OWASP A7 and A8

OWASP A7 & A8

pavanw3b

11 th February ServiceNow

$ whoami Pavan aka pavanw3b Security Engineer @ Core member - n|u Hyd Free time bug bounty participant

OWASP talks continued at n|u Hyd..

Open Web Application Security Project◦ Top 10◦ Tools◦ Testing guide◦ Cheat sheets

Web Top Ten 2013

A7 - Missing Function

Level Access Control

A7-Missing Function Level Access Control

https://pavanw3b.com/report/user

A7-Missing Function Level Access Control

https://pavanw3b.com/report/admin

How is it done?

◦ Force browse URL: /site/admin◦ Parameter: ?action=getappinfo

Wait a min..

Isn’t it IDOR?A4Insecure Direct Object Reference

Revisit A4 – Insecure Direct Object Reference https://biller.com/download?bill_id=1337

Missing Function Level Access Control

Performssomeoperation

Ability

to control the

Ability

to control the

Missing

How to find?◦ Navigation, Form action, API ◦ Escalate Privilege◦ Server-side Authentication & Authorization

How is different from IDOR?◦ Function level◦ Usually invokes a function ◦ For Programmers◦ Mostly about Vertical Privilege Escalation?◦ It’s a type of IDOR?◦ Not all IDOR are MFLA?

Prevent MFLA◦ Access Control at Server Side◦ Don’t just hide UI◦ Modular level authorization

A8 – Cross Site Request Forgery

(CSRF)

A8 – Cross Site Request ForgeryCross site : OutsideRequest : Perform Action Forgery : Fake

“Fake an user action outside the site”

How CSRF happens?◦ GET /delete?user_id=1001◦ POST /transact?toAccount=900123&amount=100◦ Innocent looking page◦ Hidden iframe – form – img – submit◦ Success!

Why it works?◦ Authenticated session exists ◦ (Stupid) Browser sends cookies by default!◦ Server can’t verify origin of the request

A few facts to note◦ Happens on someone’s site hence◦ CSRF = XSRF◦ Inducing User action◦ Unknown to the User◦ Riding on User session

The worst CSRF◦ Admin site – Neglected – CSRF & SQLi◦ Home DSL Router – Default cred – CSRF◦ Stored Self XSS & CSRF !

A few non-CSRF Scenario◦ Public action: Contact, logout◦ Read only – No state change

Preventing CSRF◦ Token - nonce

◦ URL◦ Form hidden field◦ HTTP Header

◦Confirm User interaction: Re-authenticate, CAPTCHA

Token Security◦ Should be treated as session token◦ Crypto random◦ Time bound◦ Can limit to user session, form

A few CSRF blunders◦ Multi stage form process◦ CSRF Token in Cookies◦ Redirection◦ Depending on HTTP Referer: Old version of flash & meta refresh tag

Reference◦ OWASP.org◦ Web Application Hackers Handbook

Thank you..fb.com/pavanw3b @pavanw3b

linkedin.com/in/pavanw3bwww.pavanw3b.com

fb.com/nullhyd @nullhyd#nullhyd

OWASP A7 and A8

Technology

Transcript of OWASP A7 and A8

FEATURES - X Rocker A-Control Panel ... A7-9V DC Power Input Jack A8-Power Indicator Light ... TX Transmission distance: < 65.6 ft / 20 meters ...

Model A7, A8 and A9 Manufactured after July 2005)raritaneng.com/pdf_files/Atlantes Freedom/L345v0911.pdfATLANTES FREEDOM Household Style Marine Toilet Model A7, A8 and A9 Manufactured

Virtex 5 - Xilinx...B1 A2 A3 A4 A5 A6 A7 A8 A9 A10 A1 B2 B3 B4 B5 B6 B7 B8 B9 B10 A21 A2 A3 A4 A5 A6 A7 A8 A9 A10 A11 A12 A13 A14 A15 A16 A17 A18 A19 A20 B11 B12 B13 B14 B15 B16 B17

simonrigelsford.files.wordpress.com · Web viewTest A6 – Decimal place value/Compare decimals/Add and subtract decimals Test A7 – Convert between fractions and decimals Test A8

Audi A7 Sportback - procarmanuals.com · Audi A8 '10 is fitted in the Audi A7 Sportback. The control unit also has the same part number (4H0.907.064) as the comfort/ Place of installation

Prep Work Exercises€¦ · OWASP A7 –Cross Site Scripting (XSS) • The Most Prevalent Vulnerability on the OWASP Top 10 • Was at the top until the ranking methodology changed

A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 A11 A12 A13 A14 A15 A16 A17 ...

02 BB A7,A8

OWASP Top 10 - 2013css.csail.mit.edu/6.858/2015/readings/owasp-top-10.pdf2) Cross-Site Request Forgery (CSRF) moved down in prevalence based on our data set from 2010-A5 to 2013-A8.

OWASP (Membership) and new OWASP Projects · OWASP 7 OWASP

SELECTED MILITARY COMPENSATION TABLESmilitarypay.defense.gov/Portals/3/Documents/... · compensation tables selected military. a1 a2 a3 a4 a5 a6 a7 - a8 ... monthly basic pay table

Live On Stage - Leica Microsystems DM4000 B LED/Bro… · 6 A8 Leica Scanning Stage 127 x 83 Art.-No.: 11522100 A7 Slim Motorized 3-Plate Stage 40 mm x 40 mm Art.-No.: 11522069 A7

Bla c k A A1 A2 A3 A4 A5 A6 A7 A8 ro from CABQ, BERNCO ... … · A1 A2 A3 A4 A5 A6 A7 A8 5 Petroglyph National Monument Double Eagle II Airport Albuquerque International Sunport

SPONSORSHIP - DATAVERSITY - Data Education for Business and …content.dataversity.net/rs/wilshireconferences/images/SemTechBiz2… · A7 Mobile App Sponsorship A8 Upgrade space to

GPIB Hardware Guide - Boston Universityg2pc1.bu.edu/~qzpeng/gpib/manual/370426e.pdfA9 7210 9914 A8 A7 A6 A5 A4 A3 PCII PCIIA 10U2 1 2689 7 345 OFF A9 7210 9914 A8 A7 A6 A5 A4 A3 View

CUT PROTECTION MADE SIMPLE CORESHIELD...A2 B A3 C A5 E A8 F A4 D A6 F A9 F A7 F A1 A A2 B A3 C A5 E A8 F A4 D A6 F A9 F A7 F Packaging: Gloves are packed in a plastic bag by inner

OWASP Top 10 2013 WP v4 - MSInfokom · to protect against the OWASP Top 10. OWASP TOP 10 2013 Changes ... 2010-A5 to 2013-A8. ... Security Misconfiguration, but now has a category

HeadTail T1 T2 T3 A1 A2A4 A5 A6 A7 A3 A8 Metamorphosis Quiltwork Assembly of a Fly.

A10 A13 A6 A2 A5 A8 A9 A1 A4 A3 A12 A11 A7 · 2019-07-25 · A2 A3 A4 A5 A6 A7 A8 A9 A10 A11 A12 A13 A15 A14 B1 B2 B5 B8 B3 B6 B9 B12 C13 C14 C10 C7 C4 B4 B7 B10 B11 C11 C8 C5 C2

RAILWAY BUILDING A3 A1 A4 A5 A2 A6 A8 A7 A10...A6 A8 A7 A5 A2 A1 A4 A3 LOW RELIEF OO / HO GAUGE COUNTRY TOWN RAILWAY BUILDING *model aeroplane not included. OO / HO GAUGE RIGID LAMINATED