OWASP Top Ten Part 1
Today we will be looking at the first 5 web vulnerabilities as defined by the OWASP top 10 list. OWASP maintains a document for web application developers to provide them with knowledge of the most common web vulnerabilities and best practices. Developers can then use this knowledge to ensure they do not inadvertently create vulnerable code.
To demonstrate these vulnerabilities we will be using TryHackMe which hosts a OWASP top 10 2021 room which provides a brief explanation of each vulnerability along with a challenge to showcase exploitation of the vulnerability.
Table of Contents
- A01 Broken Access Control
∘ Real world example
∘ TryHackMe Challenge - A02 Cryptographic Failure
∘ Real world example
∘ TryHackMe Challenge - A03 Injection
∘ Real world example
∘ TryHackMe Challenge - A04 Insecure Design
∘ Real world example
∘ TryHackMe Challenge - A05 Security Misconfiguration
∘ Real world example
∘ TryHackMe Challenge
A01 Broken Access Control
Web applications typically control access to sensitive areas or information. This makes sense, most users do not require access to make configuration changes, allowing them to do so would likely result in broken pages and misconfigurations. Consider the page we are on now, you are reading a post on my blog but do not have access to post or edit any of my blog posts.
As an example consider that you login to check your passport details at the following URL:
https://example.com/index.php?passport=9999
what would happen if we were to edit the URL to be the following:
https://example.com/index.php?passport=5624
Let’s assume the user is then given access to another users passport information. This is essentially what broken access control looks like. This is more specifically known as Insecure Direct Object Reference (IDOR). This vulnerability occurs when an attacker is able to manipulate references to objects, these objects can be files in a database, user records and more. Attackers typically exploit this vulnerability to gain access to sensitive information and to sometimes perform unauthorized actions on a web application.
Real world example
There are many examples of A01 being exploited in the wild. A popular example of this is the Snapchat vulnerability discovered in 2014 exploited the “Find My Friends” feature. The feature allowed users to look up their friends username by uploading phone numbers from their address book. You can probably see where this is going at this point, researchers were able to generate phone numbers and use the Snapchat API data harvest a ton of user accounts. Luckily the researchers reported the vulnerability allowing Snapchat to fix it before it was used maliciously.
TryHackMe Challenge
To explore the A01 THM has us login to the example web application.
We are presented with the following page
The URL http://10.10.17.180/note.php?note_id=1 has the note_id parameter which we should fuzz to see if we can find the flag
First lets create a range of numbers to use for fuzzing
for i in {0..10}; do echo $i >> fuzz.txt; donenow lets use ffuf to quickly iterate through our range, searching for the string “flag” in the response text
ffuf -w fuzz.txt -b PHPSESSID=rjeil6fvr6v5pjvo0rd3fb9ro7 -u 'http://10.10.17.180/note.php?note_id=FUZZ' -mr "flag"On note_id=0 we find a match!
Lets use curl to get the flag:
curl --cookie "PHPSESSID=rjeil6fvr6v5pjvo0rd3fb9ro7" http://10.10.17.180/note.php?note_id=0boom we get the flag:
A02 Cryptographic Failure
The OWASP category of Cryptographic Failure refers to a vulnerability that is a result of the use of weak or no cryptographic algorithms. Consider your daily use of the internet for example. When you use a browser to login to a website you typically use HTTPS over TLS to transport your credentials. If TLS is not used like in HTTP transmissions, you are transporting this in plain text, meaning any one eavesdropping on the communication will be able to easily access your credentials. Cryptographic failure however is not only limited to the use of weak protocols, it can also refer to the use (or lack) of weak hashing algorithms for password storage, forcing a server to downgrade its use of encryption to a weaker algorithm and more.
Real world example
In 2013 150 million Adobe users had their passwords leaked. Attackers were able to infiltrate Adobe’s network and managed to ex-filtrate a 10gb database consisting of user passwords. When passwords are properly stored using strong hashing with salts the passwords are mostly protected. In Adobe’s case however, they instead used Electronic Code Book (ECB) mode encryption. Encryption is typically not used in password storage for one important reason, it is reversible, hashing on the other hand is not. This means if an attacker can find the key used to encrypt this data then they gain access to all the data encrypted with said key. In addition to this ECB is weak and has a known problem, identical plain-text produces identical cipher-text. This made it significantly easier and less time consuming for attackers to break.
TryHackMe Challenge
Looking around the A02 challenge we are presented with a simple page with a link to login. Looking at the source we can see an assets/ directory. In this directory there is a webapp.db file. Let’s download this file.
wget http://10.10.62.160:81/assets/webapp.dbUsing the file command reveals that this file is a SQLite database
SQLite are self-contained serverless database stored in a file denoted with the .sqlite extension. To further explore the database we will use the sqlite3 client.
Let’s enumerate the tables and dump the records
open db:
sqlite3 webapp.dblist tables:
.tables;dump user table:
SELECT * FROM users;
It is unclear what the data actually represents without the column names. We can use the following command to display the column names:
PRAGMA table_info(users);Alternatively we can open the file in dbeaver to get a graphical view of the data
It appears that we have 3 users and the corresponding password hash. We should attempt to crack these and login to the web application impersonating the user. To crack the hashes, we first need to identify the type of hash used, luckily there is a tool made specifically for this task.
Now we can crack the hash with hashcat:
.\hashcat.exe -m 0 -a 0 hash.txt rockyou.txt
We get the password for the admin user: admin:qwertyuiop
Now we can login to get the flag.
A03 Injection
Injection vulnerabilities occur when an application takes user input and uses it in some way. A very common attack of this type is known as SQL injection. This occurs when an application takes input from a user and then uses it in an SQL query. If that user input is not sanitized, it is often possible to break out of the SQL query to inject your own values, allowing attackers to read, write and even delete entire database tables. I have a past blog post showcasing this vulnerability using a blind time based SQL injection.
Real world example
In 2011 Sony suffered a massive data breach from the threat group known as lulzsec. This organization was able to steal tons of information including names addresses and potentially payment information of upwards of 70 million users. The attack was reportedly carried out by a simple SQL injection. SQL injections are still incredibly common and one massive one has been reported as recently as October 4th 2023 (CVE-2023–34362) in the MOVEit transfer application.
TryHackMe Challenge
For the A03 challenge we are presented with a simple page that allows us to insert some text, which is reflected in ASCII art of a cow.
A03 homepage:
Let’s try to fuzz these parameters to see if we can any of they are injectable. We can find a command injection fuzz list here:
Let’s send this request to BurpSuite’s Intruder and fuzz with the command injection list.
It looks like we can insert the `;` character, and then run subsequent bash commands.
Looking at the challenge information we can see why this injection works:
<?php
if (isset($_GET["mooing"])) {
$mooing = $_GET["mooing"];
$cow = 'default';
if(isset($_GET["cow"]))
$cow = $_GET["cow"];
passthru("perl /usr/bin/cowsay -f $cow $mooing");
}
?>User input is inserted into the perl command and is not sanitized as it is sent through the passthru function. This means we can use a variety of injection techniques to break out of the original command and insert our own. The semi colon character in bash allows users to run multilple command sequentially we could for example get our user id and read the /etc/passwd file with the following:
id; cat /etc/passwdThere are plenty of injection techniques that can be used including using && or even use command substitution with $(). Additional payloads for command injection can be found here:
https://book.hacktricks.xyz/pentesting-web/command-injection
The rest of the challenge simply has us enumerate some information from the server which can be achieved using the following commands:
hello; cat /etc/passwd
hello; id
hello; cat /etc/alpine-releaseA04 Insecure Design
OWASP A04 refers to vulnerabilities which exist in the nature of the web application. In some cases these vulnerabilities exist because developers needed the functionality to create or deploy the app, but forgot to remove the functionality later in the lifecycle. An example of this may be an intentional backdoor with weak authentication and authorization in application used by the developer to update/upgrade the application. The nature of the way updates are managed is insecure and it is unfortunately it is baked in to the way the application update lifecycle is handled. This is why cybersecurity experts stress the importance of security by design, where security is considered at each stage of the development lifecycle, as it becomes costly and sometimes impossible to tack on security after the fact.
Real world example
A common example of Insecure Design that plagues many CMS’s is the lack of rate-limiting on login attempts. WordPress for example by default permits an unlimited number of login attempts. Users of WordPress can install third party plugins that limit login attempts such as the “Reloaded Plugin” however these WordPress plugins are often the target of attacks and can introduce new vulnerabilities. This weakness in CMS’s has likely been the culprit (along with weak passwords) behind many data breaches throughout their lifetime.
TryHackMe Challenge
In the challenge for A04 we are challenged with gaining access to the user joseph’s account. We only have their username and the ability to reset a password for a given user. There is one problem though, we need to correctly answer a security question to gain access to the account. There are three security questions:
What’s your mother’s sister’s son’s nephew’s neighbor’s friend name?
What’s your first pet’s current address?
What’s your favorite color?
Obviously the favorite color question would be the easiest to brute force so let’s form an attack.
We can find a list of colors to fuzz with here.
We then capture the request with BurpSuite, send the request to intruder and set the color as the position for a sniper attack.
We get a hit with the color green and are given the password reset! We can now login as joseph to get the flag.
A05 Security Misconfiguration
At a first glance, A04 and A05 may appear to be the same thing, however they are slightly different. A05 refers to vulnerabilities that arise due to an improper configuration change. For example there is an intern network technician trouble shooting several users failing to reach an internal webserver hosting important financial information. The server has weak authentication protocols so it is protected behind a firewall to prevent public traffic from reaching it. In their frustration the intern adds a firewall rule to allow traffic from any source to any destination, this fixes the problem the users are experiencing but also allows attackers to reach a potentially vulnerable webserver. This is in essence what A05 is addressing, the firewall in its default state was protecting the webserver, but a misconfiguration exposed it to risk.
Real world example
In 2019 Capital One Financial suffered a data compromise involving the data of over 100 million people. In some cases the attacker was able to gain access to critical information such as Social Security numbers, credit cards and more. The hacker Paige Thompson created a tool to search for exposed misconfigured AWS services online. She managed to compromise 30 servers which included that of Capital One. She was later sentenced to five years of probation under the Computer Fraud and Abuse Act.
TryHackMe Challenge
The challenge starts off by asking us to visit:
http://10.10.162.246:86/console.
This misconfiguration appears to be that a python debugging console has been left exposed. This means we will be able to run python commands in an interactive console.
The TryHackMe example makes this easy by showcasing the importing of the OS module to run operating system commands as shown below:
import os; print(os.popen("ls -l").read())I wanted to do it differently, so we can achieve the same result using the subproccess module with the following command:
import subprocess; result = subprocess.run(["ls", "-l"], stdout=subprocess.PIPE, text=True).stdout; print(result)The challenge has us read the contents of app.py in the current directory to find the flag:
import subprocess; result = subprocess.run(["cat", "app.py"], stdout=subprocess.PIPE, text=True).stdout; print(result)
And just like that we get the flag.
