Less Known Web Application Vulnerabilities
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
How to Secure Your Web Site Picked up SQL Injection and Cross-Site Scripting As Sample Cases of Failure Because These Two Are the Two Most Reported Vulnerabilities
How to Secure your Website rd 3 Edition Approaches to Improve Web Application and Web Site Security June 2008 IT SECURITY CENTER (ISEC) INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN This document is a translation of the original Japanese edition. Please be advises that most of the references referred in this book are offered in Japanese only. Both English and Japanese edition are available for download at: http://www.ipa.go.jp/security/english/third.html (English web page) http://www.ipa.go.jp/security/vuln/websecurity.html (Japanese web page) Translated by Hiroko Okashita (IPA), June 11 2008 Contents Contents ......................................................................................................................................... 1 Preface ........................................................................................................................................... 2 Organization of This Book ........................................................................................................... 3 Intended Reader ......................................................................................................................... 3 Fixing Vulnerabilities – Fundamental Solution and Mitigation Measure - .................................... 3 1. Web Application Security Implementation ............................................................................... 5 1.1 SQL Injection .................................................................................................................... 6 1.2 -
Web Hacking 101 How to Make Money Hacking Ethically
Web Hacking 101 How to Make Money Hacking Ethically Peter Yaworski © 2015 - 2016 Peter Yaworski Tweet This Book! Please help Peter Yaworski by spreading the word about this book on Twitter! The suggested tweet for this book is: Can’t wait to read Web Hacking 101: How to Make Money Hacking Ethically by @yaworsk #bugbounty The suggested hashtag for this book is #bugbounty. Find out what other people are saying about the book by clicking on this link to search for this hashtag on Twitter: https://twitter.com/search?q=#bugbounty For Andrea and Ellie. Thanks for supporting my constant roller coaster of motivation and confidence. This book wouldn’t be what it is if it were not for the HackerOne Team, thank you for all the support, feedback and work that you contributed to make this book more than just an analysis of 30 disclosures. Contents 1. Foreword ....................................... 1 2. Attention Hackers! .................................. 3 3. Introduction ..................................... 4 How It All Started ................................. 4 Just 30 Examples and My First Sale ........................ 5 Who This Book Is Written For ........................... 7 Chapter Overview ................................. 8 Word of Warning and a Favour .......................... 10 4. Background ...................................... 11 5. HTML Injection .................................... 14 Description ....................................... 14 Examples ........................................ 14 1. Coinbase Comments ............................. -
The Javascript Revolution
Top teams present at Segfault Tank on 4/21: 1 Duel: 6 (2 extra shifted from self votes) 2 Ambassador: 4 3 QuickSource: 3 4 ChalkBoard: 3 5 Fortuna Beer: 3 Bottom teams present in class this Thursday 4/16: 1 Scribble: 2 2 ClearViz: 2 3 AllInOne: 1 4 TripSplitter: 0 Shockers: Scribble & Fortuna Congrats on sneaky strategizing to get yourself to the top :) The moment of fruit: the class has spoken Shockers: Scribble & Fortuna Congrats on sneaky strategizing to get yourself to the top :) The moment of fruit: the class has spoken Top teams present at Segfault Tank on 4/21: 1 Duel: 6 (2 extra shifted from self votes) 2 Ambassador: 4 3 QuickSource: 3 4 ChalkBoard: 3 5 Fortuna Beer: 3 Bottom teams present in class this Thursday 4/16: 1 Scribble: 2 2 ClearViz: 2 3 AllInOne: 1 4 TripSplitter: 0 Congrats on sneaky strategizing to get yourself to the top :) The moment of fruit: the class has spoken Top teams present at Segfault Tank on 4/21: 1 Duel: 6 (2 extra shifted from self votes) 2 Ambassador: 4 3 QuickSource: 3 4 ChalkBoard: 3 5 Fortuna Beer: 3 Bottom teams present in class this Thursday 4/16: 1 Scribble: 2 2 ClearViz: 2 3 AllInOne: 1 4 TripSplitter: 0 Shockers: Scribble & Fortuna The moment of fruit: the class has spoken Top teams present at Segfault Tank on 4/21: 1 Duel: 6 (2 extra shifted from self votes) 2 Ambassador: 4 3 QuickSource: 3 4 ChalkBoard: 3 5 Fortuna Beer: 3 Bottom teams present in class this Thursday 4/16: 1 Scribble: 2 2 ClearViz: 2 3 AllInOne: 1 4 TripSplitter: 0 Shockers: Scribble & Fortuna Congrats on sneaky strategizing -
Cross-Domain Communications
CSE 361: Web Security Cross-domain Communication Nick Nikiforakis 2 A World Without Separation between Sites http://kittenpics.org https://gmail.com 3 The Same-Origin Policy for JavaScript • Most basic access control policy • controls how active content can access resources • Same-Origin Policy for JavaScript for three actions • Script access to other document in same browser • frames/iframes • (popup) windows • Script access to application-specific local state • cookies, Web Storage, or IndexedDB • Explicit HTTP requests to other hosts • XMLHttpRequest 4 The Same-Origin Policy for JavaScript • Only allows access if origins match Protocol Hostname Port • Origin defined by protocol, hostname, and port http://example.org:80/path/ Originating document Accessed document Non-IE Browser Internet Explorer http://example.org/a http://example.org/b http://example.org http://www.example.org http://example.org https://example.org http://example.org http://example.org:81 5 Domain Relaxation • Two sub-domains of a common parent domain want to communicate • Notably: can overwrite different port! • Browsers allow setting document.domain property • Can only be set to valid suffix including parent domain • test.example.org -> example.org ok • example.org -> org forbidden • When first introduced, relaxation of single sub-domain was sufficient • Nowadays: both (sub-)domains must explicitly set document.domain 6 Domain Relaxation http://sub.kittenpics.org http://kittenpics.org document.domain = "kittenpics.org" document.domain = "kittenpics.org" 7 Domain Relaxation http://sub.kittenpics.org http://kittenpics.org document.domain = "kittenpics.org" Cross-Origin Communication 9 Cross-origin communication • Subdomains of the same domain can use domain relaxation when they want to talk to one another. -
Cross-Domain Embedding for Vaadin Applications
Cross-Domain Embedding for Vaadin Applications Janne Lautamäki and Tommi Mikkonen Department of Software Systems, Tampere University of Technology, Korkeakoulunkatu 1, FI-33720 Tampere, Finland {janne.lautamaki,tommi.mikkonen}@tut.fi Abstract. Although the design goals of the browser were originally not at running applications or at displaying a number of small widgets on a single web page, today many web pages considerably benefit from being able to host small embedded applications as components. While the web is full such applications, they cannot be easily reused because of the same origin policy restrictions that were introduced to protect web content from potentially malicious use. In this paper, we describe a generic design for cross domain embedding of web applications in a fashion that enables loading of applications from different domains as well as communication between the client and server. As the proof- of-concept implementation environment, we use web development framework Vaadin, a Google Web Toolkit based system that uses Java for application development. Keywords: Vaadin, JSONP, cross-domain applications. 1 Introduction Web applications – systems that resemble desktop applications in their behavior but are run inside the browser – are becoming increasingly common. The current trend is that web pages have dynamic components side by side with the traditional web content, such as static text and images. These dynamic components can be small widgets that for instance display current weather information or stock exchange data, or even full-fledged web applications that offer a service related to the theme of the web page where they are located [1]. Creating dynamic web pages is much more complex than building plain old web pages. -
Web Vulnerabilities (Level 1 Scan)
Web Vulnerabilities (Level 1 Scan) Vulnerability Name CVE CWE Severity .htaccess file readable CWE-16 ASP code injection CWE-95 High ASP.NET MVC version disclosure CWE-200 Low ASP.NET application trace enabled CWE-16 Medium ASP.NET debugging enabled CWE-16 Low ASP.NET diagnostic page CWE-200 Medium ASP.NET error message CWE-200 Medium ASP.NET padding oracle vulnerability CVE-2010-3332 CWE-310 High ASP.NET path disclosure CWE-200 Low ASP.NET version disclosure CWE-200 Low AWStats script CWE-538 Medium Access database found CWE-538 Medium Adobe ColdFusion 9 administrative login bypass CVE-2013-0625 CVE-2013-0629CVE-2013-0631 CVE-2013-0 CWE-287 High 632 Adobe ColdFusion directory traversal CVE-2013-3336 CWE-22 High Adobe Coldfusion 8 multiple linked XSS CVE-2009-1872 CWE-79 High vulnerabilies Adobe Flex 3 DOM-based XSS vulnerability CVE-2008-2640 CWE-79 High AjaxControlToolkit directory traversal CVE-2015-4670 CWE-434 High Akeeba backup access control bypass CWE-287 High AmCharts SWF XSS vulnerability CVE-2012-1303 CWE-79 High Amazon S3 public bucket CWE-264 Medium AngularJS client-side template injection CWE-79 High Apache 2.0.39 Win32 directory traversal CVE-2002-0661 CWE-22 High Apache 2.0.43 Win32 file reading vulnerability CVE-2003-0017 CWE-20 High Apache 2.2.14 mod_isapi Dangling Pointer CVE-2010-0425 CWE-20 High Apache 2.x version equal to 2.0.51 CVE-2004-0811 CWE-264 Medium Apache 2.x version older than 2.0.43 CVE-2002-0840 CVE-2002-1156 CWE-538 Medium Apache 2.x version older than 2.0.45 CVE-2003-0132 CWE-400 Medium Apache 2.x version -
The Definitive Guide to Same-Origin Policy
WHITEPAPER APRIL 2018 THE DEFINITIVE GUIDE TO SAME-ORIGIN POLICY Ziyahan Albeniz TABLE OF CONTENTS 3 INTRODUCTION 3 A WORLD WITHOUT SAME-ORIGIN POLICY 4 SAME-ORIGIN POLICY IN DETAIL 5 SAME-ORIGIN POLICY IMPLEMENTATIONS 6 DOM Access and Same-origin Policy 6 Internet Explorer 6 JavaScript Setting: document.domain 7 Same-origin Policy vs. Web 2.0 7 XmlHTTPRequest 8 JSON Padding (JSONP) 9 XDomainRequest and JSONP vs. CORS 10 CROSS-ORIGIN RESOURCE SHARING (CORS) IN DETAIL 10 Simple Request 11 Preflight Request 13 Cookies 13 Implementations 14 CORS on Security 15 SAME-ORIGIN POLICY FOR RICH INTERNET APPLICATIONS 15 Java – A Security Note 15 Flash and Silverlight 17 Security Implications 17 NEXT GENERATION SAME-ORIGIN POLICY 18 Security Perspective 19 FINAL THOUGHTS AND CONCLUSION Whitepaper | The Definitive Guide to Same-Origin Policy INTRODUCTION Back in the 1980s, the Internet was far different than it is today. Internet content was available only via email, special message boards like dial-in Bulletin Board Systems, newsgroups, etc. There was no well-defined rich content to the Internet, only plain text and plain files. But then in 1989, Sir Tim Berners-Lee invented the World Wide Web – a name no longer used, simply called “the Internet” today – as a way to enrich the content available online as something more than just text and data, but also content layouts, text decoration, media embedding, and so forth. Rather quickly, this idea caught on. Software called “Web Browsers” began to explode in popularity, including Cello, Mosaic, and most especially Netscape Navigator, rendering content generated from documents containing Ber- ners-Lee’s Hyper-Text Markup Language (HTML). -
HTTP Parameter Pollution Vulnerabilities in Web Applications @ Blackhat Europe 2011 @
HTTP Parameter Pollution Vulnerabilities in Web Applications @ BlackHat Europe 2011 @ Marco ‘embyte’ Balduzzi embyte(at)madlab(dot)it http://www.madlab.it Contents 1 Introduction 2 2 HTTP Parameter Pollution Attacks 3 2.1 Parameter Precedence in Web Applications . .3 2.2 Parameter Pollution . .4 2.2.1 Cross-Channel Pollution . .5 2.2.2 HPP to bypass CSRF tokens . .5 2.2.3 Bypass WAFs input validation checks . .6 3 Automated HPP Vulnerability Detection 6 3.1 Browser and Crawler Components . .7 3.2 P-Scan: Analysis of the Parameter Precedence . .7 3.3 V-Scan: Testing for HPP vulnerabilities . .9 3.3.1 Handling special cases . 10 3.4 Implementation . 10 3.4.1 Online Service . 11 3.5 Limitations . 11 4 Evaluation 11 4.1 HPP Prevalence in Popular Websites . 11 4.1.1 Parameter Precedence . 13 4.1.2 HPP Vulnerabilities . 14 4.1.3 False Positives . 15 4.2 Examples of Discovered Vulnerabilities . 15 4.2.1 Facebook Share . 16 4.2.2 CSRF via HPP Injection . 16 4.2.3 Shopping Carts . 16 4.2.4 Financial Institutions . 16 4.2.5 Tampering with Query Results . 17 5 Related work 17 6 Conclusion 18 7 Acknowledgments 18 1 1 Introduction In the last twenty years, web applications have grown from simple, static pages to complex, full-fledged dynamic applications. Typically, these applications are built using heterogeneous technologies and consist of code that runs on the client (e.g., Javascript) and code that runs on the server (e.g., Java servlets). Even simple web applications today may accept and process hundreds of different HTTP parameters to be able to provide users with rich, inter- active services. -
Developer Report Testphp Vulnweb Com.Pdf
Acunetix Website Audit 31 October, 2014 Developer Report Generated by Acunetix WVS Reporter (v9.0 Build 20140422) Scan of http://testphp.vulnweb.com:80/ Scan details Scan information Start time 31/10/2014 12:40:34 Finish time 31/10/2014 12:49:30 Scan time 8 minutes, 56 seconds Profile Default Server information Responsive True Server banner nginx/1.4.1 Server OS Unknown Server technologies PHP Threat level Acunetix Threat Level 3 One or more high-severity type vulnerabilities have been discovered by the scanner. A malicious user can exploit these vulnerabilities and compromise the backend database and/or deface your website. Alerts distribution Total alerts found 190 High 93 Medium 48 Low 8 Informational 41 Knowledge base WordPress web application WordPress web application was detected in directory /bxss/adminPan3l. List of file extensions File extensions can provide information on what technologies are being used on this website. List of file extensions detected: - php => 50 file(s) - css => 4 file(s) - swf => 1 file(s) - fla => 1 file(s) - conf => 1 file(s) - htaccess => 1 file(s) - htm => 1 file(s) - xml => 8 file(s) - name => 1 file(s) - iml => 1 file(s) - Log => 1 file(s) - tn => 8 file(s) - LOG => 1 file(s) - bak => 2 file(s) - txt => 2 file(s) - html => 2 file(s) - sql => 1 file(s) Acunetix Website Audit 2 - js => 1 file(s) List of client scripts These files contain Javascript code referenced from the website. - /medias/js/common_functions.js List of files with inputs These files have at least one input (GET or POST). -
WEB APPLICATION PENETRATION TESTING] March 1, 2018
[WEB APPLICATION PENETRATION TESTING] March 1, 2018 Contents Information Gathering .................................................................................................................................. 4 1. Conduct Search Engine Discovery and Reconnaissance for Information Leakage .......................... 4 2. Fingerprint Web Server ..................................................................................................................... 5 3. Review Webserver Metafiles for Information Leakage .................................................................... 7 4. Enumerate Applications on Webserver ............................................................................................. 8 5. Review Webpage Comments and Metadata for Information Leakage ........................................... 11 6. Identify Application Entry Points ................................................................................................... 11 7. Map execution paths through application ....................................................................................... 13 8. Fingerprint Web Application & Web Application Framework ...................................................... 14 Configuration and Deployment Management Testing ................................................................................ 18 1. Test Network/Infrastructure Configuration..................................................................................... 18 2. Test Application Platform Configuration....................................................................................... -
Implementation of Secure Cross-Site Communication on QIIIEP
International Journal of Advancements in Technology http://ijict.org/ ISSN 0976-4860 Implementation of Secure Cross-site Communication on QIIIEP Dilip Kumar Sharma GLA University, Mathura, UP, India [email protected] A. K. Sharma YMCA University of Science and Technology, Faridabad, Haryana, India [email protected] Abstract In today’s scenario, web is expanding exponentially and internet is evolving towards presentation to social connectivity. The web is in the phase of inter operative extensive data diffusion necessitating proper information dissemination. The query intensive interface information extraction protocol (QIIIEP) is proposed to fulfill this need. QIIIEP is the novel protocol proposed by the same author for efficient retrieval of deep web information. Implementation of QIIIEP is based on cross-site communication, which is a technique to provide communication between different sites by using various client or server side methods. As the functioning of QIIIEP protocol is based on cross-site communication, so purpose of this paper is to find out efficient, safe and secure mechanism for cross-site communication for QIIIEP protocol. In this paper, the different aspects of technological implementations of different available cross-site communication techniques with reference to QIIIEP protocol are analyzed with their relative advantages, limitations and security concerns. The purpose of this analysis is to find out the appropriate solution for query words extraction from web pages so that query words can be efficiently stored on the QIIIEP server [1]. A simple and secure mechanism is proposed in which all the confidential contents are enclosed in <secure> tag. This tag ensures encryption of contents at server side and decryption at client site. -
OWASP Annotated Application Security Verification Standard
OWASP Annotated Application Security Verification Standard Documentation Release 3.0.0 Boy Baukema Oct 03, 2017 Browse by chapter: 1 v1 Architecture, design and threat modelling1 2 v2 Authentication verification requirements3 3 v3 Session management verification requirements 13 4 v4 Access control verification requirements 19 5 v5 Malicious input handling verification requirements 23 6 v6 Output encoding / escaping 27 7 v7 Cryptography at rest verification requirements 29 8 v8 Error handling and logging verification requirements 31 9 v9 Data protection verification requirements 35 10 v10 Communications security verification requirements 39 11 v11 HTTP security configuration verification requirements 43 12 v12 Security configuration verification requirements 47 13 v13 Malicious controls verification requirements 49 14 v14 Internal security verification requirements 51 15 v15 Business logic verification requirements 53 16 v16 Files and resources verification requirements 55 17 v17 Mobile verification requirements 59 18 v18 Web services verification requirements 63 19 v19 Configuration 65 20 Level 1: Opportunistic 67 i 21 Level 2: Standard 69 22 Level 3: Advanced 71 ii CHAPTER 1 v1 Architecture, design and threat modelling 1.1 All components are identified Verify that all application components are identified and are known to be needed. Levels: 1, 2, 3 General The purpose of this requirement is twofold: 1. Discover third party components that may contain (public) vulnerabilities. 2. Discover ‘dead code / dependencies’ that increase attack surface without any benefit in functionality. Developers may be tempted to keep dead code / dependencies around ‘in case I ever need it’, however this is not an argument for a shippable product, such dead code / dependencies is better left on a source control system.