OWASP has categorized the top 10 vulnerabilities for web applications. Website hacking is very common nowadays, so security testing of a web application is very important, because it is very difficult to recover data after a hacking attack. The OWASP Top 10 is a standard for conducting a penetration test on a web server. We discussed the first part of this article before; this article covers the remaining part.
Broken Authentication and Session Management
Session management is the step that lets a web application recognize its visitor (user) after the authentication process; once authentication succeeds, a session is established. But what if an attacker steals or hijacks the session created by the authentication process? If a web application's authentication process is vulnerable, then an external attacker, or even a legitimate user, may try to steal the account information of other users. This attack may occur when the session ID is visible, or when end-to-end encryption (SSL) is not used or has been cracked. The flaw can also occur when a user forgets their password, changes their password, gets an account upgrade, or during other related procedures. The most common type of attack on authentication is a brute-force or dictionary attack on web forms using a tool like THC Hydra. So the point to discuss is creating strong passwords, because whether it is HTTP authentication or HTML (form) authentication, both can be cracked.
- Add N Edit Cookies (Firefox add-on, not available for the latest Firefox)
- HackBar (Firefox add-on)
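As an added example (not code from the original article), here is a small Python sketch of the session-handling controls the paragraph implies: session IDs drawn from the OS random source, a rotation step after login that invalidates any ID an attacker planted beforehand, cookie attributes that keep the ID off plain HTTP and out of script reach, and a failed-login throttle that blunts the Hydra-style brute forcing mentioned above. The `SessionStore` and `LoginThrottle` classes, the `login` glue function and the lockout numbers are assumptions made for illustration.

```python
import secrets
import time


class SessionStore:
    """In-memory session table (constructed for the example; a real application
    would keep this in a server-side store such as a database or cache)."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": str, "created": float}

    @staticmethod
    def new_id() -> str:
        # 32 bytes from the OS CSPRNG. Never derive IDs from time, IP address or
        # user name: a predictable ID is exactly what makes hijacking easy.
        return secrets.token_urlsafe(32)

    def create(self, user: str = "anonymous") -> str:
        sid = self.new_id()
        self.sessions[sid] = {"user": user, "created": time.time()}
        return sid

    def rotate(self, old_sid: str, user: str = None) -> str:
        """Issue a fresh ID after a successful login and drop the old one, so an ID
        an attacker handed to the victim before login (session fixation) is useless."""
        data = self.sessions.pop(old_sid)
        if user is not None:
            data["user"] = user
        sid = self.new_id()
        self.sessions[sid] = data
        return sid

    def user_for(self, sid: str):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


def session_cookie(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps script away from the ID, Secure keeps it off
    plain HTTP (the "SSL not used" case above), SameSite limits cross-site sending."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


class LoginThrottle:
    """Counts failed logins per account and locks the account for a cooldown, which
    turns a dictionary attack from thousands of guesses into a handful."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}  # user -> (count, time of first failure in the window)

    def allowed(self, user: str, now: float) -> bool:
        count, first = self.failures.get(user, (0, now))
        if now - first > self.lockout_seconds:
            self.failures.pop(user, None)  # window expired, start counting again
            return True
        return count < self.max_failures

    def record_failure(self, user: str, now: float) -> None:
        count, first = self.failures.get(user, (0, now))
        self.failures[user] = (count + 1, first)

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


def login(store, throttle, pre_login_sid, user, password_ok, now):
    """Glue for the pieces above: returns (session_id, status). `password_ok`
    stands in for the real credential check."""
    if not throttle.allowed(user, now):
        return None, "locked"
    if not password_ok:
        throttle.record_failure(user, now)
        return None, "bad credentials"
    throttle.record_success(user)
    if pre_login_sid in store.sessions:
        sid = store.rotate(pre_login_sid, user)
    else:
        sid = store.create(user)
    return sid, "ok"
```

The `Secure` attribute only works when the site is actually served over HTTPS; on a plain-HTTP site the browser simply never sends the cookie, which is the safe failure.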
Insecure Direct Object References
Insecure direct object reference is a type of attack in which an authorized user changes a parameter that refers to a system object (a page, a database record or any other system object) so that it points to one they are not authorized for. The most common example is directory traversal (or path traversal), which reaches a file or account by manipulating the URL.
- Burp Suite
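The two defences the paragraph calls for, written as an added Python example rather than code from the article: an ownership check on the object a parameter refers to, and a path check that keeps a user-supplied file name inside its base directory. The `DOCUMENTS` table, the `Forbidden` exception and the helper names are constructed for the example.

```python
import os


class Forbidden(Exception):
    """Raised when a reference resolves to something the caller may not touch."""


# Constructed sample data: document id -> owner and file name.
DOCUMENTS = {
    101: {"owner": "alice", "file": "alice-invoice.pdf"},
    102: {"owner": "bob", "file": "bob-contract.pdf"},
}


def fetch_document(current_user: str, doc_id: int) -> dict:
    """Object-level authorization. Knowing (or guessing) the id is never enough:
    the record must belong to the user making the request."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        # One answer for "does not exist" and "not yours", so ids cannot be enumerated.
        raise Forbidden("document not found")
    return doc


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve a user-supplied path inside base_dir and refuse anything that escapes
    it. '../' sequences, absolute paths (os.path.join discards the base for those)
    and symlinks that point outside are all caught by comparing the real paths."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if target != base and not target.startswith(base + os.sep):
        raise Forbidden("path escapes base directory")
    return target


def is_safe_path(base_dir: str, user_path: str) -> bool:
    """Boolean wrapper around safe_join for use in request filters."""
    try:
        safe_join(base_dir, user_path)
        return True
    except Forbidden:
        return False
```

The realpath comparison is done after the server has URL-decoded the parameter; a check on the raw, still-encoded string would miss `%2e%2e%2f` sequences.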
Cross-Site Request Forgery (CSRF)
Cross-site request forgery is also known as a session riding attack. An attacker uses different techniques to make a website execute or submit a request on behalf of an authorized user (the victim). There is a difference between cross-site scripting and cross-site request forgery: an XSS exploit breaks the trust a user has in an application, while CSRF breaks the trust an application has in the user (the victim in this case). In CSRF an attacker may send malicious code (HTML or Java) via email or by using an XSS flaw. The impact is very clear, because an attacker can cause a victim to change data and perform the function the attacker desires.
- OWASP ZAP
- Tamper data
- OWASP CSRFTester
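The standard mitigation for the attack described above is a per-session anti-forgery token that the forged request cannot know, checked together with the browser-supplied Origin header. The following Python is an added example, not the article's code or any of the listed tools; the `SITE_ORIGIN` value, the `session` dictionary and the function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://shop.example"  # constructed value for the example


def issue_csrf_token(session: dict) -> str:
    """Bind a random token to the server-side session; it is embedded in every
    state-changing form the application renders."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def hidden_field(token: str) -> str:
    """Form markup carrying the token back to the server."""
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def request_is_csrf_safe(session: dict, method: str, headers: dict, form: dict) -> bool:
    """Synchronizer-token check with an Origin/Referer check as defence in depth."""
    # Safe methods must not change state, so they need no token at all.
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # A forged page on another site cannot read our token, so it cannot submit it.
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    # Browsers attach Origin (or at least Referer) to cross-site POSTs; if present it
    # must name our own site.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin:
        parsed = urlparse(origin)
        if f"{parsed.scheme}://{parsed.netloc}" != SITE_ORIGIN:
            return False
    return True
```

Together with a `SameSite=Lax` session cookie, this stops the e-mailed link or XSS-planted page from riding the victim's session.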
Security Misconfiguration
Security misconfiguration is dangerous because it can lead to the whole system being compromised. Security misconfiguration may occur at the system level, while the most common security misconfigurations in web applications are default accounts, default pages, unpatched software and unprotected directories that contain sensitive information. In a security misconfiguration attack the attacker might be a third party or an authorized user. By following a few simple practices an administrator can protect their system:
- Disable all unnecessary software
- Change all the default passwords
- Keep all software up-to-date, including the server and database software
Insecure Cryptographic Storage
As the title suggests, insecure cryptographic storage is about storage. An insecure cryptographic storage vulnerability occurs when an attacker gains access to a file that contains confidential information in plain text. It means there is no encryption policy for data that is meant to be encrypted. With insecure cryptographic storage the attacker does not break the encryption, but finds another way to get the desired information. For example, an application stores the credit card information of its users in plain text, and an attacker then finds an SQL injection vulnerability that gets them into the database; the attacker can easily obtain the users' credit card information because all of it is available in plain text. The way to fight insecure cryptographic storage is to apply encryption to all backup data and to use strong encryption algorithms, so that even if an attacker gets the file, they are not able to read the data.
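The contrast the paragraph draws, as an added Python example (not the article's code): the plain-text store that an SQL injection would dump wholesale, next to a store that keeps only salted scrypt hashes of passwords and, for card data, only the last four digits plus a keyed lookup token. The scrypt parameters, the `card_reference` design and all names are assumptions; data that must be recovered later (a full card number used for recurring charges) needs authenticated encryption with the key held outside the database, which is not shown here.

```python
import hashlib
import hmac
import os


# The pattern the text warns about, kept only to contrast with the fix below:
# a dumped table hands over every password (and, likewise, every card number).
def store_plaintext(user_db: dict, user: str, password: str) -> None:
    user_db[user] = {"password": password}


# scrypt parameters (assumed for the example; raise N on capable hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Salted, memory-hard, one-way hash. The stored string carries its own
    parameters so they can be raised later without breaking existing records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def store_hashed(user_db: dict, user: str, password: str) -> None:
    """What the row looks like after the fix: no password, only its hash."""
    user_db[user] = {"password_hash": hash_password(password)}


def card_reference(server_key: bytes, pan: str) -> dict:
    """For card data the application only needs to display and match, keep the
    last four digits and a keyed HMAC token instead of the number itself
    (assumed design). A dumped table then contains nothing chargeable."""
    token = hmac.new(server_key, pan.encode(), hashlib.sha256).hexdigest()
    return {"last4": pan[-4:], "lookup": token}
```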
Failure to Restrict URL Access
This might count as an authentication vulnerability, because the failure to restrict URL access is a result of improper authentication. In simple words, it is forced browsing, where an authorized user, or maybe a third party, tries to access a URL that they are not supposed to reach. Other ways this vulnerability can be exploited are calling scripts from another website or simply using a redirection vulnerability.
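Forced browsing is stopped by a server-side check that runs before any page handler and denies every URL that is not explicitly granted to the caller's role. The following Python filter is an added example (not the article's code); the `ROUTE_POLICY` table, the role names and the status-code mapping are constructed for illustration.

```python
import posixpath

PUBLIC = {"anonymous", "user", "admin"}

# Constructed policy: URL prefix -> roles allowed, most specific prefix first.
# Anything that matches no entry is denied, whoever asks.
ROUTE_POLICY = [
    ("/admin", {"admin"}),
    ("/account", {"user", "admin"}),
    ("/login", PUBLIC),
    ("/", PUBLIC),
]


def canonical_path(raw: str) -> str:
    """Strip query and fragment, collapse '..' and repeated slashes, so that
    '/account/../admin' cannot slip past a rule written for '/admin'."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/"))


def is_authorized(role: str, raw_path: str) -> bool:
    path = canonical_path(raw_path)
    for prefix, roles in ROUTE_POLICY:
        if prefix == "/":
            matched = path == "/"
        else:
            matched = path == prefix or path.startswith(prefix + "/")
        if matched:
            return role in roles
    # Deny by default: an unlisted URL is not reachable by guessing it.
    return False


def handle(role: str, raw_path: str) -> int:
    """HTTP status a request filter would return before any handler runs."""
    if is_authorized(role, raw_path):
        return 200
    return 401 if role == "anonymous" else 403
```

The check is applied to the decoded path, so percent-encoded dot segments are normalized as well; hiding a page by not linking to it gives no protection, because the filter is what decides, not the navigation.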
Insufficient Transport Layer Protection
The risk of insufficient transport layer protection is high for your users because their information might be monitored and sniffed. An attacker can use different sniffers on both wired and wireless networks on the user side to monitor and capture a user's confidential information. Nowadays web applications use SSL/TLS in the authentication process to protect user information, but keep in mind that SSL can be cracked. So the point is to use strong SSL for authentication and session cookies on all important pages.
- SSLScan (an old tool)
- Calomel SSL Validation (Firefox add-on)
- SSL Test (Bash script to find weak ciphers)
Unvalidated Redirects and Forwards
This is dangerous because it can lead a user to phishing and malware websites. An attacker can take advantage of redirects and trick the victim into clicking on a link. The user will most likely click on it because the link seems to be valid.
If a web application is vulnerable then an attacker sends the user an email along the lines of "you have received an offer to purchase something at a low rate", with a URL like:
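The link looks valid because the host in it really is the trusted site; only the redirect parameter points elsewhere. The fix is to validate that parameter against an allow-list before issuing the redirect. The Python validator below is an added example (not the article's code); `ALLOWED_HOSTS` and the function names are assumptions, and the cases it rejects (protocol-relative `//host`, backslash tricks, `javascript:` and userinfo-disguised hosts) go a little beyond the single e-mail scenario in the text.

```python
from urllib.parse import urlparse

# Hosts the application is allowed to send users to (constructed for the example).
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` only if it stays on our own site; otherwise the default."""
    if not target:
        return default
    target = target.strip()
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        # Absolute (or protocol-relative) URL: only https to an allow-listed host.
        # `hostname` ignores a user@ prefix, so "https://shop.example@evil.example"
        # is judged by its real host.
        if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
            return default
        return target
    # Relative target: must be a plain absolute path on this site. Browsers treat
    # "\" like "/", so "/\evil.example" would leave the site; refuse it.
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return default
    return target


def redirect_response(requested: str) -> dict:
    """Minimal 302 the application would send after login."""
    return {"status": 302, "Location": safe_redirect_target(requested)}
```

Where the application only ever redirects within itself, the simplest policy is to drop the absolute-URL branch entirely and accept nothing but local paths.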
I just want to mention the wonderful option of w3af, because it provides the ability to conduct web application penetration testing for the OWASP Top 10 vulnerabilities.
OWASP has categorized the most dangerous vulnerabilities in web applications, and it is a reference point for web developers and penetration testers to make sure that an application does not contain these top vulnerabilities. Besides the application-level vulnerabilities we need to take care of the system software and the vulnerabilities that can cause all of the information to be compromised. The key tip is to remain up to date:
- Update all of the software, both at the system and the application level.
- Keep engaged with the online community to learn about new vulnerabilities and application weaknesses.