
Real Life Examples of Web Vulnerabilities (OWASP Top 10)

Knowing the common web vulnerabilities is great, but specific examples help demonstrate the relevance of these cybersecurity issues. Let’s take the approach of following the OWASP Top 10 list.

Knowing common web vulnerabilities and common cyber threats is useful, but it is often hard to think of specific examples from day-to-day news that showcase the relevance of these issues.

Let’s take the approach of following the OWASP (Open Web Application Security Project) Top 10 list, last updated in 2017.

OWASP Top 10 Web Vulnerabilities Infographic

  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Unvalidated Redirects and Forwards

A1. Injection/Using Components with Known Vulnerabilities 

The Panama Papers incident (Apr 2016)

The Panama Papers are a collection of 11.5 million records from the law firm Mossack Fonseca, originally leaked to German journalist Bastian Obermayer in 2015. Due to the sheer size of the data, the International Consortium of Investigative Journalists was approached to help.

Why was this significant?

Many public figures, present and past, had their financial dealings exposed, linking them to terrorists, drug cartels and tax havens. Some public figures had their careers affected, and in some instances, the information directly led to public unrest.

Headlines of the Panama Papers story

AFP/Getty images, The Indian Express, The Guardian, Daily Mail, whoar.co.nz

This is also significant from the cybersecurity point of view as it brought to attention the potential vulnerability and relative ease of attacking law firms, compared to the value of the information they carry. Fortune magazine wrote a commentary piece “The Panama Papers Signal A New Kind of Cyber Attack”, citing hacktivism as the motive, with income inequality as the reason. While not (actually) new, the incident did bring this to the public spotlight.


How does this relate to injection/using components with known vulnerabilities?

The documents were leaked in parts, and the firm’s site was hosted on outdated software exposed to a large number of vulnerabilities. Unfortunately, because there were so many possible attack vectors, it is hard to pin down the actual method used by whoever leaked the data.

  • WordPress 4.1 (Released December 18, 2014) — various vulnerabilities
  • Revolution Slider Plugin — unauthenticated remote file upload via ‘upload_plugin’
  • WP SMTP Plugin — mail server login information stored in plaintext
  • ALO EasyMail Newsletter plugin — mail server login information stored in plaintext
  • Drupal 7.23 (Released August 8, 2013) — 23 vulnerabilities, including code execution and privilege escalation via SQL injection of the Drupalgeddon fame
  • Apache 2.2.15, Oracle fork (March 6, 2010) — various vulnerabilities
  • Microsoft Exchange / Outlook Web Access (2009) — various vulnerabilities
  • A SQL injection flaw was discovered by 1×0123(Twitter) in their payment system

Vulnerabilities related to the Panama Papers story

Both the Revolution Slider unauthenticated file upload, which could lead to execution of PHP code, and the code execution via SQL injection in Drupal are trivial to exploit and have been thoroughly taken advantage of in the wild.

A2. Broken Authentication and Session Management / Sensitive Data Exposure 

Department of Revenue Hack (2012)

A foreign hacker was reported to have stolen 387,000 credit card numbers and 3.6 million Social Security numbers from the South Carolina Department of Revenue.

Why was this significant?

The IRS was hacked again in 2015, exposing the Social Security numbers, addresses and incomes of more than 700,000 people. This information was then used to authenticate as the victims and obtain their tax transcripts, exposing yet more data.

Even though in the first instance the credit card data was encrypted, Social Security numbers and other personally identifiable data were not.

The direct consequence of this incident is the exposure of these people to identity fraud. The 2017 Identity Fraud Study found that $16 billion was stolen from 15.4 million U.S. consumers in 2016, and that over the past six years identity thieves have stolen more than $107 billion.

How does this relate to broken authentication and session management / sensitive data exposure?

The first breach in 2012 resulted from a default password left in place in the authentication layer. In addition, the lack of encryption on some sensitive data fields, including the Social Security numbers, increased the impact of the incident.

A3. Sensitive Data Exposure 

Cloudbleed (2017)

Google’s Project Zero found that an issue in Cloudflare’s edge servers made it possible to dump memory potentially containing sensitive data, some of which was cached by search engines. The bug was named Cloudbleed.

Why was this significant?

Cloudflare acknowledged that the leak could have started as early as 22 September 2016, and that a private key used between Cloudflare machines had leaked. As nearly 6 million websites use Cloudflare’s services, and many web application defences are built on the assumption of a secure TLS channel, the impact could be large. Cloudflare estimates that between 22 September 2016 and 18 February 2017 the bug was triggered 1,242,071 times.

Cloudflare did a small sample study (99% confidence level, 2.5% margin of error), which showed a limited amount of sensitive data exposed:

  • 67.54 Internal Cloudflare Headers
  • 0.44 Cookies
  • 0.04 Authorization Headers / Tokens
  • 0 Passwords
  • 0 Credit Cards / Bitcoin Addresses
  • 0 Health Records
  • 0 Social Security Numbers
  • 0 Customer Encryption Keys

How does this relate to Sensitive Data Exposure?

This should be clear intuitively. The original flaw lay in the way broken HTML tags were parsed, causing information from a random portion of the server’s memory to be returned in the response.

A4. XML External Entities (XXE)

Android Studio, Eclipse, IntelliJ IDEA, APKTool (2017)

Check Point’s research team found vulnerabilities in popular Android development and reverse engineering tools used by developers, engineers and researchers. The issues found could lead to data exposure, as well as malicious users taking over the devices running APKTool.

The proof-of-concept showed that a malicious user could plant crafted code in shared online repositories such as those on GitHub and obtain files from the device of anyone who opened that code with these tools. Similarly, the popular APKTool had a vulnerability in its handling of the YAML configuration file, allowing files to be extracted to arbitrary locations on the system running it.

Why was this significant?

These vulnerabilities could be used to target developers’ machines and servers that load, run or decompile code.

In the development community, code and libraries are often shared in open source repositories, and an attack like this could result in sensitive documents such as credentials and source code being exposed. Developers using these popular IDEs could be led to leak sensitive files in this manner.

In the second scenario, the APKTool exploit can lead to Remote Code Execution, allowing a remote malicious user to take control of the machine, for example by extracting a PHP exploit onto the web server and then calling the web server to run it.

How does this relate to XML External Entities (XXE)?

Both attacks are due to the way XML and YML (a similar human-readable data format) are parsed. The external reference contained in the XML is processed without further checks, leading to the issues above.
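An added example, not from the original post or from the Check Point research, of what “processed without further checks” means and how a parser can refuse it: Python’s expat parser is configured to reject any entity declaration in untrusted XML. Both inputs are constructed and the SYSTEM path is a placeholder.

```python
import xml.parsers.expat

class EntityDeclarationError(ValueError):
    """Raised when untrusted XML tries to declare an entity."""

def parse_without_entities(data: bytes) -> dict:
    """Parse untrusted XML into {leaf_tag: text}. Any entity declaration,
    internal or external, aborts the parse: config data never needs one."""
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch external DTD subsets or parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id else "internal"
        raise EntityDeclarationError(f"{kind} entity {name!r} declared in untrusted input")

    parser.EntityDeclHandler = refuse_entity

    result, buf = {}, []
    parser.StartElementHandler = lambda tag, attrs: buf.clear()
    parser.CharacterDataHandler = buf.append

    def end_element(tag):
        if buf:
            result[tag] = "".join(buf).strip()
            buf.clear()

    parser.EndElementHandler = end_element
    parser.Parse(data, True)
    return result

def rejects(data: bytes) -> bool:
    """True if the document is refused because it declares an entity."""
    try:
        parse_without_entities(data)
    except EntityDeclarationError:
        return True
    return False

# Constructed inputs: a benign config and one carrying the classic external
# entity reference. The SYSTEM path is a placeholder, not a real file.
BENIGN = b"<config><name>demo-app</name><version>1.2</version></config>"
HOSTILE = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE config [ <!ENTITY leak SYSTEM "file:///PLACEHOLDER/secret"> ]>\n'
           b'<config><name>&leak;</name></config>')

if __name__ == "__main__":
    print(parse_without_entities(BENIGN))   # {'name': 'demo-app', 'version': '1.2'}
    print(rejects(HOSTILE))                  # True
```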

A5. Broken Access Control 

Snapchat / Facebook Business (Jan 2014 / Aug 2015)

Snapchat

Gibson Security detailed vulnerabilities in the Snapchat service, which Snapchat dismissed as a purely theoretical attack. A week later, brute-force enumeration had revealed 4.6 million usernames and phone numbers.

Why was this significant?

The attack seems to have been motivated at least partly by Snapchat’s assertion that the attack was theoretical and its failure to take any action. It resulted in a leak of phone numbers and user details that could be valuable for various purposes.

Facebook Business Pages

Laxman Muthiyah found that a malicious user could send a single request to assign admin permissions to themselves for a particular Facebook page. A sample request is shown below:

Request:

POST /<page_id>/userpermissions HTTP/1.1
Host: graph.facebook.com
Content-Length: 245

role=MANAGER&user=<target_user_id>&business=<associated_business_id>&access_token=<application_access_token>

Response:

true

Why was this significant?

Business pages are a widely used feature, and by executing this attack a malicious user could add themselves as an administrator and deny access to the actual manager or administrator.

How does this relate to Broken Access Control?

Both issues arose from the lack of access control checks on a specific function provided by the service.
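An added model (not Facebook’s code) of the missing check in the userpermissions request above: the same role assignment with and without an object-level authorisation step. The token values, user names and the ADMIN/MANAGER role set are assumptions for the illustration.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """The caller is not allowed to perform the requested operation."""

@dataclass
class Page:
    page_id: str
    roles: dict = field(default_factory=dict)  # user_id -> "ADMIN" | "MANAGER"

# Constructed token store: which user each access_token authenticates as.
TOKENS = {"tok-alice": "alice", "tok-mallory": "mallory"}

def set_role_unchecked(page, access_token, target_user, role):
    """Mirrors the flaw: the token is authenticated, but nobody asks whether
    its owner may manage *this* page, so any user can grant any role."""
    if access_token not in TOKENS:
        raise Forbidden("invalid access token")
    page.roles[target_user] = role
    return True

def set_role_checked(page, access_token, target_user, role):
    """Hardened: authenticate, then authorise against the target object itself."""
    caller = TOKENS.get(access_token)
    if caller is None:
        raise Forbidden("invalid access token")
    if page.roles.get(caller) != "ADMIN":
        raise Forbidden(f"{caller} is not an admin of page {page.page_id}")
    if role not in ("ADMIN", "MANAGER"):
        raise ValueError(f"unknown role {role!r}")
    page.roles[target_user] = role
    return True

def make_page():
    """Page whose only admin is alice (constructed data)."""
    return Page("<page_id>", {"alice": "ADMIN"})

def outcome(handler, page, access_token, target_user, role):
    """Run one userpermissions call and report the target's resulting role."""
    try:
        handler(page, access_token, target_user, role)
    except Forbidden:
        return "FORBIDDEN"
    return page.roles.get(target_user)

if __name__ == "__main__":
    # mallory holds a valid token but has no role on the page
    print(outcome(set_role_unchecked, make_page(), "tok-mallory", "mallory", "MANAGER"))  # MANAGER
    print(outcome(set_role_checked, make_page(), "tok-mallory", "mallory", "MANAGER"))    # FORBIDDEN
    print(outcome(set_role_checked, make_page(), "tok-alice", "mallory", "MANAGER"))      # MANAGER
```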

A6. Security Misconfiguration 

Amazon S3/Mirai (Now / Aug 2016)

Amazon S3

Notably, in recent years there have been numerous organizations that failed to protect their Amazon S3 storage buckets:

  • Australian Broadcasting Corporation (Nov 2017) — Leakage of hashed passwords, keys and internal resources.
  • United States Army Intelligence and Security Command (Nov 2017) — Various files, including Oracle Virtual Appliance (.ova) volumes, with portions marked top secret.
  • Accenture (Sept 2017) — Authentication information, including certificates, keys and plaintext passwords, as well as sensitive customer information.

There is an extremely high likelihood that similar issues will continue to be found.

Why was this significant?

A large number of organizations rely on Amazon’s S3 storage, including governments and military organizations. Past examples show that this is a pervasive problem, and the information leaked often has a high impact on the organization affected. A CSPM (Cloud Security Posture Management) solution helps monitor cloud infrastructure for common misconfigurations such as this.
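As an added example of the kind of check a CSPM tool performs (not code from any product or organization named here), a small Python scan of a constructed S3 bucket policy for statements that grant access to everyone:

```python
import json

# Constructed policy for a hypothetical bucket (not any real organisation's):
# the first statement opens the bucket to anyone, the second is scoped to one role.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}"""

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True when the Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_statements(policy):
    """Return (Sid, actions, has_condition) for every Allow statement that
    grants to everyone. Statements with a Condition are still reported:
    a condition may narrow access (e.g. to a VPC endpoint) and needs review."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        if is_public_principal(statement.get("Principal")):
            findings.append((statement.get("Sid", "<no Sid>"),
                             sorted(_as_list(statement.get("Action", []))),
                             "Condition" in statement))
    return findings

if __name__ == "__main__":
    for sid, actions, conditional in public_statements(POLICY_JSON):
        flag = "conditional" if conditional else "UNCONDITIONAL"
        print(f"{sid}: public {flag} access to {', '.join(actions)}")
```

This inspects only the bucket policy; in a real account the bucket ACL and the account’s Block Public Access settings need the same review.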

Mirai (未来)

Mirai was a botnet built from IoT devices that carried out several high-profile attacks after its discovery; its creator (“Anna-senpai”) released the code as open source and went to ground.

Why was this significant?

Mirai ran on CCTV cameras, DVRs and routers. It essentially worked by trying common default passwords, something that can easily be avoided. The entirety of the password list used is included below:

With such a simple method, the Mirai botnet produced 280 Gbps and 130 Mpps of DDoS capability, attacking the DNS provider Dyn and rendering sites such as GitHub, Twitter, Reddit, Netflix and Airbnb inaccessible.

How does this relate to Security Misconfiguration?

Security misconfiguration can range from something as simple as allowing excessive permissions to a user account, to failing to restrict resource access to external addresses. In the cases mentioned above, they were caused by misconfiguration of the passwords protecting the systems.

A7. Cross Site Scripting (XSS) 

Steam Profile Hack (Feb 2017)

This was a simple XSS hack discovered on the Steam platform, in users’ profile pages.

XSS Steam Profile Hack

Why was this significant?

While the Steam profile page feature has existed for many years, this relatively easy-to-execute hack was only discovered after a long time. The potential impact is well summarised by Reddit commenter “R3TR1X” and moderator “DirtDiglett”:

  • Redirecting a user to a website to phish their login.
  • Utilizing CSS trickery to change your profile to trick users.
  • Loading larger payloads
  • Silently draining your Steam Wallet funds.
  • Spreading Malware via an auto-download.

How does this relate to Cross Site Scripting (XSS)?

The vulnerability is a simple XSS flaw: JavaScript entered by a user on their profile page is executed in the viewer’s browser. It is a perfect example of how an innocuous feature can hide a potentially damaging flaw for many years because of a minor mistake by a developer or security tester. Simply encoding user input when displaying it would have prevented this.


A8. Insecure Deserialisation

Apache Struts 2 (Sep 2017)

Apache Struts 2, a popular framework used by many enterprise applications, was found to have a Remote Code Execution vulnerability, which could lead to malicious users gaining control over machines running these applications.

Why was this significant?

This issue affects every version of Struts using the REST plugin since 2008 and can be exploited by sending a crafted request remotely, allowing a remote attacker to run arbitrary code on the machine. Java, and specifically the Struts framework, is popular in enterprise environments, so this exploit posed a high risk to the companies involved.

How does this relate to Insecure Deserialisation?

The vulnerability lies in the XStreamHandler of the REST plugin, which deserialised data sent from untrusted sources without any type filtering.


A9. Using Components with Known Vulnerabilities 

WordPress REST API (Jan 2017)

1.5 million web pages were defaced through an unauthenticated REST API flaw that allowed malicious users to modify WordPress content.

Why was this significant?

In the normal course of software development, patches and enhancements are continuously released, with the exception of software at end-of-life. Part of this is driven by newly discovered vulnerabilities and exploits.

If public exploits are available, the difficulty of exploiting these vulnerable components often boils down to enumeration and discovery, which can easily be done with scripts or applications such as “Wappalyzer”, which identifies metadata about the application or device.

Many studies have shown that despite the publicity zero-day exploits get, many attacks come from old vulnerabilities. For example, the HPE Security Research Cyber Risk Report 2015 found that 44% of breaches came from vulnerabilities 2–4 years old.

While some vulnerabilities can be mitigated by security settings, the benefits of updating these components often outweigh the cost, and the mitigation might not be as effective as the patch. For example, in this case some web hosting companies had put in place firewall rules, but these were bypassed anyway.

How does this relate to Using Components with Known Vulnerabilities?

WordPress did not announce the actual vulnerability until one week after the relevant patch was released, to give site owners time to update their WordPress instances. The number of affected pages is testament to the ineffectiveness of that effort.

A10. Insufficient Logging and Monitoring

Insufficient Logging and Monitoring is a new entry for 2017, and reflects the rise in popularity of the term DevSecOps. Logging and monitoring are essential components in ensuring that any suspicious activity can be detected close to real time, or diagnosed after the fact.

Unfortunately, this is an extremely common issue, and one that often does not come to attention unless the company experiences an incident and is unable to triage or diagnose it.

OWASP 2020

As part of the OWASP Top 10 2020 Data Analysis Plan, OWASP is collecting a comprehensive dataset of identified application vulnerabilities to date to enable an updated analysis for 2020. We will update this post when it has been released.

Final thoughts

Cybersecurity affects all of us, and given the prevalence of technology in today's world, we should all have an awareness of the potential harm to our digital lives.

If your organization is in need of a cybersecurity partner to help secure your business-critical assets, contact us for a discussion.

Originally written by QuanHeng Lim


QuanHeng “Q” Lim was the Chief of Staff to the CTO at Horangi.
