1 Top 10 Vulnerabilities

exploit: a pentest framework

XSS - Cross Site Scripting

  • inject JS into a form field
  • BeEF framework

CSRF

  • protect endpoints

XXE - XML External Entity

Mitigations

  • disable DTD processing

File Injection

Charles: a tool for monitoring and modifying requests

Demo: a cshtml example.
If the website keeps the user-supplied file name as-is, e.g. storing an upload as Views/Upload/Cat.jpg,
then an upload named /images/Views/Upload/x.cshtml is kept under that name too.

Mitigation

  • do not persist the user-supplied file name
  • do not serve uploads directly from the application
  • serve them from an alternate domain (S3 bucket, usercontent.xxx.com)
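The three mitigations above, as an added Python example (not from the notes, which use an ASP.NET/cshtml scenario): the client's file name is kept only as metadata, the on-disk name is random with an extension derived from the content, and the returned URL points at an assumed separate user-content host.

```python
import secrets
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Constructed allow-list: the extension comes from the bytes we actually
# accept, never from the client-supplied name.
ALLOWED_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Assumed separate origin for user content; the app is never served from here.
USERCONTENT_HOST = "https://usercontent.example.com"

def sniff_extension(data: bytes) -> Optional[str]:
    """Map the file's leading bytes to an allow-listed extension, or None."""
    for magic, ext in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def stored_name(data: bytes) -> str:
    """Name used on disk: random base name plus content-derived extension.
    Nothing the client sent (Views/Upload/x.cshtml, ../ etc.) reaches the path."""
    ext = sniff_extension(data)
    if ext is None:
        raise ValueError("upload rejected: content is not an allowed image type")
    return f"{secrets.token_hex(16)}.{ext}"

def save_upload(client_name: str, data: bytes, root: Path) -> Dict[str, str]:
    """Write under `root` (outside the web tree); original name is metadata only."""
    name = stored_name(data)
    root.mkdir(parents=True, exist_ok=True)
    (root / name).write_bytes(data)
    return {
        "original_name": client_name,          # for display/metadata only
        "stored_as": name,
        "url": f"{USERCONTENT_HOST}/{name}",   # served off the alternate domain
    }

def demo() -> Dict[str, str]:
    """Upload named like a Razor view but carrying JPEG bytes: stored as <random>.jpg."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed JPEG header
    with tempfile.TemporaryDirectory() as tmp:
        return save_upload("/images/Views/Upload/x.cshtml", jpeg, Path(tmp))
```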

SQLi - SQL Injection

  • NoSQL does not mean no SQLi
  • tool: sqlmap

Mitigation

  • use an ORM
  • for direct SQL, parameterize queries