OWASP TOP 10 (2021)
--
Hey amazing hackers,
Today, I will be talking about OWASP TOP 10 vulnerabilities in web security endpoint. Before covering this concept, i will inform you what kind of attacks may be shown in real web attacks.
I will use tryhackme’s OWASP room to illustrate the attack vectors. https://tryhackme.com/room/owasptop10
- command injection
- broken authentication
- sensitive data exposure
- XML External Entities
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging & Monitoring
Hopefully, you will like this blog. I will be trying to explain this concept understandably.
Command Injection
With command injection, you can literally do everyting . This attack occurs when server-side like (PHP) in a web application makes a system call. An API endpoint generates bash commands, including a request from a client. Being able to use this attack the server should be potentially vulnerable, you can use linux or windows commands either .
Linux:
- whoami
- id
- ifconfig
- uname -a
- ps -ef
Windows:
- whoami
- ver
- ipconfig
- tasklist
- netstat -an
- checking if any command is set or not.
- if it is, then variable $command_string gets what was passed to the input field
- The program then goes into a try block to execute the function
passthru($command_string)
is a function in PHP for more detail you can read the docs “passthru()” on https://www.php.net/manual/en/function.passthru.php - if it is not succeed, you will be prompted with an error message
it is neccessary to code/template your own evil.php to be used properly.
Broken Authentication
This attack happens every single day. Most web mechanisms use authentication as username and as password to be accessed to the server. Many of the most common authentication vulnerabilities can be occurred when a threat actor is able to brute force usernames and passwords without any server drops. It is also possible when a normal user uses weak credentials. When we talk about this attack, it is important to use strong credentials to be not compromised at all.
Weak session cookies, this can be done that the server keeps track of users. If such cookies contain predictable value, a threat actor will be able to set their own session cookie and access users’s account.
if an attacker is able to find flaws in an authentication mechanism, they would then successfully gain access to other users’ accounts. This would allow the attacker to access sensitive data (depending on the purpose of the application).
Lets suppose a scenario, i was going to register a user account called “darren” however, i got a response from the server that “this user is already registered”. Now the goal is finding logic flaw withing the authentication mechanism.
This attack was quite simple. I was able to register a user called “darren” the trick is that registered as “space” and then “darren” because we know that, this server is vulnerable by authentication mechanism. I will be able to see the content present only in Darren’s account.:)
Sensitive Data Exposure
When a webapp accidentally divulges sensitive data, we called as “Sensitivie Data Exposure” because it will be linked to sensitive information of a user such as; password, creditcard-info, place, birthday, and more.. thus we refer as high critical vulnerability in OWASP. A threat actor would also be able to force user connections through a device which they control, and also take advantage to decrypt, weak encryption of any transmitted data (Man In The Middel).
SQL syntax will be used in this scenario. Please follow the steps.
- We just used NMAP to know which port is open. We directly see that port 80 is active. Lets take a look
2. Just a normal website however, we are able to use “gobuster” lets do that.
3. “/assets” seems interesting
4. As you can see “webapp.db” this looks vulnerable. I am going to download this .db file to my desktop
5. When I used “file” command, it says that this a SQLite 3.x database file. With help of “sqlite3” command you will be able to access to this database “strange ” does it not?
6. First of all, I used “PRAGMA” table_info(users); this means the definition of that.
The PRAGMA statement is an SQL extension specific to SQLite and used to modify the operation of the SQLite library or to query the SQLite library for internal (non-table) data. (https://www.sqlite.org/pragma.html)
7. Immediately, userId, password, admin are being popped up thus furthermore, syntax “select * from users;” will be superb to be used.
8. Now you are able to crack this hashes.
XML External Entities
An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. The magic behind an XXE attack is that the XML specification includes a special annotation for importing external files.This special directive, called an “external entities”
In this scenario, we will be working with payload. It is useful to know HTML but it is not mandatory.
- This payload should be easy. We are going to be able to insert our payload in this markup language
- As we can see we are defining a
ENTITY
calledname
and assigning it a valuefeast
. Later we are using that ENTITY in our code.
3. In this payload, you should see that “!ENTITY read SYSTEM” this will be accessed to the main server which is high critical, “/etc/passwd” shall be read by attackers.
You may implement whatever you want. The main idea behind this scene is that its vulnerable (severity 4)
I am going to use this payload to the server. Just understand!!
As you can see, i have used the payload above. It will be superb when you intercept your proxy via Burp
send it to repeater and get your result.:)
Broken Access Control
This vulnerability can be given a huge problem to the admin of that server. Websites have pages that are protected from regular visitors thus that means, that regular users are not allowed to view sensitive information.
The application uses unverified data in SQL call, which can lead to access account information.
pstmt.setString(1, request.getParameter(“hack”));
ResultSet results = pstmt.executeQuery( );
An attacker simply being able to modify the ‘hack’ parameter in the browser to post whatever account number they want. If not properly verified, the attacker shall be able to access any user’s account which is hazardous.
example:
http://example.com/app/accountInfo?hack=notmyacct
In this scenario, we will be able to manipule the access control called “IDOR” (Insecure Direct Object Reference)
This attack will be configured to be mislead in the way user input is handled, which you normally would not be able to access.
For example, let’s say we’re logging into our bank account, and after correctly authenticating ourselves, we get taken to a URL like this https://example.com/bank?account_number=1234.
“account_number” will be interesting. You can just turn intercept on Burp suite and send it to intruder to brute force 4 digit numbers randomly.
I logged in as “noot” but as you can see “note ” is interesting one, i am going to send this request to intruder.
Awesome!! “note=0” as you can see the lenght of “?note=0” is 196 that means we got something.
Security Misconfiguration
This vulnerability is distinct from OWASP top 10, because it happens when security could have been configured but was not. The application might be vulnerable if the application is:
https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
- For upgraded systems, the latest security features are disabled or not configured securely.
- Unnecessary features are enabled or installed (e.g., unnecessary ports, services, pages, accounts, or privileges).
It can also be occured, when users are using default password, which should be changed by privileged user.
In October 2016, Dyn (a DNS provider) was taken offline by one of the most memorable DDoS attacks of the past 10 years. The flood of traffic came mostly from Internet of Things and networking devices like routers and modems, infected by the Mirai malware.
From this perspective, malware has had list of 63 username/password pairs.
source: https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/
- First step, try to investige for default credentials .
- Try to login
3. Boom!!
Cross-Site Scripting
Cross-site scripting, also known as XSS is a security vulnerability typically found in web applications. XSS attack functions by taking advantage of the fact that web applications execute script on users’s browser.
XSS can be categorized a number of ways, with the big three being:
- Stored XSS (the code is based on a database)
- Reflected XSS (the code is not stored in a database)
- DOM-based (the code is both stored and executed in the browser)
Being able to familiarize with XSS payloads you can check → https://github.com/swisskyrepo/PayloadsAllTheThings
Stored XSS
This attack is probably the most common type of XSS attack. This attack is very interesting because they are the easiest type of XSS to detect, but it can be one of the most dangerous type of XSS.
the malicious payload is part of the victims request to the website. The website includes this payload in response back to the user.
Reflected XSS
Reflected XSS attacks, on the other hand, operate identically to stored XSS attacks but are not stored in a database as i mentioned. To trick the user, an attacker should be able to force a victim into clicking a URL to execute their malicious payload.
DOM-BASED XSS
OM stands for Document Object Model and is a programming interface for HTML and XML documents. It represents the page so that programs can change the document structure, style and content. Some browser might be vulnerable while others are not. These attacks are much more dificult to find and take advantage of being reflected or stored XSS.
Enough theory. Lets get started in the practical manner.
We will start off with “reflected XSS”
Easy like that.
“Popup’s (<script>alert(“Hello World”)</script>” you can also use XSS keylogger :)
Now, we are going to use “stored XSS”
- I was able to create an account called hacker
- I saw a comment section in this website, thus I was going to use “<p> I am the best hacker in the world.</p>”
- We are done :) You can also use advanced payloads however.
Insecure Deserialization
“Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application” (Acunetix., 2017)
This attack leads to DDOS or RCE when data is misconfigured. The attacker is able to replace malicious code into data processed application.
Attacker shall be able to do anything by that, such as DDOS attack and RCE(remote code execution), it depends by attackers’s skill permits, how exploit will be leveraged huge damage to the server to be compromised.
OWASP rank this vulnerability as 8 out of 10 because of the following reasons:
This vulnerability is a often case-by-case, there is no reliable, trustful tools for that. Attackers should have to have a good understanding of the inner-workings of the ToE.
Deserialization
Lets focus on this attack. For instance, you have a password “weakpassword” from a program that needs to be converted to binary of course, this password should be stored as “weakpassword” and not its binary notation. Once this reaches the database, it is converted or deserialised back into “password” so it can be stored.
for more info → https://crashtest-security.com/insecure-deserialization/
Using Components with Known Vulnerabilities
This attack vector might be very known by pentesters, because when a system has not been patched/updated, the possibility is that the system will be compromised because of known CVEs.
Hence, why OWASP has rated this a 3(meaning high) on the prevalence scale, it is incredibly easy for a company to miss an update for an application.
I will demonstrate you a lab on Tryhackme, which explains it very well
Please follow the steps…
- As you can see, it is important to scan the IP address for open ports(port 22, 80 are open)
2. “CSE bookstore” is being used. Lets research this, maybe we will be able to find some exploits…
3. We found a useful exploit
4. I always recommend you to view the code before attempting the exploit.
5. BOOM being exploited :)
Insufficient Logging & Monitoring
When you surf on Internet, web applications are set up to save everything in log files. Logging is important because in the event of an incident, the attackers actions can be traced. There is one problem about this event. Those logs save some sensitive information about users, thus it is important to ensure that such logs transfer securely and being saved multiple copies to store at different locations.
I will show an example. Stay bare with me.
As you can see above, we got a log file from untrusted network, but that is fine we do not know about them however, we do know what kind of users they have. We are seeing that, they have some users, IP, privileged users, and more…
They are forcing us to compromise their machine :)
Its most likely vulnerable for all companies in the world.
Summary
First of all, thanks for reading this blog about OWASP. For more information about OWASP, you can get more information on https://owasp.org/
If you are interested in such things, please follow me and subscribe… and share with your friends.
Ahmet Göker | Exploit researcher | malware Researcher| Cryptanalyst | CTF player | Reverse Engineering
You can follow me on:
Linkedin: https://www.linkedin.com/in/ahmetg%C3%B6ker/
Twitter: https://twitter.com/TurkishHoodie_
Youtube: https://www.youtube.com/c/TurkishHoodie