OWASP part 1 Flashcards
What are 3 topics of OWASP?
Information gathering
Injection attacks
Session management attacks
What does an attacker want to achieve with information gathering?
Find attack vectors (ways to enter a system or network)
Low hanging fruits
Improve efficiency of attack
What does a developer want to achieve with information gathering?
test scope
coverage
prioritization
test efficiency
What application information is gathered during the information gathering phase (4)?
Application structure: All pages and subdomains you have found in the application.
Any external links.
Trust zones, what needs authentication/authorization and what is open.
Data flow within the application. What parameters and values are used. What GET and POST requests are sent, and what are the responses.
What infrastructure/platform information is gathered during the information gathering phase (5)?
Information about the web server: the type and the version that is running.
Applications running on the server. If any of these have known vulnerabilities, known attack strategies can be used to gain access. We can also check whether any of the applications are misconfigured.
Application entry points. Finding the application's attack surface: HTTP requests, parameters.
Execution path through application. This means finding out about the structure and layout of the application.
Fingerprint Web Application Framework: Find out what frameworks an application implements. The well known frameworks will have known headers, cookies, and directory structures, making it easier to identify the application.
Why are web debugging proxies useful?
They can capture and examine requests and responses.
They can be used to manipulate payloads.
Can be used in attacks.
Name a Website copier tool used for information gathering
HTTrack
VisualWget
Name a Web debugging proxy server used for information gathering
Firefox developer tools
Fiddler
Name a Tool set used for information gathering
Kali Linux
Burp suite
OWASP Zap
What are the main features of OWASP ZAP (6)?
Intercepting proxy
Active and passive scanners
Spider
Report generation
Brute force
Fuzzing
What does the spider tool do in OWASP Zap?
It automatically discovers new resources (URLs) on a particular site.
What is Fiddler?
It is a web-debugging tool that monitors, inspects, edits, and logs all HTTP(S) traffic between your computer and the Internet, issues requests, and fiddles with incoming and outgoing data.
When testing for vulnerabilities, should one always use only automated tools?
No, these tools are limited. Some information cannot be found using automated scanners.
Additional manual testing is always recommended.
What is Google dorking?
A technique that uses Google's advanced search operators to find security holes in the configurations and code that websites are using.
The information found through dorking may not be readily available through standard search queries.
Name 3 injection attacks
SQLi
Blind SQLi
XPath injection
Name a possible SQLi query to delete a user table from a username input
username_input' OR 1=1); DROP TABLE Users; --
What can an adversary achieve using SQLi (4)?
Bypass authentication
Privilege escalation
Stealing information
Modification/destruction
What is blind SQLi?
Occurs when an application is vulnerable to SQLi, but its HTTP responses do not contain the result of the relevant SQL query or the details of any DB errors.
A type of SQLi attack where the attacker asks the database true or false questions and determines the answer from the application's response. For example, an attacker can inject a query that returns 'false' and afterwards a query that returns 'true'. If the contents of the web page differ for these two queries, the attacker can distinguish whether the executed query returned true or false.
When an attacker exploits SQL injection, sometimes the web application displays error messages from the database complaining that the SQL query's syntax is incorrect. Blind SQL injection is nearly identical to normal SQL injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to extract data by asking the database a series of true or false questions. This makes exploiting the SQL injection vulnerability more difficult, but not impossible.
What is XPath injection?
Occurs when a website uses user input to construct an XPath query for XML data.
Give an example of XPath injection
Normal:
string(//user[username/text()='gandalf' and
password/text()='Abcd3']/account/text())
Attack:
string(//user[username/text()='' or '1' = '1' and
password/text()='' or '1' = '1' ]/account/text())
What are 5 countermeasures against SQLi?
Blacklisting
Whitelisting
Escaping
Prepared statement & bind variables
Mitigating impact
What is blacklisting when it comes to mitigating SQLi?
Filter away certain symbols such as quotes, semicolons, etc.
Why is blacklisting a bad mitigation technique (2)?
It’s difficult to know exactly every symbol or combination of symbols that might be dangerous. This way, some dangerous symbols could be missed in the blacklist.
Blacklisting can also conflict with functional requirements of an application.
What is whitelisting?
Only allow certain, well-defined safe inputs.
What can be used to define safe values in whitelisting, and what is a pitfall when using it?
RegExp
It is hard to define a RegExp that covers all safe values.
What is escaping?
Escape characters instead of blacklisting:
' -> ''
Has the same pitfall as blacklisting, could always miss a dangerous character.
What is the root cause of SQLis?
The input data gets interpreted as control
What is the idea behind prepared statements and bind variables?
Decouple query statement and data input
What are prepared statements?
Put placeholders in the queries where the input data is going to be.
Then we specify what data to be filled in for the placeholders.
How are prepared statements used in Java?
// con is an open java.sql.Connection; the ? placeholders mark where the data goes
PreparedStatement stmt = con.prepareStatement("update emp set name=? where id=?");
stmt.setString(1, "Gandalf"); // 1 specifies the first parameter in the query
stmt.setInt(2, 101);          // 2 specifies the second parameter
int i = stmt.executeUpdate(); // returns the number of rows updated
How can we mitigate impact of SQLis (5)?
Avoid information leakage by not displaying DB errors or stack traces to external users.
Only give users the privileges they need. For example, only read access on the tables/views the user can query, and no DROP TABLE privileges for a typical user.
Encrypt sensitive data
Key management precautions, don’t store decryption keys in the DB.
Hash passwords.
How many SQLi test cases does OWASP define?
6
What are the 6 SQLi test cases that OWASP defines?
Oracle Testing
MySQL Testing
SQL Server Testing
Testing PostgreSQL
MS Access Testing
Testing for NoSQL injection
What are 6 other injection test cases from OWASP?
Testing for LDAP Injection
Testing for XML Injection
Testing for SSI Injection
Testing for XPath Injection
IMAP/SMTP Injection
Testing for Code Injection
What is done during session management?
A user is authenticated once.
All subsequent requests are tied to the user
Why is session management necessary?
Because HTTP is stateless, meaning each request-response pair is independent of other web interactions. It is impossible to know if two requests are from the same client.
Without session management, users would have to constantly re-authenticate
What are session management attacks?
Attacks that have the goal of taking over the session of a user.
What is a web session?
A sequence of network HTTP requests and response transactions associated with the same user.
What are session tokens?
A unique string that identifies a specific session instance.
How can session tokens be communicated?
Request-params: ?sessionToken=1234
Hidden form field:
<input type="hidden" name="sessionToken" value="1234">
Browser cookie: Set-Cookie: sessionToken=1234
What can the session management flow be when using cookies?
Browser: Sends user credentials
Server: Checks credentials; if valid, indexes the session with a cookie -> Set-Cookie
Browser: Stores cookie
After this, the browser adds this cookie to subsequent requests, which are validated by the server on request-receipt.
Name 3 session management attacks
Session token theft
Session token prediction
Session fixation attack
How are cookies set by the server?
The server sets a cookie in the header of an HTTP response to the browser:
Set-Cookie: token=1234; expires=Wed, 3-Aug-2022 08:00:00; path=/; domain=idi.ntnu.no
How are cookies sent from the browser?
In the header of an HTTP request, when visiting a domain within the same scope as the cookie.
Cookie: token=1234
What is the cookie protocol problem?
Server only sees:
Cookie: NAME=VALUE
The server does not see which domain sends the cookie. This makes it vulnerable to session management attacks.
What is session token theft - sniff network?
An attacker sniffs a network to steal information that is revealed when visiting unencrypted sites over HTTP.
Flow:
- A logs in to a site over HTTP
- The server sends a logged-in session token to A
- A then visits a non-encrypted site over HTTP
- The attacker waits for A to log in
- Then steals the logged-in session token (in HTTP)
- The attacker then impersonates A to issue a request
What is network sniffing?
A technique used to monitor data packets that go through a network.
Attackers use sniffers to capture data packets carrying sensitive information.
What is the Logout problem, in regards to session token theft?
Unless a session token is deleted and invalidated (marked as expired), an attacker would be able to impersonate a user for a long time.
What should happen when a user logs out?
- Delete session token from client
- Mark session token as expired on the server
What are some solutions to session token theft?
- After user has logged in, all later communications must happen over an encrypted channel
- Remember to log out on all web servers
- Time-out session ID on all web servers
- Delete expired session ID on all web servers
- Bind session token to client IP or computer
What are session cookies?
Temporary cookies stored in the browser’s memory until the browser window is closed
What are persistent cookies?
Long-term cookies that are tagged by the issuer with an expiration date.
They remain stored by the browser even after it has been closed.
Happens when clicking “Remember me”
What is the session token prediction attack?
When a server uses predictable tokens, such as counters (user001, user002, user00X)
What are non-predictable tokens?
If an attacker is seeing one or more tokens, they should not be able to predict other tokens.
What is the solution to session token prediction attacks?
Use token generators from frameworks (ASP, Tomcat, Rails, Django), do not invent your own algorithm
What are session fixation attacks?
This can occur when the server elevates the anonymous token to a logged-in token, without changing the value.
Steps:
- A visits a site using an anonymous token
- The attacker overwrites the anonymous token with the value of their own token
- The user logs in and gets the anonymous token with the attacker’s value elevated to logged-in token
- Attacker’s token is elevated to a logged-in token
How can session tokens be overwritten?
Network tampering:
- A user visits a website over HTTP
- The server injects into the response to overwrite the secure cookie:
Set-Cookie: SSID=maliciousToken
XSS
How can session fixation be prevented?
Always issue a new session token, when elevating from anonymous token to logged-in token
What are the 7 session management tests?
Testing for Bypassing Session Management Schema
Testing for Cookies attributes (WSTG-SESS-02)
Testing for Session Fixation (WSTG-SESS-03)
Testing for Exposed Session Variables
Testing for logout functionality (WSTG-SESS-06)
Test Session Timeout (WSTG-SESS-07)
Testing for Session puzzling (WSTG-SESS-08)