Application security

What is application security and why is it important?

Most common application vulnerabilities (OWASP TOP 10)

A1:2017 - Injection

A2:2017 - Broken Authentication

A3:2017 - Sensitive Data Exposure

A4:2017 - XML External Entities (XXE)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE foo [ 
    <!ENTITY xxe SYSTEM "file:///etc/passwd"> 
]>
<foo>&xxe;</foo>

<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>


A5:2017 - Broken Access Control

https://www.website.com/userpage.aspx?id=12

A6:2017 - Security Misconfiguration

A7:2017 - Cross-Site Scripting (XSS)

A8:2017 - Insecure Deserialization

{
    "id":123,
    "name":"john",
    "role":"user"
}

{
    "id":1,
    "name":"admin",
    "role":"admin"
}

A9:2017 - Using Components with Known Vulnerabilities

A10:2017 - Insufficient Logging & Monitoring

Buffer overflow

BONUS

Thank you for your attention.