Post on 07-Jan-2017
Web Application Security Tools
(GEIT-862) Information Risk Assessment and Security Management
I am Nico Penaredondo, Software Developer @ UP-ITDC
Web Application Security
is a branch of Information Security that deals specifically with the security of websites, web applications and web services.
2013 OWASP Top 10 (2010 list vs 2013 list)
#   2010                                        2013
1   Injection                                   Injection
2   Cross-Site Scripting (XSS)                  Broken Authentication & Session Management
3   Broken Authentication & Session Management  Cross-Site Scripting (XSS)
4   Insecure Direct Object Reference            Insecure Direct Object Reference
5   Cross-Site Request Forgery (CSRF)           Security Misconfiguration
6   Security Misconfiguration                   Sensitive Data Exposure
7   Insecure Cryptographic Storage              Missing Function Level Access Control
8   Failure to Restrict URL Access              Cross-Site Request Forgery (CSRF)
9   Insufficient Transport Layer Protection     Using Components with Known Vulnerabilities
10  Unvalidated Forwards and Redirects          Unvalidated Forwards and Redirects
Source : https://www.owasp.org/index.php/Top_10_2013-Top_10
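Injection sits at #1 in both lists, and it is the category a developer can see most directly in code. The following is an added illustration, not part of the slides or of any tool they describe: a user lookup built by string concatenation beside the same lookup using a bound parameter, run against a constructed in-memory SQLite table (the table, usernames and addresses are made up for the example). Given an input containing a single quote, the concatenated version returns every row while the parameterized version returns none.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example: a two-row user table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation.

    The input becomes part of the SQL text, so a quote character in it
    changes the structure of the query instead of being compared as data.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Passes the input as a bound parameter.

    The driver sends the value separately from the statement, so whatever it
    contains is only ever compared against the column, never parsed as SQL.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Runs both lookups with a normal input and with a quote-bearing one."""
    conn = make_db()
    benign = "alice"
    # With this input the concatenated statement reads
    #   ... WHERE username = '' OR '1'='1'
    # which is true for every row; the bound version compares the literal
    # string "' OR '1'='1" against the column and matches nothing.
    quoted = "' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_quoted": lookup_vulnerable(conn, quoted),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_quoted": lookup_parameterized(conn, quoted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The scanners on the following slides find this class of flaw from the outside, by sending unusual inputs and comparing responses; the fix lives in the second function and does not depend on any scanner. The same pattern (keep data out of the statement text) applies to every driver that supports bound parameters, not only SQLite.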
(OWASP) Open Web Application Security Project
is a worldwide non-profit charitable organization focused on improving the security of software.
Web Application Attack Statistics
Source : https://www.owasp.org/index.php/Top_10_2013-Top_10
$3,100,000/yr : Average cost of web application attacks
Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
78% : Organizations that have had web applications COMPROMISED
Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
69% : Said that a web application firewall (WAF) is necessary or critical
Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
Top 3 Reasons to Secure Web Applications
1. Protection of data
2. Revenue loss
3. Compliance
Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
Number of full-time employees needed to manage a web application firewall
Source : https://www.stateoftheinternet.com/downloads/pdfs/resources-web-security-2015-web-app-attack-stats-ponemon-infographic.pdf
117,339 : Average security incidents around the world per day (2014)
Source : http://www.cgma.org/magazine/news/pages/201411089.aspx
(ZAP) Zed Attack Proxy
is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.
ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
Acunetix
Automatically crawls and scans off-the-shelf and custom-built websites and web applications for SQL Injection, XSS, XXE, SSRF, Host Header Attacks and over 500 other web vulnerabilities.
Acunetix is a fully automated web browser that can understand and interact with complex web technologies such as AJAX, SOAP/WSDL, SOAP/WCF, REST/WADL, XML, JSON, Google Web Toolkit (GWT) and CRUD operations just like a regular browser would.
Acunetix can crawl complex web application architectures, including JavaScript-heavy HTML5 Single Page Applications, while being able to scan restricted areas automatically and with ease.
Vega
is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: JavaScript.
Thank you