Hacksplaining - an online course on web vulnerabilities

    Hacksplaining is a well-organized and intuitive online tutorial on the major web vulnerabilities. For each vulnerability it states how often it is encountered, how difficult it is to exploit, and how critical it is, and provides a detailed description, the exploitation vector, the vulnerable code, and recommendations for remediation and protection. As an example, this article walks through one of the exercises: breaking into a virtual online bank using SQL injection.

    Vulnerabilities considered:

    SQL injection

    SQL injection is one of the most common methods of attacking sites and programs that work with databases; it is based on inserting arbitrary SQL code into a query.

    Cross-site Scripting (XSS)

    XSS ("cross-site scripting") is a type of attack on web systems in which malicious code is injected into a page served by the web system (the code is executed on the user's computer when the page is opened) and that code then interacts with the attacker's web server. The site covers three kinds of XSS: stored, reflected, and DOM-based.

    Command execution

    An attack whose goal is to execute arbitrary commands on the host operating system through a vulnerable web application.

    Clickjacking

    A client-side attack vector: when a user clicks on an attacker's specially crafted page, the click actually lands on a control belonging to a completely different site.

    Cross-site Request Forgery

    "Cross-site request forgery" is a type of attack on website visitors that exploits weaknesses of the HTTP protocol. If a victim visits a site created by an attacker, a request is sent secretly on their behalf to another server (for example, a payment system's server) that performs some malicious operation (for example, transferring money to the attacker's account).

    Directory Traversal

    Directory traversal (or path traversal) exploits insufficient validation of user-supplied file names, so that characters denoting a move to the parent directory are passed straight through to the file system API.
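    As an added example (not code from Hacksplaining or from this article), the containment check a server should perform on a user-supplied file name before opening it, in Python. The base directory /srv/app/uploads is a constructed placeholder and does not need to exist for the check to work.

```python
from pathlib import Path


def resolve_under(base_dir: str, requested: str):
    """Resolve `requested` (already URL-decoded by the web framework) inside
    `base_dir`. Returns the absolute path as a string, or None when the
    normalized path escapes the base directory, which is exactly what a
    '../' sequence or an absolute path in the file name tries to do."""
    base = Path(base_dir).resolve()
    # Path.resolve() collapses '..' segments and follows symlinks, so the
    # check below sees the path the OS would actually open, not the raw string.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return str(candidate)


def is_contained(base_dir: str, requested: str) -> bool:
    """True when the requested name stays inside base_dir after normalization."""
    return resolve_under(base_dir, requested) is not None


if __name__ == "__main__":
    BASE = "/srv/app/uploads"  # constructed placeholder directory
    for name in ("reports/q1.pdf", "../../etc/passwd",
                 "/etc/passwd", "reports/../../secret.txt"):
        print(f"{name!r:28} -> {resolve_under(BASE, name)}")
```

    The point of normalizing first and comparing afterwards is that no list of forbidden substrings is needed: whatever encoding or dot sequence the name used, the only question asked is whether the path the kernel would open lies under the directory the application intended.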

    File Upload Vulnerabilities

    File uploads should be treated with caution: they are an easy way for an attacker to inject malicious code into your application.

    Broken access control

    Every resource on your site must have access control implemented, even if it is not intended for ordinary users. You cannot rely on "security through obscurity."

    Open redirects

    Most web applications use redirection functionality. If your site redirects to any URL supplied in the query string, this helps an attacker build phishing attack vectors.

    Unencrypted communication

    Insufficient encryption leaves you vulnerable to attacks such as man-in-the-middle. Be sure to use HTTPS when transmitting any kind of confidential information.

    User enumeration

    If an attacker can abuse the authentication feature to check whether a username exists on your site, this greatly simplifies exploiting other vulnerabilities.

    Information leakage

    Exposed service information helps an attacker learn about your site's technologies, paths, etc., and may enable an attacker

    Password mismanagement

    Secure password processing is essential for a secure authentication system.

    Privilege Escalation

    Privilege escalation: an attacker uses a vulnerability to impersonate another user (usually one with higher rights) or to obtain additional permissions.

    Session fixation

    Insecure handling of session identifiers can lead to user session hijacking.

    Weak session IDs

    Predictable session IDs make your site vulnerable to session hijacking.

    XML Bombs

    XML documents may contain inline macros. Insecure expansion of these macros can make your server vulnerable to specially crafted XML files.

    XML External Entities

    XML files may include references to external documents. Insecure processing of these external references allows an attacker to gain access to the file system.

    Walkthrough of a vulnerability case: SQL injection

    At the first step, we see the online banking login form and a notice that a vulnerability probably exists:

    For convenience, the request log is located at the bottom of the page:

    Next, we are asked to enter an arbitrary legitimate username and password:

    The data is incorrect, so we try to bypass the authorization system:

    We get an error message (and more detailed information in the log):

    On the CODE tab that appears, we reveal the nature of the error:

    We see how the query is assembled; now we try to use this vulnerability to bypass the online banking authorization:

    As you can see, we added the condition "1 = 1", so the check becomes "if the username is 'user' or 1 = 1", and 1 always equals 1. Put more simply, we try to log in as the user "user" with a password of "1 = 1".

    The condition 1 = 1 is met, and the password field is discarded!

    In this way, we got into the online banking system. Next, we are given a description of injection protection methods: code examples, risk descriptions, etc.
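    The protection the course recommends comes down to never letting user input become part of the SQL text. As an added example (not the course's own code, nor the article's), the following Python script puts a login check built by string concatenation, as shown on the CODE tab, next to its parameterized counterpart, against an in-memory SQLite database with constructed sample accounts. It reproduces the three states of the walkthrough: the database error caused by a stray quote, the "1 = 1" bypass, and the same input failing harmlessly once bound parameters are used. The table layout, account names and the exact injected string are assumptions for the demo.

```python
import sqlite3

# Constructed sample accounts for the demo only (not data from the course).
# Passwords are stored in plaintext purely to keep the example short; a real
# system stores a salted password hash and compares against that.
SEED_USERS = [("user", "correct horse battery staple"), ("admin", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the WHERE clause by string concatenation, the pattern shown on the
    course's CODE tab. Returns True/False for the login result, or None when the
    database raised an error (the 'error message' step of the walkthrough)."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return None
    return row is not None


def login_parameterized(conn, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver passes the input as data, so
    quotes and 'OR 1=1' can never change the structure of the query."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo() -> dict:
    conn = make_db()
    # The username the walkthrough effectively submits: the quote closes the
    # string literal, "OR 1=1" is always true, and "--" turns the rest of the
    # query (the password check) into a comment.
    injected_user = "user' OR 1=1 --"
    return {
        "vuln_legit": login_vulnerable(conn, "user", "correct horse battery staple"),
        "vuln_wrong_password": login_vulnerable(conn, "user", "wrong"),
        "vuln_stray_quote": login_vulnerable(conn, "user'", "x"),          # -> None
        "vuln_injected": login_vulnerable(conn, injected_user, "anything"),  # -> True
        "safe_legit": login_parameterized(conn, "user", "correct horse battery staple"),
        "safe_injected": login_parameterized(conn, injected_user, "anything"),  # -> False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

    Two details are worth noticing when running it: the stray quote produces a database exception rather than a clean "wrong password", which is the leak the walkthrough uses to confirm the injection, and the parameterized version treats the whole injected string as a username that simply does not exist, with no escaping logic of its own.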

    Additionally

    As a supplement to the exploitation of the SQL injection vector, the following material is recommended for reading:

    Conclusion

    The online tutorial is detailed and well made, and is recommended primarily for developers as a visual guide to "how not to write code." For information security specialists, it is a good cheat sheet and a tool for visualizing web vulnerabilities, with good descriptions and step-by-step demonstrations of each attack vector.

    www.hacksplaining.com
