Sep 2013
[Diagram: attacker goals against a website: gain access, sabotage, steal information]
Security Impacts
Technical Impact: Data Corruption, Loss of Credentials, Malfunction, Information Leaking
Business Impact: Company Image, Legal Issues
OWASP Top 10 (2013)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
A1 Injection
A1 Injection Prevention
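The A1 slides themselves carry no code in this text, so here is an added example (not from the deck) showing the bug and its fix side by side. The deck's application is PHP, but the demonstration is in Python with sqlite3 so it runs stand-alone; the table, users and passwords are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory demo database; users and passwords are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(30, "peter", "s3cret"), (50, "jennette", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = (
        "SELECT id, name FROM users WHERE name = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Hardened: a parameterised query. The statement text is fixed and the
    values travel separately, so input can never change the query structure."""
    sql = "SELECT id, name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Return how many rows each version gives back for the classic payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    # The vulnerable query becomes:
    #   ... WHERE name = 'anything' AND password = '' OR '1'='1'
    # AND binds tighter than OR, so OR '1'='1' matches every row: login bypassed.
    bypass = login_vulnerable(conn, "anything", payload)
    # The safe query compares the literal string "' OR '1'='1" to the password
    # column, which matches nothing.
    blocked = login_safe(conn, "anything", payload)
    return len(bypass), len(blocked)


if __name__ == "__main__":
    print(demo())
```

The same rule applies to every interpreter the application talks to (LDAP, OS shell, XPath, NoSQL): keep the command fixed and pass data through the API's binding mechanism rather than building strings.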
A2 Broken Authentication and Session Management - Prevention
No cookie-less sessions (never carry the session id in the URL, where it leaks through Referer headers, logs and shared links)
Timeout mechanism (idle and absolute session expiry, plus server-side invalidation on logout)
Password protection: salted, slow password hash, not reversible encryption (see A6)
SCAN!!
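An added example (not part of the deck) of the two session controls listed above: a server-side session store keyed by a random cookie value, with idle and absolute timeouts. The timeout values and the cookie name SESSIONID are assumptions; the clock is injectable so the expiry logic can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies (assumed policy)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on a session's lifetime (assumed policy)


class SessionStore:
    """Server-side session table keyed by a random cookie value.

    `now` is injectable so the expiry logic can be tested without sleeping.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}

    def create(self, user_id):
        # 32 random bytes -> 43-char token. It is never derived from user data and
        # is sent only as a cookie, never in a URL ("no cookie-less session").
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = {"user": user_id, "created": t, "last_seen": t}
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None (and drop it) once expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s["last_seen"] > IDLE_TIMEOUT or t - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = t          # activity extends the idle window only
        return s["user"]

    def destroy(self, sid):
        """Logout: invalidate server-side, not just by clearing the cookie."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie line for the session id: HttpOnly keeps script away from it,
    Secure keeps it off plain HTTP, SameSite limits cross-site sending."""
    return "Set-Cookie: SESSIONID=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % sid


def demo():
    clock = [1_000_000.0]                      # fake clock, seconds
    store = SessionStore(now=lambda: clock[0])
    sid = store.create("jennette")
    first = store.lookup(sid)                  # "jennette"
    clock[0] += 10 * 60                        # 10 min later: inside the idle window
    second = store.lookup(sid)                 # "jennette", idle timer reset
    clock[0] += 16 * 60                        # 16 min of silence: past IDLE_TIMEOUT
    third = store.lookup(sid)                  # None, session destroyed
    sid2 = store.create("peter")
    store.destroy(sid2)                        # explicit logout
    fourth = store.lookup(sid2)                # None
    return first, second, third, fourth


if __name__ == "__main__":
    print(demo())
```

Because the session table is server-side, "logout" and "timeout" actually terminate the session; a client that keeps replaying an old cookie gets nothing.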
A4 Insecure Direct Object References
www.abcfinance.com/viewprofile.php?id=50 → Welcome back Jennette Tan
www.abcfinance.com/viewprofile.php?id=30 → Welcome back Peter Lim
(Changing the id in the URL is enough to reach another member's profile: the server uses the reference as given and never checks that it belongs to the logged-in user.)
If directory listing is not turned off, files under userfiles that are supposed to be accessed only by their owners may be exposed to everyone. Likewise, application source such as Httpdocs/lib/MyBizClass.class.php should not be reachable by a direct request.
A4 Insecure Direct Object References - Prevention
Scanners do NOT find this class of bug (a scanner cannot know which objects a given user is allowed to see): PLAN, PLAN, PLAN
Be careful of AJAX endpoints (they take object ids too and are easy to forget)
Block direct access: check ownership / authorization on every object reference, on every request
Control your file types
Be careful of log files / backup files
A5 Security Misconfiguration
Default DB password
Direct DB access (database port reachable from outside)
Directory listing
Exposed stack trace
A5 Security Misconfiguration - Prevention
Work closely with hosting
SCAN!!
A6 Sensitive Data Exposure
Sensitive data stored in clear text
Missing SSL while transmitting sensitive data
Unsalted hash / hash without key
A6 Sensitive Data Exposure - Prevention
NEVER keep sensitive files under the public web root
ENCRYPT, ENCRYPT, ENCRYPT (data at rest; passwords get a salted, slow hash rather than encryption)
SSL for anything sensitive in transit
Disable form autocomplete on sensitive fields
SCAN!!
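An added example (not from the deck) for the "unsalted hash" item above and the A2 password point: the weak scheme beside a salted, iterated one with constant-time verification. Python's standard library is used so it runs anywhere; the iteration count and the storage format are assumptions.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed; raise as hardware allows)


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def unsalted_sha256(password):
    """The weak scheme from the slide: the same password gives the same hash for
    every user, so one cracked hash (or a precomputed table) opens every account
    that shares the password, and it is fast enough to brute-force offline."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=ITERATIONS):
    """Salted, slow hash. The output is self-describing so parameters can be
    raised later without invalidating existing records."""
    salt = os.urandom(16)                       # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, _b64(salt), _b64(dk))


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(dk, expected)


def demo():
    """Two users pick the same password; compare what each scheme reveals."""
    a = hash_password("hunter2")
    b = hash_password("hunter2")
    return {
        "unsalted_identical": unsalted_sha256("hunter2") == unsalted_sha256("hunter2"),
        "salted_identical": a == b,             # False: salts differ
        "verify_correct": verify_password("hunter2", a),
        "verify_wrong": verify_password("hunter3", a),
        "verify_garbage": verify_password("hunter2", "not-a-hash"),
    }
```

A dedicated password hash (bcrypt, scrypt, Argon2) is the usual production choice; PBKDF2 is shown because it ships with the standard library and illustrates the same two properties, a per-user salt and a tunable cost.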
A7 Missing Function Level Access Control
www.abcfinance.com/member_listing.php → Welcome back Jennette Tan (an ordinary member)
www.abcfinance.com/user_management.php → the same session opens the user-management function directly: the application only hides the link from non-admins instead of checking the role on every request.
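One added example (not from the deck) serving both the A4 and A7 slides: an object-level ownership check for viewprofile-style requests, a function-level role check for user_management-style functions, and the indirect-reference alternative for A4. The users, roles and profile texts are constructed; the names follow the slides.

```python
import secrets
from functools import wraps


class Forbidden(Exception):
    """Raised when a request fails an authorization check (maps to HTTP 403)."""


# Constructed demo data; names follow the slides, ids and roles are made up.
USERS = {
    30: {"name": "Peter Lim", "role": "member"},
    50: {"name": "Jennette Tan", "role": "member"},
    1: {"name": "Site Admin", "role": "admin"},
}
PROFILES = {30: "profile of Peter Lim", 50: "profile of Jennette Tan"}


def require_role(*roles):
    """A7 fix: function-level check on every call, not just hiding the menu link."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session_user_id, *args, **kwargs):
            if USERS[session_user_id]["role"] not in roles:
                raise Forbidden("insufficient role for %s" % fn.__name__)
            return fn(session_user_id, *args, **kwargs)
        return wrapper
    return decorator


def view_profile(session_user_id, requested_id):
    """A4 fix: the id from the URL is honoured only if the logged-in user owns it
    (admins may view any). Without this check ?id=30 shows Peter's profile to anyone."""
    if requested_id != session_user_id and USERS[session_user_id]["role"] != "admin":
        raise Forbidden("profile %d does not belong to user %d" % (requested_id, session_user_id))
    return PROFILES[requested_id]


@require_role("admin")
def user_management(session_user_id):
    """Admin-only function (the slide's user_management.php)."""
    return sorted(USERS)


def indirect_references(object_ids):
    """Alternative A4 defence: per-session random tokens instead of raw ids, so the
    URL carries nothing an attacker can simply increment. Returns {token: real_id}."""
    return {secrets.token_urlsafe(8): oid for oid in object_ids}


def resolve_reference(ref_map, token):
    """Map a token back to the real id; unknown tokens are a 403, not a lookup."""
    if token not in ref_map:
        raise Forbidden("unknown object reference")
    return ref_map[token]


def handle(fn, *args):
    """Tiny dispatcher: turn Forbidden into the 403 the user would see."""
    try:
        return fn(*args)
    except Forbidden as exc:
        return "403 Forbidden: %s" % exc
```

The two checks are deliberately separate: the role decorator answers "may this user call this function at all?", the ownership check answers "may this user touch this particular object?". Hiding links and relying on the id being hard to guess answers neither.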
A8 Cross-Site Request Forgery (CSRF)
Hacker website: "Click to Win $10000"
<input type=hidden name=target_uid value=109>
<input type=hidden name=amount value=9999>
The hidden form is submitted to Process_payment.php; the victim's browser attaches her valid session cookie, so the site processes a payment of 9999 to uid 109 as if she had requested it.
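An added example (not from the deck) of the standard defence: a per-session anti-forgery token that the real form carries and an attacker's page cannot obtain. The session ids, secret key and form field names are constructed for the demo; a hardened stand-in for the slide's Process_payment.php checks the token before acting.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = secrets.token_bytes(32)   # server-side key (assumed; lives in config, not code)


def issue_csrf_token(session_id):
    """Token tied to this session: nonce.HMAC(key, session_id || nonce).
    It is embedded in the genuine form as a hidden field; a page on another
    origin cannot read it, so it cannot reproduce it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, (session_id + nonce).encode(), hashlib.sha256).hexdigest()
    return nonce + "." + mac


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SECRET_KEY, (session_id + nonce).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def process_payment(session_id, form):
    """Hardened handler: the cookie alone (session_id) no longer authorises the
    action; the POST body must carry a token bound to that same session."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 CSRF token missing or invalid"
    return "paid %s to uid %s" % (form["amount"], form["target_uid"])


def demo():
    victim = "sess-jennette"            # session id from the victim's cookie
    # Legitimate POST from the bank's own form.
    legit = {"target_uid": "42", "amount": "10", "csrf_token": issue_csrf_token(victim)}
    # The attacker's hidden form from the slide: the browser attaches the
    # victim's cookie, but the page has no token for the victim's session.
    forged = {"target_uid": "109", "amount": "9999"}
    # The attacker logs in to their own account and reuses their own token.
    replayed = dict(forged, csrf_token=issue_csrf_token("sess-attacker"))
    return (
        process_payment(victim, legit),
        process_payment(victim, forged),
        process_payment(victim, replayed),
    )
```

Binding the token to the session (rather than issuing one global token) is what defeats the third case; a SameSite cookie attribute on the session cookie adds a second, browser-enforced layer.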
A9 Using Components with Known Vulnerabilities
Detectable by vulnerability scanner
Hosting engineer needs to apply security patches regularly
A10 Unvalidated Redirects and Forwards
Phishing mail: "Dear customer, we are running a campaign to update your bank credit card information. Participants will win a chance in a lucky draw of $10000."
www.citibank.com/redirect.php?url=hackersite.com/creditcard-form.php
(The link really starts with the bank's domain, so it passes a glance; the unvalidated redirect then hands the victim to the attacker's card form.)
A10 Unvalidated Redirects and Forwards - Prevention
Validate the host of the redirect URL against an allowlist
Use numbers / codes that map to URLs server-side instead of a raw URL
SCAN!!
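An added example (not from the deck) implementing both prevention items: host validation that also handles the usual bypass shapes (scheme-relative `//host`, lookalike and userinfo hosts, backslashes, `javascript:`), and the code-to-URL table. The allowed host follows the slide; the code table and fallback path are assumptions. It goes slightly beyond the slide by covering those bypass forms.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.citibank.com"}       # the slide's host; a real list comes from config

# "Use numbers / codes instead of URL": the parameter names a row here, never a URL.
REDIRECT_CODES = {
    "1": "/accounts",
    "2": "/cards/overview",
    "3": "https://www.citibank.com/help",
}


def safe_redirect_target(url, fallback="/"):
    """Return `url` only if it is an absolute local path or stays on an allowed
    host; anything else collapses to `fallback`."""
    if not url:
        return fallback
    candidate = url.replace("\\", "/")             # browsers treat \ as /
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback                             # javascript:, data:, ...
    if parts.netloc == "":
        # No host given: accept only "/path". A bare "hackersite.com/..." is
        # relative and ambiguous, so it is rejected too.
        return candidate if candidate.startswith("/") else fallback
    # A host is present (including "//host", which urlsplit puts in netloc with
    # an empty scheme). `hostname` strips userinfo and port and lowercases, so
    # "www.citibank.com@hackersite.com" resolves to hackersite.com here.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return candidate
    return fallback


def redirect_for_code(code, fallback="/"):
    """Indirect redirect: look the code up and still validate the result, so a
    bad table entry cannot turn into an open redirect either."""
    return safe_redirect_target(REDIRECT_CODES.get(code), fallback)


def demo():
    cases = [
        "hackersite.com/creditcard-form.php",        # the slide's payload
        "//hackersite.com/creditcard-form.php",      # scheme-relative
        "https://www.citibank.com.hackersite.com/",  # lookalike suffix
        "https://www.citibank.com@hackersite.com/",  # userinfo trick
        "javascript:alert(1)",
        "/accounts?tab=cards",                       # local path: allowed
        "https://www.citibank.com/help",             # allowed host
    ]
    return {c: safe_redirect_target(c) for c in cases}


if __name__ == "__main__":
    for url, target in demo().items():
        print("%-45s -> %s" % (url, target))
```

The lookup table is the stronger of the two: the URL parameter never contains an address at all, so there is nothing for a phisher to point elsewhere.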