OWASP Top 10 Tutorial
OWASP has categorized the top 10 vulnerabilities for web applications. Website hacking is common nowadays, so security testing of a web application is important: recovering data after a successful attack is very difficult. The OWASP Top 10 is a standard reference for conducting a penetration test of a web application. We discussed the first part of this article before; this article covers the remaining categories.
Broken Authentication and Session Management
Authentication is the step in which a web application identifies its visitor (the user); once authentication succeeds, session management establishes a session for that user. But what if an attacker steals or hijacks that session? If the authentication process is weak, an external attacker, or even another legitimate user, may be able to take over other users' accounts. This can happen when the session ID is exposed (for example, carried in the URL), when transport encryption (SSL/TLS) is not used or is broken, and in the supporting flows: forgotten-password, change-password, account upgrade and similar procedures, which are often less carefully protected than the login form itself.
The most common attack on authentication is a brute-force or dictionary attack against login forms, using a tool such as THC Hydra. Strong passwords therefore matter, together with rate limiting or account lockout on the server side, because both HTTP authentication (Basic/Digest) and HTML form-based authentication can be cracked if an attacker may guess without limit.
The risks are session ID hijacking, account compromise and exposure of the affected users' information.
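The two session-management failures described above, a guessable session ID and a session that is never rotated or expired, as an added example (not code from the original article). The store, the 15-minute idle timeout and the MD5-of-username-and-time scheme are constructed for illustration:

```python
import hashlib
import secrets
import time

SESSION_TTL = 15 * 60  # idle timeout in seconds (assumed policy, not from the article)


def weak_session_id(user, login_ts):
    """DO NOT USE. A session id derived from the username and login time:
    both are known or guessable, so the id itself is guessable."""
    return hashlib.md5(f"{user}:{login_ts}".encode()).hexdigest()


def guess_weak_session(user, approx_ts, window=120):
    """What an attacker does against the scheme above: knowing the victim's
    username and roughly when they logged in, enumerate every candidate id."""
    return {weak_session_id(user, t)
            for t in range(approx_ts - window, approx_ts + window + 1)}


class SessionStore:
    """Minimal server-side session store (hypothetical; a real application would
    back this with a database or cache). `now` is injectable so expiry is testable."""

    def __init__(self, now=time.time):
        self._sessions = {}  # session id -> {"user": ..., "last_seen": ...}
        self._now = now

    def create(self, user):
        # 32 bytes from the OS CSPRNG: unguessable and unrelated to user or time.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def login(self, pre_login_sid, user):
        """Rotate the id at login: a session fixed on the victim beforehand
        (session fixation) never becomes an authenticated one."""
        self._sessions.pop(pre_login_sid, None)
        return self.create(user)

    def resolve(self, sid):
        """Return the user for a presented id, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > SESSION_TTL:
            del self._sessions[sid]
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def logout(self, sid):
        """Invalidate server-side; clearing the cookie in the browser alone is not enough."""
        self._sessions.pop(sid, None)
```

`guess_weak_session` shows why predictability, not only theft, is the problem: with a 4-minute window the attacker needs only 241 guesses. The store addresses the other half: ids are random, rotated at login and expired server-side.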
Open Source Tools
- Add N Edit Cookies (Firefox add-on, not available for recent Firefox versions)
- HackBar (Firefox add-on)
- Nikto
Insecure Direct Object References
An insecure direct object reference is a flaw in which an authenticated user changes a parameter that refers directly to a system object (a file, a database record, a page) and reaches an object they are not authorized for. A common form is directory traversal (path traversal), where a file is reached by manipulating the path in the URL; another is simply changing a record number such as an account ID.
The risk is large: once the flaw is found, every object reachable through that parameter, and all the data it holds, is exposed.
Example: an account page keyed directly on the account number, where the attacker only has to substitute another customer's number:
http://target.com/bank?acct=#####
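The `bank?acct=` case above, as an added example (not code from the original article): the unchecked lookup, the same lookup with an ownership check, and the indirect-reference alternative. The account table and the user names are constructed sample data:

```python
import secrets

# Constructed sample data standing in for the bank's account table.
ACCOUNTS = {
    "10001": {"owner": "alice", "balance": 2500},
    "10002": {"owner": "bob", "balance": 900},
}


class Forbidden(Exception):
    pass


def get_account_vulnerable(session_user, acct):
    """The acct parameter is used as the lookup key with no ownership check:
    any logged-in user reads any account simply by changing the number."""
    return ACCOUNTS[acct]


def get_account_checked(session_user, acct):
    """Direct reference kept, but every access is checked against the session's user."""
    record = ACCOUNTS.get(acct)
    # One response for "no such account" and "not your account", so the
    # attacker cannot enumerate which account numbers exist.
    if record is None or record["owner"] != session_user:
        raise Forbidden("account not found")
    return record


def build_reference_map(session_user):
    """Indirect references: a per-session map from random handles to the
    accounts this user owns. The raw account number never leaves the server."""
    return {secrets.token_urlsafe(9): acct
            for acct, rec in ACCOUNTS.items() if rec["owner"] == session_user}


def get_account_by_reference(ref_map, ref):
    acct = ref_map.get(ref)
    if acct is None:
        raise Forbidden("account not found")
    return ACCOUNTS[acct]


def raises_forbidden(fn, *args):
    """Demonstration helper: True if fn(*args) raises Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The indirect map is the stronger fix when it is practical: a tampered handle maps to nothing rather than to somebody else's record, and the check cannot be forgotten on one of several pages that take the same parameter.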
Open Source Tools
- Websecurify
- w3af
- Burp Suite
Cross-Site Request Forgery (CSRF)
Cross-site request forgery is also known as session riding. The attacker uses various techniques to make the victim's browser submit a request to a website on which the victim is already authenticated; the browser attaches the session cookie automatically, so the site treats the forged request as the victim's own. It differs from cross-site scripting: XSS exploits the trust a user has in an application, while CSRF exploits the trust an application has in the user's browser. The attacker delivers the malicious content (HTML or JavaScript) by email, from a site they control, or through an XSS flaw in the target itself.
The risk on the victim side is clear: the attacker can make the victim change data or perform any action the victim is entitled to perform, without the victim noticing.
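The forged transfer described above, as an added example (not code from the original article): a handler that trusts the session cookie alone, and the same handler protected with a per-session synchronizer token plus an Origin check. `bank.example`, `attacker.example` and the transfer form are constructed for illustration:

```python
import hmac
import re
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected application


def new_session(user):
    """Session created at login; the CSRF token lives server-side with it."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def render_transfer_form(session):
    """The token is written into the page as a hidden field. An attacker's page
    cannot read it across origins, so it cannot be copied into a forged form."""
    return (
        f'<form method="POST" action="{SITE_ORIGIN}/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def extract_token(html):
    """What the victim's browser does when it submits the real form."""
    return re.search(r'name="csrf_token" value="([^"]+)"', html).group(1)


def transfer_vulnerable(session, form, headers):
    """Relies on the session cookie alone. The browser attaches that cookie to a
    POST triggered from attacker.example exactly as it does to a real one."""
    if not session.get("user"):
        return 401, "login required"
    return 200, f'{session["user"]} sent {form["amount"]} to {form["to"]}'


def _same_origin(header_value):
    p = urlparse(header_value)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def transfer_protected(session, form, headers):
    if not session.get("user"):
        return 401, "login required"
    # Defence in depth: a cross-site POST carries the attacker's Origin header.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin and not _same_origin(origin):
        return 403, "cross-origin request rejected"
    # Synchronizer token: must equal the one stored in the session (constant-time compare).
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f'{session["user"]} sent {form["amount"]} to {form["to"]}'
```

The token check is the primary control; the Origin check is kept because it costs nothing and catches forged requests even if a page forgets to include the token.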
Open Source Tools
- Arachni
- OWASP ZAP
- Tamper Data (Firefox add-on)
- OWASP CSRFTester
Security Misconfiguration
Security misconfiguration is dangerous because it can lead to the whole system being compromised. It may occur at the system level (operating system, web server, application framework), while the common misconfigurations in web applications are default accounts, default and sample pages, unpatched software, and unprotected directories that contain sensitive information. The attacker who exploits a misconfiguration may be an outsider or an authorized user.
The threat level is high, but by following some simple practices an administrator can protect the application:
- Disable or remove all unnecessary software, services and sample pages
- Change all default passwords and remove default accounts
- Keep all software up to date, including the server and database software
- Restrict access to directories that hold configuration files, backups or logs, and disable directory listing
Open Source Tools
- Nikto
- skipfish
Insecure Cryptographic Storage
As the title suggests, insecure cryptographic storage is about data at rest. The vulnerability occurs when sensitive data that should have been encrypted (or, in the case of passwords, hashed with a salt) is stored in plain text, or is protected with weak or misused cryptography, so that an attacker who obtains the file or database can read it directly. The attacker typically does not break the cryptography at all; they find another way to the data. For example, an application stores its users' credit card numbers in plain text and an attacker finds an SQL injection flaw that lets them read the database: every card number is immediately usable because nothing was encrypted.
The key defences are to encrypt all sensitive data at rest, including backups, with a strong standard algorithm, to keep the keys separate from the data they protect, and to store passwords only as salted hashes produced by a deliberately slow algorithm, so that an attacker who does get hold of the file still cannot make use of it.
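The password side of the flaw above, as an added example (not code from the original article). Encrypting the credit card data in the page's scenario would need an AES library and a key held outside the database, which the standard library does not provide, so this shows the storage choice for passwords instead: an unsalted fast hash that an attacker recovers by guessing, beside a salted scrypt hash. The word list and the passwords are constructed:

```python
import base64
import hashlib
import hmac
import os

# Constructed word list: the attacker's guesses against a dumped users table.
WORDLIST = ["123456", "password", "letmein", "password123", "qwerty"]


def store_password_insecure(password):
    """Unsalted fast hash. Two users with the same password get the same value,
    and the value can be looked up in a precomputed table or brute-forced at
    billions of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(digest, wordlist=WORDLIST):
    """The attacker does not 'break MD5'; they hash candidates until one matches."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


# Work factor chosen for illustration; raise n as hardware permits.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def hash_password(password, salt=None):
    """Salted, memory-hard hash. Stored format: scrypt$<salt b64>$<digest b64>."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(),
                             base64.b64encode(digest).decode())


def verify_password(password, stored):
    algo, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash format")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(actual, expected)
```

The per-user salt means two identical passwords hash differently, so a single precomputed table no longer works, and the scrypt work factor makes each guess expensive for the attacker who dumped the table.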
Failure to Restrict URL Access
This could be counted among the authentication flaws, but strictly it is an authorization problem: failure to restrict URL access results from a page not checking who is allowed to see it. In simple words, it is forced browsing: an authorized user, or an outsider, requests a URL they are not supposed to reach.
http://victim.com/username_info (the URL the user is supposed to use)
http://victim.com/admin_info (what if the same user requests this URL instead?)
Path traversal through a page parameter is a related example of failing to restrict what a URL may reach:
http://victim.com/admin_info.php?pages=../../../../etc/passwd
Other forms of the same flaw are remote file inclusion, where the parameter makes the server fetch and run a script from another website, and abuse of an open redirect:
http://victim.com/admin_info.php?pages=http://www.ehacking.net/malware
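The `admin_info.php?pages=` handler above, as an added example (not code from the original article): the path built straight from the parameter, beside a version that allow-lists the page name, checks the role the page requires and rejects remote includes. The pages directory and the role table are assumptions:

```python
import posixpath
import re
from urllib.parse import urlparse

PAGES_DIR = "/var/www/app/pages"  # assumed directory the pages= parameter selects from
# Assumed access-control list: which role a page requires.
PAGE_ROLES = {"username_info": "user", "admin_info": "admin"}
ROLE_RANK = {"user": 1, "admin": 2}


class Forbidden(Exception):
    pass


def resolve_page_vulnerable(role, pages):
    """Path built directly from the parameter and no role check. Returns the
    path that would be opened, normalised so the escape is visible."""
    return posixpath.normpath(posixpath.join(PAGES_DIR, pages))


def resolve_page(role, pages):
    """Hardened resolver: returns the file to include or raises Forbidden."""
    # 1. No URLs at all: stops remote file inclusion (pages=http://...).
    if urlparse(pages).scheme or pages.startswith("//"):
        raise Forbidden("remote includes are not allowed")
    # 2. Allow-list the name itself: no slashes, dots, NUL bytes or encodings.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", pages):
        raise Forbidden("invalid page name")
    # 3. The page, not merely being logged in, decides who may see it.
    required = PAGE_ROLES.get(pages)
    if required is None or ROLE_RANK.get(role, 0) < ROLE_RANK[required]:
        raise Forbidden("no access to this page")
    path = posixpath.normpath(posixpath.join(PAGES_DIR, pages + ".php"))
    # 4. Defence in depth: the final path must still lie inside PAGES_DIR.
    if posixpath.commonpath([PAGES_DIR, path]) != PAGES_DIR:
        raise Forbidden("path escapes the pages directory")
    return path


def raises_forbidden(fn, *args):
    """Demonstration helper: True if fn(*args) raises Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

Step 3 is the one the page's heading is about: `username_info` and `admin_info` are both real pages, and the only thing keeping a normal user out of the second is a check that the handler itself performs.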
Open Source Tools
- w3af
- Websecurify
- Nikto
Insufficient Transport Layer Protection
The risk of insufficient transport layer protection falls on the user, whose traffic can be monitored and sniffed. An attacker can run a sniffer on a wired or wireless network on the user's side and capture confidential information. Nowadays web applications use SSL/TLS during authentication to protect the user's credentials, but keep in mind that a weak SSL/TLS configuration (obsolete protocol versions, weak cipher suites, an invalid certificate that users are trained to click through) can be broken. So the point is to use properly configured TLS for authentication and for every page where the session cookie is sent, and to mark that cookie Secure so the browser never sends it over plain HTTP.
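The two server-side settings the paragraph calls for, as an added example (not code from the original article): a TLS context limited to modern protocol versions and cipher suites, a session cookie that is only ever sent over HTTPS, and a small check a tester can run over captured Set-Cookie lines. The cipher string, timeouts and the sample cookie are choices made here, not taken from the page:

```python
import ssl


def harden_tls_context(ctx):
    """Apply a modern server configuration to a TLS context. Loading the
    certificate chain is left to the caller (see make_server_context)."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3, TLS 1.0 or TLS 1.1
    # Forward-secret, authenticated-encryption suites only; drop legacy ciphers.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def make_server_context(certfile, keyfile):
    ctx = harden_tls_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def session_cookie_header(name, value, max_age=900):
    """Session cookie value for a Set-Cookie header: HTTPS-only, unreadable
    from script, and not attached to cross-site requests."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Tells browsers to use HTTPS for every request to the site for a year.
HSTS_HEADER = "Strict-Transport-Security: max-age=31536000; includeSubDomains"


def audit_set_cookie(header):
    """Tester's check over one Set-Cookie value (as captured with a proxy or
    curl -I): returns the list of missing protections."""
    attrs = {part.strip().split("=")[0].lower() for part in header.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by script, so XSS can steal it")
    if "samesite" not in attrs:
        findings.append("missing SameSite: attached to cross-site requests")
    return findings
```

The audit function is the part worth running against a real application: a login page served over HTTPS is no protection if the session cookie it sets lacks the Secure flag, because the first plain-HTTP link the user follows leaks it to anyone on the path.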
Open Source Tools
- SSLScan (an old tool)
- Calomel SSL Validation (Firefox add-on)
- SSL Test (bash script to find weak ciphers)
- Nikto
Unvalidated Redirects and Forwards
It is dangerous because it can lead a user to phishing and malware websites. An attacker takes advantage of a redirect parameter and tricks the victim into clicking a link; the victim will most likely click because the link begins with the domain of a site they trust.
http://website.com/cgi-bin/redirect.cgi?url=attack.com
http://website.com/login?url=website.com
Example:
If a web application is vulnerable, an attacker sends the user an email along the lines of "you have received an offer to buy something at a low price", with a URL like:
http://www.amazon.com/Application-Development-Graph-Cookbook/dp?url=http://www.phishing.com
The user sees the trusted domain, follows the link and lands on the attacker's page, so the attacker can easily use a phishing page to steal the user's confidential information.
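The `redirect.cgi?url=` and `login?url=` handlers above, as an added example (not code from the original article): the redirect that trusts its parameter, a validator for a free-form `url=` parameter that handles the usual bypasses, and the safer pattern of naming destinations by key. `website.com` is the page's own placeholder host; the allow-list and the key map are assumptions:

```python
from urllib.parse import urlparse, urlunparse

ALLOWED_HOSTS = {"website.com", "www.website.com"}  # assumed allow-list
DEFAULT_TARGET = "/"

# Preferred pattern: the parameter names a known destination, never a URL.
REDIRECT_MAP = {"home": "/", "orders": "/account/orders",
                "help": "https://www.website.com/help"}


def redirect_vulnerable(url):
    """What redirect.cgi?url=... does when it trusts the parameter: Location: <url>."""
    return url


def redirect_by_key(key):
    return REDIRECT_MAP.get(key, DEFAULT_TARGET)


def safe_redirect_target(url):
    """Validate a free-form url= value; anything doubtful falls back to DEFAULT_TARGET."""
    if not url:
        return DEFAULT_TARGET
    # Browsers strip tabs/newlines and treat "\" as "/", so "/\evil.com" and
    # "/\t/evil.com" both become the protocol-relative "//evil.com".
    if any(c in url for c in "\\\t\r\n") or url != url.strip():
        return DEFAULT_TARGET
    p = urlparse(url)
    if p.scheme and p.scheme not in ("http", "https"):  # javascript:, data:, ...
        return DEFAULT_TARGET
    if p.netloc:  # absolute ("http://h/...") or protocol-relative ("//h/...")
        # p.hostname drops userinfo and port: "http://website.com@evil.com/" -> evil.com.
        # Exact match, so "website.com.evil.com" does not pass either.
        if p.hostname not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return urlunparse(("https", p.hostname, p.path or "/", p.params, p.query, ""))
    # Relative target: must be a single-slash path on this site.
    if not url.startswith("/") or url.startswith("//"):
        return DEFAULT_TARGET
    return url
```

The key-based redirect is the simplest fix when the set of destinations is known; the validator is for the case where it is not, and each rejected form in the test corresponds to a bypass seen against naive "starts with our domain" checks.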
Final Thoughts
Lastly, I want to mention w3af, which can run web application penetration tests that cover the OWASP Top 10 vulnerabilities.
OWASP has categorized the most dangerous vulnerabilities in web applications, and the list is a reference point for web developers and penetration testers to make sure that an application does not contain them. Besides the application-level vulnerabilities, we also need to take care of the system software, whose vulnerabilities can expose all of the same information. The key tip is to stay up to date.
- Update all of the software, both at the system and the application level.
- Keep engaged with the online community to learn about new vulnerabilities and application weaknesses.