# OWASP Top 10

* *Note: In this section our examples are taken from OWASP Juice Shop, a deliberately vulnerable application. You can get it* [*here*](https://github.com/juice-shop/juice-shop) *along with explanations on how to install and run it on Kali (for these examples the install was done using Docker; for challenges not available with Docker I used the TryHackMe room* [*here*](https://tryhackme.com/room/owaspjuiceshop)*).*\
  *We are also going to use examples from* [*XSS Game*](https://xss-game.appspot.com/)
* *To go further with juice shop check out the gitbook* [*here*](https://pwning.owasp-juice.shop/)

## SQL Injection

![image](https://user-images.githubusercontent.com/96747355/176010538-421a6609-1607-4384-882e-bf5123bf3e15.png)

> *Source:* [*Practical Ethical Hacking - TCM Security*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)

![image](https://user-images.githubusercontent.com/96747355/176010787-f5efdc68-2296-43c4-af13-c95f3045f525.png)

> *Source:* [*Practical Ethical Hacking - TCM Security*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)

![image](https://user-images.githubusercontent.com/96747355/176010981-f0e51914-b9bc-4c71-8b92-9bb9fe84dd8a.png)

> *Source:* [*Practical Ethical Hacking - TCM Security*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)

* To find a SQL injection we can add special characters to form fields and analyze the responses we get.
* In our example, entering a special character in the login form produced a very verbose SQLite error, which indicates that the input reaches the query unescaped and that we have SQL injection\
  ![image](https://user-images.githubusercontent.com/96747355/176012290-db39f368-c207-462c-8dcc-94e7568f2a74.png)
* Using the payload `test' OR 1=1;--` we were able to log in, because `--` comments out the rest of the query so the password is never checked\
  ![image](https://user-images.githubusercontent.com/96747355/176012616-af412d41-faf8-4355-a46c-c4594ba8089e.png)

### Defenses against SQLi

![image](https://user-images.githubusercontent.com/96747355/176033585-5a7bcbb7-2e2f-4093-b1c3-94afa4d650d9.png)

> *Source:* [*PEH - TCM Security Academy*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)
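To make the defense concrete, here is an added example (not code from the page, from the TCM course or from Juice Shop itself) of a minimal SQLite login check written both ways, probed with the payload used above. The `Users` table and its rows are constructed stand-ins, not Juice Shop's real schema.

```python
import sqlite3

# Constructed in-memory stand-in for the application's SQLite user table
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    db.execute("INSERT INTO Users (email, password) VALUES ('admin@juice-sh.op', 'secret')")
    db.execute("INSERT INTO Users (email, password) VALUES ('bob@juice-sh.op', 'hunter2')")
    return db

def login_vulnerable(db, email, password):
    """Builds the query with string formatting: user input becomes part of the SQL grammar."""
    sql = f"SELECT id, email FROM Users WHERE email = '{email}' AND password = '{password}'"
    return db.execute(sql).fetchone()

def login_parameterized(db, email, password):
    """Binds the values as parameters: the driver never re-parses them as SQL."""
    sql = "SELECT id, email FROM Users WHERE email = ? AND password = ?"
    return db.execute(sql, (email, password)).fetchone()

def probe(db, login, email, password):
    """Return ('row', result) or ('error', message), i.e. what a tester observes."""
    try:
        return ("row", login(db, email, password))
    except sqlite3.Error as e:
        return ("error", str(e))

if __name__ == "__main__":
    db = make_db()
    # a lone quote breaks the query: the verbose SQL error is the injection indicator
    print(probe(db, login_vulnerable, "test'", "x"))
    # the page's payload: the first user row comes back without any valid password
    print(probe(db, login_vulnerable, "test' OR 1=1;--", "x"))
    # the same payload against the parameterized query is just a non-existent email
    print(probe(db, login_parameterized, "test' OR 1=1;--", "x"))
```

Note that the parameterized version also stops leaking the database error, which removes the signal the tester used to find the bug in the first place.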

## Broken authentication

* [OWASP A2-Broken Authentication](https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication)
* In our example we have user enumeration
  * When a user exists, going to "forgot password" shows us a security question\
    ![image](https://user-images.githubusercontent.com/96747355/176014637-643d1df8-a8e5-4ca2-8fee-ad7fc7054a35.png)
  * If the user does not exist we do not get a security question, so the difference in responses tells us which accounts exist\
    ![image](https://user-images.githubusercontent.com/96747355/176014820-65e008a7-56d9-400f-ade9-2d1fa75ccd6e.png)
* We also have to check whether we can bypass authentication

## Sensitive data exposure

* [OWASP A3-Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure)
* Using directory busting we can find sensitive information such as exposed folders or backup files
  * In our example there is an FTP page\
    ![image](https://user-images.githubusercontent.com/96747355/176016346-5f3989ee-f4a3-4071-8355-fdb534b843dc.png)
* We can check the responses and grep for keywords like `passwords` or `keys`
* We also need to check whether `HSTS` is enabled, which means checking that the Strict-Transport-Security header is present and properly set up. Check [this](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html) on OWASP for more info.
* We should also check the SSL/TLS configuration; we can use [testssl](https://github.com/drwetter/testssl.sh) for this purpose or nmap with `nmap --script=ssl-enum-ciphers -p 443 domain.com`
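The HSTS check above can be automated: the following added example (not from the page or any tool it mentions) parses a `Strict-Transport-Security` value and reports what is wrong with it, using the one-year `max-age` recommended by the OWASP cheat sheet as the threshold. The sample response headers are constructed, not captured from a real server.

```python
ONE_YEAR = 31536000  # max-age floor recommended by the OWASP HSTS cheat sheet

def get_hsts(headers: dict):
    """Case-insensitive lookup of Strict-Transport-Security in a response-header dict."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return value
    return None

def check_hsts(headers: dict) -> list:
    """Return findings about the HSTS setup; an empty list means it looks properly set up."""
    value = get_hsts(headers)
    if value is None:
        return ["HSTS header missing: browsers may still reach the site over plain HTTP"]
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')  # max-age="..." is legal
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a number: the header is invalid and ignored")
    elif int(max_age) == 0:
        findings.append("max-age=0: this actively disables HSTS in the browser")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
    if "preload" not in directives:
        findings.append("preload not set: the very first visit is unprotected until the header is seen")
    return findings

# Constructed sample responses, one per situation the check distinguishes
SAMPLE_RESPONSES = {
    "good": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "short": {"strict-transport-security": "max-age=86400"},
    "disabled": {"Strict-Transport-Security": "max-age=0"},
    "absent": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        print(label, check_hsts(headers) or ["OK"])
```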

## XML External Entities (XXE)

* In this XML code we define something that works like a constant: every time we reference `&from;` the parser substitutes the value "someone".
* However, when the application parses XML that we control, we can abuse this mechanism by adding our own declarations that the parser will interpret

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE gift [
  <!ENTITY from "someone">
]>
<gift>
  <To>someone else</To>
  <From>&from;</From>
  <Item>A nice item</Item>
</gift>
```

* We can try this payload taken from PayloadsAllTheThings(<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md#classic-xxe>)

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [  
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
```

* For our example we put this payload in a file called test.xml
* We will abuse this file upload function\
  ![image](https://user-images.githubusercontent.com/96747355/176021996-7c6f4800-7808-4d64-bb0f-3a77bb130ace.png)
* We select our XML file to upload it, enter some string in the description field and send it\
  ![image](https://user-images.githubusercontent.com/96747355/176022435-0d9bbbee-9213-458f-80f2-eaad66959593.png)
* It works: we are able to get the /etc/passwd file\
  ![image](https://user-images.githubusercontent.com/96747355/176022664-f0efe050-90a0-4f2a-af53-ff76fd326ea9.png)
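The fix on the server side is to parse uploads with a parser that refuses external entities. The following added example (not from the page or from Juice Shop) uses Python's expat parser with handlers that abort as soon as a `SYSTEM`/`PUBLIC` entity or an external DTD is declared, while still expanding harmless internal entities like `&from;`. Both documents are constructed copies of the two XML snippets above.

```python
import xml.parsers.expat

class UnsafeXML(Exception):
    pass

def parse_without_external_entities(data: str) -> dict:
    """Parse a flat XML document into {tag: text}; internal entities such as &from;
    are expanded, any SYSTEM/PUBLIC entity or external DTD aborts the parse."""
    parser = xml.parsers.expat.ParserCreate()
    result, text = {}, []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id is not None or public_id is not None:
            raise UnsafeXML(f"external DTD for <!DOCTYPE {name}>")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # internal entities carry a literal value; external ones carry an identifier instead
        if system_id is not None or public_id is not None:
            raise UnsafeXML(f"external entity &{name}; -> {system_id or public_id}")

    def on_end(tag):
        result[tag] = "".join(text).strip()
        text.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = lambda tag, attrs: text.clear()
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)  # the handlers raise before any file or URL could be fetched
    return result

def is_accepted(data: str) -> bool:
    try:
        parse_without_external_entities(data)
        return True
    except UnsafeXML:
        return False

# Constructed copies of the two documents discussed above
GIFT_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE gift [
  <!ENTITY from "someone">
]>
<gift>
  <To>someone else</To>
  <From>&from;</From>
  <Item>A nice item</Item>
</gift>"""
XXE_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>"""
```

Rejecting any `DOCTYPE` at all is an even simpler policy when the application never needs a DTD, since it also removes entity-expansion (billion laughs) denial of service.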

## Broken Access Control

* [OWASP A5-Broken Access Control](https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control)
* It means that a user gets access to something they should not be able to access
* In our example we are going to use the customer feedback section and leave feedback as another customer.\
  ![image](https://user-images.githubusercontent.com/96747355/176023546-cb4396e4-b743-412d-96f0-826138aabb4a.png)
* There is a hidden `userID` field on the form that we can see if we check the source code\
  ![image](https://user-images.githubusercontent.com/96747355/176024183-dfa9068b-2726-4172-8526-bf092dddc635.png)
* If we make it visible we can see that our own user ID is 21\
  ![image](https://user-images.githubusercontent.com/96747355/176024421-47718465-3dbb-4c7d-9ccd-7ef93a8e6a1b.png)
* We can change it to 1 for example\
  ![image](https://user-images.githubusercontent.com/96747355/176024629-2da90820-e14f-4ef4-826f-8d3939c1617d.png)
* If we submit this we have successfully exploited Broken Access Control by posting feedback as another user, because the server trusts the client-supplied `userID` instead of the one tied to our session\
  ![image](https://user-images.githubusercontent.com/96747355/176024824-fa21c18a-5aae-4fce-b83d-098612ef9419.png)

## Security Misconfiguration

* [OWASP A6-Security Misconfigurations](https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration)
* Default credentials on a login page
* Stack traces and other verbose error messages exposed to users

## Cross Site Scripting

* [OWASP A7-Cross Site Scripting](https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_\(XSS\))
* [DOM Based XSS](https://www.scip.ch/en/?labs.20171214)
* [XSS Game](https://xss-game.appspot.com/)
* To find an XSS, look for inputs on the website such as the search bar, comment forms, etc.
* Goals: steal cookies, deface website, denial of service, keylogging, ...

### Reflected

* A reflected XSS is not persistent: the payload is not kept in the database, it is only reflected back in the response to the request that carries it
* In our example we stumble on an interesting URL that takes an id parameter:\
  ![image](https://user-images.githubusercontent.com/96747355/176029906-a693641f-72f8-4fee-bfd8-5ad05e25fb21.png)
* We can try to inject our payload ``<iframe src="javascript:alert(`xss`)">``\
  ![image](https://user-images.githubusercontent.com/96747355/176030400-bfbd0a17-bc01-4326-be03-9f0d2357cbd7.png)

### Stored

* A stored XSS is persistent: the payload is saved in the database, so anyone who accesses the page has the payload executed in their browser.
* For this example we are going to use XSS game and this payload `<img src='#' onerror=alert(1) />`\
  ![image](https://user-images.githubusercontent.com/96747355/176032738-483a7691-4db8-473e-9d2d-789f072374ea.png)
* It works\
  ![image](https://user-images.githubusercontent.com/96747355/176032836-44f5e708-896c-4344-9df3-b4294658c9aa.png)

### Prevent XSS

![image](https://user-images.githubusercontent.com/96747355/176033261-95863e91-614d-46da-a534-ef80f9e024f4.png)

> *Source:* [*PEH - TCM Security Academy*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)

## Insecure deserialization

* [OWASP A8-Insecure Deserialization](https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization)

## Using components with known vulnerabilities

* [OWASP A9-Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities)

## Insufficient Logging and Monitoring

* [OWASP A10-Insufficient Logging & Monitoring](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A10-Insufficient_Logging%252526Monitoring.html)

## Resources

{% embed url="<https://www.youtube.com/watch?v=_qewIQILPw8&ab_channel=NJITACMChapter>" %}
My talk on Solving web vulnerabilities with pentesting
{% endembed %}

{% embed url="<https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course>" %}
Practical Ethical Hacking - TCM Security
{% endembed %}

{% embed url="<https://github.com/tanprathan/OWASP-Testing-Checklist>" %}
OWASP Testing Checklist
{% endembed %}

{% embed url="<https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf>" %}
OWASP Testing Guide
{% endembed %}
