FINAL PROJECT
Using the most recent OWASP Top 10 (From 2013). Pick the first 3 of the top ten and describe 3 different types on each (don’t include SQL injection since we covered that last week assignment) and provide your own unique summary of the issue. Here is a link for review:
Here have I have list with the types (but types could be different than mine- find them on the site)
1. Broken Authentication and Session Management – types could be any
a) Session IDs are vulnerable to session fixation attacks.
b) Session IDs are exposed in the URL (e.g., URL rewriting).
c) Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren’t properly invalidated during logout.
2. Cross-Site Scripting (XSS)
a) Stored XSS (AKA Persistent or Type I XSS)
b) Reflected XSS (AKA Non-Persistent or Type II XSS)
c) DOM Based XSS
3. Insecure Direct Object References
a) For direct references to restricted resources, does the application fail to verify the user is authorized to access the exact resource they have requested?
b) If the reference is an indirect reference, does the mapping to the direct reference fail to limit the values to those authorized for the current user
https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
In your summary be sure to include a detailed attack scenario and details to prevent this attack. Dig deep to find out more details than those provided in the reference article. Reference your sources.
Also, include your assessment for the technical and business impact.
Use my part of last week assignment for SQL Injection as an example on how to approach this project (this simple way was enough to get me 100%)
This is vulnerable code to attack on the search box seems to work fine but can be bypassed,
starting with a single quote (Act as a start of a string)
Followed with letters and some wildcards (usually they avoid indexes and searches for text)
Then pressed submit button will most likely return a plain text word revealing a data maybe a username.
In other word, it’s also possible to pass in a special character through and
eventually it will be quoted which can end up deleting or retrieving lots of records
Other causes could be with surname like O’sullivan that disregards the double quote of a string username
(“$username”) and make the last quote meaningless in SQL statement and that’s too would be the beginning of an SQL Injection attack.
<html>
<head>
<title>search DB</title>
</head>
<body>
<h1>Search Results</h>
<hr>
<table>
<tr><th>UserID</th><th>Username</th></tr>
<? php
require_Once ‘dbconnect.php’;
echo “Connected to $host <BR>’;
$username = htmlentities($_GET[‘username’]);
$query = “SELECT * FROM users WHERE username = $username'”;
$result = mysqli_query($dbh,$query);
if (!$result) {
echo “Error in query <BR>”;
} else { while ( $row = mysqli_fetch_array($result,mysql_assoc)) {
echo “<tr><td>” . $row[‘userid’] . “</td><td>” . $row[‘username’] . “</td><td>”;
}
}
mysql_free_result($result);
mysqli_close($dbh);
?>
<table>
How to preventing the SQL Injection code
<html>
<head>
<title>search DB</title>
</head>
<body>
<h1>Search Results</h>
<hr>
<table>
<tr><th>UserID</th><th>Username</th></tr>
<?php
require_Once ‘dbconnect.php’;
echo “Connected to $host <BR>’;
$username = htmlentities($_GET[‘username’]);
$query = “SELECT * FROM users WHERE username = $username'”;
// Resolution code will capture all escape single quote and treat them as little character rather than a //distraction in SQL statement
$username = mysqli_real_escape_string($dbh,$username);
$result = mysqli_query($dbh,$query);
if (!$result) {
echo “Error in query <BR>”;
} else { while ( $row = mysqli_fetch_array($result,mysql_assoc)) {
echo “<tr><td>” . $row[‘userid’] . “</td><td>” . $row[‘username’] . “</td><td>”;
}
}
mysql_free_result($result);
mysqli_close($dbh);
?>
<table>
