OWASP Top 10 Flashcards
Injection
Threat Agents / Attack Vectors
Almost any source of data can be an injection vector:
- environment variables
- parameters
- external and internal web services
- all types of users
Injection vulnerabilities are often found in:
- SQL queries
- LDAP queries
- XPath queries
- NoSQL queries
- OS commands,
- XML parsers
- SMTP headers
- expression languages
- ORM queries.
Injection
When does this occur?
How can these vectors be found?
Injection flaws occur when an attacker can send hostile data to an interpreter.
Scanners and fuzzers can help attackers find injection flaws.
Injection flaws are easy to discover when examining code.
Injection
Remote File Inclusion
Occurs when an application can be forced into reading a file from a remote location and including it in a response or, in more severe cases, executing the file as code on the server.
The problem is due to the fact that many scripting languages do not discriminate between local and remote resources, and will automatically adjust to the protocol specified in the resource location string.
If external input is used to construct this location string, it may be able to change the file that gets included, or the location from where the file is fetched.
Injection
Prevent Remote File Inclusion
Never directly pass user input to “file include” commands. It is recommended to use an indirect reference map instead.
Apply whitelist validation against all user controllable input such as form parameters, cookies, and HTTP headers.
Authentication
Forceful Browsing
This vulnerability occurs when an application allows access to restricted content by default and prevents access by hiding user interface elements.
It is easy to guess or enumerate hidden web pages or links. If no further access checks are performed, an attacker can “forcefully browse” to these pages and gain access without authorization or authentication.
Authentication
Prevent Forceful Browsing
A core principle in secure access control is to deny access by default, and only allow access after an access check succeeds.
Ensure all relevant pages, routes, and endpoints require proper authentication and access checks.
XML External Entity (XXE)
Attack
A type of attack against an application that parses XML input.
This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
This attack may lead to:
- Disclosure of confidential data
- Denial of service
- Server-side request forgery
- Port scanning from the perspective of the machine where the parser is located
XML External Entity (XXE)
A type of custom XML entity whose defined values are loaded from outside of the DTD (document type definition) in which they are declared.
External entities are particularly interesting from a security perspective because they allow an entity to be defined based on the contents of a file path or URL.
XML External Entity (XXE)
Prevent XXE Injection
Developers should apply application-wide filters or sanitization on all user-provided input. Consider GET and POST parameters, Cookies and other HTTP headers.
Always apply allowlist (whitelist) input validation.
XML parsers should disable support for external entities, or DTDs completely.
Insecure Deserialization
How can this be prevented?
Sanitize the data of a serialized object as untrusted user input through filtering or validation.
Implement integrity checks such as digital signatures on any serialized object.
Isolate and run code that deserializes in a low privilege environment.
Insecure Deserialization
How does an attacker use it?
It is used to abuse the logic flow of an application, execute arbitrary code, or inflict a denial of service (DoS) when it is being deserialized.
The attack occurs when a serialized object is loaded, deserialized by the application and the data is used without validation.
Depending on how the application uses the serialized object, an attack could result in SQL injection, XSS, or remote code execution.
Insecure Deserialization
What is serialization?
When data structures or object states are translated into a format that can be stored (a series of bytes).
Insecure Deserialization
What is deserialization?
When a data structure is extracted from a series of bytes.
Insufficient Logging and Monitoring
The lack of recording proper historical information about events that happened inside an application.
The application does not log auditable events, such as logins, failed logins, and high-value transactions.
Warnings and errors generate inadequate, unclear, or no log messages at all.
The application is unable to detect, escalate, or alert for active attacks in real-time.
Penetration testing and vulnerability scans do not trigger alerts.
Insufficient Logging and Monitoring
How can this be prevented?
Ensure all failures are properly logged with sufficient user context.
Log entries should be held for a sufficient time to allow thorough forensic analysis.
Ensure that logs are generated in a format that can be easily consumed by a centralized log management solution.
Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
Make sure you have effective monitoring and alerting so suspicious activities are detected and handled in a timely fashion.
