Detailed overview of the OWASP Top 10 utilizing OWASP Juiceshop VM to cover application vulnerabilities.
Legal Usage: The information provided by [email protected] is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk.
By continued reading, you acknowledge the aforementioned user risks/responsibilities.
Based on TheCyberMentor's amazing Udemy course, available at https://www.udemy.com/course/practical-ethical-hacking/
OWASP Top 10 Testing Checklist
Link: https://www.owasp.org/index.php/Testing_Checklist
OWASP Top Ten Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Cheat Sheets: https://cheatsheetseries.owasp.org/
Major Headings Overview:
- Information Gathering
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication Testing
- Authorization Testing
- Sessions Management Testing
- Data Validation Testing
- Error Handling
- Business Logic Testing
- Client Side Testing
Evolution of OWASP Top 10 2013 vs 2017
OWASP Testing Checklist Excel .xlsx Link: https://github.com/tanprathan/OWASP-Testing-Checklist
OWASP Testing Guide PDF Link: https://www.owasp.org/images/1/19/OTGv4.pdf
- Web application security testing should use this PDF in conjunction with the .xlsx
Installing OWASP Juiceshop
Installing Docker on Kali installer reference link: https://medium.com/@airman604/installing-docker-in-kali-linux-2017-1-fbaa4d1447fe
Add Docker PGP key:
Add repository (in my case it's arch=x86)
Download OWASP Juiceshop Vulnerable website - Learning tool for OWASP Top 10. Link: https://github.com/bkimminich/juice-shop Walkthrough Link: https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content/
Docker Container Install
NOTE: Should you ever restart/reboot, remember to start the docker service again with
*service docker start*
- The goal should be to work through “Part II - Challenge hunting” of the gitbook.io walkthrough
Installing FoxyProxy - Burp Suite Link: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
- After it is installed, configure FoxyProxy to work with Burp
Add Burp Suite to FoxyProxy via “Add”
Add localhost and port 8080 - I changed my color to Orange for Burp
Now we can quickly turn the Burp Suite proxy on/off
- Import Burp Certificate to Firefox
Click CA Certificate - Download
- Install Certificate
Click Menu > Preferences
- Type “Certificates” into search and click “View Certificates” > “Import”
- Import the downloaded certificate
Attacking OWASP Juiceshop
Setting Juiceshop as the target scope
Add localhost:3000 as the target scope and enable “show only in-scope items”
- Investigate unauthenticated side
Automated scanners in reality only pick up about 10% of vulnerabilities.
- Adjust Proxy > Options: “Intercept Client Requests” and “Intercept Server Responses”
Faster alternative to Intruder - Turbo Intruder
As Intruder only allows for 1 thread on the Community Edition of Burp Suite, Turbo Intruder expands the capability.
- Install Turbo Intruder on Burp Suite from BApp store
- Navigate to:
- “Hide all” then select “Injection”
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A1-Injection
- Test the login with a captured request - send it to Repeater:
- Within Repeater we are faced with an “Invalid email or password” response
The submitted SQL command could be:
Adding an extra ' within the email field results in a SQLITE_ERROR, which reveals the exact SQL command.
Modifying the statement so that it ends in a condition that is always true:
- Using an SQL injection to bypass the login
test' OR 1=1
The SQL injection produces a condition that is always true, which the application then processes as a valid login:
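To show why the extra quote produces a SQLITE_ERROR and why parameterized queries are the fix, here is an added example in JavaScript (not Juice Shop's own code; the Users table and column names are assumptions). It builds the login query the vulnerable way, the parameterized way, and checks the result for a broken string literal:

```javascript
// Added example (not Juice Shop's own code): how a string-built login query
// lets the email field change the SQL statement, and how a parameterized
// query keeps the same input as plain data. Table and column names are
// assumptions for illustration.

// Vulnerable pattern: the user-supplied email is pasted into the SQL text.
function vulnerableLoginSql(email, passwordHash) {
  return "SELECT * FROM Users WHERE email = '" + email +
         "' AND password = '" + passwordHash + "'";
}

// Hardened pattern: the SQL text is constant and the values travel
// separately as bound parameters, so a quote in the email is just a quote.
// Drivers such as node-sqlite3 or pg accept exactly this { sql, params } pair.
function parameterizedLoginSql(email, passwordHash) {
  return {
    sql: "SELECT * FROM Users WHERE email = ? AND password = ?",
    params: [email, passwordHash],
  };
}

// An odd number of single quotes means a string literal was broken open;
// that is what produces the SQLITE_ERROR (and the leaked query text) seen
// when an extra ' is added to the email field.
function hasUnbalancedQuotes(sql) {
  return (sql.match(/'/g) || []).length % 2 === 1;
}

// Defence in depth: reject values that cannot be an email address before
// they reach the database layer. Parameterization remains the real fix.
function isPlausibleEmail(value) {
  return /^[^\s'"@]+@[^\s'"@]+\.[^\s'"@]+$/.test(value);
}

// Constructed inputs: a normal login and the probe from the notes above.
const normalSql = vulnerableLoginSql("user@example.com", "<hash>");
const probeSql = vulnerableLoginSql("test' OR 1=1", "<hash>");
console.log(normalSql, "unbalanced:", hasUnbalancedQuotes(normalSql)); // false
console.log(probeSql, "unbalanced:", hasUnbalancedQuotes(probeSql));   // true
console.log(parameterizedLoginSql("test' OR 1=1", "<hash>"));          // input stays data
```

The takeaway for the fix side: the application should never see a different SQL statement depending on what the user typed; with bound parameters the statement text is identical for every login.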
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication
- Application Vulnerable
source: OWASP Top 10 2017 A2 Broken Authentication
Testing for Broken Authentication
- When submitting a login form we want to be aware of the response and whether it leaks information, such as “invalid email or password”
- “Forgot my password”
In this situation we are facing an area where we can enumerate users, based on how the security question behaves:
From the previous attack we found the admin's email as
[email protected].op, and the security question fields open based on the admin email.
Testing for session fixation involves creating an account and logging in, noting the cookie that is issued, then logging out; it should not be possible to use that same cookie to log in again.
Sensitive Data Exposure
- Extracting data that the web server exposes to anyone who looks
Juiceshop Sensitive Data Exposure
/ftp was discovered and contains files that should not be facing the internet:
- .kdbx - KeePass password database
XML External Entities (XXE) Overview
- Using a SYSTEM entity within XML against a target
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)
XML Formatting Example
With this in mind, a file path (using forward slashes) can be referenced from inside the entity to extract that file
Payloads Link: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection
- Classic XXE
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
Declaring the entity with SYSTEM marks it as external: the parser fetches the referenced resource and stores its content in the entity. When foo is called it calls the
save the payload locally as
- Create a new user on Juiceshop
- Log in to the account and navigate to
/#/complain, where we take advantage of the “Browse” upload feature and upload the
test.xml + capture the request
Had the XXE been successful, in our response window we would see a printout of
*/etc/passwd*, which in this case we do not.
- Mitigation: disable external entities and DTDs in the XML parser
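One way to enforce that mitigation at the upload boundary, as an added example in JavaScript (not Juice Shop's own code): reject any uploaded XML that carries a DOCTYPE or ENTITY declaration before it reaches a parser. The inputs are constructed, and the libxmljs option names mentioned in the comment are given as an example of the parser-side setting, not as this code's dependency:

```javascript
// Added example (not Juice Shop's own code): a pre-parse gate that rejects
// any XML upload carrying a DOCTYPE or ENTITY declaration, so no external
// entity can be declared at all. Inputs below are constructed for the demo.

// Matches <!DOCTYPE ...> and <!ENTITY ...> anywhere, case-insensitively.
// This is a coarse gate; a real deployment also turns entity expansion off
// in the parser itself (for example libxmljs's noent/dtdload options).
const DTD_PATTERN = /<!\s*(DOCTYPE|ENTITY)\b/i;

function containsDtd(xml) {
  return DTD_PATTERN.test(xml);
}

// Gate used by an upload handler: returns { ok, reason } instead of throwing
// so the caller can log the rejection for monitoring.
function acceptXmlUpload(xml) {
  if (typeof xml !== "string") return { ok: false, reason: "not text" };
  if (xml.length > 100000) return { ok: false, reason: "too large" };
  if (containsDtd(xml)) return { ok: false, reason: "DTD/entity declaration not allowed" };
  return { ok: true, reason: "accepted" };
}

// Constructed inputs: a benign complaint file and the classic probe above.
const benignXml = '<?xml version="1.0"?><complaint><text>Juice was warm</text></complaint>';
const probeXml = '<?xml version="1.0" encoding="ISO-8859-1"?>\n<!DOCTYPE foo [\n' +
  '<!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>';

console.log(acceptXmlUpload(benignXml)); // { ok: true, reason: 'accepted' }
console.log(acceptXmlUpload(probeXml));  // { ok: false, reason: 'DTD/entity declaration not allowed' }
```

Rejecting the DOCTYPE outright is the simplest robust rule because legitimate user uploads almost never need one; logging the rejection also gives the monitoring signal that a tester (or attacker) is probing the upload feature.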
Broken Access Control
- If there is an
/adminpanel that a normal user should not have access to.
Changing an object id in a request (?=6 in the notes) and getting back another account's information - Insecure Direct Object Reference (IDOR)
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
Attacking Broken Access - Juiceshop
- Adding information as another user.
Forged Feedback: post some feedback in another user's name.
Under Customer Feedback
- Leave a bad review
- Right click > Inspect Element
We have a “hidden” id field; deleting the word hidden makes a user id field box appear, and we change 17 to 1 (admin):
This is a prime example of broken access control.
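The server-side fix for both failures above (the forged feedback and the IDOR) is the same principle: identity comes from the authenticated session, never from a field the client can edit. Here is an added example in JavaScript (not Juice Shop's own code; the account records, roles and handler shapes are constructed for the demo):

```javascript
// Added example (not Juice Shop's own code): server-side handlers for the
// forged-feedback and IDOR cases. Identity comes from the authenticated
// session, never from the request body or URL. Records are constructed.

const accounts = new Map([
  [1, { id: 1, email: "admin@example.test", role: "admin" }],
  [6, { id: 6, email: "alice@example.test", role: "customer" }],
  [17, { id: 17, email: "bob@example.test", role: "customer" }],
]);
const feedback = [];

// Vulnerable: trusts the userId the client put in the (formerly hidden) field.
function postFeedbackVulnerable(session, body) {
  const entry = { userId: body.userId, comment: body.comment };
  feedback.push(entry);
  return entry;
}

// Hardened: the author is whoever the session says, regardless of the body.
function postFeedback(session, body) {
  if (!session || !session.userId) throw new Error("unauthenticated");
  const entry = { userId: session.userId, comment: String(body.comment || "") };
  feedback.push(entry);
  return entry;
}

// IDOR fix: an id in the URL is only honoured if the caller owns the object
// or holds a role allowed to read it.
function getAccount(session, requestedId) {
  if (!session || !session.userId) throw new Error("unauthenticated");
  const caller = accounts.get(session.userId);
  const isOwner = session.userId === requestedId;
  const isAdmin = !!caller && caller.role === "admin";
  if (!isOwner && !isAdmin) throw new Error("forbidden");
  const record = accounts.get(requestedId);
  if (!record) throw new Error("not found");
  return record;
}

// Constructed scenario: Bob (17) submits the form with the id changed to 1.
const bobSession = { userId: 17 };
const tampered = { userId: 1, comment: "forged" };
console.log(postFeedbackVulnerable(bobSession, tampered).userId); // 1 -> attributed to admin
console.log(postFeedback(bobSession, tampered).userId);           // 17 -> attributed to Bob
try { getAccount(bobSession, 6); } catch (e) { console.log(e.message); } // forbidden
```

Hiding the field in the HTML, as Juice Shop does, is not a control at all: the browser is under the user's control, so every authorization decision has to be repeated on the server with the session as the only source of truth.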
Security Misconfiguration
- Anything configured incorrectly, in any way, is considered a misconfiguration
- Default credentials left unchanged are an example
- The application throwing detailed/verbose error messages
- Unnecessary ports open
- Basically a “catch all” category of vulnerabilities
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration
Cross Site Scripting (XSS)
Three types of Cross Site Scripting
- Reflected XSS - popup / never stored on the server / the server reads and responds - client side
- Stored XSS - payload stored on the web server - server side
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)
Reflected XSS Attack
- Requires social engineering - e.g. stealing a user's cookie and redirecting them
Create a PHP script
With this PHP script, when accessing
index.php?username=exec the response on the site will be Hi Exec.
In a situation where
<script>alert(1)</script> is left on a page, the alert pops up every time someone accesses the page.
In a different situation the stored XSS could carry a cookie-stealing function, and an attacker could then use that cookie in a forged request.
DOM based XSS Blog link: https://www.scip.ch/en/?labs.20171214
- A somewhat complex attack (source / sink)
- Source: where the malicious input enters
- Sink: where the code is executed
- Least commonly found in the wild
- Client-side attack that requires social engineering, like reflected XSS
" will pop up the XSS.
- Reflective XSS
Under /#/score-board we can see the available XSS challenges:
Find a location to paste the payload across the site, testing within an object, e.g. “Banana Juice”, posted as a review:
Doesn't respond with the said popup.
Pasting the XSS payload into the search does trigger a DOM XSS.
Testing in other areas such as the user profile, the lesson being to test any field that is available:
Under the Username field some form of filtering is occurring, as it never fully added the payload to the username.
- Stored XSS
A regular user could leave something on the page that steals the administrator's cookie.
Bypassing the username filter: we see that filtering is occurring, so we test what could be done to get around the filter.
Adding script again results in one copy being filtered out while the payload still exists in its full format:
Now returning to the account profile page we have a stored XSS:
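Both the reflected greeting page described earlier (index.php?username=...) and the username filter just bypassed illustrate the same lesson: stripping known tags is not a defence, output encoding is. Here is an added example in JavaScript (not the notes' PHP script and not Juice Shop's code) showing the greeting rendered three ways, with constructed inputs:

```javascript
// Added example (not the notes' PHP script nor Juice Shop's code): the
// reflected greeting page rebuilt three ways. The strip-based filter mirrors
// the username filtering observed on the profile page; the encoder is the fix.

// Vulnerable: the query parameter lands in the HTML untouched.
function greetVulnerable(username) {
  return "<p>Hi " + username + "</p>";
}

// Looks like a fix but is not: removing one "<script>" leaves a full tag
// behind when the input carries the tag twice, the bypass seen above.
function greetStripFilter(username) {
  return "<p>Hi " + username.replace(/<script>/i, "") + "</p>";
}

// Fix: encode every character that has meaning in HTML text or attributes,
// so the browser renders the input as text rather than markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}
function greetSafe(username) {
  return "<p>Hi " + escapeHtml(username) + "</p>";
}

// Does the rendered HTML still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: the alert payload from the notes and a doubled form
// that survives a single strip.
const payload = "<script>alert(1)</script>";
const doubled = "<scr<script>ipt>alert(1)</script>";

console.log(greetVulnerable(payload), containsScriptTag(greetVulnerable(payload)));   // true
console.log(greetStripFilter(payload), containsScriptTag(greetStripFilter(payload))); // false
console.log(greetStripFilter(doubled), containsScriptTag(greetStripFilter(doubled))); // true
console.log(greetSafe(doubled), containsScriptTag(greetSafe(doubled)));               // false
```

The encoder is contextual: this one is correct for HTML body text and quoted attributes, but JavaScript, URL and CSS contexts each need their own encoding, which is why the OWASP XSS cheat sheet linked above is organized by output context.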
- Using Intruder to perform attack against xss
Capture the XSS “Set Username” request with Burp and send it to Intruder
From the Intruder tab, clear all fields, select only the XSS location and press Add:
Add payloads which can be found by googling: xss payloads Payloads Link: https://github.com/Pgaijin66/XSS-Payloads/blob/master/payload.txt
Under the Payloads tab under intruder we can add / paste the payloads from the github page:
- DOM XSS (has interactive tutorial)
- Cookies set as HttpOnly and Secure
- HttpOnly prevents client-side scripts (document.cookie) from reading the cookie, so an injected script cannot steal it
- XSS Header filtering
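As an added example of the cookie mitigation (not Juice Shop's own code), a helper that issues a session cookie with the HttpOnly and Secure flags (plus SameSite), and a small audit function that reports which of those flags a given Set-Cookie header is missing. The header strings are constructed:

```javascript
// Added example (not Juice Shop's own code): building a session cookie with
// the protective flags, plus an audit helper that checks whether a Set-Cookie
// header already carries them. Header strings are constructed for the demo.

// HttpOnly keeps the value out of document.cookie (an injected script cannot
// read it); Secure restricts it to HTTPS; SameSite limits cross-site sending.
function buildSessionCookie(name, value, maxAgeSeconds) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Audit: list the protections a session cookie is missing.
function missingCookieFlags(header) {
  const { attributes } = parseSetCookie(header);
  const missing = [];
  if (!attributes.httponly) missing.push("HttpOnly");
  if (!attributes.secure) missing.push("Secure");
  if (!attributes.samesite) missing.push("SameSite");
  return missing;
}

const weakHeader = "token=abc123; Path=/";
console.log(missingCookieFlags(weakHeader));                                  // [ 'HttpOnly', 'Secure', 'SameSite' ]
console.log(missingCookieFlags(buildSessionCookie("token", "abc123", 3600))); // []
```

When reviewing Burp's captured responses, running each Set-Cookie header through a check like this is a quick way to spot session cookies that an XSS payload could read.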
XSS Game (web application) for Testing Link: https://xss-game.appspot.com/
Insecure Deserialization
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization
- Serialization converts an object into a form that can be written to disk or sent over a network.
- Objects could be serialized as JSON, binary, XML or YAML.
- The opposite process, deserialization, reconstructs the object, and the application then acts on it
Mitigation of Deserialization
- Do not accept serialized objects from untrusted/unknown sources
- Tool: ysoserial
Github Link: https://github.com/frohoff/ysoserial
Using Components with Known Vulnerabilities
- Identifying software that has not been upgraded or patched and leveraging that weakness
Burp Suite contains a few tools that can be used:
Insufficient Logging & Monitoring
- Tracking is important and logging should be included on web servers (for anything and everything)
OWASP Link: https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring
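To make the point concrete, here is an added example in JavaScript (not Juice Shop's own code) of what the missing logging and monitoring would look like for the login form tested earlier: one structured log line per attempt, and a detector that flags a source exceeding a number of failures within a time window. The log events are constructed:

```javascript
// Added example (not Juice Shop's own code): structured authentication
// logging and a detector that flags many failed logins from one source, the
// kind of monitoring whose absence this OWASP entry describes. Events are
// constructed for the demo.

// One structured log line per attempt. Never log the password itself.
function loginEvent(ts, ip, email, success) {
  return JSON.stringify({ ts, event: "login", ip, email, outcome: success ? "success" : "failure" });
}

// Flag sources with at least `threshold` failures inside any `windowMs` span.
function detectBruteForce(logLines, threshold, windowMs) {
  const failuresBySource = new Map(); // ip -> failure timestamps (ms)
  for (const line of logLines) {
    const e = JSON.parse(line);
    if (e.event !== "login" || e.outcome !== "failure") continue;
    const list = failuresBySource.get(e.ip) || [];
    list.push(Date.parse(e.ts));
    failuresBySource.set(e.ip, list);
  }
  const flagged = [];
  for (const [ip, times] of failuresBySource) {
    times.sort((a, b) => a - b);
    let start = 0; // sliding window over sorted timestamps
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) { flagged.push(ip); break; }
    }
  }
  return flagged;
}

// Constructed sample: one source hammering the login form, one normal user
// who mistypes once and then succeeds.
const base = Date.parse("2020-01-01T10:00:00Z");
const sampleLog = [];
for (let i = 0; i < 12; i++) {
  sampleLog.push(loginEvent(new Date(base + i * 1000).toISOString(), "203.0.113.9", "admin@example.test", false));
}
sampleLog.push(loginEvent(new Date(base + 5000).toISOString(), "198.51.100.4", "alice@example.test", false));
sampleLog.push(loginEvent(new Date(base + 9000).toISOString(), "198.51.100.4", "alice@example.test", true));

console.log(detectBruteForce(sampleLog, 10, 60000)); // [ '203.0.113.9' ]
```

The same log lines also answer the user-enumeration and SQL-error findings from earlier: a burst of failures against one email, or a run of requests that each trigger a database error, is only visible if the application writes the event in the first place.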