In autumn 2017, the OWASP project has published the updated Top 10 list of web apps vulnerabilities. The Top 10 is produced with the goal of empowering webdevs, security testing teams, and web product owners to ensure the apps they build are secure against the most critical flaws. This time, the data for the Top was submitted by 23 contributors covering 114,000 applications of all kinds, which makes the Top 10 impartial source of AppSec information.

As security testing is one of a1qa most in-demand services, we couldn’t pass the Top 10 release by. After analyzing the changes and novelties, we offer you to go through the main changes and learn what they mean in terms of the state of information security.

If you develop apps, ensure their quality, run penetration tests, or own the web app to run business – keep reading.

How has the OWASP Top 10 changed?

In general, OWASP Top 10 has welcomed three novelties and retired two that pose no such a severe threat. Aleksey Abramovich, Head of a1qa Security Testing Department, has commented on the recent changes.

New entries on the Top

XML External Entity, Insecure Deserialization, and Insufficient Logging and Monitoring – are the newcomers to the list.

“Together with the growing complexity of web solutions, there is constant growth in the variety of data and servers that generate it. Nevertheless, it’s not a rare case when new solutions are based on legacy principles that not always go in hand with the best practices. A good and illustrative example is simple server commands to extract critical data. An insecure XML processor may process the command without suspecting an authorized access:

<?xml version=”1.0″ encoding=”ISO-8859-1″?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM “file:///etc/passwd” >]>
<foo>&xxe;</foo>

In such an easy way, the intruder may gain access to the users list. The next possible step is the attempt to dig up passwords and get information from databases to gain control over the app,” comments Aleksey.

Another obvious change that took place since 2013 is the Insecure Direct Object References category merged with Missing Function Level Access Control into Broken Access Control category that occupied the fifth spot in the release version.

“I guess the two itmes have been merged as exploiting any of them the attacker has one goal in mind – gain unauthorized access to the system, private accounts and manipulate the system as desired. That’s why they were merged into one category”, Aleksey assumes.

What vulnerabilities have left the top?

Two of the vulnerbilities – CSRF and Unvalidated Redirects and Forwards – found no place on the list. Based on the OWASP data, they have dropped to the 13th and 25th spots respectively. What does it mean?

“Correct redirects and cross-site scripting plays a very important role when using advertisement, or there are complex, multi domain web sites. Today, online ads are crucial for millions of web businesses. That’s why testing redirects security is vital. The owner of the resource should be sure that the users data will be secured and they won’t get redirected to a maliciously crafted link or third-party web page. Today, the developers take serious measures to make users stay within their domain or redirected correctly.”

Injections are still No.1

Despite the changes mentioned above (three new vulnerabilities and two retirements), some vulnerabilities have stayed on Top 10 since 2010 and for the second year in a row Injection is the Top leader. How comes it that with the development of security practices there are still gaps that can be used by the abusers? Aleksey Abramovich answers the question.

“Since 2013, the security awareness has really got on the rise. Numerous secure coding best practices, data cleansing tools, and web tokens to secure their apps have been introduced. Unfortunately, all this didn’t make the app safer for users and most common security flaws remain the same.

Injection is still ranked No.1 and it’s easy to explain. There are many types of injections, SQL are probably the most common, but all of them are highly destructive, easy to perform, and therefore are responsible for a large number of public disclosures and security breaches.

Any injection attack occurs when unvalidated input comes from outside of the system and is embedded into the input stream. The variety of entry points is huge. Again, this type of attack is rather easy to exploit, it can be done from any kind of query. More often injections are found in legacy code, but at times developers generate them when coding, and the consequences can be very dramatic for the app owner.” 

Penetration testing as a way to identify vulnerabilities

Certainly, the weaknesses on the list are only the most common ones. Secutiy checks should stretch far beyond them. However, checking the app against them is a good way to find the most common flaws that have to be fixed and improve the security of the app.

Will your website pass the OWASP Top 10 test? Order vulnerability scan by a1qa security experts.

For any company data confidentiality is a matter of high importance. Leak of clients’ usernames and passwords or loss of system files may result in great financial expenses and destroy the reputation of the most trustworthy organization. The article by Vadim Kulish, security testing engineer.

Considering all potential risks, companies spend big money to embed latest security technologies to prevent unauthorized access to the valuable data.

But have you ever given a thought that besides sophisticated hacking attacks there are simple ways to uncover the files that weren’t effectively protected. In this article we’ll focus on Google search operators that can be used to get more specific search results or to detect sensitive information.

Let’s start from the beginning.

One can hardly imagine Internet surfing without search systems as Google, Bing and others alike. Search engines index vast amount of web pages to make them available for surfing.

Google search operators

When you search in Google, you can include search operators in the entry field to narrow or broaden your search. The most commonly used of them are the following:

* site: returns results from certain sites or domains

E.g.: If you enter site:example.com you’ll get all info in Google related to the example.com website.

* filetype: searches for exact file type

E.g.: The entry filetype:php site:example.com will provide you with the list of php-files from the website example.com.

* inurl: searches for specific text in the indexed URL

E.g.: The entry site:example.com inurl:admin will search for the administration panel on the website.

* intitle: searches for query terms in the page’s title

E.g.: The entry example.com intitle:”Index of” will return documents from the website example.com that mention the word “index of” in their titles.

* cache: searches in Google cache

E.g.: cache:example.com will show Google’s cached version of the page instead of the current one.

Unfortunately, web crawlers are not able to determine the type and degree of information confidentiality. Therefore, they equally treat blog articles, which are published for wide audience, and database backup copy stored in the web server root directory and not intended for third parties view.

Thanks to this feature and using the search operators, hackers manage to detect vulnerabilities of web resources, information leaks (backup copies and text of the web applications errors), hidden resources, such as opened administration panel without authentication and authorization mechanisms embedded.

Types of information that can be detected by search engines and may be potentially interesting to hackers include the following:

* Third-level domains of the explored resource

Third-level domains can be found using the keyword “site:”. For example, the query site:. * example.com will return all domains of the third level of the website example.com. Such requests enable to detect hidden management resources, release management systems, as well as other applications with the web interface.

* Hidden files on a web server

When searching, you may happen to view various parts of the web application. To find them, use the query filetype:php site:example.com. It will return previously unavailable functionality in the application, as well as other information about the app.

* Backup copies

Backup copies may be found with the filetype: keyword. Usually backup copies are stored using the following file extensions: bak, tar.gz, sql. For instance: site:. * example.com filetype:sql. Backup copies often contain logins and passwords of the admin interfaces, as well as user data and source code of your website.

* Errors of the web application

The text of the error may contain various data about the app’s system components (web server, database, web application platform). This information is always very interesting to hackers because it allows to find out more about the target system and to enhance the attack. For instance: site: example.com “warning” “error”.

* Login and password

Web application cracking may reveal big amount of users’ sensitive data. The request filetype:txt “login” “password” will allow you to find files with usernames and passwords. Likewise, you can check whether your email or any account has been hacked. Just make a request filetype:txt “user_name_or_email”.

The combinations of keywords and search strings used to detect confidential information are commonly named Google Dorks.

Google has collected them in the public Google Hacking Database. Now any company representative, whether CEO, a developer or a webmaster, may learn about what type of sensitive data was detected with this or that query. All dorks are broken down by categories to make the search more comfortable.

Google Dorks leaving mark in the history of hacking

Finally, learn about the cases of how Google Dorks helped the attackers to get access to sensitive but poorly protected information:

#1. Leakage of confidential documents on the bank’s website

During the official bank site security analysis a large number of pdf-documents was detected. All documents were found with a query “site:bank-site filetype:pdf“. Interestingly, it turned out that the contents of documents represented plans of the bank branch premises across the country. For sure, that information would be very interesting to bank robbers.

#2. Cardholders’ data search

Very often breaking online stores attackers gain access to the users payment data. To make this info public, violators use public services that are indexed by Google. Sample query: “Card Number” “Expiration Date” “Card Type” filetype:txt.

With all this in mind, we recommend that you check the security of your website to prevent dubious activities related to your resource.

But we advise you to look beyond the basic checks. Address security testing specialists to conduct comprehensive analysis of your software product. After all, it’s better and cheaper to prevent data loss than repair the damage incurred.

Windows 10 is currently considered to be the most protected Windows. This new operating system has a variety of built-in features to protect from viruses, spyware, or malware. All the security tools can be automatically updated and maintain the ability to withdraw the latest threats. Let’s review these tools and their implications for security testers.

Multi-factor authentication

One of the most interesting solutions to ensure the account’s security is the multi-factor authentication. It presupposes that you need to pass several stages to access information. In Windows 10 the first factor is the device itself.

The second factor is your personal identification number or biometrics. If your devise is hacked, your credentials would not be enough for attackers to get the access to your data. They will need your physical device (mobile phone, computer, tablet, etc.) as well.

Access tokens protection

Access tokens, which are generated when you have authenticated, are becoming the attacks’ target more and more frequently. When hackers obtain these markers, they can access your information even without your credentials. Windows 10 will ensure the access tokens security due to the architectural solution that stores tokens in the safe container working on Hyper-V technology.

Windows Hello

How often do you need to enter a password? We bet that very often. Windows Hello uses your biometrics (iris, face, or fingerprints) instead of passwords. You can instantly get secure access to Windows 10. Windows obtains and finds your biometrics using a fingerprint scanner or camera that supports this feature. When you sign in, Windows welcomes you by name. It is a quick and safe way to use your device without any passwords. Thanks to the automatic and free updates, you will have all new features as long as your device is supported.

Microsoft Edge

What do you usually do after signing in? Most people open a browser. Microsoft Edge is an absolutely new browser that will enable you to surf the Internet easier and safer. Microsoft Edge provides a browsing sandbox that allows you to stay isolated from private information and data. Read the detailed Microsoft Edge review here.

SmartScreen filter and Windows Defender

SmartScreen protects you from phishing sites that are aimed at stealing your passwords and sensitive information. SmartScreen analyzes all visited sites and blocks potentially dangerous ones. This technology also protects you from downloading malware.

Microsoft SmartScreen provides perimeter protection while Windows Defender fights against advanced malware. Windows Defender does not require complicated settings and protects your software from the latest threats. Windows Defender instantly analyzes the information and responds to threats in a moment.

Parental control

Windows 10 allows you to connect your PC to your children’s local or Microsoft account and take care of their security. Parental control blocks websites, applications and games for adults, regulates the time when the device is used, and provides activity reports.

Data protection

Most of us need to access corporate applications and documents when being on a business trip or at home. Remote access involves the risks associated with the VPN connection, especially if you use your own device. Windows 10 provides IT specialists with a possibility to manage VPN permissions. Thanks to this possibility administrators will be able to define access to specified applications and manage them with Master Data Management solutions.

Windows 10 goes back to Windows 7 and borrows some elements from competitors. Windows 10 has remained functional, but became easier to use.

Windows 10 will influence the following testing activities:

• Installation testing (a new operating system presupposes some peculiarities).
• Compatibility testing (an upgraded application programming interface can affect desktop applications; web applications are not likely to be affected).
• Security testing (new features involve new vulnerabilities).

Application security is the most critical point for any business regardless of its sphere. Even if you have no relation to web application testing in any way, it is useful to know the most common vulnerabilities and security problems an application can have. Moreover, it is vital to be able to prevent or deal with them.

Open Web Application Security Project (OWASP) is an open project to ensure web applications security. The organization is not affiliated with any company involved in the software development and supports the thoughtful use of security technologies.

TOP 10 most significant vulnerabilities

• A1 – Injection
• A2 – Broken Authentication and Session Management
• A3 – Cross-Site Scripting (XSS)
• A4 – Insecure Direct Object References
• A5 – Security Misconfiguration
• A6 – Sensitive Data Exposure
• A7 – Missing Function Level Access Control
• A8 – Cross-Site Request Forgery (CSRF)
• A9 – Using Components with Known Vulnerabilities
• A10 – Unvalidated Redirects and Forwards

OWASP has compiled a comprehensive Top Ten list that contains the most dangerous Web application vulnerabilities and provides recommendations for handling those flaws. Here’s list of 10 most critical vulnerabilities.

The purpose of the Top Ten list is to increase the awareness of application security by determining the most critical risks to organizations. The Top Ten list refers to the set of standards, tools and organizations, including MITRE, PCI DSS, DISA, FTC, and many others.

The article by Aleksey Abramovich was published in Pipeline Magazine. 

According to the Ponemon Institute, on average, one denial-of-service (DoS) attack costs the owner of a website, including those associated with telecom organizations, more than 166 thousand dollars.

Every year, DoS attacks are becoming more expensive as site owners increasingly intensify protection against them. But who is implementing these DoS attacks and for what reason? And what is the best way to be prepared to protect your website?

The birth of DoS attacks

The first DoS attack was registered in September 1996. The attack was addressed to the site Panix.com – the first Internet provider in New York.

However, this first DoS attack was not as impressive as one carried out by a 15-year-old Canadian using the handle ”MafiaBoy,” who attacked a range of commercial sites in 2000. One by one, he caused the collapse of the largest American portals – eBay.com, Amazon.com and Yahoo.com – thus demonstrating the vulnerability of those websites at that time.

The next wave of popularity in DoS attacks occurred in 2010 when hackers began to break, one by one, the largest e-commerce systems: PayPal, Visa, and MasterCard. Every year DoS attacks continue to gain power. To provide an idea, in 2005, the “strength” of an average DoS attack was no more than 100 Gbit/sec; this year’s most powerful attack has already reached 400 Gbps per second.

Both attacking and defending sides spend billions of dollars on this ongoing “virtual war.” In order to understand how to defend against DoS attacks, you must first be aware of their nature.

DoS attacks: types and possible protection

We have established that a DoS attack is a malicious activity that blocks the site for the use of legitimate users. A subset of this is distributed denial of service (DdoS) attacks, which involve multiple computers under single management. DoS attacks usually addresses one of three resources, which we’ll cover below.

Channel attacks – a traffic emergency

The most complicated and expensive DoS attacks for hackers and, thus, the most dangerous for the site owner, are attacks on the server network connection. Using a botnet or vulnerable servers, an attacker can generate a huge stream of malicious traffic to the website of the chosen victim.

Because of the large amount of “extra” load in the channel, legitimate users have problems while connecting, or can even be blocked. This situation can be compared to a traffic emergency where cars are stuck in a jam; the traffic is being caused by the DoS attack, and those “stuck in traffic” are the users trying to connect to the site.

The prevention of such attacks is quite expensive because of the need to purchase special equipment for detection and blocking. Otherwise, third parties, such as providers and data centers, should be engaged. The most effective solution is to create a “black hole” outside the server (onsite at the provider) to “catch” the traffic; imagine additional road lanes, which are consigned to offload the traffic jam. This is how black holes are activated at the start of a DoS attack. While all traffic is routed into the black hole, the owner of the website buys time to move the application to another IP address.

Attack on the CPU time – confused pupil

When attacking the CPU time, the maximum CPU load of the server becomes the target of such criminal attack. Imagine a student who is given 10 tasks to solve instead of one during a limited amount of time allocated for a lesson. Unable to concentrate on one, they eventually cannot do what is required.

The best way to defend against this type of attack is with a special software (for example, web application firewall of “WAF”), which is set on the server and filters out potentially dangerous requests.

Read the full article here. 

The goal of attacks on CPU time is to reach a 100% load of CPU server. One of the options is to process a large amount of information from a database, which takes a lot of effort.

A great example of an attack on CPU time is a SSL Renegatiation DoS attack. To perform it a client repeatedly connects with the server applying SSL protocol, whereas the server needs 15 times more processing power than a client to process the request.

How to protect the server from this attack?

For security testers, the first step is to turn off SSL Renegatiation mechanism. Attacks on CPU time are very dangerous for all kind of services and result in serious damage. A software installed on you server and operating as a filter against potentially dangerous request can be a good security measure.

The goal of attacks on server`s memory is to fill the internal memory or a hard disk, or a critical part of memory completely. When the goal is reached the server is unavailable. The classic example of the attack is a TCP SYN flood attack. It`s main objective is to create multiple half open-connections to limit the access to the server. To reach the goal the attacker sends a number of TCP – segments with mounted SYN flash.

If your set up is correct, the information about new connection will be stored in the server`s response, that sends to the initiator of connection. When the server gets the client`s response it checks the information about the connection in the package. This security technology is called syncookies. It extracts the IP-address and the port from the income package, transforms the data into numbers and adds them to the Sequence Number + 1 field.

TCP FIN flood attack is similar to SYN flood attack but creates a number of half-open connections. In case like this, when the connection is established, a TCP-segment with FIN flag is sent to complete it. The server responds with FIN + ACK flagged segment and waits for the approval. If the approval is not send and the memory is filled. To fix the problem you need a patch from a product owner.

“Slow” attacks on HTTP protocol are performed in a bit different way. Apache web-server is most vulnerable to them.

The attacker acts in the following way: connects to a server and starts accepting and sending the data. He performs multiple connections to reach Denial-of-Service. As a result, server`s memory is filled due to the great number of data streams from the Apache server.

To protect the server you need to define the minimal and maximum time limit for sending the request and accepting the answer. If the client exceeds the limit the connection stops. Use specially created modules to set up the protection.

In the end, I would like to say that automatic systems are really important today. They manage various critical processes. Denial-of-Service attacks can lead to unexpected results, thus the issues of protection against DoS/DDoS attacks are as critical as never before and won`t be minor in future.

Today everyone knows about DDoS/DoS attacks. The buzz has long spread beyond security testing and is now everywhere: on the internet, TV, etc. You don’t have to be an experienced user to face the consequences of these attacks, when you visit, for example, a favorite news portal and see the “service is unavailable” message, here it is – the DDoS/DoS attack.

Even knowing what the letters DDoS/DoS stand for, do you understand what they mean? DoS means Denial of Service, which is a malicious activity aimed at a web-site to make it unavailable for legitimate users. DDoS means Distributed Denial of Service, which is an attack performed by several computers.

The most often motives for carrying out DDoS/DoS attacks are:

• Political protest
• Unfair competition
• Blackmailing
• Personal issues

The first DoS attack was registered in September 1996. A few days after the first attack – on September 19th – Carnegie Mellon University computer team of fast response to information security incidents published a brochure about DDoS/DoS attacks. In 1999-2000 when the largest portals like Ebay, Amazon and Yahoo couldn’t handle the attacks the information about them spread around the world. Several years later in 2010 DDoS attacks became notorious again. Hackers started applying them for political protests and attacked the biggest e-commerce systems, like Paypal, Visa and MasteCard. Recently attacks have become more powerful, for example, in 2013 hackers performed a 300 Gbps attack, while in 2014 they reached a record of 400 Gbps.

DoS attack: behind the scenes

Today all attacks can be divided into three big categories depending on the target:

• Server network connection attacks
• Server CPU time attacks
• Server memory attacks

Server’s network connection attacks are aimed at server bandwidth. Hackers generate a huge stream of spurious traffic towards the goals, applying botnet or vulnerable internet servers. The attack can be compared with a traffic jam with stuck ambulance; ambulance here means connections of legitimate clients. On the scheme below you can see how the attacks with vulnerable DNS servers are performed.

From the technical viewpoint channel attacks are very difficult. They shouldn’t run for a long period, otherwise they can harm the hacker’s system itself. Protection against these attacks is very pricey. A company has to buy expensive equipment to detect and block the attacks, or it addresses a 3rd party security provider.

Still, users should understand that this kind of attacks cannot be aimed at a blog, because the cost of the attack performance and the result are not equal.

In the next blog post we’ll cover the topics of server CPU time and server memory attacks.