In the course of performing thousands of human-driven pentests each year, the security team at Cobalt is in a unique position to deliver valuable insights about web application security. In this real training for free session, we’ll explore the top 5 vulnerabilities they find: how attackers abuse them and how you can fix them.
1. Server Security Misconfigurations
These vulnerabilities usually reside at the OS level (e.g. Windows, Linux), at the web server level (e.g. IIS, Apache), or in server-based web application hosting components such as Apache Tomcat or ASP.NET.
These holes creep in through default configurations, inexperienced developers who focus only on the application environment, and immature DevSecOps practices that overlook proper server configuration.
2. Missing Access Control
Access control vulnerabilities occur when the application fails to enforce the principle of least privilege and proper restrictions on authenticated users, allowing unauthorized users to perform sensitive operations or access restricted resources. There can be multiple reasons behind access control vulnerabilities, such as insufficient validation of user roles or permissions in APIs, user interfaces, direct object references, and elsewhere.
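As an added illustration of the direct-object-reference case (example code written for this page, not material from the session or from Cobalt), the following shows a record lookup that only checks that the caller is logged in, beside a hardened version that decides authorization per object on the server. The invoice table, user records and role names are constructed for the example.

```python
# Added example: missing object-level access control on a direct object
# reference, and the hardened form. All data here is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # constructed roles: "user" or "admin"


# Constructed sample data: invoice id -> owning user id and contents.
INVOICES = {
    101: {"owner": 1, "total": "42.00"},
    102: {"owner": 2, "total": "99.00"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_invoice_vulnerable(current_user, invoice_id):
    """Broken: verifies authentication only. The invoice id comes straight
    from the request, so any logged-in user can read any invoice."""
    if current_user is None:
        raise Forbidden("login required")
    return INVOICES[invoice_id]


def is_authorized(current_user, invoice_id):
    """Server-side, per-object authorization decision derived from the
    session identity and role, never from anything the client supplied."""
    if current_user is None:
        return False
    record = INVOICES.get(invoice_id)
    if record is None:
        return False
    return record["owner"] == current_user.user_id or current_user.role == "admin"


def get_invoice_hardened(current_user, invoice_id):
    """Fixed: the ownership/role check runs on every lookup. Missing and
    forbidden records get the same response so valid ids are not revealed
    through a difference in error messages."""
    if not is_authorized(current_user, invoice_id):
        raise Forbidden("not found")
    return INVOICES[invoice_id]
```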
3. Cross-Site Scripting
XSS is a client-side injection attack in which malicious scripts are injected into otherwise trusted websites or applications, typically originating from another site. These scripts run in the context of the user's browser, enabling attackers to steal sensitive information, hijack sessions, or perform unauthorized actions on behalf of the user.
4. Sensitive Data Exposure
Sensitive data can refer to system-level secrets or to the actual business data handled by the application. At the system level, it ranges from credentials hardcoded in source code to improper key management. At the business level, it may be publicly accessible cloud storage or unsecured backups.
5. Authentication and Session
The underlying technology at the core of web applications (e.g. HTTP) completely omits the concept of a logon session and authentication. Web app developers therefore have to implement these themselves using a dizzying variety of protocols and frameworks, most of which leave much of the security burden on the developer. It's no wonder there are so many ways to impersonate users, hijack sessions, or otherwise defeat authentication.
For each of these vulnerabilities we will:
- Explain the generalized definition of the vulnerability
- Discuss specific examples found again and again in the real world
- Explore remediation approaches
Joining me for this session are Luke Doherty and Anne Nielsen, from the pentesting team at Cobalt. They will share their perspective on real-world web application security and provide a glimpse into Cobalt's human-centric approach to Pentesting as a Service.
Please join us for this real training for free session.