OWASP Top 10

Hiteshverma
3 min read · Mar 3, 2024

Task 17 [Severity 5] Broken Access Control

  • Broken access control occurs when a website visitor can reach protected pages they are not authorized to view.
  • This can lead to viewing sensitive information or using functions the visitor should not have access to.
  • OWASP lists scenarios demonstrating access control weaknesses.
  • Scenario 1: The application uses unverified data in a SQL call that fetches account information. An attacker can modify the account parameter to read any user’s account.
  • Scenario 2: An attacker force-browses to target URLs. If an unauthenticated user can access either page, or a non-admin user can access the admin page, it’s a flaw.
  • Essentially, broken access control lets attackers bypass authorization, view sensitive data, or perform tasks as a privileged user.

Task 18 [Severity 5] Broken Access Control (IDOR Challenge)

  • IDOR (Insecure Direct Object Reference) is an access control vulnerability.
  • It allows unauthorized access to resources when user-supplied input (such as an object identifier) is used to look up a resource without checking that the requester is allowed to see it.
  • If that check is missing, changing the “account_number” parameter can provide access to other users’ data.

Look at other users’ notes. What is the flag?

Change the note value to 0.

ans: flag{fivefourthree}
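The failure in Tasks 17 and 18 is the same one: a lookup that trusts a user-supplied identifier and never asks whether the requester owns the object. Below is an added example (not code from the room or from this write-up) using an in-memory SQLite notes table with constructed rows. It shows the vulnerable lookup, the same lookup with an object-level ownership check, and a small detection helper that flags a user who is reading notes they do not own. The table layout, user names, note bodies and log lines are all assumptions made up for the example.

```python
import sqlite3

# Constructed sample rows standing in for the challenge's notes table.
SAMPLE_NOTES = [
    (0, "admin", "admin-only note (constructed sample)"),
    (1, "alice", "alice's shopping list"),
    (2, "bob", "bob's meeting reminder"),
]


def build_db():
    """Create an in-memory notes table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (note_id INTEGER PRIMARY KEY, owner TEXT NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?)", SAMPLE_NOTES)
    conn.commit()
    return conn


def get_note_vulnerable(conn, session_user, note_id):
    """IDOR: the caller is authenticated, but the query never compares the note's owner
    with session_user, so anyone who edits the note_id parameter reads any note."""
    # session_user is known here but deliberately unused: that is the bug.
    row = conn.execute("SELECT body FROM notes WHERE note_id = ?", (note_id,)).fetchone()
    return row[0] if row else None


def get_note_safe(conn, session_user, note_id):
    """Object-level authorization: the row must exist AND belong to the logged-in user.
    The parameterized query also keeps the identifier out of the SQL text itself."""
    row = conn.execute(
        "SELECT body FROM notes WHERE note_id = ? AND owner = ?",
        (note_id, session_user),
    ).fetchone()
    # Return the same result for "not found" and "not yours" so ids cannot be enumerated.
    return row[0] if row else None


def detect_idor_probe(log_lines):
    """Detection side: for each user, list the note ids they fetched successfully but do not
    own. Input is constructed access-log lines of the form 'user note_id status'."""
    owners = {note_id: owner for note_id, owner, _ in SAMPLE_NOTES}
    suspicious = {}
    for line in log_lines:
        user, note_id, status = line.split()
        if status == "200" and owners.get(int(note_id)) != user:
            suspicious.setdefault(user, set()).add(int(note_id))
    return {user: sorted(ids) for user, ids in suspicious.items()}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", get_note_vulnerable(db, "alice", 0))  # leaks admin's note
    print("safe:      ", get_note_safe(db, "alice", 0))        # None
    print("probe:     ", detect_idor_probe(["alice 1 200", "alice 0 200", "alice 2 200"]))
```

The fix is the extra `AND owner = ?` predicate (or an equivalent check in the handler), applied on every object lookup rather than only on the page that lists a user's own notes.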

Task 19 [Severity 6] Security Misconfiguration

  • Security misconfigurations occur when security could have been correctly configured but was not.
  • Examples include poorly configured permissions, unnecessary enabled features, default accounts with unchanged passwords, overly detailed error messages, and misuse of HTTP security headers.
  • Default passwords are a specific example of a security misconfiguration and are common in embedded and Internet of Things devices.
  • The Mirai malware attack in 2016, which took many large websites offline, exploited default passwords to take over systems.

Hack into the webapp, and find the flag!

When I searched for the Pensive app I reached its GitHub page, where I read the README file; it contained the default credentials. I tried logging in with them and boom!! I got my flag.

Ans: thm{4b9513968fd564a87b28aa1f9d672e17}
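Every item in the misconfiguration list above (default accounts, verbose errors, unnecessary features, misused headers) can be checked mechanically before a deployment goes live. The following is an added example, not code from the room or this write-up: a small audit function over a deployment configuration dictionary. The dictionary layout, the list of factory-default credential pairs and the two sample configs are assumptions constructed for the example.

```python
# Constructed list of factory-default credential pairs; a real check would load a
# maintained list (assumption for this example).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
}

# Headers whose absence the audit reports (a minimal set, assumed for the example).
REQUIRED_HEADERS = {
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
}


def audit_config(config):
    """Return a list of human-readable findings for one deployment config.

    Assumed keys: accounts (list of (user, password)), debug (bool),
    directory_listing (bool), response_headers (dict)."""
    findings = []

    # Default accounts with unchanged passwords (the Mirai-style failure).
    for user, password in config.get("accounts", []):
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"account '{user}' still uses a factory-default password")

    # Overly detailed error messages usually come from a debug switch left on.
    if config.get("debug", False):
        findings.append("debug mode enabled: stack traces and internals reach the client")

    # Unnecessary feature: directory listing exposes the file layout.
    if config.get("directory_listing", False):
        findings.append("directory listing enabled: unnecessary feature exposes file layout")

    # Missing and misused HTTP security headers.
    headers = config.get("response_headers", {})
    for name in sorted(REQUIRED_HEADERS - set(headers)):
        findings.append(f"missing security header: {name}")
    if headers.get("X-Frame-Options", "").upper() not in ("", "DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options has an invalid value (misused header)")

    return findings


# Constructed sample: a weak deployment and a hardened one.
WEAK_CONFIG = {
    "accounts": [("admin", "admin"), ("ops", "Tr0ub4dor&3-constructed")],
    "debug": True,
    "directory_listing": True,
    "response_headers": {"X-Frame-Options": "ALLOWALL"},
}

HARDENED_CONFIG = {
    "accounts": [("admin", "correct-horse-battery-staple-constructed")],
    "debug": False,
    "directory_listing": False,
    "response_headers": {
        "Content-Security-Policy": "default-src 'self'",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    },
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit_config(cfg))} finding(s)")
        for f in audit_config(cfg):
            print("  -", f)
```

Running the audit as a CI step (fail the build when the list is non-empty) turns "security could have been configured correctly but was not" into something that is caught before an attacker reads the README.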

Task 20 [Severity 7] Cross-site Scripting

  • Cross-site scripting (XSS) is a web application vulnerability that allows attackers to execute malicious scripts on a victim’s machine, in their browser.
  • XSS occurs when a website includes unsanitized user input in its output.
  • XSS is possible in JavaScript, VBScript, Flash, and CSS.
  • Types of XSS: Stored, Reflected, and DOM-Based.
  • Stored XSS: The malicious string originates from the website’s database, usually because unsanitized user input was saved and is later shown to other users.
  • Reflected XSS: The malicious payload is part of the victim’s request to the website, and the website includes this payload in its response.
  • DOM-Based XSS: The DOM (Document Object Model) is the structure, style, and content of HTML and XML documents; DOM-based XSS exploits client-side script that writes untrusted input into that document.
  • Common XSS payloads: popups, writing HTML, XSS keyloggers, and port scanning.
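Both the stored and reflected variants above come down to the same rendering mistake: untrusted text is placed into HTML without encoding for the context it lands in. The following is an added example, not code from the room or this write-up, written in Python with the standard `html.escape`. It renders a constructed list of stored comments unsafely and safely, shows the reflected case of a search term echoed into an attribute value, and includes a crude regression check. The comment strings and markup are assumptions made for the example.

```python
import html

# Constructed stored comments; the second one carries a script tag.
STORED_COMMENTS = [
    "Great article!",
    "<script>alert(1)</script>",
]


def render_comments_unsafe(comments):
    """Stored XSS: database content is dropped into the HTML body verbatim."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f"<ul>{items}</ul>"


def render_comments_safe(comments):
    """Output encoding for the HTML body context: <, >, &, and quotes become entities,
    so the browser displays the text instead of parsing it as markup."""
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f"<ul>{items}</ul>"


def render_search_safe(query):
    """Reflected case: the request parameter is echoed back inside an attribute value.
    The attribute must be quoted AND the value escaped with quote=True; escaping
    only < and > would not stop a value from closing the attribute early."""
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def contains_raw_script(rendered):
    """Regression check for templates: no literal <script tag may survive rendering."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_comments_unsafe(STORED_COMMENTS))  # script tag reaches the browser
    print(render_comments_safe(STORED_COMMENTS))    # displayed as text
    print(render_search_safe('a"b'))
```

Escaping must happen at output time, per context (HTML body, attribute, JavaScript string, URL); sanitizing at input time alone cannot know where the text will later be rendered, which is why templating engines default to auto-escaping.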

Task 23 [Severity 8] Insecure Deserialization — Deserialization

  • Serialization is the process of converting complex objects into a simpler, compatible format for transmission or storage.
  • Deserialization is the reverse process, converting serialized data back into its complex form.
  • Insecure deserialization occurs when unfiltered or unvalidated data from an untrusted source is deserialized and executed.
  • An example is a password “password123” being converted to binary for transmission, then being deserialized back to “password123” for storage.
  • If the system does not filter or validate this input, it can lead to security vulnerabilities.
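The "password123" round trip above is harmless only if the deserializer cannot be made to do more than rebuild a string. The following is an added example, not code from the room or this write-up, in Python: a restricted unpickler that refuses to resolve any global (so a pickle of a plain string or dictionary loads, but one that reconstructs an arbitrary class or callable is rejected), next to the safer JSON round trip with a type check before use. The sample payloads are constructed for the example; the restricted-unpickler pattern follows the one in the Python `pickle` documentation.

```python
import collections
import io
import json
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global during unpickling. Rebuilding a str, int, list or
    dict never calls find_class; rebuilding an arbitrary object or callable does."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data):
    """Deserialize untrusted pickle bytes with globals disabled."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify_pickle(data):
    """'plain' if the bytes load under the restricted unpickler, 'rejected' otherwise."""
    try:
        restricted_loads(data)
        return "plain"
    except pickle.UnpicklingError:
        return "rejected"


def round_trip_json(value):
    """Safer transport for simple values: JSON cannot express code, and the loaded
    value is type-checked before the application uses it."""
    wire = json.dumps(value).encode()      # serialize for transmission
    loaded = json.loads(wire)              # deserialize on the receiving side
    if not isinstance(loaded, str):
        raise ValueError("expected a string")
    return loaded


# Constructed sample payloads.
PLAIN_PICKLE = pickle.dumps({"user": "alice", "password": "password123"})
GLOBAL_PICKLE = pickle.dumps(collections.OrderedDict())  # needs collections.OrderedDict


if __name__ == "__main__":
    print(round_trip_json("password123"))
    print(restricted_loads(pickle.dumps("password123")))
    print(classify_pickle(PLAIN_PICKLE), classify_pickle(GLOBAL_PICKLE))
```

The practical rule: never unpickle data that crossed a trust boundary; where a binary format is unavoidable, constrain what the deserializer may construct and validate the result's type and fields before acting on it.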
