OWASP

OWASP – Open Web Application Security Project

-- It is an international non-profit organization
-- It provides guidance on how to develop, purchase and maintain trustworthy and secure software applications

Main Goal:
-- The main goal of OWASP is to educate and raise awareness about web application security (improving the security of software applications, i.e. making them secure from hackers)

Core Principles:
-- All of their materials are freely available and easily accessible on their website (this includes documentation, tools, videos and methodologies for pentesting)
-- This makes it possible for anyone to improve their own web application security

OWASP Chapters:
-- Chapters in every country conduct meetings at least once a month, worldwide
-- India: Hyderabad, Chennai, Mumbai, Pune & Bengaluru (the most famous)

How to Test:
Testing web application security is crucial to identify and mitigate potential vulnerabilities and protect against potential threats.
There are various tools available that can assist in testing web application security. Some tools are OWASP ZAP, Burp Suite, Nessus, Acunetix etc.
Here, I'm using the Burp Suite tool for testing web application security.

Why we choose the Burp Suite tool only:
It depends on various factors including the requirements of the testing, the expertise of the tester, the specific features needed, and personal preferences. Here are some reasons why Burp Suite is commonly used for web application security testing.

Burp Suite:
Burp Suite is a widely used cyber security testing tool for web application security purposes. It includes features like scanning, crawling and advanced testing methods to identify security vulnerabilities.
It is widely used by security professionals, ethical hackers and developers to identify, analyze and exploit security vulnerabilities in web applications.
The tool is divided into various modules and features, each serving a specific purpose in the web application security assessment process. Here are some key components and features of Burp Suite.
1)Proxy: It allows users to intercept and inspect HTTP/S requests and responses between the client and the web application. It's crucial for understanding how the application functions and identifying potential vulnerabilities.
2)Intercept: As the user interacts with the web application, the requests and responses are intercepted by the proxy. The proxy captures these interactions before they reach the target web server and after the server responds.
3)HTTP History: A record or log of the HTTP requests and responses that have been intercepted and captured during a testing or browsing session.
4)Intruder: A module within Burp Suite that is used to automate and customize attacks against a web application (automating and customizing attacks on application inputs).
Example:

1)Install the Burp Suite tool using:
https://linux.how2shout.com/how-to-install-burp-suite-on-ubuntu-20-04-22-04-lts/
2)After installing, open the Burp Suite tool to create or open a testing project.
3)Here we didn't make any changes; directly click Next
4)and click Start Burp
5)We are now ready to use the features in Burp Suite for security testing and analysis
6)Now go to Proxy, click on Intercept and switch intercept on to allow the interception and analysis of HTTP requests and responses during testing
7)Now open the browser and enter the URL of the project you intend to test
8)Now go back to Burp Suite, click on HTTP History, review the logged HTTP requests and responses for the ongoing testing session and select the specific response that you intend to test and analyze in detail
9)Send this request to Intruder for further analysis and testing. Now open Intruder to proceed
10)Here we can see Positions, Payloads and some other options. By default it opens on Positions. You have to select which type of attack you want to perform, choose it and provide the payload accordingly.
11)Now uncheck the "URL-encode these characters" checkbox to ensure safe transmission within HTTP requests
12)Then click Start attack and click OK; now we get some results

OWASP Top 10:

-- It is incorporated by organizations all over the world as a standard during the security assessment of their applications
-- The report is put together by a team of security experts from all over the world
-- It gets updated every 3-4 years
-- The first version of the OWASP Top 10 list was published in 2003. Updates followed in 2004, 2007, 2010, 2013, 2017 & 2021
-- The most recent release of the OWASP Top 10 is 2017, and the 2021 draft release is out
-- The OWASP Top 10 is the list of the 10 most common application vulnerabilities
-- It shows their risks, impacts and countermeasures
-- These are assigned the identifiers A01:2021 – A10:2021. Here "A" – AppSec, "01" – its rank in the list, and the year
List of 2017 & 2021 OWASP Top 10:

1)Broken Access Control:

Broken Access Control refers to a security vulnerability in a web application or system where users can gain unauthorized access to certain resources, perform actions or assume roles that they should not have, due to inadequate or improperly implemented access restrictions.

Example: Suppose we have a web application for an online marketplace with different user roles: Admin, Seller, Buyer
Scenarios:

1)Admin Panel Oversight: The admin panel, intended only for administrators to manage the website, is accessible to regular buyers without proper controls. (A regular buyer, by manipulating the URL or using a browser extension, discovers they can access the admin panel and modify product listings or user accounts.)

2)Unauthorized Data Access: The system does not check user roles when accessing sensitive data, leading to unauthorized access. (A seller, without the proper authorization checks, can view or modify other sellers' product listings or gain access to buyers' information.)

3)Inadequate Session Management: Session tokens are not securely managed, allowing an attacker to hijack another user's session. (An attacker intercepts a session token or discovers a predictable session ID, gaining unauthorized access to a legitimate user's account.)

In these examples, broken access control allows users to perform actions or access data that should be restricted based on their assigned roles. Implementing proper access controls would mitigate these vulnerabilities, ensuring that users only have access to resources and actions appropriate for their roles.

Differences between Authorization & Authentication:

What It Is
  Authentication: The process of verifying the identity of a user, system or entity.
  Authorization: The process of granting or denying access rights and permissions to authenticated users.
Goal
  Authentication: To ensure that the person or system trying to access something is who they claim to be.
  Authorization: To determine what actions or resources a user, system or entity is allowed to access or perform.
Example
  Authentication: Logging into an email account by entering a username and password.
  Authorization: After logging into an email account (authentication), authorization determines whether the user can read, send or delete emails.

In summary, authentication is about verifying identity, while authorization is about granting or denying access based on that verified identity. Authentication is like proving who you are, and authorization is deciding what you're allowed to do once your identity is confirmed.

Categories: There are 2 categories:

1)Privilege Escalation
2)Insecure Direct Object Reference

Privilege Escalation:

Imagine we have a certain level of access or permissions within a system or application, like a regular user account. Privilege escalation occurs when you somehow gain higher level access or permissions that you weren't originally supposed to have.

Types of privilege escalation:

1)Horizontal Privilege Escalation
2)Vertical Privilege Escalation

1)Horizontal Privilege Escalation: In this case, the goal is to acquire the same level of access but for a different user account. For example, switching from one regular user account to another without going up the hierarchy. (normal user - normal user)

2)Vertical Privilege Escalation: This typically happens by gaining higher access levels, such as moving from a regular user to an administrator or from a standard employee to a manager. (normal user - admin)

2)Insecure Direct Object Reference: In a system there are various objects (like files, database records or user profiles) and each object has a reference or identifier. Insecure Direct Object Reference occurs when there's a flaw in the system that allows a user to access or manipulate objects they're not supposed to by directly referring to them.

In simpler terms, privilege escalation is like finding a way to get more power or access than you should have, and insecure direct object reference is about exploiting flaws to access or manipulate things you are not supposed to within a system.

How to Attack:

When attackers manipulate inputs, such as modifying a URL or changing parameters, they may access resources or functionalities directly without appropriate authorization. This manipulation can lead to unauthorized access to sensitive data or functionalities meant for other users, posing a significant security risk.

Example (Burp Intruder screenshots): Set Position, Provide Payload, Results

Prevention Techniques:

1)Implement proper access controls:
a)Role based access control: Assign specific roles to users and grant access based on those roles.
b)Attribute based access control: Use attributes and policies to determine access.
c)Ensure the principle of least privilege: Grant the least amount of privilege necessary for a user to perform their job functions.

2)Enforce access controls server side: Validate access permissions on the server side to prevent bypassing of client-side controls.

3)Use strong session management: Ensure sessions are securely managed and access rights are appropriately checked at each request; implement proper logout mechanisms to invalidate sessions.

4)Implement access control checks at the object level: Use server side checks to validate whether a user has permission to access or modify specific objects or data.

5)Apply indirect object reference prevention measures: Use unique and hard to guess identifiers rather than exposing direct references to objects (ids) in URLs & parameters.

6)Regular security testing and code reviews: Conduct regular security assessments, penetration testing and code reviews to identify and fix potential access control vulnerabilities.

7)Education & Training: Train developers and other relevant staff about secure coding practices, including proper implementation of access controls.

8)Use access control lists: Implement access control lists to define permissions and access rules for different users or user groups.
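Prevention techniques 1, 2 and 4 above (role based control, server-side enforcement, object-level checks) applied to the marketplace scenario, as an added example that is not part of the original notes. The User/Listing model, the handler names and the sample listings are constructed for this illustration; the vulnerable handler is the "Unauthorized Data Access" scenario, the hardened one rejects both the horizontal (seller to seller) and the vertical (buyer to admin panel) escalation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "admin", "seller" or "buyer"

@dataclass
class Listing:
    listing_id: int
    owner_id: int  # the seller who owns this listing
    title: str

# Constructed sample data for the example: two sellers, one listing each.
LISTINGS = {
    101: Listing(101, owner_id=1, title="Used laptop"),
    102: Listing(102, owner_id=2, title="Office chair"),
}

class Forbidden(Exception):
    """Raised when the caller lacks permission for the requested action."""

def update_listing_vulnerable(current_user, listing_id, new_title):
    """Insecure direct object reference: the id from the request is used as-is
    and current_user is never consulted, so any logged-in user can edit any
    listing (the 'Unauthorized Data Access' scenario above)."""
    listing = LISTINGS[listing_id]
    listing.title = new_title
    return listing

# Server-side, role based rule: which roles may perform which action at all.
ROLE_PERMISSIONS = {
    "admin": {"view_listing", "edit_listing", "manage_users"},
    "seller": {"view_listing", "edit_listing"},
    "buyer": {"view_listing"},
}

def authorize(current_user, action, obj=None):
    """Two checks on every request. (1) Role based: is the action allowed for
    this role at all? This stops vertical escalation (buyer -> admin panel).
    (2) Object level: unless the caller is an admin, they must own the object.
    This stops horizontal escalation (seller -> another seller's listing)."""
    if action not in ROLE_PERMISSIONS.get(current_user.role, set()):
        raise Forbidden(f"role {current_user.role!r} may not {action}")
    if obj is not None and action != "view_listing":
        if current_user.role != "admin" and obj.owner_id != current_user.user_id:
            raise Forbidden("caller does not own this object")

def update_listing_hardened(current_user, listing_id, new_title):
    """Same operation with authorization enforced on the server, per request;
    the listing id taken from the URL is never trusted on its own."""
    listing = LISTINGS.get(listing_id)
    if listing is None:
        raise Forbidden("no such object")  # same answer as denied: no enumeration
    authorize(current_user, "edit_listing", listing)
    listing.title = new_title
    return listing

def open_admin_panel(current_user):
    """Admin panel action: only the admin role passes the role check."""
    authorize(current_user, "manage_users")
    return "admin panel"

def _attempt(func, *args):
    """Run a handler and report 'allowed' or 'denied'."""
    try:
        func(*args)
        return "allowed"
    except Forbidden:
        return "denied"

def demo():
    """Exercise both handlers; returns the outcomes so they can be asserted."""
    seller1, seller2 = User(1, "seller"), User(2, "seller")
    buyer, admin = User(3, "buyer"), User(4, "admin")
    return {
        # horizontal escalation attempt: seller 2 edits seller 1's listing
        "vuln_cross_seller": _attempt(update_listing_vulnerable, seller2, 101, "x"),
        "hard_cross_seller": _attempt(update_listing_hardened, seller2, 101, "y"),
        # vertical escalation attempt: a buyer opens the admin panel
        "buyer_admin_panel": _attempt(open_admin_panel, buyer),
        # legitimate requests still succeed
        "owner_edit": _attempt(update_listing_hardened, seller1, 101, "Laptop"),
        "admin_edit": _attempt(update_listing_hardened, admin, 102, "Chair"),
        "admin_panel": _attempt(open_admin_panel, admin),
        # a missing object gets the same response as a denied one
        "unknown_listing": _attempt(update_listing_hardened, seller1, 999, "z"),
    }
```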

2)Cryptographic Failures (2021-2) / Sensitive Data Exposure (2017-3):

Failure to properly protect sensitive data, such as passwords, credit card numbers or personal information, which could be exposed to unauthorized users.
It refers to instances where the cryptographic systems or algorithms in use fail to provide the intended security and protection against unauthorized access, data manipulation or other security breaches. These failures can occur for various reasons, including weaknesses in the cryptographic algorithms, poor implementation, key management issues or advances in cryptanalysis techniques.
Impacts:

1)Data Breaches: Encrypted data may be compromised, leading to unauthorized access and potential exposure of sensitive information.
2)Data Integrity Compromised: Tampering with encrypted data may go undetected, undermining the trust and reliability of the information.
3)Loss of Confidentiality: Sensitive data may become accessible to unauthorized parties, violating privacy and confidentiality.
4)Legal & Compliance Issues: Failure to maintain proper cryptographic security can lead to legal repercussions and non-compliance with regulatory standards.

Example (Burp Intruder screenshots): Set Position, Results

Protection:
1)Use Strong Algorithms: Employ well established, standardized and strong cryptographic algorithms that are resistant to known attacks.
2)Regular Updates & Patching: Stay updated with the latest security patches and updates for cryptographic libraries and tools to address any identified vulnerabilities.
3)Key Management Best Practices: Ensure secure key storage and distribution mechanisms. Rotate keys regularly to minimize exposure in case of a compromise. Use proper key lengths and randomness for generating keys.
4)Secure Implementation: Follow best practices and guidelines for implementing cryptographic algorithms to minimize vulnerabilities.
5)Security Audit & Testing: Conduct thorough security audits and testing, including penetration testing and code reviews, to identify vulnerabilities and weaknesses.
6)Monitoring & Intrusion Detection: Implement monitoring and intrusion detection systems to detect suspicious activities and potential attacks on cryptographic systems.
7)Education & Training: Train developers & staff involved in implementing and managing cryptographic systems about best practices, security protocols & protection risks.
8)Backup & Redundancy: Implement backup & redundancy mechanisms to ensure availability and integrity of cryptographic keys and data.
9)Incident Response Plan: Develop a robust incident response plan to efficiently and effectively respond to any cryptographic failures or security breaches.
10)Engage Experts & Consultants: Seek advice and assistance from experts in cryptography and security to ensure the soundness of our cryptographic implementations and systems.
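Protection points 1 and 3 (strong algorithm, proper key length and randomness, rotation) applied to the first sensitive data type named above, stored passwords. This is an added example, not code from the notes: the weak scheme is an unsalted fast hash, the hardened one is salted PBKDF2-HMAC-SHA256 with a constant-time comparison; the record format "pbkdf2_sha256$iterations$salt$hash" and the function names are constructed, and the 600,000 iteration count is the figure in the OWASP Password Storage Cheat Sheet.

```python
import base64
import hashlib
import hmac
import os

# OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000

def hash_password_weak(password):
    """Unsalted, fast hash: equal passwords give equal hashes (a leaked table
    is linkable and attackable with precomputed tables) and each guess costs
    one cheap hash. Shown only as the 'before'."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256. A fresh 16-byte salt from os.urandom per
    password means equal passwords produce different records; the iteration
    count is stored with the record so it can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )

def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so response timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored, minimum_iterations=ITERATIONS):
    """Key management hygiene: after a successful login, records made with a
    work factor below the current minimum are re-hashed with the new one."""
    _, iterations, _, _ = stored.split("$")
    return int(iterations) < minimum_iterations
```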

3)Injection (2017-1, 2021-3):
Attackers send malicious data as part of a command or query to manipulate the application and gain unauthorized access to the system's data or functions.
Injection flaws are a type of security flaw that allows attackers to manipulate an application's input to execute unintended commands or access unauthorized data. This typically occurs in web applications where user input is not properly validated or sanitized before being used in the application.

Types:

1)SQL Injection: Attackers inject malicious SQL code into an application's input fields, tricking the system into executing unintended SQL commands. This can lead to unauthorized access, data manipulation or even data deletion.

Example (Burp Intruder screenshots): Set Position, Provide Payload, Results

2)Cross Site Scripting: Attackers inject malicious scripts into web applications, which then get executed in the browsers of other users. This can lead to theft of users' data, session hijacking, or defacement of websites.
3)Command Injection: Attackers inject malicious commands into system commands or scripts executed by the application. This can lead to unauthorized access to the system, data leakage, or remote code execution.

Protection:
1)Input Validation & Sanitization: Validate & sanitize all user input to ensure it adheres to accepted formats and does not contain malicious code.
2)Use Parameterized Queries: Use parameterized queries or prepared statements in database interactions to prevent SQL injection attacks.
3)Avoid Dynamic SQL Queries: Avoid constructing SQL queries dynamically based on user input, as this can introduce vulnerabilities.
4)Least Privilege Principle: Limit the privileges and permissions of application components to the minimum necessary for their operation. This reduces the potential damage that an attacker can cause.
5)Escape Special Characters: Escape special characters in user input before using them in SQL queries or HTML to prevent injection attacks.
6)Content Security Policy: Implement CSP to mitigate the risk of cross site scripting attacks by specifying which sources of content are allowed to be executed in the application.
7)Regular Security Audits & Code Reviews: Conduct regular security audits and code reviews to identify and fix vulnerabilities, including injection issues.
8)Web Application Firewalls: Use these to filter and block malicious traffic, including attempts at injection attacks.
9)Education & Training: Train developers and users on secure coding practices, highlighting the importance of input validation and protection against injection attacks.
10)Security Headers: Implement security headers such as X-Content-Type-Options, X-Frame-Options and X-XSS-Protection to enhance the security of our web application.
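Protection points 1 to 3 (input validation, parameterized queries, no dynamic SQL) shown against the SQL injection type above, as an added example that is not from the notes. The in-memory SQLite database, its two users and the function names are constructed; the tautology input is the standard training-material case and is used only to show why the parameterized version is unaffected by it.

```python
import re
import sqlite3

def make_db():
    """Constructed sample database: two users (plain text only to keep the
    example short; real systems store password hashes, see the section above)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def find_user_vulnerable(conn, username, password):
    """Dynamic SQL: the input is spliced into the query text, so a value can
    change the structure of the WHERE clause instead of just its data."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]

def find_user_parameterized(conn, username, password):
    """Prepared statement: the query text is fixed and the driver hands the
    values over separately, so input is only ever compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]

# Allow-list validation (protection point 1): an account name is lower-case
# letters, digits or underscore, 1 to 32 characters. Anything else is rejected
# before it reaches the database at all. Pattern is constructed for the example.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def is_valid_username(username):
    return USERNAME_RE.match(username) is not None

def demo():
    """Run both lookups with a normal login and with the tautology input;
    returns the row lists so the difference can be asserted."""
    conn = make_db()
    normal = (find_user_vulnerable(conn, "alice", "s3cret"),
              find_user_parameterized(conn, "alice", "s3cret"))
    # In the concatenated query the clause becomes
    #   username = 'anyone' AND password = '' OR '1'='1'
    # which is true for every row; the parameterized query compares the
    # literal 11-character string and matches nothing.
    crafted = "' OR '1'='1"
    tampered = (find_user_vulnerable(conn, "anyone", crafted),
                find_user_parameterized(conn, "anyone", crafted))
    return {"normal": normal, "tampered": tampered,
            "crafted_passes_validation": is_valid_username(crafted)}
```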

A04-2021: Insecure Design:

Insecure design is a vulnerability that occurs when the overall plan or structure of a system or application has weaknesses or flaws that can be exploited by attackers. It's like having a building with a poorly thought-out floor plan or a weak foundation, making it easier for burglars to break in or for the building to collapse.

In the context of computer systems:

1)Flawed Architecture: Imagine a website without proper security checks, allowing anyone to access sensitive information without proper authorization. This is an example of insecure design where the architecture of the system doesn't adequately protect valuable data.

2)Weak Boundaries: Insecure design might involve poorly defined boundaries between different parts of a system. If these boundaries are unclear or easily bypassed, it becomes easier for attackers to manipulate or compromise the system.

3)Lack of Encryption: If a system doesn't use encryption to protect data during transmission, it's vulnerable to eavesdropping. It's like sending a postcard instead of a sealed letter - anyone who intercepts it can read the contents.

Addressing insecure design involves creating a robust and well-thought-out plan for how a system should function securely, considering aspects like user access, data protection, and communication security.

Attacks on insecure designs can take various forms:

1. **Injection Attacks:** Malicious code, such as SQL or JavaScript, is inserted into a system, giving the attacker control.

2. **Broken Authentication and Session Management:** Flaws allow attackers to steal or hijack session tokens for unauthorized access.

3. **Sensitive Data Exposure:** Vulnerabilities permit access to sensitive data like passwords or personal information.

4. **Insecure Direct Object References:** Attackers bypass proper channels to directly access objects, potentially leading to unauthorized actions or data access.

To prevent insecure designs:

1. **Security Threat Modeling:** Identify and assess potential security threats early in the design process to address flaws.

2. **Follow Secure Coding Practices:** Adhere to guidelines for writing secure code to prevent common design flaws.

3. **Comprehensive Testing:** Employ both manual and automated testing to thoroughly evaluate all aspects of a system.

4. **Vulnerability Management:** Continuously identify, assess, and fix vulnerabilities in a system.

Additionally, consider these practices:

- **Security by Default:** Enable all security features by default, requiring users to opt out if necessary.

- **Least Privilege:** Grant users only the permissions they need to perform their tasks.

- **Simplicity:** Avoid overly complex systems, as they can be harder to secure.

- **Use Established Patterns and Frameworks:** Trusted patterns and frameworks have been vetted by security experts.

- **Seek Expert Feedback:** Have security experts review designs before implementation.

By following these practices, you can prevent insecure designs and enhance the security of your systems.
Ex:

5)Security Misconfiguration (6-2017, 5-2021):

Security misconfiguration refers to the improper setup or configuration of a system, application, or network, which leaves it vulnerable to unauthorized access, data breaches, or other security risks. It occurs when security settings or protections are not properly implemented, or default configurations are not changed, exposing potential weaknesses.

**Examples of Security Misconfiguration:**

1. **Default Credentials:** Leaving default usernames and passwords unchanged for applications, databases, or network devices, making it easy for attackers to gain unauthorized access.

2. **Unnecessary Services:** Running unnecessary services or ports that are not required for the system's operation, providing additional attack vectors.

3. **Improper Access Controls:** Failing to set up proper access controls, allowing users or processes to have more privileges than necessary.

4. **Unrestricted Directory Listing:** Allowing directory listings on web servers, which can reveal sensitive information about the system's file structure.

5. **Excessive Information Disclosure:** Providing verbose error messages that reveal too much information about the system, which can be exploited by attackers.

6. **Lack of Encryption:** Not using encryption for sensitive data in transit or at rest, making it susceptible to interception or theft.

**How Attacks Exploit Security Misconfigurations:**

1. **Enumeration and Scanning:** Attackers can use tools to scan for open ports, services, and vulnerabilities in improperly configured systems.

2. **Brute Force Attacks:** Default credentials or weak passwords can be exploited through automated brute force attacks.

3. **Directory Traversal:** Improperly configured web servers can allow attackers to navigate to directories they shouldn't have access to.

4. **Information Leakage:** Overly verbose error messages can reveal information about the system's configuration, which attackers can use to their advantage.

**Preventing Security Misconfiguration:**

1. **Regular Audits and Assessments:** Conduct regular security audits and assessments to identify and rectify misconfigurations.

2. **Utilize Security Tools:** Employ automated scanning tools that can detect common misconfigurations.

3. **Follow Secure Configuration Guides:** Refer to security guidelines provided by the software or system vendors to ensure proper setup.

4. **Access Controls and Least Privilege:** Apply strong access controls and grant users the minimum level of privileges needed to perform their tasks.

5. **Patch and Update Systems:** Keep software, applications, and operating systems up-to-date to ensure they have the latest security patches.

6. **Disable Unnecessary Services:** Turn off or remove any services, ports, or functionalities that are not required for the system's operation.

7. **Use Strong Authentication:** Avoid default or weak credentials and implement multi-factor authentication where possible.

By addressing security misconfigurations, organizations can significantly reduce the risk of unauthorized access and data breaches, creating a more robust and secure environment.
6)Vulnerable & Outdated Components (6-2021) / Using Components with Known Vulnerabilities (9-2017):

1)Broken Access Control
2)Cryptographic Failures
3)Injection
4)Insecure Design
5)Security Misconfiguration
6)Vulnerable and Outdated Components
7)Identification and Authentication Failures
8)Security Logging and Monitoring Failures
9)Clickjacking
10)CSRF (Cross-Site Request Forgery)
11)SSRF (Server-Side Request Forgery)
12)CORS
13)DOM
14)HTTP Request Smuggling
15)Software & Data Integrity Failures
16)Cross-Site Scripting (XSS)
17)Insecure Deserialization
18)API Testing

Serialization, Deserialization
Hashkey
Ports
CORS
DOM
Encryption, Decryption
Git

1)store
2)

git clone
git branch
git checkout branchname
git status
git add .
git status
git commit -m ""
git branch
git pull origin branchname
git push origin branchname
git log
git merge

Git

-> storage purpose
-> version control
-> multiple members

git init
git status
U - untracked
A - added
M - modified

git add filename - single file
git add . / git add --all - multiple files

git clone url
Git

29 – OWASP introduction, OWASP Top 10 vulnerabilities, why choose Burp Suite & how to use it, Vulnerability Assessment & Penetration Testing (VAPT)
30 – holiday
1 – Broken Access Control, Cryptographic Failures, Security Misconfiguration
2 – Insecure Design, Vulnerable & Outdated Components
3 – Identification & Authentication Failures, Security Logging & Monitoring Failures, Clickjacking, Injection (Cross Site Scripting)
4 – Doubts explanation, audit report
5 – CSRF, SSRF
6, 7 – holidays
8 – Document review, modifications in document
9 – Doubts clarification, session
10 – Explain what is Cross Origin Resource Sharing (CORS)
11 – Practical testing on CORS using Burp Suite
12 – Discuss previous topics, Git
13 – Practice on OWASP and common vulnerabilities
14 – holiday
15 – Mobile Application Security Testing
16 – Postman installation
17 – Git, Postman API testing
18 – DOM based vulnerabilities, Insecure Deserialization, Software and Data Integrity Failures penetration testing, assign projects
19 – Audit report

A08-2021: Software and Data Integrity Failures:

Software Integrity Failures:

Description:

It happens when the software you use is tampered with or altered without permission. (Hackers add or modify parts of the software to make it do bad things.) This can happen through:

Compromised Updates: When updates to your software come from untrusted sources or are tampered with, they can introduce harmful changes.

Untrusted Third Party Components: Using software libraries or components from sources that may have been tampered with.

Example:
-> Imagine you are baking a cake and someone secretly adds a harmful ingredient to your recipe.
-> Downloading a game update - if the update is from a fake or compromised source, it might include a virus that harms your computer.

Data Integrity Failures:

Description:

It occurs when the information stored or transmitted is changed or tampered with. (Hackers alter or corrupt data to deceive or harm.)
Unprotected Data Transmission: If data is sent over the internet without proper authorization or security measures, it can be intercepted and changed.

Insecure Data Storage: If data is not stored securely, it can be accessed and altered by unauthorized people.

Example:
-> Imagine sending a letter to a friend but someone intercepts it, changes the content and then sends it on.
-> You send a message to your friend. If someone intercepts the message and changes it before it reaches your friend, that's a data integrity failure.

Preventions:

1)Verify Sources: Always download software and updates from trusted sources.
2)Use security measures: Encrypt data to protect it during transmission and use secure storage methods.
3)Regular Checks: Regularly check and verify that your software and data have not been altered.
Insecure Deserialization:

Serialization: The process of converting an object or data structure into a format that can be easily stored or transmitted.

Ex: packing a box - a toy has many parts - disassemble it - put all the parts in the box - write an instructions label on the box - send it

Deserialization: It converts the serialized format back into its original object or data structure.

Ex: unpacking the box - reassembling the toy

Insecure Deserialization:

It's a security issue that happens when an application takes serialized data from an untrusted source and converts it back into its original form without properly checking or validating the data. This can lead to serious problems if the data has been tampered with by attackers.

Example: Imagine you receive a package (serialized data) from a friend and you don't know what's inside. You just open it (deserialization) without checking if it's safe. If someone had secretly put a harmful device inside the package, it could cause problems when you open it. Similarly, with insecure deserialization, if an application blindly trusts and processes data from an untrusted source, attackers can exploit this to introduce malicious code or perform unauthorized actions.

Prevention: Use safer serialization formats (like JSON), validate and sanitize data, and handle errors properly to prevent security issues.
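The three prevention points just listed (safer format, validation, error handling) applied to an "order" record received from an untrusted client, as an added example that is not from the notes. The order fields, their limits, the size cap and the function names are constructed; the unsafe function is shown only as the contrast, with no crafted input.

```python
import json
import pickle

class InvalidOrder(ValueError):
    """Raised when untrusted data does not match the expected shape."""

def load_order_unsafe(blob):
    """Deserializing an untrusted pickle: the format itself can instantiate
    arbitrary classes and run their constructors while loading, so there is
    nothing left to 'validate' afterwards. Never use this on untrusted input."""
    return pickle.loads(blob)

# Allow-listed schema (constructed): field -> (required type, range check).
ORDER_SCHEMA = {
    "order_id": (int, lambda v: v > 0),
    "item":     (str, lambda v: 1 <= len(v) <= 64),
    "quantity": (int, lambda v: 1 <= v <= 100),
}
MAX_BLOB_BYTES = 4096  # refuse oversized payloads before parsing them

def load_order_safe(blob):
    """JSON can only yield dicts, lists, strings, numbers, booleans and null,
    so parsing it cannot execute code. The result is then checked field by
    field against the allow list; anything extra, missing, mistyped or out
    of range is rejected with one exception type the caller can handle."""
    if len(blob) > MAX_BLOB_BYTES:
        raise InvalidOrder("payload too large")
    try:
        data = json.loads(blob.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        # handle the error, but do not echo the parser's message to the client
        raise InvalidOrder("not valid JSON") from None
    if not isinstance(data, dict):
        raise InvalidOrder("order must be a JSON object")
    unexpected = set(data) - set(ORDER_SCHEMA)
    if unexpected:
        raise InvalidOrder(f"unexpected fields: {sorted(unexpected)}")
    order = {}
    for field, (ftype, in_range) in ORDER_SCHEMA.items():
        if field not in data:
            raise InvalidOrder(f"missing field: {field}")
        value = data[field]
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(value, ftype) or isinstance(value, bool):
            raise InvalidOrder(f"wrong type for {field}")
        if not in_range(value):
            raise InvalidOrder(f"out of range: {field}")
        order[field] = value
    return order

def is_valid_order(blob):
    """Convenience wrapper: True if the blob passes all checks."""
    try:
        load_order_safe(blob)
        return True
    except InvalidOrder:
        return False
```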

DOM based vulnerabilities:

These are security issues that occur due to insecure processing or manipulation of data within the Document Object Model (DOM) on the client side (in the browser). They typically result from inadequate validation or sanitization of user input before it's used or displayed on a web page.
Examples:

Cross-Site Scripting (XSS): Attackers inject malicious scripts into web pages that execute in other users' browsers, potentially stealing data or performing unwanted actions.

URL Manipulation: Attackers modify URL parameters to inject malicious content into the page or trigger unintended behavior.
