TOP 10 OWASP


Last updated 4 years ago


Broken authentication

Flaws in authentication cover any login, session or password-recovery mechanism that can be manipulated, for example:

  • Weak passwords in high privileged accounts

  • Forgotten password pages

Examples of tests:

Test whether the login form says "invalid user" or "invalid password": distinct messages tell us whether the username or the password was right.

Test the forgot-password section to see whether it asks a security question tied to a username or email address; OSINT may reveal the answer to that question.

Test whether the session ID is always the same.

Test whether the login can be brute-forced.

Test the two-factor authentication.
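As an added example (not code from the original page), a minimal login handler that closes the three findings the tests above look for: distinguishable error messages, a session ID that never changes, and unlimited guessing. The user store, lockout threshold and session ID scheme are constructed for illustration.

```javascript
const MAX_ATTEMPTS = 5;
const GENERIC_ERROR = 'Invalid username or password';

// Constructed user store: the "secret" is stored as a plain string only so the
// block runs without a hashing library; a real store holds salted hashes.
const users = new Map([['alice', 'correct horse battery staple']]);
const failures = new Map();   // username -> consecutive failed attempts
let counter = 0;
function newSessionId() { counter += 1; return `sess-${counter}`; }

// Compare every byte regardless of where the first mismatch is, so the response
// time does not reveal how much of a guess was right.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Returns {ok, message, sessionId}. The same message comes back whether the
// user is unknown, the password is wrong or the account is locked, the
// comparison still runs for unknown users (against a dummy value) so timing
// does not differ, and a successful login always gets a fresh session ID.
function login(username, password, currentSessionId) {
  const stored = users.get(username) || 'dummy-value-of-similar-length!';
  const attempts = failures.get(username) || 0;
  const locked = attempts >= MAX_ATTEMPTS;
  const match = constantTimeEqual(stored, password) && users.has(username) && !locked;
  if (!match) {
    failures.set(username, attempts + 1);
    return { ok: false, message: GENERIC_ERROR, sessionId: currentSessionId };
  }
  failures.delete(username);
  return { ok: true, message: 'Welcome', sessionId: newSessionId() };
}
```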

Sensitive Data Exposure

A web application should store and transmit sensitive data safely and securely. But in some cases, the developer may not correctly protect their sensitive data, making it vulnerable.

Most of the time, data protection is not applied consistently across the web application making certain pages accessible to the public. Other times information is leaked to the public without the knowledge of the developer, making the web application vulnerable to an attack.

Testing for Sensitive Data Exposure:

  • Dirbuster

  • Backup files

  • Look in the scope in Burp Suite

  • Look at the HTTP headers

  • nmap --script=ssl-enum-ciphers -p443 <domain>

Restricted backup file download bypass story:

We now go back to the /ftp/ folder and try to download package.json.bak, but we are met with a 403 saying that only .md and .pdf files can be downloaded. To get around this we use a character bypass called the "Poison Null Byte", which looks like this: %00. Since we download through the URL, we URL-encode it, so the Poison Null Byte becomes %2500. Appending this followed by .md bypasses the 403 error. How does it work? A Poison Null Byte is actually a NUL terminator: placing a NUL character at a certain byte of the string tells the server to stop reading there, discarding the rest of the string, so the extension check sees .md while the file that is actually opened is package.json.bak.
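As an added example (not Juice Shop's code, and not from the original page), the check below mirrors the story: an extension allow-list tested on the whole decoded string lets "package.json.bak%00.md" through, while a NUL-terminated file API opens package.json.bak. It assumes the framework has already decoded %2500 to %00 once, so the second decode produces the NUL byte.

```javascript
// Second URL decode, as assumed above: "%00" becomes a real NUL character.
function decodeRequested(rawUrlPath) {
  return decodeURIComponent(rawUrlPath);
}

// Vulnerable check: the whole decoded name "package.json.bak\0.md" ends in
// ".md", so the allow-list is satisfied.
function allowedByNaiveCheck(rawUrlPath) {
  const name = decodeRequested(rawUrlPath);
  return name.endsWith('.md') || name.endsWith('.pdf');
}

// What a NUL-terminated (C-string based) filesystem call would actually open.
function asCString(name) {
  const nul = name.indexOf('\0');
  return nul === -1 ? name : name.slice(0, nul);
}

// Hardened check: reject NUL and other control bytes and any path separators
// or parent references, then test the extension of what is left.
function allowedByHardenedCheck(rawUrlPath) {
  const name = decodeRequested(rawUrlPath);
  if (/[\u0000-\u001f]/.test(name)) return false;
  if (name.includes('/') || name.includes('\\') || name.includes('..')) return false;
  const dot = name.lastIndexOf('.');
  const ext = dot === -1 ? '' : name.slice(dot).toLowerCase();
  return ext === '.md' || ext === '.pdf';
}
```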

Broken Access Control

Modern-day systems allow multiple users to have access to different pages. Administrators most commonly use an administration page to edit, add and remove elements of a website; you might use one when building a website with programs such as Weebly or Wix.

When Broken Access Control exploits or bugs are found, they are categorised into one of two types of privilege escalation:

  • Horizontal Privilege Escalation: occurs when a user can perform an action or access data of another user with the same level of permissions.

  • Vertical Privilege Escalation: occurs when a user can perform an action or access data of another user with a higher level of permissions.

Cross-Site Scripting (XSS)

XSS, or Cross-site scripting, is a vulnerability that allows attackers to run JavaScript in web applications. It is one of the most commonly found bugs in web applications. Its complexity ranges from easy to extremely hard, as each web application parses its queries in a different way.

There are three major types of XSS attacks:

  1. DOM (Special)

  2. Persistent (Server-side)

  3. Reflected (Client-side)

DOM XSS (Document Object Model-based Cross-site Scripting) uses the HTML environment to execute malicious JavaScript. This type of attack commonly uses the <script></script> HTML tag.

Persistent XSS is JavaScript that is run when the server loads the page containing it. It occurs when the server does not sanitise user data at the time it is uploaded to a page. It is commonly found in blog posts.

Reflected XSS is JavaScript that is run on the client side of the web application. It is most commonly found when the server doesn't sanitise search data.

Examples of XSS:

DOM XSS

We use the iframe tag with an alert, <iframe src="javascript:alert(`xss`)">, in the search tab. This type of XSS, also called XFS (Cross-Frame Scripting), is one of the most common ways of detecting XSS within web applications. Websites that allow the user to modify the iframe will most likely be vulnerable to XSS.

Persistent XSS

We navigate to the "Last Login IP" page for this attack. Because it logs the 'last' login IP, we now log out so that it logs the 'new' IP. Make sure Burp intercept is on so it catches the logout request. In the Headers tab, add a new header: True-Client-IP: <iframe src="javascript:alert(`xss`)"> and then forward the request to the server. When signing back into the admin account and navigating to the Last Login IP page again, we see the XSS alert.

Reflected XSS

First, we need to be on the right page to perform the reflected XSS. Log into the admin account and navigate to the 'Order History' page. There you will see a "Truck" icon; clicking it brings you to the track-result page, where an id is paired with the order. We use the iframe XSS, <iframe src="javascript:alert(`xss`)">, in place of the id 5267-f73dcd000abcc353. After submitting the URL, refresh the page and you will get an alert saying XSS.
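As an added example (not code from the original page or from the application in the walkthroughs), the output encoding and header validation that would neutralise the iframe payload in all three cases above: the search query is HTML-encoded before it is reflected, and the client-controlled True-Client-IP value is validated as an IPv4 address before it is stored and encoded again when rendered. The rendering functions and the IPv4 rule are constructed for illustration.

```javascript
const XSS_PAYLOAD = '<iframe src="javascript:alert(`xss`)">';  // the page's probe

// Encode the five characters that let text break out of an HTML text node or
// a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Reflected case: a search results page that echoes the query back.
function renderSearchUnsafe(q) { return `<p>Results for ${q}</p>`; }
function renderSearchSafe(q)   { return `<p>Results for ${escapeHtml(q)}</p>`; }

// Persistent case: the "last login IP" comes from a header the client controls.
// Only a well-formed IPv4 address is accepted for storage; anything else falls
// back to the address the server observed itself.
function isIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  return !!m && m.slice(1).every((octet) => Number(octet) <= 255);
}
function lastLoginIpFromHeader(headerValue, observedIp) {
  return isIPv4(headerValue) ? headerValue : observedIp;
}
// Defence in depth: encode on output even though the value was validated.
function renderLastLoginIp(ip) { return `<span>Last login from ${escapeHtml(ip)}</span>`; }

// Self-check used by the walkthroughs' probe: does the payload survive as markup?
function payloadSurvives(html) { return html.includes('<iframe'); }
```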

Useful resource for checking a site's HTTP security headers: https://securityheaders.com/