Application Security Risks 2017

UHAMK @2018

https://dyangalih.com

Who Am I?

A Simple Person Who Love Code, Share Knowledge and Always Learning about Java, PHP, Linux DevOps, Android, Javascript.

 

IT Enthusiast, Web And Mobile Security Enthusiast, Public speaker

 

Community:

YAC - Yogyakarta Android Club
NgeSec - Ngelab Security

Php Indonesia

GDG Jogja

@DyanGalih

Hacker?

Nothing Is Save

Average financial Losses

Application Security Approach

OWASP

The Open Web Application Security Project (OWASP), an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security

Injection

Almost any source of data can be an injection vector, environment variables, parameters, external and internal web services, and all types of users. Injection flaws occur when an attacker can send hostile data to an interpreter.

 

https://www.owasp.org/index.php/Top_10-2017_A1-Injection

Broken Authentication

Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens.

 

https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication

Sensitive Data Exposure

Rather than directly attacking crypto, attackers steal keys, execute man-in-the-middle attacks, or steal clear text data off the server, while in transit, or from the user’s client, e.g. browser. A manual attack is generally required. Previously retrieved password databases could be brute forced by Graphics Processing Units (GPUs).

 

https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure

XML External Entities (XXE)

Attackers can exploit vulnerable XML processors if they can upload XML or include hostile content in an XML document, exploiting vulnerable code, dependencies or integrations.

 

https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)

Broken Access Control

Exploitation of access control is a core skill of attackers. SAST and DAST tools can detect the absence of access control but cannot verify if it is functional when it is present. Access control is detectable using manual means, or possibly through automation for the absence of access controls in certain frameworks.

 

https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control

Security Misconfiguration

Attackers will often attempt to exploit unpatched flaws or access default accounts, unused pages, unprotected files and directories, etc to gain unauthorized access or knowledge of the system.

 

https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration

Insecure Deserialization

Exploitation of deserialization is somewhat difficult, as off the shelf exploits rarely work without changes or tweaks to the underlying exploit code.

 

https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization

Using Components with Known Vulnerabilities

While it is easy to find already-written exploits for many known vulnerabilities, other vulnerabilities require concentrated effort to develop a custom exploit.

 

https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities

Using Components with Known Vulnerabilities

While it is easy to find already-written exploits for many known vulnerabilities, other vulnerabilities require concentrated effort to develop a custom exploit.

 

https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities

Insufficient Logging&Monitoring

Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident.
Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected.

 

https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring

Thank You

Made with Slides.com