Name : Muhammad Naveed
SAP ID : 70132747
Section : "T"
Subject : Information Security
Assignment : 4
Topic : Cisco Packet Tracer with extended ACL
Submitted to : Sir Habib Ur Rehman
Q1 : Implementing the ACL
Here is the implementation of an extended ACL on a topology of 3 routers joined by 2 WAN links, with 1 LAN on each router. The following ping tests were carried out in Packet Tracer:
Ping request from the first PC on Router 1's LAN to the first PC on Router 2's LAN
Ping request from the first PC on Router 2's LAN to the first PC on Router 1's LAN
Ping request from the first PC on Router 3's LAN to the first PC on Router 2's LAN
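The evaluator below is an added example, not part of the assignment or of Packet Tracer's own output. It models how IOS walks a numbered extended ACL: top-down, first match wins, wildcard masks (a 0 bit must match, a 1 bit is ignored), and an implicit deny ip any any at the end. The addresses (192.168.1.0/24 behind R1, 192.168.2.0/24 behind R2, 192.168.3.0/24 behind R3, with 192.168.2.10 as a web server), the ACL lines and the function names are assumptions chosen to illustrate the three pings above; in this model the same ACL is checked for both the echo request and the echo reply, as if it were applied on the one WAN interface the traffic crosses. It goes beyond the assignment's ICMP case by also handling a TCP destination port.

```python
"""Simulate Cisco IOS evaluation of a numbered extended ACL (100-199).

Assumed topology (not from the assignment): R1 LAN 192.168.1.0/24,
R2 LAN 192.168.2.0/24, R3 LAN 192.168.3.0/24; 192.168.2.10 is a web server.
"""
import ipaddress

# Constructed ACL, in IOS syntax. Only the forms used here are parsed:
#   access-list <n> <permit|deny> <ip|icmp|tcp|udp> <src> <dst> [echo|echo-reply|eq <port>]
#   <src>/<dst> ::= any | host A.B.C.D | A.B.C.D W.W.W.W   (wildcard mask, not netmask)
ACL_100_TEXT = """
access-list 100 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 echo
access-list 100 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 echo-reply
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.10 eq 80
access-list 100 deny   icmp any any
! implicit, never shown by IOS:  deny ip any any
"""


def _parse_addr(tokens):
    """Consume one address specifier; return (network, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return net, wild


def _wild_match(addr, net, wild):
    """Wildcard semantics: bits that are 0 in the mask must match; 1 bits are ignored."""
    return (addr ^ net) & (~wild & 0xFFFFFFFF) == 0


def parse_acl(text):
    """Turn IOS access-list lines into a list of access control entries (ACEs)."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue  # blank line or '!' comment
        _, _number, action, proto = tokens[:4]
        rest = tokens[4:]
        ace = {"line": " ".join(tokens), "action": action, "proto": proto}
        ace["src"] = _parse_addr(rest)
        ace["dst"] = _parse_addr(rest)
        if proto in ("tcp", "udp") and rest[:1] == ["eq"]:
            ace["dport"] = int(rest[1])          # destination port only (assumption)
        elif proto == "icmp" and rest:
            ace["icmp_type"] = rest[0]           # e.g. echo, echo-reply
        entries.append(ace)
    return entries


def evaluate(entries, proto, src_ip, dst_ip, icmp_type=None, dport=None):
    """Return (action, matched_line) for one packet: first match wins, implicit deny last."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for ace in entries:
        if ace["proto"] not in (proto, "ip"):
            continue
        if not _wild_match(s, *ace["src"]) or not _wild_match(d, *ace["dst"]):
            continue
        if "icmp_type" in ace and ace["icmp_type"] != icmp_type:
            continue
        if "dport" in ace and ace["dport"] != dport:
            continue
        return ace["action"], ace["line"]
    return "deny", "implicit deny ip any any"


def ping_allowed(entries, src_ip, dst_ip):
    """A ping succeeds only if the echo request AND the echo reply are both permitted."""
    req, _ = evaluate(entries, "icmp", src_ip, dst_ip, icmp_type="echo")
    rep, _ = evaluate(entries, "icmp", dst_ip, src_ip, icmp_type="echo-reply")
    return req == "permit" and rep == "permit"


ACL_100 = parse_acl(ACL_100_TEXT)

if __name__ == "__main__":
    for label, src, dst in [("PC1(R1) -> PC1(R2)", "192.168.1.10", "192.168.2.10"),
                            ("PC1(R2) -> PC1(R1)", "192.168.2.10", "192.168.1.10"),
                            ("PC1(R3) -> PC1(R2)", "192.168.3.10", "192.168.2.10")]:
        print(label, "ping", "OK" if ping_allowed(ACL_100, src, dst) else "FAILS")
    print("HTTPS to web server:", evaluate(ACL_100, "tcp", "192.168.1.20", "192.168.2.10", dport=443))
```

The second and third pings fail for different reasons: the ping from R2's PC hits the explicit deny icmp any any, because only echo-reply, not echo, is permitted in that direction, while HTTPS to the web server falls through to the implicit deny, which show access-lists never displays. Both are the first things to check when a Packet Tracer ping fails unexpectedly after an ACL is applied.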
Q2 : Understanding the OWASP Top 10
The OWASP Top 10 is a widely recognized list of the most critical security risks to web applications,
serving as a guideline for developers and security professionals to improve application security. Its
significance lies in raising awareness and providing a framework for addressing common vulnerabilities.
Latest OWASP Top 10 (2021 edition)
1. Broken Access Control: This vulnerability allows attackers to bypass authorization and gain access
to restricted resources or actions. It moved from fifth place in the 2017 list to first in 2021 as the
category with the most occurrences in the applications OWASP analysed.
2. Cryptographic Failures: This category focuses on failures related to cryptography, which can lead
to sensitive data exposure or system compromise.
3. Injection: This occurs when untrusted data is sent to an interpreter (SQL, NoSQL, OS command, LDAP
and others) as part of a command or query, allowing attackers to change the meaning of the command and
execute unintended operations or read data without authorization. The 2021 edition folds cross-site
scripting (XSS) into this category.
4. Insecure Design: This refers to missing or ineffective security controls in the design itself, which
a correct implementation cannot fix because the required control was never specified.
5. Security Misconfiguration: This broad category includes issues arising from incorrect
configurations, leaving systems vulnerable to attacks.
6. Vulnerable and Outdated Components: This vulnerability arises from using components with
known security flaws or outdated versions that lack security patches.
7. Identification and Authentication Failures: This occurs when systems fail to correctly identify
and authenticate users, often due to weak password policies or lack of multi-factor authentication.
8. Software and Data Integrity Failures: This focuses on assumptions made about software updates
and critical data without verifying their integrity.
9. Security Logging and Monitoring Failures: This vulnerability involves insufficient logging and
monitoring, which can allow attackers to operate undetected.
10. Server-Side Request Forgery (SSRF): This occurs when a web application fetches a remote resource
from a user-supplied URL without validating it, so an attacker can make the server send requests on
their behalf, potentially reaching internal systems that are not exposed directly.
Detailed Analysis of Two Vulnerabilities
1. Broken Access Control
• Explanation: Broken access control occurs when an application does not properly enforce access
restrictions, allowing users to read or modify data, or perform actions, outside their intended
permissions.
• Example: An attacker changes an account identifier in a request URL (for example id=101 to id=102)
and receives another user's record, because the server checks only that the caller is logged in, not
that the record belongs to them (an insecure direct object reference, IDOR). The same failure at
function level lets an ordinary user open an admin page simply by knowing its URL.
• Detection Tools:
• OWASP ZAP: A dynamic application security testing tool that can help identify access control
issues when the same requests are replayed under different user sessions.
• Burp Suite: An intercepting proxy and web vulnerability scanner; modifying identifiers and replaying
requests from a lower-privileged session is how broken access control is tested by hand.
• Mitigation: deny by default, enforce authorization on the server for every request (ownership and
role checks, never hidden URLs), and log and alert on access control failures.
Real-life Incident: In 2019, a major social media platform experienced a data breach attributed to
broken access control, which allowed attackers to access private user data. The incident highlighted
the importance of proper access control measures and led to significant reputational damage and financial loss.
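The handler pair below is an added example written for this page, not code from the assignment or from OWASP. It shows the insecure direct object reference described above beside the deny-by-default version, plus a function-level check for the admin page; the users, account records, role names and the idor_probe helper are constructed assumptions.

```python
"""Broken access control: an IDOR handler beside its deny-by-default fix (constructed example)."""

# Constructed users and records (assumption): two customers and one administrator.
USERS = {
    "alice": {"role": "customer"},
    "bob": {"role": "customer"},
    "carol": {"role": "admin"},
}
ACCOUNTS = {
    101: {"owner": "alice", "balance": 2500},
    102: {"owner": "bob", "balance": 90},
}


class Forbidden(Exception):
    """Raised where a web handler would return HTTP 403 (or 404, see get_account_fixed)."""


def get_account_vulnerable(session_user, account_id):
    """GET /account?id=<n> as it is often written: the handler checks that the
    caller is logged in but never checks that the record belongs to them, so any
    authenticated user can walk id=100, 101, 102, ... and read every account."""
    if session_user not in USERS:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]


def get_account_fixed(session_user, account_id):
    """Deny by default: ownership is checked server-side on every request, and
    administrators are allowed through by role, not by a hidden URL."""
    user = USERS.get(session_user)
    if user is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_id)
    # Missing and forbidden get the same response so the endpoint cannot be
    # used to enumerate which ids exist.
    if record is None or (record["owner"] != session_user and user["role"] != "admin"):
        raise Forbidden("not found")
    return record


def admin_panel(session_user):
    """Function-level control: the admin page is protected by role, not by secrecy of its URL."""
    user = USERS.get(session_user)
    if user is None or user["role"] != "admin":
        raise Forbidden("not found")
    return sorted(ACCOUNTS)


def idor_probe(handler, attacker, ids):
    """Simulate an attacker iterating ids through a handler; return the ids that leaked."""
    leaked = []
    for account_id in ids:
        try:
            handler(attacker, account_id)
            leaked.append(account_id)
        except (Forbidden, KeyError):  # KeyError: the vulnerable handler on a missing id
            continue
    return leaked


if __name__ == "__main__":
    print("vulnerable, bob sees:", idor_probe(get_account_vulnerable, "bob", range(100, 105)))
    print("fixed, bob sees:     ", idor_probe(get_account_fixed, "bob", range(100, 105)))
    print("fixed, carol (admin):", idor_probe(get_account_fixed, "carol", range(100, 105)))
```

The vulnerable handler is not missing authentication, which is the usual misunderstanding; it is missing authorization on the object. Testing for this with ZAP or Burp is exactly what idor_probe does by hand: take a request that worked for one user, replay it from another user's session with the identifier changed, and see whether the server still answers.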
2. Injection
• Explanation: Injection vulnerabilities occur when an application sends untrusted data to an
interpreter, allowing attackers to execute arbitrary commands or queries.
• Example: SQL injection is a common type of injection attack where an attacker can manipulate
SQL queries by injecting malicious SQL code through input fields, potentially gaining access to
the database.
Detection and Mitigation Tools:
• SQLMap: An open-source penetration testing tool that automates the process of detecting and
exploiting SQL injection vulnerabilities.
• OWASP Dependency-Check: A software composition analysis tool that flags third-party components with
known vulnerabilities (some of which are injection flaws). It inspects dependencies, not the
application's own queries, so it complements rather than replaces testing with SQLMap or code review.
• Mitigation: use parameterised queries or prepared statements so that input is bound as data and never
concatenated into the query text, validate input on the server, and run the database account with
least privilege to limit what a successful injection can read.
Real-life Incident: The 2017 breach of a major credit reporting agency, which exposed sensitive
information of millions of people, is often cited as an injection case. It was actually caused by an
unpatched remote code execution flaw in the Apache Struts web framework (an injection of
attacker-controlled OGNL expressions through an HTTP header, CVE-2017-5638), which also makes it a
textbook case of category 6, vulnerable and outdated components. The breach resulted in significant
financial penalties and loss of consumer trust.
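The login function pair below is an added example written for this page, not code from the assignment, OWASP or SQLMap. It runs against an in-memory SQLite table with constructed rows and shows the same query built by string concatenation and with bound parameters, with the two classic payloads (comment truncation and a tautology) sent to each. Plaintext passwords are kept only to make the query visible; a real system compares hashes.

```python
"""SQL injection in a login query, vulnerable and fixed forms (constructed example)."""
import sqlite3

# Constructed payloads an attacker types into the username / password fields.
PAYLOAD_COMMENT = "admin'-- "        # closes the string, comments out the password check
PAYLOAD_TAUTOLOGY = "' OR '1'='1"    # makes the WHERE clause true for every row


def make_db():
    """Build a throwaway in-memory users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "S3cret!", "admin"),
        ("alice", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """The query is assembled as text, so the input is parsed as SQL.
    Returns the matching (username, role) rows; a real app would treat
    any returned row as a successful login."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s' ORDER BY username" % (username, password))
    return conn.execute(sql).fetchall()


def login_fixed(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately,
    so a quote or comment marker in the input is just characters to compare."""
    sql = ("SELECT username, role FROM users WHERE username = ? "
           "AND password = ? ORDER BY username")
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run both handlers against a legitimate login and the two payloads."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "hunter2"),
        "comment_vulnerable": login_vulnerable(conn, PAYLOAD_COMMENT, "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", PAYLOAD_TAUTOLOGY),
        "legit_fixed": login_fixed(conn, "alice", "hunter2"),
        "comment_fixed": login_fixed(conn, PAYLOAD_COMMENT, "wrong"),
        "tautology_fixed": login_fixed(conn, "nobody", PAYLOAD_TAUTOLOGY),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

With the comment payload the vulnerable query collapses to WHERE username = 'admin' and logs the attacker in as the administrator with no password at all; with the tautology it returns every row. The parameterised version returns nothing for either, because the payload is compared as a literal username or password rather than interpreted. This is the behaviour SQLMap probes for automatically.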