Web Application Vulnerability Assignment Sample
Question
A Security Testing Report
You are required to write a penetration test report. This report (2000 words) focuses on the technical aspects of web application vulnerabilities. In this pen-test report, you will need to demonstrate at least 3 vulnerabilities in the OWASP top 10 list (2017 version). You may use any vulnerable web applications or web sites included in the ethical hacking environment that we set up in course 3, that is, the OWASP broken web application box.
This report should include the following sections:
- Executive summary: Executive summaries should cover what led up to the issue being addressed, the problematic situation, and proposed solution with expected results. Executive reports do not require technical details and should target leadership rather than technical staff. (You may find hints on writing good executive summaries from http://unilearning.uow.edu.au/report/4bi1.html.)
- Methodology: This section includes an overview of how you deliver services. Highlights should include your process for each phase of an engagement, tools used, and how you handle identified threats.
- Detailed Testing Procedures: This section covers technical details. The target audience is typically the technical staff, and the goal is to provide as much information as possible around identified issues of concern. Typically, subjects to include are target discovery, mapping, vulnerability assessment, architecture analysis, exploitation, and reporting.
- Vulnerabilities: Vulnerabilities found should include a clear description about the source of the weakness, impact to business operations and likelihood of being exploited. If time and resources permit, each instance of vulnerability should be manually verified together with the results obtained from the scanners. Some details that could be included for identified vulnerabilities include 1) Vulnerability name, 2) Vulnerability description, 3) Technical details.
- Reference list: https://www.owasp.org/index.php/Top_10-2017_Top_10
Answer
Executive Summary: The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools and technologies in the field of web application security.
OWASP was started in September 2001 by Mark Curphey and operates as a non-profit organisation working to improve the security of web applications. It periodically publishes the OWASP Top 10, a list of the most critical application security risks together with their likely impact and the recommended remediations. In this penetration test report on web application vulnerabilities I have chosen three risks from the 2017 edition of the Top 10:
- Injection,
- Broken Authentication and
- Sensitive Data Exposure.
The vulnerabilities listed above can cause serious harm to an application and to the business behind it: loss or corruption of data, disclosure of confidential information, loss of accountability, denial of access to legitimate users and, in the worst case, complete takeover of the host. The remediations discussed in this report include using parameterised queries and, as defence in depth, LIMIT and similar SQL controls so that a single flaw cannot disclose the whole database; escaping special characters with the interpreter's own escape syntax where parameterisation is not possible; multi-factor authentication and weak-password checks; and encryption of sensitive data at rest and in transit. Each of these points is discussed below, from cause to proposed remedy.
Methodology
In today's computing environment vulnerabilities and threats are present in every part of daily life. A vulnerability can be defined as a weakness that a threat agent can exploit to perform unauthorised actions within a system.
To exploit a weakness the attacker needs at least one applicable tool or technique that can reach it. Vulnerability management is the recurring process of identifying, classifying, remediating and mitigating vulnerabilities; in this report the term refers to software vulnerabilities in computer systems [1]. Risk and vulnerability are often confused: a vulnerability is only a risk when a threat agent is able and motivated to exploit it, and treating every vulnerability as a risk distorts prioritisation.
A realised risk can affect a system significantly, and a vulnerability that is easy to reach and to exploit carries a high risk, whereas some vulnerabilities carry little or no risk in their environment. Security software can be used to find vulnerabilities in a system and remove them. According to Al-Khurafi and Al-Ahmad, a vulnerability is a loophole in an application system, whether a design flaw or an implementation flaw, that allows an attacker to cause harm to the stakeholders of the application [2].
Stakeholders include the owner of the application, its users and any other entities associated with it. Typical vulnerability classes are insufficient validation of user input, weak login and session handling, improper error handling, and failure to close database connections correctly.
Looking at the chosen vulnerabilities individually, Injection comes first. Injection has many variants, such as SQL, NoSQL, OS command and LDAP injection. These vulnerabilities arise when untrusted data is sent to an interpreter as part of a command or query [3]. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorisation. Almost any source of data can be an injection vector: environment variables, request parameters, internal and external web services, and all types of users.
Injection flaws occur when an attacker can send hostile data to an interpreter [4]. Such flaws are very prevalent, particularly in legacy code, and are most often found in SQL, LDAP, XPath or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages and ORM queries. They are easy to discover when examining code. Scanners and fuzzers help attackers and testers find injection flaws, but removing them requires fixing the code, not running more tools. Injection can result in data loss, corruption, disclosure of confidential information to unauthorised parties, loss of accountability and denial of access, and in the worst case a complete host takeover. The business impact depends on the needs of the application and the data it holds [5].
The next vulnerability is Broken Authentication. Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, to lists of default administrative accounts, and to automated brute-force and dictionary attack tools. Broken authentication is widespread because of how most identity and access controls are designed and implemented [6].
Session management is the bedrock of authentication and access control and is present in all stateful applications. Attackers can detect broken authentication using manual means and then exploit it with automated tools and the password lists obtained from earlier breaches. The attacker only needs access to a few accounts, or to a single administrator account, to compromise the system. Depending on the domain of the application, this may allow money laundering, social security fraud and identity theft, or disclosure of legally protected, highly sensitive information [7].
The third vulnerability is Sensitive Data Exposure. Here attackers rarely attack the cryptography directly; instead they steal keys, execute man-in-the-middle attacks, or steal clear-text data from the server, while it is in transit, or from the user's client such as a browser.
A manual attack is generally required, although previously retrieved password databases can be brute forced offline with Graphics Processing Units (GPUs). Over the last few years this has been the most common impactful attack on applications [8]. The most common flaw is simply not encrypting sensitive data. Where cryptography is employed, weak key generation and management, weak algorithm, protocol and cipher usage, and weak password hashing storage techniques are common.
For data in transit, server-side weaknesses are mainly easy to detect, but weaknesses affecting data at rest are hard to find. Failure frequently compromises all data that should have been protected. Typically this includes sensitive personal information (PII) such as health records, credentials, personal data and credit card numbers, which often require protection under specific laws and regulations such as the EU GDPR and local privacy laws.
Detailed Testing Procedures:
For injection, the preferred option is to use a safe API that avoids the interpreter entirely or provides a parameterised interface, or to migrate to an Object Relational Mapping (ORM) tool. Positive or whitelist server-side input validation is also advisable, but it is not a complete defence, because many applications legitimately require special characters, for example in text areas or in APIs for mobile applications [9]. For any residual dynamic queries, special characters must be escaped using the specific escape syntax of that interpreter, and LIMIT and other SQL controls should be used within queries to prevent mass disclosure of records if a SQL injection does occur.
For broken authentication it is advisable to implement multi-factor authentication to prevent automated credential stuffing, brute-force and stolen-credential reuse attacks. Do not ship or deploy with any default credentials, particularly for admin users. Implement weak-password checks, such as testing new or changed passwords against a list of the most common bad passwords. Align password length, complexity and rotation policies with current evidence-based guidance such as NIST SP 800-63B, and limit or increasingly delay failed login attempts, logging every failure so that credential stuffing and brute force can be detected.
For sensitive data exposure, first classify the data processed, stored or transmitted by the application. Identify which data is sensitive according to privacy laws, regulatory requirements and business needs, and apply controls according to that classification: do not store sensitive data unnecessarily, encrypt sensitive data at rest, encrypt all data in transit, and store passwords only as salted, adaptive hashes.
Vulnerabilities:
Injection: An application is vulnerable to injection in several situations. User-supplied data is not validated, filtered or sanitised by the application. Dynamic queries or non-parameterised calls without context-aware escaping are used directly in the interpreter [5].
Hostile data is used within Object Relational Mapping (ORM) search parameters to extract additional, sensitive records, or is concatenated directly into queries, commands or stored procedures so that the statement contains both structure and hostile data. The common injection types, namely SQL, NoSQL, OS command, ORM and LDAP injection, should be treated as a priority when securing an application [10].
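The difference between the dynamic query described above and the parameterised interface recommended under Detailed Testing Procedures, shown as an added example in Python against an in-memory SQLite table. This code, its user table and the two payloads are constructed for illustration here; they are not taken from the OWASP Broken Web Applications box or from this report's original testing.

```python
import sqlite3


# Constructed in-memory user table standing in for the target's database
# (hypothetical rows, not data from the OWASP Broken Web Applications box).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "admin", "s3cret", "admin"),
            (2, "alice", "wonderland", "user"),
            (3, "bob", "builder", "user"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Dynamic query: untrusted input is concatenated into the SQL text, so the
    interpreter cannot distinguish data from query structure (OWASP A1:2017)."""
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Parameterised query: the driver binds the value separately from the fixed
    SQL structure, so the payload is only ever compared literally. LIMIT 1 caps
    disclosure if a flaw elsewhere still lets a tautology through."""
    sql = "SELECT id, username, role FROM users WHERE username = ? LIMIT 1"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads: a tautology that returns every row, and a UNION that
# pulls the password column into the result set (the trailing -- comments out
# the closing quote the application appends).
TAUTOLOGY = "x' OR '1'='1"
UNION = "x' UNION SELECT id, password, role FROM users--"


def demo():
    conn = make_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": lookup_vulnerable(conn, UNION),
        "parameterized_tautology": lookup_parameterized(conn, TAUTOLOGY),
        "parameterized_union": lookup_parameterized(conn, UNION),
        "parameterized_legit": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Against the vulnerable function the tautology payload returns all three users and the UNION payload returns every password in the username column; the parameterised function returns nothing for either payload because the whole string is bound as one literal value, while a legitimate lookup of alice still works. During testing, the same two payloads typed into a login or search form of the target application are a quick manual confirmation of what a scanner reports.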
Broken Authentication: Confirmation of the user's identity, authentication and session management are critical to protecting against authentication-related attacks. An application still has authentication weaknesses if it has the following issues [10]. It permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords. It permits brute force or other automated attacks. It permits default, weak or well-known passwords such as 1234. It uses weak or ineffective credential recovery and forgot-password processes, such as knowledge-based answers, which cannot be made safe for users [7].
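An added example, not part of the original report, of two of the controls recommended under Detailed Testing Procedures for the weaknesses listed above: a weak-password check against a denylist and a per-account failure counter that stops a credential stuffing or brute-force run. The password list, user names, thresholds and the "leaked" credential set are constructed assumptions for this illustration.

```python
import hashlib
import hmac
import os

# Constructed denylist standing in for a "top N worst passwords" list.
WEAK_PASSWORDS = {"1234", "123456", "password", "admin", "qwerty", "letmein"}
MIN_LENGTH = 8        # assumed minimum length for user-chosen secrets
MAX_FAILURES = 5      # assumed lockout threshold per account


def password_is_acceptable(password):
    """Reject too-short or known-weak passwords at registration or change time."""
    if len(password) < MIN_LENGTH:
        return False
    return password.lower() not in WEAK_PASSWORDS


class AuthService:
    """Minimal authenticator: salted PBKDF2 verifiers plus a failure counter."""

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 digest)
        self._failures = {}  # username -> consecutive failed attempts

    def register(self, username, password):
        if not password_is_acceptable(password):
            raise ValueError("weak password rejected")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return "locked"
        record = self._users.get(username)
        if record is None:
            # Count attempts against unknown names too, so spraying and
            # enumeration are throttled the same way as guessing.
            self._failures[username] = self._failures.get(username, 0) + 1
            return "denied"
        salt, expected = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if hmac.compare_digest(candidate, expected):
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "denied"


def credential_stuffing_demo():
    """Replay a constructed list of breached credentials against one account."""
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    guesses = ["1234", "password", "qwerty", "letmein", "admin", "123456",
               "correct horse battery staple"]
    return [svc.login("alice", g) for g in guesses]


if __name__ == "__main__":
    print(credential_stuffing_demo())
```

The replay yields five denials and then "locked" for every further attempt, including the seventh guess that is actually the correct password: once the threshold is reached the attacker cannot tell a hit from a miss. A plain permanent lockout as written here is itself a denial-of-service vector against known user names, so a production deployment would make the lock expire, add increasing delays instead of a hard stop, and raise an alert when many accounts lock in a short period.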
Sensitive Data Exposure: The first task is to determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information and business secrets require extra protection [10]. For every such item it is important to check whether the data is ever transmitted in clear text.
This concerns protocols such as HTTP, SMTP and FTP. External internet traffic is especially dangerous, but internal traffic, for example between load balancers, web servers and back-end systems, must be verified as well. It is also important to check whether old or weak cryptographic algorithms are used, either by default or in older code, since these are themselves vulnerabilities that will eventually be exploited.
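An added example, not part of the original report, of the "weak password hashing storage" failure named in the Methodology section and checked here: the same constructed credential table stored once as unsalted MD5 and once as salted, iterated PBKDF2, then attacked offline with a small dictionary as an attacker who has already retrieved the database would do. The user names, passwords, wordlist and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed dictionary standing in for a leaked wordlist (hypothetical).
WORDLIST = ["123456", "password", "letmein", "wonderland", "builder"]


def store_md5(password):
    """Weak storage: fast, unsalted hash. Equal passwords collide and one
    precomputed table cracks every user at once."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password, iterations=100_000):
    """Stronger storage: per-user random salt plus a tunable work factor."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + str(iterations) + "$" + digest.hex()


def verify_pbkdf2(password, stored):
    salt_hex, iters, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_md5_table(table, wordlist):
    """One hash per candidate builds a lookup that cracks all users together."""
    rainbow = {store_md5(w): w for w in wordlist}
    return {user: rainbow.get(h) for user, h in table.items()}


def crack_pbkdf2_table(table, wordlist):
    """Salts defeat the shared lookup: the KDF runs per user per candidate."""
    found, kdf_calls = {}, 0
    for user, stored in table.items():
        found[user] = None
        for w in wordlist:
            kdf_calls += 1
            if verify_pbkdf2(w, stored):
                found[user] = w
                break
    return found, kdf_calls


def demo():
    # Constructed credential set; alice and carol chose the same password.
    creds = {"alice": "wonderland", "bob": "builder",
             "carol": "wonderland", "dave": "Tr0ub4dor&3"}
    md5_table = {u: store_md5(p) for u, p in creds.items()}
    kdf_table = {u: store_pbkdf2(p, 20_000) for u, p in creds.items()}
    md5_cracked = crack_md5_table(md5_table, WORDLIST)
    kdf_cracked, kdf_calls = crack_pbkdf2_table(kdf_table, WORDLIST)
    return {
        "md5_collision": md5_table["alice"] == md5_table["carol"],
        "pbkdf2_collision": kdf_table["alice"] == kdf_table["carol"],
        "md5_cracked": md5_cracked,
        "pbkdf2_cracked": kdf_cracked,
        "md5_hash_ops": len(WORDLIST),
        "pbkdf2_kdf_calls": kdf_calls,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With MD5 the two users who share a password are visible from the stored hashes alone, and five hash computations recover three of the four passwords. With PBKDF2 the stored values differ even for the shared password, and the same dictionary needs eighteen full KDF runs, each deliberately slow, to recover the same three weak passwords. The salt and work factor do not rescue a password that is in the attacker's wordlist; they buy time, which is why the weak-password check in the authentication section is the other half of the control.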
References
[1] Adams, Kyle, and Victor Pinenkov. "Methods for proactively securing a web application and apparatuses thereof." U.S. Patent 8,949,988, issued February 3, 2015.
[2] Al-Khurafi, Ossama B., and Mohammad A. Al-Ahmad. "Survey of Web Application Vulnerability Attacks." In Advanced Computer Science Applications and Technologies (ACSAT), 2015 4th International Conference on, pp. 154-158. IEEE, 2015.
[3] Ekstedt, Mathias, Pontus Johnson, Robert Lagerström, Dan Gorton, Joakim Nydrén, and Khurram Shahzad. "securiCAD by Foreseeti: A CAD tool for enterprise cyber security management." In Enterprise Distributed Object Computing Workshop (EDOCW), 2015 IEEE 19th International, pp. 152-155. IEEE, 2015.
[4] Ji, Peng, Lin Luo, Vugranam C. Sreedhar, Shun Xiang Yang, and Yu Zhang. "Hierarchical rule development and binding for web application server firewall." U.S. Patent 8,627,442, issued January 7, 2014.
[5] McClintock, Jon, and Alun Jones. "Adaptive web application vulnerability scanner." U.S. Patent 9,923,916, issued March 20, 2018.
[6] Shar, Lwin Khin, Lionel C. Briand, and Hee Beng Kuan Tan. "Web application vulnerability prediction using hybrid program analysis and machine learning." IEEE Transactions on Dependable and Secure Computing 12, no. 6 (2015): 688-707.
[7] Sima, Caleb, Raymond Kelly, and William M. Hoffman. "Web application assessment based on intelligent generation of attack strings." U.S. Patent 8,656,495, issued February 18, 2014.
[8] Von Solms, Basie, and Jonathan Roussel. "A Solution to improve the cyber security of home users." In African Cyber Citizenship Conference 2015 (ACCC2015), p. 157. 2015.
[9] Yoo, Hyunguk, and Taeshik Shon. "Challenges and research directions for heterogeneous cyber–physical system based on IEC 61850: Vulnerabilities, security requirements, and security architecture." Future Generation Computer Systems 61 (2016): 128-136.
[10] "Top 10-2017 Top 10 - OWASP", Owasp.org, 2018. [Online]. Available: https://www.owasp.org/index.php/Top_10-2017_Top_10. [Accessed: 12 May 2018]