The Essentials of Offensive Security in Web Applications
Comprehensive overview of key aspects of offensive security in web applications including testing areas, OWASP guidelines, top 10 vulnerabilities, essential tools, web scoping, handling dangerous portions, understanding request types, and following a specialized methodology for exploitation. The content emphasizes the importance of securing web applications amidst increasing complexity and risks.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Web Offensive Security
Web Overview Web called out specifically Because web is different than just testing services More services are moving to the web, often more exposed As web apps have become more important, they have also become more complex Offensive Security 2
OWASP Open Web Application Security Project Offensive Security 3 https://www.owasp.org/index.php/Main_Page
OWASP Testing Areas Information Gathering Configuration and Deploy Management Testing Identity Management Testing Authentication Testing Authorization Testing Session Management Testing Data Validation Testing Error Handling Offensive Security Cryptography Business Logic Testing Client Side Testing 4 https://www.owasp.org/index.php/Testing_Checklist
OWASP Top 10 1. Injection 7. Cross Site Script (XSS) 2. Broken Authentication 8. Insecure Deserialization 3. Sensitive Data Exposure 9. Using Components with Know Vulnerabilities 4. XML External Entities (XXE) 10. Insufficient Logging & Monitoring 5. Broken Access Control 6. Security Misconfiguration Offensive Security 5
Tools Burp Zap Dirbuster/Gobuster Nikto Sslscan Nmap scripts Offensive Security Google dorks/wayback machine 6
Web Scoping What does the application do? Identify functionality and important functionality Offensive Security 7
Dangerous Portions of Web Apps Automated crawlers click links Think about delete portions of websites Update pages What if your crawlers gets into the site as admin? With delete and update functionality Offensive Security 8
Request Types Offensive Security 9
Web Methodology Big surface area, requires its own methodology Recon Mapping Recon Discovery Exploitation Offensive Security Exploitation Mapping Just like our regular methodology Discovery 10
Enumeration Manually browse every Spidering with Burp/Zap Offensive Security 11
Nikto Offensive Security 12
Resources https://www.redsiege.com/wp- content/uploads/2018/10/WA101-LayoftheLand.pdf https://www.owasp.org/images/1/19/OTGv4.pdf https://github.com/qazbnm456/awesome-web-security Offensive Security 13