Alright then, we’re half way through OWASP 10 and I would like to take a break. Let’s talk about different kinds of pentest. What if I tell you that you can penteset … a person? Wait, what? Let’s take a look.
XML is a very good way to store and to organize data, and XXE vulnerability takes advantage of XML parsers not data itself. It works like every other injection, but has its own features. Overall in my opinion, it’s little more complex than any other injection around.
In the last article I suggested that my reader knows how SQL works in detail, as well as the mechanism of the HTTP protocol . But usually it’s not the case. And I immediately remembered the story described in one of my favorite books «Suspicious minds: Why we believe conspiracy theories» by Rob Brotherton. It describes the following experiment – psychologist Rebecca Lawson asked the group of test subjects if they ride a bicycle in their lives at least once? The majority replied positively. Then she asked if they knew how the bicycle works. There were little less positive answers, but still the vast majority. And then she proposed the following image and asked to finish the picture so it would be possible to ride this bicycle.
And then the most amazing thing happened – more than half of people could not do it. This deceptively simple task shows that most people have no idea how the bicycle works. But the most interesting thing is that they do not understand that they do not know it, and begin to understand it only at the moment when they have to demonstrate this knowledge.
It’s pretty much the same thing with HTTP and SQL. More than 90% IT specialists wrote SQL requests at least once in the lab or university. People work with HTTP every day as regular users, and as IT professionals they occasionally configure web servers that actually works with HTTP. But when one has to answer a specific question … well, you’ve got the idea.
The vulnerability description is one thing, but trying to find a vulnerability and deal with it is a whole different matter. There are dozens, if not hundreds, special deliberately vulnerable web applications. If you search for “Purposely Vulnerable App» in you favorite search engine, you will find more than a dozen links.
In the following series of articles we will learn about vulnerabilities in OWASP Top 10, and as a polygon I will also use such deliberately vulnerable application. In my case it will be OWASP Mutillidae II. It’s not the best option out there, but the vulnerabilities are structured exactly as we need for educational purposes. Plus I’m very used to it.
HTTP for the win!
About 10 years ago a very observant man formulated a new mantra – HTTP Is new TCP. Say what? Of course, not in the sense that the man decided to put HTTP to the transport level. No way! The key here is that in modern communications HTTP performs the same function as TCP on its level in vast majority of modern applications, including mobile apps, that use HTTP as a transport. And with rise of HTTP 2.0 this situation will not change in nearest future. The protocol has become a content delivery standard de facto, and HTTP is no longer viewed as a web protocol.
One of Us
So you’ve forgot your password. Congratulations! There’s nothing wrong with it and it happens way more often than you think. Of course, you could take care of everything in advance and set up one of the password managers so it could do everything for you, but you’re too busy for this, right?
I use Lastpass for many years now, but regularly I have to create temporary passwords for lab virtual machines, lab routers or even applications that I do not plan to use later anyway.
Well, it looks like we don’t have a choice here – let’s guess or simply crack our own password.