In a previous article, we reviewed the most critical and widespread vulnerability in web applications according to the OWASP Top 10: broken access control. Today, we tackle the common vulnerabilities and exploits related to the lack or absence of encryption in applications.
Recently, one of our clients asked us to review their Continuous Integration and Continuous Deployment (CI/CD) pipeline, deployed on an AWS infrastructure.
In this article, we will show how a developer with limited access to GitLab could have escalated their privileges and gained access to sensitive information to take control of the AWS infrastructure and cause significant damage to the organisation. We will also detail good practices and measures to implement to counter this type of risk.
In a previous article, we saw why it was important to store passwords in a database with robust hash functions such as Bcrypt and Argon2. This helps to render brute force or dictionary attacks completely ineffective.
However, a problem regularly comes up with existing applications: how can the latest password storage recommendations be applied to an existing database?
Access control is a central element in ensuring the security of web applications. It must be based on robust authentication and session management that takes into account various security risks, such as session hijacking.
XSS exploitation, session fixation, lack of encryption, MFA bypass: there are many techniques for hijacking a user's session. In this article, we present the main attacks and exploits.
The Open Web Application Security Project (OWASP) is a community working to improve the security of information systems and more specifically applications (web, mobile, APIs).
This organisation produces numerous resources, in particular guides and standards for application security, including the OWASP Top 10. It also develops open source tools such as ZAP (an interception proxy, an alternative to Burp) or Amass (to map an attack surface).
During a web application penetration test, we came across the following situation:
Multifactor authentication (MFA) is a central and widely used mechanism for strengthening the security of user accounts and access to a system.
Indeed, it is an authentication method that prevents many malicious attacks and exploits aimed at compromising data: brute force, session hijacking, privilege escalation, etc.
What is data pseudonymisation?
Pseudonymisation is a data protection technique which consists of processing data in such a way that it cannot be attributed to a specific person without the use of additional information. More specifically, it involves replacing real personal identifiers (last names, first names, emails, addresses, telephone numbers, etc.) with pseudonyms.
IDORs (Insecure Direct Object References) are vulnerabilities as widespread in web applications as XSS or SQL injections. Falling under broken access control, IDOR vulnerabilities are indeed among those we most commonly discover and exploit during our web application penetration tests.
In this article, we present an overview of IDORs (principles, attack scenarios and exploits), as well as the best security practices and access control tests to carry out to prevent the risks.
What is privilege escalation?
Privilege escalation is a key concept for attackers seeking access to sensitive information or restricted functionality on an information system. Typically, this involves exploiting security weaknesses in a given system to escalate from a limited level of access, with standard permissions, to a higher level of access, with greater rights.
On Linux, there are several techniques for escalating a user’s privileges. Exploitation of configuration weaknesses, vulnerabilities in programs and broken access control are the main ones.