OWASP A7 & A8
pavanw3b – n|u Hyd – 11th February, ServiceNow
$ whoami ◦ Pavan aka pavanw3b ◦ Security Engineer @ ◦ Core member – n|u Hyd ◦ Free time bug bounty participant
OWASP talks continued at n|u Hyd..
Open Web Application Security Project ◦ Top 10 ◦ Tools ◦ Testing guide ◦ Cheat sheets
Web Top Ten 2013
A7 – Missing Function Level Access Control
A7 – Missing Function Level Access Control: https://pavanw3b.com/report/user
A7 – Missing Function Level Access Control: https://pavanw3b.com/report/admin
How is it done?
◦ Force browse URL: /site/admin ◦ Parameter: ?action=getappinfo
Wait a min..
Isn’t it IDOR? (A4 – Insecure Direct Object Reference)
Revisit A4 – Insecure Direct Object Reference https://biller.com/download?bill_id=1337
Missing Function Level Access Control – the phrase broken down (slide build): ◦ Performs some operation ◦ Ability to control the … ◦ Missing
How to find? ◦ Navigation, Form action, API ◦ Escalate Privilege ◦ Server-side Authentication & Authorization
How is it different from IDOR? ◦ Function level ◦ Usually invokes a function ◦ For Programmers ◦ Mostly about Vertical Privilege Escalation? ◦ It’s a type of IDOR? ◦ Not all IDOR are MFLA?
Prevent MFLA ◦ Access Control at Server Side ◦ Don’t just hide UI ◦ Modular level authorization
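The "access control at server side, don't just hide UI" point, as an added example (not code from the slides). The paths /report/user, /report/admin, /site/admin and the ?action=getappinfo parameter are the ones on the slides; the role names, the in-memory policy table, the two handlers and the access-matrix helper are assumptions for this demonstration. The first handler shows the MFLA pattern (admin links simply not rendered, server runs anything), the second checks a per-function policy on every request, and `admin_functions_reachable_by` is the regression check a defender runs to catch vertical privilege escalation.

```python
"""Server-side function level access control: an added example, not code from the
slides. The paths /report/user, /report/admin and /site/admin and the
?action=getappinfo parameter come from the slides; the role names, the
in-memory policy table and the two handlers are assumptions for this demo."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # assumed roles: "user" or "admin"


# Each server-side function (URL, optional action parameter) names the roles
# allowed to invoke it. Anything not listed is denied by default.
FUNCTION_POLICY = {
    ("/report/user", None): {"user", "admin"},
    ("/report/admin", None): {"admin"},
    ("/site/admin", None): {"admin"},
    ("/app", "getappinfo"): {"admin"},  # function selected by a parameter
}


def run_function(path: str, action: Optional[str]) -> str:
    """Stand-in for the real business logic of a function (assumed)."""
    return f"executed {path}" + (f"?action={action}" if action else "")


def hidden_ui_handler(session: Session, path: str, action: Optional[str] = None):
    """The MFLA pattern: admin links are not rendered for users, but the
    server runs whatever function is requested, so force browsing works."""
    return 200, run_function(path, action)


def enforcing_handler(session: Session, path: str, action: Optional[str] = None):
    """Server-side authorization checked on every request, before the function runs."""
    allowed = FUNCTION_POLICY.get((path, action))
    if allowed is None or session.role not in allowed:
        return 403, "forbidden"
    return 200, run_function(path, action)


def access_matrix(handler, sessions, functions):
    """Exercise every (session, function) pair through `handler`.
    Returns {(role, path, action): HTTP status}; a defender's regression test."""
    return {
        (s.role, path, action): handler(s, path, action)[0]
        for s in sessions
        for path, action in functions
    }


def admin_functions_reachable_by(handler, session: Session):
    """Admin-only functions (per the policy table) that `session` can still
    execute through `handler`: should be an empty list for non-admins."""
    return sorted(
        path + (f"?action={action}" if action else "")
        for (path, action), roles in FUNCTION_POLICY.items()
        if roles == {"admin"} and handler(session, path, action)[0] == 200
    )


if __name__ == "__main__":
    user = Session(user_id=1001, role="user")
    print("hidden UI only:", admin_functions_reachable_by(hidden_ui_handler, user))
    print("enforced      :", admin_functions_reachable_by(enforcing_handler, user))
```

Unknown functions are denied as well (no policy entry means 403), which is what "modular level authorization" buys you: every new function has to be added to the policy before anyone can call it.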
A8 – Cross Site Request Forgery (CSRF)
A8 – Cross Site Request Forgery ◦ Cross site: Outside ◦ Request: Perform Action ◦ Forgery: Fake
“Fake a user action outside the site”
How CSRF happens? ◦ GET /delete?user_id=1001 ◦ POST /transact?toAccount=900123&amount=100 ◦ Innocent looking page ◦ Hidden iframe – form – img – submit ◦ Success!
Why it works? ◦ Authenticated session exists ◦ (Stupid) Browser sends cookies by default! ◦ Server can’t verify origin of the request
A few facts to note ◦ Happens on someone’s site hence ◦ CSRF = XSRF ◦ Inducing User action ◦ Unknown to the User ◦ Riding on User session
The worst CSRF ◦ Admin site – Neglected – CSRF & SQLi ◦ Home DSL Router – Default cred – CSRF ◦ Stored Self XSS & CSRF!
A few non-CSRF Scenarios ◦ Public action: Contact, logout ◦ Read only – No state change
Preventing CSRF ◦ Token – nonce ◦ URL ◦ Form hidden field ◦ HTTP Header ◦ Confirm User interaction: Re-authenticate, CAPTCHA
Token Security ◦ Should be treated as session token ◦ Crypto random ◦ Time bound ◦ Can limit to user session, form
A few CSRF blunders ◦ Multi stage form process ◦ CSRF Token in Cookies ◦ Redirection ◦ Depending on HTTP Referer: Old version of flash & meta refresh tag
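The "Preventing CSRF" and "Token Security" slides above, as an added example that is not code from the slides: a token that is crypto random, time bound, limited to one user session and one form, and compared in constant time like a session token. It is accepted from a form hidden field or an HTTP header (both listed on the slides). `SECRET_KEY`, the form names, the `X-CSRF-Token` header name and the 10 minute lifetime are assumptions for this demonstration. Note that the session id the token is checked against comes from the server-side session, not from the request, which is what the "token in cookies" blunder gets wrong.

```python
"""CSRF token issue/verify: an added example, not the slide author's code.
It implements the token properties on the slides (crypto random, time bound,
bound to the user session and to one form, treated like a session token) and
accepts the token from a hidden field or an HTTP header. SECRET_KEY, the
header name, the form names and the 10 minute lifetime are assumptions."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

SECRET_KEY = secrets.token_bytes(32)  # assumed: server-side secret, never sent to clients
TOKEN_TTL = 600                       # assumed: seconds a token stays valid


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(session_id: str, form_id: str, now: Optional[float] = None) -> str:
    """Token = base64(session|form|issued_at|nonce) '.' HMAC over that payload."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)  # crypto random, so tokens are unguessable
    payload = f"{session_id}|{form_id}|{issued}|{nonce}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_token(token: str, session_id: str, form_id: str,
                 now: Optional[float] = None) -> bool:
    """session_id must come from the server-side session, not from the request."""
    current = int(time.time() if now is None else now)
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, binascii.Error):
        return False
    # Constant-time comparison, as for a session token
    if not hmac.compare_digest(_sign(payload), sig):
        return False
    try:
        tok_session, tok_form, issued_str, _nonce = payload.decode().split("|")
        issued = int(issued_str)
    except (ValueError, UnicodeDecodeError):
        return False
    if tok_session != session_id or tok_form != form_id:
        return False  # token from another session, or replayed against another form
    return 0 <= current - issued <= TOKEN_TTL  # time bound


def handle_post(server_session_id: str, form_id: str, form_fields: dict,
                headers: dict, now: Optional[float] = None):
    """State-changing handler. The token may arrive in the hidden field or the
    header; the session id is looked up server side from the session cookie."""
    token = form_fields.get("csrf_token") or headers.get("X-CSRF-Token")
    if not token or not verify_token(token, server_session_id, form_id, now):
        return 403, "csrf token missing or invalid"
    return 200, "ok"


if __name__ == "__main__":
    tok = issue_token("sess-A", "transfer")
    print(handle_post("sess-A", "transfer", {"csrf_token": tok}, {}))   # (200, 'ok')
    print(handle_post("sess-A", "transfer", {"toAccount": "900123"}, {}))  # (403, ...)
```

Because the payload is signed rather than stored, the server needs no token table, but every check the slides ask for still happens on verification: the signature, the session and form binding, and the issue time.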
Reference ◦ OWASP.org ◦ Web Application Hacker’s Handbook
Thank you.. ◦ fb.com/pavanw3b ◦ @pavanw3b ◦ linkedin.com/in/pavanw3b ◦ www.pavanw3b.com
fb.com/nullhyd ◦ @nullhyd ◦ #nullhyd