
OWASP Top 10 Security Risks-2017

I have written around seven web security and cyber security related articles; in this article I will summarize the latest version of the OWASP Top 10 critical security risks.

What is OWASP?

The Open Web Application Security Project (OWASP), an online community, produces freely-available articles, methodologies, documentation, tools, and technologies in the field of Web application security.

How does OWASP decide the top 10 risks?

The OWASP Top 10 focuses on identifying the most serious web application security vulnerabilities and risks for many different types of companies and organizations.

For each of those risks the OWASP team provides generic information about likelihood and technical impact using a simple rating scheme, based on the OWASP Risk Rating Methodology.

The final version of the 2017 OWASP Top 10 was released on November 21, 2017. According to the OWASP team, the following are the ten most critical web application security risks at present.

OWASP Top 10 year 2017

 A1: Injection
 A2: Broken Authentication
 A3: Sensitive Data Exposure
 A4: XML External Entities (XXE) [NEW]
 A5: Broken Access Control [Merged]
 A6: Security Misconfiguration
 A7: Cross-Site Scripting (XSS)
 A8: Insecure Deserialization [NEW]
 A9: Using Components with Known Vulnerabilities
 A10: Insufficient Logging & Monitoring [NEW]

The OWASP team introduced three new critical security risks in the 2017 release; I will explain those in short.

A4: XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents.
External entities can be used to disclose internal files using the file URI handler,
internal file shares, internal port scanning, remote code execution, and denial of service attacks.


a. Whenever possible, use less complex data formats such as JSON and avoid serializing sensitive data; use XML only where it is really required.

b. Patch or upgrade all XML processors and libraries in use (including XML DLLs), and update SOAP to the latest version.

c. Use a server-side whitelist (allow-list) approach for input validation, filtering and sanitization of XML documents, headers and XML nodes.

d. Validate all external XML/XSL files.

e. Use SAST (static application security testing) tools to detect XXE in source code, and perform manual code review.

f. According to OWASP the safest way to prevent XXE is always to disable DTDs (external entities) completely.

For more details, see the OWASP XXE prevention cheat sheet.
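Since the post is about .NET code, the following is an added example (not from the original post or from OWASP) of the "disable DTDs completely" recommendation in C#: an XmlReaderSettings configured so that any DOCTYPE is rejected and no external resource is ever fetched. The sample XML document and the file path inside it are constructed for the example; the hypothetical PermissiveSettings function shows the configuration a code reviewer should look for and avoid.

```csharp
using System;
using System.IO;
using System.Xml;

// Added example, not from the original post: hardened XML parsing for untrusted input.
public static class SafeXml
{
    // Constructed sample input: a document whose DOCTYPE declares an external entity.
    // A permissive parser would try to resolve the SYSTEM identifier; a hardened
    // parser must refuse the document before any entity is touched.
    public const string UntrustedXml =
        "<?xml version=\"1.0\"?>" +
        "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file\">]>" +
        "<order><note>&ext;</note></order>";

    // The configuration to avoid (hypothetical helper, shown only for contrast):
    // DTD processing on and a resolver that fetches file:// and http:// URIs.
    public static XmlReaderSettings PermissiveSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        XmlResolver = new XmlUrlResolver()
    };

    // The hardened configuration recommended by OWASP: no DTDs, no resolver,
    // and a bound on entity expansion as defence in depth.
    public static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,   // any DOCTYPE raises XmlException
        XmlResolver = null,                       // never fetch external resources
        MaxCharactersFromEntities = 1024          // limits entity expansion attacks
    };

    // Loads untrusted XML into an XmlDocument through the hardened reader.
    // XmlDocument.XmlResolver is also cleared so the document itself cannot resolve anything.
    public static XmlDocument LoadUntrusted(string xml)
    {
        using var reader = XmlReader.Create(new StringReader(xml), HardenedSettings());
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(reader);
        return doc;
    }

    public static void Main()
    {
        try
        {
            LoadUntrusted(UntrustedXml);
            Console.WriteLine("parsed (unexpected)");
        }
        catch (XmlException ex)
        {
            // Expected: DtdProcessing.Prohibit rejects the DOCTYPE.
            Console.WriteLine("rejected: " + ex.Message);
        }

        // A plain document without a DOCTYPE still loads normally.
        XmlDocument ok = LoadUntrusted("<order><note>hello</note></order>");
        Console.WriteLine("note = " + ok.DocumentElement?.InnerText);
    }
}
```

Recent .NET versions already default XmlReaderSettings.DtdProcessing to Prohibit, but setting it explicitly documents the intent and protects code paths that construct their own settings or pass a resolver; in a code review, occurrences of DtdProcessing.Parse or XmlUrlResolver applied to input from the network are the places to check.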

A8: Insecure Deserialization

What are serialization and deserialization?

Serialization converts data into a stream of bytes so that it can be stored or sent over a communication channel; deserialization is the reverse process.

Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.


a. The safest way is not to accept serialized data from untrusted users and untrusted sources.

b. Implement integrity checks such as digital signatures on serialized objects, so that tampered or malicious objects are detected before deserialization.

c. Use strict type constraints during deserialization and serialization, for example allow only a defined set of classes.

d. Isolate and run code that deserializes in a low-privilege environment.

e. Log deserialization failures and exceptions, and monitor incoming and outgoing network connectivity from containers and servers that deserialize, as well as the deserialization activity itself.

f. There are language-specific guidelines and proper coding techniques for developers that prevent this attack; I suggest developers and programmers refer to the following cheat sheet documents from OWASP.
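As an added example in C# (not from the original post or from OWASP), the following combines three of the points above: an integrity check (point b) with HMAC-SHA256 over the serialized bytes, a fixed target type so that only a known class can be produced (point c), and logging of every rejected payload (point e). The SessionState class, the key and the tampering in Main are constructed for the example; a real key would come from a server-side secret store.

```csharp
using System;
using System.Security.Cryptography;
using System.Text.Json;

// Added example, not from the original post: deserialize only data that carries a
// valid HMAC, and only into one known type.
public sealed class SessionState
{
    public string UserId { get; set; } = "";
    public string Role { get; set; } = "user";
}

public static class SignedSerializer
{
    private const int TagLength = 32; // HMAC-SHA256 output size in bytes

    // Serialize to JSON and append the HMAC tag: [json bytes][32-byte tag].
    public static byte[] Protect<T>(T value, byte[] key)
    {
        byte[] body = JsonSerializer.SerializeToUtf8Bytes(value);
        using var hmac = new HMACSHA256(key);
        byte[] tag = hmac.ComputeHash(body);
        byte[] blob = new byte[body.Length + tag.Length];
        Buffer.BlockCopy(body, 0, blob, 0, body.Length);
        Buffer.BlockCopy(tag, 0, blob, body.Length, tag.Length);
        return blob;
    }

    // Returns null (and logs why) unless the tag verifies; unverified bytes are never
    // handed to the deserializer. T is fixed by the caller, so no type name inside the
    // payload can select a different class.
    public static T? Unprotect<T>(byte[] blob, byte[] key) where T : class
    {
        if (blob.Length < TagLength) { Log("payload too short"); return null; }
        int bodyLength = blob.Length - TagLength;
        using var hmac = new HMACSHA256(key);
        byte[] expected = hmac.ComputeHash(blob, 0, bodyLength);
        var tag = new ReadOnlySpan<byte>(blob, bodyLength, TagLength);
        if (!CryptographicOperations.FixedTimeEquals(expected, tag))
        {
            Log("HMAC mismatch, payload rejected");
            return null;
        }
        try
        {
            return JsonSerializer.Deserialize<T>(new ReadOnlySpan<byte>(blob, 0, bodyLength));
        }
        catch (JsonException ex)
        {
            Log("malformed payload: " + ex.Message);
            return null;
        }
    }

    // Point (e): every failure is logged so monitoring can alert on repeated rejects.
    private static void Log(string message) => Console.Error.WriteLine("[deserialize] " + message);

    public static void Main()
    {
        byte[] key = new byte[32];            // constructed demo key
        RandomNumberGenerator.Fill(key);
        var state = new SessionState { UserId = "alice", Role = "user" };

        byte[] blob = Protect(state, key);
        SessionState? ok = Unprotect<SessionState>(blob, key);
        Console.WriteLine(ok is null ? "rejected" : $"accepted: {ok.UserId}/{ok.Role}");

        // Flip one byte inside the JSON body: the tag no longer verifies.
        byte[] tampered = (byte[])blob.Clone();
        tampered[10] ^= 0x01;
        SessionState? bad = Unprotect<SessionState>(tampered, key);
        Console.WriteLine(bad is null ? "rejected" : "accepted (unexpected)");
    }
}
```

System.Text.Json is used deliberately: it never resolves type names embedded in the data, so the "only defined classes" constraint holds by construction, unlike formatters that honour type metadata in the payload.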

A10: Insufficient Logging & Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.


a. Log all login, access and validation failures with sufficient detail; those details let you track and identify suspicious or malicious accounts.

To maintain logs, use a standard centralized log management system.

b. Implement effective monitoring and alerting so that suspicious activities are detected and responded to in a timely fashion.

c. Require an audit trail and monitoring for high-value transactions.

d. Adopt an incident response plan and a recovery plan for the system.

e. Use proper notifications and alerts for suspicious activities.
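The following is an added example in C# (not from the original post or from OWASP) of the monitoring step: a small detector that reads login-failure log lines and raises an alert when one account, or one source address, accumulates too many failures inside a time window. The log format, the sample lines and the thresholds are assumptions constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

// Added example, not from the original post: sliding-window detection of login failures.
public sealed record LoginEvent(DateTime Time, string User, string SourceIp, bool Success);

public static class LoginMonitor
{
    // Constructed sample log lines: "time | user | source ip | result".
    public static readonly string[] SampleLog =
    {
        "2017-11-21T10:00:01Z | alice | 10.0.0.5 | FAIL",
        "2017-11-21T10:00:03Z | alice | 10.0.0.5 | FAIL",
        "2017-11-21T10:00:04Z | bob   | 10.0.0.9 | OK",
        "2017-11-21T10:00:05Z | alice | 10.0.0.5 | FAIL",
        "2017-11-21T10:00:06Z | alice | 10.0.0.5 | FAIL",
        "2017-11-21T10:00:07Z | alice | 10.0.0.5 | FAIL",
        "2017-11-21T10:00:09Z | carol | 10.0.0.5 | FAIL",
        "2017-11-21T10:00:10Z | dave  | 10.0.0.5 | FAIL",
    };

    public static LoginEvent Parse(string line)
    {
        string[] parts = line.Split('|');
        if (parts.Length != 4) throw new FormatException("unexpected log line: " + line);
        DateTime time = DateTime.Parse(parts[0].Trim(), CultureInfo.InvariantCulture,
                                       DateTimeStyles.AdjustToUniversal);
        return new LoginEvent(time, parts[1].Trim(), parts[2].Trim(), parts[3].Trim() == "OK");
    }

    // Counts failures per user and per source IP; an alert is produced the moment a
    // key reaches 'threshold' failures within 'window'.
    public static List<string> Detect(IEnumerable<string> lines, int threshold, TimeSpan window)
    {
        var byUser = new Dictionary<string, Queue<DateTime>>();
        var byIp = new Dictionary<string, Queue<DateTime>>();
        var alerts = new List<string>();
        foreach (string line in lines)
        {
            LoginEvent e = Parse(line);
            if (e.Success) continue;
            Track(byUser, "user " + e.User, e.Time, threshold, window, alerts);
            Track(byIp, "source " + e.SourceIp, e.Time, threshold, window, alerts);
        }
        return alerts;
    }

    private static void Track(Dictionary<string, Queue<DateTime>> table, string key, DateTime now,
                              int threshold, TimeSpan window, List<string> alerts)
    {
        if (!table.TryGetValue(key, out var times)) table[key] = times = new Queue<DateTime>();
        times.Enqueue(now);
        while (times.Count > 0 && now - times.Peek() > window) times.Dequeue(); // expire old failures
        if (times.Count == threshold) // fires once, when the threshold is first crossed
            alerts.Add($"{now:O}: {times.Count} failed logins for {key} within {window.TotalSeconds}s");
    }

    public static void Main()
    {
        foreach (string alert in Detect(SampleLog, threshold: 5, window: TimeSpan.FromMinutes(1)))
            Console.WriteLine(alert);
    }
}
```

With the sample lines above the detector fires twice at 10:00:07Z, once for user alice and once for source 10.0.0.5. Tracking the source address separately is what catches the pattern where one address tries a few passwords against many different accounts, which a per-user count alone would miss.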



Thank you, friends!!


Preventive guidelines to stay safe from Wannacry Ransomware or any other cyber-attack


Previously I shared around seven posts on computer and web security; today I am sharing this post on the latest hot topic, the WannaCry ransomware attack and its prevention. You can use these guidelines as preventive steps against any other cyber-attack. Before listing the steps, I will explain some security terms related to cyber-attacks.

What is malware?

This is a type of malicious software (virus) which is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

What is Ransomware?

This is malicious software designed to block access to a computer system until a sum of money is paid. The software uses cryptovirology to block access to data until a ransom is paid, and displays a message requesting payment to unlock it.

What is cryptovirology?

Cryptovirology is a field that studies how to use cryptography to design powerful malicious software.

What is WannaCry ransomware?

A type of virus that infects computers and then prevents the user from accessing the operating system, or encrypts all the data stored on the computer.
The attacker asks the user to pay a fixed amount of money as a ransom in exchange for decrypting the files or restoring access to the operating system.

Top 10 preventive measures against WannaCry malware or any other cyber-attack:

1. Keep your computers updated

Most cyber-attacks frequently target out-of-date systems; the best example is the WannaCrypt ransomware worm.

a. The best preventive measure is to keep your computer updated.

b. Keep all security software updated; if you are using any third-party security software or tool, keep that updated too.

c. Keep all your other important software updated.

Almost all computers infected by the WannaCry ransomware were not updated with Microsoft's latest security update, or were running the old Windows XP or 2003 operating systems.

Microsoft's guidelines to prevent WannaCry are:

To prevent infection, users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.

For those using Windows Defender, please use the following update

2. Create an internal policy

a. Create a data and internet use policy for your employees.

b. Create a policy for employees to avoid clicking spam and harmful links or fraudulent messages in email, and to avoid using poor passwords.

c. Avoid opening untrusted videos and attachments from emails and websites.

d. Ensure the integrity of the code and scripts used in database, authentication and sensitive systems, and check the integrity of the information stored in the databases regularly.

e. Restrict users from installing and running unwanted and untrusted software applications.

f. Make a policy for remote connections and least-privileged users.


3. Regular backup of important data and files

Keep your files backed up regularly and periodically, including important databases, software, and files/documents.

4. Security software and required security tools

It is recommended to use firewalls, network security tools and anti-virus software.

5. Safe web browsing and external data policy

a. Block harmful and untrusted websites on your network or computer.

b. Follow safe practices when browsing the web. Ensure the web browsers are secured well enough with appropriate content controls.

c. Deploy web and email filters on the network; scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.

d. Implement a strict external device (USB drive) usage policy.

6. Employee awareness, education and knowledge sharing about information and data security

a. Be aware of fraudulent and fake advertisements or spam e-mail messages that use names resembling popular services, such as "PayePal" for PayPal or "gogle" for Google, or that use popular service names with missing or extra characters.

b. Educate employees about data security and security flaws.

c. Educate people on how to use your business systems and company data.

d. Restrict execution of untrusted PowerShell/WSCRIPT scripts and executable code, and disable macros in MS Office products.

7. Hire security experts

a. No single software product or tool on the market is 100% secure; invest in security experts who help protect your business from security risks.

b. One of the best ways to discover whether there are any holes or security risks present in your infrastructure is to hire a security consultant.


8. Create strong passwords and change them frequently

a. Change your passwords frequently and never use the same password for all your accounts; if you do, you are inviting an attack.

b. Create complex and unique passwords that combine numbers, symbols and other factors to ensure they are safe and secure.

9. Security review of your applications

a. Review your web/mobile application security frequently.

b. Penetration testing and full security testing are a must for your web and mobile applications.

10. Verify external links and messages before opening them

a. Never click a link on a web page or website that you do not trust, and never click links from social media that you do not trust.

b. If you receive a message from a friend with a link, ask them to confirm it before opening the link (infected machines send random messages with links).



HTML Encode and Decode in web application

WebUtility.HtmlEncode and WebUtility.HtmlDecode


Previously I shared around six articles on security; in this article I am going to explain what HTML encoding is and how it helps prevent XSS attacks in a web application, and I am also going to explain HTML decoding with a sample example.


The WebUtility.HtmlEncode method converts a string to an HTML-encoded string.

The HtmlEncode method applies HTML encoding to a specified string. This is useful as a quick method of encoding form data and other client request data before using it in your web application.

WebUtility.HtmlEncode converts characters as follows:

=> The apostrophe character (') is converted to &#39;.
=> The less-than character (<) is converted to &lt;.
=> The greater-than character (>) is converted to &gt;.
=> The ampersand character (&) is converted to &amp;.
=> The double-quote character (") is converted to &quot;.

Any character whose code is greater than or equal to 0x80 is converted to &#<number>;, where <number> is the character's code value.

HTML encode and Cross Site Scripting

What is XSS?

Cross-Site Scripting (often abbreviated as XSS) occurs when an attacker uses a web application to send or inject malicious code, such as a browser script, to a different user. This malicious script executes in the victim's browser and can access user resources, trusted website data and critical website information. More info…

How does HTML encoding prevent a possible XSS attack?

Encoding data converts potentially unsafe characters to their HTML-encoded equivalent.

This prevents XSS (cross-site scripting) attacks: if you are going to save data containing a script like the one below into the database and you use the WebUtility.HtmlEncode method to encode the string, the special characters in the actual string (for example "<" is converted to "&lt;") are converted into a safe plain string.

In a web environment this script will then be rendered safely as text rather than actually executing.

Actual Script:

<script type="text/javascript">
    function FetchSomeCriticlInfo() { /* some dangerous script code */ }
</script>

In this case, WebUtility.HtmlEncode (like the classic ASP Server.HTMLEncode) would encode the <, >, and " characters, leaving this:

Encoded Script:

&lt;script type=&quot;text/javascript&quot;&gt;
    function FetchSomeCriticlInfo() { /* some dangerous script code */ }
&lt;/script&gt;



If this encoded string is rendered in the browser, it is displayed as plain text rather than executed, and looks like this:

<script type="text/javascript"> function FetchSomeCriticlInfo() { /* some dangerous script code */ } </script>



HTML Decode


WebUtility.HtmlDecode(String) Method converts a string that has been HTML-encoded for HTTP transmission into a decoded string.


HtmlDecode(String, TextWriter) overloaded method converts a string that has been HTML-encoded into a decoded string, and sends the decoded string to a TextWriter output stream.



The following address is encoded using the WebUtility.HtmlEncode method:

Encoded Address:

Bill Address
Nagnath Kendre
Kendre&apos;s Villa,Kendrewadi


If I want to use this address in an email or display it to the user, I need to decode the &apos; entity back to the actual character.


The following address is decoded using the WebUtility.HtmlDecode method:

Decoded Address:

Bill Address
Nagnath Kendre
Kendre's Villa,Kendrewadi
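To tie the encoding section and the decoding section together, here is an added C# example (not from the original post) that renders untrusted input into an HTML fragment with and without WebUtility.HtmlEncode, and then decodes a stored, encoded address with WebUtility.HtmlDecode for use outside the HTML context. The input strings and the RenderUnsafe/RenderEncoded helpers are constructed for the example.

```csharp
using System;
using System.Net;

// Added example, not from the original post: HTML encoding on output, decoding on the way out.
public static class HtmlEncodingDemo
{
    // Constructed untrusted input of the kind a comment form might receive.
    public const string UntrustedInput =
        "<script type=\"text/javascript\">function FetchSomeCriticlInfo() {}</script>";

    // Unsafe: the raw input becomes markup, so the browser would run the script.
    public static string RenderUnsafe(string input) => "<p>" + input + "</p>";

    // Safe for an HTML text node: <, >, &, " and ' become entities, so the browser
    // displays the text instead of executing it.
    public static string RenderEncoded(string input) => "<p>" + WebUtility.HtmlEncode(input) + "</p>";

    // Reverse the encoding when the stored text leaves the HTML context, e.g. for an e-mail body.
    public static string ToPlainText(string encoded) => WebUtility.HtmlDecode(encoded);

    // Round trip: decoding an encoded string must give back the original text.
    public static bool RoundTrips(string text) =>
        WebUtility.HtmlDecode(WebUtility.HtmlEncode(text)) == text;

    public static void Main()
    {
        Console.WriteLine("unsafe:  " + RenderUnsafe(UntrustedInput));
        Console.WriteLine("encoded: " + RenderEncoded(UntrustedInput));

        // The billing-address scenario: encode before storing, decode before e-mailing.
        string stored = WebUtility.HtmlEncode("Kendre's Villa,Kendrewadi");
        Console.WriteLine("stored:  " + stored);
        Console.WriteLine("e-mail:  " + ToPlainText(stored));

        Console.WriteLine("round trip ok: " + RoundTrips("<>&\"'"));
    }
}
```

Two practical caveats: HtmlEncode is the right encoder only for HTML element content and quoted attribute values; text placed inside a JavaScript block or a URL needs the encoder for that context. And encoding is an output step, so storing the raw value and encoding at render time avoids the double-encoding problems that appear when an already-encoded string is encoded again.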


Thank you, friends!!