
Introduction to OWASP 2013 By Jay Vardhan and Parichay Rai | Lucideus Tech Internship


Paper documentation by interns Jay Vardhan and Parichay Rai, covering all of the OWASP Top 10 2013. Authors: Parichay Rai: https://twitter.com/Parichay_Rai ; Jay Vardhan: https://twitter.com/Silent_Screamr


“VULNERABLE WORLD”

“OWASP TOP 10”


OWASP (Open Web Application Security Project)

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization. Its main goal is to improve the security of application software. Its motto is to make application security visible, so that people and organizations can make informed decisions about application security risks. Everyone is free to participate in OWASP, and all of the materials are available under a free and open software license.

OWASP is not affiliated with any organization or technology and supports the informed use of commercial security technology. OWASP produces many types of materials in a collaborative, open way. OWASP follows these principles:

Principles

Free & Open
Governed by rough consensus & running code
Abide by a code of ethics (see ethics)
Not-for-profit
Not driven by commercial interests
Risk based approach

In 2013 OWASP introduced its Top 10 web application vulnerabilities, an updated version of the 2007 list. The primary goal of the OWASP Top 10 is to educate developers, designers, security engineers, managers and organizations about the consequences of the most important web-application security weaknesses, and to provide guidelines to mitigate these security issues.

Here is the list of the OWASP Top 10 vulnerabilities:

A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards


A1- INJECTION

SQL injection is one of the top vulnerabilities in web applications. In the 2013 OWASP Top Ten it holds the top position, as it did in the 2010 list. SQL injection is an application-layer attack through which an attacker can steal an organization's entire data set. In this attack the attacker adds Structured Query Language code to a web application's input in order to gain access to resources or to change data.

There are many types of injection, such as LDAP injection, XML injection, XPath injection, OS command injection and HTML injection. The risk from SQL injection is now high due to the availability of automated tools. In the past, exploitation was carried out manually, with the attacker typing the SQL statement into the input box.

An example of SQL injection: here is an HTML form with two inputs, login and password.

<form method="post" action="http://www.example.com/login.asp">
  <input name="Name" type="text" id="Name">
  <input name="Pass" type="password" id="Pass">
</form>

At the back end the query looks like:

SELECT id
FROM logins
WHERE username = '$username'
AND password = '$password'

Here $username and $password are taken directly from the user's input, so the query can easily be compromised. Suppose the user name is "admin" and anything' OR '0'='0 is provided in the password box. The query then looks like:

SELECT id
FROM logins
WHERE username = 'admin'
AND password = 'anything' OR '0'='0'

Because the web application's input is not properly sanitized, the injected single quote has turned the WHERE clause into a two-part condition, and the second part ('0'='0') is always true.

This allows the attacker to bypass the login form without knowing a valid username and password.


Prevention From SQL Injection

SQL injection can be prevented if the input from users is validated against a set of rules for length, type and syntax. Ensure that the application's database user has the least privileges needed. If you allow the single quote ( ' ) through validation, you should sanitize the input data; sanitizing means transforming it into "non-threatening" data. To sanitize the single quote you can use HTML encoding or URL encoding: in HTML encoding ( ' ) becomes ( &quote; ) and in URL encoding it becomes (%27). When you sanitize input by encoding it, make sure you decode the string before it is displayed to the user, because it is annoying for anyone whose user name is "Shaun O'Corner" to see it displayed as "Shaun O%27Corner" or "Shaun O&quoteCorner".
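As an added example (not from the paper), the login query above built by string concatenation beside a parameterised version, both run against a constructed in-memory SQLite table; the table contents and the password value are assumptions, and a real table would hold a password hash rather than the password.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the paper's `logins` table (one admin row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO logins (id, username, password) VALUES (1, 'admin', 's3cret-demo')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Same shape as the query in the text: the quote inside the password ends
    # the string literal and the remainder is parsed as SQL.
    sql = ("SELECT id FROM logins WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterised query: values travel separately from the statement, so the
    # quote is just a character inside the string being compared.
    sql = "SELECT id FROM logins WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


PAYLOAD = "anything' OR '0'='0"   # the password-box input from the text


def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, "admin", PAYLOAD),   # logs in as id 1
        "safe": login_safe(conn, "admin", PAYLOAD),               # None: no such password
        "safe_correct": login_safe(conn, "admin", "s3cret-demo"), # real credentials still work
    }
```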

References:- http://www.owasp.com, http://bretthard.in, http://www.codeproject.com, http://www.hosting.com, http://w3schools.com

A2- Broken Authentication and Session Management

According to OWASP “Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.”

Authentication validates that a user may access the desired webpage. The most common authentication schemes involve an identifier such as "userid" or "sid" together with a password. Authentication vulnerabilities occur when the programmer fails to deploy proper authentication methods.

Session management vulnerabilities occur when the programmer fails to secure the user's sensitive session data, such as "sessionid", "userid", "authentication_token" or "session_token".

Example of broken authentication:-

In this example we have used the Mutillidae web application provided by OWASP.

Step 1- Create an account and log in; the application assigns you a uid.

Here you can see we have logged in as "fred" with uid = 17, as shown in the red circle.

Step 2- Now create another account and log in.


As you can see in the red circle, Sam is logged in with uid = 18.

Step 3- In Sam's session, change uid = 18 to 17 using Cookie Manager, the Firefox add-on, and refresh the page.

When you refresh the page you are logged in to Fred's account.

Example of session management:-

Step 1- Create an account on any website and log in.
Step 2- While logged in, copy the cookie using the "export cookie" extension, save it in a notepad file, and then log out.
Step 3- After a few hours, import the same cookie using the "import cookie" extension. If you are logged in again, the cookie had not expired, and a victim whose cookie was copied would lose control of his account.

Prevention From Broken Authentication and Session Management

Protecting the cookie or session is very important: if the cookie is not secured, the attacker can hijack the victim's cookie and gain access to the victim's account. To prevent these types of vulnerabilities, first ensure that SSL (Secure Socket Layer) is implemented and working properly, and verify that the user's credentials, that is username, password, sessionid and userid, are stored in hashed form.
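As an added example (not from the paper or Mutillidae), a server-side session store that addresses both walk-throughs above: the cookie carries only a random token, so editing a uid has no effect, and sessions expire on idle timeout and on logout, so an exported cookie stops working. The timeout value and the clock values are assumptions.

```python
import secrets

IDLE_TIMEOUT = 30 * 60   # seconds; an assumed policy value for the demo


class SessionStore:
    """Server-side session table. The cookie carries only an unguessable random
    token; uid and last-seen time live here, where the client cannot edit them."""

    def __init__(self):
        self._sessions = {}

    def create(self, uid, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"uid": uid, "last_seen": now}
        return token

    def resolve(self, token, now):
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]        # an exported cookie dies with the session
            return None
        s["last_seen"] = now
        return s["uid"]

    def logout(self, token):
        self._sessions.pop(token, None)


def parse_cookie(header):
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return dict(pairs)


def current_user(store, cookie_header, now):
    # Only the opaque token is consulted; a client-supplied "uid=" cookie is ignored.
    return store.resolve(parse_cookie(cookie_header).get("session", ""), now)


def demo():
    store = SessionStore()
    t0 = 1_700_000_000                           # constructed clock value
    fred = store.create(17, t0)                  # uids from the walk-through above
    sam = store.create(18, t0)
    r = {}
    r["fresh"] = current_user(store, f"session={fred}", t0 + 60)
    # Sam adds a forged uid cookie beside his own token: the uid is ignored.
    r["tampered_uid"] = current_user(store, f"session={sam}; uid=17", t0 + 61)
    # A guessed token of the right shape resolves to nobody.
    r["guessed_token"] = current_user(store, "session=" + "A" * 43, t0 + 62)
    # Logging out invalidates the token server-side even inside the timeout.
    store.logout(sam)
    r["after_logout"] = current_user(store, f"session={sam}", t0 + 63)
    # Fred's exported cookie is replayed hours later: the idle timeout has passed.
    r["replayed_later"] = current_user(store, f"session={fred}", t0 + 5 * 3600)
    return r
```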

References:- http://www.owasp.com, http://bretthard.in, https://hackerone.com/reports/284, http://kb.entersoft.co.in/ and the OWASP Mutillidae web application.


A3- Cross Site Scripting (XSS)

XSS (Cross-Site Scripting) is one of the most common and most easily exploited vulnerabilities in a website. XSS is like the cockroaches of the web, always lurking in some corner of a website regardless of the site's size, its popularity or the sophisticated security team that has been working hard to secure it.

XSS is often described as HTML injection. An XSS attack rewrites the source code of the page, and it generally happens where the website asks for user input, such as the username a user wants, the user's email address, or payment details. Let's take the example of a search box on a website. A user gives some input to this search box and gets the desired result; the search is usually related to their own interests, for instance a favorite book, CD or movie.

Now, if a user searches for the movie named Dhoom3, this search term is copied into various places in the HTML source code of the results page.

Note: the XSS vulnerability comes into the picture when the user is allowed to use HTML characters as input to the search query. So, what if we change our search query to something nastier?

Dhoom3<script>alert('Dhoom machale')</script>

This won't show up as Dhoom3<script>alert... in the output; instead the browser will show a pop-up saying "Dhoom machale".


Pop-ups are the most common demonstration of XSS. There are many more things an attacker can do once he finds an XSS bug, by using a variety of payloads which can help him in:

1:- Stealing cookies, letting him impersonate the victim
2:- Capturing keystrokes
3:- Defacing a website
4:- Redirecting to a malicious site

Prevention

Your website can be protected from such attacks simply by encoding the HTML special characters before they are written into the page:

eg:
& -> &amp;
< -> &lt;
> -> &gt;
" -> &quot;
' -> &#x27;
/ -> &#x2F;

For this, you can use the htmlspecialchars() function in PHP. It converts these special characters to their HTML entities, so that injected tags are displayed as text rather than interpreted by the browser.
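As an added example (not from the paper), the encoding table above implemented as a function, applied to the search-box payload from the text and to the "Shaun O'Corner" name from the A1 prevention section to show the encode-then-decode round trip; the results-page template is constructed.

```python
import html

# The page's table, applied in this order: '&' first, so the entities produced
# for the other five characters are not themselves re-encoded.
HTML_ESCAPES = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
                ('"', "&quot;"), ("'", "&#x27;"), ("/", "&#x2F;")]


def escape_html(text):
    """Encode the six characters the A3 prevention table lists (the same set as
    PHP's htmlspecialchars with ENT_QUOTES, plus '/')."""
    for ch, entity in HTML_ESCAPES:
        text = text.replace(ch, entity)
    return text


SEARCH_PAGE = "<p>You searched for: {query}</p>"   # constructed results template


def render_unsafe(query):
    return SEARCH_PAGE.format(query=query)          # reflects the input verbatim


def render_safe(query):
    return SEARCH_PAGE.format(query=escape_html(query))


def round_trips(text):
    """Encoding is reversible, so a name like "Shaun O'Corner" can be decoded
    before display rather than shown as O&#x27;Corner."""
    return html.unescape(escape_html(text)) == text


PAYLOAD = "Dhoom3<script>alert('Dhoom machale')</script>"   # search input from the text
```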

References:- http://www.owasp.com, OWASP_Testing_Guide_v3


A4- Insecure Direct Object Reference

According to OWASP “A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.”

An insecure direct object reference is the flaw where a web application exposes an internal implementation object to the user, such as a database key, file, directory or internal id in the URL, which the attacker can manipulate to gain access to another user's data. The most common form of insecure direct object reference is directory traversal.

Here is an example on a demo site: http://demo.testfire.net

http://demo.testfire.net/default.aspx?content=business_deposit.htm

Now replace the content value "business_deposit.htm" with something like:

http://demo.testfire.net/default.aspx?content=../../../../../../../../../../../../../../etc/passwd.txt

Above, in the red circle, you can see "directory D", which has become readable by the attacker.
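As an added example (not from the paper or the demo site), server-side handling of a content parameter like the one above: a direct file name is accepted only if it is a bare, allow-listed file inside the content directory, and the preferred alternative maps an indirect key to a file so no file name is taken from the client at all. The directory, key names and file names are assumptions.

```python
import os
import posixpath
from urllib.parse import unquote

CONTENT_ROOT = "/var/www/content"          # assumed directory holding the .htm pages
ALLOWED_EXT = {".htm", ".html"}

# Indirect reference map (the OWASP-recommended fix): the client sends a key, the
# server chooses the file. Keys and file names here are constructed.
CONTENT_MAP = {"deposit": "business_deposit.htm", "checking": "business_checking.htm"}


def resolve_content(param):
    """Return the absolute path to serve for ?content=<param>, or None to refuse."""
    name = unquote(param or "")
    if not name or "\x00" in name:            # empty, or a NUL-byte truncation attempt
        return None
    if "/" in name or "\\" in name:           # a bare file name never contains separators
        return None
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        return None
    candidate = posixpath.normpath(posixpath.join(CONTENT_ROOT, name))
    # Defence in depth: after normalisation the file must still be under the root.
    if posixpath.commonpath([CONTENT_ROOT, candidate]) != CONTENT_ROOT:
        return None
    return candidate


def resolve_indirect(key):
    """Look the key up in CONTENT_MAP instead of trusting a file name at all."""
    name = CONTENT_MAP.get(key)
    return resolve_content(name) if name else None
```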

References:- http://www.owasp.com, http://www.cyberintruder.com, http://stackoverflow.com, http://www.blackstratus.com


A5- Security Misconfiguration

Security misconfiguration is one of the OWASP Top Ten web application vulnerabilities; it gives an attacker unauthorized access to system data or functionality. Security misconfiguration can happen at any level of the application stack, including the platform, web server, application server, framework and source code. Automated tools are very useful for detecting this vulnerability.

The image above shows the server banner "Apache Tomcat/6.0.16".

If an attacker finds a security vulnerability associated with Apache Tomcat/6.0.16, he can easily exploit it using Metasploit.

References:- http://www.owasp.com, http://www.davrohini.org/user/left.jsp, http://projects.webappsec.org


A6- Sensitive Data Exposure

A simple robots.txt file is used to stop certain web crawlers from indexing content, whether they are browsers or bots such as Googlebot. This file is generally placed in the root folder.

To access robots.txt, just type:

http://www.example.com/robots.txt

Since everyone can read it, an attacker can gain sensitive information if it is stored in robots.txt. Many of you may still be wondering what is actually stored in robots.txt. In simple words, robots.txt is a file that lists the paths that must not be crawled by bots. It tells the search engine that these directories are private and should not be crawled.

A very common error that we frequently see while surfing the internet is HTTP 404 Not Found. This error can at times reveal a lot of useful information about the underlying web server, for example:

Not Found

The requested URL was not found on this server.
Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g Server at localhost Port 80

This error message is produced by requesting a page that does not exist on the server, that is, a non-existent URL. As you can clearly see above, along with the normal error message, a lot of information about the web server version and the OS is revealed.

Let's take another example:

Microsoft OLE DB Provider for ODBC Drivers (0x80004005) [DBNETLIB][ConnectionOpen(Connect())] - SQL server does not exist or access denied

Here 0x80004005 is a generic IIS error code which indicates that the server cannot connect to the database. In many cases the error message will reveal the type of database. Let's now test IIS and ASP.NET error handling.

Fire up your browser and request a random page, for example http://www.random.com/anyrandomname.asp

If the server returns a page-not-found response like:

HTTP 404 - File not found
Internet Information Services

this means that IIS custom errors are not configured properly. Now try http://www.random.com/anyrandomname.aspx

If the server returns "Server Error in '/' Application. The resource cannot be found.", then:

custom errors for .NET are not configured.
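As an added example (not from the paper) serving both the A5 banner discussion and the A6 error-page walk-through, a small scanner that runs the disclosure signatures quoted in those sections over raw HTTP responses; the responses below are constructed to mirror the paper's examples plus one hardened server.

```python
import re

# Signatures of version/stack disclosure, drawn from the banners and error
# pages quoted in the A5 and A6 sections.
DISCLOSURE_PATTERNS = {
    "server-version-header": re.compile(r"^Server:\s*\S+/\d[\w.]*", re.I | re.M),
    "apache-signature":      re.compile(r"Apache/\d[\w.]*.*Server at", re.I),
    "tomcat-banner":         re.compile(r"Apache Tomcat/\d[\w.]*", re.I),
    "iis-default-404":       re.compile(r"HTTP 404\s*-\s*File not found", re.I),
    "aspnet-error-page":     re.compile(r"Server Error in '/' Application", re.I),
    "db-error-detail":       re.compile(r"OLE DB Provider|\[DBNETLIB\]|0x80004005", re.I),
}


def find_disclosures(response_text):
    """Return the sorted names of every disclosure pattern found in a raw response."""
    return sorted(n for n, rx in DISCLOSURE_PATTERNS.items() if rx.search(response_text))


# Constructed raw responses modelled on the examples in the text.
SAMPLES = {
    "apache": ("HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.3 (Unix)\r\n\r\n"
               "<h1>Not Found</h1><p>The requested URL was not found on this server.</p>"
               "<address>Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.7g Server at "
               "www.example.com Port 80</address>"),
    "tomcat": ("HTTP/1.1 404 Not Found\r\nServer: Apache-Coyote/1.1\r\n\r\n"
               "<h3>Apache Tomcat/6.0.16</h3>"),
    "iis_asp": ("HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/6.0\r\n\r\n"
                "HTTP 404 - File not found\r\nInternet Information Services"),
    "aspnet_db": ("HTTP/1.1 500 Internal Server Error\r\nServer: Microsoft-IIS/7.5\r\n\r\n"
                  "<h1>Server Error in '/' Application.</h1>Microsoft OLE DB Provider for "
                  "ODBC Drivers (0x80004005) [DBNETLIB][ConnectionOpen(Connect())] - "
                  "SQL server does not exist or access denied"),
    # A server with ServerTokens/ServerSignature minimised and a generic error page.
    "hardened": ("HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n"
                 "<h1>Not Found</h1><p>The page you requested does not exist.</p>"),
}


def scan_all():
    return {name: find_disclosures(body) for name, body in SAMPLES.items()}
```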


A7- Missing Function Level Access Control

In a missing function level access control flaw, an attacker can directly access resources or data on the server or web application by bypassing the normal application flow or any access control check. It is a logical flaw, often the result of improper session management. Failure of function level access control can compromise a wide variety of data and resources.

Every application function should be verified against the caller's access level before its result is displayed in the user interface.

Exploiting this flaw

Step 1:- Log in to the website.
Step 2:- Intercept the request using the Tamper Data tool.
Step 3:- With userlevel=user, I get this page.
Step 4:- Now I change it to userlevel=admin.

Now you are logged in as "admin".


Prevention

1- Every function should be explicitly classified as public or private.
2- For every private function, enforce an authorization check on the server.
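As an added example (not from the paper), the pattern exploited in the walk-through above beside a hardened version: the vulnerable handler trusts a client-supplied userlevel field, while the decorator looks the role up from server-side session state so changing the field in an intercepting proxy has no effect. Session tokens and roles are constructed.

```python
import functools

# Constructed server-side session table: the role is looked up by session
# token on the server and is never read from the request.
SESSIONS = {
    "tok-user-1":  {"uid": 42, "userlevel": "user"},
    "tok-admin-9": {"uid": 1,  "userlevel": "admin"},
}


class Forbidden(Exception):
    pass


def require_level(level):
    """Decorator enforcing function-level access control on a handler."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(request):
            session = SESSIONS.get(request.get("cookies", {}).get("session"))
            if session is None or session["userlevel"] != level:
                raise Forbidden(fn.__name__)
            return fn(request)
        return wrapper
    return decorator


def admin_panel_vulnerable(request):
    # The pattern from the walk-through: trusting a client-controlled userlevel field.
    if request.get("params", {}).get("userlevel") == "admin":
        return "admin panel"
    return "403 Forbidden"


@require_level("admin")
def admin_panel(request):
    return "admin panel"


def handle(request):
    try:
        return admin_panel(request)
    except Forbidden:
        return "403 Forbidden"


# Constructed requests: a normal user who has changed userlevel=user to admin
# in an intercepting tool, and a genuine admin session.
TAMPERED = {"cookies": {"session": "tok-user-1"}, "params": {"userlevel": "admin"}}
GENUINE_ADMIN = {"cookies": {"session": "tok-admin-9"}, "params": {}}
```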

References:- http://www.owasp.com, http://www.triadsquare.com, http://www.securingthehuman.org

A8- Cross Site Request Forgery (CSRF)

CSRF (Cross-site request forgery), also called session riding or XSRF, is an attack in which the attacker fools the victim's browser into making a request that the user did not intend. This reminds me of a famous saying:

"We are what we pretend to be, so we must be careful about what we pretend to be." - Kurt Vonnegut, Mother Night.

To any website, your browser is who you are. The website recognizes you on the basis of the IP address of its traffic, the headers, the cookies and the links it requests.

CSRF exploits this mixing of identities by manipulating the victim's browser into making requests to a website on the attacker's behalf. The attacker's relation to the site is immaterial; in fact the website never sees traffic from the attacker. Some people consider a phishing attack to be CSRF, although it can only be a part of one: in a phishing attack we manipulate the user into initiating a request from the browser, whereas CSRF forces the browser itself to initiate the request. The attacker has not gained access to the victim's browser, but he has made the browser do something the user is unaware of.

So, to summarize, CSRF is an attack where the attacker crafts a link which, when requested by the victim, performs an action that benefits the attacker.


Example:

The application allows a user to submit a state-changing request that does not include anything secret:

http://example.com/app/transferfunds?amount=1500&destinationaccount=12345678

So the attacker constructs a request that will transfer money from the victim's account to the attacker's account, and then embeds this attack in an image request or iframe stored on various sites under the attacker's control:

<img src="http://example.com/app/transferfunds?amount=1500&destinationaccount=87654321">

If the victim visits any page carrying this tag while logged in, the forged request will automatically transfer funds to account 87654321.
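As an added example (not from the paper), the transfer endpoint above protected with a per-session anti-CSRF token: a GET from an image tag is refused outright, a cross-site POST without the token is refused, and only the application's own form, which carries the token, succeeds. Session and account values are constructed.

```python
import hmac
import secrets

# Constructed server-side session: the CSRF token is bound to the session.
SESSIONS = {"victim-session": {"account": "11112222", "csrf": secrets.token_hex(16)}}


def render_transfer_form(session_id):
    """Emit the legitimate form; the hidden token is what an <img src> cannot supply."""
    token = SESSIONS[session_id]["csrf"]
    return ('<form method="post" action="/app/transferfunds">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><input name="destinationaccount">'
            '<input type="submit"></form>')


def transfer_funds(request):
    """Return an HTTP status code for the state-changing request."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401
    if request["method"] != "POST":
        return 405           # GET (what an <img> or link triggers) never changes state
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403           # the cookie alone is not proof that the user intended this
    # ... debit session["account"], credit request["form"]["destinationaccount"] ...
    return 200


# Constructed requests. The browser attaches the victim's cookie to all of them.
FORGED_IMG = {"method": "GET", "cookies": {"session": "victim-session"}, "form": {},
              "query": {"amount": "1500", "destinationaccount": "87654321"}}
FORGED_POST = {"method": "POST", "cookies": {"session": "victim-session"},
               "form": {"amount": "1500", "destinationaccount": "87654321"}}


def legitimate_post():
    """What the browser sends after submitting the form from render_transfer_form."""
    return {"method": "POST", "cookies": {"session": "victim-session"},
            "form": {"amount": "1500", "destinationaccount": "12345678",
                     "csrf_token": SESSIONS["victim-session"]["csrf"]}}
```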

References:- http://www.owasp.com, http://www.w3schools.com, http://users.ece.cmu.edu/~dbrumley/courses/18487-f10/files/web-xss-csrf.pdf

A9 - Using Components with Known Vulnerabilities

Using components with known vulnerabilities is considered the most reliably successful kind of attack, because the attacker exploits vulnerabilities that are already known and documented.

Almost every application has this issue, because most developers do not focus on ensuring that their components are up to date. At times the developers do not even know all the components they are using, because a large part of the application is not actually developed in house.

Component vulnerabilities can lead to any type of risk. Components in an application always run with the full privileges of the application, so a minor flaw in a component can be serious.

A few vulnerable components were downloaded around 22 million times in 2011, so they must have been used in a large number of applications. Some of these vulnerable components are:

Apache CXF Authentication Bypass – By failing to provide an identity token, attackers could invoke any web service with full permission. (Apache CXF is a services framework, not to be confused with the Apache Application Server.)


Spring Remote Code Execution – Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server.

References:- http://www.sonatype.com/news/software-component-vulnerability-cited-as-latest-application-security-threat-in-owasp-top-ten-list-sonatype-first-to-provide-comprehensive-solution#.UtUBjlbj78M

A10- Unvalidated Redirection and Forwards

An unvalidated redirect or forward is an open redirection vulnerability: the application takes a parameter and redirects the victim to whatever site it names. Attackers exploit this by modifying the URL and sending it in phishing e-mails, causing victims to visit malicious sites inadvertently. Without proper validation, an attacker can redirect the victim to another malicious site or to a phishing page built by the attacker.

The exploit occurs when the redirect target, for example the JavaScript "document.location", is under the attacker's control. The attacker sends the victim a malicious link whose URL looks like a trusted website. When the victim clicks the link, he is redirected to the malicious site inadvertently.

PHP code for redirection:

$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);

Example 2 (.NET code), dangerous URL redirect:

String url = Request.QueryString["url"];
Response.Redirect(url);

Here is the example:

Attackers make a page with a redirect on it:

http://www.mytrustedsite.com/Redirect.aspx?Url=http://troyhunt.com


http://www.mytrustedsite.com/Redirect.aspx?Url=http://myuntrustedsite.com

On clicking the link provided by the attacker, which carries the trusted host name, the victim is redirected to the attacker's phishing page.

Prevention

Avoid using redirects and forwards. If a destination parameter is unavoidable, ensure the supplied value is valid and authorized for the user. Applications can use ESAPI to override the sendRedirect() method to make sure all redirect destinations are safe.
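As an added example (not from the paper or ESAPI), a redirect validator for the Redirect.aspx?Url= case above: it accepts only same-site paths or https URLs to the trusted host, rejecting scheme-relative, backslash and userinfo tricks, and it also shows the indirect-key approach where the client never supplies a URL at all. The trusted host is the one from the text; the map entries and default target are assumptions.

```python
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"www.mytrustedsite.com"}    # the trusted host from the example
DEFAULT_TARGET = "/"

# Indirect references: the client names a key, the server picks the URL.
# Keys and URLs here are constructed.
REDIRECT_MAP = {"home": "/", "help": "https://www.mytrustedsite.com/help"}


def safe_redirect_target(url_param):
    """Return a destination on the trusted site, or DEFAULT_TARGET if the
    supplied value would send the user somewhere else."""
    if not url_param:
        return DEFAULT_TARGET
    candidate = url_param.strip().replace("\\", "/")   # browsers treat \ like /
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL (covers "//evil" and "trusted@evil" tricks):
        # only https to an allow-listed host passes.
        if parts.scheme.lower() != "https" or parts.hostname not in TRUSTED_HOSTS:
            return DEFAULT_TARGET
        return candidate
    # Relative target: must be a plain absolute path on this site.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_TARGET
    return candidate


def redirect_by_key(key):
    """Preferred form: an unknown key falls back to the default, never to user input."""
    return REDIRECT_MAP.get(key, DEFAULT_TARGET)
```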

References:- http://www.owasp.com, http://www.w3schools.com, http://manojkumarponraj.blogspot.in, http://www.rapid7.com, http://cwe.mitre.org/data/definitions/601.html, http://www.slideshare.net/RapPayne/a10-unvalidated-redirects-and-forwards

By,

Parichay Rai, Jayvardhan Singh
"Web Security Researcher"; Student (Cyber Law & Information Security), IIIT-Allahabad
Intern – Lucideus Tech Pvt. Ltd.