SPARK Training Program
Date: 21/09/2022
Session: Day 1
Topic: Web Applications Security and OWASP TOP 10
Marisoft - III, Marigold Premises, Marigold complex, Kalyani Nagar, Pune, Maharashtra 411014
Varutra Consulting Private Limited
ASSIGNMENT
Questions:
1. List out OWASP Top 10 Vulnerabilities and Explain them in detail
with examples.
2. What is Information Gathering?
3. Perform the information gathering on the following
http://vulnweb.com/ and add the screen shots as well.
Solutions:
1. List out OWASP Top 10 Vulnerabilities and Explain them in detail
with examples.
The OWASP Top 10 vulnerability categories for the year 2021 are as follows:
A01:2021-Broken Access Control
A02:2021-Cryptographic Failures
A03:2021-Injection
A04:2021-Insecure Design
A05:2021-Security Misconfiguration
A06:2021-Vulnerable and Outdated Components
A07:2021-Identification and Authentication Failures
A08:2021-Software and Data Integrity Failures
A09:2021-Security Logging and Monitoring Failures
A10:2021-Server-Side Request Forgery
Each of these is explained in detail below.
A01:2021-Broken Access Control
Broken access control vulnerabilities allow an attacker to access information or perform actions that the application did not intend for them.
Access control can be divided into two categories:
1. Vertical access control
Vertical access controls restrict access to sensitive functionality so that it is available only to higher-privileged users. With vertical access controls, different types of users have access to different application functions: an administrator might be able to modify or delete any user's account, while an ordinary user has no access to these actions.
If a normal user is able to carry out actions reserved for an admin or other higher-privileged user, the flaw is known as vertical privilege escalation.
2. Horizontal access control
Horizontal access controls restrict access to resources to the specific users who are allowed to access them. Horizontal privilege escalation arises when a user is able to gain access to resources belonging to another user, instead of their own resources of that type. For example, if an employee should only be able to access their own bank records but can also access the records of other employees, this is horizontal privilege escalation.
Example: consider the URL https://vulnwebsite.com/myaccount?Id=590. A user can simply change the value Id=590 to Id=591 or some other integer. If the application then loads the account details of user 591, it is not validating whether the logged-in user has permission to access the requested object. This is an Insecure Direct Object Reference (IDOR), a subcategory of access control vulnerabilities. IDOR arises when an application uses user-supplied input to access objects directly and an attacker can modify that input to obtain unauthorized access. The fix is to check on every request that the authenticated user is allowed to access the referenced object, not merely that the object exists.
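The following Python example is added here and is not part of the original assignment. It models the /myaccount?Id=590 case above with a constructed account table and two hypothetical users, contrasting the IDOR lookup with one that enforces both horizontal (ownership) and vertical (role) checks. The data, the User class and the function names are assumptions made for the example.

```python
# Added example, not from the original write-up. ACCOUNTS, User and the
# function names below are constructed for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin"


# Constructed sample data: account records keyed by the Id from the URL.
ACCOUNTS = {
    590: {"owner": 590, "balance": 1200},
    591: {"owner": 591, "balance": 9800},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to reach the requested object."""


def get_account_vulnerable(requested_id: int) -> dict:
    """Insecure direct object reference: the Id parameter is trusted as-is,
    so any logged-in user can read any account by changing the number."""
    return ACCOUNTS[requested_id]


def get_account(current_user: User, requested_id: int) -> dict:
    """Horizontal control: a user may only read the record they own.
    Admins pass the ownership check because of their role (vertical control)."""
    record = ACCOUNTS.get(requested_id)
    # Same error for "does not exist" and "not yours", so the endpoint cannot
    # be used to enumerate which Ids exist.
    if record is None:
        raise Forbidden("not found")
    if current_user.role != "admin" and record["owner"] != current_user.user_id:
        raise Forbidden("not found")
    return record


def can_read(current_user: User, requested_id: int) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        get_account(current_user, requested_id)
        return True
    except Forbidden:
        return False


def can_delete(current_user: User, requested_id: int) -> bool:
    """Vertical control: the destructive action is admin-only, regardless of
    whether the record belongs to the caller."""
    return current_user.role == "admin" and requested_id in ACCOUNTS
```

The check has to run on every request that takes an object identifier; a session cookie proves who the caller is, not what they may touch.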
A02:2021-Cryptographic Failures
This category covers failures related to cryptography, or its absence, that lead to exposure of sensitive data; in the 2017 list it was called Sensitive Data Exposure.
Cryptography provides encryption and decryption of data. Encryption scrambles cleartext into ciphertext, which should be unreadable to anyone who does not hold the secret key; decryption converts the ciphertext back into the original cleartext using that key. Examples of cryptographic failures include:
Sending sensitive data in clear text, for example using HTTP instead of HTTPS. HTTP is the protocol used to access the web; HTTPS is HTTP carried over TLS. Anyone on the network path can read everything sent over plain HTTP, but not over HTTPS.
Relying on a weak or deprecated cryptographic algorithm (for example DES or RC4).
Using default, hard-coded or weak keys for cryptographic functions. Encryption whose key is derived from an easily guessable value such as 1234 or 123456 is not difficult to break.
Sensitive data exposure occurs when a web application does not adequately protect sensitive information from being disclosed to attackers. This can include credit card data, personal information, business secrets, health records, session tokens, or other authentication credentials.
The most common flaw is simply failing to encrypt data that needs protection. An example is storing passwords in cleartext, or with a fast unsalted hash, instead of with a salted, slow password hashing function, so that a database leak exposes every user's password.
Sensitive data is also exposed through other vulnerabilities and attack routes, such as SQL injection, broken access control, ransomware, phishing and insider threats; cryptographic protection limits the damage when those other controls fail.
A03:2021-Injection
An injection vulnerability exists when untrusted user input is passed to an interpreter (a database, a template engine, an operating system shell, a browser) in a way that lets the attacker change what is executed. The usual cause is building the query or command by concatenating user input, instead of validating the input and using a safe API such as parameterized queries or context-aware output encoding. Examples of injection vulnerabilities include SQL Injection, Template Injection, Command Injection and Cross-site scripting (XSS).
SQL Injection is a web security vulnerability that allows an attacker to interfere with the queries an application makes to its database. It lets the attacker view data they are not normally able to retrieve, such as other users' records or any other data the application itself can access, and in many cases modify or delete that data.
Template Injection: when an attacker is able to inject a payload into a template that is then evaluated on the server, the flaw is called Server-Side Template Injection (SSTI); it frequently leads to remote code execution.
Command Injection: an attack in which the attacker executes arbitrary commands on the operating system where the application is hosted. It occurs when the application passes unvalidated user-supplied data (from forms, input fields, URL parameters, HTTP headers, etc.) to a system shell. A successful command injection attack may give the attacker complete control over the vulnerable website and the server.
XSS: cross-site scripting allows an attacker to execute malicious script in a victim's browser. It occurs whenever an application includes untrusted data in a web page without proper validation or output encoding. XSS is usually divided into three types, Stored XSS, Reflected XSS and DOM-based XSS; Blind XSS is a form of stored XSS in which the payload fires in a page the attacker cannot see, such as an admin panel.
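The Python example below is added to this write-up and is not code from the original assignment. It shows the two injection classes above that can be demonstrated offline: a login query built by string concatenation next to the parameterized version (SQLite in memory, constructed sample rows), and an HTML greeting with and without output encoding. The table, the user names and the function names are assumptions made for the example.

```python
# Added example, not part of the original assignment. The users table and its
# rows are constructed sample data; the plaintext password column exists only
# to keep the injection demo short (password storage is covered under A07).
import html
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "S3cret!"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Query text is assembled from user input, so quotes in the input become
    part of the SQL: ' OR '1'='1 or bob'-- rewrites the WHERE clause."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterized query: the driver sends the values separately from the
    SQL, so they can never change the statement's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def greet_vulnerable(name: str) -> str:
    """Reflected XSS: user input is placed into HTML unchanged."""
    return "<p>Hello " + name + "</p>"


def greet_safe(name: str) -> str:
    """Encode for the HTML text context; <, >, &, quotes become entities."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"
```

The safe versions do not try to strip or blacklist "bad" characters; they keep data and code separate, which is the only fix that holds for every input.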
A04:2021-Insecure Design
Insecure design covers weaknesses that come from missing or ineffective security controls in the design of the application, as opposed to bugs in its implementation. A perfect implementation cannot fix an insecure design, because the required control was never specified. Typical cases are business logic that can be abused (no limit on how many times a coupon can be redeemed, password recovery that relies only on "security questions") and designs that place secrets where users can read them.
Sensitive data exposure can result from such designs when the application does not adequately protect sensitive information from disclosure. This can include credit card data, personal information, business secrets, health records, session tokens, or other authentication credentials disclosed in the application code or in JavaScript files served to the browser.
Example of insecure design: a web developer leaves sensitive data such as API keys or credentials in the source code or in client-side JS files. Anyone who can read those files, which for JS served to the browser is every visitor, can extract and misuse that data.
A05:2021-Security Misconfiguration
Security misconfiguration occurs when application components are exposed to attack because of insecure configuration options in the software stack: default accounts and passwords left enabled, unnecessary features or services turned on, directory listing enabled, missing security headers, debug mode left on in production, or overly permissive permissions.
Examples of security misconfiguration include:
Verbose error handling that returns stack traces to users. A stack trace reveals information about the design of the software, such as database versions, table names, code file names and framework versions, which helps an attacker plan their next step. Production configurations should return a generic error page and keep the details in server-side logs.
A06:2021-Vulnerable and Outdated Components
This category includes vulnerabilities resulting from unsupported or outdated software. Anyone who builds or runs an application without knowing its internal components (libraries, frameworks, web server, operating system), their versions, and whether they are patched, is exposed to this category.
Example: web developers build most of a codebase from open source components rather than proprietary code. Often these components are not sufficiently checked before use and are not tracked afterwards, so a published vulnerability in one of them (or in a dependency of a dependency) goes unpatched and can be exploited with public exploit code.
A07:2021-Identification and Authentication Failures
Identification and authentication failures occur when functions related to a user's identity, authentication, or session management are implemented incorrectly or are not adequately protected by the application. Attackers may exploit this by compromising passwords, keys or session tokens, or by exploiting other implementation flaws to assume another user's identity, either temporarily or permanently.
Attacks in this category include brute force and credential stuffing, session hijacking, session fixation and, where session handling is weak, Cross-Site Request Forgery (CSRF).
Examples include:
Poor credential management: user credentials can be guessed or cracked to gain access to the system. Weak passwords such as 'Test123' or 'qwerty@123' fall quickly to brute-force and dictionary attacks, especially when the application does not rate-limit or lock out repeated failed logins.
Weak protection of stored credentials: base64 is an encoding, not encryption, and reversing it needs no key. Fast hash functions such as MD5 and SHA-1, especially without a salt, can be cracked at billions of guesses per second on a GPU. Passwords must be stored using a slow, salted password hashing function (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) so that cracking is expensive.
Poor session management: the application issues a session ID when the user logs in and uses it to tie subsequent requests to that user. If an attacker is able to steal this session ID (for example through XSS, an unencrypted connection, or a predictable ID) they can hijack the user's session and act as that user without knowing the password. Session tokens should be random, sent only over HTTPS with the Secure and HttpOnly cookie flags, rotated on login and invalidated on logout.
The impact of compromised credentials and sessions is identity theft: fraudulent calls or emails sent in the victim's name, purchases made on their account, and stolen data sold on the dark web.
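The following Python example is added here and is not from the original assignment. It serves the two passages that discuss password storage (the cleartext-password example under A02 and the weak hashing point above): an unsalted MD5 hash recovered from a tiny constructed wordlist, beside a salted PBKDF2-HMAC-SHA256 hash with a constant-time verifier. The iteration count, the storage format string and the function names are choices made for the example; bcrypt, scrypt or Argon2 from a maintained library are equally good choices in production.

```python
# Added example, not part of the original write-up. The storage format
# "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" is an assumption made
# for this example, not a standard.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256


def hash_password_weak(password: str) -> str:
    """Unsalted MD5: the same password always yields the same hash, and a GPU
    can test billions of candidates per second against it."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(stored_md5: str, wordlist) -> str:
    """Dictionary attack against the weak scheme; returns the password or None."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == stored_md5:
            return guess
    return None


def hash_password(password: str, salt: bytes = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. The random salt makes identical passwords hash
    differently and defeats precomputed tables; the iteration count makes
    each guess expensive for the attacker as well as for us."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time,
    so response timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Storing the iteration count alongside the hash lets the parameter be raised later and old records re-hashed on the user's next successful login.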
A08:2021-Software and Data Integrity Failures
Software and data integrity failures occur when code and infrastructure do not protect against integrity violations: the application trusts code, updates or data from sources it has not verified. Typical causes are pulling code from untrusted sources or repositories, using plugins and modules without checking them, and auto-update or CI/CD pipelines that do not verify signatures. Attackers take advantage of this to get their own code into the system, which leaves it open to the following attacks:
Man-in-the-middle (MITM) injection of malicious code into the update process: if updates are fetched over an unauthenticated channel and are not signed, a tampered payload is deployed and executed on every installation that applies the update.
Deserialization of untrusted data: deserialization converts a sequence of bytes back into the original objects. If the application does not verify the data before deserializing it, an attacker can tamper with the serialized object so that the application executes attacker-chosen code during deserialization. Insecure deserialization can therefore lead to code injection that alters the application logic or executes arbitrary commands, usually with the privileges of the application process.
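The Python example below is added to this write-up and is not part of the original assignment. It demonstrates the two failure modes just described: a pickle payload whose __reduce__ hook runs a function of the attacker's choosing the moment it is loaded (a harmless stand-in for os.system, so the demo is safe to run), beside a JSON loader that validates the shape of what it reads; and an update blob accepted only after an HMAC check. The shared key, the session format and the function names are assumptions; real software updates should use asymmetric signatures so that only the vendor can sign.

```python
# Added example, not from the original write-up. EXECUTED records that code
# ran during pickle.loads; attacker_function stands in for os.system(...).
import hashlib
import hmac
import json
import pickle

EXECUTED = []


def attacker_function(tag: str) -> str:
    EXECUTED.append(tag)
    return tag


def executed_tags() -> list:
    return list(EXECUTED)


class Payload:
    # pickle stores the result of __reduce__, i.e. "call attacker_function('pwned')",
    # and pickle.loads performs that call while rebuilding the object.
    def __reduce__(self):
        return (attacker_function, ("pwned",))


def build_malicious_pickle() -> bytes:
    """What an attacker submits where the app expects a serialized session."""
    return pickle.dumps(Payload())


def load_session_vulnerable(data: bytes):
    """Deserializing attacker-controlled bytes with pickle executes them."""
    return pickle.loads(data)


def load_session_safe(data: bytes) -> dict:
    """Use a data-only format and validate the shape before trusting it."""
    obj = json.loads(data.decode("utf-8"))
    if not (isinstance(obj, dict)
            and isinstance(obj.get("user_id"), int)
            and obj.get("role") in ("user", "admin")):
        raise ValueError("unexpected session shape")
    return {"user_id": obj["user_id"], "role": obj["role"]}


# --- update integrity: reject anything whose signature does not verify ---

def sign_update(blob: bytes, key: bytes) -> str:
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify_update(blob: bytes, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_update(blob, key), signature)


def apply_update(blob: bytes, signature: str, key: bytes) -> str:
    """Only a blob that carries a valid signature is ever 'installed'."""
    if not verify_update(blob, signature, key):
        raise ValueError("update rejected: signature mismatch")
    return blob.decode()
```

Signing the stored session (or using a server-side session store) is the equivalent fix for the session case: the server then never deserializes bytes that an attacker could have altered.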
A09:2021-Security Logging and Monitoring Failures
There is no single exploitable bug behind this category, but logging and monitoring are critical: their absence or failure directly impairs visibility, incident alerting and forensics. An application should have a functioning logging and monitoring system that collects security-relevant events and raises alerts when suspicious activity or errors occur; otherwise a breach can go unnoticed for a long time and cause far more damage.
Examples of this weakness include:
Logins, failed login attempts and other high-value transactions not being logged
Monitoring systems unable to detect suspicious activity or to raise alerts in (near) real time
Missing monitoring and alerting systems altogether
Logs stored only on the local machine, or logs that contain no useful information (no timestamp, source address or account) and so give no insight during an investigation
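The following Python example is added to this write-up and is not from the original assignment. It shows the minimum the category asks for on the login path: a log line format that records outcome, account and source (never the submitted password), and a detector that runs over a constructed sample log and alerts when one source address produces five failed logins inside five minutes. The log format, thresholds and IP addresses are assumptions made for the example.

```python
# Added example, not part of the original write-up. SAMPLE_LOG is constructed
# data using documentation-range addresses; the line format is an assumption.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2022-09-21T10:00:01Z login FAIL user=admin src=203.0.113.5
2022-09-21T10:00:03Z login FAIL user=admin src=203.0.113.5
2022-09-21T10:00:04Z login OK user=alice src=198.51.100.7
2022-09-21T10:00:06Z login FAIL user=admin src=203.0.113.5
2022-09-21T10:00:09Z login FAIL user=root src=203.0.113.5
2022-09-21T10:00:12Z login FAIL user=bob src=198.51.100.7
2022-09-21T10:00:15Z login FAIL user=admin src=203.0.113.5
2022-09-21T10:00:20Z login FAIL user=admin src=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) login (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def format_auth_event(ts: datetime, success: bool, user: str, src: str) -> str:
    """What the application should write for every login attempt: time,
    outcome, account and source. The password itself is never logged."""
    outcome = "OK" if success else "FAIL"
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} login {outcome} user={user} src={src}"


def parse_log(text: str) -> list:
    """Turn log lines into event dicts; lines that do not parse are skipped
    (a real pipeline would count them, since a parser gap is itself a blind spot)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce(events, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> list:
    """Sliding-window rule: alert when one source produces `threshold` failed
    logins within `window`. Returns (src, alert_time, failures, users_tried)."""
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold:
            users = sorted({e["user"] for e in q})
            alerts.append((ev["src"], ev["ts"], len(q), users))
            q.clear()  # one alert per burst, not one per further failure
    return alerts
```

The same events also support the complementary rule (many distinct sources failing against one account, i.e. credential stuffing), which only needs the key of the deque changed from source to user.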
A10:2021-Server-Side Request Forgery
Server-side request forgery (SSRF) lets an attacker make the back-end server of a vulnerable application send requests of the attacker's choosing. Attackers usually use SSRF to reach internal systems that sit behind firewalls and are not reachable from the external network, and services listening only on the loopback interface (127.0.0.1) of the exploited server, such as admin interfaces or cloud instance metadata endpoints.
SSRF vulnerabilities occur when the attacker has full or partial control of a URL that the web application fetches. A common example is a feature that takes a third-party service URL as input (a webhook, an image URL, a "preview this page" function) and requests it without restricting the scheme or the destination.
Impacts of SSRF include:
Retrieving the content of internal resources and, where the URL fetcher supports schemes such as file://, arbitrary files on the server, leading to exposure of passwords, source code and confidential data.
Using the server to flood internal systems with traffic, consuming their bandwidth and causing an internal denial of service.
The defence is to allow only http and https, resolve the hostname and reject destinations in loopback, private and link-local ranges, and where possible use an allowlist of permitted hosts.
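The following Python example is added here and is not part of the original assignment. It implements the outbound-URL check described above: scheme allowlist, optional host allowlist, and a resolve-then-check step that rejects loopback, private, link-local and IPv4-mapped addresses (the metadata address 169.254.169.254 and 127.0.0.1 included). The resolver is injectable so the check can be exercised without network access; the hostnames and address mapping used in the test are constructed.

```python
# Added example, not from the original write-up. The resolver is a parameter
# so callers (and the offline test) can substitute a fixed name-to-IP table.
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


class SSRFBlocked(ValueError):
    """Raised for any destination the fetcher must not contact."""


def system_resolver(hostname: str) -> list:
    """Default resolver: every address the OS returns for the name."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def is_internal(ip) -> bool:
    """True for addresses an outbound fetcher should never be allowed to reach."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str, resolver=system_resolver,
                          allowed_hosts=None) -> list:
    """Return the resolved addresses the fetcher may connect to, or raise.
    The caller should connect to one of these addresses (not re-resolve the
    name), otherwise a DNS rebinding attack can swap the answer after the check."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("no host in URL")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise SSRFBlocked(f"host not in allowlist: {host}")
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no lookup
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise SSRFBlocked(f"{host} did not resolve")
    for addr in addresses:  # every answer must be acceptable, not just the first
        if is_internal(ipaddress.ip_address(addr)):
            raise SSRFBlocked(f"{host} resolves to internal address {addr}")
    return addresses


def is_allowed(url: str, resolver=system_resolver, allowed_hosts=None) -> bool:
    try:
        validate_outbound_url(url, resolver, allowed_hosts)
        return True
    except SSRFBlocked:
        return False
```

Redirects need the same treatment: either disable them in the HTTP client or run each redirect target through validate_outbound_url before following it.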
2. What is Information Gathering?
Information gathering is the act of collecting data about a target before attacking or testing it: finding pages or portals intended for staff use, older versions of the website, backup files, configuration files, administration panels, the technologies in use, and the hosts and services that are exposed.
Information gathering is crucial because it gives the tester more knowledge about the target systems and networks, so that they can make an informed decision on how to proceed with their attack vector.
Information gathering can be further classified into two kinds: passive recon and active recon.
Passive recon: relies on publicly available knowledge, that is, information obtainable from public resources without directly engaging with the target. Examples are looking up the DNS records of a domain on a public DNS server and using services like shodan.io to get more information about the target network.
Active recon: requires the tester to make some kind of contact with the target. This contact can be a phone call or a visit to the target company under some pretense to gather more information, usually as part of social engineering. It can also be a direct connection to the target system, whether visiting their website or checking if their firewall has an SSH port open. Because it touches the target's systems, active recon can be logged and detected, and it should only be done with authorization.
Active recon can be carried out with tools or browser extensions such as Wappalyzer, which, while browsing the target website, reports the technologies, web servers, operating systems, CDNs and databases in use, and with Nmap scans to check for open ports, ping scans and traceroutes.
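The Python example below is added to this write-up and is not part of the original assignment. It performs the active-recon steps just described in a form that can be scripted: resolving a hostname as nslookup does, grabbing the HTTP banner with a single HEAD request, and extracting product/version pairs from the headers that commonly leak them, as Wappalyzer does. The two network functions are not exercised offline; the parsing is run against a constructed response that uses the nginx version this write-up observed, with an invented X-Powered-By header added for illustration.

```python
# Added example, not from the original write-up. SAMPLE_RESPONSE is
# constructed; only its Server value mirrors what the assignment observed.
import re
import socket

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.19.0\r\n"
    b"X-Powered-By: Express\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>sample</title></head></html>"
)

# Headers that routinely disclose a product and version.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-generator")
PRODUCT_RE = re.compile(r"^([A-Za-z][\w.-]*)(?:/(\d[\w.]*))?")


def resolve_host(hostname: str) -> list:
    """What nslookup does: all addresses the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, None)})


def banner_grab(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Active step: one HEAD request so the server announces itself.
    This contacts the target, so it is only run with authorization."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_headers(raw: bytes) -> dict:
    """Response headers as a lower-cased dict; the status line and body are dropped."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(headers: dict) -> dict:
    """Map header name -> (product, version or None) for disclosing headers."""
    found = {}
    for name in FINGERPRINT_HEADERS:
        value = headers.get(name)
        if not value:
            continue
        m = PRODUCT_RE.match(value)
        if m:
            found[name] = (m.group(1), m.group(2))
    return found


def version_tuple(version: str) -> tuple:
    """'1.19.0' -> (1, 19, 0), so versions can be compared against advisories."""
    return tuple(int(p) for p in re.findall(r"\d+", version))
```

A version string pulled this way is a lead, not proof: the header can be edited or removed by the operator, so the next step is to confirm it against published advisories and, where permitted, a direct check.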
3.Perform the information gathering on the following
http://vulnweb.com/ and add the screen shots as well.
To carry out information gathering there are various open source tools and websites that can be used, like Wappalyzer, shodan.io, dnsdumpster, Nmap scans and Google Dorks.
Extension used: Wappalyzer
In this snap we can see that the web server being used is nginx version 1.19.0. Using this version we can further gather more information about the vulnerabilities in this particular version.
Browsing another subdomain, http://testhtml5.vulweb.com
We can see above that more technologies have been discovered for other subdomains.
Using the version number to look for exploits.
As we can see, this particular version was vulnerable to a security restriction bypass and remote code execution.
Using nslookup we can get the IP address of the target server on the network, http://vulnweb.com/
Using other tools like Nmap we can run commands to find open ports, perform OS detection, etc.
Using Nmap we find that only port 80 (HTTP) is open.
Using the Nmap OS scan on another subdomain, we got the OS as Microsoft Windows 2012 and the server as Windows Server 2012 R2.
We can also use Google Dorks to gather more information about the target.
With the information gathered from the above steps, the attacker has more knowledge about the target systems and networks and how to proceed with their attack vector during the penetration testing phase.