Sunday 18 April 2021

XML external entity vs Broken Access Control vs Security Misconfiguration


XML external entity vs Broken Access Control vs Security Misconfiguration

Question: What is XML external entity injection?
It allows an attacker to interfere with an application's processing of XML data.
It often allows an attacker to view files on the application server filesystem, and to interact with any back-end.

Question: How do XXE vulnerabilities arise?
Some applications use the XML format to transmit data between the browser and the server.
Applications that do this virtually always use a standard library or platform API to process the XML data on the server.
XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by the application.

Question: What are the types of XXE attacks?
  1. Exploiting XXE to retrieve files
  2. Exploiting XXE to perform SSRF attacks
  3. Exploiting blind XXE exfiltrate data out-of-band, where sensitive data is transmitted from the application server to a system that the attacker controls.
  4. Exploiting blind XXE to retrieve data via error messages, where the attacker can trigger a parsing error message containing sensitive data.

Question: How to prevent XXE vulnerabilities
The easiest and most effective way to prevent XXE attacks is to disable dangerous XML features that the application does not need or intend to use.

What is Broken Access Control?
Most of the website/Application have Access controls by Groups. When this functionality was not implemented properly or having loop holes thats Broken Access Control Vulnerablity.
Access control sounds like a simple problem but is insidiously difficult to implement correctly.

How to Protect Yourself from Broken Access Control Vulnerablity?
  1. Insecure Id’s : Web applications should not rely on the secrecy of any id’s for protection.
  2. Forced Browsing Past Access Control Checks
  3. Path Traversal must be there before grant access
  4. File Permissions: We should give minimum file access
  5. Client Side Caching: Developers should use multiple mechanisms, including HTTP headers and meta tags, to be sure that pages containing sensitive information are not cached by user’s browsers.

Question: What is Security Misconfiguration?
Security Misconfiguration is defined as failing to implement all the security controls for a server or web application, or implementing the security controls.

Give few example of Security Misconfiguration Attack Scenarios?
  1. The application server comes with sample applications that are not removed from the production server.
    These sample applications have known security flaws attackers use to compromise the server.
  2. Directory listing is not disabled on the server.
  3. The application server’s configuration allows detailed error messages, e.g. stack traces, to be returned to users
  4. cloud service provider has default sharing permissions open to the Internet by other CSP users.

Question: How to Prevent Security Misconfiguration?
  1. Remove sample application that comes.
  2. Directory listing must be disabled on the server
  3. Disabled default error message dtails
  4. Always give least permissions
  5. Upto date the servers.
  6. Must be unit testing by developer then by QA
  7. An automated process to verify the effectiveness of the configurations and settings in all environments.
  8. Remove or do not install unused features and frameworks.