1 Top 10 Volunerabilities

Auckland, Conference, OWASP

1 Top 10 Volunerabilities

exploit a pentetest framework

XSS - Cross Site Scripting

put js to form
Beef framework

CSRF

protect endpoints

XXE - Xml EXternal Entity

Mitigations

disable DTD

File Injection

charles a request monitoring tool and modification

demo a cshtml example
if website keep the file name at the same time, like Views/Upload/Cat.jpg
with /images/Views/Upload/x.cshtml

Mitigation

do not persist user supplied name
do not serve directly
do serve off alternate domain / s3 bucket / usercontent.xxx.com

SQLi SQL Injection

no sqldoes not mean no SQLi
tool sqlmap

Mitigation

ORM
direct SQL, parameterize