OWASP top 10 vulnerabilities

OWASP TOP 10 VULNERABILITIES
Ashutosh Kumar Bharti
Student of Lucideus training institute. Batch: 5PM-7PM.

LUCIDEUS - SECURING CYBER SPACE
NSIC Campus, Software Technology Park Extn, Okhla Phase III, New Delhi - 110020
Call us +91 11 2632-2632 /33
Info@lucideustech.com
7/4/2016


[OWASP TOP 10 VULNERABILITES] July 4, 2016

INDEX
1. OWASP Top 10
2. SQL injection
3. Broken authentication and session management
4. Cross site scripting
5. Insecure direct object references
6. Security misconfiguration
7. Sensitive data exposure
8. Missing function level access control
9. Cross site request forgery
10. Using components with known vulnerabilities
11. Unvalidated redirects and forwards

OWASP TOP 10

The OWASP Top 10 is a list of the ten most dangerous current web application security flaws, together with effective methods of dealing with them. OWASP (the Open Web Application Security Project) is an organisation that provides unbiased, practical and cost-effective information about web application security. Project members include security experts from around the world who share their knowledge of vulnerabilities, attacks and countermeasures. Attempts by hackers and security experts to take down websites, gain unauthenticated access or exploit their databases were logged, and analysis of those logs showed that the following ten attack classes were the ones most used:

1. SQL injection
2. Broken authentication and session management
3. Cross site scripting
4. Insecure direct object references
5. Security misconfiguration
6. Sensitive data exposure
7. Missing function level access control
8. Cross site request forgery
9. Using components with known vulnerabilities
10. Unvalidated redirects and forwards


SQL Injection

Injection is a type of web vulnerability in which malicious input is sent to the server-side application for processing. The input is crafted so that the backend application can be manipulated. A SQL injection (SQLi) attack consists of the insertion or "injection" of SQL syntax into the input data sent from the client to the application, so that it becomes part of a query. A successful SQLi exploit can read sensitive data from the database, modify database data (insert, update or delete), execute administrative operations on the database (such as shutting down the DBMS), recover the contents of a given file on the database file system and, in some cases, issue commands to the operating system. SQLi attacks allow an attacker to spoof identity, tamper with existing data, cause repudiation problems such as voiding transactions or changing balances, disclose all data on the system, destroy the data or make it unavailable, and become an administrator of the database server. SQLi is very common in PHP and ASP applications. It occurs when unvalidated data is sent to the interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

Types of SQLi

1. Error-based injection: Error-based SQLi is an in-band SQL injection technique that relies on the error messages thrown by the database server to obtain information about the structure of the database. In some cases error-based SQL injection alone is enough for an attacker to enumerate an entire database. While errors are very useful during the development phase of a web application, they should be disabled on a live site, or logged to a file with restricted access instead. It works on ASP and ASPX technology. It differs from UNION-based injection in that each table or column has to be dumped one at a time until the desired data is obtained from the database.

2. UNION-based injection: UNION-based attacks allow the tester to extract information from the database easily. Because the UNION operator can only be used if both queries have exactly the same structure, the attacker must craft a SELECT statement similar to the original query. To do this a valid table name must be known, and the number of columns in the first query and their data types must also be determined. To simplify learning, the explanation here assumes that error reporting is enabled; the same principle applies when it is not. With this method the attacker can jump directly to the desired table or column instead of dumping them one at a time. The following figure shows a UNION-based injection applied to DVWA.

3. Stacked query injection: Stacked queries give the attacker a lot of control. By terminating the original query and appending a new one, it becomes possible to modify data and call stored procedures. This technique is used heavily in SQL injection attacks, and understanding its principle is essential to a sound understanding of this security issue.

(SQLi using SQLMAP on the website http://testphp.vulnweb.com)

Broken Authentication and Session Management

Authentication and session management covers all aspects of handling user authentication and managing active sessions. While authentication itself is a critical aspect to secure, even solid authentication mechanisms can be undermined by flawed credential management functions, including password change, "forgot my password", "remember my password", account update and other related functions. Because "walk by" attacks are likely for many web applications, all account management functions should require re-authentication even if the user has a valid session id, in case an attacker has found a session where the original user failed to log out. User authentication on the web typically involves a user id and password. Stronger methods of authentication are commercially available, such as software- and hardware-based cryptographic tokens or biometrics, but such mechanisms are cost-prohibitive for most web applications. A wide array of account and session management flaws can result in the compromise of user or system administration accounts. Development teams frequently underestimate the complexity of designing an authentication and session management scheme that adequately protects credentials in all areas of the site.

Web applications must establish sessions to keep track of the stream of requests from each user. HTTP does not provide this capability, so web applications must create it themselves. Frequently the web application environment provides a session capability, but many developers prefer to create their own session tokens. In either case, if the session tokens are not properly protected, an attacker can hijack an active session and assume the identity of a user. Creating a scheme that generates strong session tokens and protects them throughout their lifecycle has proven elusive for many developers.
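The two sections above ask for two things that home-grown session code often gets wrong: tokens that cannot be guessed, and a re-authentication requirement for account management functions even when the session is valid. The following added example (written for this edit, not the report's own code) is a minimal server-side session store that does both. The timeout values, the store's API and the ManualClock used to exercise expiry are assumptions for the demonstration.

```python
import secrets
import time

SESSION_TTL = 30 * 60      # idle timeout in seconds (assumed policy value)
REAUTH_WINDOW = 5 * 60     # account-management actions need a login this recent (assumed)


class ManualClock:
    """Settable clock so expiry can be exercised without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


class SessionStore:
    """Server-side session store: the browser only ever holds an opaque random token."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}      # token -> {"user", "last_seen", "authenticated_at"}

    @staticmethod
    def _new_token():
        # 32 bytes from the OS CSPRNG; never derive tokens from user ids, timestamps or counters.
        return secrets.token_urlsafe(32)

    def create(self, user_id):
        token = self._new_token()
        now = self._clock()
        self._sessions[token] = {"user": user_id, "last_seen": now, "authenticated_at": now}
        return token

    def lookup(self, token):
        """Return the user for a live session, or None; idle sessions are expired here."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > SESSION_TTL:
            del self._sessions[token]   # a session left open on a shared machine dies on its own
            return None
        sess["last_seen"] = now
        return sess["user"]

    def reauthenticate(self, token):
        """Called after the user re-enters their password."""
        sess = self._sessions.get(token)
        if sess is not None:
            sess["authenticated_at"] = self._clock()

    def allows_account_change(self, token):
        # Password change, e-mail update, "remember me" settings etc. require a fresh
        # login even when the session token itself is valid ("walk by" protection).
        if self.lookup(token) is None:
            return False
        return self._clock() - self._sessions[token]["authenticated_at"] <= REAUTH_WINDOW

    def rotate(self, token):
        """Issue a fresh token (after login or privilege change) so an old one cannot be replayed."""
        sess = self._sessions.pop(token, None)
        if sess is None:
            return None
        new_token = self._new_token()
        self._sessions[new_token] = sess
        return new_token

    def logout(self, token):
        self._sessions.pop(token, None)
```

The session data never leaves the server; the token is only a lookup key, which is why its unpredictability is the whole of its security. Rotating the token at login is what defeats session fixation, and the separate `authenticated_at` timestamp is what lets "edit profile" demand a fresh password without logging the user out of everything else.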

(“47/editprofile” belongs to some user RAKESH)

(Then he changed it to “35/editprofile”, which gave him access to another user named RITESH)

Cross Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute it. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. For more details on the different types of XSS flaws, see the OWASP article "Types of Cross-Site Scripting".

Insecure Direct Object Reference

Insecure Direct Object Reference (IDOR) is a prevalent type of vulnerability that allows requests to be made for specific objects through pages or services without proper verification of the requester's right to the content. It is mostly found in web and mobile applications. In OWASP's description, Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files. By exploiting an Insecure Direct Object Reference, an attacker bypasses authorization and accesses a resource directly by modifying the value of the parameter that points to the object (for example, by changing the user account ID in a URL to access another user's information). The resources reached this way can be database entries belonging to other users, files on the system and more. The references pointing to these resources, which attackers may exploit, can be a database key or the path of a file. Whenever the application takes user-supplied input and uses it to retrieve an object without performing sufficient authorization checks, this vulnerability is present.

(Insecure Direct Object Reference explained graphically)
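The "47/editprofile" to "35/editprofile" walk-through earlier and the definition above describe the same defect: the id from the URL is used as the lookup key with no ownership check. The following added example (written for this edit, not the report's code) shows that vulnerable lookup alongside the two standard fixes, an ownership check on every access and OWASP's indirect reference map, in which the URL carries a random per-session handle instead of the database key. The profile table and the function names are assumptions for the demonstration.

```python
import secrets


class Forbidden(Exception):
    pass


# Constructed sample data, using the 47 / 35 profile ids from the report's example.
PROFILES = {
    47: {"owner": "rakesh", "email": "rakesh@example.com"},
    35: {"owner": "ritesh", "email": "ritesh@example.com"},
}


def edit_profile_vulnerable(profile_id):
    # The number from the URL is used straight as the database key, so a logged-in
    # user reaches any profile simply by changing 47 to 35.
    return PROFILES[profile_id]


def edit_profile_checked(current_user, profile_id):
    # Fix 1: keep the direct reference, but verify ownership on every access.
    profile = PROFILES.get(profile_id)
    if profile is None or profile["owner"] != current_user:
        raise Forbidden(f"{current_user!r} may not edit profile {profile_id}")
    return profile


class IndirectReferenceMap:
    """Fix 2: per-session map from random opaque handles to real ids, so URLs never
    carry a guessable database key (OWASP's indirect reference pattern)."""

    def __init__(self, current_user):
        self.user = current_user
        self._handles = {}
        # Only objects this user owns ever receive a handle, so there is nothing to guess.
        for real_id, profile in PROFILES.items():
            if profile["owner"] == current_user:
                self._handles[secrets.token_urlsafe(9)] = real_id

    def handles(self):
        return list(self._handles)

    def edit_profile(self, handle):
        real_id = self._handles.get(handle)
        if real_id is None:
            raise Forbidden("unknown reference")
        # The ownership check is still applied underneath: defence in depth.
        return edit_profile_checked(self.user, real_id)


def is_denied(fn, *args):
    """Demonstration helper: True if the call was refused."""
    try:
        fn(*args)
        return False
    except Forbidden:
        return True


if __name__ == "__main__":
    print("vulnerable, rakesh reaches 35:", edit_profile_vulnerable(35))
    print("checked, rakesh on 35 denied:", is_denied(edit_profile_checked, "rakesh", 35))
    session_map = IndirectReferenceMap("rakesh")
    print("rakesh's handles:", session_map.handles())
```

The ownership check is the fix that must always be present; the indirect map is an extra layer that also stops the ids from leaking how many records exist, and it has to be rebuilt per session or the handles themselves become the next direct reference.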

Security Misconfiguration

Security misconfiguration arises when security settings are defined, implemented and maintained as defaults. Good security requires a secure configuration defined and deployed for the application, web server, database server and platform. It is equally important to keep the software up to date. All an attacker needs is the URL of the configuration file, and developers tend to follow a naming convention for config files, so it can be found by brute-forcing names such as the following:

web.config
config
appname.config
conf

The attacker accesses default accounts, unused pages, unpatched flaws, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system. Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, database, framework and custom code. Developers and system administrators need to work together to ensure that the entire stack is configured properly. Automated scanners are useful for detecting missing patches, misconfigurations, use of default accounts, unnecessary services, etc.

Sensitive Data Exposure

As online applications keep flooding in day by day, not all of them are secured. Many web applications do not properly protect sensitive user data such as credit card information, bank account details or authentication credentials. Hackers may end up stealing such weakly protected data to conduct credit card fraud, identity theft or other crimes. Attackers typically don't break crypto directly. They break something else: they steal keys, perform man-in-the-middle attacks, or steal clear-text data off the server, while in transit, or from the user's browser. The most common flaw is simply not encrypting sensitive data. When crypto is employed, weak key generation and management and weak algorithm usage are common, particularly weak password hashing techniques. Browser weaknesses are very common and easy to detect, but hard to exploit on a large scale. External attackers have difficulty detecting server-side flaws due to limited access, and such flaws are also usually hard to exploit.

Missing Function Level Access Control

An attacker who is an authorized system user simply changes the URL or a parameter to reach a privileged function. Anonymous users could access private functions that aren't protected. Applications do not always protect application functions properly. Sometimes function-level protection is managed via configuration, and the system is misconfigured. Sometimes developers must include the proper code checks, and they forget. Detecting such flaws is easy; the hardest part is identifying which pages (URLs) or functions exist to attack. A user of a web application can browse directly to a resource that provides access to functionality they shouldn't see, for example by adding a different user ID number to a URL to reach a colleague's settings page, or changing it to an admin user ID to reach privileged admin functions. This is different from Insecure Direct Object Reference: an IDOR vulnerability gives direct unauthorised access to data and information, whereas a Missing Function Level Access Control vulnerability gives unauthorised access to functionality in a web application. Note the subtle difference between these. In most situations the outcome is the same: both give unauthorised access to data or information that should not be shown, often leading to the same consequences, such as identity theft of the users whose information is exposed and financial loss to both users and the organisation. The organisation that failed to protect the information can also suffer reputational damage, financial penalties, contractual disadvantages and a loss of trust in its brand and messaging.

Cross Site Request Forgery

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force them to perform state-changing requests such as transferring funds or changing their email address. If the victim is an administrative account, CSRF can compromise the entire web application. An attacker may also forge a request that logs the victim into a target website using the attacker's credentials; this is known as login CSRF. Login CSRF makes various novel attacks possible: for instance, the attacker can later log into the site with their own legitimate credentials and view private information, such as activity history, that has been saved in the account.


(CSRF illustration)
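The defining property of CSRF noted above, that the attacker cannot read the response, is also what the standard defence exploits: the server puts a secret token into its own forms, and a forged request from another origin cannot know it. The following added example (written for this edit, not the report's code) derives a per-session token with an HMAC, checks it in constant time on a state-changing request, and refuses such requests over GET. The request dictionary shape, the route and the function names are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Server-side key; in a real deployment it is loaded from configuration, not generated per process,
# so tokens stay valid across restarts and worker processes.
SECRET_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id):
    # Token bound to the session via HMAC. It is embedded in the site's own forms; a page on
    # another origin cannot read it, so a forged cross-site request cannot supply it.
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_csrf(session_id, submitted):
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), submitted)


def handle_transfer(request):
    """request is a plain dict standing in for a framework request object (assumed shape):
    {"method": ..., "session_id": ..., "form": {...}}. Returns (status, body)."""
    if request["method"] != "POST":
        # A state change reachable by GET can be triggered by a mere <img> tag; refuse it.
        return 405, "state-changing request must use POST"
    if not is_valid_csrf(request["session_id"], request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, f"transferred {form['amount']} to {form['to']}"


def render_transfer_form(session_id):
    # The server's own page carries the token as a hidden field; this is the only place it appears.
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{csrf_token_for(session_id)}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


if __name__ == "__main__":
    sid = "session-abc"   # constructed session id
    print(render_transfer_form(sid))
    print(handle_transfer({"method": "POST", "session_id": sid,
                           "form": {"amount": "100", "to": "ritesh"}}))   # forged: no token
```

The token must be tied to the session (here through the HMAC input) so that a token the attacker obtains for their own session is useless against the victim's. Setting the session cookie with the `SameSite` attribute is a second, independent layer, since the browser then withholds the cookie from cross-site POSTs altogether; the token remains the control that does not depend on browser behaviour.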

Using Components with Known Vulnerabilities

This kind of threat arises because components such as libraries and frameworks used within the application almost always execute with full privileges. If a vulnerable component is exploited, it makes the attacker's job easier and can lead to serious data loss or server takeover. The attacker identifies a weak component through scanning or manual analysis, customises the exploit as needed and executes the attack. This gets more difficult when the component is used deep inside the application. Virtually every application has these issues, because most development teams don't focus on keeping their components and libraries up to date. In many cases the developers don't even know all the components they are using, never mind their versions. Component dependencies make things even worse.

Unvalidated Redirects and Forwards

Most web applications frequently redirect and forward users to other pages or to external websites. Without validating the credibility of those destinations, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages. Unvalidated redirects and forwards are possible when a web application accepts untrusted input that causes it to redirect the request to a URL contained in that input. By modifying the URL input to point to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to craft a URL that passes the application's access control check and then forwards the attacker to privileged functions that they would normally not be able to access.
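The mitigation for the redirect half of this flaw is to treat the "next" parameter as untrusted and allow only destinations on the site's own host. The following added example (written for this edit, not the report's code) does that with `urllib.parse.urlsplit`, and handles the inputs that defeat naive string checks: protocol-relative `//host` URLs, backslashes that browsers treat as slashes, `user@host` prefixes and look-alike hostnames. The allowed host name and the default landing page are assumptions for the demonstration.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.com"}   # assumed: the application's own host names
DEFAULT_TARGET = "/home"


def safe_redirect_target(next_param):
    """Return a redirect destination that stays on our site, or DEFAULT_TARGET when the
    value cannot be trusted. Allow-listing what is acceptable beats blocking known-bad patterns."""
    if not next_param:
        return DEFAULT_TARGET
    # Browsers treat a backslash like a slash; urlsplit does not. Normalise before parsing
    # so "/\evil.example" is recognised as the protocol-relative URL it really is.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute (or protocol-relative) URL: only our own hosts over https are acceptable.
        # .hostname drops any "user@" prefix, so "https://www.example.com@evil.example/"
        # is seen as evil.example, and a look-alike such as www.example.com.evil.example
        # fails the exact-match test.
        if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
            return candidate
        return DEFAULT_TARGET
    # Relative reference: insist on exactly one leading slash, i.e. a site-local path.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_TARGET
    return candidate


if __name__ == "__main__":
    # Constructed inputs of the kinds a validator has to get right.
    for value in ["/account", "//evil.example/x", "/\\evil.example", "https://evil.example/",
                  "https://www.example.com@evil.example/", "https://www.example.com/dash?x=1",
                  "javascript:alert(1)", ""]:
        print(f"{value!r:45} -> {safe_redirect_target(value)!r}")
```

For the forwards half of the flaw the same idea applies in simpler form: the forward target should be looked up in a fixed table of internal pages by a short key, never taken as a path from the request, and the access control check has to run on the final page rather than on the entry point.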

Sources

Content:
http://www.acunetix.com/websitesecurity/sql-injection2/
http://www.upenn.edu/computing/security/swat/SWAT_Top_Ten_A3.php
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
http://www.tutorialspoint.com/security_testing/testing_security_misconfiguration.htm
http://www.cs.tufts.edu/comp/116/archive/fall2014/hwang.pdf
https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration
https://www.owasp.org/index.php/Top_10_2013-A7-Missing_Function_Level_Access_Control
http://www.tutorialspoint.com/security_testing/missing_function_level_access_control.htm
http://kemptechnologies.com/blog/owasp-top-ten-series-missing-function-level-access-control/
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
https://en.wikipedia.org/wiki/Cross-site_request_forgery
http://www.tutorialspoint.com/security_testing/components_with_vulnerabilities.htm
https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities
http://www.tutorialspoint.com/security_testing/components_with_vulnerabilities.html
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
http://www.tutorialspoint.com/security_testing/unvalidated_redirects_and_forwards.htm

Images:
https://www.youtube.com/watch?v=R0MIrJiNzh8
https://www.google.co.in/search?q=insecure+direct+object+references+&source=lnms&tbm=isch&sa=X&ved=0ahUKEwiN-Wtlt3NAhWFt48KHX17CNIQ_AUICSgC&biw=1366&bih=599#imgrc=_4xVy40zDBIqZM%3A
https://www.google.co.in/search?q=security+misconfiguration&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjqgtDlkt7NAhXIKpQKHSTPBWIQ_AUICSgC#imgrc=zX1z-m-5bSK9HM%3A
https://www.google.co.in/search?q=sensitive+data+exposure&source=lnms&tbm=isch&sa=X&ved=0ahUKEwiqvqPlmN7NAhWHHpQKHfpvCqQQ_AUICCgB&biw=1366&bih=599#imgrc=4iDtV5wONWinEM%3A
https://www.google.co.in/search?q=Cross+site+request+forgery&biw=1366&bih=599&source=lnms&tbm=isch&sa=X&ved=0ahUKEwjc-OzapN7NAhVFl5QKHW4QBlQQ_AUICSgC#imgrc=026VFW97HjRfM%3A

