Perspectives Project (http://perspectives-project.org/): Web Application Security & Compliance. Feed last updated Wed, 07 Dec 2022 19:25:03 +0000.

Top 10 Web App Vulnerabilities
https://perspectives-project.org/top-10-web-app-vulnerabilties/ (Wed, 07 Dec 2022 18:53:36 +0000)

These are the top 10 web application vulnerabilities in 2022. It is important to be aware of them and to take steps to protect your web application from these threats. Taking the necessary precautions, and potentially using vulnerability testing as part of your organization's plan, helps ensure your web application is secure and your users' data is protected.

Top 10 Web Application Vulnerabilities:

  1. Insecure Direct Object Reference (IDOR): IDORs occur when a web application references an internal object, such as a file or a database record, by its name or key without performing an authorization check. This missing check can allow attackers to bypass the intended security controls and access data they should not be able to.
  2. SQL Injection (SQLi): SQLi is a type of attack in which malicious input is inserted into the SQL statement an application uses to query a database. This can allow an attacker to gain access to confidential data, alter data, or even execute commands on the server.
  3. Cross-Site Scripting (XSS): XSS is a type of attack that injects malicious code into a web page. This code is executed by the browser and can be used to steal user data or access sensitive information. XSS comes in several types (stored, reflected, blind, DOM-based); for more information see our separate blog post explaining what XSS is and each of its types.
  4. Cross-Site Request Forgery (CSRF): CSRF is a type of attack that tricks a user into performing an action they did not intend. For example, a malicious website could forge a request to a vulnerable web application and have the user unknowingly execute a command on the server.
  5. Broken Authentication and Session Management: This type of vulnerability occurs when a web application fails to properly protect user credentials and session tokens. Attackers can exploit this to gain access to user accounts or even hijack active sessions.
  6. Insufficient Logging and Monitoring: Many web applications fail to properly monitor their systems for suspicious activity. Without proper logging and monitoring, attackers can exploit vulnerabilities without being detected.
  7. Unvalidated Redirects and Forwards: Unvalidated redirects and forwards occur when a web application redirects a user to an untrusted site without validating the destination. This can allow attackers to redirect users to malicious websites and steal confidential data.
  8. Security Misconfiguration: This type of vulnerability occurs when a web application is not properly secured. For example, a web application may be missing critical security patches or have unnecessary services running.
  9. Insecure Deserialization: Insecure deserialization occurs when a web application deserializes untrusted data. Attackers can exploit this vulnerability to execute arbitrary code on the server.
  10. Sensitive Data Exposure: Sensitive data exposure occurs when a web application fails to protect sensitive data, such as passwords, credit card numbers, or health records. Attackers can exploit this vulnerability to steal confidential information.
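
As an added example (not code from the original post), items 1 and 2 above in Python: one record lookup that has both the IDOR and the SQL injection flaw, beside a hardened version. The database and its two rows are constructed for the demo; the function names are assumptions.

```python
"""Added example: IDOR and SQL injection in one record lookup, beside the
hardened form. The SQLite database and rows below are constructed sample data."""
import sqlite3

# Constructed sample data: two users, each owning one record.
SAMPLE_ROWS = [
    (1, "alice", "alice: blood type O+"),
    (2, "bob", "bob: allergy to penicillin"),
]


def make_db() -> sqlite3.Connection:
    """Build the constructed in-memory database used by both lookups."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def get_record_vulnerable(db, current_user: str, record_id: str) -> list:
    """Item 1 (IDOR): the record is fetched by whatever key the client supplies,
    and current_user is never consulted, so any user can read any record.
    Item 2 (SQLi): the key is pasted straight into the SQL text, so input such
    as '1 OR 1=1' changes the meaning of the query instead of being a value."""
    query = f"SELECT body FROM records WHERE id = {record_id}"  # string-built SQL
    return [row[0] for row in db.execute(query)]


def get_record_hardened(db, current_user: str, record_id: str) -> list:
    """Hardened form: the key is validated and bound as a parameter (no SQLi),
    and the owner is part of the WHERE clause (no IDOR), so another user's
    record simply does not exist from this user's point of view."""
    if not record_id.isdigit():
        return []  # reject anything that is not a plain integer key
    query = "SELECT body FROM records WHERE id = ? AND owner = ?"
    return [row[0] for row in db.execute(query, (int(record_id), current_user))]


if __name__ == "__main__":
    db = make_db()
    # alice asking for bob's record: the vulnerable handler hands it over
    print("vulnerable, id=2:", get_record_vulnerable(db, "alice", "2"))
    # the same request against the hardened handler returns nothing
    print("hardened,   id=2:", get_record_hardened(db, "alice", "2"))
    # a non-numeric key is rejected before it reaches the database
    print("hardened,   id='1 OR 1=1':", get_record_hardened(db, "alice", "1 OR 1=1"))
```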

Cyber attacks are constantly evolving, and with them the threats to web applications. It is important to be aware of the top 10 web application vulnerabilities in 2022.

Setup a Free Notary Server in 15 Minutes with AWS
https://perspectives-project.org/setup-a-free-notary-server-in-15-minutes-with-aws/ (Mon, 04 Jul 2011 09:20:49 +0000)

Note: These instructions are for version 2 of the Perspectives Server software and are now out of date. We will be releasing an updated guide with the next release, version 3.2. For now, please see the Perspectives Server README for up-to-date instructions, or feel free to contact us on the mailing list.

The Good News: it’s now even easier to run a Perspectives Server and you don’t need to install or use the ‘psv-admin’ package. Simply running the server will automatically create a key pair and set up the database if required!

Amazon Web Services (AWS) lets you easily create a server in the “cloud”. In fact, they even let you run a “micro” instance for free, thanks to something called the “free usage tier”.

This post will show you how you can get your own notary running in just 15 minutes using AWS.

First, read about the free usage tier and sign up for an AWS account: http://aws.amazon.com/free/

Then, access the AWS management console to create an instance: http://aws.amazon.com/console/

Click on the “EC2” tab near the top left of the screen, then click the “Launch Instance” button in the main window pane.

Choose an Ubuntu server AMI by clicking on the “Community AMIs” tab and finding a matching image. Here are a couple of things to keep in mind:

  • Make sure the image is free tier eligible (denoted by a yellow star).
  • I use an image with a “Root Store” of “ebs”, as this means that even if this particular instance dies, I can spin up a new instance and reattach the same disk.
  • 64-bit image is suggested.
  • I’ve done most of my testing on Ubuntu Maverick (10.10), but other recent Ubuntu platforms should work as well.  You can see the exact version for an image by reading the “Manifest” field.

In the “U.S East” region, an AMI that matches these criteria is: ami-cef405a7

Select your AMI, and keep the default “Micro” instance.

You will need Amazon to create an SSH key pair, which will automatically be “injected” into the instance, allowing you to access the instance remotely without a password. Give this key a name (e.g., notary) and download it to your filesystem.

After downloading the key, make sure it is only accessible to your user:

Now you can access your machine remotely. Click on “Instances” in the left panel, select your instance’s row in the main pane and view the details box at the bottom. Note the “Public DNS” field, as this is how you will access the machine remotely. For example, run:

Now your notary is up and running! It will respond to notary requests on port 8080. To see the public key the notary uses to sign all of its responses, run:

This is the public key that can be provided to a Perspectives client to authenticate the notary response. The server code comes with a simple client for you to test. To query a website to monitor (called a “service-id” in Perspectives), specify it using the form ::2. For example, for http://www.google.com, run:

The first time you query the notary server for a service, it will not know about it and will return a 404 error, while the notary server launches an “on-demand” probe for that service. Wait a couple of seconds and run the same command again; it should then succeed.

A new version of the Perspectives Firefox Client will soon be released that will let you use your own notary servers as well.

By default, this notary server will run a scan of all known service-ids twice a day, as configured using crontab. You can manually run a scan of all services at any point by running:

Perspectives broken in Firefox 32
https://perspectives-project.org/perspectives-broken-in-firefox-32/ (Sun, 14 Sep 2014 04:49:30 +0000)

Perspectives currently does not work in Firefox 32 and higher. This is a known issue. When Perspectives runs you will see a yellow exclamation icon and the error message “an internal security change error occurred: TypeError: ti.cert.md5Fingerprint is undefined”.

Firefox 32 is the first version in which support for the MD5 hashing algorithm has been removed (see Bugzilla). From a security point of view this is great news: the MD5 algorithm is known to be weak, and software should be moving to better hashes. We also want Perspectives to move to using better hashes.

Unfortunately Perspectives needs some internal fixes before this upgrade can be completed. We are actively working on fixing this error and will update Perspectives ASAP. Thanks to everyone who has contacted us about this issue.

What is GDPR Compliance? (An Overview)
https://perspectives-project.org/what-is-the-gdpr-compliance-an-overview/ (Wed, 19 Sep 2018 20:13:13 +0000)

What is the GDPR

What is GDPR? GDPR stands for the General Data Protection Regulation, which was agreed by the European Parliament and Council in April 2016. It will replace the Data Protection Directive 95/46/EC in Spring 2022 as the primary law regulating how organizations and companies protect citizens’ personal information. Many companies have already started implementing the regulation and are aligned with it; they are also expected to be fully compliant with its new requirements before it comes into force on May 25, 2022. Penalties have been put in place for companies that have not complied with the regulation.

The GDPR applies to every member state of the European Union, with the objective of creating stronger and more consistent protection of consumer and personal data across European nations. Some of the key privacy and data protection requirements of the GDPR include:

  • Obtaining the consent of data subjects before processing their data.
  • Anonymizing collected data to protect privacy.
  • Providing notifications and alerts whenever a data breach has occurred.
  • Carefully handling the transfer of data across borders to ensure its security.

Requirements of the GDPR

The GDPR contains 11 chapters and 91 articles, but some sections have a more significant bearing on security operations than others. Additionally, some member states of the EU require that a data protection officer be appointed if your company exceeds a certain number of employees. One example is Germany, which requires an internal or external data protection officer (externer Datenschutzbeauftragter) for firms over a specific size.

Some of the GDPR chapters and articles are:

  • Articles 17 and 18 – These articles give data subjects more control over personal data that is processed automatically. As a result, data subjects can transfer their personal data between service providers more easily.
  • Articles 23 and 30 – These articles require organizations to put in place substantive data protection mechanisms to protect data confidentiality against loss or exposure.
  • Article 45 – This article extends the data protection requirements to global companies that collect or possess EU citizens’ personal information, subjecting them to the same laws.

A number of companies working towards compliance have recommended the following GDPR checklist, a simple, checklist-style resource to help you on your GDPR compliance path.

The subject of GDPR

The goal of the GDPR is to bring uniformity to data protection law across all EU Member States, so that no member state needs to draft its own data protection rules and the rules are the same throughout the EU. Furthermore, every company that markets its goods or services to people in the EU is subject to the regulation regardless of where it is located. Thus the regulation provides an avenue by which its data protection requirements are implemented globally.

Enforcement and Penalties for non-compliance

GDPR sets standardized rules across the EU, which makes it more enforceable than the previous law. Supervisory Authorities (SAs) hold investigative and corrective powers: they may issue warnings for non-compliance, carry out audits, require an organization to make specified improvements by agreed deadlines, order data to be erased, and block companies from moving data to other countries. GDPR also empowers SAs to issue substantial fines, such as 2% to 4% of the company’s global annual income or ten to twenty million pounds, at their discretion.

What is CyberSecurity?
https://perspectives-project.org/what-is-cybersecurity/ (Sat, 01 Jul 2017 11:10:55 +0000)

You have probably come across the phrase cyber security all too often. It is a phrase that appears online frequently these days. But do you know what it really means? If you answered yes, good job on your part. If you answered no, that is no big deal. Today we dwell on the subject of cybersecurity. We delve deeply into this popular subject to add value to your life in one way or another as our reader. Without further ado, let’s begin straight away:

What is cyber security? It can be defined as the protection of Internet-connected systems from cyber attacks. Such systems include data, software and hardware. In cyberspace, security normally consists of two components:

  • Physical Security
  • Cybersecurity

Both are vital to safeguarding data, software, and hardware from criminals. Physical security prevents the bad guys from physically accessing these materials for ill purposes. It also makes it difficult for them to copy data or software on-site so that they can use it for criminal purposes. A good example of physical security in the world of computing is a flash drive with sensitive data that is protected from getting into the hands of criminals. Another example is a server room that is guarded so that no unauthorized party can gain access to the data or software inside it.

Cybersecurity, on the other hand, is the protection of Internet-connected systems from online criminals. This form of security differs from physical security in that it protects data, software and even hardware online as opposed to on-site. One basic application of cybersecurity is the use of a password to prevent third parties from accessing your social media account. A password that only you know makes sure that nobody else is able to get into your Facebook, Twitter or Instagram account.

What Is the Significance of Cybersecurity In Our Daily Life?

The protection of data, software and hardware online is critical for everybody who uses the internet. Cybersecurity is not only crucial to big organizations, as you may assume. Even you, as an individual, face a constant cyber threat from online criminals.

You probably have a social media account with personal details, which the bad guys can use to steal money from your bank account or locate your residence. After all many social media companies, if not all, require details such as your name, location, mobile number and date of birth to create an account. Without cybersecurity, those details can easily get into the hands of the bad guys who could use those at your disadvantage.

Final Thoughts

When it comes to cybersecurity, what comes into the mind of many people is banks and other big organizations, which are vulnerable to cyber attacks. They assume that this is an issue that only matters to organizations and not the ordinary man. But the truth is that we are all vulnerable to cyber attacks. Just like the banks and other organizations, we face constant cyber threats.

Best Data Security Software in 2022
https://perspectives-project.org/best-data-security-software-in-2022/ (Mon, 30 Jul 2018 09:23:45 +0000)

Data security software protects and encrypts data, directories, and systems against threats, hacks, and mechanical failure. Companies use data security software to ensure the safety of sensitive and confidential data about their business, clients, and customers. Administrators use it to automate tasks like data backups and monitoring for threats and hacks. They also frequently use data security products to verify that data, images, and other sensitive material are encrypted while being shared. Firewalls and authentication tools prevent leaks, while encryption keeps leaked data from being legible or understandable. Data security tools can be used with backup software to avert data loss. Data security products share features with network security and web security products, as they all aim to secure systems and data.

The best security companies offer security suites that combine an assortment of features. Some stick to the basics, while others pile on large numbers of useful extras, from online backup to dedicated ransomware protection. Most security companies offer at least three levels of security product: a standalone antivirus utility, an entry-level security suite, and an advanced suite with extra features. Most entry-level suites include antivirus, firewall, antispam, parental control, and some kind of additional security protection, for example protection against phishing sites, those frauds that attempt to steal your passwords. The newer, advanced “mega-suite” commonly includes a backup component and some type of system tune-up utility, and some also include password managers and other security extras.

The best all-around security software is Norton Security Premium.

Norton has been a popular name in the security world for a long time now. Chances are you’ve used at least one of its products at some point on your PC, as Norton software is frequently bundled with new PCs. In the past, Norton software drew complaints about slowing down the performance of the computer, but that was addressed in recent years, soon after the complaints started, making this an excellent suite for covering every one of your needs.

Besides antivirus protection, there’s an intelligent firewall which provides advanced protection without annoying you with endless pop-ups and warnings. It is highly capable and effective, without affecting your PC’s performance in any way.

For the concerned parent, there are parental controls that limit your child’s web time, the sites they can browse, what they can search for, and whether they’re permitted to access any social media sites. Automatic backups can also be arranged through the suite, with 25 GB of secure cloud storage along with local options.

Other features include a password manager to encourage you to use more complex passwords to stay secure, and a spam filter for taming your inbox. Likewise, security and anti-theft measures are available for your mobile phones, whether Android or iOS based.

Coming Soon: Notary scanning with SNI
https://perspectives-project.org/coming-soon-notary-scanning-with-sni/ (Tue, 26 Mar 2013 04:47:46 +0000)

Soon the heimdal and nine-eyes notaries will be upgraded to scan websites with Server Name Indication. Notaries will display whether they use SNI scanning on their index page:

Notaries will display their SNI status on their index page

This change should only improve notary results and give you more accurate readings for servers that require SNI, but let us know if you run into issues.

Many thanks to Perspectives user Carl for reminding me of this feature and for helping with testing. Thanks!

Future Trends in the Information Technology Industry
https://perspectives-project.org/future-trends-in-the-information-technology-industry/ (Tue, 30 Jan 2018 03:20:55 +0000)

The Importance of Securing Your Web Applications
https://perspectives-project.org/the-importance-of-securing-your-web-applications/ (Wed, 30 Nov 2016 03:19:27 +0000)

Top 10 Firefox Security Testing Extensions
https://perspectives-project.org/top-10-firefox-security-testing-extensions/ (Mon, 22 Apr 2019 17:56:26 +0000)

In addition to being popular, Firefox is one of the most secure browsers globally. There are a number of ways penetration testers and security professionals use Firefox to perform security testing, such as pairing it with an intercepting proxy like Burp Suite or OWASP ZAP. However, the plugins we cover below can be used without any intercepting proxy and give web penetration testers and software developers the ability to perform pen testing and unit testing.

Below are the TOP 10 Web Application Security Testing Extensions for Mozilla Firefox:

1. Firebug

This is among the most effective extensions currently available because it incorporates a web development tool inside the browser, which gives you the ability to edit and debug HTML, JavaScript, and CSS.

2. User-agent switcher

The User-agent switcher extension adds a one-click user agent switch to the browser menu and toolbar. It lets you change the reported user agent whenever you need to, which is useful for spoofing the browser’s identity while testing.

3. FoxyProxy Standard

This is an advanced proxy management extension that improves on the browser’s built-in proxy capabilities. Although other similar proxy management extensions are available, FoxyProxy has more features than any of them. Depending on URL patterns, it switches the internet connection between a number of proxy servers.

4. CryptoFox

This is an encryption and decryption tool for Mozilla Firefox that supports a number of existing algorithms to help you easily encrypt or decrypt data. CryptoFox also has dictionary attack support for cracking MD5 password hashes.

5. NoScript

This extension offers more for security testing than one might imagine, because of its capacity to monitor each script running on a website, which enables you to block any script and check what every script actually does. Because of its complexity, it is better suited to experts than to newbies.

6. Grease Monkey

This extension is the complete opposite of the NoScript add-on. It is mainly used to run scripts after NoScript has blocked them. In addition, it allows you to customize the display of a website using small bits of JavaScript.

7. Hackbar

This is a simple Mozilla extension which can be used by newbies and helps in testing for simple SQL injection and XSS holes, making it easy to check for the existence of these vulnerabilities. It is an encoding and encryption tool that helps in testing for XSS and supports keyboard shortcuts for various tasks. Since it lets you send POST data that bypasses client-side validation, it can effectively be used to find POST-based XSS vulnerabilities.

8. Cookies manager

This add-on is among the best tools ever created for altering cookies. Using Cookies Manager, you can create new cookies and view and edit existing ones, since it displays all the information about each cookie.

9. Tamper data

Tamper Data is great for viewing and modifying HTTP/HTTPS headers and also POST parameters. It lets you alter any request going from your machine to the destination host, which is useful for security testing of web applications.

10. SQL Inject me

This extension is mainly used to find SQL injection issues in applications. Rather than exploiting vulnerabilities, it only reports their existence. The major drawback of this extension is that it could allow an attacker to add and modify information in a database.
