Sunday, 18 April 2021

XML external entity vs Broken Access Control vs Security Misconfiguration


XML external entity vs Broken Access Control vs Security Misconfiguration

Question: What is XML external entity injection?
It allows an attacker to interfere with an application's processing of XML data.
It often allows an attacker to view files on the application server filesystem, and to interact with any back-end.

Question: How do XXE vulnerabilities arise?
Some applications use the XML format to transmit data between the browser and the server.
Applications that do this virtually always use a standard library or platform API to process the XML data on the server.
XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by the application.

Question: What are the types of XXE attacks?
  1. Exploiting XXE to retrieve files
  2. Exploiting XXE to perform SSRF attacks
  3. Exploiting blind XXE exfiltrate data out-of-band, where sensitive data is transmitted from the application server to a system that the attacker controls.
  4. Exploiting blind XXE to retrieve data via error messages, where the attacker can trigger a parsing error message containing sensitive data.

Question: How to prevent XXE vulnerabilities
The easiest and most effective way to prevent XXE attacks is to disable dangerous XML features that the application does not need or intend to use.

What is Broken Access Control?
Most of the website/Application have Access controls by Groups. When this functionality was not implemented properly or having loop holes thats Broken Access Control Vulnerablity.
Access control sounds like a simple problem but is insidiously difficult to implement correctly.

How to Protect Yourself from Broken Access Control Vulnerablity?
  1. Insecure Id’s : Web applications should not rely on the secrecy of any id’s for protection.
  2. Forced Browsing Past Access Control Checks
  3. Path Traversal must be there before grant access
  4. File Permissions: We should give minimum file access
  5. Client Side Caching: Developers should use multiple mechanisms, including HTTP headers and meta tags, to be sure that pages containing sensitive information are not cached by user’s browsers.

Question: What is Security Misconfiguration?
Security Misconfiguration is defined as failing to implement all the security controls for a server or web application, or implementing the security controls.

Give few example of Security Misconfiguration Attack Scenarios?
  1. The application server comes with sample applications that are not removed from the production server.
    These sample applications have known security flaws attackers use to compromise the server.
  2. Directory listing is not disabled on the server.
  3. The application server’s configuration allows detailed error messages, e.g. stack traces, to be returned to users
  4. cloud service provider has default sharing permissions open to the Internet by other CSP users.

Question: How to Prevent Security Misconfiguration?
  1. Remove sample application that comes.
  2. Directory listing must be disabled on the server
  3. Disabled default error message dtails
  4. Always give least permissions
  5. Upto date the servers.
  6. Must be unit testing by developer then by QA
  7. An automated process to verify the effectiveness of the configurations and settings in all environments.
  8. Remove or do not install unused features and frameworks.

What is sensitive data exposure


What is sensitive data exposure

Question: What is sensitive data exposure?
Sensitive data exposure happen when an application OR company exposes users's personal data that might be result of no-encryption, weak encryption, software flaws or upload data to public by mistake.

Question: Example of Attack Scenarios?
  1. Someone upload the company data in Facebook/twitter etc by mistake
  2. Transfer of data through HTTP/FTP/SMTP without encryption
  3. Storing the credit card numbers, health records, personal information (email/phone) storing in database without encryption
  4. Encrypting the data with weak cryptographic algorithms or default algorithms
  5. Reuse of cryptographic algorithms OR hash
  6. Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing
  7. User agent (e.g. app, mail client) not verifying the certificate when received request.

Question: How to Prevent sensitive data exposure?
  1. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs
  2. Apply controls as per the classification.
  3. Don’t store sensitive data unnecessarily
  4. Make sure to encrypt all sensitive data at rest.
  5. Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
  6. Encrypt all data in transit with secure protocols such as TLS
  7. Disable caching for response that contain sensitive data
  8. Store passwords using strong adaptive and salted hashing functions.
  9. Verify independently the effectiveness of configuration and settings

Question: Give few popular data breach in history?
  1. Sony PlayStation Network: 77 million records compromised in 2010
  2. Sony Online Entertainment: 24.6 million records compromised in 2011
  3. Evernote: 50 million records compromised in 2013
  4. Living Social: 50 million records compromised in 2013
  5. Target: 70 million records compromised in 2013
  6. eBay: 145 million records compromised in 2014
  7. Home Depot: 56 million records compromised in 2014
  8. JP Morgan Chase: 76 million records compromised in 2014
  9. Anthem: 80 million records compromised in 2015
  10. Yahoo: One billion records compromised in 2016
  11. Deep Root Analytics: 198 million voter records in 2017