# OWASP Top 10

* *Note: In this section the examples use OWASP Juice Shop, which is a deliberately vulnerable application. You can get it* [*here*](https://github.com/juice-shop/juice-shop) *along with explanations on how to install and run it on Kali (for the examples the install was done using Docker, and for challenges not available with Docker I used the instance from TryHackMe* [*here*](https://tryhackme.com/room/owaspjuiceshop)*).*\
  *We are also going to use examples from* [*XSS Game*](https://xss-game.appspot.com/)
* *To go further with juice shop check out the gitbook* [*here*](https://pwning.owasp-juice.shop/)

## SQL Injection

![image](https://user-images.githubusercontent.com/96747355/176010538-421a6609-1607-4384-882e-bf5123bf3e15.png)

> *Source:* [*Practical Ethical Hacking - TCM Security*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)

![image](https://user-images.githubusercontent.com/96747355/176010787-f5efdc68-2296-43c4-af13-c95f3045f525.png)

> *Source:* [*Practical Ethical Hacking - TCM Security*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)

![image](https://user-images.githubusercontent.com/96747355/176010981-f0e51914-b9bc-4c71-8b92-9bb9fe84dd8a.png)

> *Source:* [*Practical Ethical Hacking - TCM Security*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)

* To find a SQL injection we can try adding special characters to form fields and analyze the responses we get.
* In our example, entering a special character in the login form returns a very verbose SQLite error, which shows that our input reaches the query and indicates that we have SQL injection\
  ![image](https://user-images.githubusercontent.com/96747355/176012290-db39f368-c207-462c-8dcc-94e7568f2a74.png)
* Using the payload `test' OR 1=1;--` we were able to log in: `OR 1=1` makes the `WHERE` clause always true and `--` comments out the rest of the query, so the password is never checked\
  ![image](https://user-images.githubusercontent.com/96747355/176012616-af412d41-faf8-4355-a46c-c4594ba8089e.png)

### Defenses against SQLi

![image](https://user-images.githubusercontent.com/96747355/176033585-5a7bcbb7-2e2f-4093-b1c3-94afa4d650d9.png)

> *Source:* [*PEH - TCM Security Academy*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)
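To make the defense concrete, here is an added example (not code from Juice Shop or from the course slides above) that reproduces the login query from the page against a constructed in-memory SQLite table. `login_vulnerable` concatenates the input into the statement, so the single quote produces the kind of verbose error seen above and `test' OR 1=1;--` logs in as the first user; `login_safe` uses a parameterised query, which is the main defense in the slide, and treats the same input as nothing more than an unknown e-mail address. The table contents, e-mail addresses and password hashing are assumptions for the demo.

```python
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    # Constructed demo only: a real application should use a slow, salted
    # password hash (bcrypt/argon2). Hashing is not what stops SQLi, though.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed in-memory users table (Juice Shop itself runs on SQLite,
    # which is why the verbose error on the page mentions it).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "alice@example.com", hash_pw("correct horse")),
            (2, "bob@example.com", hash_pw("battery staple")),
        ],
    )
    return conn


def login_vulnerable(conn, email, password):
    # Untrusted input is pasted into the SQL text: a quote in the e-mail ends
    # the string literal and everything after it is parsed as SQL.
    query = (
        f"SELECT id, email FROM users WHERE email = '{email}' "
        f"AND password = '{hash_pw(password)}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, email, password):
    # Parameterised query: values travel separately from the SQL text, so the
    # input can never change the structure of the statement.
    query = "SELECT id, email FROM users WHERE email = ? AND password = ?"
    return conn.execute(query, (email, hash_pw(password))).fetchone()


def probe(login, conn, email, password="x"):
    """Classify what a client can observe from one login attempt: 'login',
    'denied', or the database error text a verbose application would leak."""
    try:
        row = login(conn, email, password)
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    return "login" if row else "denied"


if __name__ == "__main__":
    db = make_db()
    for payload in ["'", "test' OR 1=1;--"]:
        print(f"{payload!r:20} vulnerable -> {probe(login_vulnerable, db, payload)}")
        print(f"{'':20} safe       -> {probe(login_safe, db, payload)}")
```

The second lesson from the probe is about error handling: even the safe version should not echo `sqlite3.OperationalError` text to the client, because a verbose error is what told us the field was injectable in the first place.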

## Broken authentication

* [OWASP A2-Broken Authentication](https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication)
* In our example we have user enumeration:
  * When a user exists, the forgot-password page shows us their security question\
    ![image](https://user-images.githubusercontent.com/96747355/176014637-643d1df8-a8e5-4ca2-8fee-ad7fc7054a35.png)
  * If the user does not exist, no security question is shown, so the response reveals which accounts exist\
    ![image](https://user-images.githubusercontent.com/96747355/176014820-65e008a7-56d9-400f-ade9-2d1fa75ccd6e.png)
* We also have to check whether we can bypass authentication

## Sensitive data exposure

* [OWASP A3-Sensitive Data Exposure](https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure)
* Using directory busting we can find sensitive information such as hidden folders or backup files
  * In our example there is an ftp page\
    ![image](https://user-images.githubusercontent.com/96747355/176016346-5f3989ee-f4a3-4071-8355-fdb534b843dc.png)
* We can check the responses and grep for keywords like `passwords` or `keys`
* We also need to check whether `HSTS` is enabled, i.e. that the `Strict-Transport-Security` header is sent and properly set up. Check [this cheat sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html) on OWASP for more info.
* It is also worth checking the SSL/TLS configuration; we can use [testssl](https://github.com/drwetter/testssl.sh) for this purpose or nmap with `nmap --script=ssl-enum-ciphers -p 443 domain.com`
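"Properly set up" has a concrete meaning in the OWASP cheat sheet linked above: a `max-age` of at least one year, `includeSubDomains`, and optionally `preload`. The following is an added example (not from the page or from OWASP) of a small checker for that header: it parses the directive list and reports what is missing or too weak. The `headers` dictionaries are constructed; in practice they would come from a real response (`curl -I https://host` or a `requests` call), and the severity labels are my own choice.

```python
ONE_YEAR = 31536000  # seconds; the cheat sheet's recommended minimum max-age


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive; a directive without '=' maps to True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def check_hsts(headers: dict) -> list:
    """Return (severity, finding) pairs for a response's headers.
    An empty list means the header meets the cheat-sheet guidance."""
    # Header names are case-insensitive, so look the header up that way.
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"),
        None,
    )
    if value is None:
        return [("high", "Strict-Transport-Security header missing")]

    findings = []
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or max_age is True or not max_age.isdigit():
        # Without a numeric max-age the header is invalid and browsers ignore it.
        findings.append(("high", "max-age missing or not a number: browsers ignore the header"))
    elif int(max_age) == 0:
        findings.append(("high", "max-age=0 tells browsers to forget the policy"))
    elif int(max_age) < ONE_YEAR:
        findings.append(("medium", f"max-age={max_age} is below one year ({ONE_YEAR})"))
    if "includesubdomains" not in d:
        findings.append(("medium", "includeSubDomains missing: subdomains can still be reached over plain HTTP"))
    if "preload" not in d:
        findings.append(("info", "preload not set: policy only applies after the first HTTPS visit"))
    return findings


if __name__ == "__main__":
    # Constructed sample responses: one hardened, one weak, one without HSTS.
    samples = {
        "hardened": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
        "weak": {"strict-transport-security": "max-age=300"},
        "none": {"Content-Type": "text/html"},
    }
    for name, headers in samples.items():
        print(name, check_hsts(headers) or "OK")
```

The same structure (parse, then compare against a written policy) carries over to the other security headers a scan usually covers; the point is to encode the cheat-sheet rule so the check is repeatable rather than eyeballed.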

## XML External Entities (XXE)

* In this XML document we define something that works like a constant: every time `&from;` is referenced it is replaced with the value "someone" (an internal entity declared in the DTD).
* However, when an application parses XML it does not control, an attacker can add entity declarations of their own that the parser will interpret, and that is what XXE abuses

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE gift [
  <!ENTITY from "someone">
]>
<gift>
  <To>someone else</To>
  <From>&from;</From>
  <Item>A nice item</Item>
</gift>
```

* We can try this payload taken from [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XXE%20Injection/README.md#classic-xxe)

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [  
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
```

* For our example we put this payload in a file called test.xml
* We will abuse this file upload function\
  ![image](https://user-images.githubusercontent.com/96747355/176021996-7c6f4800-7808-4d64-bb0f-3a77bb130ace.png)
* We select our xml file to upload it, enter some string in the description field and send the form\
  ![image](https://user-images.githubusercontent.com/96747355/176022435-0d9bbbee-9213-458f-80f2-eaad66959593.png)
* It works: we are able to get the /etc/passwd file\
  ![image](https://user-images.githubusercontent.com/96747355/176022664-f0efe050-90a0-4f2a-af53-ff76fd326ea9.png)
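On the parsing side, the fix is to refuse the dangerous entity kinds before anything is resolved. Here is an added example (not Juice Shop code and not from PayloadsAllTheThings) of a small gate written with Python's `xml.parsers.expat`: it keeps the harmless internal entity from the gift document above working, but rejects any external (`SYSTEM`/`PUBLIC`) or parameter entity, which is what the `file:///etc/passwd` payload relies on. The two documents are the ones shown on this page; the `UnsafeXML` class and `safe_parse` helper are my own names.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# The two documents from the page: a benign one with an internal entity and
# the classic XXE payload with an external entity.
GIFT = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE gift [
  <!ENTITY from "someone">
]>
<gift>
  <To>someone else</To>
  <From>&from;</From>
  <Item>A nice item</Item>
</gift>"""

PAYLOAD = """<?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>"""


class UnsafeXML(ValueError):
    """Raised when a document declares an entity that could read files or fetch URLs."""


def _reject_entity(name, is_parameter, value, base, system_id, public_id, notation):
    # External entities (SYSTEM/PUBLIC) reach the file system or the network;
    # parameter entities are the usual vehicle for out-of-band variants.
    # Internal general entities such as "someone" carry only literal text.
    if system_id is not None or public_id is not None or is_parameter:
        raise UnsafeXML(f"external or parameter entity declared: {name!r}")


def check_entities(xml_text: str) -> None:
    """Walk the DTD with expat and raise UnsafeXML on a forbidden declaration."""
    parser = expat.ParserCreate()
    # Never read external parameter entities or the external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.EntityDeclHandler = _reject_entity
    parser.Parse(xml_text, True)


def safe_parse(xml_text: str) -> ET.Element:
    # The gate runs first, so a forbidden entity is never resolved.
    check_entities(xml_text)
    return ET.fromstring(xml_text)


def accepts(xml_text: str) -> bool:
    """True if the document passes the entity gate, False if it is rejected."""
    try:
        check_entities(xml_text)
    except UnsafeXML:
        return False
    return True


if __name__ == "__main__":
    print("gift:", safe_parse(GIFT).find("From").text)   # someone
    print("payload accepted:", accepts(PAYLOAD))          # False
```

This gate addresses file and URL access only; it does not bound internal entity expansion (the "billion laughs" denial of service), so for production code the simpler route is a library such as `defusedxml`, which forbids entities and external references by default, or to disable DTD processing entirely when the application never needs it.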

## Broken Access Control

* [OWASP A5-Broken Access Control](https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control)
* It means that a user can reach data or actions they should not be allowed to access
* In our example we are going to use the customer feedback section and leave a feedback as another customer.\
  ![image](https://user-images.githubusercontent.com/96747355/176023546-cb4396e4-b743-412d-96f0-826138aabb4a.png)
* There is a hidden `userID` field in the form, which we can see if we check the source code\
  ![image](https://user-images.githubusercontent.com/96747355/176024183-dfa9068b-2726-4172-8526-bf092dddc635.png)
* If we make it visible we can see that our own user id is 21\
  ![image](https://user-images.githubusercontent.com/96747355/176024421-47718465-3dbb-4c7d-9ccd-7ef93a8e6a1b.png)
* We can change it to 1 for example\
  ![image](https://user-images.githubusercontent.com/96747355/176024629-2da90820-e14f-4ef4-826f-8d3939c1617d.png)
* If we submit this we have successfully exploited broken access control by posting feedback as another user\
  ![image](https://user-images.githubusercontent.com/96747355/176024824-fa21c18a-5aae-4fce-b83d-098612ef9419.png)
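The root cause in the feedback example is that the server trusts a client-supplied `userId`. The following is an added example (not Juice Shop code) showing the vulnerable handler beside a hardened one: the hardened version takes the author only from the server-side session, records a mismatch as a tampering indicator for the logs, and adds an object-level ownership check for reads. The session and form dictionaries, the in-memory lists and the `can_access` rule are constructed for the demo.

```python
TAMPER_EVENTS = []   # constructed stand-in for a security log / SIEM feed
FEEDBACK = []        # constructed stand-in for the feedback table


def post_feedback_vulnerable(session: dict, form: dict) -> dict:
    # The hidden userId field is trusted: the client decides who the author is,
    # which is exactly what changing 21 to 1 in the page's example exploits.
    entry = {"userId": int(form["userId"]), "comment": form["comment"]}
    FEEDBACK.append(entry)
    return entry


def post_feedback_safe(session: dict, form: dict) -> dict:
    # Author identity comes only from the authenticated session. A userId in
    # the form is ignored, and a mismatch is recorded as a tampering indicator
    # (a legitimate client never sends a different id than its own).
    user_id = session["userId"]
    submitted = form.get("userId")
    if submitted is not None and str(submitted) != str(user_id):
        TAMPER_EVENTS.append({"sessionUser": user_id, "submittedUserId": submitted})
    entry = {"userId": user_id, "comment": form["comment"]}
    FEEDBACK.append(entry)
    return entry


def can_access(session: dict, entry: dict) -> bool:
    # Object-level authorization for reads/edits: the owner or an admin only.
    # Enforce this on the server for every request; hiding a field or a button
    # in the UI is not access control.
    return session.get("role") == "admin" or entry["userId"] == session["userId"]


if __name__ == "__main__":
    session = {"userId": 21, "role": "customer"}
    form = {"userId": "1", "comment": "constructed feedback text"}
    print("vulnerable stores author:", post_feedback_vulnerable(session, form)["userId"])
    print("safe stores author:      ", post_feedback_safe(session, form)["userId"])
    print("tamper events:           ", TAMPER_EVENTS)
```

The tamper log is the detection side of the same fix: a burst of session/form mismatches from one account is a cheap, high-signal indicator that someone is probing for IDOR.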

## Security Misconfiguration

* [OWASP A6-Security Misconfigurations](https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration)
* Default credentials on a login page
* Stack traces exposed to users

## Cross Site Scripting

* [OWASP A7-Cross Site Scripting](https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_\(XSS\))
* [DOM Based XSS](https://www.scip.ch/en/?labs.20171214)
* [XSS Game](https://xss-game.appspot.com/)
* To find an XSS, look for inputs on the website such as the search bar, comment forms, etc.
* Goals: steal cookies, deface the website, denial of service, keylogging, ...

### Reflected

* Reflected XSS is not persistent: our payload is not kept in the database, it is only reflected in the response to the request that carries it
* In our example we stumble on an interesting URL that takes an `id` parameter:\
  ![image](https://user-images.githubusercontent.com/96747355/176029906-a693641f-72f8-4fee-bfd8-5ad05e25fb21.png)
* We can try to inject our payload `` <iframe src="javascript:alert(`xss`)"> ``\
  ![image](https://user-images.githubusercontent.com/96747355/176030400-bfbd0a17-bc01-4326-be03-9f0d2357cbd7.png)

### Stored

* Stored XSS is persistent: our payload is stored in the database, so anyone who opens the page has the payload executed.
* For this example we are going to use XSS game and this payload `<img src='#' onerror=alert(1) />`\
  ![image](https://user-images.githubusercontent.com/96747355/176032738-483a7691-4db8-473e-9d2d-789f072374ea.png)
* It works\
  ![image](https://user-images.githubusercontent.com/96747355/176032836-44f5e708-896c-4344-9df3-b4294658c9aa.png)

### Prevent XSS

![image](https://user-images.githubusercontent.com/96747355/176033261-95863e91-614d-46da-a534-ef80f9e024f4.png)

> *Source:* [*PEH - TCM Security Academy*](https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course)
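The core of the prevention advice is contextual output encoding. As an added example (not from the page, the course, or Juice Shop), the block below renders a comment and a hidden `id` attribute two ways: raw interpolation, which is how the reflected and stored payloads above become live markup, and `html.escape`, which turns `<`, `>`, `&`, `"` and `'` into entities so the browser displays the text instead of interpreting it. The templates and the sample inputs are constructed; the two payloads are the ones used on this page.

```python
import html

# Constructed inputs: an ordinary comment plus the two payloads from this page.
SAMPLES = {
    "plain": "Great juice, would buy again",
    "iframe": '<iframe src="javascript:alert(`xss`)">',
    "img": "<img src='#' onerror=alert(1) />",
}


def render_comment_vulnerable(comment: str) -> str:
    # Raw interpolation: whatever the user typed becomes markup in the page.
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    # Output encoding at the point of insertion into HTML text: < > & " ' become
    # entities, so the browser shows the payload as text instead of running it.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attr_safe(value: str) -> str:
    # The same encoding covers a quoted attribute, e.g. a reflected id
    # parameter: the quote is neutralised, so the attribute cannot be closed
    # early and the value stays inside it.
    return f'<input type="hidden" name="id" value="{html.escape(value, quote=True)}">'


def injected_tags(render, user_input: str) -> int:
    """Count how many '<' the user input added to the rendered output.
    Zero means the template's own markup is the only markup on the page."""
    return render(user_input).count("<") - render("").count("<")


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:7} vulnerable injects {injected_tags(render_comment_vulnerable, text)} tag(s), "
              f"safe injects {injected_tags(render_comment_safe, text)}")
    print(render_comment_safe(SAMPLES["img"]))
```

Encoding must match the context the value lands in: `html.escape` is right for element text and quoted attributes, but a value placed inside a `<script>` block or a URL needs that context's own encoding, which is why the slide lists escaping alongside input validation and a Content Security Policy as a second layer.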

## Insecure deserialization

* [OWASP A8-Insecure Deserialization](https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization)

## Using components with known vulnerabilities

* [OWASP A9-Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities)

## Insufficient Logging and Monitoring

* [OWASP A10-Insufficient Logging & Monitoring](https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A10-Insufficient_Logging%2526Monitoring.html)

## Resources

{% embed url="<https://www.youtube.com/watch?v=_qewIQILPw8&ab_channel=NJITACMChapter>" %}
My talk on Solving web vulnerabilities with pentesting
{% endembed %}

{% embed url="<https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course>" %}
Practical Ethical Hacking - TCM Security
{% endembed %}

{% embed url="<https://github.com/tanprathan/OWASP-Testing-Checklist>" %}
OWASP Testing Checklist
{% endembed %}

{% embed url="<https://owasp.org/www-project-web-security-testing-guide/assets/archive/OWASP_Testing_Guide_v4.pdf>" %}
OWASP Testing Guide
{% endembed %}
