OWASP Top 10
Last updated
Note: in this section our examples are taken from OWASP Juice Shop, a deliberately vulnerable application. You can get it here along with explanations on how to install and run it on Kali (for the examples the install was done using Docker; for challenges not available with Docker I used the one from TryHackMe here). We are also going to use examples from XSS Game.
To go further with Juice Shop, check out the Gitbook here.
To find a SQL injection we can try adding special characters (a single quote, for instance) in forms and analyze the responses we get: a database error message in the response is the usual sign that our input reaches the query.
Source: PEH - TCM Security Academy
In our example we have user enumeration
We also have to see if we can bypass authentication
Using directory busting we can find sensitive info like folders or backup files.
We can check the response and grep on keywords like passwords or keys.
We also need to check if HSTS is enabled, which means checking that the Strict-Transport-Security header is present and properly set up (a sufficient max-age and includeSubDomains). Check this on OWASP for more info.
It is also worth checking SSL/TLS; we can use testssl for this purpose, or nmap with nmap --script=ssl-enum-ciphers -p 443 domain.com
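As an added example that is not part of the original notes, here is a small checker for the Strict-Transport-Security header described above, run over constructed response headers rather than a live host. The one-year minimum for max-age is an assumed review threshold, not a value from the notes.

```python
# Added example (not from the original notes): validate a Strict-Transport-Security
# header the way a reviewer would after reading the response headers.
MIN_MAX_AGE = 31536000  # assumed minimum: one year in seconds


def parse_hsts(header_value):
    """Parse an HSTS header value into its max-age, includeSubDomains and preload parts."""
    result = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if value.isdigit():
                result["max-age"] = int(value)
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_hsts(headers):
    """Return a list of findings for a dict of response headers; an empty list means properly set up."""
    findings = []
    # header names are case-insensitive, so match on the lower-cased key
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        findings.append("HSTS header missing")
        return findings
    parsed = parse_hsts(value)
    if parsed["max-age"] is None:
        findings.append("max-age directive missing or not numeric")
    elif parsed["max-age"] == 0:
        findings.append("max-age=0 disables HSTS")
    elif parsed["max-age"] < MIN_MAX_AGE:
        findings.append(f"max-age {parsed['max-age']} below assumed minimum {MIN_MAX_AGE}")
    if not parsed["includeSubDomains"]:
        findings.append("includeSubDomains not set: subdomains remain unprotected")
    return findings


# Constructed sample responses (not captured from a real host)
GOOD = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
WEAK = {"strict-transport-security": "max-age=300"}
MISSING = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD), ("weak", WEAK), ("missing", MISSING)):
        print(name, check_hsts(hdrs) or "OK")
```

The same function can be pointed at the headers returned by any HTTP client; the parsing is deliberately lenient about spacing and case because servers emit the directive in several spellings.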
In this XML code we are defining something that works like a constant: every time we use &from;, the parser substitutes the value "someone".
However, when the application parses a document we supply, we can tamper with it by adding special characters and declarations that will be interpreted as XML.
We can try this payload taken from PayloadsAllTheThings (https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md#classic-xxe)
For our example we put this in a file called test.xml
It means that a user gets access to something they should not be able to access
Default credentials in a login page
Stack traces
To find an XSS the thing to do is to look for inputs in the website like search bar, comment form, etc.
Goals: steal cookies, deface website, denial of service, keylogging, ...
Our XSS is not persistent (reflected), so our payload is not kept in the database: it only runs for whoever opens the crafted request.
Our XSS is persistent (stored), so our payload is saved in the database and anyone accessing the page will have the payload executed.
Source: PEH - TCM Security Academy
In our example, when using a special character in the login form, we got a very verbose SQLite error, which indicates that we have SQL injection.
Using the payload test' OR 1=1;-- we were able to log in, because -- comments out the rest of the query, so the password is never checked.
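The two steps of the notes, the special-character probe and the comment-based bypass, as an added example that is not Juice Shop's code: the same login check written with string concatenation and with a parameterised query, run against an in-memory SQLite database seeded with one constructed user.

```python
# Added example (not from Juice Shop or the course): vulnerable and safe login
# queries side by side, against an in-memory SQLite database with constructed data.
import sqlite3

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (email TEXT, password TEXT)")
db.execute("INSERT INTO users VALUES ('admin@example.com', 'S3cret!')")  # constructed row


def login_vulnerable(email, password):
    """Builds the SQL with string formatting: user input becomes part of the query text."""
    query = f"SELECT email FROM users WHERE email = '{email}' AND password = '{password}'"
    return db.execute(query).fetchone()


def login_safe(email, password):
    """Same check with placeholders: the driver passes the values separately from the SQL."""
    query = "SELECT email FROM users WHERE email = ? AND password = ?"
    return db.execute(query, (email, password)).fetchone()


def probe(login):
    """Step one from the notes: send a lone quote and see whether the backend raises a
    database error, the signal that our input is being parsed as SQL."""
    try:
        login("test'", "x")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)  # the verbose error a misconfigured app would show the user


def bypass(login):
    """Step two: the comment sequence removes the password check from the query."""
    row = login("test' OR 1=1;--", "wrongpassword")
    return row is not None


if __name__ == "__main__":
    print("vulnerable probe error:", probe(login_vulnerable))
    print("safe probe error:", probe(login_safe))
    print("vulnerable bypass:", bypass(login_vulnerable))
    print("safe bypass:", bypass(login_safe))
```

With the parameterised version the quote and the comment sequence are just characters inside a bound value, so the probe produces no error and the bypass finds no row; the fix is the query shape, not filtering of the input.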
When a user exists, going to "forgot password" gives us that user's security question.
If the user does not exist, we do not get a security question, so the difference in response tells us which accounts exist.
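The enumeration oracle described above, as an added example that is not Juice Shop's code: a forgot-password step that answers differently for known and unknown accounts beside one that answers uniformly, with a check that tells the two apart. The user table and addresses are constructed.

```python
# Added example (not from Juice Shop): user enumeration through a forgot-password
# endpoint, vulnerable and fixed versions, with a detection check.
USERS = {"jim@example.com": "Your eldest sibling's middle name?"}  # constructed account


def forgot_password_leaky(email):
    """Reveals whether the account exists: a security question comes back only for real users."""
    if email in USERS:
        return {"status": 200, "question": USERS[email]}
    return {"status": 404, "error": "No such user"}


def forgot_password_uniform(email):
    """Same response for every address; the question or reset link is delivered out of band."""
    return {"status": 200, "message": "If that account exists, instructions have been sent by email"}


def is_enumeration_oracle(handler, known, unknown):
    """Detection: one valid and one invalid address produce distinguishable responses."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for h in (forgot_password_leaky, forgot_password_uniform):
        print(h.__name__, "leaks account existence:",
              is_enumeration_oracle(h, "jim@example.com", "nobody@example.com"))
```

In a real test the comparison also has to cover status codes, response length and timing, since any of them can act as the oracle even when the visible message is the same.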
In our example there is an FTP page.
We will abuse this file upload function.
We select our XML file to upload it, enter some string in the description field and send this.
It works: we are able to get the /etc/passwd file.
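The entity mechanism explained in the XML section above and the upload abuse just described, as an added example that is not Juice Shop's code: a plain parse showing how the declared entity is expanded, and a hardened loader that refuses any uploaded document carrying a DOCTYPE before it reaches the parser. Both documents are constructed, and the file path in the second one is a placeholder.

```python
# Added example (not from Juice Shop or the notes): how a DTD entity is expanded,
# and a loader that rejects documents declaring a DOCTYPE at all.
import re
import xml.etree.ElementTree as ET

# The internal entity from the notes: &from; expands to "someone" wherever it appears.
INTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY from "someone"> ]>
<note><sender>&from;</sender><body>hello</body></note>"""

# Same mechanism, but the entity is declared SYSTEM and points at a local resource
# (placeholder path): this is the shape of the classic XXE payload the notes link to.
EXTERNAL_ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY xxe SYSTEM "file:///path/to/local/file"> ]>
<note><sender>&xxe;</sender></note>"""

# A document an upload form would legitimately receive: no DTD at all.
PLAIN_DOC = "<note><sender>alice</sender><body>hello</body></note>"

DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


class UnsafeXml(ValueError):
    """Raised when a document carries declarations the application does not need."""


def parse_permissive(xml_text):
    """Plain parse: the parser honours the internal DTD, so &from; becomes 'someone'."""
    root = ET.fromstring(xml_text)
    return root.findtext("sender")


def parse_hardened(xml_text):
    """Refuse any DOCTYPE before parsing; an upload form has no business declaring entities."""
    if DOCTYPE_RE.search(xml_text):
        raise UnsafeXml("DOCTYPE and entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    return root.findtext("sender")


def is_accepted(xml_text):
    """True when the hardened loader lets the document through."""
    try:
        parse_hardened(xml_text)
        return True
    except UnsafeXml:
        return False


if __name__ == "__main__":
    print("permissive parse of internal entity doc:", parse_permissive(INTERNAL_ENTITY_DOC))
    for name, doc in (("internal", INTERNAL_ENTITY_DOC), ("external", EXTERNAL_ENTITY_DOC), ("plain", PLAIN_DOC)):
        print(name, "accepted by hardened loader:", is_accepted(doc))
```

Rejecting the DOCTYPE outright is the simplest policy and is what libraries such as defusedxml do by default; it blocks external entities and entity-expansion denial of service in one move, at the cost of refusing the harmless internal entity as well.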
In our example we are going to use the customer feedback section and leave a feedback as another customer.
There is a hidden userID field on the form that we can see if we check the source code.
If we make it visible we can see our own user id is 21
We can change it to 1 for example
If we submit this we have successfully exploited Broken Access Control by posting feedback as another user.
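The hidden-field tampering above, as an added example that is not Juice Shop's code: a feedback handler that trusts the userID field from the form beside one that takes the author from the authenticated session, plus the check a tester would script. Session and form are constructed dicts and the user ids are the ones quoted in the notes.

```python
# Added example (not Juice Shop's code): broken access control through a
# client-controlled hidden field, vulnerable and fixed versions.
FEEDBACK = []  # stored rows: (user_id, comment)


def post_feedback_vulnerable(session, form):
    """Trusts client-controlled data: whoever edits the hidden field chooses the author."""
    FEEDBACK.append((int(form["userID"]), form["comment"]))
    return FEEDBACK[-1]


def post_feedback_fixed(session, form):
    """Ignores the form's userID entirely; the author is always the logged-in user."""
    FEEDBACK.append((session["user_id"], form["comment"]))
    return FEEDBACK[-1]


def tampering_succeeds(handler):
    """Submit with a foreign id and report whether it was recorded as the author."""
    session = {"user_id": 21}  # our own id, as in the notes
    form = {"userID": "1", "comment": "constructed feedback"}  # hidden field changed to 1
    user_id, _ = handler(session, form)
    return user_id != session["user_id"]  # True means the access control is broken


if __name__ == "__main__":
    for h in (post_feedback_vulnerable, post_feedback_fixed):
        print(h.__name__, "accepts a forged author:", tampering_succeeds(h))
```

The general rule the example illustrates: any identifier that selects whose data is read or written must come from server-side session state, never from a request field, hidden or not.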
In our example we stumble on an interesting url that takes an id parameter:
We can try to inject our payload <iframe src="javascript:alert(xss)">
For this example we are going to use XSS Game and this payload <img src='#' onerror=alert(1) />
It works.
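The reflected and stored cases from the XSS section above, exercised with the two payloads quoted in these notes, as an added example that is not XSS Game's or Juice Shop's code: a search page that echoes its parameter and a comment page that stores it, each rendered with and without output escaping, plus a crude check for markup that survived. The pages and the comment store are constructed.

```python
# Added example (not from XSS Game or Juice Shop): reflected and stored XSS,
# with and without output encoding, using the payloads quoted in the notes.
import html
import re

PAYLOADS = [
    "<img src='#' onerror=alert(1) />",
    '<iframe src="javascript:alert(xss)">',
]
COMMENTS = []  # constructed "database" for the stored case


def render_search_vulnerable(query):
    """Reflected: the parameter is written straight into the page."""
    return f"<p>Results for: {query}</p>"


def render_search_fixed(query):
    """Reflected, escaped: <, >, quotes and & become entities, so no tag can form."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def store_comment(text):
    """Stored case: the raw text goes into the database, as the notes describe."""
    COMMENTS.append(text)


def render_comments_vulnerable():
    """Every visitor gets the stored text inserted as-is."""
    return "".join(f"<li>{c}</li>" for c in COMMENTS)


def render_comments_fixed():
    """Escaping at output time neutralises the stored payload for every visitor."""
    return "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in COMMENTS)


def contains_raw_tag(page):
    """Crude detection for the example: an unescaped tag from the payloads is still in the page."""
    return re.search(r"<(img|iframe|script)\b", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    for p in PAYLOADS:
        store_comment(p)
        print("reflected vulnerable:", contains_raw_tag(render_search_vulnerable(p)),
              "fixed:", contains_raw_tag(render_search_fixed(p)))
    print("stored vulnerable:", contains_raw_tag(render_comments_vulnerable()),
          "fixed:", contains_raw_tag(render_comments_fixed()))
```

Escaping has to happen at the point of output, and it has to match the context (HTML body here); the same stored comment placed inside an attribute or a script block needs a different encoding, which is why template engines with auto-escaping are the practical fix.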