E: [email protected] W: www.appcheck-ng.com T: 0113 887 8380

AppCheck vs OWASP Top Ten Based on a broad consensus, the OWASP Top Ten defines the current most critical web application security flaws.

The following table outlines how AppCheck identifies these vulnerabilities and helps to mitigate risk.

Category Description AppCheck Coverage

A1:2017-Injection Injection attacks are the most AppCheck performs comprehensive checks for a wide common type of fault found in web range of injection vulnerabilities including: applications, they are usually the • SQL Injection result of unfiltered user input being • NoSQL Injection directly included into command • XPath Injection executions or database queries. • Code Injection • Command Injection • LDAP Injection • Expression Language Injection

The AppCheck Vulnerability Analysis Engine provides detailed rationale behind each finding including a custom narrative to explain the detection methodology, verbose technical detail and proof of concept evidence through safe exploitation.

A2:2017-Broken Sometimes authentication can While crawling an application, AppCheck analyses be implemented incorrectly or session tokens to identify security flaws such as Authentication an application can contain routes insufficient entropy and other common session to sensitive data that haven’t management flaws that could permit session token been correctly protected by an prediction. authentication barrier. In other cases, AppCheck also includes configurable password it can be the session token that is guessing modules to identify weak account credentials vulnerable either to enumeration or within systems such as: not expiring, this can allow an attacker • HTML Form Authentication to guess the session token of another • Outlook Web Access (OWA) user (e.g. an administrator) and take • Content Management Systems (e.g. WordPress) control of their session to steal data. • NTLM/Basic Authentication • Management systems and SSL VPN gateways E: [email protected] W: www.appcheck-ng.com T: 0113 887 8380

AppCheck vs OWASP Top Ten

Category Description AppCheck Coverage

A3:2017-Sensitive This is usually the accidental AppCheck includes multiple plug-ins exposure of files or folders that to identify sensitive data disclosure Data Exposure should not be publicly accessible, vulnerabilities including: for instance a hidden folder • Insufficiently protected administrative called invoices provided for the interfaces convenience of remote workers • Publicly accessible source code or a hidden “.git” directory repositories such as GIT and SVN accidentally served up from the • Publicly accessible archives and files root directory of the web server containing sensitive information which contains all the source • Verbose error and Stack Trace output code for the application. containing sensitive information • Source code disclosure • Hidden folders and files (forced browsing) • Backup and temporary files detection

A4:2017-XML External Many older or poorly configured AppCheck includes a comprehensive XXE XML processors evaluate external module that identifies all forms of XXE Entities (XXE) entity references within XML and related XML injection vulnerabilities. documents. External entities A variety of techniques are employed such can be used to disclose internal as Out-of-Band detection using DNS side files using the file URI handler, channels and Signature based detection. internal file shares, internal port scanning, remote code execution, and denial of service attacks.

A5:2017-Broken Similar to “Broken Authentication Access control mechanisms are validated and Session Management” this by attempting to access components that Access Control is where routes / views within should be restricted or should require the application are not properly prior authentication but fail to protect the protected. For example it’s not resource. uncommon to see that admin Insecure or superficial access control controls are just hidden from the systems that simply hide components but do application menu and that the not properly secure them are also identified. function is not actually restricted from an average user, the application is just relying on it not being visible. E: [email protected] W: www.appcheck-ng.com T: 0113 887 8380

AppCheck vs OWASP Top Ten

Category Description AppCheck Coverage

A6:2017-Security This is often out of date or AppCheck maintains a database of common un-patched frameworks or the configuration faults and out of date or un- Misconfiguration stack on which the framework patched frameworks and will flag these if sits, often it can be a case of detected. changing the settings within the If configured to do so, AppCheck will perform stack to harden the security of the a comprehensive infrastructure assessment setup. For instance many default against all IP addresses and web applications web server SSL setups make defined within the scope. ciphers available with known vulnerabilities.

A7:2017-Cross-Site Cross site scripting is a type AppCheck includes unparalleled XSS detection of injection attack where by capabilities that have been credited by Google, Scripting (XSS) an attacker is able to inject and eBay (among others) via their bug JavaScript content into an bounty programs. Our detection methodology application that runs in a user’s emulates the actions of a skilled consultant browser. Often thought of as by building from suspected case to a fully an attack against the users of exploitable vulnerability whilst avoiding common an application rather than the input filters that cause other scanners to fail. application itself, some more All XSS variants are covered including; complicated XSS attacks target • Reflected & Stored XSS the administration and backend • DOM Based XSS systems of an application (2nd • HTML5 postMessage XSS order attacks). • Adobe Flash XSS • Second order / Delayed Execution XSS

A8:2017-Insecure Insecure deserialization often AppCheck will identify and safely exploit leads to remote code execution. both generic and specific deserialization Deserialization Even if deserialization flaws vulnerabilities across a wide variety of do not result in remote code frameworks and libraries. execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks. E: [email protected] W: www.appcheck-ng.com T: 0113 887 8380

AppCheck vs OWASP Top Ten

Category Description AppCheck Coverage

A9:2017-Using With the rise of the huge number AppCheck includes a regularly updated database of 3rd party components freely containing thousands of known vulnerabilities Components with Known available on the internet for within content management systems, application Vulnerabilities inclusion in applications, it’s not frameworks, server and client-side components. uncommon for a developer to The following dedicated assessment components find a component or library and are also provided by AppCheck: include it in an application to solve • CMS Build review for; , WordPress, a problem or provide a widget. , Magento, and DNN However vulnerabilities are often • Web Server & Proxy vulnerability checks for discovered in these components nginx, Apache, IIS, Tomcat, Struts, F5 Load and either newer versions are balancers plus many more released or they have been • Scanning for known server-side script abandoned. vulnerabilities • Client-Side JavaScript library checks to identify vulnerable and unsupported components

A10:2017-Insufficient Insufficient logging and Through creating a realistic attack scenario, monitoring, coupled with missing AppCheck helps to flex monitoring and Logging & Monitoring or ineffective integration with logging solutions and so can highlight incident response, allows weaknesses and omissions in current attackers to further attack processes, for which our security team systems, maintain persistence, are always on hand to offer advice on best pivot to more systems, and practice. tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

E: [email protected] W: www.appcheck-ng.com T: 0113 887 8380