OWASP part 1

Question 1

What are 3 topics of OWASP?

Answer 1

Information gathering

Injection attacks

Session management attacks

Question 2

What does an attacker want to achieve with information gathering?

Answer 2

Find attack vectors (ways to enter a system or network)

Low hanging fruits

Improve efficiency of attack

Question 3

What does a developer want to achieve with information gathering?

Answer 3

test scope
coverage
prioritization
test efficiency

Question 4

What application information is gathered during the information gather fase (4)?

Answer 4

Application structure: All pages and subdomains you have found in the application.

Any external links.

Trust zones, what needs authentication/authorization and what is open.

Data flow within the application. What parameters and values are used. What GET and POST requests are sent, and what are the respones.

Question 5

What infrastructure/platform information is gathered during the information gather fase (5)?

Answer 5

Information about web server. Version that is running, the type.

Applications running on the server. If any of this have known vulnerabilities, known attack strategies can be exploited to gain access. We can also check if any of the applications are misconfigured.

Application entry points. Finding the applications attack surface. HTTP-requests, parameters.

Execution path through application. This means finding out about the structure and layout of the application.

Fingerprint Web Application Framework: Find out what frameworks an application implements. The well known frameworks will have known headers, cookies, and directory structures, making it easier to identify the application.

Question 6

Why is web debugging proxies useful?

Answer 6

They can capture and examine requests and responses.

They can be used to manipulate payloads.

Can be used in attacks.

Question 7

Name a Website copier tool used for information gathering

Answer 7

HTTtrack
VisualWget

Question 8

Name a Web debugging proxy server used for information gathering

Answer 8

Firefox developer tool

Fiddler

Question 9

Name a Tool set used for information gathering

Answer 9

Kali linux

Burp suite

OWASP Zap

Question 10

What are the main features of Owasp ZAP (6)?

Answer 10

Intercepting proxy

Active and passive scanners

Spider

Report generation

Brute force

Fuzzing

Question 11

What does the spider tool do in OWASP Zap?

Answer 11

To automatically descover new resources(URLs) on a particular site.

Question 12

What is Fiddler?

Answer 12

It is a web-debugging tool that monitors, inspects, edits, and logs all HTTPS traffic, issues requests between your computer and the Internet, and fiddles with incoming and outgoing data

Question 13

When testing for vulnerabilities, should one always use only automated tools?

Answer 13

No, these tools are limited. Some information cannot be found using automated scanners.
Additional manual testing is always recommended.

Question 14

What is Google dorking?

Answer 14

A technique that uses Google advanced search operations to find security holes in configs and computer code that websites are using.
The information found through dorking may not be readily available through standard search queries.

Question 15

Name 3 injection attacks

Answer 15

SQLi
Blind SQLi
XPath injection

Question 16

Name a possible SQLi query to delete a user table from a username input

Answer 16

username_input ’ OR 1=1); Drop TABLE Users; –

Question 17

What can an adversary achieve using SQLi (4)?

Answer 17

Bypass authentication

Privilege escalation

Stealing information

Modification/destruction

Question 18

What is blind SQLi?

Answer 18

Occurs when an application is vulnerable to SQLi, but its HTTP responses do not contain the result of the relevant SQL query or the details of any DB errors.

A type of SQLi attacks where the attacker asks the database true or false questions, and determines the answer based on the application response. For example can an attacker try to inject a query that returns ‘false’ and afterwards a query that return ‘true’. If the contents of the webpage change for these queries, the attacker is able to distinguish when the executed query return true or false.

When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible. .

Question 19

What is XPath injection?

Answer 19

Occurs when a website uses user input to construct an XPath query for XML data.

Question 20

Give an example of XPath injection

Answer 20

Normal:
string(//user[username/text()=’gandalf’ and
password/text()=’Abcd3’]/account/text())

Attack:
string(//user[username/text()=’’ or ‘1’ = ‘1’ and
password/text()=’’ or ‘1’ = ‘1’ ]/account/text())

Question 21

What are 5 countermeasures agains SQLi?

Answer 21

Blacklisting
Whitelisting
Escaping
Prepared statement & bind variables
Mitigating impact

Question 22

What is blacklisting when it comes to mitigating SQLi?

Answer 22

Filter away certain symbols such as quotes, semicolons, etc.

Question 23

Why is blacklisting a bad mitigation technique (2)?

Answer 23

It’s difficult to know exactly every symbol or combination of symbols that might be dangerous. This way, some dangerous symbols could be missed in the blacklist.

Blacklisting can also conflict with functional requirements of an application.

Question 24

What is whitelisting?

Answer 24

Only allow certain, well-defined safe inputs.

Question 25

What can be used to define safe values in whitelisting, and what is a pitfall when using it?

Answer 25

RegExp

It is hard to define. RegExp that covers all safe values.

Question 26

What is escaping?

Answer 26

Escape characters instead of blacklisting:
‘ -> ‘’

Has the same pitfall as blacklisting, could always miss a dangerous character.

Question 27

What is the root cause of SQLis?

Answer 27

The input data gets interpreted as control

Question 28

What is the idea behind prepared statements and bind variables?

Answer 28

Decouple query statement and data input

Question 29

What is prepared statements?

Answer 29

Put placeholders in the queries where the input data is going to be.
Then we specify what data to be filled in for the placeholders.

Question 30

How is prepared statements used in Java?

Answer 30

PreparedStatement stmt=con.prepareStatement(“update emp set name=?
where id=?”);

stmt.setString(1,“Gandalf”); //1 specifies the first parameter in the query

stmt.setInt(2,101);
int i=stmt.executeUpdate();

Question 31

How can we mitigate impact of SQLis (5)?

Answer 31

Avoid information leakage by not displaying DB errors or stack traces to external users.

Only give users the privileges they need. For. example, only read access on the tables/views the user can query. Not allowing drop table privileges for a typical user.

Encrypt sensitive data

Key management precautions, don’t store decryption keys in the DB.

Hash passwords.

Question 32

How many SQLi test cases does OWASP define?

Answer 32

6

Question 33

What are the 6 SQLi test cases that OWASP defines?

Answer 33

Oracle Testing
MySQL Testing
SQL Server Testing
Testing PostgreSQL
MS Access Testing
Testing for NoSQL injection

Question 34

What are 6 other injection test cases from OWASP?

Answer 34

Testing for LDAP Injection
Testing for XML Injection
Testing for SSI Injection
Testing for XPath Injection
IMAP/SMTP Injection
Testing for Code Injection

Question 35

What is done during session management?

Answer 35

A user is authenticated once.
All subsequent requests are tied to the user

Question 36

Why is session management necessary?

Answer 36

Because HTTP is stateless, meaning each request-reponse pair is independent of other web interactions. It is impossible to know if two requests are from the same client.
Without session management, users would have to constantly re-authenticate

Question 37

What are session management attacks?

Answer 37

Attacks that has the goal of taking over the session of a user.

Question 38

What is a web session?

Answer 38

A sequence of network HTTP requests and response transactions associated with the same user.

Question 39

What are session tokens?

Answer 39

A unique string that identifies a specific session instance.

Question 40

How can session tokens be communicated?

Answer 40

Request-params: ?sessionToken=1234

Hidden form field:
<input></input>

Browser cookie: setcookie: sessionToken=1234

Question 41

What can the session management flow be when using cookies?

Answer 41

Browser: Sends user credentials

Server: Check credentials, if valid, index session with a cookie -> setcookie

Browser: Stores cookie

After this, the browser adds this cookie to subsequent requests, which are validated by the server on request-receipt.

Question 42

Name 3 session management attacks

Answer 42

Session token theft

Session token prediction

Session fixation attack

Question 43

How are cookies set by the server?

Answer 43

Server sets a cookie in the header of a HTTP response to the browser:

set-Cookie: token=1234; expire=Wed, 3-Aug-2022 08:00:00; path=/; domain=idi.ntnu.no

Question 44

How are cookies sent from the browser?

Answer 44

In header of a HTTP request, when visiting the domain of the same scope as the cookie.

Cookie: token=1234

Question 45

What is the cookie protocol problem?

Answer 45

Server only sees:
Cookie: NAME=VALUE

The server does not see which domain sends the cookie. This makes it vulnerable to session management attacks.

Question 46

What is session token theft - sniff network?

Answer 46

An attacker sniffs a network to steal information that is revealed when visiting unencrypted sites over HTTP.

Flow:
- A logs in to a site over HTTP
- The server send a logged-in session token to A
- A then visits a non-encrypted site over HTTP

• The attacker waits for A to log in
• Then steals the logged-in session token (in HTTP)
• The attacker then impersonated A to issue a request

Question 47

What is network sniffing?

Answer 47

A technique used to monitor data packets that goes through a network.
Attackers use sniffers to capture data packets carrying sensitive information.

Question 48

What is the Logout problem, in regards to session token theft?

Answer 48

Unless a session token is deleted and invalidated (marked as expired), an attacker would be able to impersonate a user for a long time.

Question 49

What should happen when a user logs out?

Answer 49

1. Delete session token from client
2. Mark session token as expired on the server

Question 50

What are some solutions to session token theft?

Answer 50

1. After user has logged in, all later communications must happen over an encrypted channel
2. Remember to log out on all web servers
3. Time-out session ID on all web servers
4. Delete expired session ID on all web servers
5. Bind session token to client IP or computer

Question 51

What are session cookies?

Answer 51

Temporary cookies stored in the browser’s memory until the browser window is closed

Question 52

What are persistent cookies?

Answer 52

Long-term cookies that are tagges by the issuer with an expiration-date.

Stored in the browser memory even after it has been closed.

Happens when clicking “Remember me”

Question 53

What is the session token prediction attack?

Answer 53

When a server uses predictable tokens, such as counters (user001, user002, user00X)

Question 54

What are non-predictable tokens?

Answer 54

If an attacker is seeing one or more tokens, they should not be able to predict other tokens.

Question 55

What are the solution to session token predictions attacks?

Answer 55

Use token generators from frameworks (ASP, Tomcat, Rails, Django), do not invent your own algorithm

Question 56

What are session fixation attacks?

Answer 56

This can occur when the server elevates the anonymous token to a logged-in token, without changing the value.

Steps:
- A visits a site using an anonymous token
- The attacker overwrites the anonymous token with the value of their own token
- The user logs in and gets the anonymous token with the attacker’s value elevated to logged-in token
- Attacker’s token is elevated to a logged-in token

Question 57

How can session tokens be overwritten?

Answer 57

Network tampering:
- A user visits a website over HTTP
- The server injects into the response to overwrite the secure cookie:
Set-cookie: SSID=maliciousToken

XSS

Question 58

How can session fixation be done?

Answer 58

Always issue a new session token, when elevating from anonymous token to logged-in token

Question 59

What are the 7 session management tests?

Answer 59

Testing for Bypassing Session Management Schema

Testing for Cookies attributes (WSTG-SESS-02)

Testing for Session Fixation (WSTG-SESS-03)

Testing for Exposed Session Variables

Testing for logout functionality (WSTG-SESS-06)

Test Session Timeout (WSTG-SESS-07)

Testing for Session puzzling (WSTG-SESS-08)