By Enas Fayez Alharbi, 3 months ago
- **Authentication methods**:
  - Username and Password
  - Biometric (e.g., fingerprint, facial recognition)
  - OAuth (third-party login)
- **Session cookies**:
  - Created upon successful authentication.
  - Stored in the user's browser.
  - Used to maintain state in stateless HTTP communication.
- **Brute-force attacks**:
  - **Description**: Automated attempts to guess passwords.
  - **Tools Used**: Password cracking tools (e.g., Hydra, Burp Suite).
- **Weak credentials**:
  - **Description**: Users often choose weak passwords.
  - **Examples**: "123456", "password", "qwerty".
  - **Impact**: Easy for attackers to gain access.
- **Predictable session cookies**:
  - **Description**: Cookies with predictable values.
  - **Consequences**: Attackers can forge session cookies.
  - **Example**: Using simple sequences or predictable IDs.
- **Consequences**:
  - Attackers can impersonate legitimate users.
  - Exposure of sensitive information.
  - Misuse of stolen credentials for malicious purposes.
- **Requirements** (password policy):
  - Minimum length (e.g., 8-12 characters).
  - Inclusion of uppercase, lowercase, numbers, and symbols.
- **Methods** (multi-factor authentication):
  - Something you know (password).
  - Something you have (smartphone, hardware token).
  - Something you are (biometric verification).
- **Best Practices** (session management):
  - Regenerate session IDs upon login and logout.
  - Set short expiration times for session cookies.
  - Use Secure and HttpOnly flags.
- **Approach** (account lockout):
  - Lock account after 3-5 failed login attempts.
  - Notify users of lockout events.
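Added example, not part of the original notes: a minimal Python `AuthService` (a hypothetical name) that applies the lockout, session-regeneration and cookie-flag practices listed above; the user store, threshold, TTL and injectable clock are constructed for the demo.

```python
import hmac
import secrets

LOCKOUT_THRESHOLD = 5           # "lock account after 3-5 failed login attempts"
SESSION_TTL_SECONDS = 15 * 60   # short cookie lifetime, per the notes

class AuthService:
    """Constructed demo of lockout, session-ID regeneration and cookie flags.
    Passwords are kept in plaintext only to keep it short; real code verifies a slow salted hash."""

    def __init__(self, users, clock):
        self.users = users            # name -> password (constructed test data)
        self.clock = clock            # callable returning the current time in seconds
        self.failed = {}              # name -> consecutive failed attempts
        self.locked = set()
        self.notifications = []       # "notify users of lockout events"
        self.sessions = {}            # session_id -> (user, expires_at)

    def login(self, name, password, old_session_id=None):
        """Return a fresh session ID on success, None on failure or lockout."""
        if name in self.locked:
            return None
        expected = self.users.get(name, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            self.failed[name] = self.failed.get(name, 0) + 1
            if self.failed[name] >= LOCKOUT_THRESHOLD:
                self.locked.add(name)
                self.notifications.append(f"account locked: {name}")
            return None
        self.failed[name] = 0
        # Regenerate: drop the pre-login ID so a fixated cookie never becomes authenticated.
        self.sessions.pop(old_session_id, None)
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = (name, self.clock() + SESSION_TTL_SECONDS)
        return session_id

    def logout(self, session_id):
        self.sessions.pop(session_id, None)   # invalidate server-side; next login mints a new ID

    def user_for(self, session_id):
        """Resolve a cookie value; unknown or expired IDs yield None."""
        entry = self.sessions.get(session_id)
        if entry is None or entry[1] <= self.clock():
            self.sessions.pop(session_id, None)
            return None
        return entry[0]

def set_cookie_header(session_id):
    """Cookie attributes from the notes: short expiry, Secure, HttpOnly."""
    return f"Set-Cookie: session={session_id}; Max-Age={SESSION_TTL_SECONDS}; Secure; HttpOnly; Path=/"
```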
- Exposed debugging features can be exploited by attackers.
- **Example: Patreon Hack (2015)**
  - An open debug interface allowed arbitrary code execution.
- Addressing insecure design often requires a substantial redesign of the application, which can be complex and time-consuming compared to fixing a simple coding error.
- **Password Reset Mechanism:** Users can reset forgotten passwords by entering a 6-digit code sent via SMS.
- **Rate Limiting:** To prevent brute-forcing (guessing the code), Instagram implemented a rate limit, blocking further attempts after 250 failed tries from a single IP address.
- **Brute-Forcing Process:**
  - Attackers can try different 6-digit codes (1,000,000 possible combinations).
  - Rate limiting applies per IP address, so an attacker could use multiple IP addresses to bypass the limit.
  - With 4000 IPs, an attacker could theoretically test all codes (4000 × 250 = 1,000,000), making the attack feasible using cloud services.
- **Mitigations:**
  1. **Threat Modeling:** Conduct thorough threat assessments during the design phase to identify potential vulnerabilities early.
  2. **Implementing SSDLC:** A Secure Software Development Lifecycle (SSDLC) integrates security at each phase of development, ensuring that vulnerabilities are considered throughout the process.
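To show why the per-IP limit above is a design flaw rather than a coding bug, here is an added Python simulation (not from the original notes) that counts how many wrong guesses against one account a limiter permits when the same 250-per-key limit is bound to the source IP versus to the account being reset; the account name and source labels are constructed.

```python
from collections import defaultdict

CODE_SPACE = 1_000_000    # 6-digit reset codes, as in the notes
PER_KEY_LIMIT = 250       # failed tries allowed per key before blocking, as in the notes
IP_POOL = 4000            # number of source addresses considered in the notes

class ResetCodeLimiter:
    """Counts failed code submissions per key and blocks once the limit is reached.
    key_func decides what the limit is bound to: the source IP (the design the notes
    describe) or the account whose code is being guessed (the corrected design)."""

    def __init__(self, limit, key_func):
        self.limit = limit
        self.key_func = key_func
        self.failures = defaultdict(int)

    def allow(self, source_ip, account):
        key = self.key_func(source_ip, account)
        if self.failures[key] >= self.limit:
            return False
        self.failures[key] += 1      # every guess is wrong in this simulation
        return True

def guesses_permitted(limiter, n_sources, account, per_source_attempts):
    """Wrong guesses against one account that the limiter lets through when the
    attempts are spread over n_sources addresses (constructed labels, not real IPs)."""
    permitted = 0
    for i in range(n_sources):
        source = f"src-{i}"
        for _ in range(per_source_attempts):
            if not limiter.allow(source, account):
                break
            permitted += 1
    return permitted

def per_ip_limiter():
    return ResetCodeLimiter(PER_KEY_LIMIT, lambda ip, account: ip)

def per_account_limiter():
    return ResetCodeLimiter(PER_KEY_LIMIT, lambda ip, account: account)

def code_space_coverage(limiter):
    """Fraction of the 6-digit code space testable from IP_POOL addresses."""
    return guesses_permitted(limiter, IP_POOL, "victim-account", PER_KEY_LIMIT) / CODE_SPACE
```

With the per-IP key the whole code space is reachable; keyed by account, the cap stays at 250 no matter how many addresses are used.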
- **SQL Injection**
  - User input affects SQL queries.
  - Potential to access, modify, or delete database information.
  - Risk of stealing sensitive data.
- **Command Injection**
  - User input passed to system commands.
  - Allows execution of arbitrary commands on servers.
- **Prevention**
  - Compare input against a list of safe inputs.
  - Reject unsafe inputs with an error.
  - Remove dangerous characters from user input.
- **Command Injection**: A vulnerability allowing attackers to execute arbitrary OS commands on a server via user input.
- **How It Works**
  - Server-side code (e.g., PHP) calls console functions directly.
  - Attackers manipulate these calls to run unauthorized commands.
- **Example: MooCorp**
  - MooCorp's web app uses the `cowsay` command for ASCII art.
  - The code snippet is vulnerable to command injection:

```php
<?php
if (isset($_GET["mooing"])) {
    $mooing = $_GET["mooing"];
    $cow = 'default';
    if (isset($_GET["cow"]))
        $cow = $_GET["cow"];
    // User-controlled $cow and $mooing are interpolated straight into a shell command line.
    passthru("perl /usr/bin/cowsay -f $cow $mooing");
}
?>
```

  - User input is used directly in command execution (`$cow` and `$mooing`).
  - Allows injection of additional commands.
  - Use bash inline commands: `$(your_command_here)`.
  - Example payloads: `$(whoami)`, `$(id)`, `$(ifconfig)`, `$(uname -a)`, `$(ps -ef)`.
  - Attackers gain control over the server, allowing file listing, system reconnaissance, and more.
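As an added example (not MooCorp's code or the original notes' code), here is the same cowsay call in Python with the three prevention strategies above applied to `cow` and `mooing`, plus the argument-vector form that removes the shell entirely; the allow list of cow names and the metacharacter set are assumptions.

```python
import re
import shlex

SAFE_COWS = {"default", "tux", "dragon"}        # allow list; constructed, use the installed cowfiles
DANGEROUS = re.compile(r"[;&|`$(){}<>\\\n]")     # shell metacharacters (constructed list)

class UnsafeInput(ValueError):
    pass

def vulnerable_command(cow, mooing):
    """Mirrors the PHP snippet: raw interpolation into one string handed to a shell.
    Returned rather than executed, so the expansion risk is visible without running it."""
    return f"perl /usr/bin/cowsay -f {cow} {mooing}"

def allowlisted_cow(cow):
    """Mitigation: compare input against a list of safe inputs."""
    if cow not in SAFE_COWS:
        raise UnsafeInput(f"unknown cow: {cow!r}")
    return cow

def reject_if_dangerous(text):
    """Mitigation: reject unsafe inputs with an error."""
    if DANGEROUS.search(text):
        raise UnsafeInput("shell metacharacters are not allowed")
    return text

def strip_dangerous(text):
    """Mitigation: remove dangerous characters from user input (the weakest option)."""
    return DANGEROUS.sub("", text)

def escaped_command(cow, mooing):
    """If a shell string is unavoidable, quote each argument (the PHP equivalent
    is escapeshellarg) so $(...) stays literal text for the shell."""
    return f"perl /usr/bin/cowsay -f {shlex.quote(cow)} {shlex.quote(mooing)}"

def safe_cowsay_argv(cow, mooing):
    """Preferred form: an argument vector for subprocess.run(argv, shell=False).
    Each parameter is one argv element, so no shell ever parses the message."""
    return ["perl", "/usr/bin/cowsay", "-f", allowlisted_cow(cow), reject_if_dangerous(mooing)]
```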
- **Data in Transit**
  - Encryption of communications between client and server.
  - Prevents eavesdropping on network traffic.
- **Data at Rest**
  - Encryption of stored emails to prevent unauthorized access by providers.
- **Data to protect**
  - Personal data (names, dates of birth, financial info).
  - Technical data (usernames, passwords).
- **How it is attacked**
  - Intercepting data through compromised connections.
  - Exploiting weak encryption or lack of encryption.
- **Flat-file databases** are simple databases stored as a single file on a computer. Unlike traditional databases that run on servers (like MySQL), they don't require complex setups.
  - Often used in **small web applications** where simplicity is key. They allow for quick data storage and retrieval without needing a full database server.
  - If a flat-file database is stored in a publicly accessible location (like the root directory of a website), unauthorized users can download it. This poses a serious risk because the database may contain sensitive information (e.g., user names, passwords, credit card details).
- **Inspecting a SQLite file**
  - Use the command `sqlite3`.
  - Use commands like:
    - `.tables` to see the available tables.
    - `PRAGMA table_info(table_name);` to understand the structure (columns) of a table.
    - `SELECT * FROM table_name;` to view all data in a table.
- **Example with `example.db`**
  - Run `sqlite3 example.db` to open it.
  - Run `.tables` to check for tables (e.g., `customers`).
  - Run `PRAGMA table_info(customers);` to see the columns, which might include:
    - custID (customer ID)
    - custName (customer name)
    - creditCard (credit card number)
    - password (hashed password)
  - A row such as `0|Joy Paulson|4916 9012 2231 7905|5f4dcc3b5aa765d61d8327deb882cf99` represents a customer's ID, name, credit card number, and a hashed version of their password.
- **Cracking the hashes**
  - Recover plaintext passwords from hashes.
  - The stored passwords are weak MD5 hashes.
  - **Crackstation**
    - Online password cracking tool.
    - Utilizes a massive wordlist.
    1. Navigate to Crackstation.
    2. Paste the hash (e.g., `5f4dcc3b5aa765d61d8327deb882cf99`).
    3. Solve Captcha.
    4. Click "Crack Hashes".
  - Passwords not in the wordlist cannot be cracked.
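Added Python example (not from the original notes) covering both the SQLite inspection steps and the hash lookup above: it builds an in-memory stand-in for `example.db` with a constructed row and a constructed four-word list, recovers the MD5 the way a wordlist cracker does, and contrasts it with a salted slow hash; table and column names follow the notes.

```python
import hashlib
import sqlite3

# Constructed stand-ins for the page's example.db row and a tiny wordlist; not real data.
SAMPLE_ROW = (0, "Joy Paulson", "4916 9012 2231 7905",
              "5f4dcc3b5aa765d61d8327deb882cf99")
WORDLIST = ["letmein", "qwerty", "password", "123456"]

def open_example_db():
    """In-memory equivalent of `sqlite3 example.db` with the customers table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (custID INTEGER, custName TEXT, "
                "creditCard TEXT, password TEXT)")
    con.execute("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_ROW)
    return con

def list_tables(con):
    """What `.tables` shows."""
    return [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]

def columns(con):
    """What `PRAGMA table_info(customers);` shows, reduced to the column names."""
    return [r[1] for r in con.execute("PRAGMA table_info(customers)")]

def stored_password_hashes(con):
    return [r[0] for r in con.execute("SELECT password FROM customers")]

def crack_md5(digest_hex, wordlist):
    """Wordlist lookup against an unsalted MD5: a listed word is found at once,
    a password absent from the list is not found at all."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest_hex:
            return candidate
    return None

def slow_salted_hash(password, salt, iterations=200_000):
    """What the column should have held: PBKDF2-HMAC-SHA256 with a per-user salt,
    so identical passwords give different digests and a shared lookup table is useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()
```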
- Access control vulnerability allowing unauthorized resource access.
- Exposure of Direct Object References (e.g., user IDs, account numbers).
- **Example: private video**
  - Attacker accessed private video frames.
  - Reconstructed the video despite privacy settings.
- **Example: bank account**
  - User accesses own bank details.
  - URL structure: `https://bank.thm/account?id=111111`

![image.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/6ce9d646-badd-4b4f-a33f-a00f5b10af94/954b03da-6849-4417-b68c-9be2ea8480ed/image.png)

  - Changing the ID parameter (e.g., `id=222222`).
  - Accessing other users' bank information.

![image.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/6ce9d646-badd-4b4f-a33f-a00f5b10af94/75bfd7f4-ab60-4d47-86ba-2149dd8ee49a/image.png)

  - The problem lies in the lack of validation on ownership of the referenced object.
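Added example, not the bank.thm application's code: a Python lookup that parses the `id` reference from the URL above and enforces ownership against the session user, with a denial log a defender can alert on; the account data, usernames and the `Forbidden` exception are constructed.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

@dataclass
class Account:
    account_id: int
    owner: str        # username bound to the authenticated session
    balance: int

# Constructed data keyed by the ids from the bank.thm walkthrough; not real accounts.
ACCOUNTS = {
    111111: Account(111111, "alice", 500),
    222222: Account(222222, "bob", 900),
}

class Forbidden(Exception):
    pass

def requested_id(url):
    """Parse the direct object reference out of a URL such as
    https://bank.thm/account?id=111111; None if absent or not numeric."""
    value = parse_qs(urlparse(url).query).get("id", [None])[0]
    return int(value) if value is not None and value.isdigit() else None

def account_vulnerable(url):
    """The flawed lookup: whatever id the client supplies is served."""
    return ACCOUNTS.get(requested_id(url))

def account_for(session_user, url, audit_log):
    """Ownership check: the reference is honoured only if the logged-in user owns
    the object. Denials are logged, since repeated id changes from one session
    are the detection signal for this kind of probing."""
    acct = ACCOUNTS.get(requested_id(url))
    if acct is None or acct.owner != session_user:
        audit_log.append(f"denied: user={session_user} url={url}")
        raise Forbidden(session_user)
    return acct

def own_account(session_user):
    """Stronger design: derive the object from the session and accept no id
    from the client at all."""
    return next(a for a in ACCOUNTS.values() if a.owner == session_user)
```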