OWASP Top 10
Note: In this section our examples are taken from OWASP Juice Shop, which is a deliberately vulnerable application. You can get it here along with explanations on how to install and run it on Kali (for the examples the install was done using Docker, and for challenges not available with Docker I used the one from TryHackMe here). We are also going to use examples from XSS Game.
To go further with juice shop check out the gitbook here
SQL Injection
To find a SQL injection we can try adding special characters in forms and analyzing the responses we get.
Defenses against SQLi
Source: PEH - TCM Security Academy
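Added example (not from the course or the Juice Shop code): a login query built by string concatenation next to the parameterized version, plus the "send special characters and watch the response" probe described above. The in-memory sqlite table and the single user are constructed for the example; a raw SQL error on a single quote is the tell-tale sign of concatenated queries, and the parameterized query treats the same input as plain data.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The defect: user input is glued into the SQL text, so quotes and
    # operators in the input become part of the query.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # The defense: placeholders bind the input as data, never as SQL.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def probe_special_chars(conn, login, username="alice"):
    """The probe from the notes: submit special characters in the password
    field and record how each login function reacts. Returns a dict of
    probe -> "ok" or the SQL error class that leaked."""
    results = {}
    for probe in ["'", '"', "' --"]:
        try:
            login(conn, username, probe)
            results[probe] = "ok"
        except sqlite3.Error as exc:
            results[probe] = "sql error: " + type(exc).__name__
    return results


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", probe_special_chars(db, login_vulnerable))
    print("parameterized:", probe_special_chars(db, login_parameterized))
```

Running the block prints the probe results for both functions; the single-quote probe raises an OperationalError from the concatenated query and is silently treated as a (wrong) password by the parameterized one.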
Broken authentication
In our example we have user enumeration
We also have to see if we can bypass authentication
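Added example (constructed for these notes, not Juice Shop's authentication code): two login handlers, one that tells an existing account apart from an unknown one through its error message, and one that answers uniformly and always performs the hash comparison. The user store, salt and SHA-256 hashing are stand-ins for the example; a real system uses per-user salts and a slow password hash.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # example only; real systems use per-user salts


def _hash(password, salt=SALT):
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user store: username -> password hash.
USERS = {"alice": _hash("correct-horse")}
DUMMY_HASH = _hash("dummy-password-for-unknown-users")


def login_leaky(username, password):
    # Distinct messages (and an early return) reveal whether the account exists.
    if username not in USERS:
        return (401, "unknown user")
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return (401, "wrong password")
    return (200, "ok")


def login_uniform(username, password):
    # Same status and message for both failure causes, and the hash is
    # computed even for unknown users so the timing is similar too.
    stored = USERS.get(username, DUMMY_HASH)
    valid = hmac.compare_digest(stored, _hash(password)) and username in USERS
    if not valid:
        return (401, "invalid username or password")
    return (200, "ok")


def enumerable(login):
    """The check: with a wrong password, does the response differ between
    an account that exists and one that does not?"""
    return login("alice", "nope") != login("bob", "nope")


if __name__ == "__main__":
    print("leaky handler enumerable:  ", enumerable(login_leaky))
    print("uniform handler enumerable:", enumerable(login_uniform))
```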
Sensitive data exposure
Using directory busting we can find sensitive information like folders or backup files.
We can check the response and grep on keywords like passwords or keys.
We also need to check if HSTS is enabled, which means checking that the Strict-Transport-Security header is used and properly set up. Check this on OWASP for more info. We should also check SSL/TLS; we can use testssl for this purpose, or nmap with
nmap --script=ssl-enum-ciphers -p 443 domain.com
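Added example (not from the notes or from testssl): a small checker for the Strict-Transport-Security header. It parses the directives, flags a missing header, a missing or non-numeric max-age, max-age=0 (which disables HSTS), a max-age below one year, and a missing includeSubDomains. The three sample header sets are constructed; `fetch_headers` is a convenience for running it against a live site and is not exercised offline.

```python
import re
import urllib.request

ONE_YEAR = 31536000

# Constructed sample responses (header name -> value).
SAMPLE_GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
SAMPLE_WEAK = {"strict-transport-security": "max-age=300"}
SAMPLE_MISSING = {"Content-Type": "text/html"}


def parse_hsts(value):
    """Split 'max-age=...; includeSubDomains; preload' into a lowercase
    directive dict. Directives without a value map to ''."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers, min_max_age=ONE_YEAR):
    """Return a list of findings; an empty list means the header is present
    and well configured. Header lookup is case-insensitive."""
    value = None
    for name, val in headers.items():
        if name.lower() == "strict-transport-security":
            value = val
            break
    if value is None:
        return ["HSTS header missing"]

    findings = []
    directives = parse_hsts(value)
    max_age = directives.get("max-age")
    if max_age is None:
        findings.append("max-age directive missing")
    elif not re.fullmatch(r"\d+", max_age):
        findings.append("max-age is not a number")
    elif int(max_age) == 0:
        findings.append("max-age=0 disables HSTS")
    elif int(max_age) < min_max_age:
        findings.append("max-age %s is below %d (one year)" % (max_age, min_max_age))
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings


def fetch_headers(url, timeout=10):
    """HEAD request returning the response headers as a dict (live check)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for label, sample in [("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK), ("missing", SAMPLE_MISSING)]:
        print(label, "->", check_hsts(sample) or "no findings")
```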
XML External Entities (XXE)
In this XML code we are defining something that works like a constant: every time we call &from; it will be replaced by the value "someone".
However, when this mechanism is used with user-supplied data, it can be messed with by adding special characters that are interpreted as XML.
We can try this payload taken from PayloadsAllTheThings(https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md#classic-xxe)
For our example we put this in a file called test.xml
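Added example (not from the notes or PayloadsAllTheThings): the entity-as-constant behaviour described above, shown with Python's default ElementTree parser, next to a parser that refuses any DOCTYPE (and so any entity declaration) and never resolves parameter entities. The two XML documents are constructed; the "someone" entity mirrors the notes' example. Rejecting the DOCTYPE outright is the mitigation for untrusted XML: if no entities can be declared, none can be expanded.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed documents. The first declares an internal entity that behaves
# like a constant; the second has no DOCTYPE at all.
ENTITY_DOC = b'<!DOCTYPE msg [ <!ENTITY from "someone"> ]><msg>Hello from &from;</msg>'
PLAIN_DOC = b"<msg>Hello from nobody</msg>"


def parse_with_entities(doc):
    """Default ElementTree parsing: the internal entity is expanded."""
    return ET.fromstring(doc).text


class DoctypeRejected(ValueError):
    pass


def parse_text_safe(doc):
    """Parse with expat directly, raising on any DOCTYPE and never loading
    parameter entities. Returns the document's text content."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected("DOCTYPE declarations are not accepted: " + name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parts = []
    parser.CharacterDataHandler = parts.append
    parser.Parse(doc, True)
    return "".join(parts)


def rejects_doctype(doc):
    """True if the hardened parser refuses the document."""
    try:
        parse_text_safe(doc)
    except DoctypeRejected:
        return True
    return False


if __name__ == "__main__":
    print("default parser :", parse_with_entities(ENTITY_DOC))
    print("hardened parser:", "rejected" if rejects_doctype(ENTITY_DOC) else parse_text_safe(ENTITY_DOC))
    print("plain document :", parse_text_safe(PLAIN_DOC))
```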
Broken Access Control
It means that a user gets access to something they should not be able to access
Security Misconfiguration
Default credentials in a login page
Stack traces
Cross Site Scripting
To find an XSS, the thing to do is look for inputs on the website like the search bar, comment form, etc.
Goals: steal cookies, deface website, denial of service, keylogging, ...
Reflected
Our XSS is not persistent, so our payload is not kept in the database.
Stored
Our XSS is persistent, so our payload is stored in the database and anyone accessing our page will have the payload executed.
Prevent XSS
Source: PEH - TCM Security Academy
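Added example (not from the course): the reflected and stored cases from above as two tiny page renderers, each available with raw concatenation or with HTML escaping, and a check that parses the rendered output the way a browser would to see which tags actually reach the page. The search query, the in-memory comment list and the `<script>` test input are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed input standing in for what a tester types into a search bar or comment form.
PAYLOAD = "<script>alert(1)</script>"

COMMENTS = []  # constructed in-memory list standing in for the database


def render_text_vulnerable(text):
    # Raw concatenation: any markup in the input becomes part of the page.
    return "<p>" + text + "</p>"


def render_text_safe(text):
    # Output encoding for an HTML text node: < > & " ' become entities.
    return "<p>" + html.escape(text, quote=True) + "</p>"


def search_page(query, safe=True):
    """Reflected: the input only ever appears in this one response."""
    render = render_text_safe if safe else render_text_vulnerable
    return "<h1>Results for</h1>" + render(query)


def post_comment(comment):
    COMMENTS.append(comment)


def comments_page(safe=True):
    """Stored: every visitor gets the saved input rendered."""
    render = render_text_safe if safe else render_text_vulnerable
    return "".join(render(c) for c in COMMENTS)


class TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(rendered):
    """Tags a browser would see in the rendered HTML; used to verify escaping."""
    collector = TagCollector()
    collector.feed(rendered)
    return collector.tags


if __name__ == "__main__":
    post_comment(PAYLOAD)
    print("reflected, raw    :", tags_in(search_page(PAYLOAD, safe=False)))
    print("reflected, escaped:", tags_in(search_page(PAYLOAD)))
    print("stored, raw       :", tags_in(comments_page(safe=False)))
    print("stored, escaped   :", tags_in(comments_page()))
```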
Insecure deserialization
Using components with known vulnerabilities
Insufficient Logging and Monitoring
Resources