OWASP A7 and A8
pavan-m
Transcript of OWASP A7 and A8
![Page 1: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/1.jpg)
OWASP A7 & A8
pavanw3b
Hyd
11th February, ServiceNow
![Page 2: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/2.jpg)
$ whoami
Pavan aka pavanw3b
Security Engineer @
Core member - n|u Hyd
Free time bug bounty participant
![Page 3: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/3.jpg)
OWASP talks continued at n|u Hyd..
Open Web Application Security Project
◦ Top 10
◦ Tools
◦ Testing guide
◦ Cheat sheets
Web Top Ten 2013
![Page 4: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/4.jpg)
A7 - Missing Function Level Access Control
![Page 5: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/5.jpg)
A7-Missing Function Level Access Control
https://pavanw3b.com/report/user
![Page 6: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/6.jpg)
A7-Missing Function Level Access Control
https://pavanw3b.com/report/admin
![Page 7: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/7.jpg)
How is it done?
◦ Force browse URL: /site/admin
◦ Parameter: ?action=getappinfo
![Page 8: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/8.jpg)
Wait a min..
Isn’t it IDOR?
A4 – Insecure Direct Object Reference
![Page 9: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/9.jpg)
Revisit A4 – Insecure Direct Object Reference
https://biller.com/download?bill_id=1337
![Page 10: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/10.jpg)
Missing Function Level Access Control
![Page 11: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/11.jpg)
Missing Function Level Access Control
(Diagram, build-up step 1; only these labels are recoverable: "Performs some operation", "Ability to")
![Page 12: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/12.jpg)
Missing Function Level Access Control
(Diagram, build-up step 2; only these labels are recoverable: "Performs some operation", "Ability to control the")
![Page 13: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/13.jpg)
Missing Function Level Access Control
(Diagram, build-up step 3; only these labels are recoverable: "Performs some operation", "Ability to control the", "Missing")
![Page 14: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/14.jpg)
How to find?
◦ Navigation, Form action, API
◦ Escalate Privilege
◦ Server-side Authentication & Authorization
![Page 15: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/15.jpg)
How is it different from IDOR?
◦ Function level
◦ Usually invokes a function
◦ For Programmers
◦ Mostly about Vertical Privilege Escalation?
◦ It’s a type of IDOR?
◦ Not all IDORs are MFLA?
![Page 16: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/16.jpg)
Prevent MFLA
◦ Access Control at Server Side
◦ Don’t just hide UI
◦ Modular level authorization
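The three prevention points above, shown as an added example that is not code from the talk: a dispatcher for the slides' /report/user, /report/admin and ?action=getappinfo endpoints that only hides the admin link (vulnerable) next to one that checks a per-function permission map on the server. The users, roles and permission map are assumed for illustration.

```python
# Added example (not the talk's code): users, roles and the permission map are assumed.
class User:
    def __init__(self, name, roles):
        self.name, self.roles = name, frozenset(roles)

ALICE = User("alice", {"user"})           # constructed: ordinary user
ROOT = User("root", {"user", "admin"})     # constructed: administrator

def report_user(user):   return 200, f"report for {user.name}"
def report_admin(user):  return 200, "reports for all users"
def getappinfo(user):    return 200, "application info"

ROUTES = {"/report/user": report_user, "/report/admin": report_admin}
ACTIONS = {"getappinfo": getappinfo}

def nav_links(user):
    """UI-only control: the admin link is hidden, nothing is enforced."""
    return ["/report/user"] + (["/report/admin"] if "admin" in user.roles else [])

def handle_weak(user, path, action=None):
    """Vulnerable dispatcher: checks only that someone is logged in, so any user
    who force-browses /report/admin or adds ?action=getappinfo reaches admin code."""
    if user is None:
        return 401, "login required"
    fn = ACTIONS.get(action) if action else ROUTES.get(path)
    return fn(user) if fn else (404, "not found")

# Fix: one permission entry per function, consulted on every call (default deny).
PERMISSIONS = {report_user: {"user", "admin"}, report_admin: {"admin"}, getappinfo: {"admin"}}

def authorized(fn, user):
    return bool(PERMISSIONS.get(fn, set()) & user.roles)

def handle(user, path, action=None):
    """Hardened dispatcher: authentication, then function-level authorization,
    whichever way (navigation, form action, API parameter) the function was reached."""
    if user is None:
        return 401, "login required"
    fn = ACTIONS.get(action) if action else ROUTES.get(path)
    if fn is None:
        return 404, "not found"
    if not authorized(fn, user):
        return 403, f"{fn.__name__} requires one of {sorted(PERMISSIONS[fn])}"
    return fn(user)
```

Because the check hangs off the function rather than the link, a new route or parameter that reaches the same function is covered without touching the UI.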
![Page 17: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/17.jpg)
A8 – Cross Site Request Forgery (CSRF)
![Page 18: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/18.jpg)
A8 – Cross Site Request Forgery
Cross site : Outside
Request : Perform Action
Forgery : Fake
“Fake a user action outside the site”
![Page 19: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/19.jpg)
How does CSRF happen?
◦ GET /delete?user_id=1001
◦ POST /transact?toAccount=900123&amount=100
◦ Innocent looking page
◦ Hidden iframe – form – img – submit
◦ Success!
![Page 20: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/20.jpg)
Why does it work?
◦ Authenticated session exists
◦ (Stupid) Browser sends cookies by default!
◦ Server can’t verify origin of the request
![Page 21: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/21.jpg)
A few facts to note
◦ Happens on someone’s site hence
◦ CSRF = XSRF
◦ Inducing User action
◦ Unknown to the User
◦ Riding on User session
![Page 22: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/22.jpg)
The worst CSRF
◦ Admin site – Neglected – CSRF & SQLi
◦ Home DSL Router – Default cred – CSRF
◦ Stored Self XSS & CSRF!
![Page 23: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/23.jpg)
A few non-CSRF scenarios
◦ Public action: Contact, logout
◦ Read only – No state change
![Page 24: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/24.jpg)
Preventing CSRF
◦ Token - nonce
  ◦ URL
  ◦ Form hidden field
  ◦ HTTP Header
◦ Confirm User interaction: Re-authenticate, CAPTCHA
![Page 25: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/25.jpg)
Token Security
◦ Should be treated as session token
◦ Crypto random
◦ Time bound
◦ Can limit to user session, form
![Page 26: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/26.jpg)
A few CSRF blunders
◦ Multi stage form process
◦ CSRF Token in Cookies
◦ Redirection
◦ Depending on HTTP Referer: Old version of flash & meta refresh tag
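The token advice from the Preventing CSRF, Token Security and blunders slides, as one added example that is not code from the talk: a crypto-random, time-bound token bound to one session and one form, delivered in a hidden field or a custom header and verified server-side, with cookies deliberately excluded as a carrier. The key, lifetime and the `csrf_token` / `X-CSRF-Token` names are assumptions.

```python
# Added example (not the talk's code): HMAC-signed CSRF token bound to the
# session and form; SECRET, MAX_AGE and the field/header names are assumptions.
import hashlib, hmac, html, secrets, time

SECRET = secrets.token_bytes(32)  # server-only key, never sent to the browser
MAX_AGE = 15 * 60                  # token lifetime in seconds (time bound)

def _mac(session_id, form, ts, nonce):
    msg = f"{session_id}|{form}|{ts}|{nonce}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(session_id, form, now=None):
    """Crypto-random nonce, timestamp, and a MAC tying both to one session
    and one form: treat the result like a session token."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)
    return f"{ts}.{nonce}.{_mac(session_id, form, ts, nonce)}"

def verify_token(token, session_id, form, now=None):
    try:
        ts_str, nonce, mac = token.split(".")
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False                      # missing or malformed token
    if (now if now is not None else time.time()) - ts > MAX_AGE:
        return False                      # expired
    # constant-time comparison against the value this session/form should carry
    return hmac.compare_digest(_mac(session_id, form, ts, nonce), mac)

def hidden_field(token):
    """Delivery in the form body (the slides' 'form hidden field' option)."""
    return f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'

def check_request(session_id, form, fields, headers):
    """Server-side check: take the token from the hidden field or a custom
    header. Cookies are deliberately ignored: a token that only travels in a
    cookie is attached by the browser to a forged request as well (the
    'token in cookies' blunder)."""
    token = headers.get("X-CSRF-Token") or fields.get("csrf_token")
    return verify_token(token, session_id, form)
```

A token for another user's session or for a different form fails the MAC check, and an old one fails the age check, which is what "limit to user session, form" and "time bound" buy you.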
![Page 27: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/27.jpg)
Reference
◦ OWASP.org
◦ Web Application Hackers Handbook
![Page 28: OWASP A7 and A8](https://reader036.fdocuments.in/reader036/viewer/2022062412/58ed60451a28ab6f6a8b46a3/html5/thumbnails/28.jpg)
Thank you..
fb.com/pavanw3b @pavanw3b
linkedin.com/in/pavanw3b www.pavanw3b.com
fb.com/nullhyd @nullhyd #nullhyd