OWASP Top 10 study notes

These are my OWASP Top 10 study notes. I record the points of interest in the document as I read; the order of the notes follows the reading order of the document.

The first point of interest is the risk rating the text proposes, because I run into this problem in actual work and did not know how to grade risk. I think a risk can be described in the way the text gives:

For example: The business system xxxxxxxxxxx (application description), assessed by (attack vector: easy, average or difficult; prevalence of the vulnerability: widespread, common or rare; detectability of the vulnerability: easy, average or difficult; technical impact: severe, moderate or minor), has an overall risk level of high, medium or low risk; business risk: xxxxxxxxx (description of the business impact).

However, the OWASP risk rating methodology linked in the text (https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology) is more complicated and gives finer-grained assessment criteria to refer to. (Reading the full page through Google Translate shows a more sophisticated set of risk assessment indicators and methods. This post therefore does not dig into it further.)

Then on to the Top 10. Top 1 is the famous injection. I did not expect there to be so many kinds of injection; I usually only know SQLi. The document defines injection as follows:

When untrusted data is sent to a parser as part of a command or query, an injection flaw occurs. This includes SQL injection, NoSQL injection, OS command injection and LDAP injection. An attacker's malicious data can trick the parser into executing unintended commands or accessing data without authorization.

Let me look up the kinds of injection I am unfamiliar with. OS injection: on looking it up I found it is actually very familiar, but I usually just call it command execution. I did not expect it to be counted as injection.

Explanation found online: OS command execution is a technique for executing commands on the web server's operating system through the network interface. If the application assembles a command from an externally supplied string, or from a string influenced by external input, without proper filtering, OS command injection may result.

Online sources divide it into two categories:

1. The application executes a fixed program that it controls, and the user's input is passed to that program as a parameter. In this case the attacker injects a command separator into the parameter, followed by the command the attacker wants to run.

2. The application passes the entire input string to the operating system as the command; the application is only a relay, for example when the input is handed to exec(). Here too the attacker can inject further commands after a command separator.

The first feels like the kind of injection that uses the | or & connectors of Linux commands. It suddenly occurred to me to ask whether a buffer overflow counts as injection. There is a difference: the definition says injection means the parser is made to execute unintended commands or access data. A buffer overflow directly manipulates the binary, so it cannot be considered injection.

For the second category, to aid understanding, take the three external command execution functions PHP provides: system(), shell_exec() and passthru(). Tip: backticks, as in `ipconfig`, also execute a command directly. exec() works too, but needs an additional parameter, into which the output is passed. For example:
<?php $cmd = $_GET['cmd']; exec($cmd, $ls); var_dump($ls); ?>
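Both categories, and the defence for each, as an added Python example (not code from the original post; the page's own examples are PHP). The host names, the `ping`/`df`/`uptime` commands and the `ALLOWED_ACTIONS` table are constructed for illustration. Category 1 is fixed by validating the argument and passing an argv list so no shell parses it; for category 2 there is no safe way to run user text as a command, so the user may only choose an action name that the server maps onto a fixed command.

```python
import re
import subprocess

# Constructed sample inputs: a normal host name and one carrying a shell separator.
NORMAL_HOST = "example.com"
INJECTED_HOST = "example.com; id"

# Category 1 (vulnerable): a fixed program, but the user's value is spliced into one
# shell string, so ';', '|' or '&' end the ping command and start a new one.
# Returned as a string here instead of being executed.
def vulnerable_shell_string(host):
    return "ping -c 1 " + host

# Category 1 (hardened): allow-list the argument's shape and hand the program an
# argv list, so the value is a single literal argument and never shell syntax.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

def safe_ping_argv(host):
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("host rejected: not a plain host name")
    return ["ping", "-c", "1", host]

# Category 2 (the page's exec($_GET['cmd']) case): the whole input is the command.
# The fix is to never run user text at all: the user picks an action name, the
# server owns the argv that name stands for.
ALLOWED_ACTIONS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h"],
}

def action_to_argv(action):
    try:
        return list(ALLOWED_ACTIONS[action])
    except KeyError:
        raise ValueError("unknown action: %r" % action)

def run_argv(argv):
    # argv list and shell=False: metacharacters inside any element stay literal text.
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout

if __name__ == "__main__":
    print(vulnerable_shell_string(INJECTED_HOST))   # shows the injected separator
    print(safe_ping_argv(NORMAL_HOST))
    print(run_argv(["echo", INJECTED_HOST]))        # echoes the text; 'id' never runs
```

The validation regex is deliberately narrow; widening it to accept anything the shell treats specially (spaces, quotes, `$`, backticks) would reopen the problem even with an argv list if a downstream program itself hands the value to a shell.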

LDAP injection: LDAP (Lightweight Directory Access Protocol) is an online directory access protocol, mainly used for searching and querying directory resources. The key to the injection technique is to control the LDAP filter used by the directory search service. Common LDAP servers are Microsoft ADAM (Active Directory Application Mode) and OpenLDAP. As a matter of study attitude I would like to look into this, but considering my current level, and that this kind of attack is rarely used, I am recording it first and will take it up when I get the chance.
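How "controlling the filter" happens and how it is prevented, as an added Python example (not from the original post). The filter shape and the inputs are constructed; the escaping follows RFC 4515, which requires `\`, `*`, `(`, `)` and NUL in an assertion value to be written as a backslash and two hex digits. Matching `userPassword` in a filter is only used here to keep the example short; a real application authenticates with an LDAP bind as the user.

```python
# RFC 4515: these characters in a filter assertion value must be written as a
# backslash followed by the two-digit hex code of the byte.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_ldap_filter_value(value):
    """Escape one assertion value so it can only ever match literally."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def vulnerable_login_filter(user, password):
    # String concatenation: user text becomes filter syntax.  With user="*"
    # the uid assertion matches every entry, which is exactly the "control the
    # filter" condition the notes describe.
    return "(&(uid=%s)(userPassword=%s))" % (user, password)

def safe_login_filter(user, password):
    # Same filter, but every user-supplied value is escaped first, so a '*' or
    # a ')' in the input is a literal character, not a wildcard or a delimiter.
    return "(&(uid=%s)(userPassword=%s))" % (
        escape_ldap_filter_value(user), escape_ldap_filter_value(password))

if __name__ == "__main__":
    # Constructed inputs: a wildcard and a value that tries to close the assertion.
    for name in ("alice", "*", "*)(uid=*"):
        print(vulnerable_login_filter(name, "x"))
        print(safe_login_filter(name, "x"))
```

Note that the escaped form keeps the filter well-formed whatever the input contains; counting parentheses is not a substitute, because an injected filter is usually balanced by design.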

Besides the two injections above, when I googled I came across another type of injection that OWASP does not mention: XPath injection. In fact, apart from the parser and the syntax it is injected into, it feels no different from SQL injection. I found a PHP XPath parser online and tested it simply.
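The SQL-injection parallel made concrete, as an added Python example (not from the original post): a query built by string formatting lets a quote in the input become XPath syntax, while the same query built with a proper string literal does not. The `//user[name=...]/role` query is a constructed stand-in for the kind of lookup a PHP login check might run. XPath 1.0 has no escape sequences inside string literals, which is why a value holding both quote kinds has to be assembled with `concat()`.

```python
def xpath_literal(value):
    """Return `value` as an XPath string literal that the value cannot break out of."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    # Both quote kinds present: split on the single quote and rejoin with concat().
    pieces = []
    for i, part in enumerate(value.split("'")):
        if i:
            pieces.append("\"'\"")        # the single quote itself, as a double-quoted literal
        if part:
            pieces.append("'%s'" % part)
    return "concat(%s)" % ", ".join(pieces)

def vulnerable_role_query(name):
    # The same mistake as string-built SQL: quotes in `name` become syntax, so an
    # input such as  x' or '1'='1  turns the predicate into a tautology.
    return "//user[name='%s']/role" % name

def safe_role_query(name):
    # The whole input lands inside one literal, whatever it contains.
    return "//user[name=%s]/role" % xpath_literal(name)

if __name__ == "__main__":
    for name in ("alice", "O'Neil", "x' or '1'='1"):
        print(vulnerable_role_query(name))
        print(safe_role_query(name))
```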

Top 2: Broken authentication

Authentication weaknesses in a typical application may lie in the following areas:

1. Allowing credential stuffing, which lets an attacker obtain a list of valid user names and passwords. (Credential stuffing: automatically injecting breached user name/password pairs to gain fraudulent access to user accounts. It is a subset of brute-force attacks: large lists of leaked credentials are automatically entered into the website until one matches an existing account, which the attacker can then hijack for their own purposes.)

2. Allowing brute force or other automated attacks.

3. Allowing default, weak or well-known passwords, such as "Password1" or "admin/admin".

4. Using weak or ineffective credential recovery and forgot-password procedures, such as "knowledge-based answers", which are unsafe.

5. Storing passwords in plaintext, encrypted, or hashed with a weak hash.

6. Missing or ineffective multi-factor authentication.

7. Exposing the session ID in the URL (e.g. URL rewriting).

8. Not rotating the session ID after a successful login. (?)

9. Not invalidating session IDs correctly. User sessions or authentication tokens (especially single sign-on (SSO) tokens) are not properly invalidated on logout or after a period of inactivity.

In fact, prevention is just hardening against the weaknesses listed above, so I will not repeat them. I record only the special points mentioned in the text:

1. Harden registration, credential recovery and API paths against account enumeration attacks by returning the same message for all outcomes.

2. Limit or progressively delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force or other attacks are detected.

3. Use a server-side, secure, built-in session manager that generates a new, highly random session ID after login. Session IDs must not be in the URL, should be stored securely, and should be invalidated after logout, idle timeout and absolute timeout.
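The three points above in one small service, as an added Python example (not code from the original post): one error message for every failed login, a delay that doubles after a few failures, a log line for each failure that an administrator alert could be built from, a fresh random session ID issued at login (the pre-login ID is retired), and idle and absolute timeouts. The user table, timeouts and the injectable `clock` are constructed for the example; a real system compares against a slow password hash rather than a stored password.

```python
import secrets
import time

# One message for every failed login, whether or not the user exists,
# so the response cannot be used to enumerate accounts.
GENERIC_LOGIN_ERROR = "Invalid user name or password"


class AuthService:
    """Constructed example service.  `clock` is injectable so the timing is testable."""

    def __init__(self, users, clock=time.monotonic, idle_timeout=15 * 60,
                 absolute_timeout=8 * 3600, free_failures=3):
        self.users = users                  # {user: password}; real systems store a slow hash
        self.clock = clock
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.free_failures = free_failures  # failures allowed before delays start
        self.failures = {}                  # user -> (count, earliest next attempt)
        self.sessions = {}                  # session_id -> {"user", "created", "last_seen"}
        self.audit = []                     # what an administrator alert would be built from

    def new_session(self, user):
        sid = secrets.token_urlsafe(32)     # 256 random bits, never derived from user data
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def login(self, user, password, old_session=None):
        now = self.clock()
        count, not_before = self.failures.get(user, (0, 0.0))
        if now < not_before:
            self.audit.append("throttled user=%s" % user)
            return None, GENERIC_LOGIN_ERROR
        if self.users.get(user) != password:
            count += 1
            # after `free_failures` misses the delay doubles: 2 s, 4 s, 8 s, ...
            delay = 2 ** (count - self.free_failures) if count > self.free_failures else 0
            self.failures[user] = (count, now + delay)
            self.audit.append("failed user=%s count=%d delay=%ds" % (user, count, delay))
            return None, GENERIC_LOGIN_ERROR
        self.failures.pop(user, None)
        if old_session is not None:
            self.sessions.pop(old_session, None)   # retire the pre-login session ID
        return self.new_session(user), None

    def user_for_session(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout or now - s["created"] > self.absolute_timeout:
            self.sessions.pop(sid)          # expired: idle or absolute limit passed
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        self.sessions.pop(sid, None)
```

The delay is tracked per user name, including names that do not exist, so that a throttled response does not itself reveal whether an account is real.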

 

Top 3: Sensitive data exposure

This is the type of vulnerability I meet most often at work. The document lists the following points to check for possible vulnerability:

1. Is any data transmitted in clear text? This concerns the transport protocols, such as HTTP, SMTP and FTP. External network traffic is especially dangerous. Also verify all internal traffic, such as the communication between load balancers, web servers and backend systems.

2. Is sensitive data stored in clear text for the long term, wherever it is stored, including backups?

3. Are any old or weak cryptographic algorithms still in use, by default or in older code?

4. Are default cryptographic keys in use, are weak keys generated or reused, or is proper key management or key rotation missing?

5. Is encryption not enforced? For example, are user agent (e.g. browser) security directives or headers missing, and is the transport protocol actually encrypted?

6. Does the user agent (e.g. application, mail client) fail to verify that the server certificate is valid?
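Points 3 and 6 side by side, as an added Python example (not code from the original post): the weak pattern for stored passwords (an unsalted fast hash, here MD5) next to a salted slow key derivation with constant-time verification, and the client-side TLS setting that actually verifies the server certificate next to a check that flags a context which does not. The iteration count and the storage format string are choices made for this example.

```python
import hashlib
import hmac
import os
import ssl

# The weak pattern point 3 warns about: an unsalted, fast hash.  Equal passwords
# give equal hashes, and the whole table can be cracked with precomputed tables.
def weak_hash(password):
    return hashlib.md5(password.encode()).hexdigest()

# Hardened storage: random per-user salt plus a slow key derivation function.
# The iteration count is kept modest so the example runs quickly; raise it to
# what your hardware tolerates in production.
ITERATIONS = 100_000

def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password, stored):
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False            # refuse legacy formats rather than silently accept them
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)   # constant-time comparison

# Point 6: the client must verify the server certificate and host name.
# create_default_context() turns both on; the check below flags any context
# where either has been switched off.
def make_client_context():
    return ssl.create_default_context()

def context_is_safe(ctx):
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED

if __name__ == "__main__":
    stored = hash_password("Password1")
    print(stored)
    print(verify_password("Password1", stored), verify_password("password1", stored))
    print(context_is_safe(make_client_context()))
```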

 

Top 4: XML External Entities (XXE)

If an attacker can upload an XML document, or add malicious content to an XML document, then through vulnerable code, dependencies or integrations they can attack a flawed XML processor.

XXE flaws can be used to extract data, make requests from the server to remote systems, scan internal systems, perform denial-of-service attacks and more. The business impact depends on the protection needs of all affected applications and data.
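A defensive check for untrusted XML, as an added Python example (not from the original post). The sample documents are constructed: a benign order, one whose DOCTYPE declares an external entity (the shape of an XXE payload; the `file:///placeholder-path` target is a placeholder), and one whose DOCTYPE declares nested internal entities (the entity-expansion denial-of-service pattern). Entities can only be declared in a DTD, so refusing any document that carries a DOCTYPE rules out both before the parser sees it. For simplicity the example accepts UTF-8 input only.

```python
import xml.etree.ElementTree as ET

# Constructed inputs.
BENIGN = b"<order><item>book</item><qty>2</qty></order>"
WITH_EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                        b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder-path">]>'
                        b'<order><item>&ext;</item></order>')
ENTITY_EXPANSION = (b'<!DOCTYPE a [<!ENTITY l0 "lol"><!ENTITY l1 "&l0;&l0;&l0;&l0;">]>'
                    b'<a>&l1;</a>')

class UnsafeXML(ValueError):
    pass

def parse_xml_safely(data):
    """Parse untrusted XML only if it carries no DOCTYPE.

    Without a DTD no entity can be declared, so external entities (XXE) and
    internal entity expansion are both excluded before parsing starts.  A document
    that is not valid UTF-8 is refused rather than guessed at, because the check
    has to see the same text the parser will."""
    if isinstance(data, bytes):
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            raise UnsafeXML("document is not valid UTF-8")
        raw = data
    else:
        text, raw = data, data.encode("utf-8")
    # The XML keyword is case-sensitive, so a plain substring test is sufficient.
    if "<!DOCTYPE" in text:
        raise UnsafeXML("DOCTYPE declarations are not accepted")
    return ET.fromstring(raw)

def item_name(data):
    """Convenience wrapper: the <item> text of a safely parsed order."""
    return parse_xml_safely(data).findtext("item")

if __name__ == "__main__":
    print(item_name(BENIGN))
    for doc in (WITH_EXTERNAL_ENTITY, ENTITY_EXPANSION):
        try:
            parse_xml_safely(doc)
        except UnsafeXML as e:
            print("rejected:", e)
```

This pre-check is defence in depth: the parser itself should also be configured not to resolve external entities or load external DTDs, since a DOCTYPE could be legitimate in some feeds and the check above would then have to be relaxed.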

Top 5: Broken access control

Exploiting access control is a core skill of penetration testers. SAST and DAST tools can detect the absence of access control, but cannot verify that it works. Access control is detectable manually, or possibly automatically in certain frameworks where access control is missing.

Because of the lack of automated testing, and of effective functional testing by application developers, access control flaws are common. Access control is usually not suited to automated static or dynamic testing. Manual testing is the best way to detect missing or ineffective access control, including HTTP methods (e.g. GET and PUT), controllers, direct object references and the like.

Technical impact: the attacker can act as a user, an administrator or a privileged user, or create, access, update or delete any record. The business impact depends on the protection needs of the application and data.
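The two items the manual test looks for, direct object references and HTTP methods, as an added Python example (not from the original post). The record store, user roles and method table are constructed. The vulnerable lookup returns whatever record ID the caller names; the hardened handler denies by default, checks the method against an allow-list, and returns the same failure for a missing record as for a forbidden one so record IDs cannot be enumerated.

```python
# Constructed data: records with an owner, and a role table.
RECORDS = {101: {"owner": "alice", "body": "alice's invoice"},
           102: {"owner": "bob", "body": "bob's invoice"}}
ROLES = {"alice": "user", "bob": "user", "carol": "admin"}

class Forbidden(Exception):
    pass

class MethodNotAllowed(Exception):
    pass

# Vulnerable: an insecure direct object reference.  Any logged-in user who
# guesses or increments the ID reads another user's record.
def get_record_vulnerable(current_user, record_id):
    return RECORDS[record_id]["body"]

# Hardened: deny by default.  Only these methods reach the handler at all.
ALLOWED_METHODS = {"GET", "PUT", "DELETE"}

def authorize(current_user, method, record_id):
    if method not in ALLOWED_METHODS:
        raise MethodNotAllowed(method)
    record = RECORDS.get(record_id)
    if record is None:
        raise Forbidden("no access")     # same answer as forbidden: no ID enumeration
    if record["owner"] == current_user:
        return record
    if ROLES.get(current_user) == "admin" and method == "GET":
        return record                    # admins may read everything, but not modify
    raise Forbidden("no access")

def handle(current_user, method, record_id, body=None):
    """Every route goes through authorize() before touching data."""
    record = authorize(current_user, method, record_id)
    if method == "GET":
        return record["body"]
    if method == "PUT":
        record["body"] = body
        return "updated"
    del RECORDS[record_id]               # DELETE
    return "deleted"

if __name__ == "__main__":
    print(get_record_vulnerable("bob", 101))   # bob reads alice's record
    print(handle("alice", "GET", 101))
    try:
        handle("bob", "GET", 101)
    except Forbidden:
        print("bob cannot read record 101")
```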

Top 6: Security misconfiguration

Typically, attackers exploit unpatched flaws, default accounts, unused pages, unprotected files and directories, etc. to gain unauthorized access to or knowledge of the system. Security misconfiguration can happen at any level of an application stack, including the network services, platform, web server, application server, database, frameworks, custom code, and pre-installed virtual machines, containers and storage. Automated scanners can be used to detect misconfigurations, use of default accounts or configurations, unnecessary services, legacy options and so on. These flaws frequently give attackers unauthorized access to some system data or functionality. Occasionally they lead to a complete compromise of the system.

Top 7: Cross-site scripting (XSS)

XSS usually refers to attacks in which vulnerabilities left during web development are used to inject malicious script code into web pages, so that when users load the page the attacker's malicious script runs in their browser. These malicious web page scripts are usually JavaScript, but can in fact also be Java, VBScript, ActiveX, Flash or even plain HTML. After a successful attack, the attacker may obtain, among other things, higher privileges (such as performing certain operations), private web page content, sessions and cookies.

There are three types of XSS, which typically target the user's browser:

Reflected XSS: the application or API includes unvalidated and unescaped user input as part of the HTML output. A successful attack lets the attacker execute arbitrary HTML and JavaScript in the victim's browser. Typically the user needs to interact with a link pointing to an attacker-controlled page, such as a malicious watering-hole website, an advertisement or similar content.

Stored XSS: the application or API stores raw user input and shows it at a later stage to another user or an administrator. Stored XSS is generally considered a high or critical risk.

DOM-based XSS: JavaScript frameworks, single-page applications and APIs that dynamically include attacker-controllable data in a page are vulnerable to this type. Ideally, you avoid sending attacker-controllable data to unsafe JavaScript APIs.

Typical XSS attacks include session stealing, account takeover, MFA bypass, DIV replacement, attacks against the user's browser (for example malicious software downloads, key logging) and other client-side attacks.
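The stored case and the fix, as an added Python example (not from the original post; the page's own examples are PHP). The comment text and the attribute value are constructed; they reuse the `alert(0)` payload the page itself shows later. The point the three render functions make is that the encoding depends on where the data lands: element content, a quoted attribute, or a JavaScript value. Context-aware encoding at output time is what stops stored input from becoming script.

```python
import html
import json

# Constructed stored input: what an attacker submitted as a "comment", and a
# value aimed at an attribute.
COMMENT = "<script>alert(0)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(0)'

def render_vulnerable(comment):
    # Raw interpolation into HTML: stored XSS when `comment` came from another user.
    return "<p>%s</p>" % comment

def render_html_body(comment):
    # Element content: encode the HTML special characters (< > & ' ").
    return "<p>%s</p>" % html.escape(comment, quote=True)

def render_attribute(value):
    # Attribute context: the value must be quoted AND the quote characters encoded,
    # otherwise the attacker closes the attribute and adds an event handler.
    return '<input name="nick" value="%s">' % html.escape(value, quote=True)

def render_script_json(value):
    # Data handed to JavaScript: serialise as JSON and split "</" so the text
    # "</script>" inside the string can never end the script element early.
    literal = json.dumps(value).replace("</", "<\\/")
    return "<script>var comment = %s;</script>" % literal

if __name__ == "__main__":
    print(render_vulnerable(COMMENT))      # the browser would run this
    print(render_html_body(COMMENT))       # the browser shows it as text
    print(render_attribute(ATTR_PAYLOAD))
    print(render_script_json(COMMENT))
```

The DOM-based variant is not fixed by server-side encoding alone: if client-side code later inserts this data with `innerHTML` or `eval`, the same problem reappears in the browser, which is the "unsafe JavaScript API" the text refers to.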

For online XSS learning, refer to the well-known XSS filter bypass cheat sheet (https://www.freebuf.com/articles/web/153055.html).

Top 8: Insecure deserialization

Here is a small PHP example of XSS through deserialization:

<?php
// Class with a magic method: __wakeup() runs automatically whenever an object
// of this class is unserialized, so its body executes on attacker-supplied data.
class test
{
    public $name = 'name';
    function __wakeup()
    {
        echo $this->name;   // $name comes straight from the serialized string
    }
}

$test = new test();
echo serialize($test);       // prints the format to imitate: O:4:"test":1:{s:4:"name";s:4:"name";}
unserialize($_GET['c']);     // deliberately vulnerable: untrusted input is unserialized
?>

Open it in the browser: http://127.0.0.1/1.php?c=O:4:"test":1:{s:4:"name";s:25:"<script>alert(0)</script>";}

An alert box pops up.
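The same class of problem and its two standard defences in Python, as an added example (not code from the original post, which is PHP). Python's `pickle` plays the role of PHP's `unserialize()`: a pickle names the classes and callables to use when rebuilding the object, so untrusted pickle data can make the loader call whatever it names. The `Profile` class, the `Suspect` stand-in (which merely makes the loader call `os.getcwd`, a harmless choice for the example) and the server secret are constructed. Defence one is a loader that only resolves an allow-list of classes; defence two is to sign serialized data so the application never deserializes anything it did not produce itself.

```python
import hashlib
import hmac
import io
import os
import pickle

class Profile:
    """Constructed application object that is legitimately serialized."""
    def __init__(self, name, theme):
        self.name, self.theme = name, theme
    def __eq__(self, other):
        return isinstance(other, Profile) and vars(self) == vars(other)

class Suspect:
    """Constructed stand-in for a hostile object: on unpickling it asks the loader
    to call os.getcwd (harmless here; a real payload names something worse)."""
    def __reduce__(self):
        return (os.getcwd, ())

# Defence 1: an unpickler that resolves only the classes the application expects.
# Any pickle naming anything else (os.*, builtins.eval, subprocess.*) is refused.
class RestrictedUnpickler(pickle.Unpickler):
    ALLOWED = {(Profile.__module__, "Profile")}
    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refusing to load %s.%s" % (module, name))

def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

# Defence 2: sign what the server serializes and verify before deserializing,
# so data an attacker crafted never reaches the unpickler at all.
SECRET = b"constructed-server-secret"     # in real use, from the server's key store

def sign(data):
    return hmac.new(SECRET, data, hashlib.sha256).digest() + data

def verify_and_load(blob):
    mac, data = blob[:32], blob[32:]
    expected = hmac.new(SECRET, data, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("signature mismatch: payload was not produced by this server")
    return restricted_loads(data)

if __name__ == "__main__":
    blob = sign(pickle.dumps(Profile("alice", "dark")))
    print(vars(verify_and_load(blob)))
    try:
        restricted_loads(pickle.dumps(Suspect()))
    except pickle.UnpicklingError as e:
        print("blocked:", e)
```

Plain `pickle.loads()` on the `Suspect` pickle would call `os.getcwd()` and return the working directory; that is the behaviour the `__wakeup()` example above shows in PHP, and what both defences prevent.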


Top 9: Using components with known vulnerabilities

The commonly used components are web middleware, for example:

(A) IIS

1. PUT vulnerability

2. Short file name guessing

3. Remote code execution

4. Parsing vulnerability

(B) Apache

1. Parsing vulnerability

2. Directory traversal

(C) Nginx

1. File parsing

2. Directory traversal

3. CRLF injection

4. Directory traversal

(D) Tomcat

1. Remote code execution

2. WAR backdoor deployment

(E) JBoss

1. Deserialization vulnerability

2. WAR backdoor deployment

(F) WebLogic

1. Deserialization vulnerability

2. SSRF

3. Arbitrary file upload

4. WAR backdoor deployment

(G) Other middleware-related vulnerabilities

1. FastCGI unauthorized access, arbitrary command execution

2. PHP-CGI remote code execution

Top 10: Insufficient logging and monitoring

Insufficient logging and monitoring is the breeding ground of almost every major security incident. Attackers rely on the lack of monitoring and of timely response to achieve their goals without being detected.

One way to determine whether your monitoring is adequate is to check the logs after a penetration test. The testers' activities should be fully recorded, showing what impact they caused.
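What "adequate" looks like in practice, as an added Python example (not from the original post): a parser for authentication log lines and a detector that runs a sliding window over them. The log format and the sample lines are constructed, and the thresholds are arbitrary choices for the example. A penetration tester's password guessing against one account and a credential-stuffing run across many accounts leave different shapes in the same log, and both should raise an alert; the sample contains one of each, plus an unrelated line to show that malformed input is skipped rather than crashing the detector.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in the shape an application's authentication log might use.
SAMPLE_LOG = """\
2019-02-22T10:00:01Z login result=fail user=alice ip=203.0.113.5
2019-02-22T10:00:02Z login result=fail user=bob ip=203.0.113.5
2019-02-22T10:00:03Z login result=fail user=carol ip=203.0.113.5
2019-02-22T10:00:04Z login result=fail user=dave ip=203.0.113.5
2019-02-22T10:00:10Z login result=ok user=erin ip=192.0.2.9
2019-02-22T10:05:00Z login result=fail user=alice ip=198.51.100.7
2019-02-22T10:05:05Z login result=fail user=alice ip=198.51.100.7
2019-02-22T10:05:10Z login result=fail user=alice ip=198.51.100.7
2019-02-22T10:05:15Z login result=fail user=alice ip=198.51.100.7
2019-02-22T10:05:20Z login result=fail user=alice ip=198.51.100.7
2019-02-22T10:10:00Z login result=fail user=alice ip=198.51.100.7
this line is not a login record and is skipped
"""

LINE_RE = re.compile(r"^(\S+) login result=(ok|fail) user=(\S+) ip=(\S+)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def parse_line(line):
    """Return (timestamp, result, user, ip), or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), TS_FORMAT), m.group(2), m.group(3), m.group(4)

def detect(lines, window=timedelta(seconds=60), max_failures=5, max_users=3):
    """Sliding window of failed logins per source IP.

    Many failures from one IP inside the window is the brute-force pattern;
    failures spread over many distinct user names from one IP is the
    credential-stuffing pattern.  Each (kind, ip) pair is reported once."""
    recent = defaultdict(deque)          # ip -> deque of (timestamp, user) within window
    reported = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[1] != "fail":
            continue
        ts, _, user, ip = rec
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:     # drop failures older than the window
            q.popleft()
        distinct_users = {u for _, u in q}
        for kind, hit in (("brute-force", len(q) >= max_failures),
                          ("credential-stuffing", len(distinct_users) >= max_users)):
            if hit and (kind, ip) not in reported:
                reported.add((kind, ip))
                alerts.append((kind, ip, ts.strftime(TS_FORMAT)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

If a test like this yields no alert after a penetration test that included password guessing, the gap is in the log itself (failures not recorded, or recorded without user and source address), which is the situation the text describes.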

Source: www.cnblogs.com/tai2/p/10419960.html