OWASP TOP 10

OWASP TOP 10

1. Injection SQL Injection: user controlled input is passed to SQL quieries used by attacker to manipulate outcome of queries Command Injection: user input passed to system commands, used by attacker to execute arbitary system commands on application servers

possibilites: attacker can access, modify and delete information. attacker can steal sensetive information

defence: allow list: input is compared to list of safe input or characters stripping input: characters are removed before being processed

Active Command Injection: returns a response Blind Command Injection: doesn’t return a response

commands to try: Linux: whoami, id, ifconfig/ip addr, uname -a, ps -ef Windows: whoami, ver, ipconfig, tasklist, netstat -an

user’s shell: getent passwd user version of ubuntu running: lsb_release -a print out MOTD (message of the day): cat /etc/update-motd.d/00-header

2. Broken Authentication Authentication and session management -allow users to gain access to web apps by varifying their identities -most common is user and pass mechanism -if correct, server provides the user with a session cookie -A session cookie: web servers use HTTP(s) to communicate which is stateless. Server knows who is sending what data. Server keeps track of users actions -attacker can find flaw in authentication mechanism and gain access to other users’ accounts Brute force attacks: use brute force to guess user and pass Weak credentials: can be accessed without brute forcing and without multiple attempts Weak session cookies: How server keeps track of users, predictable values allows attacker to set their own session cookies and access users’ accounts

Mitigations: -Enforce strong password policy -Ensure app enforces automatic lockout to prevent brute forcing -Implement multi factor auth

3. Sensitive Data Exposure
4. XML External Entitiy -attacker abuses feauters of XML parsers or data -attacker interacts with backend or external systems, allow attacker to read files on the system -DOS, SSRF I. in-band: attacker can receive an immediate response to XXE Payload II. out-of-band: no immediate response from the web application and attacker has to reflect the output of their XXE payload to some other file or their own folder XML: eXtensible Markup Language - defines set rules for encoding documents in a format both human and machine readable XML uses -platform-independent and programming language independent -data can be changed at any point without affecting data presentation -allows validation using DTD and Schema - ensures doc free from any syntax error -simplifies data sharing between systems XML syntax: -Prolog: -root element

falcon feast About XXE Teach about XXE - is the root element -,,, - children elements -xml is case sensitive -attribute and attribute value: Here is a message category = attribute name message = attribute value DTD: -Document type definition -defines the structure and legal elements and attributes of an xml doc !DOCTYPE note: defines a root element !ELEMENT note: defines the root contain these elements !ELEMENT to: defines the 'to' element !ELEMENT from: defines the 'from' element !ELEMENT heading: defines the heading element !ELEMENT body: defines the body #PCDATA: parseable character data

XML External Entity

]> bob jones ]>

&read;

/home/falcon/.ssh/id_rsa

5. Broken Access Control -regular visitor being able to access protected pages -non admin visitor accessing admin pages -IDOR (Insecure Direct Reference) act of exploiting a misconfiguration in the way user input is handled to access resource that an attacker is not able to access

6. Security Misconfiguration -Poorly configured permissions on cloud services(S3 buckets) -unnecessary features enabled -default accounts with unchanged passwords -Error messages that are overly detailed that allow attacker to gain information about the system -not using HTTP security headers

7. XSS Cross-site scripting -injection that can allow an attacker to execute malicious scripts and have it execute on a victim’s machine Stored XSS - malicious string originates from the website’s database (unsanitised user input) Reflected XSS - malicious payload is part of vicitms request to the website (attacker tricks victim into clicking a url) DOM-Based XSS - Programs can change the document structure of DOM XSS Payloads: popups: () write: (document.write) keylogger: log keystrokes of a user port scanner: local port scanner htt

8. Insecure Deserialization -untrusted dat is used to abuse the logic of an application -replacing data processed by an application with malicious code -can result in DOS to RCE -low exploitability: no reliable tool/framework -as dangerous as the attacker’s skill permits -apps that fetch or store data are vulnerable: E-commerce sites, Forums, APIs, Application Runtimes(Tomcat, Jenkins, Jboss..)

9. Components with known vulnerabilities -using tools with known vulns -easy to exploit -could be due to missed update -use https://www.exploit-db.com/ to research exploits

10. Insufficient Logging and MOnitoring -every action performed by user should be logged -logging is important bc of incident tracking -Regulatory damage: attacker gained access to PII without record -risk of futher attacks: presence of attacker may be undetected Information: HTTP status codes, Time stamps, Usernames, API endpoints and IP addresses -logs stored securely -useful after breach or incident -track suspicious activity: Multiple unauthorized attempts for certain action, anomalous IP, use of automated tools, use of common payloads