WASCaseStudy1

Group Name

AWASP

Group Members

  • Muhammad Azhad (2015905)

  • Qoys Al Hanif (2016863)

  • Saufi (2018781)

Assigned Tasks

  • Muhammad Azhad (2015905)

    • Server OS and Server-Side Scripting used
    • Hash Disclosure
    • CSRF (Cross-Site Request Forgery)
    • Secured Cookies
  • Qoys Al Hanif (2016863)

    • CSP
    • JS Library
    • HTTPS implementation (TLS/SSL)
  • Saufi (2018781)

    • Cookie Poisoning
    • Potential XSS
    • Information Disclosure

Table of Contents

Description of Case Study

The Malaysia Board of Technology (MBOT) website, located at https://www.mbot.org.my, is the designated web application. In this case study, our team will use OWASP ZAP to manually and automatically scan the website in order to find any vulnerabilities in the web application. The vast number of webpages on the site means that we will primarily be concentrating on automated scanning. The table of contents lists the alerts that were observed. We will also indicate the level of risk associated with each alert and provide further details regarding the threat classification (CWE or CVE).

Observation Result

  • (screenshot: Screenshot 2024-05-13 at 8 22 43 PM)

Muhammad Azhad (2015905)

1. Server OS and Server-Side Scripting

2. Hash Disclosure

3. CSRF (Cross-Site Request Forgery)

  • No alert for this category

4. Secured Cookies

  • Cookie with Samesite Attribute None

    • Identify:
    • Evaluate:
      • A cookie has been set with its SameSite attribute set to "none", which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.
    • Prevention:
      • Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
    • Reference
  • Cookie without Samesite Attribute

    • Identify:
    • Evaluate:
      • A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.
    • Prevention:
      • Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.
    • References
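As an added example (not part of the original case study), the following Python mimics the two ZAP passive checks quoted above over constructed Set-Cookie headers and shows a small builder that emits the recommended attributes. The sample headers, the function names and the extra Secure-flag check are my own assumptions, not ZAP's code.

```python
import re

# Constructed sample Set-Cookie headers (not captured from the scanned site).
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "tracker=xyz; Path=/; Secure; SameSite=None",
    "lang=en-US; Path=/",
]


def samesite_of(header):
    """Return the SameSite value of one Set-Cookie header (lower-cased), or None if absent."""
    m = re.search(r";\s*SameSite=([^;\s]+)", header, re.IGNORECASE)
    return m.group(1).lower() if m else None


def audit_set_cookie(header):
    """Apply the two SameSite alerts from the case study plus a Secure-flag check
    to one Set-Cookie header. Returns a list of finding strings (empty == no alert)."""
    findings = []
    name = header.split("=", 1)[0].strip()
    value = samesite_of(header)
    if value is None:
        findings.append(f"{name}: Cookie without SameSite Attribute")
    elif value == "none":
        findings.append(f"{name}: Cookie with SameSite Attribute None")
    if not re.search(r";\s*Secure(;|$)", header, re.IGNORECASE):
        findings.append(f"{name}: Cookie without Secure flag")
    return findings


def build_set_cookie(name, value, samesite="Strict", secure=True, httponly=True, path="/"):
    """Build a hardened Set-Cookie header value. SameSite=None is only honoured by
    browsers together with Secure, so that combination is rejected up front."""
    if samesite not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    if samesite == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure attribute")
    parts = [f"{name}={value}", f"Path={path}"]
    if httponly:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE_HEADERS:
        print(h, "->", audit_set_cookie(h) or "OK")
    print(build_set_cookie("session", "abc123"))
```

Running the script prints one line per sample header with its findings; only the first header passes cleanly.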

Qoys Al Hanif (2016863)

5. Content Security Policy (CSP)

  • Identify:

    • Risk level: medium

    • Confidence: high

    • CWE ID: 693

    • Content Security Policy (CSP) Header Not Set in 553 files

    • (screenshot)

    • One of them is the main file: https://www.mbot.org.my/

    • (screenshot)

    • Without a CSP, a script that an attacker manages to inject into a page is executed by the browsers of other users who view that page, just like the legitimate scripts referenced in its script tags. This is why a CSP usually disallows inline JavaScript within HTML/PHP output.

  • Evaluate:

    Content Security Policy (CSP) acts as a robust security tool that helps websites detect and prevent various threats, such as Cross-Site Scripting (XSS) attacks and data injection vulnerabilities. Essentially, CSP serves as a protective barrier for websites, identifying and blocking potentially harmful content. For example, in XSS attacks, hackers exploit the trustworthiness of websites to insert malicious code, which browsers then unwittingly execute alongside legitimate content from trusted sources.

    CWE-693, known as "protection mechanism failure," refers to situations where a web application either lacks or inadequately implements protective measures against targeted attacks. This failure can occur in three different scenarios: a "missing" protection mechanism indicates a complete absence of defenses against specific attack methods, an "insufficient" mechanism provides only partial protection against common threats, leaving vulnerabilities, and an "ignored" mechanism implies that although the protective measure exists, developers have not applied it in certain parts of the codebase.

  • Prevent:

    • Configure the webserver to return the Content-Security-Policy HTTP Header with values controlling which resources the browser can load for the page
    • Writing JavaScript and CSS with CSP in mind
      • Inline code is a major injection vector: because it executes in the context of the page, the browser cannot distinguish injected inline code from the developer's own. When CSP is enabled it blocks all inline code by default, which means no inline styles or scripts, including inline event handlers and javascript: URLs. Any new code should therefore follow this practice and use only external script and style files.
    • Page-level CSP directives
      • Use the sandbox directive to treat the page as if it were inside a sandboxed iframe. To increase security on older websites with many legacy HTTP pages, use the upgrade-insecure-requests directive, which instructs user agents to rewrite HTTP URLs to HTTPS before fetching them; this is useful while the site still contains many HTTP URLs.

References:

6. JavaScript Libraries

  • Identify:

  • Evaluate:

    A JS library that is missing security patches can make the website extremely vulnerable to various attacks. Third-party JS libraries can draw a variety of DOM-based vulnerabilities, including DOM-XSS, which can be exploited to hijack user accounts. Popular JS libraries typically have the advantage of being heavily audited. This also means that the flaws are quickly recognized and patched, resulting in a steady stream of security updates. Using a library with missing security patches can make the website exceptionally easy to abuse, making it crucial to ensure that any available security updates are to be applied immediately.

    Related:

    • CVE-2019-8331: In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
    • CVE-2022-24785: Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale.
    • CVE-2020-11023: In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
    • CVE-2020-11022: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
    • CVE-2015-9251: jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
    • CVSS score: 4.3
    • This vulnerability is related to cross-site scripting.
  • Prevent:

    • Upgrade to the latest version of bootstrap, moment.js, and jquery.
    • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
    • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
    • For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602 (Client-Side Enforcement of Server-Side Security). Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
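As an added example (not code from the case study or from ZAP), the following Python scans a constructed HTML fragment for external script tags, extracts library names and versions, and flags versions that fall inside the affected ranges stated in the CVE notes above. The sample HTML, the path patterns recognised and the helper names are assumptions; the affected ranges are taken from the CVE descriptions listed in this section.

```python
import re

# Constructed HTML fragment (not captured from the scanned site) with the
# kinds of <script> tags a page using these libraries typically carries.
SAMPLE_HTML = """
<script src="/js/jquery-1.12.4.min.js"></script>
<script src="https://cdn.example.invalid/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src="/js/moment-2.29.4.min.js"></script>
<script src="/js/app.js"></script>
"""


def parse_version(text):
    """'1.12.4' -> (1, 12, 4); missing components are padded with zeros so
    that '3.5' compares as 3.5.0 rather than as older than 3.5.0."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


# Affected ranges as stated in the CVE notes above; a library is flagged when
# its version falls inside one of them.
VULNERABLE = {
    # CVE-2020-11022 / CVE-2020-11023: before 3.5.0 (this also covers CVE-2015-9251, before 3.0.0)
    "jquery": lambda v: v < (3, 5, 0),
    # CVE-2019-8331: before 3.4.1, and 4.3.x before 4.3.1
    "bootstrap": lambda v: v < (3, 4, 1) or (4, 3, 0) <= v < (4, 3, 1),
    # CVE-2022-24785: versions 1.0.1 through 2.29.1
    "moment": lambda v: (1, 0, 1) <= v <= (2, 29, 1),
}

SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)
# Library name followed by a version, either in the file name (jquery-1.12.4)
# or in a path segment (bootstrap/3.3.7/).
LIB_VERSION_RE = re.compile(r"(jquery|bootstrap|moment)[-/.]?v?(\d+(?:\.\d+){1,2})", re.I)


def scan_script_tags(html):
    """Return one record per external script: which library it is (if any),
    the version found and whether that version is in a known-vulnerable range."""
    records = []
    for src in SCRIPT_SRC_RE.findall(html):
        m = LIB_VERSION_RE.search(src)
        if not m:
            records.append({"src": src, "library": None, "version": None, "vulnerable": False})
            continue
        lib = m.group(1).lower()
        version = parse_version(m.group(2))
        records.append({"src": src, "library": lib, "version": version,
                        "vulnerable": VULNERABLE[lib](version)})
    return records


def vulnerable_libraries(html):
    """Names of the libraries whose included version is in a vulnerable range."""
    return [r["library"] for r in scan_script_tags(html) if r["vulnerable"]]


if __name__ == "__main__":
    for record in scan_script_tags(SAMPLE_HTML):
        print(record)
```

A version that cannot be read from the URL (app.js above) is reported with library None rather than silently skipped, so such scripts can be checked by hand.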

References:

7. HTTPS implementation (TLS/SSL)

  • Identify:

    • No alert was found in OWASP ZAP, so no risk level or CWE ID can be identified.
  • Evaluate:

    • Not applicable: the website already uses HTTPS, as can be seen from its URL.
  • Prevent:

    • Not applicable for this website. In general, the fix for this alert is to ensure that the web server, application server, load balancer, etc. are configured to serve such content only via HTTPS, and to consider implementing HTTP Strict Transport Security.

Saufi (2018781)

8. Cookie Poisoning

  • Identify: Reliance on Cookies without Validation and Integrity Checking

  • Evaluate:

    When carrying out security-critical tasks, the website depends on the usage or values of cookies, but it does not appropriately verify that the setting is valid for the corresponding user. Attackers may modify cookies by executing client-side code outside of the browser or from within the browser. If cookies are used without thorough validation and integrity testing, attackers may be able to perform injection attacks like SQL injection and cross-site scripting, bypass authentication, and alter inputs in other unanticipated ways.

    In this case, an attacker may be able to poison cookie values through POST parameters. To test whether this is a more serious issue, try resending the request as a GET, with the POST parameter included as a query-string parameter.

  • Prevent:

    • Do not allow user input to control cookie names and values. Ensure that semicolons, which can function as name/value pair delimiters, are filtered out if any query string parameters need to be placed in cookie values.
    • Limit multipurpose cookies: restricting each cookie to a single purpose is crucial, since multipurpose cookies pose many security risks.
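As an added example (not part of the case study), the following Python shows the integrity check that the CWE description above says is missing: cookie claims are signed with an HMAC before they are set and the tag is verified before the claims are trusted, and a separate filter rejects the delimiter characters that the first prevention point mentions. The secret, the claim names and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumed server-side secret; a real deployment loads it from configuration,
# never from source code.
SECRET_KEY = b"constructed-demo-secret"


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(claims: dict) -> str:
    """Serialise the claims and append an HMAC-SHA256 tag: '<payload>.<tag>'."""
    payload = _b64encode(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(value: str):
    """Return the claims if the tag is valid, otherwise None. The tag is checked
    (in constant time) before the payload is parsed, so a tampered body is never
    decoded or acted upon."""
    payload, sep, tag = value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(_b64decode(payload))
    except ValueError:  # covers base64 and JSON decoding errors
        return None


def safe_cookie_value(text: str) -> str:
    """Reject characters that would let a query-string value rewrite the
    Set-Cookie header: ';' delimits attributes, ',' separates cookies in some
    parsers, and spaces, quotes, backslashes and control characters are not
    valid inside a cookie-value."""
    for ch in text:
        if ch in ';,"\\' or not 0x21 <= ord(ch) <= 0x7E:
            raise ValueError(f"unsafe character {ch!r} in cookie value")
    return text


if __name__ == "__main__":
    cookie = sign_cookie({"uid": 42, "role": "user"})
    print("set:", cookie)
    print("verified:", verify_cookie(cookie))
    # A forged payload carrying the old tag does not verify.
    forged = sign_cookie({"uid": 42, "role": "admin"}).split(".")[0] + "." + cookie.split(".")[1]
    print("forged verifies as:", verify_cookie(forged))
```

Signing gives integrity, not confidentiality: the claims are only base64-encoded, so nothing secret belongs in them. Session data that must stay hidden should be kept server side and referenced by an opaque identifier instead.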

References:

9. Potential XSS (Cross-Site Scripting)

  • Identify: Protection Mechanism Failure

    • CWE ID: 693
    • Risk: Medium
    • Source: Passive (10038 - Content Security Policy (CSP) Header Not Set)
    • Content Security Policy (CSP) was not set for https://www.mbot.org.my/mbot.com
  • Evaluate:

    The website does not provide a protection mechanism, or uses one improperly, which leaves it vulnerable to directed attacks. In this case the missing mechanism is the Content Security Policy (CSP) header. CSP is an extra security layer that helps in the identification and prevention of specific attack types, such as data injection and Cross-Site Scripting (XSS) attacks. Such attacks are used for a variety of purposes, including malware distribution, site defacement, and data theft. With the help of a set of standard HTTP headers called CSP, website owners can specify which content sources (JavaScript, CSS, HTML frames, fonts, images, and embeddable objects such as Java applets, ActiveX, audio, and video files) browsers are permitted to load on their page.

Related Attack Patterns: (screenshot)

  • Prevent:

    • Make sure that the Content-Security-Policy header is set on the web server, application server, load balancer, etc. through configuration. Alternatively, the meta element can be used to configure a policy. (screenshot)
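As an added example serving both the CSP section (5) above and this one, the following Python reproduces the "header not set" check from the ZAP alert, adds three policy-quality checks, and builds the kind of nonce-based policy the prevention notes describe (no inline code except scripts carrying the per-response nonce, and HTTP subresources upgraded). The sample headers, the helper names and the choice of checks are my own assumptions, not ZAP's implementation.

```python
import secrets


def parse_csp(value):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_csp(response_headers):
    """Apply the header-presence check from the ZAP alert plus three policy
    checks to a dict of response headers; an empty list means nothing was found."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    value = lowered.get("content-security-policy")
    if value is None:
        return ["Content Security Policy (CSP) Header Not Set"]
    policy = parse_csp(value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: resource types without their own directive are unrestricted")
    script_src = policy.get("script-src", policy.get("default-src", []))
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in script_src)
    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': injected inline scripts would execute")
    if "*" in script_src:
        findings.append("script-src allows *: scripts can be loaded from any origin")
    return findings


def build_csp(nonce):
    """A policy matching the prevention advice: only same-origin resources, no
    inline code except scripts carrying this response's nonce, plugins blocked,
    and legacy http:// subresource URLs upgraded to https://."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "style-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "upgrade-insecure-requests",
    ])


def render_page(nonce):
    """Page body delivered with build_csp(nonce), here via the meta element the
    prevention note mentions. The inline script runs only because it carries the
    nonce; an injected <script> without it is blocked by the browser."""
    return (f'<meta http-equiv="Content-Security-Policy" content="{build_csp(nonce)}">\n'
            f'<script nonce="{nonce}">initPage();</script>')


# Constructed response headers to audit (not captured from the scanned site).
NO_CSP_HEADERS = {"Content-Type": "text/html"}
WEAK_CSP_HEADERS = {"Content-Type": "text/html",
                    "Content-Security-Policy": "script-src * 'unsafe-inline'"}

if __name__ == "__main__":
    nonce = secrets.token_urlsafe(16)  # fresh per response, never reused
    strict = {"Content-Security-Policy": build_csp(nonce)}
    for label, headers in [("none", NO_CSP_HEADERS), ("weak", WEAK_CSP_HEADERS), ("strict", strict)]:
        print(label, "->", audit_csp(headers) or "OK")
    print(render_page(nonce))
```

The nonce must be generated freshly for every response; a static nonce is equivalent to 'unsafe-inline'.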

References:

  • https://cwe.mitre.org/data/definitions/693.html

  • https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Introducing_Content_Security_Policy

  • Identify: Improper Input Validation

  • Evaluate:

    When the web server receives input or data, it either fails to validate it or validates it improperly, so it cannot be sure that the input has the properties required to process it safely and correctly.

    A commonly used method for ensuring that potentially hazardous inputs are safe for processing within the code or for connecting with other components is input validation. An attacker can manipulate input into a format that is not anticipated by the rest of the program when software fails to properly validate input. Unintended input will enter the system as a result, changing control flow, allowing arbitrary control over resources, or causing arbitrary code execution.

    In this case, ZAP examined user-supplied input in query string parameters and POST data to identify where certain HTML attribute values might be controlled by it. This provides hot-spot detection for XSS (cross-site scripting) that will require further review by a security analyst to determine exploitability; injecting special characters might be possible. The page at the following URL: https://www.mbot.org.my/registration/mbot-professional-member appears to include user input in:

    a(n) [input] tag [value] attribute

    The user input found was: lng=en-US

  • Prevent:

    • Validate all input and encode output before writing it to any HTML attribute.
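As an added example (not part of the case study), the following Python models the finding above: the lng query-string parameter is written into an input tag's value attribute. It shows the unencoded rendering beside the fixed one, which applies both layers from the prevention note (allow-list validation of the locale, then attribute-context output encoding). The allowed-locale set, the probe string and the helper names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Locales the registration page is assumed to support; anything else falls
# back to the default instead of being echoed into the page.
ALLOWED_LOCALES = {"en-US", "ms-MY"}
DEFAULT_LOCALE = "en-US"


def lng_from_url(url):
    """Extract the lng query-string parameter (the user input the alert names)."""
    return parse_qs(urlsplit(url).query).get("lng", [DEFAULT_LOCALE])[0]


def validate_locale(lng):
    """Allow-list validation: input not in the known set is replaced, not echoed."""
    return lng if lng in ALLOWED_LOCALES else DEFAULT_LOCALE


def render_lng_input_unsafe(lng):
    """The pattern the alert describes: user input written straight into a
    value attribute. A double quote in the input ends the attribute early."""
    return f'<input type="hidden" name="lng" value="{lng}">'


def render_lng_input_safe(lng):
    """Output encoding for the attribute context: quote=True turns '"' into
    &quot; so the value can never close the attribute or start a new tag."""
    return f'<input type="hidden" name="lng" value="{html.escape(lng, quote=True)}">'


def render_from_url(url):
    """Validate, then encode: both layers together, as the prevention note says."""
    return render_lng_input_safe(validate_locale(lng_from_url(url)))


def attribute_breaks_out(rendered):
    """Crude check used only to show the difference between the two renderers:
    does the markup contain more than the single expected tag?"""
    return rendered.count("<") > 1


# Constructed probe: a locale string carrying a quote and angle brackets.
PROBE = 'en-US"><probe>'

if __name__ == "__main__":
    print("unsafe:", render_lng_input_unsafe(PROBE))
    print("encoded:", render_lng_input_safe(PROBE))
    print("validated + encoded:", render_from_url("https://example.invalid/?lng=en-US%22%3E%3Cprobe%3E"))
```

Encoding alone is enough to keep the attribute intact; validation on top of it keeps unexpected values out of the application logic entirely, which is why the prevention note asks for both.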

References:

10. Information disclosure

  • Identify: Exposure of Sensitive Information to an Unauthorized Actor

    • CWE ID: 200
    • WASC ID: 13 (information leakage)
    • Risk: low
    • Source: Passive (10027 - Information Disclosure - Suspicious Comments)
    • The response appears to contain suspicious comments which may help an attacker.
  • Evaluate:

    Exposure of sensitive information to an unauthorized actor means that a user of the web server can access sensitive information without having been granted express authorization to do so. Errors can take many different forms and can lead to information exposures. Depending on the environment in which the product functions, the kind of private information that is disclosed, and the advantages it can offer an attacker, the severity of the error can differ significantly.

    Some kinds of sensitive information include:

    • private, personal information, such as personal messages, financial data, health records, geographic location, or contact details
    • system status and environment, such as the operating system and installed packages
    • business secrets and intellectual property
    • network status and configuration
    • the product's own code or internal state
    • metadata, e.g. logging of connections or message headers
    • indirect information, such as a discrepancy between two internal operations that can be observed by an outsider

    In this case, the response appears to contain suspicious comments which may help an attacker. The pattern \bBUG\b was used and was detected in the element starting with: "<script src="/CMSPages/GetResource.ashx?scriptfile=%7e%2fCMSScripts%2fCustom%2fMBOT%2fie10-viewport-bug-workaround.js" type="tex"; see the evidence field for the suspicious comment/snippet.

  • Related info

    • CWE-200 is commonly misused to represent the loss of confidentiality in a vulnerability, but confidentiality loss is a technical impact, not a root-cause error. As of CWE 4.9, over 400 CWE entries can lead to a loss of confidentiality. (screenshot)
  • Prevent:

    • Remove any comments that reveal information that could aid an attacker, and fix the underlying issues they describe.
    • Disable directory listing to prevent exposure of web site structure and potentially sensitive files
    • Disable error reporting output into the client's browser
    • Use custom error pages that prevent from displaying excessive system information
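As an added example (not part of the case study and not ZAP's implementation), the following Python is a simplified re-creation of the suspicious-comment check: it scans HTML comments, JavaScript comments and script start tags in a constructed response body for the \bBUG\b pattern named in the alert plus a few assumed words, and separates hits inside real comments from hits inside a script element. The evidence quoted above matched the word "bug" in a script file name rather than in a developer comment, and that split is what lets a reviewer triage such a hit quickly. The word list beyond BUG, the case-insensitive matching and the sample body are assumptions.

```python
import re

# \bBUG\b is the pattern named in the alert; the other words are assumed
# additions in the same spirit. Matching is case-insensitive (assumed).
SUSPICIOUS_WORDS = ["BUG", "TODO", "FIXME", "HACK", "DEBUG"]

# HTML comments, JavaScript block comments, JavaScript line comments (a '//'
# preceded by ':' is treated as part of a URL, not a comment) and <script>
# start tags, which the evidence quoted in the alert shows are also inspected.
TOKEN_RE = re.compile(
    r"<!--.*?-->|/\*.*?\*/|(?<![:\"'])//[^\n]*|<script\b[^>]*>",
    re.S | re.I,
)


def find_suspicious_comments(body):
    """Return one finding per (token, word) hit, in document order."""
    findings = []
    for m in TOKEN_RE.finditer(body):
        text = m.group(0)
        kind = "script-element" if text.lower().startswith("<script") else "comment"
        for word in SUSPICIOUS_WORDS:
            pattern = rf"\b{word}\b"
            if re.search(pattern, text, re.I):
                findings.append({"kind": kind, "pattern": pattern, "evidence": text.strip()[:80]})
    return findings


def triage(findings):
    """Split the hits: words inside real comments deserve a developer's
    attention; a hit inside a <script> tag (typically a file name) is often benign
    and only needs a quick look."""
    comments = [f for f in findings if f["kind"] == "comment"]
    script_hits = [f for f in findings if f["kind"] == "script-element"]
    return comments, script_hits


# Constructed response body (not the scanned site's HTML).
SAMPLE_BODY = """<!DOCTYPE html>
<html><head>
<!-- TODO: remove test endpoint before release -->
<script src="/scripts/ie10-viewport-bug-workaround.js" type="text/javascript"></script>
<script>
// FIXME: reset token is written to the console here
var api = "https://example.invalid/api";
</script>
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    comments, script_hits = triage(find_suspicious_comments(SAMPLE_BODY))
    print("review these comments:")
    for f in comments:
        print("  ", f["pattern"], "->", f["evidence"])
    print("script-element hits (check whether they are just file names):")
    for f in script_hits:
        print("  ", f["pattern"], "->", f["evidence"])
```

The check is a passive one: it reads the body as returned by the server and sends nothing, so it can be run over saved responses from a crawl.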

References:

Weekly Progress

  • (screenshot: Screenshot 2024-05-13 at 2 05 26 PM)
  • (screenshot: Screenshot 2024-05-13 at 2 05 39 PM)
