OWASP TOP 10¶

OWASP Top 10 Overview

OWASP Top 10 Update Cycle

These get updates after every 3 year !

OWASP Top 10 Chart 1

OWASP Top 10 Chart 2

Broken Access Control¶

Broken Access Control 1

Broken Access Control 2

Broken Access Control 3

Broken Access Control 4

Broken Access Control 5

File Inclusion Attack

File Inclusion Example 1

File Inclusion Example 2

File Inclusion Example 3

This here displays the 1st OWASP Vuln > File Inclusion Attack -

/etc/passwd > could show the credentials

?page=file/../../../../../../../etc/passwd

Cryptographic Failures¶

Hack-Tools - Chrome Web Store

https://github.com/LasCC/HackTools

Crypto Failure 1

Crypto Failure 2

INJECTION 3 TYPES - XSS, SQLI, CMD¶

We can say it's baically for any user field.

XSS ( DOM, REFLECTED, STORED)¶

XSS 1

XSS 2

XSS DOM¶

Experiment with the url parameters. Check what they ment to do to the page.

XSS DOM Example

Whatever we change inside the url is reflected in the dropdown !

XSS DOM Example 2

decodeURI used in one location inside a js but not throughout is a vulnerability in this case !

XSS DOM Example 3

Whatever changes we make in the url, is reflected in the drop down because of the js.

Key Segment (Reflected XSS Risk):

if (document.location.href.indexOf("default=") >= 0) {
    var lang = document.location.href.substring(document.location.href.indexOf("default=")+8);
    document.write("<option value='" + lang + "'>" + decodeURI(lang) + "</option>");
}

This takes a string from the URL (e.g. ?default=<input>) and injects it directly into the HTML using document.write, without sanitization.

⚠️ Security Flaw: Reflected XSS

If an attacker crafts a URL like:

<script>alert(1)</script>

It would result in this being injected into the page:

<option value='<script>alert(1)</script>'><script>alert(1)</script></option>

Which then executes the script in the user's browser, a classic reflected XSS attack.

🔥 The Exploit

<img src=x onerror="alert('XSS')" />

This payload is a reflected Cross-Site Scripting (XSS) attack. It leverages poor input handling to inject arbitrary HTML and JavaScript into the page.

XSS REFLECTED¶

XSS Reflected 1

Check for arbitary html record : while entering

<h1>Test</h1>

XSS Reflected 2

And we can now inject XSS:

<script>alert('XSS')</script>

If the backend logic suppose don't let you parse through the script tag as it might be stoped by a parameter but somethime missing case sensative parameters could also leads to XSS.

XSS STORED¶

XSS Stored 1

While you are filling a form and you find it there is a input constrain you can always go to inspect and cange the input numerical character which is assigned as the parameter and passed by the client side so we can make changes.

XSS Stored 2

We can now see this :

XSS Stored 3

Suppose there is a parameter checker and by default you can't perform this at that point of time one can always use:

Test<img src=x onerror="alert('XSS')" />

Cookies are small key value pairs that are set by the server and store your activity on the server side. It does includes our session ID & some other information.

We can hijack someone session if the session cookie contents are disclosed !

XSS Cookie Hijack

The HttpOnly flag must be unset on the session id for this to happen. In that case js can interact with the cookie.

XSS PHPSESSID

PHPSESSID is visible this is scary :

set port listner using nc -nvlp 8000

XSS Port Listener

fetch function is a built in js function which allows arbitary web request.

This is dope :

XSS Fetch

Just copy paste that session id to the cookie and boom we are logged i without UID and PASS.

SQLI¶

https://github.com/swisskyrepo/PayloadsAllTheThings

SQLI 1

SQLI 2

SQLI 3

So the 1' or 1=1; --

This is going to list out all the ID's out of the database !

SQLI 4

We can use the more advance version of this via using sqlmap to detect the vulnerability or let's do one thing we can use ZAP or Burpsuit to set the the post request and fuzz it to out list which we have!

SQLI 5

Choose the payload > File Fuzzer

SQLI Blind 1

SQLI Blind 2

We need to construct a query to know what's going inside the database.

SQLI Blind 3

COMMAND INJECTION¶

Command Injection 1

Command Injection 2

To run shell command basically !

INSECURE DESIGN¶

Insecure Design

CSRF¶

Is when a site accepts form requests or http request that send data to the site from off site.

Cross-Site Request Forgery (CSRF) is a web security vulnerability that allows an attacker to trick a victim into submitting malicious requests on their behalf. These requests are sent from the user's browser while they're authenticated, so the server processes them as legitimate.

One can trick the token also which changes continously upon refresh.

Security Misconfiguration¶

Security Misconfiguration 1

Security Misconfiguration 2

Vulnerable and Outdated Components¶

Vulnerable Components 1

Vulnerable Components 2

CANARY TOKENS¶

Which allows you to generate tokens for many diff kinds of things. Canary Tokens if accessed, will trigger a DNS request, which this service will alert you to if the request is triggered.

Identification and Authentication Failures¶

Identification and Auth Failures

WEAK SESSION VULNERABILITY¶

A weak session vulnerability refers to flaws in how a web application creates, manages, or secures session identifiers (session IDs), which can allow attackers to hijack or impersonate a user's session. Sessions are used to maintain a user's state (e.g., logged in) across multiple HTTP requests, so weak session management can lead to serious security breaches.

Common Weak Session Vulnerabilities:¶

Predictable Session IDs:
- If the session ID is generated using predictable patterns (e.g., sequential numbers or timestamps), attackers can guess valid session IDs and hijack sessions.
Exposed Session IDs in URLs:
- Including session IDs in URLs (e.g., example.com/?sessionid=12345) can lead to leakage via browser history, referer headers, or logs.
Session Fixation:
- An attacker sets a session ID for a victim and then tricks the victim into using it, gaining access once the victim logs in.
No Session Expiry or Timeout:
- If sessions don't expire after a period of inactivity, they remain valid indefinitely, increasing the window of opportunity for an attacker.
Insecure Storage of Session IDs:
- Storing session IDs insecurely on the client-side (like in local storage) or failing to use secure cookies can expose them to theft (e.g., via XSS).
Lack of Secure and HttpOnly Flags on Cookies:
- Without the Secure flag, session cookies can be transmitted over unencrypted connections.
- Without HttpOnly, JavaScript can access cookies, making them vulnerable to XSS attacks.
Session IDs Not Invalidated on Logout:
- If a session ID remains valid after the user logs out, an attacker could reuse it.

Software and Data Integrity Failures¶

Software and Data Integrity Failures

Security Logging and Monitoring Failures¶

Security Logging and Monitoring Failures

Server-Side Request Forgery¶

Server-Side Request Forgery

OWASP Top 10 Summary 1

OWASP Top 10 Summary 2

https://github.com/epi052/feroxbuster

Feroxbuster is a dope thing.

feroxbuster -u http://10.10.128.37/ -t 5 -L 5 -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o feroxbuster.txt

Flag / Option	Meaning
`-u http://pwst-server:8002/`	Target URL for scanning
`-n`	Don't auto-filter 404-like responses (shows everything)
`-t 5`	Use 5 threads (controls concurrency — conservative)
`-L 5`	Maximum recursion depth of 5 levels
`-w [wordlist path]`	Path to the wordlist used for brute-forcing directories
`-o feroxbuster.txt`	Output the results to a file named `feroxbuster.txt`