IDOR Know-How.pdf
•
0 likes•76 views
- About Web Objects - How are they insecure - Where do they reside in OWASP Top 10 - Access Control issues - Compliant and non-compliant codes - Test cases
Report
Share
Report
Share
Download to read offline
Recommended
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.
Method for exploiting IDOR on nodejs+mongodb based backend
Luis Alvarado Day, Associate Manager at Arstar IT
OWASP Top 10 Web Application Vulnerabilities
This document provides an overview of the OWASP Top 10 Risk Rating Methodology. It explains how risks are rated based on four factors: threat agent, attack vector, technical impact, and business impact. Each factor is given a rating of 1-3 (easy to difficult) and these ratings are multiplied together to calculate an overall weighted risk rating. An example of how this methodology would be applied to an SQL injection vulnerability is also provided.
OWASP Top 10 2021 What's New
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
OWASP Top 10 2021 Presentation (Jul 2022)
The document provides information about the OWASP Top 10 2021 list of web application security risks. It describes the top risk, A01: Broken Access Control, giving its definition, examples of vulnerabilities it can enable, prevention methods, and examples. It also summarizes the second and third top risks, A02: Cryptographic Failures and A03: Injection, in a similar manner.
API Security - OWASP top 10 for APIs + tips for pentesters
The document discusses modern application security issues related to APIs. It begins with an overview of common API security risks like SQL injection, XSS, and CSRF. It then focuses on how application security has changed with the transition to modern architectures that are API-focused, use cloud infrastructure, and follow DevOps practices. Key changes discussed include less abstraction layers, clients handling more responsibility, and APIs exposing more data and endpoints directly. The document also summarizes the OWASP API security project and proposed API security top 10 risks. Real attack examples are provided to illustrate broken authorization and authentication vulnerabilities.
Vulnerabilities in modern web applications
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
Bug bounty
This document discusses bug bounty programs (BBPs), which reward security researchers for responsibly disclosing software vulnerabilities. It introduces BBPs, noting they save companies money while improving security. Major companies like Google and Facebook run BBPs. The document outlines prerequisites for BBPs like learning security testing techniques. It provides tips for finding vulnerabilities like understanding a site's scope, tools, and avoiding duplicate reports. Common vulnerability types in BBPs include injection flaws and insecure data storage.
Insecure direct object reference (null delhi meet)
This document discusses insecure direct object references (IDOR), a type of access control vulnerability. IDOR occurs when an application exposes references to unauthorized resources, such as allowing access to another user's account, through direct manipulation of the reference URL or parameter. The document explains how IDOR works using examples, how attackers can discover and exploit IDOR vulnerabilities, and considerations for when it may not be critical even if present. It also provides resources for further information on testing and remediating IDOR issues.
Recommended
2022 APIsecure_Method for exploiting IDOR on nodejs+mongodb based backend
APIsecure - April 6 & 7, 2022
APIsecure is the world’s first conference dedicated to API threat management; bringing together breakers, defenders, and solutions in API security.
Method for exploiting IDOR on nodejs+mongodb based backend
Luis Alvarado Day, Associate Manager at Arstar IT
OWASP Top 10 Web Application Vulnerabilities
This document provides an overview of the OWASP Top 10 Risk Rating Methodology. It explains how risks are rated based on four factors: threat agent, attack vector, technical impact, and business impact. Each factor is given a rating of 1-3 (easy to difficult) and these ratings are multiplied together to calculate an overall weighted risk rating. An example of how this methodology would be applied to an SQL injection vulnerability is also provided.
OWASP Top 10 2021 What's New
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
OWASP Top 10 2021 Presentation (Jul 2022)
The document provides information about the OWASP Top 10 2021 list of web application security risks. It describes the top risk, A01: Broken Access Control, giving its definition, examples of vulnerabilities it can enable, prevention methods, and examples. It also summarizes the second and third top risks, A02: Cryptographic Failures and A03: Injection, in a similar manner.
API Security - OWASP top 10 for APIs + tips for pentesters
The document discusses modern application security issues related to APIs. It begins with an overview of common API security risks like SQL injection, XSS, and CSRF. It then focuses on how application security has changed with the transition to modern architectures that are API-focused, use cloud infrastructure, and follow DevOps practices. Key changes discussed include less abstraction layers, clients handling more responsibility, and APIs exposing more data and endpoints directly. The document also summarizes the OWASP API security project and proposed API security top 10 risks. Real attack examples are provided to illustrate broken authorization and authentication vulnerabilities.
Vulnerabilities in modern web applications
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
Bug bounty
This document discusses bug bounty programs (BBPs), which reward security researchers for responsibly disclosing software vulnerabilities. It introduces BBPs, noting they save companies money while improving security. Major companies like Google and Facebook run BBPs. The document outlines prerequisites for BBPs like learning security testing techniques. It provides tips for finding vulnerabilities like understanding a site's scope, tools, and avoiding duplicate reports. Common vulnerability types in BBPs include injection flaws and insecure data storage.
Insecure direct object reference (null delhi meet)
This document discusses insecure direct object references (IDOR), a type of access control vulnerability. IDOR occurs when an application exposes references to unauthorized resources, such as allowing access to another user's account, through direct manipulation of the reference URL or parameter. The document explains how IDOR works using examples, how attackers can discover and exploit IDOR vulnerabilities, and considerations for when it may not be critical even if present. It also provides resources for further information on testing and remediating IDOR issues.
Saying Hello to Bug Bounty
This document provides an introduction to bug bounty programs. It discusses what a bug bounty is, which are popular bug bounty platforms, how to choose target programs, reconnaissance methods like subdomain enumeration and content discovery, attacking single domains by analyzing requests and responses and hidden endpoints, and provides examples of the author's past bug bounty finds. The presentation ends by answering any questions about bug bounty programs.
OWASP Top 10 - 2017
The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
Cross Site Scripting ( XSS)
Cross Site Scripting (XSS) is a vulnerability that allows malicious users to insert client-side code into web pages that is then executed by a user's browser. This code can steal cookies, access private information, perform actions on the user's behalf, and redirect them to malicious websites. XSS works by having the server display input containing malicious JavaScript from a request. There are different types of XSS attacks, including non-persistent, persistent, and DOM-based attacks. Prevention methods include validating, sanitizing, and escaping all user input on the server-side and client-side. Web vulnerability scanners like Burp Suite can help test for XSS and other vulnerabilities.
iOS Application Static Analysis - Deepika Kumari.pptx
This document discusses static analysis techniques for testing iOS applications. It covers analyzing the app manifest file (plist) for sensitive information, checking for insecure data storage in databases and the keychain, verifying code signatures, and dumping runtime memory. The document provides examples of using tools like MobSF, otool, and objection to extract plaintext passwords and other data from test apps.
Static Analysis Security Testing for Dummies... and You
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Secure code practices
Secure code best practices for developers. And comparison of 2017 and 2021 OWASP top 10 with description of vulnerability and mitigation.
Waf bypassing Techniques
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
Sql injections - with example
The slide consists of:
An explanation for SQL injections.
First order and second order SQL injections.
Methods: Normal and Blind SQL injections with examples.
Examples: Injection using true/false, drop table and update table commands.
Prevention using dynamic embedded SQL queries.
Conclusion and References.
Owasp top 10 vulnerabilities
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
Secure coding presentation Oct 3 2020
Secure coding is the practice of developing software securely by avoiding security vulnerabilities. It involves understanding the application's attack surface and using techniques like input validation, secure authentication, access control, and encrypting sensitive data. The OWASP organization provides free tools and guidelines to help developers code securely, such as their Top 10 security risks and cheat sheets on issues like injection, authentication, and access control. Developers should use static and dynamic application security testing tools to identify vulnerabilities and continuously learn about secure coding best practices.
SSRF For Bug Bounties
The document discusses Server Side Request Forgery (SSRF), including what it is, different types (blind and basic), ways to exploit it like bypassing filters and chaining vulnerabilities, tools that can be used for detection, and two case studies of SSRF vulnerabilities found in the wild. The first case involves using an SSRF to retrieve internal data and then storing malicious HTML in a generated PDF. The second case was an unauthenticated blind SSRF in a Jira OAuth authorization controller that was exploited through a malicious Host header.
Pentesting ReST API
The document provides an overview of a presentation on pentesting REST APIs. The presentation will cover basic theory, personal experience, methodology, tools used, test beds, example vulnerabilities, common findings, and include hands-on demos. The presentation will discuss both SOAP and REST APIs, pentesting approaches, tools like Postman and Burp Suite, example test beds like Hackazon and Mutillidae, and common API vulnerabilities like information disclosure, IDOR, and token issues.
Introduction to Web Application Penetration Testing
These slides give an introduction to all the different things and stages that make a complete web application penetration test. It starts from the very basics, including how to define a Scope of Engagement.
These slides are part of the course Introduction to Web Application Security and Penetration Testing with Netsparker, which can be found here: https://www.netsparker.com/blog/web-security/introduction-web-application-penetration-testing/
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
This document discusses security issues related to broken access control and security misconfiguration. It provides examples of broken access control including modifying URL parameters to access restricted resources, restricting folder access, and using malicious URLs as parameters. Recommendations are given to implement access controls consistently, limit account data changes to account holders, and log access control failures. Examples of security misconfiguration include using default credentials and configurations, having an overly informative error handling, and leaving unnecessary features enabled. Recommendations include removing unused features, sending secure headers, not using default configurations, and properly configuring robots.txt files. Links to additional resources on these topics are also provided.
Secure Code Review 101
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
OWASP Secure Coding
Good Secure Development Practices Presented By: Bil Corry lasso.pro Education Project. It recommends validating all user input, distrusting even your own requests, and taking a layered approach to validation, enforcement of business rules, and authentication. Some specific best practices include implementing positive authentication, principle of least privilege, centralized authorization routines, separating admin and user access, and ensuring error handling fails safely.
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
The document summarizes API security topics presented by Erez Yalon at a Checkmarx Meetup event. Yalon discusses how API-based applications are different from traditional apps and deserve their own security focus. He outlines the OWASP API Security Project and the proposed API Security Top 10 risks, including broken object level authorization, excessive data exposure, lack of resources/rate limiting, and improper asset management. Yalon calls for community contributions to further develop the Top 10 and other API security resources.
Xss attack
An XSS attack is a type of vulnerability that allows malicious scripts to be injected into web pages viewed by other users. There are three main types: reflected XSS occurs when a link containing malicious code is clicked; stored XSS injects code directly into a vulnerable website, potentially affecting many users; DOM-based XSS involves injecting code into a website hosted on a user's local system, allowing the attacker to access that user's browser privileges. The document provides examples of how XSS attacks work and can be used to hijack accounts, insert hostile content, steal cookies, and redirect users.
Directory Traversal & File Inclusion Attacks
Directory traversal, also known as path traversal, allows attackers to access files and directories outside of the web server's designated root folder. This can lead to attacks like file inclusion, where malicious code is executed on the server, and source code disclosure, where sensitive application code is revealed. Local file inclusion allows attackers to include files from the local web server, while remote file inclusion includes files from external websites, potentially allowing remote code execution on the vulnerable server.
Top 10 Web Security Vulnerabilities (OWASP Top 10)
The document summarizes the top 10 security vulnerabilities in web applications according to the Open Web Application Security Project (OWASP). These include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. Countermeasures for each vulnerability are also provided.
CiNPA Security SIG - Exploiting the Tiredful API
Exploiting the Tiredful API
Matt Scheurer
https://twitter.com/c3rkah
Abstract:
The "Tiredful API" is an intentionally designed broken app. The aim of this web app is to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. This presentation features live demos exploiting some of the known vulnerabilities including: Information Disclosure, Insecure Direct Object Reference, Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS).
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. Matt has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. He maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Information Systems Security Association (ISSA), and InfraGard.
SecureWV: Exploiting Web APIs
Topic: Exploiting Web APIs
Speaker: Matt Scheurer
https://twitter.com/c3rkah
Abstract:
This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference (IDOR), Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS). Many of these vulnerabilities are contained in the OWASP Top 10 list.
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
More Related Content
What's hot
Saying Hello to Bug Bounty
This document provides an introduction to bug bounty programs. It discusses what a bug bounty is, which are popular bug bounty platforms, how to choose target programs, reconnaissance methods like subdomain enumeration and content discovery, attacking single domains by analyzing requests and responses and hidden endpoints, and provides examples of the author's past bug bounty finds. The presentation ends by answering any questions about bug bounty programs.
OWASP Top 10 - 2017
The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
Cross Site Scripting ( XSS)
Cross Site Scripting (XSS) is a vulnerability that allows malicious users to insert client-side code into web pages that is then executed by a user's browser. This code can steal cookies, access private information, perform actions on the user's behalf, and redirect them to malicious websites. XSS works by having the server display input containing malicious JavaScript from a request. There are different types of XSS attacks, including non-persistent, persistent, and DOM-based attacks. Prevention methods include validating, sanitizing, and escaping all user input on the server-side and client-side. Web vulnerability scanners like Burp Suite can help test for XSS and other vulnerabilities.
iOS Application Static Analysis - Deepika Kumari.pptx
This document discusses static analysis techniques for testing iOS applications. It covers analyzing the app manifest file (plist) for sensitive information, checking for insecure data storage in databases and the keychain, verifying code signatures, and dumping runtime memory. The document provides examples of using tools like MobSF, otool, and objection to extract plaintext passwords and other data from test apps.
Static Analysis Security Testing for Dummies... and You
Most enterprise application security teams have at least one Static Analysis Security Testing (SAST) tool in their tool-belt; but for many, the tool never leaves the belt. SAST tools have gotten a reputation for being slow, error-prone, and difficult to use; and out of the box, many of them are – but with a little more knowledge behind how these tools are designed, a SAST tool can be a valuable part of any security program.
In this talk, we’ll help you understand the strengths and weaknesses of SAST tools by illustrating how they trace your code for vulnerabilities. You’ll see out-of-the-box rules for commercial and open-source SAST tools, and learn how to write custom rules for the widely-used open source SAST tool, PMD. We’ll explain the value of customizing tools for your organization; and you’ll learn how to integrate SAST technologies into your existing build and deployment pipelines. Lastly, we’ll describe many of the common challenges organizations face when deploying a new security tool to security or development teams, as well as some helpful hints to resolve these issues
Secure code practices
Secure code best practices for developers. And comparison of 2017 and 2021 OWASP top 10 with description of vulnerability and mitigation.
Waf bypassing Techniques
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
Sql injections - with example
The slide consists of:
An explanation for SQL injections.
First order and second order SQL injections.
Methods: Normal and Blind SQL injections with examples.
Examples: Injection using true/false, drop table and update table commands.
Prevention using dynamic embedded SQL queries.
Conclusion and References.
Owasp top 10 vulnerabilities
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
Secure coding presentation Oct 3 2020
Secure coding is the practice of developing software securely by avoiding security vulnerabilities. It involves understanding the application's attack surface and using techniques like input validation, secure authentication, access control, and encrypting sensitive data. The OWASP organization provides free tools and guidelines to help developers code securely, such as their Top 10 security risks and cheat sheets on issues like injection, authentication, and access control. Developers should use static and dynamic application security testing tools to identify vulnerabilities and continuously learn about secure coding best practices.
SSRF For Bug Bounties
The document discusses Server Side Request Forgery (SSRF), including what it is, different types (blind and basic), ways to exploit it like bypassing filters and chaining vulnerabilities, tools that can be used for detection, and two case studies of SSRF vulnerabilities found in the wild. The first case involves using an SSRF to retrieve internal data and then storing malicious HTML in a generated PDF. The second case was an unauthenticated blind SSRF in a Jira OAuth authorization controller that was exploited through a malicious Host header.
Pentesting ReST API
The document provides an overview of a presentation on pentesting REST APIs. The presentation will cover basic theory, personal experience, methodology, tools used, test beds, example vulnerabilities, common findings, and include hands-on demos. The presentation will discuss both SOAP and REST APIs, pentesting approaches, tools like Postman and Burp Suite, example test beds like Hackazon and Mutillidae, and common API vulnerabilities like information disclosure, IDOR, and token issues.
Introduction to Web Application Penetration Testing
These slides give an introduction to all the different things and stages that make a complete web application penetration test. It starts from the very basics, including how to define a Scope of Engagement.
These slides are part of the course Introduction to Web Application Security and Penetration Testing with Netsparker, which can be found here: https://www.netsparker.com/blog/web-security/introduction-web-application-penetration-testing/
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
This document discusses security issues related to broken access control and security misconfiguration. It provides examples of broken access control including modifying URL parameters to access restricted resources, restricting folder access, and using malicious URLs as parameters. Recommendations are given to implement access controls consistently, limit account data changes to account holders, and log access control failures. Examples of security misconfiguration include using default credentials and configurations, having an overly informative error handling, and leaving unnecessary features enabled. Recommendations include removing unused features, sending secure headers, not using default configurations, and properly configuring robots.txt files. Links to additional resources on these topics are also provided.
Secure Code Review 101
Secure code review is probably the most effective technique to identify security bugs early in the system development lifecycle.
When used together with automated and manual penetration testing, code review can significantly increase the cost effectiveness of an application security verification effort. This presentation explain how can we start secure code review effectively.
OWASP Secure Coding
Good Secure Development Practices Presented By: Bil Corry lasso.pro Education Project. It recommends validating all user input, distrusting even your own requests, and taking a layered approach to validation, enforcement of business rules, and authentication. Some specific best practices include implementing positive authentication, principle of least privilege, centralized authorization routines, separating admin and user access, and ensuring error handling fails safely.
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
The document summarizes API security topics presented by Erez Yalon at a Checkmarx Meetup event. Yalon discusses how API-based applications are different from traditional apps and deserve their own security focus. He outlines the OWASP API Security Project and the proposed API Security Top 10 risks, including broken object level authorization, excessive data exposure, lack of resources/rate limiting, and improper asset management. Yalon calls for community contributions to further develop the Top 10 and other API security resources.
Xss attack
An XSS attack is a type of vulnerability that allows malicious scripts to be injected into web pages viewed by other users. There are three main types: reflected XSS occurs when a link containing malicious code is clicked; stored XSS injects code directly into a vulnerable website, potentially affecting many users; DOM-based XSS involves injecting code into a website hosted on a user's local system, allowing the attacker to access that user's browser privileges. The document provides examples of how XSS attacks work and can be used to hijack accounts, insert hostile content, steal cookies, and redirect users.
Directory Traversal & File Inclusion Attacks
Directory traversal, also known as path traversal, allows attackers to access files and directories outside of the web server's designated root folder. This can lead to attacks like file inclusion, where malicious code is executed on the server, and source code disclosure, where sensitive application code is revealed. Local file inclusion allows attackers to include files from the local web server, while remote file inclusion includes files from external websites, potentially allowing remote code execution on the vulnerable server.
Top 10 Web Security Vulnerabilities (OWASP Top 10)
The document summarizes the top 10 security vulnerabilities in web applications according to the Open Web Application Security Project (OWASP). These include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. Countermeasures for each vulnerability are also provided.
What's hot (20)
iOS Application Static Analysis - Deepika Kumari.pptx
iOS Application Static Analysis - Deepika Kumari.pptx
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Similar to IDOR Know-How.pdf
CiNPA Security SIG - Exploiting the Tiredful API
Exploiting the Tiredful API
Matt Scheurer
https://twitter.com/c3rkah
Abstract:
The "Tiredful API" is an intentionally designed broken app. The aim of this web app is to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. This presentation features live demos exploiting some of the known vulnerabilities including: Information Disclosure, Insecure Direct Object Reference, Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS).
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. Matt has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. He maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Information Systems Security Association (ISSA), and InfraGard.
SecureWV: Exploiting Web APIs
Topic: Exploiting Web APIs
Speaker: Matt Scheurer
https://twitter.com/c3rkah
Abstract:
This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference (IDOR), Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS). Many of these vulnerabilities are contained in the OWASP Top 10 list.
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
Security In PHP Applications
Seminar on various security issues faced by PHP developers and ways to avoid them.
The Examples used in the seminar can be downloaded from -> http://www.sanisoft.com/blog/wp-content/uploads/2009/08/security.tar.gz
Ethical_Hacking_ppt
The document discusses ethical hacking and summarizes key points in 3 sentences:
Ethical hackers, also known as white hats, help improve security by identifying vulnerabilities in systems without malicious intent and work to fix them, while black hat hackers break into systems illegally; common hacking techniques include SQL injection, cross-site scripting, and using Google dorks to find sensitive information on public websites. The document outlines skills and jobs of ethical hackers, different types of hackers, and provides examples of common attacks like SQL injection and cross-site scripting.
PwnSchool: Exploiting Web APIs
Meeting Topic: Exploiting Web APIs
Speaker: Matt Scheurer
https://twitter.com/c3rkah
Abstract:
This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference, Access Control, Throttling, SQL Injection (SQLite), and Cross Site Scripting (XSS). Many of these vulnerabilities are contained in the OWASP Top 10.
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), Information Systems Security Association (ISSA), and InfraGard.
CONHESI 2021 - Exploiting Web APIs
Topic: Exploiting Web APIs
Speaker: Matt Scheurer
https://twitter.com/c3rkah
Abstract:
This talk features live demos of Web API exploits against the “Tiredful API”, which is an intentionally broken web app. The objectives are to teach developers, QA, or security professionals about flaws present in a Web Services (REST API) due to insecure coding practices. Examples include: Information Disclosure, Insecure Direct Object Reference (IDOR), Access Control, Throttling, SQL Injection (SQLi), and Cross Site Scripting (XSS). Many of these vulnerabilities are found in the OWASP Top 10 list.
Bio:
Matt Scheurer works on a Computer Security Incident Response Team (CSIRT) performing Digital Forensics and Incident Response (DFIR). Matt has more than twenty years of combined experience in Information Technology and Information Security. He is the Security Director for the Cincinnati Networking Professionals Association (CiNPA) and a 2019 comSpark “Rising Tech Stars Award” winner. He has presented on numerous Information Security topics at many local area technology groups and large Information Security conferences across the country. Matt maintains active memberships in several professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Information Systems Security Association (ISSA), and InfraGard.
Owasp top 10 2013
The document summarizes the OWASP 2013 top 10 list of web application security risks. It provides descriptions and examples for each of the top 10 risks: 1) Injection, 2) Broken Authentication and Session Management, 3) Cross-Site Scripting (XSS), 4) Insecure Direct Object References, 5) Cross-Site Request Forgery (CSRF), 6) Security Misconfiguration, 7) Sensitive Data Exposure, 8) Missing Function Level Access Control, 9) Using Components with Known Vulnerabilities, and 10) Unvalidated Redirects and Forwards. Protection strategies are also outlined for each risk.
Php & Web Security - PHPXperts 2009
The document discusses various web application security issues like SQL injection, input validation, cross-site scripting and provides recommendations to prevent these vulnerabilities when developing PHP applications. It emphasizes the importance of validating all user inputs, using prepared statements and output encoding to prevent code injection attacks and ensuring session security. The document also covers other attacks like cross-site request forgery and provides mitigation techniques.
4 andrii kudiurov - web application security 101
This document provides an overview of common web application security vulnerabilities and how to test for them. It covers:
1. Never trusting user input and how HTTP works.
2. Testing for misconfiguration issues, hidden options, forced navigation, mass parameter assignment, CSRF, injection flaws like XSS and SQLi, open redirect, path traversal, and DoS vulnerabilities.
3. Recommending automation tools like Dirbuster and BurpSuite to help find issues, but noting that context is important and automated scanners have limitations. More manual testing is needed.
Drupal campleuven: Secure Drupal Development
Drupal core is a secure product, but how secure are contrib modules? And custom ones?
This session is about proper use of the drupal api's and some best practices for secure drupal development.
Hacking Client Side Insecurities
The document discusses various techniques for hacking client-side insecurities, including discovering clients on the internet and intranet, attacking client-side through JavaScript jacking and pluggable protocol handlers, exploiting cross-site request forgery vulnerabilities, and fingerprinting clients through analysis of HTTP headers and browser information leaks. The presentation aims to demonstrate these hacking techniques through examples and a question/answer session.
Securing the Web @DevDay Da Nang 2018
With the right skills, tools and software, you can protect yourself and remain secure. This session will take attendees from no knowledge of open source web security tools to a deep understanding of how to use them and their growing set of capabilities.
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
The document discusses web security and tools for assessing vulnerabilities. It covers the top 10 vulnerabilities according to OWASP, including code injection, broken authentication, sensitive data exposure, and more. Examples of each vulnerability are provided. Open source tools for scanning websites for vulnerabilities are also introduced, such as VEGA, OpenVAS, and the Zed Attack Proxy (ZAP). ZAP is highlighted for its features like being open source, easy to use, free, and actively developed by an international team.
Why Browser Debugger is a Developer's Best Friend
This document discusses how browser developer tools can help developers debug and develop Odoo web pages. It covers the main developer tools in browsers like Chrome and Firefox, including the Elements, Console, Sources, Network, and other tools. It provides tips on how to use each tool to inspect HTML, execute JavaScript, debug code issues, analyze network requests, and more in order to better understand how Odoo web pages work and troubleshoot problems.
Hunting for Privilege Escalation in Windows Environment
Slides from my talk at the OFFZONE 2018 conference (https://www.offzone.moscow/report/hunting-for-privilege-escalation-in-windows-environment/)
My first zf presentation part two
This document is a summary of part two of a presentation on building a web application with the Zend Framework. It covers adding security features like authentication and authorization using Zend_Auth and Zend_Acl. It also discusses using action helpers and layouts to hook into the request dispatch process and create a consistent site-wide layout.
OWASP Top 10 vs Drupal - OWASP Benelux 2012
The document discusses securing Drupal against the OWASP Top 10 vulnerabilities. It provides examples of how vulnerabilities like SQL injection, XSS, session hijacking, insecure direct object references, CSRF, misconfiguration issues and failure to restrict URL access could occur in Drupal. It also explains the security measures Drupal has implemented, such as input filtering, form tokens, access control and encryption to address these risks.
From Reversing to Exploitation
Seminar on November 4, 2017
Currently many things has its own app on android. Are they secure enough? What if they are not engineered with security in mind? But most importantly, can we do something to them?
VTU network security(10 ec832) unit 6 notes
This document discusses network security and focuses on unit 6 which covers intruders, intrusion detection, and password management. It defines different types of intruders such as masqueraders, misfeasors, and clandestine users. It also describes common intrusion techniques like exploiting vulnerabilities, password cracking, and acquiring privileged access. The document outlines typical behavior patterns of hackers, criminal enterprises, and insider threats. Finally, it discusses the importance of intrusion detection as a secondary line of defense when intrusion prevention fails.
Similar to IDOR Know-How.pdf (20)
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
[DevDay2018] Securing the Web - By Sumanth Damarla, Tech Speaker at Mozilla
Hunting for Privilege Escalation in Windows Environment
Hunting for Privilege Escalation in Windows Environment
Recently uploaded
Generating privacy-protected synthetic data using Secludy and Milvus
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
A Comprehensive Guide to DeFi Development Services in 2024
DeFi represents a paradigm shift in the financial industry. Instead of relying on traditional, centralized institutions like banks, DeFi leverages blockchain technology to create a decentralized network of financial services. This means that financial transactions can occur directly between parties, without intermediaries, using smart contracts on platforms like Ethereum.
In 2024, we are witnessing an explosion of new DeFi projects and protocols, each pushing the boundaries of what’s possible in finance.
In summary, DeFi in 2024 is not just a trend; it’s a revolution that democratizes finance, enhances security and transparency, and fosters continuous innovation. As we proceed through this presentation, we'll explore the various components and services of DeFi in detail, shedding light on how they are transforming the financial landscape.
At Intelisync, we specialize in providing comprehensive DeFi development services tailored to meet the unique needs of our clients. From smart contract development to dApp creation and security audits, we ensure that your DeFi project is built with innovation, security, and scalability in mind. Trust Intelisync to guide you through the intricate landscape of decentralized finance and unlock the full potential of blockchain technology.
Ready to take your DeFi project to the next level? Partner with Intelisync for expert DeFi development services today!
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays, June 2024 with Maria Copot 20
Main news related to the CCS TSI 2023 (2023/1695)
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Skybuffer SAM4U tool for SAP license adoption
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Presentation of the OECD Artificial Intelligence Review of Germany
Consult the full report at https://www.oecd.org/digital/oecd-artificial-intelligence-review-of-germany-609808d6-en.htm
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Digital Marketing Trends in 2024 | Guide for Staying Ahead
https://www.wask.co/ebooks/digital-marketing-trends-in-2024
Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Trusted Execution Environment for Decentralized Process Mining
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
5th LF Energy Power Grid Model Meet-up Slides
5th Power Grid Model Meet-up
It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology.
Power Grid Model
The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services.
Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability.
Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization.
What to expect
For the upcoming meetup we are organizing, we have an exciting lineup of activities planned:
-Insightful presentations covering two practical applications of the Power Grid Model.
-An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024.
-An interactive brainstorming session to discuss and propose new feature requests.
-An opportunity to connect with fellow Power Grid Model enthusiasts and users.
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Best 20 SEO Techniques To Improve Website Visibility In SERP
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Recently uploaded (20)
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Deep Dive: Getting Funded with Jason Jason Lemkin Founder & CEO @ SaaStr
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
IDOR Know-How.pdf
- 2. Hello world! I am Bhashit Pandya 2 - Security consultant - Community person - Part-time brawlstar player You can find me at: https://bhashit.in @x30r_
- 3. 1 What it is? Let’s start with what IDORs are.. 3
- 4. Web Objects are unique property values such as IDs, tag names, usernames, files, etc. 4
- 5. Insecure Objects - Are the vuln that allows an attacker to access restricted pages and functionalities - It is a part of access control issues. - They are generally Cyclable, Predictable, Unpredictable. 5
- 6. 2 How are the objs vuln? Lets consider some examples here.. 6
- 7. They are vuln when used directly to.. ▪ Get db records (user.jsp?getUserId=12) ▪ Perform ops (changepass/user/164935) ▪ Get fs resources (getImg?img=IMG_01.jpg) ▪ Access application functionality (SideNav?menuitem=3) Replacing the expected input value with a legit unexpected value for the application that might lead to unauthorized access to data. 7
- 8. 3 How to IDOR? Demo Time! 8
- 9. OWASP.org Moving up from 5th position, it now holds 1st position in OWASP Top – 10 list. It falls under access control’s umbrella. Is it the part of OWASP Standards? Yap! 9
- 10. - Able to temper cookie with role flag. Ex: admin=0, admin=1 - Response Manipulation. - Force Browsing. - Accessing internal applications. - Privilege escalations in general. Etc.. Access Control Issues look like this: 10
- 11. 4 Whats happening behind? Let’s dive bit into the back-end code 11
- 12. Example: 12 Target: api.example.com In the profile section, following http req is triggered: GET /userinfo?employeeid=20224872&deptid=IT HTTP/2 Host: api.example.com - Observe the employeeid. - Attacker can cycle 4872 in the same param and create a script or use intruder to get the entire database.
- 13. Under the hood (Non-Compliant): 13 GET /userinfo?employeeid=20224872&deptid=IT HTTP/2 Host: api.example.com app.get('/userinfo', (req, res) => { const lookup = {} lookup.employeeID = req.query.employeeid lookup.deptID = req.query.deptid const user = getUser(lookup) res.json(user) }) function getUser(user) { const fromDB = lookupGradeInDB(user) return fromDB }
- 14. Under the hood (Compliant): 14 GET /userinfo?employeeid=20224872&deptid=IT HTTP/2 Host: api.example.com app.get('/userinfo', (req, res) => { res.setHeader('Content-Type', 'application/json') // Access Control in place! ;) if (getCurrentUser().employeeID != req.query.employeeid) { var response = {} response.message = "Access Denied" res.json(response) return false } else ({...}) })
- 15. 5 Do we have test cases? Yop! Check the next slide! 15
- 16. A checklist to go through 16
- 17. Thanks! ANY QUESTIONS? You can find me at: @x30r_ linkedin.com/in/bhashit-pandya 17
- 18. CREDITS Special thanks to all the people who made and released these awesome resources for free: ▪ Presentation template by SlidesCarnival 18