SMT 1-2 Web Security Overview

NSHC Training
28 Jul 2024, 06:18

Summary

TL;DR: This web security session delves into common vulnerabilities, focusing on the OWASP Top 10, a list of critical web application security risks that is updated every few years. It covers client-side issues (XSS, CSRF and client-side authentication) and server-side threats (SQL injection, SSRF, local file inclusion, path traversal and file upload). The session explains the importance of proper configuration, software updates and server-side authentication, and shows how injection, path traversal and file upload flaws lead to unauthorized access, data leaks and command execution.

Takeaways

  • 🌐 Web security is crucial for protecting against vulnerabilities on both client and server sides.
  • 🔒 The OWASP Top 10 is a widely recognized list of web application security risks, updated every 3-4 years.
  • 📉 Injection (SQL, OS command, LDAP) was ranked first in 2013 and 2017 but dropped to third in the 2021 version.
  • 🔑 Broken authentication and access control are persistent issues: the 2021 list puts Broken Access Control first and Identification and Authentication Failures (which covers session management) seventh.
  • 📝 Cross-Site Scripting (XSS) no longer has its own entry in the 2021 list (it is folded into Injection), while SSRF (Server-Side Request Forgery) was added as a new entry.
  • 🛠️ Security misconfiguration recurs in every edition, highlighting the importance of hardened settings.
  • 🔄 Vulnerable and outdated components are a significant risk; regular patching removes whole classes of known vulnerabilities.
  • 📜 Local File Inclusion (LFI) lets an attacker make the server include, and thereby disclose, local files whose path comes from user input.
  • 🔄 Path traversal uses '../' sequences (plain or URL-encoded) in a path parameter to reach files outside the intended directory.
  • 📁 File upload flaws let an attacker place a webshell in a web-served directory and execute OS commands through it.
  • 💡 Understanding and mitigating these vulnerabilities is key to enhancing web application security.

Q & A

  • What is the main focus of the web security session described in the transcript?

    -The main focus of the session is to provide an overview of web security, covering topics such as the OWASP Top 10, client-side and server-side vulnerabilities, including XSS, CSRF, authentication, SQL injection, SSRF, LFI, path traversal, and file upload vulnerabilities.

  • What is the OWASP Top 10 project?

    -The OWASP Top 10 project is a list of the 10 most critical categories of web application security risk, first published in 2003 and updated every 3 or 4 years. It is widely referenced by standards, books, papers and organizations as a baseline for understanding and addressing web security risks.

  • Why is the injection vulnerability significant in web security?

    -Injection vulnerabilities, including SQL, OS command and LDAP injection, arise when user input is placed into a query or command without validation or parameterization, so the input is interpreted as part of the command. They have consistently ranked at or near the top of the OWASP Top 10 because the impact is typically full data access or code execution.

  • What is the difference between authentication and authorization in the context of web security?

    -Authentication is the process of verifying who the user is, typically through passwords. Authorization, on the other hand, is the process of verifying what applications and data a user can access. Authorization always takes place after authentication.

  • Why should client-side authentication be avoided in web applications?

    -Client-side authentication should be avoided because it can be easily manipulated and bypassed. Developers should authenticate on the server-side to ensure security.

  • What is Local File Inclusion (LFI) vulnerability, and how can it be exploited?

    -LFI is a vulnerability that allows an attacker to include files that are locally present on the server. It can be exploited by providing the path to the file as user input, potentially leading to the leakage of sensitive information.

  • What is Path Traversal, and how does it differ from Local File Inclusion?

    -Path traversal lets an attacker reach files outside the directory the application intended to expose by putting '../' (or an encoded form of it) into a path parameter. LFI is about what the application then does with the file: it includes it, so on a PHP server the file's contents are interpreted as code rather than merely returned. The two overlap: a traversal sequence is usually how an LFI reaches a file such as /etc/passwd outside the intended directory, while a plain traversal bug in a download endpoint just returns the bytes.

  • What techniques can be used to bypass Path Traversal security measures?

    -The bypass payloads shown are alternative spellings of the parent-directory reference that a naive filter for the literal string '../' will not match: '..%2f' (the slash URL-encoded as its ASCII hex value), '%2e%2e/' (the dots encoded as '%2e'), '..\' (a backslash, which Windows-hosted servers accept as a separator) and '..%5c' (the backslash encoded). Because the server decodes these before opening the file, they reach the same parent directory as '../'. The defence is to decode and canonicalize the path first and then compare it against an allow-list of permitted files, rather than to blocklist strings.

  • What is a file upload vulnerability, and how can it be exploited by an attacker?

    -A file upload vulnerability occurs when a web service allows users to upload files to the server without proper validation. Attackers can exploit this by uploading malicious files to the server's file system, potentially leading to the execution of arbitrary code or OS commands.

  • What is a webshell, and how is it related to file upload vulnerabilities?

    -A webshell is a script or program that is uploaded to a web server and allows an attacker to execute OS commands remotely through the website. It is related to file upload vulnerabilities because if an attacker can upload a webshell to the server, they can gain unauthorized control over the system.

Outlines

00:00

πŸ›‘οΈ Web Security Overview and OAS Top 10

This paragraph introduces the web security session, highlighting the distinction between client-side and server-side vulnerabilities. The client side is prone to XSS, CSRF, and client-side authentication issues, while the server side faces SQL injection, SSRF, local file inclusion, path traversal, and file upload risks. The Open Web Application Security Project (OWASP) Top 10 is discussed as a critical list of web security vulnerabilities updated every 3-4 years. The paragraph also reviews the changes in the ranking of vulnerabilities from 2013 to 2021, emphasizing the importance of proper configuration and regular software updates to mitigate risks.

05:01

🔒 Authentication vs. Authorization and Security Vulnerabilities

The second paragraph delves into the concepts of authentication and authorization, explaining that authentication verifies user identity while authorization determines access to applications and data. It cautions against client-side authentication due to its susceptibility to manipulation. The paragraph then discusses local file inclusion (LFI), a vulnerability where user input can lead to the inclusion of unintended local files, potentially leaking sensitive information. It also touches on path traversal, where attackers can access unauthorized files by manipulating file paths. Several path traversal techniques are presented, including the use of directory traversal payloads and URL encoding to bypass security measures.

Keywords

💡 Web Security

Web security refers to the protection of websites and web applications against unauthorized access, data breaches, and various cyber threats. It is the main theme of the video, as it discusses various vulnerabilities and security issues that can affect web applications. The script mentions web security in the context of the OWASP Top 10, a standard reference for the most critical security risks to web applications.

💡 OWASP Top 10

The OWASP Top 10 is a list of the most critical web application security risks, prioritized by severity and frequency. It is mentioned in the script as a regularly updated resource that is widely referenced in the field of web security. The video discusses the evolution of the list, with the latest version being from 2021, and highlights the importance of staying informed about these vulnerabilities.

💡 Injection

Injection is a class of attack in which attacker-supplied input is placed into a query or command (SQL, an OS command line, an LDAP filter) and interpreted as part of it. The script notes that injection has consistently ranked high in the OWASP Top 10; the fix is to keep data and code separate (parameterized queries, APIs that take arguments rather than command strings) with input validation as a second layer.

💡 Broken Authentication

Broken authentication refers to vulnerabilities that allow attackers to compromise access controls and authentication mechanisms. The script explains that this category has always ranked highly in the OWASP Top 10, indicating the critical nature of robust access control and session management in web security.

💡 XSS (Cross-Site Scripting)

XSS is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. The script mentions that XSS has been a persistent issue in web security, highlighting the need for proper input sanitization and output encoding to prevent such attacks.

💡 SSRF (Server-Side Request Forgery)

SSRF is a type of attack where an attacker abuses a server's functionality to make unauthorized requests to local or remote systems. The script notes that SSRF has been added to the latest version of the OWASP Top 10, underscoring the evolving nature of web security threats.

💡 Configuration

Proper configuration of web applications and servers is crucial for security. The script points out that security misconfiguration has consistently ranked in the OWASP Top 10, indicating the importance of secure settings to prevent unauthorized access and other vulnerabilities.

💡 Outdated Components

Using outdated software components can expose web applications to known vulnerabilities. The script emphasizes the need for regular updates to protect against such risks, as outdated components have been a recurring issue in the OWASP Top 10 rankings.

💡 Client-Side Authentication

Client-side authentication refers to the process of verifying a user's identity on the client side of an application. The script warns against the practice, explaining that it can be easily manipulated and bypassed, and recommends server-side authentication for security.

💡 Local File Inclusion (LFI)

LFI is a vulnerability that allows an attacker to make the server include files present on its own filesystem, potentially leading to sensitive information disclosure. The script gives the example of a page such as read.php that takes the file to include from a URL parameter, so that supplying a different path leaks the contents of '/etc/passwd'.

💡 Path Traversal

Path traversal is a security vulnerability that allows attackers to access files outside the intended directory. The script discusses techniques used in path traversal attacks, such as using '../' to access parent directories, and demonstrates how this can lead to unauthorized file access.
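
The following is an added example, not code from the NSHC video or its slides. It shows, for the traversal payloads listed in the Q&A above ('../', '..%2f', '%2e%2e/', '..\', '..%5c') plus a double-encoded variant, why a filter that looks for the literal string '../' is bypassed, and how a handler that decodes and canonicalizes the value before comparing it against an allow-list is not. The document root, the allow-list and the request parameter name are hypothetical.

```python
import posixpath
import urllib.parse
from typing import Optional

# Hypothetical document root and allow-list; not from the video.
DOC_ROOT = "/var/www/pages"
ALLOWED = {"about.html", "contact.html", "news/latest.html"}


def naive_check(user_value: str) -> bool:
    """The string blocklist the bypass payloads are built to evade:
    it only looks for a literal '../' in the raw request value."""
    return "../" not in user_value


def normalize(user_value: str) -> str:
    """Decode and canonicalize the request value before any decision:
    undo (possibly repeated) URL encoding so %2e%2e%2f and ..%5c are seen
    as the traversal they are, treat backslash as a separator, and
    collapse '..' with posixpath.normpath. Returns a root-relative path."""
    decoded = user_value
    for _ in range(3):                      # bounded loop: handles double encoding
        again = urllib.parse.unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = decoded.replace("\\", "/")
    # Anchoring at '/' makes normpath discard leading '..' segments
    # instead of keeping them, so the result can never climb above root.
    return posixpath.normpath("/" + decoded).lstrip("/")


def safe_resolve(user_value: str) -> Optional[str]:
    """Return the absolute file to serve, or None to refuse the request.
    The allow-list is the real control; normalization just ensures the
    name compared against it is the name the filesystem would open."""
    rel = normalize(user_value)
    if rel not in ALLOWED:
        return None
    full = posixpath.normpath(posixpath.join(DOC_ROOT, rel))
    if not full.startswith(DOC_ROOT + "/"):  # belt-and-braces containment check
        return None
    return full


# Constructed payloads in the forms listed above (../, ..%2f, %2e%2e/, ..\, ..%5c)
# plus one double-encoded variant.
PAYLOADS = [
    "../../etc/passwd",
    "..%2f..%2fetc%2fpasswd",
    "%2e%2e/%2e%2e/etc/passwd",
    "..\\..\\etc\\passwd",
    "..%5c..%5cetc%5cpasswd",
    "%252e%252e%252fetc%252fpasswd",
]


def evaluate_payloads() -> dict:
    """payload -> (passes naive_check?, canonical path, what safe_resolve serves).
    Every encoded variant slips past naive_check yet canonicalizes to the
    same target as the plain '../' form, and safe_resolve refuses all of them."""
    return {p: (naive_check(p), normalize(p), safe_resolve(p)) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (passes, canon, served) in evaluate_payloads().items():
        print(f"{payload!r:36} naive_ok={passes!s:5} canonical={canon!r:14} served={served}")
    print(safe_resolve("news/../about.html"))
```

Note that the allow-list does the real work; canonicalization only guarantees that the name being checked is the name the filesystem would actually open. A handler that instead tries to enumerate bad strings will keep losing to new encodings.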

💡 File Upload Vulnerability

A file upload vulnerability occurs when an attacker is able to upload malicious files to a server, potentially leading to arbitrary code execution. The script describes how this can be exploited to upload a 'webshell', a script that allows the execution of OS commands through the web application.

Highlights

The web security session gives an overview of web security vulnerabilities, including an OWASP Top 10 overview and various client-side and server-side issues.

Client-side vulnerabilities include XSS, CSRF, and client-side authentication, while server-side issues encompass SQL injection, SSRF, local file inclusion, path traversal, and file upload.

The OWASP Top 10 project lists 10 categories of web security risk with significant impact; it was first published in 2003 and is regularly updated.

The OWASP Top 10 list is widely referenced by standards, books, papers and organizations for its coverage of the most common and damaging web vulnerabilities.

Injection, including SQL, OS command, and LDAP injection, was the top vulnerability in 2013 and 2017 but dropped to number three in the 2021 version.

Broken authentication consistently ranks high, indicating the importance of robust access control and session management.

XSS, or cross-site scripting, appears as its own entry in the 2013 and 2017 lists; in the 2021 version it is folded into the Injection category.

SSRF, or server-side request forgery, was added to the 2021 version of the OWASP Top 10, highlighting its growing significance.

Security misconfiguration and vulnerable or outdated components are emphasized as important risk categories, underscoring the need for hardened settings and regular software updates.

Using components with known vulnerabilities is a recurring issue, ranked consistently across the 2013, 2017 and 2021 versions of the OWASP Top 10.

Injection vulnerabilities occur when user input is not validated, leading to potential security breaches.

SSRF allows attackers to make the server issue requests to other systems, often internal ones it can reach but the attacker cannot; it arises when the application fetches a remote resource from a user-supplied URL without validating it.
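
The URL validation that the SSRF description above calls for, as an added example that is not part of the original material. It allow-lists the scheme, rejects credentials embedded in the URL, resolves the host and refuses any answer that is loopback, private, link-local (which covers 169.254.169.254, the cloud metadata address), multicast or reserved. The resolver is injectable so the demonstration runs offline against a constructed DNS table; the hostnames and addresses in that table are made up.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public(addr: str) -> bool:
    """True only for a globally routable unicast address. Loopback, RFC 1918,
    link-local (which includes 169.254.169.254, the cloud metadata address),
    multicast, reserved and unspecified addresses are all rejected."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer, because an attacker-controlled
    name may return one public and one internal address."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_fetch_url(url: str,
                    resolver: Callable[[str], List[str]] = resolve_all) -> Tuple[bool, str]:
    """Decide whether the server may fetch `url` on the user's behalf."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"      # http://127.0.0.1@example.com/ style tricks
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal IPv4/IPv6 (brackets already stripped)
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:                               # socket.gaierror is an OSError
            return False, "unresolvable host"
    if not addrs:
        return False, "no addresses"
    for addr in addrs:
        if not is_public(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


# Constructed resolver table for an offline demonstration (not real DNS data).
FAKE_DNS = {
    "example.com":  ["8.8.8.8"],
    "intranet.lan": ["10.0.0.5"],
    "rebind.test":  ["8.8.8.8", "127.0.0.1"],
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ["https://example.com/logo.png", "http://intranet.lan/admin",
              "http://169.254.169.254/latest/meta-data/", "http://[::1]:8080/",
              "file:///etc/passwd", "http://rebind.test/"]:
        print(f"{u:45} {check_fetch_url(u, fake_resolver)}")
```

One caveat a practitioner should keep in mind: the address checked here and the address the HTTP client later connects to come from separate lookups, so a name whose answer changes between them (DNS rebinding) or a redirect to an internal host can still get through. The robust version pins the validated address when opening the connection and either disables redirects or re-validates each hop.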

Authentication is about verifying user identity, typically through passwords, while authorization is about access control to applications and data.

Client-side authentication can be easily manipulated; server-side authentication is recommended for security.

Local file inclusion (LFI) is a vulnerability where user input can lead to the inclusion of unintended local files on the server.

Path traversal allows attackers to access unauthorized files on the web server by manipulating directory paths.

File upload vulnerability can enable attackers to upload malicious files to the server, potentially executing arbitrary code.

Webshell is a type of file that, when uploaded, allows execution of OS commands through the web application.

Transcripts

00:00 Welcome back to the web security session. Today we are going to look at web security overview, which includes OWASP Top 10 overview, client-side authentication, local file inclusion, path traversal and file upload.

00:13 Before we get started, let's recap. In this figure, on the left side is the client and on the right side is the server. On each side there are vulnerabilities or security issues that can occur. On the client side we have XSS, CSRF and client-side authentication, while on the server side we have SQL injection, SSRF, local file inclusion, path traversal and file upload. We will dive into this topic later.

00:42 Let's start with OWASP Top 10. OWASP Top 10 project is a list of 10 web security vulnerabilities that can have a significant impact on security. First published in 2003, it is regularly updated. Many standards, books, papers and organizations refer to this OWASP Top 10 project. The security vulnerabilities list is updated every 3 or 4 years regularly.

01:08 This is what the OWASP Top 10 tables look like for previous years. In the previous slide we learned that OWASP Top 10 lists serious vulnerabilities and that they are updated every 3 or 4 years, and on the right side is the latest 2021 version. Let's check the content of this table together. The injection was top one in both the 2013 and 2017 ranks but dropped to number three in the latest version. The injection includes SQL, OS command injection and LDAP injection. Broken authentication is always in the top rank; this includes broken access control and broken authentication and session management. XSS, also known as cross-site scripting, is out in the latest version; instead the SSRF, or server-side request forgery, has now been added to the latest version. Security configuration is A5 in the latest version, A6 in the 2017 version and A6 in the 2013 version. This means proper configuration is important in security. Also, outdated component is rank six, which means regular updates of the latest version of the software can protect from many vulnerabilities. It was also ranked nine in both the 2013 and 2017 tables as using known vulnerable components and using components with known vulnerabilities. So do update your software and keep it the latest because it can protect you from many vulnerabilities.

02:35 Now let's see what injection and SSRF are. The injection includes SQL, OS command and LDAP injection, and it occurs when a web application uses the user input without validating the user input. On the other hand, attackers use SSRF and make the server request to the other server. SSRF occurs when a web application imports a remote resource without validating the URL provided by the user.

03:01 Before we talk in detail about client-side authentication, let's look at authorization versus authentication. Authentication is the process of verifying who the user is. It works through passwords in general. On the other hand, authorization is the process of verifying what applications and data a user can access to. Authorization always takes place after authentication. When authentication is processed on the client side it can be easily manipulated and bypassed. Developers never authenticate using JavaScript; instead they authenticate on the server side.

03:38 Let's move on to local file inclusion. Local file inclusion is the process of including files that are locally present on the server. This vulnerability can occur when a page receives the path to the file that has to be included as user input. For example, here we have the following URL. The following server URL can act like this: instead of this URL with read.php as written in the subtitle, we can use other URL which is also shown in the subtitle. If there is a local file located in the URL, the local file /etc/passwd can also be included. With that we can leak the contents in /etc/passwd.

04:22 If you understand the LFI vulnerability that we covered in the previous video, you can understand path traversal. A path traversal vulnerability allows the attackers to access files on the web server that they should not access. The attacker can call other APIs by accessing the parent path. ".." means parent directory, which means the attacker can access files in the parent directory. In other words, the attacker can traverse the server.

04:49 Now let's take a look at some examples of path traversal bypass techniques. Let's take a look one by one at this payload. First is this in the subtitle, which is the parent directory. Second we have "..%2f", which is the hexadecimal expression of ASCII code for slash. We can also change the dot with "%2e" and it would make it like this in the subtitle. Then we have "..\". Backslash can also be encoded as "%5c". We can also express it like this in the subtitle. Finally we have this as shown in the subtitle. There are also many other types of payloads besides this.

05:31 Let's move on to the file upload vulnerability. File upload means uploading some files to a server through a web service. Users can upload photos and documents to the server so that they can share them with other users. If the server has a file upload vulnerability, the attacker can upload the malicious file to the server's file system. If users can upload the arbitrary file to the web service operating directory, they can execute the arbitrary code on the server. OS commands may be executed with functions supported by the web application language; example is shown in the subtitle. This is called webshell. When you successfully upload a webshell to the web server, you can run OS commands through the website.
