A5: 2017 – Broken Access Control (Part 1)

Access control is easily confused with authentication. But in fact, access control is about dealing with already authenticated users. «Ok, I see that you’re John123, let’s see where you can go and where you can’t». You might have a decent authentication mechanism, but if access control is broken you can’t really distinct one user from another. Or even worse …


Continue reading “A5: 2017 – Broken Access Control (Part 1)”

A4: 2017 – XML External Entities (XXE)

XML is a very good way to store and to organize data, and XXE vulnerability takes advantage of XML parsers not data itself. It works like every other injection, but has its own features. Overall in my opinion, it’s little more complex than any other injection around.


Continue reading “A4: 2017 – XML External Entities (XXE)”

A3: 2017 – Sensitive Data Exposure

This vulnerability is … well, not a vulnerability in a general sense. It is an application design flaw. It occurs when the developer does not really understand information flows in his application. Or even worse, what data the application is working with and how to protect it.
It’s time to blow dust off your CISSP certificate and remember how much time you spent reading the sections about data classification and access model. Biba, Clark–Wilson, Bell-LaPadula, sounds familiar? Why, of course!


Continue reading “A3: 2017 – Sensitive Data Exposure”

A2: 2017 – Broken authentication and session management (Part 2)

Om nom nom
Do you remember this classic episode where Tom Hiddleston teaches Cookie Monster a lesson in delayed gratification? I’m with Cookie Monster on this – can’t wait, let’s get to cookies right now!


Continue reading “A2: 2017 – Broken authentication and session management (Part 2)”

A2: 2017 – Broken authentication and session management (Part 1)

Let’s move on and look at the next vulnerabilities class, the one with a silver medal. This is A2:2017 – «Broken Authentication and Session Management».
This vulnerability occurs when the user chooses a very strong password, passes it through a secure channel and accesses only the appropriate area of a web site, but it is for nothing, because website logic is broken, and a user session can be intercepted after successful authentication.

Continue reading “A2: 2017 – Broken authentication and session management (Part 1)”

A1: 2017 – Injections (Part 3)

In my favorite computer game «Quest for Glory 2: Trial by Fire», when the world is once again on a brink of destruction, our hero gets to the Wizard’s Institute of Technocery. After successfully passing the exams wise magicians offer you to enter this University because, having finished it, our hero will understand all subtleties of magic, study all the possible spells and then save all his friends and the whole world. The problem is that the study will take about 15-20 years, and during this time forces of evil will win once and for all.
I recall this episode each time when I have another thick book or pile of whitepapers in front of me. There are tons of books about time management, but for me it all boils down to the simple formula: get used with the basics, study a lot of examples and automate everything else.

Continue reading “A1: 2017 – Injections (Part 3)”

A1: 2017 – Injections (Part 2)

Bicycle syndrome
In the last article I suggested that my reader knows how SQL works in detail, as well as the mechanism of the HTTP protocol . But usually it’s not the case. And I immediately remembered the story described in one of my favorite books «Suspicious minds: Why we believe conspiracy theories» by Rob Brotherton. It describes the following experiment –  psychologist Rebecca Lawson asked the group of test subjects if they ride a bicycle in their lives at least once? The majority replied positively. Then she asked if they knew how the bicycle works. There were little less positive answers, but still the vast majority. And then she proposed the following image and asked to finish the picture so it would be possible to ride this bicycle.


And then the most amazing thing happened – more than half of people could not do it. This deceptively simple task shows that most people have no idea how the bicycle works. But the most interesting thing is that they do not understand that they do not know it, and begin to understand it only at the moment when they have to demonstrate this knowledge.
It’s pretty much the same thing with HTTP and SQL. More than 90% IT specialists wrote SQL requests at least once in the lab or university. People work with HTTP every day as regular users, and as IT professionals they occasionally configure web servers that actually works with HTTP. But when one has to answer a specific question … well, you’ve got the idea.

Continue reading “A1: 2017 – Injections (Part 2)”

A1: 2017 – Injections (Part 1)

The vulnerability description is one thing, but trying to find a vulnerability and deal with it is a whole different matter. There are dozens, if not hundreds, special deliberately vulnerable web applications. If you search for “Purposely Vulnerable App» in you favorite search engine, you will find more than a dozen links.
In the following series of articles we will learn about vulnerabilities in OWASP Top 10, and as a polygon I will also use such deliberately vulnerable application. In my case it will be OWASP Mutillidae II. It’s not the best option out there, but the vulnerabilities are structured exactly as we need for educational purposes. Plus I’m very used to it.

Continue reading “A1: 2017 – Injections (Part 1)”