Who are OWASP?
OWASP (the Open Web Application Security Project) is a non-profit organisation providing unbiased, vendor-neutral information and advice on application security. It does this by running a number of "projects", each with a different remit.
OWASP is perhaps best known for its flagship "OWASP Top 10 Web Application Security Risks" project, commonly known as the "OWASP Top 10". However, OWASP acts as an umbrella for dozens of projects, listed at https://owasp.org/projects/
What is the OWASP Top 10?
Every few years the OWASP community comes together to review the ten most critical web application security risks, analysing vulnerability data contributed by hundreds of organisations and covering over 100,000 real-world applications.
These vulnerabilities are assessed on a number of factors, such as how easy they are to detect, how easy they are to exploit and their potential impact, to produce the final list, published as the "OWASP Top 10 Web Application Security Risks", commonly known simply as the "OWASP Top 10" (https://owasp.org/www-project-top-ten/)
Does AppCheck test for examples of the OWASP Top 10?
Yes, these areas are all covered in AppCheck's Standard Scan Profile. Let's take a look at what's included and why AppCheck incorporates these vulnerabilities into its standard scan templates, reporting, dashboards and more.
A1:2017-Injection
Injection flaws are the most common type of fault found in web applications. They are usually the result of unfiltered user input being included directly in a command execution or database query, so that an attacker can change the structure of the command rather than just supply a value for it.
What AppCheck Does
AppCheck performs a number of checks for a large variety of injection attacks to build up a rationale as to why it thinks an application is vulnerable and where it is vulnerable, and provides an example of the payload it used to confirm the vulnerability. Browser and application frameworks evolve constantly, and new injection techniques and vectors are discovered all the time.
A2:2017-Broken Authentication
Sometimes authentication is implemented incorrectly, or an application contains routes to sensitive data that have not been put behind an authentication check. In other cases it is the session token that is vulnerable, either because it can be enumerated (predicted or guessed) or because it never expires. Either allows an attacker to obtain the session token of another user (e.g. an administrator) and take over their session to steal data.
What AppCheck Does
While crawling an application, AppCheck analyses the session for the possibility of enumeration by starting many sessions and examining the tokens it is issued. It also looks for weakly implemented authentication, for example a 302 redirect with a long response body: this usually happens when the application renders the content of a restricted view into the response and only then sends a redirect to the login page in the headers, so a client that ignores the redirect can read the restricted content.
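Both of the checks just described, as an added example that is not AppCheck's code: a batch of freshly issued session tokens is examined for sequential structure and low entropy, and a redirect response is checked for a leaked body. The tokens and responses are constructed, and the entropy threshold (3.5 bits per character), the gap limit and the 512-byte body limit are assumptions chosen for the demo, not AppCheck's values.

```python
# Added example, not AppCheck's code: two checks on constructed data. The
# entropy threshold, gap limit and body limit are assumptions for the demo.
import hashlib
import math
import re
from collections import Counter


def entropy_bits_per_char(tokens):
    """Shannon entropy of the character distribution across the whole batch."""
    counts = Counter("".join(tokens))
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess_tokens(tokens, min_entropy=3.5, max_gap=1000):
    """Findings about a batch of session tokens issued to freshly started sessions.

    reused       - the same token was handed to more than one session
    sequential   - tokens are hex values with tiny gaps, so a neighbour's
                   token can be guessed from your own
    low_entropy  - the alphabet is used too unevenly for a random token
    """
    findings = []
    if len(set(tokens)) < len(tokens):
        findings.append("reused")
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        values = []  # not hex: skip the arithmetic check
    gaps = [abs(b - a) for a, b in zip(values, values[1:])]
    if gaps and max(gaps) <= max_gap:
        findings.append("sequential")
    if entropy_bits_per_char(tokens) < min_entropy:
        findings.append("low_entropy")
    return findings


def redirect_leaks_body(status, headers, body, max_body=512):
    """True when a redirect carries a substantial HTML body: the server
    rendered the restricted view and only then decided to redirect, so a
    client that ignores the Location header can read the content anyway."""
    has_location = any(k.lower() == "location" for k in headers)
    if not (300 <= status < 400 and has_location):
        return False
    looks_like_page = re.search(rb"<(html|body|table|form)\b", body, re.I)
    return len(body) > max_body and looks_like_page is not None


# Constructed samples: a counter-based token scheme and a hash-based one.
SEQUENTIAL_TOKENS = [f"{1000 + i:08x}" for i in range(20)]
RANDOM_LOOKING_TOKENS = [hashlib.sha256(f"session-{i}".encode()).hexdigest()
                         for i in range(20)]

# Constructed responses: a normal redirect and one that leaks a payroll table.
CLEAN_REDIRECT = (302, {"Location": "/login"}, b"")
LEAKY_REDIRECT = (302, {"Location": "/login"},
                  b"<html><body><table>"
                  + b"<tr><td>payroll row</td></tr>" * 50
                  + b"</table></body></html>")

if __name__ == "__main__":
    print(assess_tokens(SEQUENTIAL_TOKENS))       # ['sequential', 'low_entropy']
    print(assess_tokens(RANDOM_LOOKING_TOKENS))   # []
    print(redirect_leaks_body(*LEAKY_REDIRECT))   # True
    print(redirect_leaks_body(*CLEAN_REDIRECT))   # False
```

A real scanner would also look at token length, whether the token changes after login, and whether the cookie carries the Secure and HttpOnly flags; the two functions above only cover the two points raised in the text.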
A3:2017-Sensitive Data Exposure
This is usually the accidental exposure of files or folders that should not be publicly accessible: for instance a hidden "invoices" folder provided for the convenience of remote workers, or a ".git" directory accidentally served from the root of the web server, which contains the full source code (and history) of the application.
What AppCheck Does
AppCheck performs "brute force" (forced-browse) discovery, meaning it tries thousands of paths, gathered from manual penetration testing, that are likely to exist. Such paths would not be found by a regular crawl because nothing in the application links to them; by requesting them and examining how the application responds, AppCheck can make you aware of them.
A4:2017-XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files via the file:// URI handler, to reach internal file shares, to port-scan internal hosts, in some environments to achieve remote code execution, and to cause denial of service.
What AppCheck Does
AppCheck injects a variety of XXE payloads to exploit misconfigured XML parsing, including the harder blind case, where nothing is returned in the response and the vulnerability can only be detected out-of-band, by the parser being induced to make a request to a server that AppCheck controls.
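The in-band case from the text, as an added example that is not AppCheck's code: one XXE payload is parsed by a Python xml.sax parser with external general entity resolution switched on (reproducing an older or misconfigured processor) and by the same parser with it left off. The "secret" file is a constructed stand-in for /etc/passwd or an internal configuration file.

```python
# Added example, not AppCheck's code: one XXE payload parsed by a parser that
# resolves external general entities and by one that does not. The secret
# file is a constructed stand-in for /etc/passwd or an internal config file.
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

SECRET = "db_password=hunter2"


class TextCollector(ContentHandler):
    """Collects the character data the parser hands to the application."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def xxe_document(file_url):
    """Classic in-band XXE: declare an external entity that points at a local
    file, then reference it where the application echoes the value back."""
    return ('<?xml version="1.0"?>'
            f'<!DOCTYPE order [<!ENTITY xxe SYSTEM "{file_url}">]>'
            '<order><note>&xxe;</note></order>')


def parse_note(xml_text, resolve_external_entities):
    """Return the text of <note> as the application would see it."""
    parser = xml.sax.make_parser()
    # Python's expat-based parser leaves external entities unresolved by
    # default (since 3.7.1); switching the feature on reproduces the behaviour
    # of an older or misconfigured XML processor.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.feed(xml_text)
    parser.close()
    return "".join(collector.parts).strip()


def demo():
    """Write the secret to a temp file, parse the payload both ways, and return
    (what the vulnerable parser leaked, what the hardened parser returned)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = pathlib.Path(tmp) / "secret.txt"
        secret_path.write_text(SECRET)
        doc = xxe_document(secret_path.as_uri())
        return parse_note(doc, True), parse_note(doc, False)


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", repr(leaked))    # 'db_password=hunter2'
    print("hardened parser returned:  ", repr(hardened))  # ''
```

The blind variant uses the same mechanism with a URL pointing at a host the tester controls instead of a local file: the file content never appears in the response, so the only evidence is the parser's outbound request. Disabling external entity resolution (or rejecting any DOCTYPE) stops both.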
A5:2017-Broken Access Control
Similar to "Broken Authentication and Session Management", this is where routes or views within the application are not properly protected. For example, it is not uncommon to see admin controls that are merely hidden from the application menu while the function itself is not restricted from an ordinary user: the application relies on nobody noticing that it is there.
What AppCheck Does
AppCheck requests every route it discovers during a crawl both as an authorised user and as an unauthorised user, and reports the results. Because each application is different, AppCheck cannot tell from this alone whether a route being reachable by both is intended, as it lacks the business context; it presents the list in its report for review.
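The hidden-admin-link failure and the replay check described above, as an added example that is not AppCheck's code. A tiny in-memory application has an admin page that the vulnerable policy protects only by hiding the menu link; the fixed policy enforces the role on the server. The crawl and replay functions imitate what a scanner does: discover routes as the most privileged user, then request each one as lower-privileged users and list those that get the same response. Roles, paths and responses are constructed.

```python
# Added example, not AppCheck's code: a tiny in-memory application whose
# admin page is only hidden from the menu, the server-side fix, and the
# replay check described above. Roles, paths and users are constructed.
from dataclasses import dataclass


@dataclass
class Request:
    path: str
    role: str  # "anonymous", "user" or "admin"


@dataclass
class Response:
    status: int
    body: str = ""


def menu_for(role):
    """The menu hides the admin link from non-admins. In the vulnerable
    configuration this hiding is the only thing protecting the page."""
    links = ["/account"]
    if role == "admin":
        links.append("/admin/users")
    return " ".join(links)


HANDLERS = {
    "/": lambda req: Response(200, menu_for(req.role)),
    "/account": lambda req: Response(200, "your account details"),
    "/admin/users": lambda req: Response(200, "all users, with delete buttons"),
}

# Which roles may call each path. A path missing from the policy is open to
# everyone: that is the broken access control.
POLICY_VULNERABLE = {"/account": {"user", "admin"}}
POLICY_FIXED = {"/account": {"user", "admin"}, "/admin/users": {"admin"}}


def dispatch(req, policy):
    """Server side: enforce the policy before running the handler."""
    handler = HANDLERS.get(req.path)
    if handler is None:
        return Response(404)
    allowed = policy.get(req.path)
    if allowed is not None and req.role not in allowed:
        return Response(401 if req.role == "anonymous" else 403)
    return handler(req)


def discover_routes(policy, role="admin"):
    """Crawl as the most privileged user so hidden admin links are found too."""
    seen, queue = set(), ["/"]
    while queue:
        path = queue.pop()
        if path in seen:
            continue
        seen.add(path)
        resp = dispatch(Request(path, role), policy)
        queue.extend(link for link in resp.body.split() if link.startswith("/"))
    return sorted(seen)


def replay_routes(paths, policy, privileged="admin", probes=("anonymous", "user")):
    """Request every discovered route as the privileged user and as each
    lower-privileged role; report routes where a lower role gets the same
    response. The scanner cannot know whether that is intended (a page meant
    for all logged-in users also matches), so this is a review list, not a verdict."""
    findings = []
    for path in paths:
        baseline = dispatch(Request(path, privileged), policy)
        for role in probes:
            if dispatch(Request(path, role), policy) == baseline:
                findings.append((path, role))
    return findings


if __name__ == "__main__":
    routes = discover_routes(POLICY_VULNERABLE)
    print(replay_routes(routes, POLICY_VULNERABLE))
    # [('/account', 'user'), ('/admin/users', 'anonymous'), ('/admin/users', 'user')]
    print(replay_routes(routes, POLICY_FIXED))
    # [('/account', 'user')]
```

Note that `/account` is reported in both runs: it is reachable by an ordinary user and by the administrator, which is exactly what the application intends. That entry is why the result has to be reviewed by someone who knows the application rather than treated as a list of vulnerabilities.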
A6:2017-Security Misconfiguration
This is often out-of-date or unpatched frameworks, or the stack the framework sits on; frequently it is a case of changing settings within the stack to harden the setup. For instance, many default web server TLS configurations make ciphers available that have known weaknesses.
What AppCheck Does
AppCheck maintains a database of common configuration faults and of out-of-date and unpatched frameworks, and flags these when they are detected.
A7:2017-Cross-Site Scripting (XSS)
Cross-site scripting is a type of injection attack in which an attacker is able to inject JavaScript into an application so that it runs in another user's browser. It is often thought of as an attack against the users of an application rather than the application itself, but more involved XSS attacks target the administration and back-office systems of an application, where the payload is stored and executed later (2nd order, or stored, attacks).
What AppCheck Does
Like other injection attacks, AppCheck uses reasoning to determine whether an application is vulnerable and presents its case in the vulnerability details. In the best case AppCheck reports the vulnerability as "confirmed", meaning it has successfully executed the injected JavaScript in a real browser. AppCheck can also detect 2nd order injection using our "Sentinel" service. Sentinel listens for a number of things to assist AppCheck in attacking an application, and one of them is our 2nd order injection payloads calling home. These can show up weeks after a scan has completed, because the stored payload is only executed when some back-office process is triggered, so if a 2nd order injection is detected AppCheck sends you a notification to make you aware of it.
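What "injected JavaScript that runs in the browser" looks like at the code level, as an added example that is not AppCheck's code: a search page reflects the query into three different HTML contexts, first the way a naive template does and then with encoding chosen per context, alongside the first-pass marker check a scanner makes before loading the page in a real browser to confirm execution. The page, payloads and function names are constructed for the demo.

```python
# Added example, not AppCheck's code: a search page that reflects the query
# into three HTML contexts, naively and then with per-context encoding, plus
# the marker check a scanner makes before confirming execution in a browser.
import html
import json


def render_vulnerable(query):
    """Reflects the raw query into an attribute, element text and a JS string."""
    return (f'<input name="q" value="{query}">'
            f'<p>Results for {query}</p>'
            f'<script>var lastQuery = "{query}";</script>')


def js_string_literal(value):
    """A JavaScript string literal safe to embed inside <script>: JSON quoting
    plus \\u escapes for < and >, so the value can never close the script
    element or open a tag, whatever it contains."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_escaped(query):
    """Same page with encoding chosen for each context."""
    text = html.escape(query, quote=True)  # covers & < > " ' for attributes and text
    return (f'<input name="q" value="{text}">'
            f'<p>Results for {text}</p>'
            f'<script>var lastQuery = {js_string_literal(query)};</script>')


def reflects_unescaped(page, payload):
    """First-pass scanner check: the payload came back byte-for-byte, so it is
    worth loading the page in a browser to see whether the script runs."""
    return payload in page


# One payload per context: breaks out of element text, an attribute, a script.
PAYLOADS = {
    "element": "<img src=x onerror=alert(1)>",
    "attribute": '" autofocus onfocus=alert(1) x="',
    "script": "</script><script>alert(1)</script>",
}


def contexts_vulnerable(render):
    """Names of the payloads a given renderer reflects unescaped."""
    return [name for name, p in PAYLOADS.items() if reflects_unescaped(render(p), p)]


if __name__ == "__main__":
    print(contexts_vulnerable(render_vulnerable))  # ['element', 'attribute', 'script']
    print(contexts_vulnerable(render_escaped))     # []
```

The substring check is only an indicator: a payload can be reflected and still be harmless (or be transformed and still execute), which is why a "confirmed" finding needs a real browser. For a 2nd order case the payload instead contains a call to a listener the tester controls, and the evidence is the callback arriving, possibly long after the scan.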
A8:2017-Insecure Deserialization
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
What AppCheck Does
As part of the injection checks, AppCheck will attempt to exploit both generic and specific deserialization vulnerabilities across a wide variety of frameworks and libraries.
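Why deserialising untrusted data leads to code execution, and one way to take the class of problem away, as an added example that is not AppCheck's code. Python's pickle is used because it shows the mechanism in a few lines: a stream can name any importable callable, and the loader calls it. The hardened form carries only data (JSON) and authenticates it with an HMAC so the server knows it produced the bytes itself. The key, the records and the harmless "payload" callback are constructed for the demo.

```python
# Added example, not AppCheck's code: why unpickling untrusted bytes runs
# code, and a hardened replacement that only carries data and rejects
# tampering. The key, the records and the "payload" are constructed.
import hashlib
import hmac
import json
import pickle

EXECUTED = []  # records what the payload did; stands in for os.system


def attacker_callback(arg):
    """Whatever the attacker names here runs during pickle.loads. A real
    payload names os.system or subprocess.Popen instead of this function."""
    EXECUTED.append(arg)
    return arg


class Exploit:
    """An object whose pickle stream instructs the loader to call a function
    of the attacker's choosing with arguments of their choosing."""

    def __reduce__(self):
        return (attacker_callback, ("code ran inside pickle.loads",))


def build_malicious_blob():
    return pickle.dumps(Exploit())


def load_vulnerable(blob):
    """Vulnerable: pickle resolves and calls any importable callable the
    stream names, before the application ever sees the result."""
    return pickle.loads(blob)


# Hardened form: a data-only format (JSON) plus an HMAC so the server can
# tell that it produced the bytes itself and they have not been altered.
KEY = b"constructed-demo-key-use-a-real-secret"


def dump_safe(obj):
    payload = json.dumps(obj, sort_keys=True).encode()
    tag = hmac.new(KEY, payload, hashlib.sha256).hexdigest().encode()
    return tag + b"." + payload


def load_safe(blob):
    tag, _, payload = blob.partition(b".")
    expected = hmac.new(KEY, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("signature mismatch: not produced by us, or tampered with")
    return json.loads(payload)  # only dicts, lists, strings and numbers come back


if __name__ == "__main__":
    print(load_vulnerable(build_malicious_blob()), EXECUTED)
    token = dump_safe({"user": "bob", "role": "user"})
    print(load_safe(token))
    tampered = token.replace(b'"role": "user"', b'"role": "admin"')
    try:
        load_safe(tampered)
    except ValueError as e:
        print("rejected:", e)
```

The HMAC stops the replay and privilege-escalation variants the text mentions (an attacker cannot mint or edit a record), but it does not make pickle safe: if a server signs attacker-supplied pickles the code still runs. The real fix is the data-only format; the signature is there to keep the data trustworthy.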
A9:2017-Using Components with Known Vulnerabilities
With the huge number of 3rd party components freely available on the internet, it is not uncommon for a developer to find a component or library and include it in an application to solve a problem or provide a widget. However, vulnerabilities are regularly discovered in these components, and either a newer version is released that the application never picks up, or the component has been abandoned and is never fixed.
What AppCheck Does
AppCheck identifies the libraries and JavaScript components used within an application, using real browsers to confirm that a component is actually present and, where possible, to determine its version. This is then compared against a database of known vulnerable components and reported. In some cases static analysis of the component's code is performed and any suspect areas are highlighted in the vulnerability details.
A10:2017-Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to continue attacking systems, maintain persistence, pivot to further systems, and tamper with, extract or destroy data. Most breach studies show that the time to detect a breach is over 200 days, and that breaches are typically detected by external parties rather than by internal processes or monitoring.
What AppCheck Does
By creating a realistic attack scenario, AppCheck exercises your monitoring and logging solutions and so can highlight weaknesses and omissions in current processes; our security team are always on hand to offer advice on best practice.