of converting serialized data back into an object
Insecure Deserialization occurs when untrusted input gets deserialized
OWASP Top 10 – Insecure Deserialization (Examples)
Application A serializes objects and sends them to Application B
Application B does not authenticate Application A
An attacker makes direct requests to Application B with serialized data
Attacker’s serialized data gets deserialized and the object’s functions are executed
OWASP Top 10 – Insecure Deserialization (Labs)
URL: http://10.15.1.10:8081
Lab 1 – PHP Object Injection
Discussion – Remediation
OWASP Top 10 – Using Components with Known Vulnerabilities (Overview)
Self explanatory
| Writer | Writer Name | Amount | Client Comments & Rating |
|---|---|---|---|
ONLINE |
Instant Homework Helper |
$36 |
She helped me in last minute in a very reasonable price. She is a lifesaver, I got A+ grade in my homework, I will surely hire her again for my next assignments, Thumbs Up! |
Custom Original Solution And Get A+ Grades
Custom Original Solution And Get A+ Grades
Custom Original Solution And Get A+ Grades
| Writer | Writer Name | Offer | Chat |
|---|---|---|---|
ONLINE |
Professional AccountantYou can award me any time as I am ready to start your project curiously. Waiting for your positive response. Thank you! |
$18 | Chat With Writer |
ONLINE |
Top Writing GuruHello, I an ranked top 10 freelancers in academic and contents writing. I can write and updated your personal statement with great quality and free of plagiarism |
$65 | Chat With Writer |
ONLINE |
Quick Finance MasterHello, I an ranked top 10 freelancers in academic and contents writing. I can write and updated your personal statement with great quality and free of plagiarism |
$75 | Chat With Writer |
ONLINE |
Study MasterYou can award me any time as I am ready to start your project curiously. Waiting for your positive response. Thank you! |
$83 | Chat With Writer |
ONLINE |
Phd WriterI am known as Unrivaled Quality, Written to Standard, providing Plagiarism-free woork, and Always on Time |
$124 | Chat With Writer |
ONLINE |
Premium SolutionsI am known as Unrivaled Quality, Written to Standard, providing Plagiarism-free woork, and Always on Time |
$126 | Chat With Writer |
Let our expert academic writers to help you in achieving a+ grades in your homework, assignment, quiz or exam.