Browsed by
Category: OWASP

OWASP Mobile Top 10 Part 1: Improper Platform Usage

OWASP Mobile Top 10 Part 1: Improper Platform Usage

The improper platform usage vulnerability is the first vulnerability in the OWASP Mobile Top 10. This blog will provide some insight into what it is and how it’s actually exploited in the wild while also telling you how to protect your own mobile applications. What is Improper Platform Usage? The improper platform usage vulnerability refers to a vulnerability that is derived from the improper usage of platforms in use by an application. In other words, this category covers the misuse…

Read More Read More

What is the OWASP Mobile Top 10?

What is the OWASP Mobile Top 10?

If you ever heard of web application security, you probably heard of OWASP. And if you heard of OWASP, you probably heard about the OWASP Top 10. The Open Web Application Security Project, or OWASP for short, is an international non-profit organization dedicated to web-application security. OWASP is widely known for publishing materials covering their projects – one of their projects is OWASP Top 10 which is a regularly-updated report outlining security concerns for web application security. The OWASP Top…

Read More Read More

CSRF Tokens? What Tokens?

CSRF Tokens? What Tokens?

In a previous blog post where I covered Cross-Site Request Forgery and what potential impacts and consequences such an attack may have, I wrote that a popular way to prevent such an attack from unfolding is to generate tokens. In that blog post, I noted that when a website generates tokens, a CSRF attack might be stopped. One thing I did not cover though is that whether the attack will be stopped or not depends on how the tokens are implemented. Confused?…

Read More Read More

2017 OWASP Top 10 for PHP Developers Part 10: Insufficient Logging & Monitoring

2017 OWASP Top 10 for PHP Developers Part 10: Insufficient Logging & Monitoring

Another day, another web application gets hacked. Most of the time web application hacks fly under the radar and are discovered years after the data breach occurred, but every so often, after learning what had happened, website administrators hire computer forensic experts in order to help reconstruct and solve high-tech (computer-related) crimes. Every computer forensic expert (or a team of computer forensic experts) has different methods of approaching and solving the problem – but in many cases, the very first thing computer…

Read More Read More

2017 OWASP Top 10 for PHP Developers Part 9: Using Components with Known Vulnerabilities

2017 OWASP Top 10 for PHP Developers Part 9: Using Components with Known Vulnerabilities

Attacks on today’s web are an unsurprising reality – websites are hacked daily, data is being stolen and leaked left, right and centre. In many (though not all) cases, attacks on web applications are successful because a targeted web application is susceptible to security vulnerabilities – vulnerabilities which derive from its components. In the penultimate segment of the 2017 OWASP Top 10 series, I will cover how using components with known vulnerabilities can affect your web application, tell how such risks are…

Read More Read More

2017 OWASP Top 10 for PHP Developers Part 8: Insecure Deserialization

2017 OWASP Top 10 for PHP Developers Part 8: Insecure Deserialization

When developing a web application, web developers sometimes need to first turn data into a proper format so that it can be processed. Occasionally, converting data into a proper format is a requirement in order for it to be stored in a file, database or simply to boost effectiveness. Here’s where serialization comes in – serialization in web applications covers turning data into a stream of bytes so that it can be, for example, stored in a database or in a…

Read More Read More

2017 OWASP Top 10 for PHP Developers Part 7: Cross-Site Scripting (XSS)

2017 OWASP Top 10 for PHP Developers Part 7: Cross-Site Scripting (XSS)

We have all seen search forms, haven’t we? Take a look at mine: The above search form is pretty basic – when a search query is provided, the page will respond with “You’ve searched for …” and display the results. This search form does not have anything unusual compared to the other search forms out there – except that it does not sanitize the input.. What happened here is we have entered a different search term. Here’s what was provided: <script>alert(“2017…

Read More Read More

2017 OWASP Top 10 for PHP Developers Part 6: Security Misconfiguration

2017 OWASP Top 10 for PHP Developers Part 6: Security Misconfiguration

Web applications can be susceptible to all sorts of vulnerabilities: a web application can be vulnerable to at least one of the 2017 OWASP Top 10 vulnerabilities, it can have remote or local file inclusion flaws or be vulnerable to other types of weaknesses. A web application can even be compromised by utilizing social engineering – there are all sorts of ways. With that being said, web applications can also be configured in ways that make them vulnerable. Such a vulnerability is…

Read More Read More

2017 OWASP Top 10 for PHP Developers Part 5: Broken Access Control

2017 OWASP Top 10 for PHP Developers Part 5: Broken Access Control

Let’s take a scenario like so: I have a web application that allows people to buy software I created – after a person has bought the software, an account must be made. After the individual creates an account, the software can be downloaded. After the purchase, the customer is also granted access to some resources available exclusively to customers. Should any issues arise, support tickets can be lodged. Now imagine you’re an attacker who wants to gain access to the resources available…

Read More Read More

2017 OWASP Top 10 for PHP Developers Part 4: XML External Entities (XXE)

2017 OWASP Top 10 for PHP Developers Part 4: XML External Entities (XXE)

Ever processed XML files in your web application? If you did, you probably parsed their contents. And if you parsed their contents, your web application might have been vulnerable to an attack known as XML External Entities (XXE). What is XXE? An XXE attack is a security vulnerability often found in XML parsers. An XML External Entities attack often exploits the XML parsing functionality in a web application making it parse data of interest to an attacker. How does it…

Read More Read More