Web App Hacking Fall 2020
For the final two weeks in September, we discussed web application hacking.
OWASP Top 10
The Open Web Application Security Project (OWASP) Top 10 is a list of common web application vulnerabilities and is designed to help developers properly secure their applications. A summary of each of these vulnerabilities is below.
Injection is a very dangerous and powerful vulnerability. One of the most common injection techniques is SQL injection, which involves inputting SQL code into an input field. This can then trick the server into executing that code and allowing the attacker to execute unintended commands or obtain access to a database. The reason this vulnerability in particular is very dangerous is obtaining access to a database can reveal very sensitive data.
This type of vulnerability is present when application functions related to authentication or session management are not implemented correctly. This leaves logins vulnerable to a variety of attacks such as brute force attacks. Also, this vulnerability typically indicates that passwords are left as default values or are stored insecurely (such as being stored in plaintext).
Sensitive Data Exposure
There is much information one would wish to keep secure on a web application such as personal identifying information (PII), healthcare, or financial information. If this information is stored insecurely, there are many problems that can arise including HIPPA violations among other things. Additionally, if this information is transferred in plaintext, it is easy for a threat actor to steal the information.
XML External Entities
This vulnerability manifests when a web application allows someone to upload XML files. Using external XML entities can be used to expose other internal files.
Broken Access Control
Sometimes the proper permissions are not set up for authenticated users and this is what the broken access control vulnerability is. Attackers can exploit this vulnerability and gain access to unauthorized functionality, such as being able to perform administrative tasks without an admin account.
This is an extremely common vulnerability, especially with under resourced IT teams. This vulnerability is when unneeded services are installed, or when default accounts are left in the system. Also, old legacy applications or simply old, insecure versions of current applications can contribute to this vulnerability. It is one that is usually not too difficult to fix, but it can also typically be exploited fairly easily.
Cross Site Scripting
Cross site scripting (XSS) happens whenever a web application includes data in a new web page without any proper validation. XSS can allow attackers to execute scripts in a user’s browser which allows them to hijack their session or redirect the user to a different, malicious site. There are three main types of XSS, stored XSS, reflected XSS, and DOM XSS.
This type of vulnerability is usually very difficult for an attacker to exploit. This is because typically off the shelf tools or exploits typically do not work on them without some level of modification or tweaking. However when they are exploited, they typically lead to some form of remote code execution.
Using Components with Known Vulnerabilities
This vulnerability is commonly found alongside security misconfiguration, as one of the aspects of that vulnerability is using insecure services. This is usually a fairly easy vulnerability to spot, as well-known components with significant vulnerabilities typically have them well published.
Insufficient Logging and Monitoring
This vulnerability is not typically one that grants attackers access to a system, but it becomes more relevant once an attacker has obtained access. If a defensive security team is not doing proper logging of suspicious activity, attackers might be able to maintain a persistent backdoor without the defensive team knowing about it.