This section sorts the entries into the three high-level categories that were used in the 2009 Top 25:     Insecure Interaction Between Components     Risky Resource Management     Porous Defenses The Top 25 Vulnerability  are listed below in three categories: Software Vulnerability  Category: Insecure Interaction Between Components (6 errors) Software Vulnerability  Category: Risky Resource Management […]

DESCRIPTION: OS command injection is a technique used via a web interface in order to execute OS commands on a web server. The user supplies operating system commands through a web interface in order to execute OS commands. Any web interface that is not properly sanitized is subject to this exploit. With the ability to […]

DESCRIPTION: The software imports require or include executable functionality (such as a library) from a source that is outside of the intended control sphere. When including third-party functionality, such as a web widget, library, or another source of functionality, the software must effectively trust that functionality. Without sufficient protection mechanisms, the functionality could be malicious […]

DESCRIPTION: The program invokes a potentially dangerous function that could introduce vulnerability if it is used incorrectly, but the function can also be used safely. Certain functions can be dangerous if used incorrectly. Thread .stop() is such a function. Thread .stop() causes the thread to die immediately, which means it will not be able to […]

DESCRIPTION: The programs do not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow. Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries […]

DESCRIPTION: Unrestricted File Upload vulnerability is the ability to upload any type of file through an upload form into a website. This is a very high-security risk because a hacker can upload script/executable files (like .php, .exe etc.), which can then execute remotely and perform various actions, such as explore the file structure, retrieve sensitive […]

DESCRIPTION : This attack  a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control. The integer variable is often used as an offset […]

  DESCRIPTION: Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications. Data enters a Web application through an untrusted source, most frequently a web request. The data is included in dynamic content that is sent to a web user without being validated for malicious content. The malicious content […]

  DESCRIPTION: Cross-site request forgery (CSRF) is a weakness within a web application which is caused by insufficient or absent verification of the HTTP request origin. Web servers are usually designed to accept all requests and respond to them. If a client sends several HTTP requests within one or several sessions, it is impossible for […]

DESCRIPTION: Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications. Data enters a Web application through an untrusted source, most frequently a web request. The data is included in dynamic content that is sent to a web user without being validated for malicious content. The malicious content sent […]

  Introduction Injection flaw occur when untrusted data is sent to an interpreter as part of a command or query. To explain in detail Injection flaw occurs when web application sends user-supplied data to other apps such as: Database, Operating System, LDAP, and Web Services, attacker “inject” their malicious code to run instead of actual […]

SQL injection is an attack when an attacker tries to “inject” his harmful/malicious SQL code into someone else’s database, and force that database to run his SQL. This could potentially ruin their database tables and even extract valuable or private information from their database tables. We will see how we can identify SQL injection using […]

A1 – Injection Injection vulnerabilities—such as to SQL, OS, or LDAP injection—occurs when a malicious hacker takes advantage of insecure web application by injecting commands into forms such as a input fields and then gain access to sensitive data which is stored in the web application’s backend database. A2 – Broken Authentication and Session Management […]

What is Encoding? Encoding is the process of converting data into a format required for a number of information processing needs. Web applications employ several different encoding schemes for their data. We will discuss few encoding schema as follows: URL Encoding Unicode Encoding HTML Encoding Base64 Encoding HEX Encoding URL Encoding When you pass information […]

In this blog, we will take a look at the headers recommended by the Open Web Application Security Project (OWASP). These headers can be utilized to actively increase the security of the web application. This blog tries to shed a light on both headers that actively increase security as well as headers that might have […]

What is HTTP? HTTP is an application layer protocol The default port for HTTP is 80 World Wide Web Consortium and the Internet Engineering Task Force, both coordinates in the standardization of the HTTP protocol The resources that can be requested by using HTTP protocol is made available with the help of a type of […]

Introduction: HTTP stands for “Hypertext Transfer Protocol“. The entire World Wide Web uses this protocol. It was established in the early 1990’s. Almost everything you see in your browser is transmitted to your computer over HTTP.  HTTP/1.1 is the version of HTTP in common use. HTTP is based on the client-server architecture model and a […]

What is DNS? DNS stands for domain name system, The Domain Name System (DNS) translates Internet domain and host names to IP addresses and vice versa. DNS automatically converts between the names we type in our Web browser address bar to the IP addresses of Web servers hosting those sites. Why is DNS important? When we […]

Google hacking is the use of a search engine, such as Google, to locate a security vulnerability on the Internet. There are generally two types of vulnerabilities to be found on the Web: software vulnerabilities and misconfigurations. Google hacking involves using advanced operators in the Google search engine to locate specific strings of text within […]

Every process has its own standards that need to follow to get better outcomes or results. Similarly, penetration testing has its own standards to follow. These standards defines the Methodology and measures that need to be taken before conducting the test What is penetration testing standards? Penetration testing standards are techniques generally set forth in […]

Penetration Testing is a method of testing the security of your organization’s infrastructure and architecture. If you are unfamiliar please view what is penetration testing? By analyzing the attacks in an organization there might be either internal threats or might be External one which may be different methods of Penetration testing What is External Penetration […]

Information technology is growing very fast since a decade simultaneously data breach, theft, information leaking has increased thus Information security was prioritized in every organization to secure their information. Information security has certain standards that need to be followed regularly among which SANS is one of the major contributors. SANS is information security standards that […]

OWASP is one of the standards that are followed by various security testing which includes Web Application, database, mobile etc. We have discussed various standards in our blogs if you need to know. OWASP has been a one among the standards that enhanced the security measures and methodology throughout the global organization.  WHY OWASP STANDARDS? […]

Penetration Testing is one of the main method or tests for creating a secured data and information in an organization You may be familiar with Penetration Testing. If not then please can go through what is Penetration testing? Penetration testing which is categorized as follows BLACK BOX TESTING GREY BOX TESTING WHITE BOX TESTING   […]

Penetration testing is one of the key tests for the security of the organization data and Information. Thus penetration testing is necessary You can look for what is Penetration testing?if you are not familiar with this Penetration Testing can be     Within 7 steps Preparation/pre-engagement interaction 1. Preparation / Pre-Engagement Interaction: Set an objective […]

Penetration Testing is a security testing which is used to test attacks and exploit the vulnerabilities to create safe and secure operations for information and data storage. We suggest reading on what is penetration testing? The main classification of penetration testing is • web application • mobile application • network • infrastructure There are different […]

In this blog, we will discuss some basics of SQL queries which will help us to understand how actually The database works based on the user input at the back end. Database Hierarchy Model: A users can have access to multiple databases, a database can have multiple tables and a table can have multiple records (i.e Columns) and […]

SQL INJECTION SQL injection, also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists or private customer details. Fig1.1: SQL injection Type of […]