OWASP Top 10 Vulnerabilities Explained – 10 minute mail

OWASP is a non-profit organization with the goal of improving the security of software and the internet. They have put together a list of the ten most common vulnerabilities to spread awareness about web security. In this post, we have gathered all our articles related to OWASP and their Top 10 list. If you’d like to learn more about web security, this is a great place to start!

Our OWASP TOP 10 posts offer an insight into each of the 10 vulnerability types on OWASP’s list. We describe the vulnerabilities, the impact they can have, and highlight well-known examples of events involving them. Of course, we also explain how to discover these vulnerabilities, providing code examples and helpful remediation tips.

OWASP TOP 10: Injection

Injection is a category that includes all kinds of vulnerabilities where an application sends untrusted data to an interpreter. It is often found in database queries, but other examples are OS commands, XML parsers or when user input is sent as program arguments.

OWASP TOP 10: Broken Authentication

Broken Authentication covers all kinds of flaws caused by errors in the implementation of authentication and/or session management. The category includes everything from logins that never time out, meaning that users who forget to log out on a public computer can be hijacked, to more technical vulnerabilities such as session fixation.

OWASP TOP 10: Sensitive Data Exposure

Sensitive Data Exposure occurs when an application does not adequately protect sensitive information. The data can vary and anything from passwords, session tokens, credit card data to private health data and more can be exposed.

OWASP TOP 10: XXE (XML External Entities)

XXE allows attackers to abuse external entities when an XML document is parsed. If this happens, the attacker can read local files on the server, force the parser to make network requests within the local network, or use recursive linking to perform a DoS attack.

OWASP TOP 10: Broken Access Control

Broken Access Control is a vulnerability category that covers all access control issues that can make your website vulnerable. It is often found in web applications that have gradually grown in size without proper schemes regulating access. The category is the result of merging Insecure Direct Object References and Missing Function Level Access Control from the OWASP Top 10 2013 list.

OWASP TOP 10: Security Misconfiguration

Security misconfiguration is a very common vulnerability category that occurs when a component is susceptible to attack due to an insecure configuration. At worst, exploiting a security misconfiguration can lead to a full takeover.

OWASP TOP 10: Cross-site Scripting (XSS)

Cross-site Scripting is a type of attack that can be carried out to compromise users of a website. The exploitation of an XSS flaw enables the attacker to inject client-side scripts into web pages viewed by users. It is often assumed XSS only occurs in JavaScript, but it could also include e.g. VBScript.

OWASP TOP 10: Insecure Deserialization

Insecure Deserialization allows attackers to transfer a payload using serialized objects. This happens when integrity checks are not in place and deserialized data is not sanitized or validated.

OWASP TOP 10: Using Components with Known Vulnerabilities

It is very common for web services to include a component with a known security vulnerability. The component with a known vulnerability could be the operating system itself, the CMS used, the web server, some plugin installed or even a library used by one of these plugins, making this a very frequent finding.

OWASP TOP 10: Insufficient Logging and Monitoring

Insufficient Logging and Monitoring covers the lack of best practices that should be in place to prevent security breaches or limit their damage. The category includes everything from unlogged events and logs that are not stored properly to warnings on which no action is taken within a reasonable time.


OWASP TOP 10 on Disposable mail Labs

Want more advanced tech content about OWASP Top 10 vulnerabilities? Check out these posts on Disposable mail Labs:

The Ultimate SQL Injection Payload
Finding an XSS in an HTML-based Android application
5 contexts where the XSS Auditor won’t help you
How to: Exploit an XSS
Frans Rosén’s Bugcrowd Guest Blog: Using a Braun Shaver to Bypass XSS Audit and WAF
How Patreon got hacked: Publicly exposed Werkzeug Debugger

How Disposable mail can help

We provide a quick and easy way to check whether your site passes or fails OWASP Top 10 tests. Disposable mail is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including OWASP Top 10, and can be used on both staging and production environments. Sign up for a free trial to find out if you are vulnerable » 

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

OWASP TOP 10: Insecure Direct Object Reference – 10 minute mail

Insecure Direct Object Reference allows attackers to manipulate references to gain access to unauthorized data. A proof of concept video follows this article. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their list of the ten most common vulnerabilities one by one in our OWASP Top 10 blog series. OWASP Top 10 2017 was released in November 2017, bringing some changes to the list from 2013. We are working on updating our content, but in the meantime, please take a look at our article about OWASP Top 10 2017.

Description

The fourth one on the list is Insecure Direct Object Reference, also called IDOR. It refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. In such cases, the attacker can manipulate those references to get access to unauthorized data.

Prevalence

There are no good numbers to base an estimate on, and OWASP’s formulation on the subject is also very vague. However, by looking at well-known events as well as public bug bounty reports, it can be confirmed that it is a very common vulnerability. This is also what we have discovered during our own security research.

Potential impact of Insecure Direct Object Reference

It is impossible to say what the potential impact of IDOR is, as it varies a lot depending on what kind of data or file the attacker may get hold of. It could be anything from harmless information to bank statements, and much more.

Exploitability

Because it is so easy for an attacker to exploit, IDOR is very likely to be abused. This of course varies as well, as it may not always be obvious how to enumerate the references to the files.

Well-known events

Back in 2010, when the iPad was the coolest gadget for early adopters, AT&T suffered from an Insecure Direct Object Reference that exposed the details of at least 100,000 owners. It exposed the owners’ email addresses as well as their ICC-IDs (the ID of the SIM card). As Apple provided the data to AT&T, they often receive the blame for this vulnerability.

By sending a request to AT&T together with an ICC-ID, the server would respond with the corresponding email address. As ICC-IDs can be enumerated after looking at just a few IDs, the attack could be fully automated, allowing a considerable data leak.

How to discover Insecure Direct Object Reference

Code analysis is suitable for this kind of vulnerability. Every place that presents restricted data needs to be investigated, to make sure that there are checks in place ensuring that the user is authorized for the requested information.

This can of course be automated to some extent without access to the source code of the site, but having it is a great advantage. With the source in hand, a vulnerability like this is often quite easy to discover.


Example of vulnerable application

When a user accesses the dashboard on their bank’s website, the user is redirected to the following URL:
https://bank/balance?acc=123

In this case, 123 is the ID of the user’s account, and the user will therefore see that account’s balance. If the user wanted to abuse this, it would be enough to change the URL parameter to someone else’s ID and instead get access to that account.

Remediation

The only real solution to this issue is to implement access control. The user needs to be authorized for the requested information before the server provides it.

It is also often recommended to use something less obvious and harder to enumerate as a reference, e.g. a random string instead of an incrementing integer. This can be a good idea for multiple reasons, but it should absolutely not be trusted as the only prevention against such an attack.
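As an added example (not code from the original article), here is the bank-balance lookup above written once as the vulnerable handler and once with the authorization check the remediation calls for, plus an opaque random reference that is still routed through the same check. The account data, usernames and function names are constructed for the example.

```python
# Added example, not from the original article. The vulnerable lookup trusts
# the 'acc' URL parameter; the secure one requires the account to belong to
# the calling user. Opaque tokens reduce enumeration but never replace the check.

import secrets

# Constructed sample data: account id -> (owner username, balance)
ACCOUNTS = {
    123: ("alice", 2500),
    124: ("bob", 910),
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def balance_vulnerable(acc: int) -> int:
    """IDOR: returns whatever account the URL parameter references."""
    return ACCOUNTS[acc][1]


def balance_secure(current_user: str, acc: int) -> int:
    """Authorization check: the referenced account must belong to the caller.
    Unknown and foreign ids fail identically, so other ids are not confirmed."""
    record = ACCOUNTS.get(acc)
    if record is None or record[0] != current_user:
        raise Forbidden(f"user {current_user!r} may not read account {acc}")
    return record[1]


# Opaque references (the second recommendation above): a random token maps to
# an account id. Enumeration becomes impractical, but the lookup still goes
# through balance_secure(), because the token is not proof of ownership.
TOKENS: dict = {}


def issue_reference(acc: int) -> str:
    token = secrets.token_urlsafe(16)  # 128 bits of randomness, not guessable
    TOKENS[token] = acc
    return token


def balance_by_token(current_user: str, token: str) -> int:
    acc = TOKENS.get(token)
    if acc is None:
        raise Forbidden("unknown reference")
    return balance_secure(current_user, acc)


if __name__ == "__main__":
    # bob can read alice's balance through the vulnerable handler...
    print("vulnerable:", balance_vulnerable(123))
    # ...but not through the secured one.
    try:
        balance_secure("bob", 123)
    except Forbidden as e:
        print("denied:", e)
```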

IDOR Proof of Concept video:

Read more

OWASP:
https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)

Interesting public bug bounty-reports:
https://hackerone.com/reports/42587
https://hackerone.com/reports/53858

Other:
https://www.troyhunt.com/owasp-top-10-for-net-developers-part-4/


[PoC Video] jQuery-File-Upload: A tale of three vulnerabilities – 10 minute mail

TL;DR: Three vulnerabilities in the second most starred JavaScript repository on GitHub, two of which are remote code execution; the third makes it possible to permanently delete any file uploaded through jQuery-File-Upload. The latter is intended behaviour; however, our research suggests that user privacy is not respected, as content can easily be viewed by external actors.

Disposable mail Crowdsource has been working with three vulnerabilities in jQuery-File-Upload submitted by our security researcher community, and we have now implemented these security tests in the Disposable mail tool. Our research found that jQuery-File-Upload is included in several different platforms and is often not properly configured. The following proof of concept covers CVE-2018-9206 (unauthenticated arbitrary file upload) and the remote code execution due to ImageTragick. Explanations of all three vulnerabilities follow.

CVE-2018-9206: Unauthenticated arbitrary file upload vulnerability

This first vulnerability has been known since 2015, but only in 2018 was a CVE assigned and the issue brought to public attention, when thousands of applications were reported vulnerable to RCE via jQuery File Upload. The open-source file upload widget jQuery-File-Upload is the second most starred JavaScript repository on GitHub, after the jQuery JavaScript library itself. The core of CVE-2018-9206 is a vulnerability in the server configuration and PHP components of the project, not in JavaScript. While an RCE in JavaScript would be surprising, it is less so in PHP.

The vulnerability is due to the code relying on Apache’s .htaccess support, a way to restrict which uploaded files may be served or executed on an Apache web server.

# The following directives prevent the execution of script files
# in the context of the website.
# They also force the content-type application/octet-stream and
# force browsers to display a download dialog for non-image files.
SetHandler default-handler
ForceType application/octet-stream
Header set Content-Disposition attachment

# The following unsets the forced type and Content-Disposition headers
# for known image files:
<FilesMatch "(?i)\.(gif|jpe?g|png)$">
    ForceType none
    Header unset Content-Disposition
</FilesMatch>

<...>

The above .htaccess is included in jQuery-File-Upload and, prior to version 9.22.0, it was the only protection against arbitrary file upload. The .htaccess file makes the browser download files (for example PHP files) with the MIME type application/octet-stream instead of having them executed in the context of the web server. This means that jQuery-File-Upload allowed any file to be uploaded, but not executed on the server, because the project trusted the web server to make the check. After the patch, later versions check the type of the file being uploaded.

However, Apache stopped enabling .htaccess support by default in version 2.3.9, which makes this only protection useless unless it is explicitly enabled. If another web server is in use (for example Nginx), there is no protection at all, as .htaccess only works with the Apache web server.

An attacker can simply upload any file and it will be handled by the web server. This leads to remote code execution, as an attacker can upload PHP files and execute them.

Remote code execution due to ImageTragick

The second jQuery-File-Upload vulnerability had also been known within the hacking community for some years, but it did not become publicly known until the project started to get attention due to CVE-2018-9206 and more people looked into jQuery-File-Upload’s code base. As the code makes use of ImageMagick, it may be possible to obtain remote code execution through GhostScript (CVE-2016-3714, also known as ImageTragick). This is demonstrated in the video.

An attacker can upload the following GhostScript file saved with one of the whitelisted extensions: PNG, GIF or JPG.

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%ping example.com) currentdevice putdeviceprops

The server will then execute the command ping example.com. Note that the GhostScript file will look slightly different depending on the operating system, while the ping command works in most environments, which makes our automated tests very accurate at detecting this vulnerability.

Note that this is a vulnerability in a library that jQuery-File-Upload uses, and not in the code itself.
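Both issues above come down to the server accepting a file on the strength of its name alone. As an added example (not jQuery-File-Upload’s own code, and not its post-9.22.0 fix), here is a server-side upload validator in the spirit of that fix: it restricts uploads to the gif, jpeg and png extensions, verifies the file’s magic bytes, and therefore rejects both a PHP script renamed to .png and a PostScript file saved with an image extension, independently of whether .htaccess is honoured. The function names and sample files are constructed.

```python
# Added example, not from jQuery-File-Upload. Validates an upload by extension
# allowlist AND by content signature, so a renamed script or a PostScript file
# with an image extension is rejected before any web server or ImageMagick
# ever touches it. The client's Content-Type header is deliberately ignored.

import re

# Same extension allowlist the project's .htaccess exempts (gif, jpeg/jpg, png)
ALLOWED_EXT = re.compile(r"\.(gif|jpe?g|png)$", re.IGNORECASE)

# Leading bytes from the format specifications of the allowed image types
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
}


def detect_type(data: bytes):
    """Return 'png', 'gif' or 'jpg' based on the leading bytes, else None."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). Accept only if the extension is allowlisted
    and the content really is that image type."""
    match = ALLOWED_EXT.search(filename)
    if not match:
        return False, "extension not in allowlist"
    ext = match.group(1).lower()
    ext = "jpg" if ext in ("jpg", "jpeg") else ext
    actual = detect_type(data)
    if actual is None:
        # Covers scripts and PostScript ('%!PS') saved under an image name
        return False, "content is not a known image format"
    if actual != ext:
        return False, f"extension says {ext} but content is {actual}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads: a real PNG header and two disguised files
    samples = [
        ("photo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.png", b"<?php echo 'hello'; ?>"),
        ("image.jpg", b"%!PS\nuserdict /setpagedevice undef\n"),
    ]
    for name, content in samples:
        print(name, validate_upload(name, content))
```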

An intentional but vulnerable feature

The third and last vulnerability found was an insecure direct object reference (IDOR). One website owner responded that the issue was actually “intentional behaviour”, but many users of jQuery-File-Upload may not know of this behaviour, making it risky to use.

Here’s why: the endpoint that files are uploaded to can be requested with GET, and the server will respond with a JSON object listing all previously uploaded files. This exposes the file names, upload path, thumbnail and whether it is possible to delete the file permanently from the server. The response looks something like:

{"files":[{"name":"image.jpg","size":68549,"url":"http://example.com/image.jpg","thumbnailUrl":"http://example.com/thumbnail/image.jpg","deleteUrl":"http://example.com/server/php?file=image.jpg","deleteType":"DELETE"}]}

With this, a user can view all previously uploaded files by requesting the value of the url key. It is also possible to delete any file by sending an HTTP DELETE request to the value of the deleteUrl key. This can easily be done with cURL:

curl -X DELETE http://example.com/server/php?file=image.jpg

When looking for websites using jQuery-File-Upload I came across a few cases where this “intentional behaviour” probably shouldn’t be “intentional”. One case was a dating site where users naturally uploaded images of themselves. By sending this request, I was able to view the whole user base of uploaded photos. In another case I was able to access all uploaded photos on a website that requires users to verify their identity by uploading a photo of their government ID or passport. I have reached out to Sebastian Tschan (the maintainer of jQuery-File-Upload) and to all the websites on which I found the vulnerability.

Remediation

The first two issues have been fixed in the latest version of jQuery-File-Upload, and we recommend updating to the latest version as soon as possible. To remediate the last vulnerability, restrict access to the endpoint that files are uploaded to (usually server/php/index.php) if the uploaded files should not be publicly viewable.

Do you use jQuery-File-Upload on your web applications and you’re not sure if you have secured the code? You can check the code with Disposable mail now. Just log in here. Not a customer yet? No problem! You can sign up for your account and free trial today.




Lerhan: Bypassing IDOR protection with URL shorteners – 10 minute mail

Xavier Blasco (a.k.a. Lerhan) is a 23-year-old security researcher on the Disposable mail Crowdsource platform. He is passionate about security and found his way in through bug bounty programs. As an ethical hacker, he is naturally curious about the security of the vendors he buys from, and this time it led to bypassing IDOR protection using URL shorteners. In the following guest blog, he describes the security flaw that let him access new client contracts on Jazztel’s platform.

Guest blog from Disposable mail Crowdsource researcher Lerhan

Introduction

After contracting Jazztel (Orange sub-brand) as my Internet provider I got an SMS that had a link to my new contract, but something looked weird…

What is URL shortening

In modern web applications we often come across long URLs that are hard to remember or inconvenient to share due to character limits. Uniform Resource Locator (URL) shortening is a technique that makes URLs much shorter while still directing the user to the same page. An example would be shortening https://labs.detectify.com/category/writeups/ to https://dtfy.com/5rp93. URL shortening is also used to beautify links, track clicks and gather other statistics.

Jazztel shortened URL workflow 

Jazztel has a web page where new clients can view their new contract. Upon setting up the contract, they sent the new client an SMS with a link like https://redacted.com/P5dFa to view the contract, and the link expired after 4 days. This was a shortened URL that redirected the user to another page with a much longer URL (for security reasons), operated by a third-party application.

The final URL looked similar to https://api.example.com/pub/JAZZTEL/da4271c24b5cbtc88756b9f42fbd2475c0ba97da/5c8fe3e8c8f89/ which, as you can see, contains random alphanumeric characters to prevent Insecure Direct Object Reference (IDOR).

When shortened URLs become an issue

Although shortened URLs are good for a lot of things, they can also introduce security flaws in some cases. Most of the time shortened URLs link to static pages that should be accessible to any user, but this was not the case in the scenario above.

The link given by Jazztel should only be accessible to the user who received the SMS. After seeing the shortened URL, and given that Jazztel is pretty big and has lots of clients, I quickly thought: “That link looks too short for the amount of clients this company has”.

Passing it through Gobuster

The URL path had 5 alphanumeric characters (https://redacted.com/P5dFa), so I created a list of possible 5-character alphanumeric combinations (e.g. Yt41L, Hu2iT) and passed it through Gobuster.

The results were quite surprising. After brute forcing 10 000 links, I got 30 working URLs that linked to other people’s contracts, some of them disclosing client name, phone number, national identity number, installation address and the price of the services the client was contracting.

Asciinema:

Data breakdown

Out of the 30 working shortened links, 5 were expired, 22 redirected to notifications for users that disclosed just names, and the last 3 linked to new client contracts disclosing client names, phone numbers, national identity numbers, installation addresses and the price of the services for each user.

image: screenshot from Jazztel showing client info. Jazztel was quick to resolve this issue.

image: Contract disclosing clients personal data due to the security flaw. Jazztel has resolved this issue.


Doing the math

Each character position can be a lowercase letter, an uppercase letter or a digit from 0-9. There are 26 possible lowercase letters, 26 uppercase letters and 10 digits for each position, so there are 62 possible characters per position (26+26+10). The path is 5 characters long, so the total number of possible combinations is 916 132 832 (62⁵).

As you saw above, Gobuster brute forced 10 000 links in about 34 seconds, which means that going through 916 132 832 requests would take around 36 days. Since links expire after 4 days, it would have been impossible to get all active links before expiration.

However, assuming that we get 2-4 contracts every 10 000 requests (34 seconds), it would have been possible to get around 31 000 contracts with full details before expiration.
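As an added example (not part of the original post), the arithmetic above carried through in code with the post’s own figures: a 62-character alphabet, a 5-character path, 10 000 requests in 34 seconds, links valid for 4 days, and 3 full contracts per 10 000 requests (the middle of the observed 2-4). It also evaluates the 10-character path that Orange later moved to, which the post mentions further down.

```python
# Added example, not from the original post. Works out how much of a shortened
# URL keyspace an attacker can cover before links expire, using the figures
# reported above. CONTRACTS_PER_BATCH = 3 is an assumption (middle of "2-4").

ALPHABET = 26 + 26 + 10          # a-z, A-Z, 0-9
REQ_PER_BATCH = 10_000           # Gobuster batch size from the post
SECONDS_PER_BATCH = 34.0         # time observed for that batch
LINK_LIFETIME_S = 4 * 24 * 3600  # links expire after 4 days
CONTRACTS_PER_BATCH = 3          # assumed: 2-4 full contracts per 10 000 requests
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int) -> int:
    """Number of possible paths of the given length over the 62-char alphabet."""
    return ALPHABET ** length


def requests_per_second() -> float:
    return REQ_PER_BATCH / SECONDS_PER_BATCH


def days_to_exhaust(length: int) -> float:
    """Days needed to request every possible path at the observed rate."""
    return keyspace(length) / requests_per_second() / 86400


def years_to_exhaust(length: int) -> float:
    return keyspace(length) / requests_per_second() / SECONDS_PER_YEAR


def fraction_covered_before_expiry(length: int) -> float:
    """Share of the keyspace reachable within one link lifetime."""
    return LINK_LIFETIME_S * requests_per_second() / keyspace(length)


def contracts_before_expiry() -> float:
    """Full contracts obtainable within the 4-day window at the observed hit rate."""
    batches = LINK_LIFETIME_S / SECONDS_PER_BATCH
    return batches * CONTRACTS_PER_BATCH


if __name__ == "__main__":
    print(f"5-char keyspace:            {keyspace(5):,}")
    print(f"days to exhaust 5 chars:    {days_to_exhaust(5):.1f}")
    print(f"keyspace covered in 4 days: {fraction_covered_before_expiry(5):.1%}")
    print(f"contracts before expiry:    {contracts_before_expiry():,.0f}")
    print(f"years to exhaust 10 chars:  {years_to_exhaust(10):.3g}")
```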

Conclusion and mitigation

When implementing URL shortening it is important to think about what you are going to use it for. If you are creating links for static pages that are accessible to every user, it does not matter whether the path has 5 or fewer characters.

On the other hand, if you are trying to create shortened URLs to access sensitive data that should only be accessible by one user, you should implement at least one of the following:

  • Authentication: The page that contains sensitive data should only be accessible through authentication, allowing only the authenticated user to access the data.
  • High entropy strings: The path string should be long enough that it is impossible to brute force.

Another layer of security could be implementing rate-limiting for requests, making this even harder to brute force.

In this case, Orange changed the path to a 10-character alphanumeric string, which makes it infeasible to brute force. If you are wondering, it would take around 91 million years to brute force every combination.

Also, if you come across a URL shortener, try to understand what it is used for; you might get lucky and find this same issue elsewhere.

Report timeline

05/17/2019 – Report sent to Orange CERT

05/20/2019 – Orange CERT starts to review the report

05/22/2019 – Vulnerability fixed by increasing path length to 10 alphanumeric characters and preventing the URLs from being indexed by search engines.

Finally, I would like to congratulate Orange CERT for their fast response and for allowing me to write this post. It’s been a great experience overall, thanks!


Written by:

Xavier Blasco (a.k.a Lerhan)
Twitter: @0xlerhan
Github: https://github.com/Lerhan


Disposable mail collaborates with 150 handpicked white hat hackers like Lerhan to Crowdsource vulnerability research for our automated web application scanner. Check the security status of your applications using our test bed of 1000+ known vulnerabilities. Sign up for Disposable mail and start your free 14-day trial today!

