Detailed overview of the OWASP Top 10 utilizing OWASP Juiceshop VM to cover application vulnerabilities.
Legal Usage: The information provided by execute@will is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
Based on TheCyberMentor's excellent Udemy course, available at https://www.udemy.com/course/practical-ethical-hacking/
OWASP Top 10 Testing Checklist
source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Testing Checklist Link: https://www.owasp.org/index.php/Testing_Checklist
OWASP Top Ten Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Cheat Sheets: https://cheatsheetseries.owasp.org/
Major Headings Overview:
- Information Gathering
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication Testing
- Authorization Testing
- Sessions Management Testing
- Data Validation Testing
- Error Handling
- Cryptography
- Business Logic Testing
- Client Side Testing
Evolution of OWASP Top 10 2013 vs 2017
source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
OWASP Testing Checklist Excel .xlsx Link: https://github.com/tanprathan/OWASP-Testing-Checklist
OWASP Testing Guide PDF Link: https://www.owasp.org/images/1/19/OTGv4.pdf
- Web Application Security Testing should use this PDF in accordance with the .xlsx
Installing OWASP Juiceshop
Requirements: Docker
Installing Docker on Kali installer reference link: https://medium.com/@airman604/installing-docker-in-kali-linux-2017-1-fbaa4d1447fe
Add Docker PGP key:
Add repository (in my case it's arch=x86)
Apt update
Install docker-ce
Download OWASP Juiceshop Vulnerable website - Learning tool for OWASP Top 10. Link: https://github.com/bkimminich/juice-shop Walkthrough Link: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/
Docker Container Install
NOTE: Should you ever restart/reboot remember to start docker service again with *service docker start*
- The goal should be to work through "Part II - Challenge hunting" of the gitbook
Installing FoxyProxy - Burp Suite Link: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
- After installing, configure FoxyProxy to work with Burp
- Add Burp Suite to FoxyProxy via "Add"
- Add localhost and port 8080 - I changed my color to orange for Burp
- Now we can quickly turn the Burp Suite proxy on/off
- Import Burp Certificate into Firefox
- Navigate to: http://burp
- Click "CA Certificate" - Download
- Install the certificate: click Menu > Preferences
- Type "Certificates" into the search box and click "View Certificates" > "Import"
- Import the downloaded .der file
Attacking OWASP Juiceshop
Setting Juiceshop as target scope
- Add localhost:3000 as target scope and enable "show only in-scope items"
- Investigate unauthenticated side
In reality, automated scanners only pick up about 10% of vulnerabilities.
- Adjust Proxy > Options: "Intercept Client Requests" and "Intercept Server Responses"
Intruder Faster Alternative - Turbo Intruder. As Intruder only allows for 1 thread on the Community Edition of Burp Suite, Turbo Intruder expands the capability.
- Install Turbo Intruder on Burp Suite from BApp store
Injection Attacks
- Navigate to: http://localhost:3000/#/score-board
- “Hide all” then Select “Injection”
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A1-Injection
Login Admin
Link: http://localhost:3000/#/login
- Test Login with captured request - send to Repeater:
- Within Repeater we are faced with an “Invalid email or password”
The SQL command being submitted could be:
Adding an extra ' within the email results in a SQLITE ERROR that reveals the exact SQL command.
Modifying the statement to end in a true statement:
- Using an SQL injection to bypass the login
Email: test' OR 1=1
Password: Password
The SQL injection allows for a true statement which is then processed by the application as a valid login:
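To make the login bypass above concrete from the defender's side, here is an added example (not code from the course or from Juice Shop) that builds the login query both ways: by pasting the email into the SQL text, which is what the injection exploits, and by binding it as a parameter, which keeps the quote character as data. The table and column names and the email allowlist policy are assumptions for illustration.

```javascript
// Added example, not Juice Shop's own code. Table/column names are assumed.

// Vulnerable: user input is concatenated straight into the SQL text, so a
// single quote in the email closes the string literal and the rest of the
// input becomes SQL syntax.
function buildLoginQueryVulnerable(email, password) {
  return "SELECT * FROM Users WHERE email = '" + email +
         "' AND password = '" + password + "'";
}

// Hardened: the SQL text is fixed and the values travel separately as bind
// parameters. The database never parses the email as SQL.
function buildLoginQuerySafe(email, password) {
  return {
    sql: "SELECT * FROM Users WHERE email = ? AND password = ?",
    params: [email, password],
  };
}

// Defence in depth (assumed policy): a shape check on the email field. A quote
// character is never part of a valid address, so the injection string is
// rejected before any query is built. This does not replace parameterisation.
const EMAIL_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
function isWellFormedEmail(email) {
  return EMAIL_RE.test(email);
}

// Constructed input: the payload used in the walkthrough above.
const INJECTION_EMAIL = "test' OR 1=1";

console.log(buildLoginQueryVulnerable(INJECTION_EMAIL, "Password"));
// -> SELECT * FROM Users WHERE email = 'test' OR 1=1' AND password = 'Password'
console.log(buildLoginQuerySafe(INJECTION_EMAIL, "Password"));
console.log("well-formed email?", isWellFormedEmail(INJECTION_EMAIL)); // false
```

Compare the two outputs: in the vulnerable query the `OR 1=1` has become part of the WHERE clause, while in the safe version the same string sits untouched in `params[0]` and the SQL text is unchanged.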
Broken Authentication
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication
- Application Vulnerable
source: OWASP Top 10 2017 A2 Broken Authentication
Testing for Broken Authentication
- When submitting a login form we want to be aware of whether the response leaks information, such as "invalid email or password"
- "Forgot my password"
Here we face an area where we can enumerate users, since the security question field did not change:
From the previous attack we found the admin email of [email protected], for which the fields open up based on the admin email.
Testing for session fixation involves creating an account and logging in; based on the cookie that is given, if we log out we should not be able to use that same cookie to log in again.
Sensitive Data Exposure
- Extracting data that the web server exposes
Link: https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
Juiceshop Sensitive Data Exposure
Location: /ftp was discovered and contains files that should not be facing the internet:
- kdbx - password storage (KeePass database)
XML External Entities (XXE) Overview
- Using a SYSTEM entity within XML to read resources on the target
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)
XML Formatting Example
Following this thought process, a SYSTEM entity pointing at a path (forward slashes) lets the parser pull a file's contents into the entity.
Payloads Link: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection
- Classic XXE
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
```
Declaring the entity with SYSTEM tells the parser it is external, so the parser fetches the referenced resource and stores its content in the entity. When foo is rendered, &xxe; expands to the contents of */etc/passwd*.
Attacking XXE
- Save the payload locally as test.xml
- Create a new user on Juiceshop
- Log in to the account and navigate to /#/complain, where we take advantage of the "Browse" upload feature, upload the test.xml and capture the request
- Had the XXE been successful, the response window would show a printout of */etc/passwd*; in this case it does not.
Mitigating XXE
- Disable external entities and DTD processing in the XML parser
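One way to enforce the mitigation above on an upload endpoint, as an added example (not Juice Shop's code): a pre-parse screen that rejects any uploaded XML carrying a DTD or entity declaration, so the document never reaches a parser with entity expansion on. It runs over the classic payload from above and a constructed harmless complaint; the function names are assumptions. This is a defence-in-depth layer, not a substitute for disabling external entities in the parser itself.

```javascript
// Added example, not Juice Shop's own code. Function names are assumed.

// True if the document declares a DTD or any entity. Comments are stripped
// first so a commented-out DOCTYPE cannot cause a false positive.
function xmlDeclaresEntities(xml) {
  const body = xml.replace(/<!--[\s\S]*?-->/g, '');
  return /<!DOCTYPE\b/i.test(body) || /<!ENTITY\b/i.test(body);
}

// True if an entity points outside the document (SYSTEM or PUBLIC identifier).
function xmlUsesExternalEntity(xml) {
  return /<!ENTITY\s+[^>]*\b(SYSTEM|PUBLIC)\b/i.test(xml);
}

// Policy: uploads may not carry a DTD at all. Returns a reason when rejecting
// so the decision can be logged.
function screenUploadedXml(xml) {
  if (xmlUsesExternalEntity(xml)) return { ok: false, reason: 'external entity' };
  if (xmlDeclaresEntities(xml)) return { ok: false, reason: 'DTD present' };
  return { ok: true, reason: null };
}

// Constructed inputs: the classic payload from the notes and a benign document.
const XXE_PAYLOAD = `<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>`;

const BENIGN_XML = `<?xml version="1.0"?>
<!-- a plain complaint, no DTD -->
<complaint><message>Juice was warm</message></complaint>`;

console.log('payload:', screenUploadedXml(XXE_PAYLOAD));  // { ok: false, reason: 'external entity' }
console.log('benign: ', screenUploadedXml(BENIGN_XML));   // { ok: true, reason: null }
```

Rejecting every DTD, rather than only external ones, also closes off internal-entity expansion tricks (the "billion laughs" style of denial of service), which is why the second check is stricter than the XXE case alone requires.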
Broken Access Control
- If there is an /admin panel that a normal user should not have access to
- Changing ?=5 to ?=6 and getting back another account's information - Insecure Direct Object Reference (IDOR)
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
Attacking Broken Access - Juiceshop
- Adding information as another user.
Forged Feedback: post some feedback in another user's name.
Under Customer Feedback
- leave bad review
- right click inspect elements
we have a "hidden" id field; deleting the word hidden results in a user id field box appearing, and changing 17 to 1 (admin):
This is a prime example of broken access control.
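The server-side fix for the forged-feedback case above, as an added example (not Juice Shop's code): the handler ignores any user id the client sends in the form and binds the record to the authenticated session, and the read path checks ownership before returning a record. Field names, the store and the role model are assumptions for illustration.

```javascript
// Added example, not Juice Shop's own code. Field names and roles are assumed.

const feedbackStore = [];

// Create feedback. The client may send a UserId (as the tampered hidden field
// does), but it is never read: identity comes from the server-side session.
function createFeedback(session, body) {
  if (!session || typeof session.userId !== 'number') {
    return { status: 401, error: 'authentication required' };
  }
  const record = {
    id: feedbackStore.length + 1,
    userId: session.userId,                       // authoritative source
    comment: String(body.comment || '').slice(0, 500),
    rating: Number(body.rating),
  };
  if (!Number.isInteger(record.rating) || record.rating < 1 || record.rating > 5) {
    return { status: 400, error: 'rating must be 1..5' };
  }
  feedbackStore.push(record);
  return { status: 201, feedback: record };
}

// Read feedback by id. Guessing another id (the "change 5 to 6" IDOR case)
// yields 403 unless the caller owns the record or is an admin.
function getFeedback(session, id) {
  const rec = feedbackStore.find(f => f.id === id);
  if (!rec) return { status: 404 };
  if (session.role !== 'admin' && rec.userId !== session.userId) {
    return { status: 403 };
  }
  return { status: 200, feedback: rec };
}

// Constructed scenario: user 17 submits the form with the hidden field set to 1.
const userSession = { userId: 17, role: 'customer' };
const forged = createFeedback(userSession, { UserId: 1, comment: 'bad review', rating: 1 });
console.log(forged); // feedback.userId is 17, not the tampered 1
console.log(getFeedback({ userId: 5, role: 'customer' }, forged.feedback.id)); // { status: 403 }
```

The general rule this illustrates: any identifier the browser can edit (hidden inputs, query parameters, JSON bodies) is untrusted, and authorisation must be decided from the session plus a server-side ownership lookup.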
Security Misconfiguration
- Anything configured incorrectly in any way is considered a misconfiguration
- Default credentials left unchanged are an example
- Application throwing detailed/verbose error messaging
- Unnecessary ports open
- Basically a “catch all” for vulnerabilities
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration
Cross Site Scripting (XSS)
Three types of Cross Site Scripting
- Reflected XSS - payload is reflected straight back in the response and never stored on the server; the server reads and responds - client side
- Stored XSS - payload is stored on the web server and served to visitors - server side
- DOM XSS - Document Object Model (JavaScript) - client side
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
Reflected XSS Attack
- Requires social engineering - e.g. a crafted link that steals a user's cookie and redirects them
Create a php script
With this php script, when accessing index.php?username=exec the response on the site will be Hi Exec.
Alerting Script
Entering the script into the field pops up a JavaScript alert window with the value one.
Stored XSS
If a <script>alert(1)</script> is left on a page, the alert pops up every time someone accesses the page.
In a different situation the stored XSS could carry a cookie-stealing function, and an attacker could then utilize that cookie in a forged request.
DOM based XSS Blog link: https://www.scip.ch/en/?labs.20171214
- A somewhat more complex attack (source / sink)
- Source: where the malicious input enters
- Sink: where the code is executed
- Least commonly found in the wild
- Client side attack that requires social engineering, like reflected XSS
source: https://www.scip.ch/en/?labs.20171214
Adding <img src="test" onerror="alert('XSS')"> will pop up the XSS.
Attack XSS
- Reflected XSS
Within Juiceshop /#/score-board we can see the available XSS challenges:
Find a location to paste the payload across the site, testing within an object such as "Banana Juice" posted as a review:
It doesn't respond with the expected popup.
Pasting the XSS payload into the search does trigger a DOM XSS.
Testing other areas such as the user profile, the moral being to test every field that is available:
Under the Username field some form of filtering is occurring, as it never fully added the payload to the username.
- Stored XSS
A regular user could leave something on the page that steals the administrator's cookie and allows for:
Bypassing the username filter: we see the filtering and test what could be done to get around it.
Adding the script tag again lets it be filtered but still exist in its full format:
Now returning to the account profile page we have a stored XSS:
- Using Intruder to perform attack against xss
Capture the xss “Set Username” with Burp and Send to Intruder
From the Intruder tab clear all fields, select only the XSS location and press Add:
Add payloads, which can be found by googling "xss payloads". Payloads Link: https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt
Under the Payloads tab under intruder we can add / paste the payloads from the github page:
- DOM XSS (has interactive tutorial)
Mitigating XSS
- Set cookies with the HttpOnly and Secure flags
- HttpOnly prevents client-side JavaScript (document.cookie) from reading the cookie; Secure restricts it to HTTPS
- XSS header filtering
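To show the output-encoding side of XSS mitigation alongside the cookie flags above, here is an added example (not the course's or Juice Shop's code): the "Hi username" greeting from the reflected XSS section rendered unencoded and encoded, a check that the two payloads used in these notes no longer survive as markup, and a Set-Cookie builder that applies HttpOnly, Secure and SameSite. Function names are assumptions for illustration.

```javascript
// Added example, not the course's or Juice Shop's own code. Names are assumed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode for an HTML text context: every character that can open a tag,
// attribute or entity is replaced by its entity form.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Vulnerable: the query parameter lands in the page unencoded (the PHP
// index.php?username= example above behaves this way).
function greetVulnerable(username) {
  return `<p>Hi ${username}</p>`;
}

// Hardened: same page, value encoded for the context it is inserted into.
function greetSafe(username) {
  return `<p>Hi ${escapeHtml(username)}</p>`;
}

// Does the rendered HTML still contain a script/img tag or an on* handler
// inside a tag? After encoding there is no '<' left to open one.
function containsActiveHtml(html) {
  return /<(script|img)\b|<[a-z][^>]*\bon\w+\s*=/i.test(html);
}

// Cookie attributes from the mitigation list: HttpOnly keeps document.cookie
// from reading it, Secure limits it to HTTPS, SameSite=Strict stops
// cross-site requests from carrying it.
function buildSessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed inputs: the two payloads used in the notes above.
const SCRIPT_PAYLOAD = "<script>alert(1)</script>";
const IMG_PAYLOAD = "<img src=\"test\" onerror=\"alert('XSS')\">";

console.log(greetVulnerable(SCRIPT_PAYLOAD)); // tag survives
console.log(greetSafe(SCRIPT_PAYLOAD));       // <p>Hi &lt;script&gt;alert(1)&lt;/script&gt;</p>
console.log(greetSafe(IMG_PAYLOAD));
console.log(buildSessionCookie('session', 'abc123'));
```

Encoding is context-specific: the table above is right for HTML text and attribute values, but a value placed inside a JavaScript block or a URL needs that context's encoding instead, which is why frameworks usually provide per-context helpers.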
XSS Game (web application) for Testing Link: https://xss-game.appspot.com/
Level 1: <script>alert('xss')</script>
Insecure Deserialization
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization
- Serialization converts an object into a form that can be written to disk or sent over a network.
- It could be serialized as JSON, binary, XML or YAML.
- The opposite process is deserialization, which rebuilds (and in vulnerable cases executes) the object
Mitigation of Deserialization
- Do not accept serialized data from untrusted/unknown sources
- Tool: ysoserial
Github Link: https://github.com/frohoff/ysoserial
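The "do not accept serialized data from untrusted sources" rule in practice, as an added example (not Juice Shop's code): untrusted JSON is parsed into a fixed, validated shape rather than trusted as an object graph. The reviver drops keys that could rewire the prototype chain during a later merge, unknown fields are rejected, and a fresh object is returned so nothing from the input is carried over by reference. The "order" schema is an assumption for illustration.

```javascript
// Added example, not Juice Shop's own code. The order schema is assumed.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// JSON.parse reviver: returning undefined deletes the property, so keys that
// can pollute prototypes in a later deep-merge never make it into the object.
function dropDangerousKeys(key, value) {
  return FORBIDDEN_KEYS.has(key) ? undefined : value;
}

// Deserialise an order from an untrusted body. Every failure returns a reason
// rather than throwing, so callers can log and reject uniformly.
function parseOrder(json) {
  let raw;
  try {
    raw = JSON.parse(json, dropDangerousKeys);
  } catch (e) {
    return { ok: false, error: 'malformed JSON' };
  }
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    return { ok: false, error: 'expected an object' };
  }
  // Allowlist of fields: anything else (isAdmin, price, ...) is an error,
  // not something to silently ignore.
  const allowed = ['productId', 'quantity'];
  const extra = Object.keys(raw).filter(k => !allowed.includes(k));
  if (extra.length) return { ok: false, error: 'unexpected field: ' + extra[0] };
  if (!Number.isInteger(raw.productId) || raw.productId <= 0) {
    return { ok: false, error: 'bad productId' };
  }
  if (!Number.isInteger(raw.quantity) || raw.quantity < 1 || raw.quantity > 100) {
    return { ok: false, error: 'bad quantity' };
  }
  // Rebuild a plain object: the input object itself is never handed onward.
  return { ok: true, order: { productId: raw.productId, quantity: raw.quantity } };
}

// Constructed inputs.
console.log(parseOrder('{"productId":1,"quantity":2}'));
console.log(parseOrder('{"productId":1,"quantity":2,"__proto__":{"isAdmin":true}}'));
console.log(parseOrder('{"productId":1,"quantity":2,"isAdmin":true}'));
console.log(parseOrder('{not json'));
```

JSON.parse itself never runs code, which is why it is the right primitive here; the risk appears when an application "revives" objects by type name or evaluates the payload, and that is the pattern to look for in a review.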
Using Components with Known Vulnerabilities
- Identifying software that has not been upgraded or patched and leveraging that fact
Burp Suite contains a few tools that can be used:
Insufficient Logging & Monitoring
- Tracking is important and logging should be included on web servers (for anything and everything)
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring
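What "tracking" buys you once the logs exist, as an added example (not Juice Shop's or the course's code): two detections run over constructed login-log lines in an assumed format, one flagging an IP with a burst of failed logins inside a time window, the other flagging a success that follows a run of failures on the same IP, which is the signal that a guessing attempt may have worked. Log format, thresholds and field names are assumptions.

```javascript
// Added example, not Juice Shop's own code. Log format and thresholds are assumed.

// One line per login attempt: "<ISO time> ip=<addr> user=<email> result=SUCCESS|FAIL"
function parseLogLine(line) {
  const m = /^(\S+) ip=(\S+) user=(\S+) result=(SUCCESS|FAIL)$/.exec(line);
  if (!m) return null; // unparseable lines are skipped, not fatal
  return { ts: Date.parse(m[1]), ip: m[2], user: m[3], result: m[4] };
}

function parseLog(logText) {
  return logText.split('\n').map(parseLogLine).filter(Boolean)
    .sort((a, b) => a.ts - b.ts);
}

// Detection 1: at least `threshold` failures from one IP within `windowMs`,
// found with a sliding window over that IP's failure timestamps.
function findBruteForce(logText, threshold = 5, windowMs = 5 * 60 * 1000) {
  const byIp = new Map();
  for (const e of parseLog(logText)) {
    if (e.result !== 'FAIL') continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.ts);
  }
  const alerts = [];
  for (const [ip, times] of byIp) {
    let start = 0, best = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      best = Math.max(best, end - start + 1);
    }
    if (best >= threshold) alerts.push({ ip, failures: best });
  }
  return alerts;
}

// Detection 2: a SUCCESS immediately preceded by `threshold` or more
// consecutive failures from the same IP (possible successful guess).
function successAfterFailures(logText, threshold = 5) {
  const streak = new Map();
  const alerts = [];
  for (const e of parseLog(logText)) {
    const n = streak.get(e.ip) || 0;
    if (e.result === 'FAIL') { streak.set(e.ip, n + 1); continue; }
    if (n >= threshold) alerts.push({ ip: e.ip, user: e.user, failuresBefore: n });
    streak.set(e.ip, 0);
  }
  return alerts;
}

// Constructed sample log: six failures then a success from one address,
// a single failure then success from another, and one junk line.
const SAMPLE_LOG = [
  '2020-01-01T10:00:01Z ip=10.0.0.5 user=admin@example.com result=FAIL',
  '2020-01-01T10:00:02Z ip=10.0.0.5 user=admin@example.com result=FAIL',
  '2020-01-01T10:00:03Z ip=10.0.0.5 user=admin@example.com result=FAIL',
  '2020-01-01T10:00:04Z ip=10.0.0.5 user=admin@example.com result=FAIL',
  '2020-01-01T10:00:05Z ip=10.0.0.5 user=admin@example.com result=FAIL',
  '2020-01-01T10:00:06Z ip=10.0.0.5 user=admin@example.com result=FAIL',
  '2020-01-01T10:00:07Z ip=10.0.0.5 user=admin@example.com result=SUCCESS',
  '2020-01-01T10:00:09Z ip=10.0.0.9 user=jim@example.com result=FAIL',
  '2020-01-01T10:00:15Z ip=10.0.0.9 user=jim@example.com result=SUCCESS',
  'garbage line that does not parse',
].join('\n');

console.log(findBruteForce(SAMPLE_LOG));        // [ { ip: '10.0.0.5', failures: 6 } ]
console.log(successAfterFailures(SAMPLE_LOG));  // [ { ip: '10.0.0.5', user: 'admin@example.com', failuresBefore: 6 } ]
```

Neither detection works without the log line carrying the outcome, the client address and the account, so the logging decision (which fields to record) is what makes the monitoring possible; both "invalid email or password" and the password-reset enumeration above only become visible to defenders through records like these.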