This course will be retired on June 1, 2025.

Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

OWASP Top 10 Vulnerabilities

Preview

Start a free Courses trial
to watch this video

Sign up for Treehouse

Next Steps

2:04 with Jared Smith

Over the last three stages, we’ve covered all top 10 of OWASP’s most common web security vulnerabilities, including how to mitigate them in practice in JavaScript and Node.js applications. From here, the options for learning are limitless. Many online and offline tools are available to practice web security, from exploiting vulnerable apps setup in VMs to online “war” games, this video will explore many of those options.

Further Reading:

Vulnerable web applications (and software applications)

  • WebDojo - Has an array of different vulnerable websites built in that you can follow along tutorials while exploiting them.
  • Gruyere A VM and web application that shows how web application vulnerabilities can be exploited and how to defend against these attacks. You get to do real penetration testing, actually exploiting a real application
  • OWASP Broken Web Apps Project - A VM for exploring many broken web apps and learning about web security along the way.
  • Protostar - Introduces in a friendly way, network programming, byte ordering, handling sockets, stack overflows, format strings, and heap overflows.
  • Nebula - Takes the participant through a variety of common (and less than common) weaknesses and vulnerabilities in Linux, including permissions, $PATH weaknesses, race conditions, SUID files, and more.

Online security challenges
OverTheWire - Has several very focused wargames, including:

  • Bandit - A fun intro to the command line
  • Natas - Website exploitation
  • Krypton - Intro to Cryptography
  • Semtex - Programming and networking challenges
  • EnigmaGroup - Has a wide selection of wargames. Notable are the multi-stage “realistic scenarios”.
  • HackThisSite - Another wide selection. The ‘Basic’ and ‘ExtBasic’ challenges are good introductory material.
  • SmashTheStack - Binary exploitation, buffer overflows, disassembly and more fun
  • MicroCorruption - Embedded security, assembly, and binary exploitation
  • MicroCorruption - Embedded security, assembly, and binary exploitation
  • CryptoPals - Introduction to breaking cryptography
  • Pwnable - More reverse engineering challenges
  • W3Challs - Wide range of challenges and learing: "Hacking, "Cracking, Wargame, Forensic, Cryptography, Steganography and Programming"
  • IO NetGarage - More reverse engineering challenges, harder than others

Beyond Web Application Security
Network Security:

Cryptography:

Reverse Engineering and Malware Analysis:

Digital Forensics and Incident Response:

Related Discussions

Have questions about this video? Start a discussion with the community and Treehouse staff.

Sign up

    Related Discussions

    Have questions about this video? Start a discussion with the community and Treehouse staff.

    Sign up

    That's a wrap. 0:00
    You've made it through the OWASP Top Ten, and now you should have 0:01
    a clear understanding of the most common vulnerabilities in web applications. 0:03
    We've explored each vulnerability at a high level, and 0:08
    the specifics of how each vulnerability occurs. 0:10
    Then we've looked at how we can prevent each issue. 0:13
    Finally, we explored how each occurs in a real Node.js and JavaScript application. 0:16
    From here, the world of web application security is yours for the taking. 0:20
    With a solid foundation in basic application security fundamentals, 0:24
    you should begin diving into the more complex subject areas. 0:28
    However, as you go in your security journey, you should always be practicing. 0:31
    Practice, practice, practice. 0:35
    Just like you can't learn how to do complex mathematics without working out 0:37
    math problems or proofs, the same is true of learning about security. 0:40
    On that note, the teacher's notes for 0:44
    this final video list many avenues to honing your security skills, 0:46
    including online security competitions, security challenges, and 0:50
    other vulnerable applications like the one here for you to exploit and learn from. 0:53
    Among the resources listed, vulnerable applications such as Google Gruyere and 0:58
    Web Dojo are great resources. 1:02
    These are virtual machines that you can download and install, which explore many 1:04
    of the same issues here more in-depth and in a simple form for practice. 1:08
    Other sites contain many of the security challenges we've discussed in small, 1:11
    manageable challenge problems which may ask you to reverse some web application, 1:15
    break some simple cryptographic algorithm, or crack hash passwords. 1:20
    When you're tired from practicing, 1:24
    start learning about other web application areas of security. 1:26
    Web application security is supported by dozens of other fields of security, 1:29
    including cryptography, which lets us have things like SSL, and network security, 1:33
    which lets the web exist securely in the first place. 1:37
    All of these areas are extremely useful to know for 1:40
    careers in software engineering, web development, computer science, and beyond. 1:42
    Before I forget, it was 55. 1:46
    55 times I said vulnerability or vulnerabilities. 1:48
    If you don't realize that security is important by now, well, maybe watch 1:52
    the course again and don't pay so much attention to when I say vulnerability. 1:56
    I hope you enjoy this course in web application security, and 1:59
    I really can't wait to see you again soon. 2:02

    You need to sign up for Treehouse in order to download course files.

    Sign up

      You need to sign up for Treehouse in order to set up Workspace

      Sign up