OWASP A7 & A8

pavanw3b

Hyd

11 th February ServiceNow

$ whoami Pavan aka pavanw3b Security Engineer @ Core member - n|u Hyd Free time bug bounty participant

OWASP talks continued at n|u Hyd..

Open Web Application Security Project◦ Top 10◦ Tools◦ Testing guide◦ Cheat sheets

Web Top Ten 2013

A7 - Missing Function

Level Access Control

A7-Missing Function Level Access Control

https://pavanw3b.com/report/user

A7-Missing Function Level Access Control

https://pavanw3b.com/report/admin

How is it done?

◦ Force browse URL: /site/admin◦ Parameter: ?action=getappinfo

Wait a min..

Isn’t it IDOR?A4Insecure Direct Object Reference

Revisit A4 – Insecure Direct Object Reference https://biller.com/download?bill_id=1337

Missing Function Level Access Control

Missing Function Level Access Control

Performssomeoperation

Ability

to

Missing Function Level Access Control

Performssomeoperation

Ability

to control the

to

Missing Function Level Access Control

Performssomeoperation

Ability

to control the

to

Missing

How to find?◦ Navigation, Form action, API ◦ Escalate Privilege◦ Server-side Authentication & Authorization

How is different from IDOR?◦ Function level◦ Usually invokes a function ◦ For Programmers◦ Mostly about Vertical Privilege Escalation?◦ It’s a type of IDOR?◦ Not all IDOR are MFLA?

Prevent MFLA◦ Access Control at Server Side◦ Don’t just hide UI◦ Modular level authorization

A8 – Cross Site Request Forgery

(CSRF)

A8 – Cross Site Request ForgeryCross site : OutsideRequest : Perform Action Forgery : Fake

“Fake an user action outside the site”

How CSRF happens?◦ GET /delete?user_id=1001◦ POST /transact?toAccount=900123&amount=100◦ Innocent looking page◦ Hidden iframe – form – img – submit◦ Success!

Why it works?◦ Authenticated session exists ◦ (Stupid) Browser sends cookies by default!◦ Server can’t verify origin of the request

A few facts to note◦ Happens on someone’s site hence◦ CSRF = XSRF◦ Inducing User action◦ Unknown to the User◦ Riding on User session

The worst CSRF◦ Admin site – Neglected – CSRF & SQLi◦ Home DSL Router – Default cred – CSRF◦ Stored Self XSS & CSRF !

A few non-CSRF Scenario◦ Public action: Contact, logout◦ Read only – No state change

Preventing CSRF◦ Token - nonce

◦ URL◦ Form hidden field◦ HTTP Header

◦Confirm User interaction: Re-authenticate, CAPTCHA

Token Security◦ Should be treated as session token◦ Crypto random◦ Time bound◦ Can limit to user session, form

A few CSRF blunders◦ Multi stage form process◦ CSRF Token in Cookies◦ Redirection◦ Depending on HTTP Referer: Old version of flash & meta refresh tag

Reference◦ OWASP.org◦ Web Application Hackers Handbook

Thank you..fb.com/pavanw3b @pavanw3b

linkedin.com/in/pavanw3bwww.pavanw3b.com

fb.com/nullhyd @nullhyd#nullhyd