
OWASP Top Ten

OWASP Top Ten: the ten most critical web application security flaws. The top two are:
• XSS (Cross Site Scripting): unvalidated data sent to a browser
• Injection Flaws: user-supplied, unvalidated data sent to SQL
This is the consensus of security experts globally.


Presentation Transcript


1. OWASP Top Ten
• Ten most critical WebApp security flaws. The top 2 are:
  • XSS – Cross Site Scripting: unvalidated data sent to a browser
  • Injection Flaws: user-supplied (unvalidated) data sent to SQL
• This is the consensus of security experts globally
• Some of the best are right here in Central Texas!
• http://www.youtube.com/watch?v=GsRbpshqqII
Application Security

2. SQL Basic Terminology
• SQL is a Relational Database Management System (RDBMS)
• Table: rows that have the same attributes
• Row: a collection of related information
• Column: attributes of an object, e.g., an Employee
• Primary Key: unique for each row
(Employee Table diagram)

3. SQL Basic Query Format
• Select – From – Where
• SELECT * FROM employee WHERE (emp# = 102)
  (employee is the tablename; (emp# = 102) is the condition)
• This will return the matching row, which can be used or printed.
• SELECT * FROM employee WHERE (TRUE) will return all rows.

4. Other SQL Syntax
• -- is the comment sequence used for documenting code. It causes the SQL interpreter to ignore everything that follows it.
• ; ends one SQL statement and starts another.
• ' in matched sets is used to enclose a character string.
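Slides 3 and 4 together explain why these three pieces of syntax matter: if user text is pasted into the query string, a parenthesis, a comment sequence or a quote supplied by the user changes the statement itself. The following example is added here and is not part of the presentation; it uses a constructed in-memory SQLite stand-in for the Employee Table (the column is spelled emp_no because # is not a legal identifier character in SQLite) and contrasts a string-concatenated lookup with one that validates the input and binds it as a parameter.

```python
import sqlite3


def make_employee_db():
    """Constructed in-memory stand-in for the slides' Employee Table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE employee (emp_no INTEGER PRIMARY KEY, name TEXT, dept TEXT)"
    )
    con.executemany(
        "INSERT INTO employee VALUES (?, ?, ?)",
        [(101, "Ada", "engineering"), (102, "Bob", "operations"), (103, "Cy", "engineering")],
    )
    return con


def lookup_concat(con, emp_no_text):
    """Vulnerable: the user-supplied text is spliced straight into the statement,
    so quotes, ';' and '--' inside it become part of the SQL the interpreter runs."""
    sql = "SELECT * FROM employee WHERE (emp_no = " + emp_no_text + ")"
    return con.execute(sql).fetchall()


def lookup_param(con, emp_no_text):
    """Safe: validate the type first, then bind the value with a placeholder so the
    driver treats it as data, never as SQL text."""
    emp_no = int(emp_no_text)  # ValueError for anything that is not a whole number
    return con.execute(
        "SELECT * FROM employee WHERE (emp_no = ?)", (emp_no,)
    ).fetchall()


def demo():
    con = make_employee_db()
    normal = "102"
    # Constructed hostile value assembled only from what the slides describe: a closing
    # parenthesis, the always-true condition from slide 3, and '--' to discard the rest.
    hostile = "102) OR (TRUE) --"
    results = {
        "concat_normal": lookup_concat(con, normal),    # one row
        "concat_hostile": lookup_concat(con, hostile),  # every row comes back
        "param_normal": lookup_param(con, normal),      # one row
    }
    try:
        lookup_param(con, hostile)
        results["param_hostile"] = "accepted"
    except ValueError:
        results["param_hostile"] = "rejected"           # validation stops it before the DB
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The concatenated statement becomes SELECT * FROM employee WHERE (emp_no = 102) OR (TRUE) --), and the trailing parenthesis is commented out, so the condition is always true. The parameterized version never reaches the database with that input; even without the int() check, a bound placeholder would compare the whole string as a value rather than interpret it.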

5. SQL Injection Tutorial (YouTube)
• www.youtube.com/watch?v=z7eXjBvB2B4&feature=channel_page
• Note: there are plenty of automated SQL Injection tools available, and of course, some are better than others.

6. Simple XSS Tutorial (YouTube)
• Stored and Reflected XSS
• Similar, but reflected doesn’t require login credentials!
• Failure on both is due to no input or output sanitization.
• Stored: www.youtube.com/watch?v=7M-R6U2i5iI&feature=related
• Reflected: www.youtube.com/watch?v=V79Dp7i4LRM&feature=channel
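The slide's two points, that stored and reflected XSS differ only in where the untrusted text comes from, and that both fail for lack of sanitization, can be shown side by side. The example below is added here and is not from the presentation; it is a constructed mock of two page handlers (a comments page that requires login and stores text, and a search page that simply echoes a request parameter) with Python's standard html.escape as the output-encoding fix. The handler names and the in-memory comment list are assumptions for the demonstration.

```python
import html

# Constructed in-memory stand-in for the comments table a stored-XSS page reads from.
STORED_COMMENTS = []

# Constructed test string: markup that must never reach the browser unencoded.
PAYLOAD = "<script>alert('x')</script>"


def post_comment(text, logged_in):
    """Stored path: posting needs a login, but the text is kept verbatim."""
    if not logged_in:
        raise PermissionError("login required to post")
    STORED_COMMENTS.append(text)


def comment_page(sanitize):
    """Renders every stored comment. With sanitize=False the stored markup is
    emitted as-is, so every visitor's browser executes it (stored XSS)."""
    items = [html.escape(c, quote=True) if sanitize else c for c in STORED_COMMENTS]
    return "<ul>" + "".join(f"<li>{c}</li>" for c in items) + "</ul>"


def search_page(query, sanitize):
    """Reflected path: echoes a request parameter back to whoever sent it.
    No login is involved, which is the slide's point about reflected XSS."""
    shown = html.escape(query, quote=True) if sanitize else query
    return f"<p>Results for: {shown}</p>"


def demo():
    STORED_COMMENTS.clear()
    try:
        post_comment(PAYLOAD, logged_in=False)
        anonymous = "accepted"
    except PermissionError:
        anonymous = "rejected"  # stored XSS needs an account; reflected does not
    post_comment(PAYLOAD, logged_in=True)
    return {
        "anonymous_post": anonymous,
        "stored_unsafe": comment_page(sanitize=False),
        "stored_safe": comment_page(sanitize=True),
        "reflected_unsafe": search_page(PAYLOAD, sanitize=False),
        "reflected_safe": search_page(PAYLOAD, sanitize=True),
    }


if __name__ == "__main__":
    for name, rendered in demo().items():
        print(name, rendered)
```

With output encoding, the stored and reflected pages both render the text as &lt;script&gt;…, which the browser displays literally. Encoding at the point of output is the fix that covers both variants regardless of where the text was first accepted.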

7. Final Thoughts…
• Why consider Application Security?
• It’s the most current category of vulnerabilities and attacks, it is widespread, and it is devastating.
• Barriers to entry (coding skills) are high but coming down, e.g., more tools like Metasploit
• On the Whitehat side: more teaching of secure coding practices, groups like OWASP
• More tools like Metasploit, WebGoat
• Significant local expertise!
• Rsnake, Matt Tesauro, The Denim Group, others in OWASP