OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfiguration
OWASP ASVS requirements covered by these two categories:

Access 4.1.3: Verify that the principle of least privilege exists - users should only be able to access functions, data files, URLs, controllers, services, and other resources for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. (C7)
Access 4.1.4: Verify that the principle of deny by default exists, whereby new users/roles start with minimal or no permissions and users/roles do not receive access to new features until access is explicitly assigned. (C7)
Access 4.1.5: Verify that access controls fail securely, including when an exception occurs. (C10)
Access 4.2.1: Verify that sensitive data and APIs are protected against direct object attacks targeting creation, reading, updating and deletion of records, such as creating or updating someone else's record, viewing everyone's records, or deleting all records.
Access 4.3.2: Verify that directory browsing is disabled unless deliberately desired. Additionally, applications should not allow discovery or disclosure of file or directory metadata, such as Thumbs.db, .DS_Store, .git or .svn folders.
Config 14.2.2: Verify that all unneeded features, documentation, samples and configurations are removed, such as sample applications, platform documentation, and default or example users.
Config 14.5.3: Verify that the cross-domain resource sharing (CORS) Access-Control-Allow-Origin header uses a strict white-list of trusted domains to match against and does not support the "null" origin.
Config 14.4.4: Verify that all responses contain X-Content-Type-Options: nosniff.
Broken Access Control (42%)
Broken Access Control: Basics

Role         Permissions
Admin        User + Admin
User         Just User
Supervisor   User + Supervisor
Manager      User + Manager

Example URLs:
web_app.com/admin/
web_app.com/user_info?user=1
1. Modifying a GET parameter in the URL
http://10.2.3.143/bWAPP/directory_traversal_2.php?directory=documents
http://10.2.0.170/bWAPP/directory_traversal_1.php?page=message.txt
2. Restricted folder access
http://10.2.3.143/bWAPP/restrict_folder_access.php
http://10.2.3.143/bWAPP/documents/ (login as guest)
3. Using a malicious URL as a parameter
http://10.2.3.143/bWAPP/rlfi.php
http://www.c99php.com/shell/symlink.txt
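The three bWAPP cases above all come down to a user-controlled value being turned into a file path or an include target. Below is an added example (not code from the slides or from bWAPP) of how the server side should treat such parameters: a ?directory= value is resolved and checked against the document root on its normalised absolute form, and a ?page= value is matched against an allow-list and may never be a URL. DOCUMENT_ROOT and ALLOWED_PAGES are constructed values for this example.

```python
import os
from typing import Optional
from urllib.parse import urlparse

# Constructed values for this example: the base directory that ?directory=
# may browse, and the only files that ?page= may include.
DOCUMENT_ROOT = "/var/www/app"
ALLOWED_PAGES = {"message.txt", "help.txt"}


def safe_path(base: str, requested: str) -> Optional[str]:
    """Resolve `requested` beneath `base`; return None if it would escape.

    The decision is made on the normalised absolute path, so '..' segments,
    doubled slashes and absolute paths are all handled the same way instead
    of by pattern-matching the raw string.
    """
    if "\x00" in requested:
        return None  # a NUL byte would truncate the path in C-level file APIs
    base_abs = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_abs, requested))
    # Allowed only if it is the base itself or strictly inside it.
    if candidate != base_abs and not candidate.startswith(base_abs + os.sep):
        return None
    return candidate


def resolve_page(page: str) -> Optional[str]:
    """Map ?page= onto a file in DOCUMENT_ROOT through an allow-list.

    Remote URLs (the rlfi.php case on the slide) and anything containing a
    path separator are rejected before the allow-list is even consulted.
    """
    if urlparse(page).scheme or "/" in page or "\\" in page:
        return None
    if page not in ALLOWED_PAGES:
        return None
    return os.path.join(os.path.realpath(DOCUMENT_ROOT), page)


def list_directory_param(directory: str) -> Optional[str]:
    """Handler for ?directory=: the directory to list, or None (answer 403)."""
    return safe_path(DOCUMENT_ROOT, directory)


if __name__ == "__main__":
    for d in ("documents", "../../etc", "/etc"):
        print(f"?directory={d!r:<12} -> {list_directory_param(d)}")
    for p in ("message.txt", "http://www.c99php.com/shell/symlink.txt"):
        print(f"?page={p!r} -> {resolve_page(p)}")
```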
What is confidential:
● Tokens
● API Keys
● Passwords
● Certificates
Strictly prohibited!!
    bank_config = {
        acc_name   = "admin"
        auth_token = "Djkdfhsdjkf342RFfdgffhdsfg"
        pass       = "qwerty1234"
        email      = "admin@admin.com"
    }
Strictly prohibited also!!
You can be vulnerable if:
● Access control checks can be bypassed by changing the URL
● A user is allowed to change the primary key to another user's account, which lets them view or edit that account
● Elevation of privilege is possible: acting as a user without being logged in, or acting as an admin when logged in as a user
● Authenticated pages can be browsed as an unauthenticated user, or privileged pages as a standard user
Recommendations
● Implement access controls once and reuse them throughout the application
● Only the account holder should be able to change the account's data
● Do not leave backups of account settings where they can be reached, for example in a git repository
● Log access control failures
● JWT tokens should be invalidated on the server after logout
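The role table from the Basics slide, the ASVS items 4.1.3 / 4.1.4 / 4.1.5 / 4.2.1 and the recommendations above all fit into a single decision point. The following is an added example (not code from the slides): one authorize() function that every handler calls, with roles mapped to the permission sets the slide lists, deny by default for unregistered routes, record ownership for ?user=N, denial on any exception, and an audit entry for every refusal. Route names, the record store and the audit list are constructed for this example.

```python
import logging
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Roles and the permission sets from the slide (constructed mapping).
ROLE_PERMISSIONS: Dict[str, set] = {
    "admin":      {"user", "admin"},        # User + Admin
    "user":       {"user"},                 # Just User
    "supervisor": {"user", "supervisor"},   # User + Supervisor
    "manager":    {"user", "manager"},      # User + Manager
}

# Deny by default (ASVS 4.1.4): a route not registered here has no
# permission that could satisfy it, so nobody can reach it.
ROUTE_REQUIRES: Dict[str, str] = {
    "/admin/":    "admin",
    "/user_info": "user",
    "/reports":   "manager",
}

# Constructed record store: record id -> owning user id.
RECORD_OWNERS: Dict[int, int] = {1: 1, 2: 2, 3: 9}

# Every denial is logged and also kept here so callers can see the reason.
AUDIT: List[Tuple[Optional[int], str, str]] = []
log = logging.getLogger("access")


@dataclass(frozen=True)
class Principal:
    user_id: Optional[int]   # None means not logged in
    role: Optional[str]


def has_permission(p: Principal, needed: str) -> bool:
    return needed in ROLE_PERMISSIONS.get(p.role or "", set())


def authorize(p: Principal, route: str, record_id: Optional[int] = None,
              owner_of: Callable[[int], int] = RECORD_OWNERS.__getitem__) -> bool:
    """Decide one request. Implemented once, used by every handler.

    In order: the caller is logged in; the route is registered and the
    caller's role carries its permission (ASVS 4.1.3); when a record is
    named (?user=N) the caller owns it or holds 'admin' (ASVS 4.2.1). Any
    exception on the way, e.g. the owner lookup failing, is a denial rather
    than a pass (ASVS 4.1.5).
    """
    try:
        if p.user_id is None:
            return _deny(p, route, "unauthenticated")
        needed = ROUTE_REQUIRES.get(route)
        if needed is None or not has_permission(p, needed):
            return _deny(p, route, "missing permission")
        if record_id is not None and owner_of(record_id) != p.user_id \
                and not has_permission(p, "admin"):
            return _deny(p, route, "not record owner")
        return True
    except Exception as exc:  # fail securely
        return _deny(p, route, f"error during check: {exc!r}")


def _deny(p: Principal, route: str, reason: str) -> bool:
    AUDIT.append((p.user_id, route, reason))
    log.warning("access denied user=%s role=%s route=%s reason=%s",
                p.user_id, p.role, route, reason)
    return False


def last_denial_reason() -> Optional[str]:
    return AUDIT[-1][2] if AUDIT else None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    alice = Principal(1, "user")
    print(authorize(alice, "/user_info", 1))   # own record: True
    print(authorize(alice, "/user_info", 2))   # someone else's record: False
    print(authorize(alice, "/admin/"))         # no admin permission: False
```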
Security Misconfiguration

Security Misconfiguration: Basics
● Authorization form still accepting default credentials (User: admin, Pass: admin)
● Open ports and server configurations allowing DDoS
● robots.txt

Example 1 - default credentials
Example 2 - robots.txt
Example 3 - open ports (nmap), DDoS examples (slowloris)
You can be vulnerable if:
- Unnecessary features are enabled or installed (open ports, services, pages, accounts or privileges)
- Default accounts and their passwords are still used and unchanged
- Error handling is overly informative
- For upgraded systems, the latest security features are disabled or not configured correctly
- The server does not send security headers, or they are not set to secure values
- Software is out of date or vulnerable
Recommendations
● A minimal platform without unnecessary features, components, documentation etc. Remove or do not install unused features and frameworks.
● Send secure directives to clients (e.g. secure headers: HSTS, HPKP, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, etc.)
● Do not use default configurations
● For robots.txt:
    ○ exclude from crawling and indexing: admin page, search results, registration page, login, password reset, etc.
    ○ do not add robots.txt if the content is updated constantly
    ○ check for errors (Google Webmasters)
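The header recommendations above, together with ASVS 14.4.4 (nosniff on every response) and 14.5.3 (strict CORS allow-list, no "null" origin) from the first slide, can be turned into a check that runs over a response's headers. This is an added example, not code from the slides: an audit function that reports missing or weak values for a subset of the listed headers, and a CORS origin resolver that only reflects exact matches from a trusted set. The trusted origins and the two sample responses are constructed for the example.

```python
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Constructed allow-list of origins that may receive CORS responses.
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def _max_age(hsts: str) -> int:
    """Parse max-age out of an HSTS value; 0 if absent or malformed."""
    for part in hsts.split(";"):
        k, _, v = part.strip().partition("=")
        if k.lower() == "max-age" and v.isdigit():
            return int(v)
    return 0


# Header name -> predicate that says whether its value is a secure setting.
# ALLOW-FROM is treated as weak because current browsers ignore it.
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,
    "x-frame-options":           lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options":    lambda v: v.lower() == "nosniff",
}


def cors_origin_for(request_origin: Optional[str]) -> Optional[str]:
    """Value to send in Access-Control-Allow-Origin, or None for no header.

    Strict allow-list matching (ASVS 14.5.3): the Origin is normalised to
    scheme://host[:port] and compared exactly, so neither '*', the literal
    'null' origin, nor a lookalike host that merely starts with a trusted
    name is ever reflected back.
    """
    if not request_origin or request_origin == "null":
        return None
    o = urlparse(request_origin)
    if o.scheme != "https" or not o.netloc:
        return None
    origin = f"{o.scheme}://{o.netloc}".lower()
    return origin if origin in TRUSTED_ORIGINS else None


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Findings for one response's headers; an empty list means it passes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, is_secure in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif not is_secure(h[name]):
            findings.append(f"weak {name}: {h[name]}")
    acao = h.get("access-control-allow-origin")
    if acao is not None and cors_origin_for(acao) is None:
        findings.append(f"untrusted access-control-allow-origin: {acao}")
    return findings


# Constructed sample responses: a default-configured server and a hardened one.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "*",
    "X-Frame-Options": "ALLOW-FROM https://partner.example.com",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "https://app.example.com",
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_headers(resp) or "OK")
```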
Link / Literature
https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
https://www.immuniweb.com/vulnerability/improper-access-control.html
https://github.com/gkbrk/slowloris
http://blog.osinpaul.ru/2019/01/10/owasp-a6-security-misconfiguration-2017/
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
https://www.owasp.org/index.php/Testing_for_Error_Code_(OTG-ERR-001)
https://www.owasp.org/index.php/Testing_for_configuration_management
Questions?