Addressing the OWASP Top 10 Application Security Risks with Web Application Isolation: #10 Server Side Request Forgery

Posted on August 1, 2022

The fictional Juice Shop that I set up to demonstrate OWASP Top 10 risks just keeps getting hit. The Juice Shop app, which I created on the HyperQube test platform, is designed to be super vulnerable – with “as many holes as Swiss cheese” – to illustrate the risks.

Server Side Request Forgery, #10 in the OWASP Top 10 app security risks, occurs when a web app fetches a remote resource without validating the user-supplied URL, enabling a criminal to coerce the app into sending a crafted request to a destination the criminal could not otherwise reach. To illustrate, I scan for open ports on the Juice Shop app, a step typically used for reconnaissance to plan an attack and find vulnerable targets.

Ericom Web Application Isolation (WAI), an innovative cloud-delivered security solution that isolates web/cloud applications and their APIs from cyber-threats, operates as a much-improved, perimeter-less “next-gen” WAF solution. To protect against Server Side Request Forgery risks, WAI cloaks apps, making ports and protocols go dark to the web in accordance with the Zero Trust principle of deny by default.

Check out the quick demo right here:


About Dr. Chase Cunningham

Creator of the Zero Trust eXtended framework and a cybersecurity expert with decades of operational experience in NSA, US Navy, FBI Cyber, and other government mission groups, Chase is responsible for Ericom’s overall strategy and technology alignment. Chase was previously VP and Principal Analyst at Forrester Research; Director of Threat Intelligence for Armor; Director of Cyber Analytics for Decisive Analytics; and Chief Cryptologic Technician, US Navy. He’s author of the Cynja series and Cyber Warfare: Truth, Tactics, and Strategies.