OWASP Top 10 Vulnerabilities: A Primer

Table of contents

A1 Injection
A2 Broken Authentication
A3 Sensitive Data Exposure
A4 XML External Entities (XXE)
A5 Broken Access Control
A6 Security Misconfiguration
A7 Cross-Site Scripting (XSS)
A8 Insecure Deserialization
A9 Using Components with Known Vulnerabilities
A10 Insufficient Logging and Monitoring


In penetration testing, the OWASP Top 10 is the baseline every tester must understand in depth. OWASP's two most widely used releases are the 2013 and 2017 versions; the categories below follow the 2017 naming. The aim is to show which vulnerabilities are easy to introduce; follow-up articles will cover the causes, attack scenarios and protections for each vulnerability in detail, so that our applications can better resist these risks.
Application Security Risks
Attackers can take many different paths through an application to harm the business. Each of these paths represents a risk that deserves attention.

Recommended further reading: "Detailed Explanation of OWASP Top 10 Vulnerabilities (OWASP Top 10 cases)", Datong Andy Lau's blog on CSDN.


A1 Injection

Injection ranked first in both the 2013 and 2017 versions, which shows how easy this class of vulnerability is to introduce and how serious its impact is.
Attack method
The attacker exploits unsanitized input to smuggle interpreter syntax (SQL, shell commands, LDAP filters and so on) into a query or command, reading or modifying sensitive data and, in the worst case, executing commands on the server.
Causes of the vulnerability
Input fields whose contents are not validated
Variables passed directly from the URL into queries
Special characters that are not filtered or escaped
Database error messages echoed back to the user, which help the attacker refine the payload
Impact of the vulnerability
Disclosure or modification of sensitive data, and possibly command execution that leads to full takeover of the server
SQL injection
There are many kinds of injection. The common ones are SQL, OS command, ORM, LDAP and Expression Language (EL) or OGNL injection; the concept is the same for every interpreter: untrusted data is parsed as part of the instruction. In the most common case, SQL injection, backend developers build SQL queries by string concatenation and so introduce the vulnerability without noticing.
An example
The application builds the query by pasting the submitted password into the SQL text:
select * from users where pwd='<user input>'

A malicious input of ' or 1=1 -- turns it into:
select * from users where pwd='' or 1=1 --'

The condition is now always true and the trailing quote is commented out, so the check passes without a valid password.
SQL injection tools
The best-known SQL injection tool is sqlmap, written in Python. It detects and exploits injection automatically against PostgreSQL, MySQL, Microsoft Access, Microsoft SQL Server and other databases, and is the standard tool for checking whether an injection point is exploitable.
SQL injection protection
Turn off SQL error echo in production (log the errors server-side instead)
Validate input against a whitelist (length, type, allowed characters). Front-end checks improve usability only; the same validation must be repeated on the server, because the attacker can bypass the browser entirely.
Escape special characters in input only where parameterization is impossible (for example, identifiers such as table names)
Use PreparedStatement or equivalent parameterized queries for all SQL operations, so that input is bound as data and never parsed as SQL
Run the database service under a dedicated account with the least privileges the application needs
Restrict remote access to the database service and expose it only to specific hosts and administrators
Perform code audits; reviewing how queries are built is one of the most effective ways to find injection risk
Deploy a mature WAF as an additional layer, not as the only defense
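The example above and the first four protections, shown side by side in working Python with the standard sqlite3 module. This is an added example, not code from the original post; the users table, the passwords and the error probe are constructed for the demo, and sqlite3's `?` placeholders play the role of PreparedStatement.

```python
import sqlite3

# Constructed sample users for the demo (not from the original page).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pwd: str) -> bool:
    """The pattern from the example above: input concatenated into the SQL text."""
    query = ("SELECT * FROM users WHERE name='" + name
             + "' AND pwd='" + pwd + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, pwd: str) -> bool:
    """Parameterized query (the PreparedStatement equivalent in sqlite3):
    the driver binds the values, so they are never parsed as SQL."""
    query = "SELECT * FROM users WHERE name=? AND pwd=?"
    return conn.execute(query, (name, pwd)).fetchone() is not None


def error_echo(conn: sqlite3.Connection, pwd: str) -> str:
    """What an attacker learns when database errors are echoed back: a lone
    quote breaks the concatenated query and the message confirms injection."""
    try:
        login_vulnerable(conn, "alice", pwd)
        return ""
    except sqlite3.Error as exc:
        return str(exc)


def demo() -> dict:
    conn = make_db()
    payload = "' OR 1=1 --"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "alice", payload),
        "safe_bypassed": login_safe(conn, "alice", payload),
        "safe_valid": login_safe(conn, "alice", "s3cret"),
        "error_message": error_echo(conn, "'"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated query becomes `... WHERE name='alice' AND pwd='' OR 1=1 --'`, which matches every row; the parameterized version compares the literal string `' OR 1=1 --` against the stored password and fails. The error probe shows why error echo matters: the exception text is exactly the feedback an attacker (or sqlmap) uses to confirm an injection point.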


A2 Broken Authentication

Attack method
Attackers exploit flaws in the application's identity authentication to obtain high privileges and attack the application service.
Cause of the vulnerability
Weaknesses in the design or implementation of the application's authentication and session management.
Impact of the vulnerability
Account and identity theft.
Common design flaws
Credentials sent over cleartext protocols can be captured or modified on the wire to obtain user account passwords.
Poorly designed sites let the attacker skip the verification page and reach protected pages directly.
Users forget to log out and sessions never expire, so anyone with access to the browser can take over the session.
Weak passwords. Authentication is very vulnerable to weak-password attacks and to dictionary attacks built from leaked password lists. Typical weak choices are:
company name abbreviations, domain names and phone numbers
all-digit passwords and simple English words
a password identical to the account name
the same password reused across websites, computers and apps
Vulnerability protection
The login page, and the rest of the site, use encrypted connections (HTTPS) so credentials and session cookies cannot be captured.
Permissions are well defined and managed on the server side.
Sessions time out and can be explicitly logged out.
Passwords are checked against weak-password rules and known breach lists, and repeated failed logins are rate-limited or locked out to blunt dictionary attacks.
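The weak-password patterns listed above, plus a login throttle against dictionary attacks, as an added Python example (not code from the original post). The company terms and the breached-password list are constructed for the demo; a real deployment would check against a breach corpus such as the Have I Been Pwned data set.

```python
import hashlib
import re

# Constructed company-specific terms and breached passwords for the demo
# (not from the original page).
COMPANY_TERMS = ["acme", "acmecorp", "acme.com", "13800138000"]
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ["password", "123456", "qwerty", "letmein", "Welcome1"]
}


def password_problems(username: str, password: str) -> list:
    """Return the weak-password rules from the list above that the password breaks."""
    problems = []
    lower = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if lower == username.lower():
        problems.append("same as account name")
    if re.fullmatch(r"\d+", password):
        problems.append("digits only")
    if re.fullmatch(r"[A-Za-z]+", password):
        problems.append("letters only (simple word)")
    for term in COMPANY_TERMS:
        if term.lower() in lower:
            problems.append(f"contains company term {term!r}")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("found in breach list")
    return problems


class LoginThrottle:
    """Lock an account for lock_seconds after max_failures consecutive
    failures, which turns an online dictionary attack from thousands of
    guesses per minute into a handful."""

    def __init__(self, max_failures: int = 5, lock_seconds: int = 900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = {}       # account -> consecutive failures
        self.locked_until = {}   # account -> unix time the lock expires

    def attempt(self, account: str, success: bool, now: float) -> bool:
        """Record one login attempt. Returns False if it was refused (locked)."""
        if now < self.locked_until.get(account, 0.0):
            return False
        if success:
            self.failures.pop(account, None)
            return True
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.max_failures:
            self.locked_until[account] = now + self.lock_seconds
            self.failures.pop(account, None)
        return True
```

The breach check compares hashes rather than plaintext so the list itself can be stored without holding the passwords; the throttle is keyed per account, so a distributed attack that spreads guesses across many accounts still needs a per-source-IP limit on top of it.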


A3 Sensitive Data Exposure

Attack method
The common attack is to scan the application for sensitive data it exposes.
Causes of the vulnerability
Maintainers or developers publish sensitive data unintentionally, for example credentials committed to a GitHub repository.
Sensitive files have the wrong permissions or location, for example a database backup left in the website directory and reachable from the network.
Weak protocols and algorithms are used, for example telnet, FTP and MD5, which transmit or store data without adequate protection.
Impact of the vulnerability
Applications and websites are tampered with.
Personal data and company data are leaked and sold for profit.
Vulnerability protection
For repository leaks, scan repositories regularly for committed secrets, and rotate any credential that is found.
Scan the website directory tree for exposed backups, archives and configuration files.
Use strong network protocols and algorithms (SSH and TLS instead of telnet and FTP; a modern password hash instead of MD5).
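A minimal secret scanner of the kind the first protection calls for, as an added Python example (not code from the original post). The "repository" is a constructed dict of file contents; the AWS key in it is the placeholder AWS publishes in its own documentation, not a real credential, and the patterns are a small illustrative set rather than a complete rule base.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a repository checkout (not from the original page).
# The AKIA... value is the placeholder key AWS uses in its own documentation.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = False\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DB_PASSWORD = "Sup3rS3cretPassw0rd!"\n'
    ),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n",
    "docs/example.env": 'PASSWORD = "changeme"\n',
    "README.md": "Run pip install -r requirements.txt, then python manage.py runserver\n",
}

PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # A quoted value assigned to something named like a secret.
    "assigned_secret": re.compile(
        r"(?i)(password|passwd|secret|token)\s*=\s*['\"]([^'\"]{8,})['\"]"),
}


def shannon_entropy(text: str) -> float:
    """Bits per character; real secrets score higher than placeholder words."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list:
    """Return (path, line number, rule) for every line that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Placeholders such as "changeme" have low entropy; skip them to cut noise.
            if name == "assigned_secret" and shannon_entropy(match.group(2)) < min_entropy:
                continue
            findings.append((path, lineno, name))
    return findings


def scan_repo(files: dict) -> list:
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for path, lineno, rule in scan_repo(SAMPLE_FILES):
        print(f"{path}:{lineno}: {rule}")
```

Run this over every commit in a pre-receive hook or CI job, not only over the current tree: a secret that was committed and then deleted is still in the history. Any hit should be treated as compromised and rotated, since removing the file does not undo the exposure.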


A4 XML External Entities (XXE)

Attack method
When an application parses XML that may contain references to external entities, the attacker supplies a malicious document whose entity declaration points at a server resource; the parser reads that resource and returns its contents.
Cause of the vulnerability
The XML specification lets a document's DTD declare external entities, so a parser that resolves them can be made to fetch arbitrary files or URLs.
Impact of the vulnerability
Reading sensitive files on the server, such as /etc/passwd
Reading application source code
Vulnerability protection
Disable DTD processing entirely (DTD stands for Document Type Definition)
If DTDs are needed, disable external entity resolution and the loading of external DTDs
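The file-read attack and the protection, demonstrated with Python's standard xml.sax parser as an added example (not code from the original post). The target file is a temporary file with constructed content standing in for /etc/passwd; the only difference between the two runs is the parser feature that controls external entity resolution.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_untrusted_xml(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse XML with xml.sax and return its text content.

    feature_external_ges controls whether external general entities are
    resolved; that is exactly the XXE switch. Python has defaulted it to
    False since 3.7.1, so the vulnerable configuration must opt in.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts).strip()


def xxe_demo() -> dict:
    """Run the classic file-read payload against both parser configurations."""
    # Constructed stand-in for /etc/passwd: a temporary file with known content.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as tmp:
        tmp.write("root:x:0:0:root:/root:/bin/bash\n")
        secret_path = tmp.name
    try:
        file_uri = pathlib.Path(secret_path).as_uri()
        payload = (
            '<?xml version="1.0"?>\n'
            "<!DOCTYPE order [\n"
            f'  <!ENTITY xxe SYSTEM "{file_uri}">\n'
            "]>\n"
            "<order><item>&xxe;</item></order>\n"
        ).encode()
        return {
            "vulnerable": parse_untrusted_xml(payload, resolve_external_entities=True),
            "hardened": parse_untrusted_xml(payload, resolve_external_entities=False),
        }
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    for mode, text in xxe_demo().items():
        print(f"{mode}: {text!r}")
```

With the feature enabled, the `<item>` element's text is the contents of the file named in the entity declaration; with it disabled, the reference is silently skipped. The same switch exists in every XML stack (for example `disallow-doctype-decl` in Java's DocumentBuilderFactory); the rule is to disable DTDs or external entities before the first untrusted document is parsed, and in Python the defusedxml package wraps the standard parsers with these settings already applied.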


A5 Broken Access Control

Attack method
Missing or incomplete permission checks let the attacker bypass authorization and reach resources or functions directly.
Cause of the vulnerability
The application relies on the user not knowing a URL or parameter instead of checking, on every request, whether this user is allowed to act on this object.
Impact of the vulnerability
Path traversal: an unchecked file parameter lets the attacker walk out of the intended directory and read sensitive files.
Vertical privilege escalation: without a role check, an ordinary user gains administrator functions.
Horizontal privilege escalation: without an object-level check, ordinary user A can access the data of ordinary user B.
Vulnerability protection
Whitelist filtering of parameters, in particular file names and object identifiers
Redesign and centralize permission control: deny by default and check on the server for every request
Restrict the file types that can be downloaded
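The three failure modes above and their checks, as an added Python example (not code from the original post). The upload directory, the document table and the users are constructed for the demo.

```python
import os
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


@dataclass
class User:
    name: str
    role: str  # "user" or "admin"


# Constructed sample objects (not from the original page): document id -> owner.
DOCUMENTS = {101: "alice", 102: "bob"}


def safe_download_path(base_dir: str, requested: str,
                       allowed_ext=(".pdf", ".png", ".txt")) -> str:
    """Resolve a user-supplied file name under base_dir, refusing traversal
    and disallowed file types. realpath collapses '..' and symlinks before
    the check; commonpath (rather than startswith) stops a sibling such as
    /srv/app/uploads2 from passing as /srv/app/uploads."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise AccessDenied(f"path traversal blocked: {requested!r}")
    if os.path.splitext(target)[1].lower() not in allowed_ext:
        raise AccessDenied(f"file type not allowed: {requested!r}")
    return target


def read_document(user: User, doc_id: int) -> str:
    """Object-level check: refuses horizontal escalation (A reading B's data)."""
    owner = DOCUMENTS.get(doc_id)
    if owner is None:
        raise KeyError(doc_id)
    if user.role != "admin" and owner != user.name:
        raise AccessDenied(f"{user.name} may not read document {doc_id}")
    return f"document {doc_id} (owner {owner})"


def delete_user(actor: User, target: str) -> str:
    """Function-level check: refuses vertical escalation (user acting as admin)."""
    if actor.role != "admin":
        raise AccessDenied(f"{actor.name} is not an administrator")
    return f"{target} deleted by {actor.name}"


def denied(func, *args) -> bool:
    """True if the call was refused by an access check (used in the demo)."""
    try:
        func(*args)
    except AccessDenied:
        return True
    return False
```

Note that `os.path.join` discards the base when the requested name is absolute, which is why the check is done on the resolved result rather than on the input string; the ownership check looks up the owner from the server-side record, never from a field the client sent.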


A6 Security Misconfiguration

Attack method
Attackers exploit wrong or default configuration to obtain sensitive data or elevate privileges.
Cause of the vulnerability
Developers or maintainers leave insecure settings in place, for example enabling the Django framework's DEBUG mode in a production environment during Python development, which shows full stack traces and settings to anyone who triggers an error.
Impact of the vulnerability
Attackers obtain sensitive data.
Attackers elevate privileges, for example through unchanged default passwords in the application configuration or an installer directory that was never removed.


A7 Cross-Site Scripting (XSS)

Attack method
The attacker embeds malicious script in content the application renders, so the script runs in the victim's browser and steals application data.
Common attack payloads
><script>alert(document.cookie)</script>
='><script>alert(document.cookie)</script>
"><script>alert(document.cookie)</script>
<script>alert(document.cookie)</script>
<script>alert(vulnerable)</script>
%3Cscript%3Ealert('XSS')%3C/script%3E
<script>alert('XSS')</script>
<img src="javascript:alert('XSS')">
<img src="http://888.888.com/999.png" onerror="alert('XSS')">
<div style="height:expression(alert('XSS'), 1)"></div> (only works in IE7 and earlier)
Cause of the vulnerability
The application does not validate its input or encode its output, so user-supplied data is interpreted as code by the browser.
Impact of the vulnerability
Users are lured to a legitimate website that carries the injected script, and their sensitive data is obtained.
The user's cookie is stolen and the attacker impersonates the user.
Vulnerability protection
Validate input; filter or replace characters that are not expected.
Use a whitelist mechanism for the characters or markup that are allowed.
Encode output for the context it is inserted into (HTML body, attribute, JavaScript, URL); this is the defense that actually stops the browser from treating data as code.
Mark session cookies HttpOnly so a script cannot read them, and deploy a Content Security Policy as a second layer.
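Context-specific output encoding, with the blacklist approach it replaces, as an added Python example (not code from the original post). The payloads are constructed for the demo and mirror the list above; `tags` is a helper that lists the tag names a browser would actually see in the rendered markup.

```python
import html
import re
import urllib.parse

# Constructed attacker inputs (not from the original page); the first three
# mirror the payload list above.
PAYLOADS = [
    "<script>alert(document.cookie)</script>",
    '"><script>alert(document.cookie)</script>',
    "<img src=\"http://888.888.com/999.png\" onerror=\"alert('XSS')\">",
    "javascript:alert('XSS')",
]

SCRIPT_TAG = re.compile(r"(?i)</?script[^>]*>")


def render_unsafe(comment: str) -> str:
    """Reflects input into the HTML body untouched."""
    return f"<p>{comment}</p>"


def render_blacklist(comment: str) -> str:
    """A common but inadequate fix: strip <script> tags and nothing else.
    Event handlers such as onerror survive and still execute."""
    return f"<p>{SCRIPT_TAG.sub('', comment)}</p>"


def render_html_text(comment: str) -> str:
    """HTML body context: entity-encode <, >, & and quotes."""
    return f"<p>{html.escape(comment)}</p>"


def render_attribute(value: str) -> str:
    """Attribute context: always quote the attribute and encode quotes too,
    so the value cannot close the attribute and start a new one."""
    return f'<input value="{html.escape(value, quote=True)}">'


def render_link(url: str) -> str:
    """URL context: encoding alone does not stop javascript: URLs, so
    whitelist the scheme first, then attribute-encode."""
    scheme = urllib.parse.urlparse(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


def tags(markup: str) -> list:
    """Names of the real HTML tags a browser would parse (for the demo)."""
    return re.findall(r"<\s*/?\s*([A-Za-z]+)", markup)


if __name__ == "__main__":
    for payload in PAYLOADS[:3]:
        print("blacklist:", tags(render_blacklist(payload)))
        print("encoded:  ", tags(render_html_text(payload)))
    print(render_link(PAYLOADS[3]))
```

Each renderer is tied to one insertion context; the same value placed inside a `<script>` block or a CSS property would need JavaScript or CSS encoding instead, which is why templating engines expose separate filters per context.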


A8 Insecure Deserialization

Attack method
The attacker sends a crafted serialized object to a deserialization endpoint of the application; when the object is reconstructed, the attacker's logic runs.
Cause of the vulnerability
The application deserializes data objects supplied by the attacker, and the deserialization mechanism is allowed to instantiate arbitrary classes and execute their logic.
Impact of the vulnerability
In the worst case remote code execution (RCE); injection attacks and unauthorized access are also possible.
Vulnerability protection
Do not deserialize untrusted data at all where possible; prefer simple data formats such as JSON.
Sign serialized objects and verify the signature before deserialization, so tampered or forged objects are rejected.
Enforce strict type checks on the deserialized data to limit the classes that can be created.
Isolate the environment in which deserialization runs (low privilege, monitored) and log deserialization failures.
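A pickle gadget beside the signed-and-type-checked alternative, as an added Python example (not code from the original post). The signing key, the token fields and the gadget are constructed for the demo; `os.getcwd` stands in for the `os.system` call a real payload would make.

```python
import hashlib
import hmac
import json
import os
import pickle

# Constructed demo key (not from the original page); real code loads it
# from a secret store.
SIGNING_KEY = b"demo-signing-key-not-for-production"

# The fields a session token may carry, with their exact types.
EXPECTED_FIELDS = {"user": str, "role": str, "ttl": int}


class Malicious:
    """A pickle gadget: __reduce__ names a callable and its arguments, and
    pickle.loads calls it during reconstruction."""

    def __reduce__(self):
        return (os.getcwd, ())   # harmless stand-in for os.system("...")


def unsafe_load(blob: bytes):
    """pickle.loads on attacker-controlled bytes: the gadget's callable runs."""
    return pickle.loads(blob)


def sign(obj: dict) -> bytes:
    """Serialize as canonical JSON and prepend an HMAC-SHA256 tag."""
    body = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body


def safe_load(blob: bytes) -> dict:
    """Verify the signature before parsing, then enforce the schema."""
    tag, sep, body = blob.partition(b".")
    if not sep:
        raise ValueError("malformed token")
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    obj = json.loads(body)   # JSON yields dicts, lists and scalars, never objects
    if not isinstance(obj, dict) or set(obj) != set(EXPECTED_FIELDS):
        raise ValueError("unexpected fields")
    for name, typ in EXPECTED_FIELDS.items():
        value = obj[name]
        if isinstance(value, bool) or not isinstance(value, typ):
            raise ValueError(f"field {name!r} has wrong type")
    return obj


def rejected(blob: bytes) -> bool:
    try:
        safe_load(blob)
    except ValueError:
        return True
    return False


def demo() -> dict:
    evil = pickle.dumps(Malicious())
    token = sign({"user": "alice", "role": "user", "ttl": 3600})
    tampered = token.replace(b'"role":"user"', b'"role":"admin"')
    return {
        "gadget_ran": unsafe_load(evil) == os.getcwd(),
        "valid_token": safe_load(token),
        "tampered_rejected": rejected(tampered),
        "pickle_rejected": rejected(evil),
        "wrong_type_rejected": rejected(sign({"user": "alice", "role": "user", "ttl": "3600"})),
    }
```

The signature is checked with `hmac.compare_digest` before anything is parsed, so a forged or edited body never reaches the parser; the type check then closes the remaining gap, since a signed-but-buggy producer could still emit a string where the consumer expects an integer.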




A9 Using Components with Known Vulnerabilities

Attack method
Exploit known vulnerabilities in the frameworks, libraries and tools of the application's technology stack to obtain high privileges or sensitive data.
Cause of the vulnerability
The frameworks, libraries and tools in the technology stack contain vulnerabilities and are not updated or patched in a timely manner.
Impact of the vulnerability
Sensitive data leakage
Privilege escalation
Remote code execution
Vulnerability protection
Keep an inventory of components and their versions, track security advisories for them, and update or patch in a timely manner
Remove dependencies that are no longer used


A10 Insufficient Logging and Monitoring

Cause of the vulnerability
Insufficient logging and monitoring mean that attacks on systems and applications, and theft of data, are neither discovered nor traceable afterwards.
Impact of the vulnerability
Security incidents go undetected.
The vulnerability that was exploited cannot be identified and repaired, so the intrusion recurs.
Vulnerability protection
Enable log monitoring and alerting
Ship logs off the host to a central, separately administered log server (client/server log collection), so an attacker who compromises a machine cannot erase the evidence
Record logs as completely as possible: logins, failed logins, access-control failures and input-validation failures, with enough context (user, source IP, time) to reconstruct an incident
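What "monitoring and alerting" looks like over the events the last item asks for, as an added Python example (not code from the original post). The log format and every line in it are constructed for the demo, with IP addresses from the RFC 5737 documentation ranges; the thresholds are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample application log (not from the original page).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth login_failed user=alice ip=203.0.113.7
2024-03-01T10:00:02Z auth login_failed user=admin ip=203.0.113.7
2024-03-01T10:00:03Z auth login_failed user=admin ip=203.0.113.7
2024-03-01T10:00:04Z auth login_failed user=root ip=203.0.113.7
2024-03-01T10:00:05Z auth login_failed user=admin ip=203.0.113.7
2024-03-01T10:00:09Z auth login_ok user=admin ip=203.0.113.7
2024-03-01T10:03:00Z auth login_failed user=dave ip=192.0.2.44
2024-03-01T10:05:00Z authz denied user=bob ip=198.51.100.9 path=/admin/users
2024-03-01T10:05:01Z authz denied user=bob ip=198.51.100.9 path=/admin/export
2024-03-01T10:06:00Z auth login_ok user=dave ip=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<component>\w+) (?P<event>\w+)(?P<fields>.*)$")


def parse_line(line: str) -> dict:
    """Turn one log line into a record; key=value pairs become fields."""
    match = LINE_RE.match(line)
    if not match:
        raise ValueError(f"unparseable line: {line!r}")
    record = {
        "ts": datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "component": match["component"],
        "event": match["event"],
    }
    for pair in match["fields"].split():
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def detect(log_text: str, max_failures: int = 5,
           window: timedelta = timedelta(minutes=1)) -> list:
    """Replay the log and return (alert, subject) pairs in the order raised."""
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    denials = defaultdict(int)      # user -> access-control denials
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "login_failed":
            recent = failures[rec["ip"]]
            recent.append(rec["ts"])
            while recent and rec["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) == max_failures:
                alerts.append(("brute_force", rec["ip"]))
        elif rec["event"] == "login_ok":
            # A success right after a burst of failures is the alert that matters most.
            recent = failures.get(rec["ip"], ())
            if len(recent) >= max_failures and rec["ts"] - recent[0] <= window:
                alerts.append(("success_after_brute_force", rec["ip"]))
        elif rec["event"] == "denied":
            denials[rec["user"]] += 1
            if denials[rec["user"]] == 2:
                alerts.append(("access_control_probe", rec["user"]))
    return alerts


if __name__ == "__main__":
    for alert, subject in detect(SAMPLE_LOG):
        print(f"{alert}: {subject}")
```

None of these rules can fire if the application logs only successful logins, which is the point of the "record completely" item: failed logins and authorization denials carry the signal. The single failure from 192.0.2.44 followed by a success raises nothing, which is the behaviour you want so that ordinary typos do not page anyone.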

Source: blog.csdn.net/weixin_62421736/article/details/131513139