@avicoder
Created March 21, 2016 03:26
####Injection

  • Injection is not only SQL: LDAP, XPath, mail header, OS command and NoSQL injection all follow the same pattern.

  • Untrusted input is concatenated into a query or command so that it changes the structure of the query instead of being treated as data.

  • Typical impact: data exfiltration (reading rows or tables the page was never meant to show), data modification, sometimes code execution on the database host.

  • Defences:

    • Validate input against a whitelist. Escaping alone (e.g. mysqli_real_escape_string()) is an unreliable fix, because a character-set mismatch between the application and the database connection can defeat the escaping; at least set the connection charset explicitly (UTF-8).
    • Parameterized SQL statements (prepared statements): keep the query text separate from the input data, and type cast each parameter.
      • Pass the ID as a bound parameter rather than building it into the query string; the database then never parses it as SQL.
    • Fine-tune DB permissions: use separate accounts for the public site and the admin site, and apply the principle of least privilege so a successful injection cannot read or change more than that page needs.
    • Example: the Sony Pictures breach (SQL injection).
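The two defences above side by side, as an added example (not code from the gist): a lookup built by string concatenation, the same lookup with a type-cast bound parameter, and the tautology and UNION payloads that separate them. The in-memory SQLite table and its three rows are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database (in memory) so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the query by concatenation: the input is parsed as SQL."""
    sql = "SELECT id, username FROM users WHERE id = " + str(user_id)
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Type-casts the parameter, then binds it: the value is never parsed as SQL."""
    uid = int(user_id)            # "1 OR 1=1" fails here with ValueError
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (uid,)).fetchall()


def find_by_name_vulnerable(conn, username):
    """String parameter, still concatenated: a quote breaks out of the literal."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, username):
    """Bound string parameter: quotes and keywords inside it stay data."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Tautology: every user comes back instead of one.
    print(lookup_vulnerable(db, "1 OR 1=1"))
    # UNION-based exfiltration: the email column is pulled out through the username slot.
    print(lookup_vulnerable(db, "1 UNION SELECT id, email FROM users"))
    # The same payloads against the parameterized versions.
    print(find_by_name_safe(db, "' OR '1'='1"))
    try:
        lookup_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The UNION case is what "data exfiltration" looks like in practice: the injected query reads a column the page never displays. The least-privilege defence limits this further, since a database account that can only read `users.id` and `users.username` cannot return `email` even when the injection succeeds.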

####Broken Authentication and Session management.

Session hijacking (session fixation is one way to achieve it)

  • An attacker obtains a valid session and impersonates the victim

    • Hijack the user's session
    • Now the attacker can send requests as the victim
    • Auth cookie theft
      • Exploit an XSS flaw (read document.cookie)
      • Retrieve it from the victim's PC
      • Sniff it over the network (plain HTTP)
    • Session ID theft
      • Shared links that carry the session ID in the URL
      • Logs (URLs with session IDs end up in server, proxy and Referer logs)
    • Session fixation: the attacker plants a session ID they know before the victim logs in, then reuses it once it becomes authenticated
    • Account management attacks
      • Login, registration, password reset
  • Defences

    • Protect the cookies
      • HttpOnly flag (script cannot read the cookie)
      • Secure flag (cookie is only sent over HTTPS)
    • Decrease the window of risk
      • Expire sessions quickly
      • Issue a new session ID at login
      • Re-challenge the user (re-enter the password) on key actions like password reset or account deletion
    • Harden account management
      • Allow or encourage strong passwords
      • Implement login rate limiting and lockouts
      • Grow the lockout delay exponentially with repeated failures
  • Example: Apple hack (iMessage, Wi-Fi)
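The session-management defences listed above, as an added example that is not from the gist: a server-side session store that issues a fresh ID at login (defeats fixation) and expires idle sessions, the Set-Cookie line with the HttpOnly and Secure flags, and a per-account login throttle whose lockout doubles on each failure. The 15-minute idle timeout and the 1s/3600s delay bounds are assumptions chosen for the example.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_IDLE_SECONDS = 15 * 60      # assumption: 15-minute idle timeout


class SessionStore:
    """Server-side session table keyed by an unguessable ID."""

    def __init__(self):
        self._sessions = {}          # sid -> {"user": str | None, "last_seen": float}

    def create_anonymous(self, now):
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def login(self, old_sid, user, now):
        """Issue a fresh ID at authentication: a fixated pre-login ID never
        becomes an authenticated one."""
        self._sessions.pop(old_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def user_for(self, sid, now):
        """Logged-in user, or None if the session is unknown, anonymous or idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > SESSION_IDLE_SECONDS:
            del self._sessions[sid]              # expire: shrink the window of risk
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie line with the flags that close the two common theft routes."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True       # not readable from document.cookie (XSS theft)
    c["sid"]["secure"] = True         # never sent over plain HTTP (sniffing)
    c["sid"]["samesite"] = "Lax"      # not attached to cross-site POSTs
    c["sid"]["path"] = "/"
    return c.output(header="Set-Cookie:")


class LoginThrottle:
    """Exponential lockout per account: 1s, 2s, 4s ... up to a cap."""

    def __init__(self, base_delay=1.0, cap=3600.0):
        self._base = base_delay
        self._cap = cap
        self._state = {}              # username -> (failures, locked_until)

    def allowed(self, username, now):
        _, locked_until = self._state.get(username, (0, 0.0))
        return now >= locked_until

    def record_failure(self, username, now):
        failures, _ = self._state.get(username, (0, 0.0))
        failures += 1
        delay = min(self._base * 2 ** (failures - 1), self._cap)
        self._state[username] = (failures, now + delay)
        return delay

    def record_success(self, username):
        self._state.pop(username, None)
```

The throttle is keyed by account rather than by source IP so that a distributed guessing campaign still hits the lockout; the cap keeps a deliberate flood of failures from locking a legitimate user out for days.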


####XSS

  • Reflected: the payload travels in the request (URL or form field) and the web server echoes it straight back in the response; nothing is stored

    • <script>alert(document.cookie)</script>
  • Stored (persistent): the payload is saved in the database and served to every user who views the page

  • Defences:

    • Validate (whitelist) the input

    • Encode the user input for the context it is output into (HTML body, attribute, JavaScript, URL)

      • &lt; is the HTML entity (escape sequence) for <: the browser displays it but does not treat it as markup
    • In client-side code use innerText or textContent instead of innerHTML (AngularJS's HTML binding writes via innerHTML)

  • Example: the Samy MySpace worm (2005).
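Output encoding per context, as an added example (not code from the gist), using the payload from the notes as constructed input: the same string reflected raw, encoded for an HTML body, encoded inside a quoted attribute, and serialized for a JavaScript context, where HTML entities would be the wrong tool.

```python
import html
import json

# The payload from the notes above, used as constructed test input.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_comment_unsafe(text):
    """Reflects the input straight into the page: the browser executes the script."""
    return "<p>" + text + "</p>"


def render_comment_safe(text):
    """HTML body context: <, >, & and quotes become entities."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def render_attribute_safe(value):
    """Attribute context: quote the attribute AND encode the quotes inside it,
    otherwise  " onmouseover="alert(1)  breaks out of the value."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'


def render_js_value(value):
    """JavaScript context: entities are not decoded inside <script>, so encode
    as a JSON string and hide the one sequence that can end the script element."""
    return json.dumps(value).replace("<", "\\u003c")


if __name__ == "__main__":
    print(render_comment_unsafe(PAYLOAD))
    print(render_comment_safe(PAYLOAD))
    print(render_attribute_safe('" onmouseover="alert(1)'))
    print("var greeting = " + render_js_value("</script><script>alert(1)</script>") + ";")
```

The point of the three safe variants is that there is no single "sanitize" call: the encoder has to match where the value lands. The `\u003c` substitution in the JavaScript case exists because the HTML parser finds `</script>` before the JavaScript engine ever sees the string.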


####Insecure Direct object reference (IDOR)

A direct reference to an internal key (account ID, file name, database row) is exposed in the URL or form, and the server does not check that the caller is allowed to use it.

  • Pulling records from the website that the user should never have access to
  • Change the ID in the URL (e.g. ?accountId=1234 to ?accountId=1235) and see someone else's data

Mitigation

  • Implement access controls: be explicit about who can access each resource, and check it server side on every request
  • Avoid predictable keys (this slows enumeration but is not a substitute for the access check)
    • Incremental numbers are enumerable
    • Natural keys (username, email, account number) are guessable

Example: Citigroup (2011): changing the account number in the URL exposed other customers' account data, and the sequential numbers made enumeration easy.


####Security Misconfiguration

  • Exposure of gateway risk: a misconfigured component is the entry point to everything behind it
  • Software is out of date: anything like code libraries, OS, web application framework, DBMS
  • Unnecessary features enabled, e.g. ports, services, pages, accounts, privileges
  • Default accounts still enabled with their default passwords unchanged
  • Error handling reveals internal information such as stack traces, source code, file paths and connection strings

Defenses:

  • Turn off features which are not required
  • Apply the principle of least privilege
  • Keep all packages up to date; update the software and libraries
  • Show users a generic error page and keep the detailed error in a server-side log that requires authorization

Example: Google dork - inurl:elmah.axd "error log for" finds ASP.NET sites whose ELMAH error log is reachable without authentication, complete with stack traces and request details


####Sensitive data Exposure

  • If the website uses plain HTTP, a man in the middle (MITM) can read and modify the traffic
  • Insufficient use of SSL/TLS
    • Login not sent over HTTPS (or the login form itself served over HTTP)
    • Cookies not sent securely (no Secure flag, so they leak on any HTTP request)
    • Mixed mode: CSS/JS loaded over HTTP into an HTTPS page lets an attacker inject script through the insecure resource
  • Bad crypto
    • Insecure password storage (plain text, unsalted fast hashes, or reversible symmetric encryption)
    • Weak algorithms (PRISM case)
    • Poor protection of keys
  • Other exposure paths
    • Browser autocomplete
    • Leaked via logs
    • Disclosure via URL (sensitive data in GET query strings ends up in browser history, server logs and the Referer header)

Defences:

  • Minimize sensitive data collection
    • You can't lose something you don't have
    • Reduce the window of storage
  • Apply HTTPS everywhere
  • Use a strong, slow, salted password hash such as bcrypt (PBKDF2 or scrypt are also acceptable)
  • Be very careful with key management

Example:

  • Tunisia, 2011: mass theft of Gmail, Yahoo and Facebook logins
    • The government injected password-stealing JavaScript into the login pages via the internet agency that controls the entire country's internet gateway
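The "insecure password storage" item next to its fix, as an added example that is not from the gist. It uses PBKDF2-HMAC-SHA256 from the standard library rather than the bcrypt the notes name, so it runs without third-party packages; the iteration count is an assumption taken from OWASP's current guidance for PBKDF2.

```python
import hashlib
import hmac
import os

# Assumption: work factor. OWASP's current guidance for PBKDF2-HMAC-SHA256 is
# 600,000 iterations. bcrypt or Argon2 (third-party packages) are the usual
# production choice; PBKDF2 is used here because it is in the stdlib.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha1(password):
    """What the notes call bad crypto: fast and unsalted, so two users with the
    same password get the same hash and one rainbow table cracks the whole table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password):
    """Per-user random salt plus slow key derivation. The parameters are stored
    with the hash so the work factor can be raised later without invalidating
    existing entries."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored, password):
    """Recomputes with the stored salt and iteration count. Constant-time
    comparison, so response time does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print("sha1  :", unsalted_sha1("password"))   # identical for every user with this password
    stored = hash_password("correct horse battery staple")
    print("stored:", stored)
    print("verify:", verify_password(stored, "correct horse battery staple"))
```

Note the shape of the stored value: algorithm, iteration count, salt and digest all travel together, which is what makes "reduce the window" style migrations possible (re-hash with a higher count on the next successful login). Symmetric encryption of passwords fails this design from the start, because whoever holds the key holds every password.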

####Missing functional level access control

  • Does the UI show navigation to unauthorized functions? (Hiding a menu item is not access control.)
  • Server-side authentication and authorization checks missing on the function itself
    • Turn off JS, or call the URL/API directly, to circumvent client-side hiding
  • System logs and admin pages available without authorization

Defences:

  • Define a clear authorization model
    • Use roles and membership, and enforce them server side in every function
  • Check for forced browsing (request the admin URLs as a low-privilege user)
  • Always test unprivileged roles
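One authorization model that covers both the IDOR section above and this one, as an added example that is not from the gist: a role check enforced inside the function (not in the UI), an ownership check on every object lookup, and a per-session indirect reference map so that guessable keys never appear in URLs. The users, invoices and role names are constructed for the example.

```python
import secrets


class Forbidden(Exception):
    """Raised for any access the caller is not entitled to."""


# Constructed data for the example.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "root": {"role": "admin"},
}
INVOICES = {
    1001: {"owner": "alice", "total": 40},
    1002: {"owner": "bob", "total": 99},
}


def require_role(role):
    """Function-level check: the function itself verifies the role, whether or
    not the UI showed a link to it."""
    def decorate(fn):
        def wrapper(actor, *args, **kwargs):
            if USERS.get(actor, {}).get("role") != role:
                raise Forbidden(f"{actor} lacks role {role}")
            return fn(actor, *args, **kwargs)
        return wrapper
    return decorate


def get_invoice(actor, invoice_id):
    """Object-level check: ownership is verified on every lookup, so changing
    the ID in the URL does not return someone else's record."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != actor:
        # Same outcome for "missing" and "not yours": no enumeration oracle.
        raise Forbidden(f"{actor} may not view invoice {invoice_id}")
    return inv


@require_role("admin")
def list_all_invoices(actor):
    return dict(INVOICES)


@require_role("admin")
def delete_user(actor, username):
    USERS.pop(username, None)
    return username not in USERS


class ReferenceMap:
    """Per-session indirect references: the client sees random tokens, the
    server maps them back to real keys. This keeps enumerable IDs out of URLs;
    it complements get_invoice(), it does not replace the check."""

    def __init__(self):
        self._token_to_key = {}
        self._key_to_token = {}

    def token_for(self, key):
        if key not in self._key_to_token:
            tok = secrets.token_urlsafe(16)
            self._key_to_token[key] = tok
            self._token_to_key[tok] = key
        return self._key_to_token[key]

    def resolve(self, token):
        return self._token_to_key.get(token)


def view_invoice_by_token(actor, refs, token):
    """Handler as a request would hit it: resolve the token, then still enforce
    ownership on the real key."""
    key = refs.resolve(token)
    if key is None:
        raise Forbidden("unknown reference")
    return get_invoice(actor, key)
```

The "always test unprivileged roles" item maps directly onto the assertions you would write against this: call every admin function and every object lookup as a plain user and expect `Forbidden`, not a 200.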

####Cross site request forgery

  • The victim's browser is tricked (by a link, image or auto-submitting form on an attacker's page) into sending a state-changing request to a site where the victim is logged in; the browser attaches the session cookie automatically, so the request looks legitimate to the server.

Defences:

  • Employ anti-forgery tokens: a secret value tied to the session, sent in the form and verified on the server, which the attacker's page cannot read
  • Validate the Referer (or Origin) header
  • CORS (Cross-Origin Resource Sharing): note that CORS only restricts cross-origin reads of responses; it does not block a simple cross-site form POST, so it is not a CSRF defence on its own
  • Fraud detection techniques, as used by banks
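The first two defences combined in one handler, as an added example that is not from the gist: an anti-forgery token bound to the session with an HMAC, and a Referer/Origin check. The server secret, the site origin `https://bank.example` and the transfer form are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions for the example: a per-deployment secret and the site's own origin.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id):
    """Token = nonce.HMAC(secret, session_id:nonce). Embedded in the form as a
    hidden field; an attacker's page cannot read it (same-origin policy) and
    cannot forge one for a session it does not know (HMAC)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    try:
        nonce, mac = token.split(".")
    except (ValueError, AttributeError):
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def origin_check(headers):
    """Referer/Origin validation. Origin is preferred (no path, sent on POST);
    Referer is the fallback. Policy here: a state-changing request that
    carries neither header is rejected."""
    source = headers.get("Origin")
    if source is None:
        ref = headers.get("Referer")
        if ref is None:
            return False
        parts = urlsplit(ref)
        source = f"{parts.scheme}://{parts.netloc}"
    return source == SITE_ORIGIN


def handle_transfer(session_id, headers, form):
    """Defence in depth: the header check and the token must both pass."""
    if not origin_check(headers):
        return (403, "cross-site request rejected")
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return (403, "missing or invalid anti-forgery token")
    return (200, f"transferred {form['amount']} to {form['to']}")
```

Binding the token to the session is what stops an attacker from obtaining a valid token under their own account and submitting it in the victim's form; the nonce keeps each issued token distinct without the server having to store them.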

####Using Components with known vulnerabilities

  • Exploitation of a vulnerable component

    • Libraries and frameworks (server side and client-side JS)
    • LFI (local file inclusion) and similar bugs in third-party plugins
  • Defences:

    • Identify the components in use and their versions (keep a dependency inventory)
    • Keep them updated and watch the CVE feeds for them
  • Example:

    • WordPress, brute force
    • No brute-force protection on the login out of the box

####Unvalidated redirects and forwards

  • A redirect parameter (e.g. ?returnUrl=...) that accepts any destination lets an attacker craft a link on the trusted domain that lands on a site of their choosing.
  • Could be used to spread malware or phish credentials under the trusted site's name.

Defences:

  • Use a whitelist approach: only redirect to hosts or paths you explicitly allow
  • Use indirect references: map an ID or natural name to the URL server side instead of accepting a raw URL
  • Check the Referer
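Both redirect defences as an added example that is not from the gist: a whitelist validator for a raw returnUrl, covering the bypasses that usually defeat a naive "starts with /" check (protocol-relative `//host`, backslashes, `scheme:host` without slashes, `user@host`, CRLF), and a name-to-URL map for the indirect-reference approach. The allowed hosts and the named destinations are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumptions for the example: hosts this site may redirect to, and the
# named-destination map used by the indirect-reference approach.
ALLOWED_HOSTS = {"www.example.com", "example.com", "help.example.com"}
REDIRECT_MAP = {
    "home": "/",
    "account": "/account/overview",
    "help": "https://help.example.com/",
}
DEFAULT_TARGET = "/"


def is_safe_redirect(target):
    """Whitelist check for a user-supplied redirect URL."""
    if not target or any(ch in target for ch in "\r\n\x00"):
        return False                               # header injection / garbage
    target = target.replace("\\", "/")            # browsers treat \ as /
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                               # javascript:, data:, ...
    if parts.netloc:
        # .hostname strips user:pass@, the port and case before the comparison
        return parts.hostname in ALLOWED_HOSTS
    if parts.scheme:
        return False                               # e.g. "https:evil.example.net"
    # Relative path: exactly one leading slash ("//" and "///" are host-relative)
    return target.startswith("/") and not target.startswith("//")


def resolve_redirect(param):
    """Named destination first, then a whitelisted URL, else the default."""
    if param in REDIRECT_MAP:
        return REDIRECT_MAP[param]
    if is_safe_redirect(param):
        return param
    return DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ("/account", "https://www.example.com/x", "//evil.example.net",
                      "/\\evil.example.net", "https:evil.example.net", "javascript:alert(1)",
                      "https://www.example.com@evil.example.net/", "help"):
        print(f"{candidate!r:45} -> {resolve_redirect(candidate)}")
```

The named map is the stronger of the two: the client only ever sends `help` or `account`, so there is no URL to validate at all. The validator exists for the cases where a raw URL genuinely has to be accepted, and its edge cases are exactly the ones the notes' "whitelist" bullet hides.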

##Notes: CVE: Common Vulnerabilities and Exposures.
