Sharp Circles

WTM18 - OWASP 10 A07 - Identification and Authentication Failures (Lab - OWASP Zed Attack Proxy pentesting) Diving into the security testing guidelines of OWASP for the 7th position, identification and authentication failures, an intersection point was the OWASP ZAP tool. Zed Attack Proxy is a pentesting tool that sits as a proxy between the browser and the targeted application. We were playing around with it on our latest lab using the Docker approach (Websing for the UI). We were able to catch 2 main problems during the execution of the tool: colliding ports and wrong address resolution (a subtle one that can easily go unnoticed) For extended pentesting: 1. API scanning 2. Manual scanning 3. Automation framework (new feature and 100% customizable through yml files) Article: https://lnkd.in/em98PZWH Repository: https://lnkd.in/e9nNFAax #appsec #owasp #cybersecurity #owasptop10 #authenticationfailures #identificationfailures #softwaresecurity #pentesting #zap #websecurity

⚠ Pentesting using OWASP ZAP Our latest lab dove into OWASP Top 10 A07 (Identification & Authentication Failures) using the powerful OWASP ZAP tool in a Dockerized environment (WebSwing UI). While the setup seemed straightforward, we quickly ran into two major roadblocks that are crucial for any ZAP user to know: 📍 Port collision: The classic issue where both ZAP and the target application (e.g., WebGoat) claim the same port (like 8080) on the host, preventing a proper connection. 📍 Docker network address resolution: When ZAP runs in a container and tries to attack localhost, it resolves the address inside its own container's context. The result is that ZAP ends up attacking itself. We had to ditch hostnames and target the vulnerable application using its internal docker IP addresses to ensure the scan was directed to the correct container. Learn how we navigated these critical steps to successfully launch our automated ZAP scan. Article: https://lnkd.in/eGctttUu  Repository: https://lnkd.in/eG3-HiAk #pentesting #owasp #zap #docker #appsec #cybersecurity #websecurity #troubleshooting #owasptop10 #appsec

Mastering OWASP Top 10 A07: Identification and Authentication Failures It's a complex risk with a wide attack surface, being a perfect example of the "defense-in-depth" strategy. Here's a quick look at the key takeaways for building robust authentication: 1. Prevent brute force attacks 2. Secure credential management 3. Strengthen session management 4. Avoid information leakage All of these layers must be properly understood and applied in order to harden and strengthen the different, sensitive points of your application in terms of authentication and identity. Article: https://lnkd.in/eNTw8NrA #appsec #owasp #cybersecurity #owasptop10 #authenticationfailures #identificationfailures #infosec #devsecops #supplychainsecurity #softwaresecurity

Hey people! We had our experience with the OWASP TOP 10's sixth position, Vulnerable and Outdated Components, and this is where it led us to: 📍 Problem: Finding a tool to identify vulnerabilities in third-party libraries, choosing OWASP Dependency Check. 📍 Challenge: opted for a more flexible Docker approach, taking advantage of dependencies' detachment. 📍 Process: usage of the original batch file provided in the Github with a few tweaks to adapt to our needs. 🚨 Discovery: The scan of a .NET web application revealed 25 CVEs tied to a single package: sqlite-net. This highlights how a single dependency can pose a significant security risk. 📄 Result: Generation of reports in multiple formats, including HTML, which provided clear insights into each vulnerability, including its CWE and potential impact. This lab was a great reminder of the importance of Software Composition Analysis (SCA) in securing the software supply chain. What are your go-to tools for this? Article: https://lnkd.in/eA5SFMdj Lab: https://lnkd.in/e8udFjJs #appsec #owasp #cybersecurity #owasptop10 #vulnerablecomponents #dependencycheck #infosec #devsecops #supplychainsecurity #softwaresecurity #vulnerabilitymanagement #wtm16 #docker #sca #dotnet #sqlite

Unpacking OWASP Top 10 A06: Vulnerable & Outdated Components. It's a critical risk that often goes unnoticed, and a key challenge for organizations. 📌 The Problem: We're navigating in the dark if we don't have a clear inventory of all components and their nested dependencies. 📌 The Landscape: The threat isn't just about code—it's about every layer: OS, web servers, databases, and third-party libraries. 📌 Automation is Key: Relying on manual updates is risky. Security checks must be integrated into CI/CD pipelines and performed regularly. 📌 Patching with a Plan: Timely patching is non-negotiable. Organizations must create policies to ensure updates are applied in a risk-based and timely manner. 📌 Beyond the Code: Prevention requires more than just patching. It includes reducing your attack surface, using signature checks, and having a virtual patching strategy for unmaintained components. Don't let vulnerable components be your Achilles' heel. Article here: https://lnkd.in/eEgQ8WGf #appsec #owasp #cybersecurity #owasptop10 #vulnerablecomponents #dependencycheck #infosec #devsecops #supplychainsecurity #softwaresecurity #vulnerabilitymanagement #wtm15

Just wrapped up an in-depth exploration of Security Misconfiguration (OWASP Top 10 A05)! 🛡️ Our latest research dives into practical approaches for tackling this pervasive vulnerability: 📌 Bridging Theory & Practice: We navigated NIST hardening guides and OWASP documentation to find actionable steps. 📌 Nikto in Action: Discovered how web vulnerability scanners like Nikto provide a powerful and accessible entry point for identifying misconfigurations. 📌 Real-World Scans: Put Nikto to the test against both a custom .NET application and the OWASP WebGoat, yielding valuable insights. 📌 Unveiling Mechanisms: Learned that experimenting with Nikto's CLI, especially evasion and mutate techniques, is key to understanding scanner behavior and optimizing results. 📌 Beyond the Scan: Identified crucial ongoing resources like CIS Benchmarks and OWASP's Testing Guide for Error Codes to continuously enhance security posture. Full details and the automation script in the repo: https://lnkd.in/gxD-ZPau Read the article here: https://lnkd.in/ga4i-gpD #appsec #owasp #cybersecurity #owasptop10 #securitymisconfiguration #nikto #webscanning #vulnerabilityscanning #serverhardening #infosec #pentesting #webgoat #devsecops #securitytools #applicationsecurity

📢 Security Misconfiguration: The silent threat lurking in your applications (OWASP Top 10 A05) Did you know 90% of applications tested show some form of security misconfiguration? This isn't just a technical glitch; it's a critical vulnerability often born from negligence, tight deadlines, or outdated information. It's time to shift our mindset from "Plug N' Play" to "Proactive Prevention." 1. Default settings are dangerous: Leaving default accounts/passwords enabled or sample applications on production servers is an open invitation for attackers. Always harden your configurations beyond defaults. 2. Error messages are information leaks: Overly verbose error messages (like stack traces) can expose critical system details. Craft messages carefully to be helpful to users without giving attackers a roadmap. 3. Context, environment and time are crucial: Staying updated with framework security features and applying secure values isn't possible without a supportive context, training, and, most importantly, adequate time. 4. Shift-Left & Automation: Integrating security early in the SDLC (SaC) and automating hardening processes ensures repeatable, secure deployments. 5. Reviewing process & critical thinking: Regularly review and update configurations, especially cloud storage permissions. Article here: https://lnkd.in/eQXuRyn2 #appsec #owasp #cybersecurity #owasptop10 #securitymisconfiguration #wtm13 #devsecops #infosec

𝗙𝘂𝘇𝘇𝗶𝗻𝗴 𝘄𝗶𝘁𝗵 𝗔𝗺𝗲𝗿𝗶𝗰𝗮𝗻 𝗙𝘂𝘇𝘇𝘆 𝗟𝗼𝗽, 𝗔𝗙𝗟++, 𝗦𝗵𝗮𝗿𝗽𝗙𝘂𝘇𝘇 𝗮𝗻𝗱 𝗪𝘂𝗽𝗽𝗶𝗲𝗙𝘂𝘇𝘇 Buenos días y la movida. This weekly post consisted in a practice lab around fuzzers and its application on real projects. We've been studying and executing the main tools provided by the OWASP site, checking their benefits and drawbacks. Our conclusions have been: 1. Many prominent open-source fuzzers, like AFL++, are primarily optimized for C/C++ projects; language-specific wrappers (e.g., SharpFuzz for C#) are essential for broader applicability. 2. Fuzzers are most effective when applied to "scoped" or isolated code segments; for APIs, a clever workaround involves fuzzing via HTTP client interactions while the API runs. 3. Careful input configuration and understanding instrumentation are crucial for successful fuzzing and effective vulnerability discovery. 4. Despite an initial steep learning curve, fuzzing offers significant long-term benefits for automated security testing and integration into development pipelines. 📌 Check out the post here: https://lnkd.in/e5e9NY2r 📌 Have a look at the practical lab here: https://lnkd.in/eTFFpM59 #appsec #owasp #cybersecurity #owasptop10 #insecuredesign #fuzzing #afl #afl++ #sharpfuzz #wuppiefuzz #wtm12 #fuzzers

𝗘𝘅𝘁𝗲𝗻𝗱𝗶𝗻𝗴 𝗦𝗔𝗦𝗧 𝗿𝗲𝘃𝗶𝗲𝘄𝘀: 𝗔𝗶𝗸𝗶𝗱𝗼, 𝗧𝗿𝗶𝘃𝘆 𝗮𝗻𝗱 𝗢𝗽𝗲𝗻𝗴𝗿𝗲𝗽 This week, we've decided to extend the analysis we did for SonarQube and completing it with a few more tools. Among other things, to have a grasp on what the differences between them could be and the services they can offer. The business model seems to lie down around the idea of a very tiny service deployed at the free tier option, which is practically a demo more than a service. Paid versions dramatically enhance the experience, extending both services and accessibility. Reddit gave us great insights with real user reviews of the main tools in the market, like Veracode, Fortify or Snyk. In an attempt to flip the coin, we went for more curious, open-source friendly alternatives like Opengrep, and gave it a try. 📌 Read the article here: https://lnkd.in/eAWiEGNB 📌 Check the repository with insights here: https://lnkd.in/eWmBeWsb #appsec #owasp #cybersecurity #owasptop10 #insecuredesign #aikido #trivy #opengrep #sast #securitytesting #wtm11

𝗪𝗲𝗲𝗸 𝘁𝗼𝗽𝗶𝗰: 𝗦𝗼𝗻𝗮𝗿𝗤𝘂𝗯𝗲 𝗦𝗔𝗦𝗧 𝗹𝗼𝗰𝗮𝗹 𝗱𝗲𝗽𝗹𝗼𝘆𝗺𝗲𝗻𝘁 Have you ever dealt with a SAST tool but had no idea about how was actually deployed or configured? Then, our weekly post on SonarQube SAST local deployment may be interesting for you. We went exactly after those details: 🟢 Initial deployment and installation 🟢 Project creation and configuration 🟢 Analysis execution 🟢 Fixing the issues 🟢 Understanding documentation and exploring further possibilities If you want to have more control over your SAST tools and begin walking your first steps towards knowing the inner mechanisms, then you can surely take something out from it. Article: https://lnkd.in/eFkZ9CTu Repository: https://lnkd.in/eQKF67NQ #appsec #owasp #cybersecurity #owasptop10 #insecuredesign #sonarqube #sast #securitytesting #wtm10