1
00:00:00,460 --> 00:00:05,080
Across the wide world of web security, the OWASP Top 10 is the trusted resource for

2
00:00:05,080 --> 00:00:08,530
the most common vulnerabilities plaguing modern web apps.

3
00:00:08,530 --> 00:00:13,840
Started in 2003, the OWASP Top 10 has been updated most recently in 2017.

4
00:00:13,840 --> 00:00:17,460
The list of vulnerabilities is determined through community agreement

5
00:00:17,460 --> 00:00:18,468
with a comment period for

6
00:00:18,468 --> 00:00:23,150
software release candidates before publishing a final accepted version.

7
00:00:23,150 --> 00:00:27,180
The vulnerabilities are determined using a combination of four risk factors,

8
00:00:27,180 --> 00:00:28,500
including prevalence,

9
00:00:28,500 --> 00:00:31,620
which is the likelihood of an application having the vulnerability.

10
00:00:31,620 --> 00:00:36,050
Detectability, which is the likelihood of an attacker discovering the vulnerability.

11
00:00:36,050 --> 00:00:39,470
Exploitability, which is the likelihood of an attacker successfully

12
00:00:39,470 --> 00:00:41,250
exploiting the vulnerability.

13
00:00:41,250 --> 00:00:42,270
And finally, impact,

14
00:00:42,270 --> 00:00:46,800
which is a typical technical impact if the vulnerability is exploited.

15
00:00:46,800 --> 00:00:50,940
When evaluating each vulnerability, a number of trusted data sources are used,

16
00:00:50,940 --> 00:00:54,850
including HP Security, Veracode and WhiteHat Security.

17
00:00:54,850 --> 00:00:58,290
After each version is published, the top ten framework is then used for

18
00:00:58,290 --> 00:01:02,110
training across the world at companies of all kinds, from Google and

19
00:01:02,110 --> 00:01:04,460
Mozilla to small startups.

20
00:01:04,460 --> 00:01:08,162
In this course we will look at the OWASP Top 10 with specific applications and

21
00:01:08,162 --> 00:01:11,560
Node.js as the back end, and JavaScript as the front end.

22
00:01:11,560 --> 00:01:15,643
However, the vulnerabilities apply to nearly any language on both the server

23
00:01:15,643 --> 00:01:16,439
and front end.

24
00:01:16,439 --> 00:01:21,520
Everything we will discuss, from command injection to security misconfiguration,

25
00:01:21,520 --> 00:01:25,810
can bring down even the most well-reviewed apps at the largest of companies,

26
00:01:25,810 --> 00:01:27,970
no matter the language it was written in.

27
00:01:27,970 --> 00:01:30,200
In the teacher's notes, we've linked to other resources for

28
00:01:30,200 --> 00:01:34,550
the top ten in other languages, though we will cover the general vulnerabilities

29
00:01:34,550 --> 00:01:37,780
in enough detail here that you can apply them elsewhere.

30
00:01:37,780 --> 00:01:42,800
Finally, since the OWASP Top 10 2017 version is currently being revised,

31
00:01:42,800 --> 00:01:46,730
we've decided to cover some of the new additions while leaving out others.

32
00:01:46,730 --> 00:01:50,280
Now, how many times do you think I will say vulnerability or

33
00:01:50,280 --> 00:01:52,190
vulnerabilities in this course?

34
00:01:52,190 --> 00:01:55,590
Well, start making your guesses and place your bets.

35
00:01:55,590 --> 00:01:57,880
Because if you make it through this journey with me, and

36
00:01:57,880 --> 00:02:01,590
you come out on the other side as a web security expert-in-training,

37
00:02:01,590 --> 00:02:03,330
I'll tell you in the final video.

38
00:02:03,330 --> 00:02:04,330
Without further ado,

39
00:02:04,330 --> 00:02:08,880
we will dive into three of the top ten major vulnerabilities in stage two,

40
00:02:08,880 --> 00:02:12,340
which will all cover injection-based attacks against applications,

41
00:02:12,340 --> 00:02:17,044
including command injection, cross-site scripting, and cross-site request forgery.