Категории: Все - software - vulnerabilities - updates - audits

по Enas Fayez Alharbi 2 месяца назад

33

%23%20**OWASP%20Top%2010%20-%202021**

The OWASP Top 10 for 2021 identifies key security risks, including vulnerable and outdated software components, security misconfigurations, and insecure design principles. To mitigate these issues, it is crucial to monitor for known software vulnerabilities and ensure all components are regularly updated with automated mechanisms.

%23%20**OWASP%20Top%2010%20-%202021**

Floating topic

em


# **OWASP Top 10 - 2021**

Identification and Authentication Failures

### 4. **Mitigation Strategies**
- **Implement Account Lockout Mechanisms**

- **Approach**:

- Notify users of lockout events.

- Lock account after 3-5 failed login attempts.

- **Secure Session Cookies**

- **Best Practices**:

- Regenerate session IDs upon login and logout.

- Set short expiration times for session cookies.

- Use Secure and HttpOnly flags.

- **Use Multi-Factor Authentication (MFA)**

- **Methods**:

- Something you are (biometric verification).

- Something you have (smartphone, hardware token).

- Something you know (password).

- **Enforce Strong Password Policies**

- **Requirements**:

- Inclusion of uppercase, lowercase, numbers, and symbols.

- Minimum length (e.g., 8-12 characters).

### 3. **Potential Risks**
- **Identity Theft**

- Misuse of stolen credentials for malicious purposes.

- **Data Breaches**

- Exposure of sensitive information.

- **Unauthorized Account Access**

- Attackers can impersonate legitimate users.

### 2. **Common Vulnerabilities**
- **Weak Credentials**

- **Impact**: Easy for attackers to gain access.

- **Examples**: "123456", "password", "qwerty".

- **Description**: Users often choose weak passwords.

- **Weak Session Cookies**

- **Example**: Using simple sequences or predictable IDs.

- **Consequences**: Attackers can forge session cookies.

- **Description**: Cookies with predictable values.

- **Brute Force Attacks**

- **Tools Used**: Password cracking tools (e.g., Hydra, Burp Suite).

- **Description**: Automated attempts to guess passwords.

- **Session Management**
- **Session Cookies**:

- Used to maintain state in stateless HTTP communication.

- Stored in the user's browser.

- Created upon successful authentication.

- **Definition**: Mechanism for tracking user sessions.
- **Authentication**
- **Common Methods**:

- OAuth (third-party login)

- Biometric (e.g., fingerprint, facial recognition)

- Username and Password

- **Definition**: Process of verifying user identities.

### Vulnerable and Outdated Components

- Monitor for known vulnerabilities in used software.
- Implement automated update mechanisms.
- Regularly update all software components.
- A single missed update can expose the system to multiple vulnerabilities.
- Attackers can exploit these vulnerabilities easily using existing exploits (e.g., from Exploit-DB).
- This version is known to have an unauthenticated remote code execution (RCE) vulnerability.
- A company uses an outdated version of WordPress (e.g., 4.6).
- Use of software with well-known vulnerabilities due to lack of updates.

### Security Misconfiguration

### Prevention
- Disable debugging features in production.
- Conduct regular audits.
- Use configuration management tools.
### Debugging Interfaces
- **Risk**

- Exposed debugging features can be exploited by attackers.

- **Example: Patreon Hack (2015)**

- Open debug interface allowed arbitrary code execution.

- Can lead to further vulnerabilities, like unauthorized access and command injection.
- **Common Examples**
- Missing HTTP security headers.
- Detailed error messages exposing system info.
- Default accounts with unchanged passwords.
- Enabled unnecessary features.
- Poorly configured cloud permissions (e.g., S3 buckets).
- Vulnerabilities from improper security configurations, even in updated software.

### Insecure Design

2. **Causes**
- **Difficulty of Fixing Insecure Design:**

- Addressing insecure design often requires a substantial redesign of the application, which can be complex and time-consuming compared to fixing a simple coding error.

### Prevention Strategies

1. **Implementing SSDLC:**

- A Secure Software Development Lifecycle (SSDLC) integrates security at each phase of development, ensuring that vulnerabilities are considered throughout the process.

1. **Threat Modeling:**

- Conduct thorough threat assessments during the design phase to identify potential vulnerabilities early.

2. **Vulnerability Exploitation**

- **Brute-Forcing Process:**

- With 4000 IPs, an attacker could theoretically test all codes, making the attack feasible using cloud services.

- Rate limiting applies per IP address. An attacker could use multiple IP addresses to bypass the limit.

- Attackers can try different 6-digit codes (1,000,000 possible combinations).

1. **Instagram Case Study**

- **Rate Limiting:** To prevent brute-forcing (guessing the code), Instagram implemented a rate limit—blocking further attempts after 250 failed tries from a single IP address.

- **Password Reset Mechanism:** Users can reset forgotten passwords by entering a 6-digit code sent via SMS.

- **Developer Shortcuts:** Sometimes, developers might disable security features (e.g., one-time passwords) to simplify testing. If these shortcuts are not re-enabled in production, it creates vulnerabilities.
- **Improper Threat Modeling:** Failing to adequately assess potential threats and risks during the planning stages can lead to insecure design.
### Example: Insecure Password Resets
- Insecure design refers to vulnerabilities that arise from the fundamental architecture or concept of an application. Unlike implementation flaws (like coding errors), these vulnerabilities are rooted in poor planning or flawed ideas during the design phase.

Main topic

### Injection

### Command Injection

- Attackers gain control over the server, allowing file listing, system reconnaissance, and more.

- **Exploiting the Vulnerability**

- Example payloads:

- `$(ps -ef)`

- `$(uname -a)`

- `$(ifconfig)`

- `$(id)`

- `$(whoami)`

- Use bash inline commands: `$(your_command_here)`.

- **Vulnerability Details**

- Allows injection of additional commands.

- User input directly used in command execution (`$cow` and `$mooing`).

- Code snippet is vulnerable to command injection:

```

?>

}

if (isset($_GET["mooing"])) {

passthru("perl /usr/bin/cowsay -f $cow $mooing");

if(isset($_GET["cow"]))

$cow = $_GET["cow"];

$cow = 'default';

$mooing = $_GET["mooing"];

```php

- MooCorp’s web app uses the `cowsay` command for ASCII art.

- **How It Works**

- Attackers manipulate these calls to run unauthorized commands.

- Server-side code (e.g., PHP) calls console functions directly.

- A vulnerability allowing attackers to execute arbitrary OS commands on a server via user input.

- **Libraries and Tools**
- Utilize libraries that automate input validation and sanitization
- **Main Defense Strategies**
- **Stripping Input**

- Remove dangerous characters from user input

- **Allow List**

- Reject unsafe inputs with an error

- Compare input against a list of safe inputs

- **Common Types**
- **Command Injection**

- Allows execution of arbitrary commands on servers

- User input passed to system commands

- **SQL Injection**

- Risk of stealing sensitive data

- Potential to access, modify, or delete database information

- User input affects SQL queries

- Flaws where user input is interpreted as commands or parameters

### SQLite Example

4. **Example Data**
- **Limitations**

- Passwords not in the wordlist cannot be cracked

- Successfully recover password (e.g., "password")
- **Process**

4. Click "Crack Hashes"

3. Solve Captcha

2. Paste the hash (e.g., `5f4dcc3b5aa765d61d8327deb882cf99`)

1. Navigate to Crackstation

- **Tool Used**

- **Crackstation**

- Utilizes a massive wordlist

- Online password cracking tool

- **Hash Type**

- Weak MD5 hashes

- **Objective**

- Recover plaintext passwords from hashes

### Cracking Password Hashes
- The output might show data like:

- This represents a customer’s ID, name, credit card number, and a hashed version of their password.

- `0|Joy Paulson|4916 9012 2231 7905|5f4dcc3b5aa765d61d8327deb882cf99`

3. **Sample Commands**
- If you have a file named `example.db`, you would:

- Run `PRAGMA table_info(customers);` to see the columns, which might include:

- password (hashed password)

- creditCard (credit card number)

- custName (customer name)

- custID (customer ID)

- Run `.tables` to check for tables (e.g., `customers`).

- Run `sqlite3 example.db` to open it.

2. **Interacting with SQLite**
- To interact with an SQLite database:

- Use commands like:

- `SELECT * FROM table_name;` to view all data in a table.

- `PRAGMA table_info(table_name);` to understand the structure (columns) of a table.

- `.tables` to see the available tables.

- Use the command `sqlite3 ` to open the database.

1. **SQLite Database**
- SQLite is a popular format for flat-file databases. It’s lightweight and can be accessed through various programming languages.

### Cryptographic Failures

### Flat-File Databases
3. **Vulnerability: Sensitive Data Exposure**

- If a flat-file database is stored in a publicly accessible location (like the root directory of a website), unauthorized users can download it. This poses a serious risk because the database may contain sensitive information (e.g., user names, passwords, credit card details).

2. **Common Use**

- Often used in **small web applications** where simplicity is key. They allow for quick data storage and retrieval without needing a full database server.

1. **Definition**

- **Flat-file databases** are simple databases stored as a single file on a computer. Unlike traditional databases that run on servers (like MySQL), they don’t require complex setups.

- **Common Vulnerabilities**
- Sensitive data sometimes found directly on web servers
- Simpler vulnerabilities that can be exploited without advanced knowledge
- **Attack Techniques**
- **Man-in-the-Middle Attacks**

- Exploiting weak encryption or lack of encryption

- Intercepting data through compromised connections

Subtopic
- **Consequences of Failures**
- Accidental disclosure of sensitive data

- Technical data (usernames, passwords)

- Personal data (names, dates of birth, financial info)

- **Importance of Cryptography**
- **Data Protection**

- **Data at Rest**

- Encryption of stored emails to prevent unauthorized access by providers

- **Data in Transit**

- Prevents eavesdropping on network traffic

- Encryption of communications between client and server

- Provides confidentiality at multiple levels in web applications
- Vulnerabilities from misuse or lack of cryptographic algorithms

1. Broken Access Control

- **Key Takeaway**
- **Key Insight**

- Problem lies in lack of validation on ownership of the referenced object.

- **Vulnerability**

![image.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/6ce9d646-badd-4b4f-a33f-a00f5b10af94/75bfd7f4-ab60-4d47-86ba-2149dd8ee49a/image.png)

- Accessing other users' bank information

- Changing ID parameter (e.g., `id=222222`)

- **Example Scenario**

![image.png](https://prod-files-secure.s3.us-west-2.amazonaws.com/6ce9d646-badd-4b4f-a33f-a00f5b10af94/954b03da-6849-4417-b68c-9be2ea8480ed/image.png)

-

- User accesses own bank details

- URL structure: `https://bank.thm/account?id=111111`

- **Mechanism**

- Exposure of Direct Object References (e.g., user IDs, account numbers)

- Access control vulnerability allowing unauthorized resource access

### Insecure Direct Object Reference (IDOR)
- Broken access control compromises data security and user trust.
- **Example Case**
- 2019 vulnerability in YouTube

- Reconstructed the video despite privacy settings

- Attacker accessed private video frames

- **Consequences**
- Access unauthorized functionality
- View sensitive information
- **Definition**
- Failure in access controls allowing unauthorized access