The Open Web Application Security Project (OWASP) produces methodologies, documentation, tools and technologies for web application security. It publishes the OWASP Top 10, a ranked list of the most critical web application risk categories, roughly every three to four years. VTMScan covers the OWASP Top 10 2017 edition (the latest at the time of writing) and reports the vulnerabilities it finds under those categories.
ESDS VTMScan Detection Techniques
- SQL Injection: We append payloads such as 1' to GET and POST parameters and check whether the response contains a database error message. We test for error-based, Boolean-based and blind SQL injection.
- XML External Entities (XXE): We submit XML payloads containing external entity declarations and check whether the application processes them. We test for error-based XXE, out-of-band (OOB) XXE and XSLT-based XXE.
- Cross-Site Scripting (XSS): We inject payloads such as '><script>alert(/XSS_Check/)</script> into GET and POST parameters and inspect the response; if the payload is reflected back unencoded, we report the parameter as vulnerable.
- Insecure Deserialization: We look for deserialization vulnerabilities in multiple Java frameworks, platforms and applications, including Jenkins, the Seam Framework, RMI over HTTP, Remote, JavaServer Faces and others. We also check for such issues in Servlets, Apache Struts 2 and JBoss Application Server components such as the jmx-console, admin-console, web-console and JMXInvokerServlet.
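The SQL Injection and XSS items above describe the same probe-and-observe loop: inject a payload into a parameter, fetch the page, and decide from the response. The following is an added illustration of that loop, written for this page and not ESDS VTMScan's own code. It runs offline against a constructed in-process stand-in for a web application (`fake_app`, a hypothetical target with a leaky `/product` endpoint and a reflecting `/search` endpoint); the `fetch` argument is the only network-facing seam, so against a real, authorised target you would pass a function that returns `requests.get(url).text`.

```python
import html
import re
import urllib.parse

# Error strings that common database engines leak into HTTP responses when a
# stray quote breaks the query. Constructed list for this example, not exhaustive.
SQL_ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",   # MySQL / MariaDB
    r"Warning: mysqli?_",                       # PHP mysql extensions
    r"unterminated quoted string",              # PostgreSQL
    r"syntax error at or near",                 # PostgreSQL
    r"ORA-\d{5}",                               # Oracle
    r"Unclosed quotation mark",                 # Microsoft SQL Server
    r"SQLite3::(?:query|prepare)",              # PHP SQLite
]
SQLI_PAYLOADS = ["1'", "1\"", "1')"]
XSS_PAYLOADS = [
    "'><script>alert(/XSS_Check/)</script>",
    "\"><svg onload=alert(/XSS_Check/)>",
]


def with_param(url, name, value):
    """Return url with query parameter `name` set to `value`, other params kept."""
    parts = urllib.parse.urlsplit(url)
    q = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    q = [(k, v) for k, v in q if k != name] + [(name, value)]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(q)))


def check_sqli_error(fetch, url, param):
    """Error-based probe: inject a quote and report the first leaked DB error."""
    for payload in SQLI_PAYLOADS:
        body = fetch(with_param(url, param, payload))
        for sig in SQL_ERROR_SIGNATURES:
            m = re.search(sig, body)
            if m:
                return {"param": param, "payload": payload, "evidence": m.group(0)}
    return None


def check_sqli_boolean(fetch, url, param, original):
    """Boolean-based probe: a true condition must leave the page unchanged and a
    false one must change it. Both payloads keep quotes balanced, so an error
    page would not be mistaken for a hit."""
    base = fetch(with_param(url, param, original))
    true_body = fetch(with_param(url, param, original + "' AND '1'='1"))
    false_body = fetch(with_param(url, param, original + "' AND '1'='2"))
    if true_body == base and false_body != base:
        return {"param": param, "technique": "boolean"}
    return None


def check_xss(fetch, url, param):
    """Reflection probe: the payload must come back byte-for-byte unencoded."""
    for payload in XSS_PAYLOADS:
        body = fetch(with_param(url, param, payload))
        if payload in body:
            return {"param": param, "payload": payload}
    return None


# --- constructed stand-in for the target application (not a real server) ----
BOOL_RE = re.compile(r"^(\d+)' AND '(\w+)'='(\w+)$")


def fake_app(url):
    parts = urllib.parse.urlsplit(url)
    q = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/product":
        pid = q.get("id", "")
        # Simulate  SELECT * FROM products WHERE id = '<pid>'  being evaluated
        # by a DB engine: a balanced AND clause is "executed", an unbalanced
        # quote produces the engine's error text.
        m = BOOL_RE.match(pid)
        if m:
            return "<h1>Product %s</h1>" % m.group(1) if m.group(2) == m.group(3) else "<h1>No product</h1>"
        if pid.count("'") % 2 == 1:
            return "You have an error in your SQL syntax; check the manual ..."
        return "<h1>Product %s</h1>" % html.escape(pid)
    if parts.path == "/search":
        return "<input value='%s'>" % q.get("q", "")            # reflected raw
    if parts.path == "/safe-search":
        return "<input value='%s'>" % html.escape(q.get("q", ""))  # encoded
    return "404"


if __name__ == "__main__":
    target = "http://example.test"
    print(check_sqli_error(fake_app, target + "/product?id=1", "id"))
    print(check_sqli_boolean(fake_app, target + "/product?id=1", "id", "1"))
    print(check_xss(fake_app, target + "/search?q=x", "q"))
    print(check_xss(fake_app, target + "/safe-search?q=x", "q"))
```

The Boolean check compares whole response bodies, which is only sound when the page is otherwise static; real scanners strip timestamps, CSRF tokens and similar per-request content before comparing, and typically also use a time-delay payload to cover the fully blind case. The XSS check deliberately requires an exact, unencoded reflection so that an entity-encoded echo (the `/safe-search` case) is not reported.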