
Content

Title ..... Page

I. Introduction ..... 01
II. What is OWASP? ..... 01
III. What is OWASP Top 10? ..... 01
IV. Understanding the OWASP Top 10 ..... 01

1. Injection ..... 03
1.1. Introduction to Injection Attacks ..... 04
1.2. What is Injection? ..... 05
1.3. What Are the Injection Attack Types? ..... 06
1.4. What Is OGNL Injection? ..... 06
1.5. What is Command Injection? ..... 07
1.6. Types of Command Injection ..... 07
1.7. What is Expression Language Injection? ..... 08
1.8. What is SQL Injection? ..... 09
1.9. Meaning and Examples of SQL Injection ..... 09
1.10. Solution and Introduction to Application Security Testing ..... 10
1.10.1. DAST (Dynamic Application Security Testing) ..... 10
1.10.2. IAST (Interactive Application Security Testing) ..... 11
1.10.3. SAST (Static Application Security Testing) ..... 11

2. Broken Authentication ..... 12
2.1. Introduction to A2: Broken Authentication ..... 13
2.2. What is Authentication and Session Management? ..... 14
2.3. Introduction to Authentication Techniques ..... 14
2.4. What is Broken Authentication? ..... 15
2.5. Attack Scenarios for Broken Authentication ..... 16
2.6. How to Prevent Man-in-the-Middle Attacks ..... 17
2.7. Credential Stuffing / Brute Force ..... 17
2.8. How to Prevent Credential Stuffing / Brute Force ..... 19
2.9. No Session Timeouts ..... 19
2.10. How to Prevent Broken Authentication ..... 20

3. Sensitive Data Exposure ..... 22
3.1. Introduction to Sensitive Data Exposure ..... 23
3.2. What is Sensitive Data Exposure? ..... 23
3.3. Types of Sensitive Data Exposure ..... 24
3.4. Difference between Data Exposure and Data Breach ..... 24
3.5. Ways in Which Sensitive Data Can Be Exposed ..... 25
3.6. Attacks That Expose Sensitive Data ..... 25
3.7. The Security Pitfalls That Lead to Sensitive Data Exposure ..... 26
3.8. How to Test for Information Disclosure / Sensitive Data Exposure ..... 27
3.9. Example: Sensitive Data Exposure by Phishing Attack ..... 27
3.10. How to Prevent Sensitive Data Exposure ..... 28
3.10.1. Recommended Application Security Platform: AppTrana ..... 29
3.10.2. Recommended Application Security Platform: Indusface WAS ..... 29
3.10.3. Application Security Platform Indusface WAS ..... 30

4. XML External Entities (XXE) ..... 31
4.1. Introduction to A4: XML External Entities (XXE) ..... 32
4.2. What are XML External Entities (XXE)? ..... 32
4.3. What is XML External Entity Injection? ..... 33
4.4. The Impact of XXE Injection ..... 33
4.5. Classification of XXE Attacks ..... 33
4.6. The Billion Laughs Attack ..... 34
4.7. Out-of-Band (OOB) Data Retrieval ..... 34
4.8. Server-Side Request Forgery (SSRF) ..... 35
4.9. Internal Entity Injection ..... 35
4.10. Blind XXE ..... 35
4.10.1. How Do XXE Attacks Work? ..... 36
4.10.2. XXE Attack Examples ..... 36
4.10.3. How to Detect XXE Attacks ..... 37
4.10.4. How to Prevent XXE Attacks ..... 37
4.10.5. Recommended Application Testing ..... 37
4.10.6. DAST (Dynamic Application Security Testing) ..... 38
4.10.7. DAST (Dynamic Application Security Testing) ..... 38
4.10.8. IAST (Interactive Application Security Testing) ..... 39
4.10.9. SAST (Static Application Security Testing) ..... 39

5. Broken Access Controls ..... 40
5.1. What is Access Control? ..... 41
5.2. The 3 Main Types of Access Control ..... 41
5.3. What is Broken Access Control? ..... 42
5.4. Types of Access Control Lists ..... 43
5.5. How is Access Control Carried Out? ..... 43
5.6. When Does Access Control Become Vulnerable? ..... 44
5.7. Examples of Broken Access Control ..... 44
5.8. How to Detect Broken Access Control ..... 45
5.9. How to Prevent Broken Access Control ..... 45

6. Security Misconfiguration ..... 46
6.1. Introduction to Security Misconfiguration ..... 47
6.2. What is Security Misconfiguration? ..... 47
6.3. How to Identify Security Misconfiguration ..... 48
6.4. Nine Common Types of Security Misconfiguration ..... 49
6.5. How to Prevent Security Misconfiguration ..... 50
6.6. Test Network Infrastructure Configuration ..... 50
6.7. Test Alternative HTTP Methods ..... 51
6.8. Recommended Use on Web Browsers ..... 52
6.9. Test HTTP Strict Transport Security ..... 53
6.10. Cloud Storage Misconfiguration ..... 54
6.10.1. Test Application Platform Configuration ..... 55
6.10.2. How to Minimize Security Misconfiguration ..... 55
6.10.3. How to Fix Security Misconfiguration ..... 56
6.10.4. SaaS Security Posture Management (Teramind Software Monitoring) ..... 56

7. Cross-Site Scripting ..... 59
7.1. Introduction to Cross-Site Scripting ..... 60
7.2. What is Cross-Site Scripting (XSS)? ..... 60
7.3. The Goals of Exploiting an XSS Vulnerability ..... 61
7.4. Cross-Site Scripting (XSS) Attack Flow ..... 61
7.5. Types of Cross-Site Scripting (XSS) ..... 61
7.6. Reflected Cross-Site Scripting (XSS) ..... 62
7.7. Stored (or Persistent) Cross-Site Scripting (XSS) ..... 62
7.8. DOM-Based Cross-Site Scripting (XSS) ..... 63
7.9. Example of Cross-Site Scripting (XSS) ..... 63
7.10. Countermeasures for Cross-Site Scripting (XSS) ..... 64
7.10.1. How to Prevent Cross-Site Scripting (XSS) ..... 64
7.10.2. Recommendation: Using Cloudflare to Prevent XSS ..... 65
7.10.3. Cloudflare Processing Flow ..... 65

8. Insecure Deserialization ..... 66
8.1. Introduction to Insecure Deserialization ..... 67
8.2. What is Insecure Deserialization? ..... 67
8.3. The Basics of Serialization and Deserialization ..... 67
8.4. How Insecure Deserialization Attacks Work ..... 68
8.5. What is Denial of Service (DoS)? ..... 68
8.6. Denial of Service (DoS) Attack Examples ..... 69
8.7. How to Prevent a Denial-of-Service Attack ..... 70
8.8. What is Remote Code Execution? ..... 70
8.9. Impact of an RCE Attack ..... 71
8.10. Remote Code Execution Attack Types ..... 71
8.10.1. Picture: RCE Attack Example ..... 72
8.10.2. How to Detect and Prevent Remote Code Execution ..... 72
8.10.3. What Is SQL Injection? ..... 73
8.10.4. Types of SQL Injection Attacks ..... 73
8.10.5. How to Prevent SQL Injection Attacks ..... 74
8.10.6. What is Directory Traversal in Cyber Security? ..... 75
8.10.7. Approaches to Prevent Directory Traversal Attacks ..... 75
8.10.8. How to Test for Insecure Deserialization ..... 75
8.10.9. How to Prevent Insecure Deserialization ..... 76

9. Using Components with Known Vulnerabilities ..... 77
9.1. Introduction to Using Components with Known Vulnerabilities ..... 78
9.2. What is Using Components with Known Vulnerabilities? ..... 78
9.3. How to Find a Vulnerability in a Website ..... 78
9.4. The 4 Dangers of Using Components with Known Vulnerabilities ..... 80
9.5. How to Avoid the Use of Components with Known Vulnerabilities ..... 81
9.6. Preventing Attacks on Components with Known Vulnerabilities ..... 82
9.7. Popular Tools to Prevent Known Vulnerabilities ..... 83

10. Insufficient Logging and Monitoring ..... 84
10.1. Introduction to Insufficient Logging and Monitoring ..... 85
10.2. Threats Associated with Insufficient Logging & Monitoring: Botnet Attacks ..... 85
10.3. DNS Attacks ..... 85
10.4. Insider Threats ..... 86
10.5. How Attackers Leverage Insufficient Logging and Monitoring ..... 86
10.6. Examples of Insufficient Logging and Monitoring Attacks ..... 87
10.7. Preventing Insufficient Logging and Monitoring Attacks ..... 87
10.8. Security Logging and Monitoring Best Practices ..... 88
10.9. Popular Logging and Monitoring Solutions ..... 88

11. References ..... 89