Francesco Altomare

Security: OWASP Top 10 Attack Vectors #6

Welcome back our sensitive-data-transmitting Reader,

We hope that you enjoyed our last Article on highly virtualized Environments and their vulnerabilities, and so it is that we get on with yet another Article on Attack Vectors (remember our walk in Attack Vectors Park?).
This time it is the last from our introductory excursus on Attack Vectors, though not the last from our introductory excursus on Security as such. Please appreciate that our intent so far has been to share notions on tactics and strategies with you – evergreen notions that will still hold valid many years from now, not just temporary knowledge which may be confuted next year.

Today’s Article will mainly detail the “traditional” Layer 7 Attack Vectors that OWASP compiles into a yearly top-ten list, which will hopefully give you more insight into what exactly goes on in a crook’s mind – backed by authoritative numbers. Every growing cyber marketplace needs a reliable and unbiased source of information on currently present dangers and best protection practices, as well as active groups devoted to the promotion of open standards. One of those groups is the Open Web Application Security Project (OWASP).

OWASP is a non-profit group that helps Organizations develop, buy and maintain secure and reliable Software. Its unique position in the Security world allows it to provide practical information about Attack Vectors to Individuals, Organizations, Companies, Governments and Universities. This group has a large community of professionals who produce software tools and documentation on application Security. All OWASP articles, technologies and documents are free of charge and available to the public.

OWASP, which has become a place for information for the Technology Professional’s education and networking, publishes a popular Top Ten list which presents the biggest Web application Security Vulnerabilities and provides ways for dealing with those Vulnerabilities. Let’s examine “The Ten Most Critical Web Application Security Risks”.

The OWASP Top 10

A1 – Injection

Injection Vulnerabilities, such as SQL, OS and LDAP injection, happen when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without authorization.

1. Application Specific Threat
Anyone who can send malicious data to the target system, including external threat agents, users and administrators.

2. Attack Vectors
Easily exploitable. The attacker sends simple text-based data that exploits the syntax of the targeted interpreter. Literally any source of data can be an injection vector, even internal sources.

3. Security flaws
This attack is quite common. Injection vulnerabilities happen when an application sends untrusted data to an interpreter. They are often found in SQL, LDAP, XPath or NoSQL queries, XML parsers, OS commands, SMTP headers, etc. Injection vulnerabilities are easy to detect when examining code, but often hard to detect via testing. On the other hand, scanners and fuzzers can help attackers find injection vulnerabilities.

4. Impact
Injection can lead to data corruption or loss or denial of access. In some cases, it can even lead to complete host hijacking. From the business point of view, all data could be deleted, modified or stolen and that could lead to serious reputation damage and more.
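To make the A1 point concrete, here is an added example (not code from the original Article) that places the classic string-built SQL query next to its parameterised counterpart, using an in-memory SQLite table with constructed sample rows. The same malformed input changes the meaning of the first query and is treated as a plain value by the second.

```python
import sqlite3

# Constructed sample data for the demonstration (in-memory database).
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
CONN.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                 [("alice", "alice@example.org"), ("bob", "bob@example.org")])


def find_user_vulnerable(name: str) -> list:
    """Builds the statement by string formatting, so the caller's input is
    parsed by the database as SQL syntax rather than as a value."""
    sql = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return CONN.execute(sql).fetchall()


def find_user_safe(name: str) -> list:
    """Parameterised statement: the driver passes the value separately and the
    interpreter never sees it as part of the query text."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return CONN.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    probe = "x' OR '1'='1"   # constructed input that rewrites the WHERE clause
    print(find_user_vulnerable(probe))  # every row comes back
    print(find_user_safe(probe))        # no user is literally named that, so []
```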

A2 – Broken Authentication and Session Management

Application functions related to authentication and session management are frequently implemented poorly, allowing attackers to steal passwords, session tokens or keys and to assume other users’ identities.

1. Application Specific Threat
Anonymous attackers and users with their personal accounts, who can try to compromise accounts of other users.

2. Attack Vectors
Exploitability is average. The attacker uses flaws in the authentication or session management (meaning exposed accounts, session IDs or passwords) to steal the identities of other users.

3. Security flaws
This attack is widespread. Developers often build custom session management schemes and authentication, but making these correctly is quite challenging. The results are flaws in schemes in areas such as password management, logout, secret question, remember me, etc. Discovery of these vulnerabilities can be difficult, mainly because each of these implementations is custom made and unique.

4. Impact
These vulnerabilities can permit some or all accounts to be attacked. If the attack is successful, the attacker can do whatever the legitimate user could do. That’s why privileged accounts are often the targets of these attacks.
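Since A2 is about custom session schemes going wrong, here is an added example (not the Article’s own code) of the three properties such a scheme has to get right: an unguessable session id, a new id issued at login so a pre-planted id cannot be reused, and server-side expiry and logout. The 900-second idle timeout is an assumed policy value.

```python
import secrets
import time
from typing import Dict, Optional

SESSION_TTL = 900  # seconds of inactivity allowed (assumed policy value)
_sessions: Dict[str, dict] = {}  # session id -> {"user", "expires"}; server-side store


def create_session(user: str, now: Optional[float] = None) -> str:
    """Issue a fresh, unguessable id; the id itself carries no user data."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _sessions[sid] = {"user": user, "expires": now + SESSION_TTL}
    return sid


def login(pre_login_sid: Optional[str], user: str, now: Optional[float] = None) -> str:
    """On successful authentication, drop any pre-login id so that an id planted
    before login (session fixation) cannot be reused afterwards."""
    if pre_login_sid is not None:
        _sessions.pop(pre_login_sid, None)
    return create_session(user, now)


def current_user(sid: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve an id to a user, enforcing the idle timeout on every request."""
    now = time.time() if now is None else now
    entry = _sessions.get(sid)
    if entry is None:
        return None
    if now >= entry["expires"]:
        _sessions.pop(sid, None)  # expired: remove server-side, not just client-side
        return None
    entry["expires"] = now + SESSION_TTL  # sliding expiry while the user is active
    return entry["user"]


def logout(sid: str) -> None:
    """Logout must delete the server-side record; clearing the cookie is not enough."""
    _sessions.pop(sid, None)
```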

A3 – Cross-Site Scripting (XSS)

XSS vulnerabilities happen whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS permits attackers to execute scripts in the victim’s browser, which can lead to defacing of web sites, hijacking of user sessions or redirecting users to malicious sites.

1. Application Specific Threat
Anyone who can send malicious data to the system, including hackers, users and administrators.

2. Attack Vectors
Attacks are fairly simple, targeting the interpreter in the browser. Anything can be an attack vector, including the database.

3. Security flaws
This type of attack is very widespread, but easily detectable. XSS is the most exploited security flaw. There are 3 known types of XSS vulnerabilities – stored, reflected and DOM-based XSS. Detection is very easy via code analysis or testing.

4. Impact
Impact of this attack is limited to the browser. It can hijack user sessions, insert malicious content, redirect user to certain sites, etc. If you are storing a lot of data online, then consider the business impact of public exposure of the data.
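The “proper escaping” that A3 calls for depends on where in the page the untrusted value lands. As an added example (not code from the Article), the function below renders one untrusted value into an HTML element, an HTML attribute, a JavaScript string and a URL parameter, each with the encoder that context needs; the input string is constructed for the demonstration.

```python
import html
import json
from urllib.parse import quote


def escape_html(value: str) -> str:
    """HTML body or quoted attribute context: <p>{here}</p>, value="{here}".
    quote=True also encodes ' and " so the value cannot close an attribute."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Inside a <script> string literal: var nick = {here};
    json.dumps quotes and escapes the value; < and > are encoded as well so a
    '</script>' inside the data cannot terminate the script block early."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def escape_url_param(value: str) -> str:
    """Inside a query string: href="/search?q={here}"."""
    return quote(value, safe="")


def render_profile(display_name: str) -> str:
    """Render one untrusted value into four output contexts; a single HTML
    escape would not be enough for the script or URL positions."""
    return (
        f"<h1>{escape_html(display_name)}</h1>\n"
        f'<input name="nick" value="{escape_html(display_name)}">\n'
        f"<script>var nick = {escape_js_string(display_name)};</script>\n"
        f'<a href="/search?q={escape_url_param(display_name)}">search</a>'
    )


if __name__ == "__main__":
    # Constructed untrusted input carrying markup; every rendered copy is inert text.
    print(render_profile('Eve" <b>bold</b> </script>'))
```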

A4 – Insecure Direct Object References

A direct object reference happens when a developer exposes a reference to an internal implementation object, such as a database key, directory or file. If there’s no access control check or similar protection, attackers can manipulate these references to gain access to data without authorization.

1. Application Specific Threat
Users of the system. Ask yourself, do any users have partial access to certain sorts of data?

2. Attack Vectors
This flaw is easily exploitable. Authorized system user simply changes parameters that directly refer to a system object to another object the user doesn’t have authorization for.

3. Security flaws
Applications often use the name or key of an object when creating web pages, and they don’t always check whether the user is authorized for the target object. This creates an insecure direct object reference vulnerability. The good thing is that it is fairly easy to detect the flaw via testing or code analysis, which shows whether authorization is correctly verified.

4. Impact
These vulnerabilities can compromise all the data referenced by the parameter. If object references are predictable, it’s easy for an attacker to access all data of that type. From the business perspective, consider the value exposed data could have.
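Two controls address A4: an indirect reference map, so pages never carry the real key, and an ownership check on every access, so that even a valid handle only yields the caller’s own object. The following is an added example (not the Article’s code) of both, over a constructed invoice table.

```python
import secrets
from typing import Dict, Optional

# Constructed sample data: invoices keyed by their real database id.
INVOICES = {
    101: {"owner": "alice", "amount": 120.0},
    102: {"owner": "bob", "amount": 80.0},
}


class IndirectReferenceMap:
    """Per-session map from random handles to real ids. Pages embed the handle,
    never the database key, so editing a parameter cannot walk the id space."""

    def __init__(self) -> None:
        self._handle_to_id: Dict[str, int] = {}

    def handle_for(self, real_id: int) -> str:
        for handle, rid in self._handle_to_id.items():
            if rid == real_id:
                return handle  # reuse the handle already issued for this id
        handle = secrets.token_urlsafe(16)
        self._handle_to_id[handle] = real_id
        return handle

    def resolve(self, handle: str) -> Optional[int]:
        return self._handle_to_id.get(handle)


def list_invoices(user: str, refmap: IndirectReferenceMap) -> Dict[str, float]:
    """Expose only the caller's own invoices, under opaque handles."""
    return {refmap.handle_for(i): inv["amount"]
            for i, inv in INVOICES.items() if inv["owner"] == user}


def get_invoice(user: str, handle: str, refmap: IndirectReferenceMap) -> Optional[dict]:
    """Resolve the handle, then still verify ownership: the map only hides the
    key space, the ownership check is the actual access control."""
    real_id = refmap.resolve(handle)
    if real_id is None:
        return None
    invoice = INVOICES.get(real_id)
    if invoice is None or invoice["owner"] != user:
        return None  # same answer for "no such object" and "not yours"
    return invoice
```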

A5 – Security Misconfiguration

Great security means having a secure configuration deployed for the application, application server, framework, web server, database server and platform. Also, software should be kept up to date.

1. Application Specific Threat
External attackers as well as users that may try to compromise the system.

2. Attack Vectors
This is a very easy attack to perform. The attacker accesses default accounts, unpatched vulnerabilities, unprotected files, etc. to gain unauthorized access to the system.

3. Security flaws
Anything can be misconfigured – application stack, web server, the platform, database, etc. It’s important that administrators work with the developers in order to be sure that everything is properly configured.

4. Impact
These flaws are often used to gain unauthorized access to some system data or functionality. Sometimes it is even possible to hijack the entire system. All the data could be stolen or changed without your knowledge. Recovery could cost a small fortune.

A6 – Sensitive Data Exposure

Numerous web applications do not protect sensitive data, for example credit cards, authentication credentials and tax IDs, as they should. Attackers can modify or steal such weakly protected data to conduct identity theft, credit card fraud and other crimes. Sensitive data should have additional protection such as encryption, and also special safeguards when exchanged with the browser.

1. Application Specific Threat
Anyone who can gain access to your sensitive data.

2. Attack Vectors
This is one of the most difficult attacks. Attackers rarely break encryption. Instead, they break somewhere else and then do man-in-the-middle attacks, steal keys or data while in transit.

3. Security flaws
This attack is fairly uncommon. The biggest flaw here is simply keeping the sensitive data unencrypted. Attackers who are trying to exploit browser vulnerabilities are easy to detect, which means that their best shot is to try to break weak passwords or weak algorithms used by the victim.

4. Impact
Sensitive data can be completely compromised. This often includes personal data, credit cards, health records and other highly sensitive data. Consider the impact on your reputation if the confidential data entrusted to you is exposed.

A7 – Missing Function Level Access Control

The majority of web applications check function level access before making the functionality visible in the UI. However, the application needs to perform the same access control verification on the server each time a function is accessed. If requests aren’t verified, attackers will be able to craft requests that give them access to functionality without proper authorization.

1. Application Specific Threat
Consider anyone who can send your application a request. It might happen that anonymous users access private functionality.

2. Attack Vectors
This is a very easily exploitable attack vector. Attacker, who can be an authorized system user, can change the URL or a parameter to a privileged function. Any anonymous user can access private functions if they are not protected properly.

3. Security flaws
Very often application functions aren’t protected properly. In some cases, function protection level is managed by configuration, and the system is misconfigured. Sometimes, developers do not include the proper code checks. The hardest part about this is identifying URLs vulnerable to attacks.

4. Impact
This attack allows attackers to access privileged functionality. The usual targets of these attacks are administrative functions. Also, consider the impact on your reputation if this vulnerability is made public.

A8 – Cross-Site Request Forgery (CSRF)

A CSRF attack forces a signed-in victim’s browser to send a forged HTTP request, including the victim’s session cookie and other authentication info, to a vulnerable web application. This permits the attacker to make the victim’s browser send requests that the vulnerable application takes for legitimate requests originating from the victim.

1. Application Specific Threat
Anyone who can load content into your browsers and force them to make a request.

2. Attack Vectors
The attacker crafts forged HTTP requests and tricks the victim into submitting them via image tags, XSS and other methods. If the user is authenticated, the attack succeeds.

3. Security flaws
This is a fairly common attack and an easy one to detect, too. Because the browser sends session cookies automatically, attackers often create fake pages that are hard to distinguish from the legitimate ones.

4. Impact
Attackers can trick victim into doing certain operations such as updating their account details, buying stuff, etc. Consider the option of not being sure if users really intended to perform a certain action. That could have very serious impact on your reputation.
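The standard defence against A8 is a per-session token that the browser does not send automatically: the application puts it in the form body and checks it on every state-changing request. Here is an added example (not code from the Article) that derives the token from the session id with an HMAC, so nothing has to be stored per form; the server key is an assumed per-deployment secret.

```python
import hmac
import hashlib
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # assumed: per-deployment key, kept server-side


def csrf_token(session_id: str) -> str:
    """Derive the token from the session id: a token minted for one session is
    worthless in another, and the server stores nothing extra per form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, presented: str) -> bool:
    """Constant-time comparison of the token the form carried against the expected one."""
    return hmac.compare_digest(csrf_token(session_id), presented)


def handle_request(method: str, form: dict, cookies: dict) -> str:
    """A forged cross-site request carries the victim's cookie automatically, but
    not the token, which lives in page content the attacker's site cannot read."""
    sid = cookies.get("session")
    if sid is None:
        return "401 not logged in"
    if method in ("POST", "PUT", "DELETE"):  # only state-changing requests need the token
        if not csrf_token_valid(sid, form.get("csrf_token", "")):
            return "403 csrf check failed"
    return "200 ok"
```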

A9 – Use of Components with Known Vulnerabilities

Components, for example frameworks, libraries and other software, usually run with full privileges. If a vulnerable component is exploited, the attack can cause serious data loss or even server takeover. This undermines application security and opens the gates for a vast range of attacks.

1. Application Specific Threat
Certain vulnerable components can be exploited with automated tools, which means that the threat can be expanded from the original attackers and create complete chaos.

2. Attack Vectors
The attacker identifies a vulnerable component, customizes the exploit and performs the attack.

3. Security flaws
This is one of the most widespread attacks and it’s very difficult to detect. Literally every application has some vulnerability. In numerous cases, the developers do not know what components they are using, never mind whether their versions are outdated.

4. Impact
Many attacks are possible, including injection, XSS, access control, etc. The impact can range from almost no damage to complete host takeover and loss of data.

A10 – Un-Validated Forwards and Redirects 

Many web applications often redirect and forward users to other websites and pages, using untrusted data to determine the destination pages. Without legitimate validation, attackers can redirect users to malicious websites or get access to unauthorized pages.

1. Application Specific Threat
Anyone who can trick your users into sending a request to your website.

2. Attack Vectors
Attackers place links to un-validated redirects on legitimate websites, tricking the victims into clicking on them. They often target unsafe forwards to bypass security checks.

3. Security flaws
These attacks are easily detectable and not very common. Applications often redirect users to other pages, which can be exploited. Detection of unchecked redirects is easy – just look for redirects where you can set the full URL. Unchecked forwards are much harder to detect, mainly because they target internal pages.

4. Impact
These redirects often try to install malware or trick victims into revealing passwords and other data. Unsafe forwards can lead to access control bypass. Keeping your users’ trust is one of the most important things in the business. What would happen if attackers could access internal functions? What if your users got infected by malware?
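The “legitimate validation” A10 asks for boils down to two rules: a redirect target is accepted only if, once resolved to an absolute URL, it points at a host on an allow-list, and a forward is selected by an opaque key rather than by a caller-supplied path. The following is an added example (not the Article’s own code); the allow-listed hosts, site root and forward table are assumed values.

```python
from urllib.parse import urlsplit, urljoin

ALLOWED_HOSTS = {"www.example.org", "shop.example.org"}  # assumed allow-list
SITE_ROOT = "https://www.example.org/"                   # assumed own origin


def safe_redirect_target(target: str, fallback: str = SITE_ROOT) -> str:
    """Return the target only if it resolves to an allowed host, else the fallback.
    Resolving first and returning the absolute form means the browser never
    re-interprets a relative oddity such as a scheme-relative '//host' path."""
    resolved = urljoin(SITE_ROOT, target)  # relative paths resolve against our own site
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return fallback        # data:, javascript: and other non-web schemes
    if parts.hostname not in ALLOWED_HOSTS:
        return fallback        # external host, lookalike host, or user@host trick
    return resolved


# Forwards: map an opaque key to an internal page instead of accepting a path.
FORWARDS = {"help": "/support/faq", "orders": "/account/orders"}  # assumed table


def safe_forward(key: str) -> str:
    """Unknown keys fall back to the site root rather than to a caller-chosen page."""
    return FORWARDS.get(key, "/")
```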

Conclusion

The OWASP Top 10 list is something you should keep an eye on. These reports are packed with valuable information which can help you keep your business safe. You can find the full report here.
