Embed Size (px)
Citation preview
Top 5 Things a Security Researcher Looks for When Attacking an App
Robert Kugler
About me● Ethical hacker
● Penetration tester
● Data Protection consultant
● Speaker + Human rights activist
EXPECTATION...
REALITY...
1. Injections
2. Broken Authentication 4. XML External Entities
3. Sensitive Data Exposure 5. Broken Access Control
6. Bonus
What is it?How to look for it?
What’s the impact?
1. Injections
What is it?
Insecurely crafted database queries or OS commands mishandling user input
How to look for it?
● Fuzz the application using automated scanners & manual analysis
● Check common vulnerable parameters e.g. $id, $username, $password
● Don’t forget cookie values or HTTP headers!
What’s the impact?
● Worst-case: Remote Code Execution○
● Best-case: Data loss○
2. Broken Authentication
What is it?
● Weak authentication and session management
How to look for it?
● Check for default credentials, 2FA, session fixation, session timeouts, bruteforce protections, JWT & OAuth weaknesses
● Look for predictable password reset / confirmation tokens, lifetime of tokens
What’s the impact?
● Worst-case: Data loss or privilege escalation○
● Best-case: Targeted account takeover e.g. a 2FA bypass○
3. Sensitive Data Exposure
What is it?
● Sensitive data is leaked to third parties
How to look for it?
● Check for sensitive data transmitted over unencrypted channels or GET requests, vulnerable TLS ciphers, plain text password storage, leaks of tokens through the referrer, unencrypted backups
testssl.sh (command-line)
What’s the impact?
● Worst-case: Privilege escalation with stolen credentials
● Best-case: Targeted data loss e.g. losing confidentiality of communications○
4. XML External Entities
What is it?
● Vulnerable XML parser processes XML external entities and DTDs
How to look for it?
● Inject external entities in XML payloads and measure response times
● Switch the Content-Type to see if you can find deprecated XML parsers
What’s the impact?
● Worst-case: Remote Code Execution○
● Best-case: Data loss○
5. Broken Access Control
What is it?
● Unauthorized users are able to access sensitive data, mainly a API issue.
How to look for it?
● Check for CORS misconfigurations, insecure direct object references (IDORs), privilege escalation through different roles inside the application
What’s the impact?
● Worst-case: Data loss○
● Best-case: Privilege escalation or account takeover○
Bonus: Server-Side Request Forgery
What is it?
● An attacker is able to send a crafted request from a vulnerable web application
How to look for it?
● Check common vulnerable endpoints e.g. webhooks, embed videos or pictures
● Make requests to localhost, 127.0.0.1 or use domains pointing to it
● Measure response times, if you don’t have access to the response data
What’s the impact?
● Worst-case: Remote Code Execution○
● Best-case: Access to the internal company network○
Summary
● Flaws trivial to exploit● Data loss always involved● Manual testing required
