How We Use the OWASP Top 10
To ensure consistency in our approach to application penetration testing services, Bridewell Consulting use the OWASP Top Ten framework, along with carefully selected industry sources, for our penetration tests.
Below is a full breakdown of the OWASP Top Ten as it applies to application testing.
1. Injection Flaws (Such as an SQL Injection)
These occur when untrusted data is sent to an interpreter as part of a query or command.
2. Broken Authentication
Authentication and session management functions are often implemented incorrectly.
3. Data Exposure
Some applications and APIs can’t adequately protect sensitive data (for example, financial information), which attackers can steal or modify to use fraudulently.
4. XML External Entities (XXE)
XML processors that evaluate external entity references in untrusted documents can be made to disclose internal files.
5. Broken Access Control
Restrictions on what authenticated users are permitted to do must be enforced correctly, as flaws in access control are easily exploited by attackers.
6. Security Misconfiguration
This is the result of insecure default configurations, open cloud storage or misconfigured HTTP headers.
7. Cross-Site Scripting (XSS)
These flaws occur whenever an application includes unvalidated data in a new web page, or updates an existing page with user-supplied data using browser APIs.
8. Insecure Deserialisation
Deserialisation flaws often lead to remote code execution or other attacks.
9. Component Vulnerabilities
Mobile app components (e.g. libraries and frameworks) run with the same privileges as the app, so exploiting a vulnerable component can result in a device or server takeover.
10. Insufficient Monitoring and Logging
Insufficient logging and monitoring, along with ineffective or missing integration with incident response, can leave systems open to further attacks.