OWASP Top 10

https://tryhackme.com/room/owasptop10


Last updated 1 year ago

[Severity 1] Injection

Injection occurs when user-controlled input is interpreted as actual commands or parameters by the application. Examples include (1) SQL injection and (2) command injection, among many others. Where the input is passed into database queries, it allows an attacker to read, modify, and delete information in the database; where it reaches the operating system, it allows arbitrary system commands to be executed on the server, giving the attacker access to that system.

Mitigation:

  • Using an allow list to make sure input is safe

  • Stripping input to remove dangerous characters
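The following is an added example, not code from the TryHackMe room or this page. It shows the SQL injection case from the text against a constructed in-memory SQLite table: a query built by string concatenation, the same lookup with a bound parameter, and the allow-list check from the mitigation list in front of it. The table, the user names and the USERNAME_RE pattern are all assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample table for the demonstration (not from the page).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                 [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")])
conn.commit()

# Assumed allow list: usernames are short, lower-case alphanumerics/underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_vulnerable(name: str) -> list[str]:
    """Vulnerable: user input is pasted into the SQL text, so the database
    engine interprets any quotes or operators it contains as part of the query."""
    query = f"SELECT secret FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(name: str) -> list[str]:
    """Hardened: the value is bound as a parameter and is never parsed as SQL,
    so a string containing quotes is simply compared as a string."""
    rows = conn.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_allowlisted(name: str) -> list[str]:
    """Hardened: reject anything that is not a plausible username before the
    query is built (the allow-list mitigation from the text), then bind it."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username contains characters outside the allow list")
    return lookup_parameterized(name)
```

Running the three functions with a normal username returns the same row; feeding them a value that carries a stray quote shows the difference. Binding parameters is the fix that actually removes the bug; the allow list is defence in depth and also keeps garbage out of logs and error messages.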

[Severity 2] Broken Authentication

Some common flaws in authentication include:

  • Brute force attacks

  • Use of weak credentials

  • Weak session cookies

These can be mitigated by (1) a strong password policy, (2) automatic lockouts after a large number of failed authentication attempts, and (3) multi-factor authentication.

[Severity 3] Sensitive Data Exposure

Sensitive data such as personal information, usernames and passwords, and computer access keys can be exposed during man-in-the-middle attacks, where an attacker forces user connections through a device they control and takes advantage of weak or missing encryption to read the intercepted traffic.

Sense and Sensitivity (Example Box)

Continuing to the login page, basic credentials don't seem to work, so taking a peek at the source shows a little hint:

Navigating to the listed directory at /assets shows a database stored under the website root directory:

There are multiple ways to access the data in a database; the easiest is to use a tool like sqlite3, or sqlitebrowser if you prefer a GUI. Enter the command sqlite3 webapp.db to browse the data:

Username: admin

Password: qwertyuiop

At this point, the credentials can be used to gain full control of the web app and get the flag.

[Severity 4] XML External Entity

An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers and XML data. It gives the attacker interaction with backend or external systems, allowing file reads, DoS attacks, SSRF, port scanning, and in some cases RCE.

  1. In-band XXE > Immediate response to payload

  2. Out-of-band XXE (blind) > No immediate response

Every XML document begins with an XML Prolog:

<?xml version="1.0" encoding="UTF-8"?>

A Document Type Definition, or DTD, defines the structure and the legal elements and attributes of an XML document. An example DTD for a mail-style XML message is as follows:

<!DOCTYPE note [
  <!ELEMENT note (to,from,heading,body)>
  <!ELEMENT to (#PCDATA)>
  <!ELEMENT from (#PCDATA)>
  <!ELEMENT heading (#PCDATA)>
  <!ELEMENT body (#PCDATA)>
]>

An XML file that conforms to the rules of this DTD would look like:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE note SYSTEM "note.dtd">
<note>
    <to>falcon</to>
    <from>feast</from>
    <heading>hacking</heading>
    <body>XXE attack</body>
</note>

XXE payloads are built with the !ENTITY keyword, which assigns a value to a named entity, for example <!DOCTYPE sign [<!ENTITY name "myname">]>, where an entity called name is given the value "myname". An entity declared with the SYSTEM keyword instead takes its value from a URI, which is what lets a payload read a file from the server:

<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>

Methods like this can be used to read critical files such as a user's SSH private key or the /etc/passwd file.
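As an added example (not from the room or this page), here is the standard server-side mitigation: refuse any document that carries a DTD before it reaches the parser. Entities, including SYSTEM entities that read files, can only be declared inside a DTD, so rejecting DTDs closes the whole XXE class. The inputs are the page's note document (with its DOCTYPE line removed, since the check rejects external DTD references too) and the page's file-read payload; the function names and the regular expression are assumptions for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Matches any DTD markup: a DOCTYPE declaration or an inline ENTITY declaration.
DTD_MARKUP = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Reject documents that declare a DTD, then parse with ElementTree.

    This also rejects harmless references such as <!DOCTYPE note SYSTEM "note.dtd">;
    for untrusted input that trade-off is the usual recommendation, because the
    parser then never has a chance to expand an attacker-supplied entity.
    """
    if DTD_MARKUP.search(data):
        raise ValueError("DTD/ENTITY declarations are not accepted")
    return ET.fromstring(data)


# Constructed inputs for the demonstration.
NOTE = b"""<?xml version="1.0" encoding="UTF-8"?>
<note>
    <to>falcon</to>
    <from>feast</from>
    <heading>hacking</heading>
    <body>XXE attack</body>
</note>"""

XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root>&read;</root>"""


def note_to_dict(data: bytes) -> dict:
    """Parse a note document and return its child elements as a mapping."""
    root = parse_untrusted_xml(data)
    return {child.tag: child.text for child in root}
```

If the application genuinely needs DTDs, the alternative is a parser configured with external entity resolution disabled; a pre-parse rejection like this is simpler to audit and works the same way regardless of which XML library sits behind it.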

[Severity 5] Broken Access Control

Broken access control happens when ordinary users can reach protected pages without proper verification, leading to (1) being able to view sensitive information and (2) accessing unauthorized functionality.

IDOR, or "Insecure Direct Object Reference", is the act of exploiting a misconfiguration in the way user input is handled to access resources you wouldn't ordinarily be able to access. It often occurs because a value in a GET or PUT request can be modified without the server checking that the requester is entitled to the referenced object, as in the URL below:

http://$IP/document.php?value=1
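The lookup behind a URL like document.php?value=1, as an added example that is not the room's or this page's code. The first function trusts the value parameter as the only key, which is the IDOR; the second still looks the document up by id but releases it only if the authenticated session owns it. The document store, the user names and the Forbidden exception are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed store standing in for the database behind document.php.
DOCUMENTS = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's payroll summary"),
}


class Forbidden(Exception):
    """Raised when the session may not access the requested object (HTTP 403)."""


def get_document_vulnerable(session_user: str, value: int) -> str:
    """Vulnerable pattern: the ?value= parameter is the only thing consulted,
    so anyone who changes the number in the URL reads anyone's document.
    The session_user argument is available but never checked."""
    return DOCUMENTS[value].body


def get_document_checked(session_user: str, value: int) -> str:
    """Hardened: the id is still used for the lookup, but the object is
    returned only if the authenticated session owns it."""
    doc = DOCUMENTS.get(value)
    # One response for "does not exist" and "not yours", so that valid ids
    # cannot be enumerated by watching which error comes back.
    if doc is None or doc.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not access document {value}")
    return doc.body
```

The ownership check must run on every object-returning endpoint, not only on the page that links to it; the usual IDOR is an endpoint whose author assumed nobody would type a different number.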

[Severity 6] Security Misconfiguration

Security misconfigurations include:

  • Poorly configured permissions on cloud services, like S3 buckets

  • Having unnecessary features enabled, like services, pages, accounts or privileges

  • Default accounts with unchanged passwords

  • Error messages that are overly detailed and allow an attacker to find out more about the system

  • Not using HTTP security headers, or revealing too much detail in the Server: HTTP header
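The last two bullets, the missing security headers and the over-detailed Server header, can be checked mechanically. The following is an added example, not from the room or this page: a small audit over a response's headers with a constructed weak response and a constructed hardened one. The set of headers checked and the "digits in the Server value" heuristic are assumptions chosen for the demonstration.

```python
# Headers a modern site is expected to send, with the reason each matters.
EXPECTED_HEADERS = {
    "Strict-Transport-Security": "forces HTTPS on future visits",
    "Content-Security-Policy": "restricts where scripts and other content may load from",
    "X-Content-Type-Options": "stops MIME-type sniffing",
    "X-Frame-Options": "blocks clickjacking via framing",
}


def audit_headers(headers: dict) -> list:
    """Return a list of findings for one HTTP response's headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, why in EXPECTED_HEADERS.items():
        if name.lower() not in lower:
            findings.append(f"missing {name} ({why})")
    server = lower.get("server", "")
    # A product name alone is acceptable; a version string tells an attacker
    # exactly which advisories to read (assumed heuristic: any digit = version).
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header reveals version: {server!r}")
    if "x-powered-by" in lower:
        findings.append(f"X-Powered-By reveals the stack: {lower['x-powered-by']!r}")
    return findings


# Constructed sample responses (not captured from any real host).
WEAK = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html",
}

HARDENED = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
```

The same check belongs in a deployment pipeline: run it against a staging response and fail the build when findings come back, rather than discovering the gaps during a pentest.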

[Severity 7] Cross-Site Scripting

Cross-site scripting, also known as XSS, is a security vulnerability found in web applications. It allows an attacker to execute malicious scripts in a victim's browser. XSS is possible in JavaScript, VBScript, Flash, and CSS. There are three main types of XSS:

  1. Stored XSS: The most dangerous type of XSS where a malicious string originates from the website's database.

  2. Reflected XSS: The malicious payload is part of the victim's request to the website. An attacker needs to trick a victim into clicking a URL to execute their malicious payload.

  3. DOM-Based XSS: DOM stands for Document Object Model and is a programming interface for HTML and XML documents. It represents the page so that programs can change the document structure, style and content. DOM-based XSS occurs when client-side JavaScript writes attacker-controlled data into the page through that interface, without the payload ever passing through the server.

Examples

Create a popup saying "Hello":

<script>alert("Hello")</script>

Create a popup printing the host IP address:

<script>alert(window.location.hostname)</script>

Create a popup printing the document cookies:

<script>alert(document.cookie)</script>

Change the content of the element with the id "thm-title":

document.getElementById("thm-title").innerText="I am a hacker";
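The server-side half of the defence against the payloads above is output encoding. As an added example (not from the room or this page), here is a page fragment rendered once with the input reflected verbatim and once with the HTML metacharacters encoded. The fragment, function names and the helper that checks for a live script tag are assumptions for the demonstration; the payloads are the ones listed above.

```python
import html


def render_vulnerable(comment: str) -> str:
    """Reflects user input straight into the markup: any <script> it carries
    becomes part of the page and runs in every visitor's browser."""
    return f"<div class='comment'>{comment}</div>"


def render_escaped(comment: str) -> str:
    """Encodes &, <, >, " and ' so the browser displays the text instead of
    parsing it as markup. This is the right encoding for element content;
    attribute values, URLs and inline JavaScript each need their own."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def contains_script_tag(page: str) -> bool:
    """Crude check used to show whether a rendered page still carries a
    script element (the opening tag is what the browser reacts to)."""
    return "<script" in page.lower()


# The payloads from the examples above.
PAYLOADS = [
    '<script>alert("Hello")</script>',
    '<script>alert(window.location.hostname)</script>',
    '<script>alert(document.cookie)</script>',
]
```

The DOM-based variant needs the same discipline in the browser: setting innerText, as the last example above does, inserts text, whereas setting innerHTML with user data would re-introduce the problem on the client side.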

[Severity 8] Insecure Deserialization

Insecure deserialization occurs when data that an application deserializes can be replaced by an attacker with malicious content, allowing DoS and RCE. It leverages the legitimate serialization and deserialization process used in modern web applications.

Cookies are an essential tool for modern websites that feature serialization of user-specific behaviors like items in a shopping cart or session IDs. Cookies can sometimes be modified to access privileged information and services.
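The usual fix for the cookie case is to keep the cookie in a data-only format and sign it, so a modified cookie is detected before anything is deserialized. As an added example (not from the room or this page), here is an HMAC-signed JSON session cookie, together with a function that simulates the tampering a user could do by editing the cookie in their browser. The secret, the session fields and the function names are assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: a server-side secret that never leaves the server.
SECRET = b"constructed-server-secret-rotate-me"


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def encode_cookie(session: dict) -> str:
    """Serialize the session as JSON (data only, nothing executable),
    base64 it, and append an HMAC over the encoded payload."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(raw).decode()
    return f"{payload}.{_sign(payload)}"


def decode_cookie(cookie: str) -> Optional[dict]:
    """Return the session only if the signature verifies; None otherwise.
    json.loads builds dicts, lists, strings and numbers and nothing else,
    so even a valid cookie cannot smuggle in code the way a pickled object could."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _sign(payload)):
        return None  # tampered or forged: reject before deserializing
    return json.loads(base64.urlsafe_b64decode(payload))


def tamper_role(cookie: str, new_role: str) -> str:
    """Simulate a client editing the cookie: change the role inside the
    payload while keeping the old signature (no access to SECRET)."""
    payload, tag = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload))
    data["role"] = new_role
    raw = json.dumps(data, separators=(",", ":")).encode()
    return f"{base64.urlsafe_b64encode(raw).decode()}.{tag}"
```

Two points carry most of the weight here: the format is data-only, so deserializing it cannot run anything, and the signature is checked with a constant-time comparison before the payload is even decoded.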

[Severity 9] Components with Known Vulnerabilities

This happens when an organization uses a service or application with a known vulnerability. Most of the attacker's work has already been done, and it is likely that a proof of concept (PoC) exploit is publicly available.

[Severity 10] Insufficient Logging and Monitoring

Logging allows the monitoring of actions on an application and can also capture attack vectors. Lack of proper monitoring can lead to adverse effects, which include:

  • Regulatory Damage > if personally identifiable user information is stolen and there is no record of it, the owners of the affected application may be subject to fines or more severe actions

  • Risk of Further Attacks > Presence of an attacker would be masked leading to further attacks by stealing credentials, attacking infrastructure, and more

Logs should be secured, with multiple copies stored at different locations. Logging is often most valuable after a breach or incident has occurred. Common examples of suspicious activity include:

  • Multiple unauthorized attempts for a particular action

  • Requests from anomalous IP addresses or locations

  • Use of automated tools

  • Common payloads
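The first two items in that list, and the automatic-lockout mitigation from the Broken Authentication section, come down to counting failed attempts per account and per source address in the authentication log. As an added example (not from the room or this page), here is that detection run over a constructed log; the log format, the lockout threshold and the "expected networks" list are all assumptions for the demonstration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample authentication log (not captured from any real system).
AUTH_LOG = """\
2024-05-01T10:00:01 ip=192.0.2.10 user=alice result=ok
2024-05-01T10:00:05 ip=203.0.113.7 user=admin result=fail
2024-05-01T10:00:06 ip=203.0.113.7 user=admin result=fail
2024-05-01T10:00:07 ip=203.0.113.7 user=admin result=fail
2024-05-01T10:00:08 ip=203.0.113.7 user=admin result=fail
2024-05-01T10:00:09 ip=203.0.113.7 user=admin result=fail
2024-05-01T10:00:12 ip=192.0.2.11 user=bob result=fail
2024-05-01T10:00:20 ip=192.0.2.11 user=bob result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Assumption: the organisation's users normally arrive from this range.
EXPECTED_NETWORKS = [ip_network("192.0.2.0/24")]


def parse(log: str) -> list:
    """Turn each well-formed log line into a dict; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def failed_logins_by(events: list, key: str) -> Counter:
    """Count failed attempts grouped by 'user' or by 'ip'."""
    return Counter(e[key] for e in events if e["result"] == "fail")


def accounts_to_lock(events: list, threshold: int = 5) -> set:
    """Mitigation (2) from the authentication section: accounts that reached
    the failure threshold and should be locked pending review."""
    return {user for user, n in failed_logins_by(events, "user").items() if n >= threshold}


def anomalous_ips(events: list) -> set:
    """Source addresses outside the networks users are expected to come from."""
    return {
        e["ip"] for e in events
        if not any(ip_address(e["ip"]) in net for net in EXPECTED_NETWORKS)
    }
```

In the sample, one address hammers the admin account five times in a few seconds from outside the expected range, while bob's single typo followed by a successful login is left alone; a real deployment would also window the counts by time so that a slow drip of attempts is not missed.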

Sense and Sensitivity (Example Box, continued)

Navigating to http://$BOX_IP/ shows the homepage for a site called "Sense and Sensitivity":

Looking the stored credentials up on a site like https://www.tunnelsup.com/hash-analyzer/ shows that the passwords are most likely MD5 hashes. These can be cracked either online or using a tool like hashcat with the command hashcat -a 0 -m 0 $CREDSFILE rockyou.txt to show the cracked passwords:
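The reason the stored passwords fell so quickly is that they were unsalted, fast MD5 digests. As an added example (not from the room or this page), here is the length-based identification a hash analyzer performs, the weak storage scheme beside a salted, iterated one, and the matching verifier. The function names, the iteration count and the storage string layout are assumptions for the demonstration; no values from the room's database are used.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed heuristic table, the same one an online hash analyzer starts from.
_HEX_LENGTHS = {32: "MD5 (or NTLM/MD4)", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def identify_hash(digest: str) -> str:
    """Classify a digest by length and charset; this is only a hint, since
    several algorithms share an output size."""
    if not digest or any(c not in "0123456789abcdef" for c in digest.lower()):
        return "not a plain hex digest"
    return _HEX_LENGTHS.get(len(digest), f"unknown ({len(digest)} hex chars)")


def md5_store(password: str) -> str:
    """What the sample application did: unsalted MD5. Identical passwords
    give identical hashes, and the function is fast enough that wordlist
    tools test enormous numbers of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 600_000) -> str:
    """Salted, iterated storage: a random per-user salt defeats precomputed
    tables and the iteration count makes each guess expensive."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

A database full of pbkdf2 strings would still be a serious exposure, but each entry would then cost an attacker real compute per guess instead of a lookup, and two users with the same password would no longer be visible as a repeated value.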