In this episode
We look at some vulnerabilities from the OWASP Top 10 in more detail and list some tools that can be used for testing for these vulnerabilities. Some of these weaknesses recur in almost every version of the Top 10. One of the best examples, also shown in our previous blog post, is injection, which had been number 1 since 2010 but has been overtaken this year by Broken Access Control and Cryptographic Failures.
Injection deals with attacks like command injection or SQL injection, probably the most widely known type of weakness. Broken Access Control describes issues with authorization and permissions, where users can see and manipulate information they are not allowed to, for example a regular user who can access administrator sections of the application. This is not to be confused with authentication (logging in to an application and thus proving the user's identity), which has a category of its own. Cryptographic Failures was previously known as Sensitive Data Exposure; the new name puts the focus on the cryptographic shortcomings that lead to data exposure. An important new category in 2021 is Insecure Design, which reflects the shift-left movement found in software testing in general. It should be noted that testing for these vulnerabilities may sometimes overlap; for example, you could use injection to retrieve sensitive information.
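To make the first two categories concrete, here is a small added example (not from the original post) that puts an injectable query next to its parameterised form and adds a server-side role check for the administrator section; the in-memory SQLite table and the user records are constructed for illustration.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table with two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "user", "alice@example.test"),
        ("bob", "admin", "bob@example.test"),
    ])
    return conn

# Injection: the query is built by string concatenation, so user input
# is interpreted as SQL syntax instead of as a plain value.
def find_user_vulnerable(conn, name):
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

# Hardened form: a parameterised query keeps the input as data, so the
# same crafted input simply matches no user.
def find_user_safe(conn, name):
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Broken Access Control: the role is verified on the server for every
# request to the admin section; hiding the link in the UI is not enough.
def admin_section(conn, requesting_user):
    row = conn.execute("SELECT role FROM users WHERE name = ?",
                       (requesting_user,)).fetchone()
    if row is None or row[0] != "admin":
        return {"status": 403, "body": "forbidden"}
    return {"status": 200, "body": "admin dashboard"}

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print(find_user_vulnerable(db, crafted))  # every row leaks
    print(find_user_safe(db, crafted))        # []
    print(admin_section(db, "alice"))         # 403 for a regular user
```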
Tooling
When it comes to tools for testing security weaknesses, there are many options on the market. One of the best-known is Kali Linux, a distribution that bundles many, mostly command-line, applications for penetration testing. An alternative is Metasploit, a framework for scanning and assessing applications and performing manual penetration testing. But one of our favorite tools by far is Burp Suite by PortSwigger.
Coming up
At Brightest, we cannot ignore the need for testing the security of applications and keeping track of best security practices for developers. Keep an eye on our solutions page for more updates on this, as we continue to expand our services in this subject matter.
Written by Bart Taelemans