Part 2: Oh wasp!

This content is based on the H2 tasks of Data Security by Mr. Karvinen. We will have a look at some hot OWASP topics and other interesting things.

OWASP Top 10: 2021

OWASP stands for Open Web Application Security Project. It is a nonprofit foundation that focuses on improving software security. Among the multitude of useful information published by OWASP there is also a yearly list of the top ten web application security risks. We will have a quick look at some of the most popular ones.

A05:2021-Security Misconfiguration

Compared to the previous year, security misconfiguration has moved up one rank to number five. This is due to the increasing amount of highly configurable software. These vulnerabilities often arise from improper permissions, unnecessary active features, error handling, outdated or misconfigured security, etc.

Secure installation processes can be a significant preventive element. It is crucial to have a repeatable hardening process and identical configurations for all environments. Skipping any unnecessary features and components reduces the amount of potential risk, and reviewing and updating configurations and permissions according to security notes and patches will ensure further hardening.

Further information and details can be found in the link below

A06:2021-Vulnerable and Outdated Components

Vulnerable and Outdated Components are a long-standing issue, since many components, dependencies and nested libraries in production environments are outdated, insecure, or their versions might even be unknown to the host. This becomes especially problematic if one doesn't keep an eye on published vulnerabilities and patch them in a timely manner.

The best prevention is to implement a proper patch management process and remove unnecessary dependencies and components, as well as maintaining an up-to-date inventory to simplify the monitoring and tracking of said elements.

Further information and details can be found in the link below

A03:2021-Injection

Injection has decreased in frequency and now sits at third rank. This may be due to the fact that most solutions are more strongly hardened against it out of the box. Nevertheless, it is still a very highly ranked category, and we keep seeing situations where user-supplied data is not properly sanitized before processing. This includes the omission of context-aware escaping, the use of hostile data within ORM search parameters, etc. High up on the list of injection categories are SQL, NoSQL, Object Relational Mapping (ORM), OS command, LDAP, Expression Language (EL) and Object Graph Navigation Library (OGNL) injection. The easiest way to prevent such injections is to keep data separate from queries and commands, and to use LIMIT and other SQL controls within queries.

Further information and details can be found in the link below

Darknet Diaries #67

Darknet Diaries is a popular podcast that covers topics around hacking, security, breaches, cybercrime and the like. I highly recommend it as an informative source for everybody who is interested in security. We will have a quick look at some stories from episode 67: The Big House, which interviews penetration tester John Strand and shows the importance of not just digital but also physical security.

Story 1: Classified facility

This story focuses on breaching a classified military facility. While the perimeter security was strong and difficult to overcome in a traditional way, John took a less obvious approach. His plan was to get arrested at the base and taken to an interrogation room where he might be able to access the network. This way he would basically be guided straight to his goal by the target itself. The plan worked to some extent: he ended up in a room with a network jack that belonged to a classified network, but due to injuries sustained during the arrest the plan had to be aborted. This highlights how flawed some security processes can be. Someone probably spent millions on the physical perimeter defence and then forgot about a simple thing like unprotected network ports in a room where unauthorized people are most likely held. Of course, we never found out how the story would have gone if he had plugged something in, or how successful he would have been. I wonder if some social engineering would have offered an easier approach.

Story 2: The easy way in

An older story of John's involved a contract to break into a building and take over its computer systems. He found an easy way in through an unlocked window and started running malware off USB sticks. He made a mistake by using a flashlight, and someone called the police. While he explained to the police what he was doing and that he was hired to do so, they simply accepted this without checking whether it was true. This shows how some social skills combined with weak physical security can be a real issue. Obviously this company needs to invest seriously in security, but they can't be blamed for police officers who just let John stay there and keep doing his thing. This is just another reason to take physical security seriously.

Story 3: The prison

For a job to get remote access to a system within a prison, John sent his mother to infiltrate the facility disguised as a food service inspector. She had a lot of background knowledge of the food service industry and successfully managed to get access and run a payload from a USB drive on the prison director's computer. All it took was telling the staff at the gate that she was with the health department, and she was granted access, no questions asked. By saying that she needed to check the employee workstations to make sure there was no food or drink at them, she was given unsupervised access to the computers and the network operations center.

A very common weakness in many such stories is the human factor. Even if procedures are in place, not everybody follows them, and while some companies might have strongly hardened digital security, you might be able to just walk into the server room and start uploading payloads if you dress up as an inspector and carry a clipboard.

CVE-2021-36934: HiveNightmare / SeriousSAM

Among the most troublesome CVEs from last year is a Windows elevation of privilege vulnerability. It allows non-admin users to read certain sensitive registry hive files, including the Security Accounts Manager (SAM) database. Attackers can leverage this to extract stored credentials and encryption keys, elevate account access and privileges on a local machine or within the network, and so on.

If we combine this attack with an Active Directory Certificate Services relay attack, an attacker can potentially take over a complete Active Directory environment. Plenty of nightmares to go around for every sysadmin out there. For a detailed explanation of this attack combo, please check out the Black Hills link below, where Steve Borosh walks you through the details, or watch his video below.
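As an added example (not from this blog or the Black Hills write-up), here is a small Python helper that reproduces the check Microsoft published for this CVE: parse the icacls output for the SAM, SECURITY and SYSTEM hive files and flag any ACE that gives BUILTIN\Users read access. The sample icacls output is constructed so the parser can be tried anywhere; only check_hive() actually runs icacls and therefore needs Windows.

```python
import re
import subprocess

# The registry hive files whose ACLs CVE-2021-36934 (HiveNightmare) left readable by non-admins.
HIVE_FILES = [r"C:\Windows\System32\config\SAM",
              r"C:\Windows\System32\config\SECURITY",
              r"C:\Windows\System32\config\SYSTEM"]

def parse_icacls(output, path):
    """Turn icacls output for one file into (principal, rights) pairs."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        # icacls prints the file path in front of the first ACE only
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = re.fullmatch(r"(.+?):((?:\([A-Z,]+\))+)", line)
        if m:
            aces.append((m.group(1), m.group(2)))
    return aces

def users_can_read(aces):
    """True when the Users group holds any right that includes reading the file."""
    read_rights = ("(RX)", "(R)", "(F)", "(M)")
    for principal, rights in aces:
        if principal.lower() == r"builtin\users" and any(r in rights for r in read_rights):
            return True
    return False

def check_hive(path):
    """Live check, Windows only: run icacls on the hive file and inspect its ACL."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True).stdout
    return users_can_read(parse_icacls(out, path))

# Constructed sample in the shape icacls prints it; the BUILTIN\Users:(I)(RX) line is the
# condition the advisory tells you to look for.
SAMPLE_VULNERABLE = r"""C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for hive in HIVE_FILES:
        print(hive, "VULNERABLE" if check_hive(hive) else "ok")
```

A positive result is only half the story: Microsoft's workaround was to restore ACL inheritance on the config directory (icacls %windir%\system32\config\*.* /inheritance:e) and to delete existing VSS shadow copies, because the older copies of the hive files remain readable through them.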

Sequel: SQL Zoo basics

SQL injections are a very common class of attack. To build a basic foundation, let's quickly refresh some of the essentials of SQL by solving some tasks in SQL Zoo.

0 - SELECT BASICS

The first task wants us to modify the query to show the population of Germany. In this case it is as simple as changing SELECT population FROM world WHERE name = 'France' to SELECT population FROM world WHERE name = 'Germany'. If we did everything correctly we should be given a population of 80716000.

The second task wants us to show the population of Sweden, Norway and Denmark. This is again pretty simple; we just change the country list from SELECT name, population FROM world WHERE name IN ('Brazil', 'Russia', 'India', 'China'); to SELECT name, population FROM world WHERE name IN ('Sweden', 'Norway', 'Denmark');

The third task asks us to show the countries whose area falls within a certain range. This is again a rather straightforward modification where we change SELECT name, area FROM world WHERE area BETWEEN 250000 AND 300000 to SELECT name, area FROM world WHERE area BETWEEN 200000 AND 250000.

2 - SELECT from World

The first task in this chapter is to simply observe the output of the following SQL command: SELECT name, continent, population FROM world, which shows the name, continent and population of all countries.

The second task asks us to show the names of countries which have a population of at least 200 million. We can simply change the operator and value in the existing query from SELECT name FROM world WHERE population = 64105700 to SELECT name FROM world WHERE population >= 200000000.

In the third task we are asked to show the name and per capita GDP of the countries with a population of at least 200 million. We can reuse the previous query and modify the field names after the SELECT keyword. We have to divide GDP by population to get the desired value. The final query will look like this: SELECT name, (gdp/population) AS 'per capita GDP' FROM world WHERE population >= 200000000.

Task four wants us to show the name and population in millions for all countries on the continent of South America. We can take a similar approach as in the previous task and create a custom field. The final result should look something like this: SELECT name, (population/1000000) AS 'population (M)' FROM world WHERE continent = 'South America'.

Task five requires the name and population of France, Germany, and Italy. This requires a query similar to an earlier task; the solution will look like this: SELECT name, population FROM world WHERE name IN ('France', 'Germany', 'Italy').

Task six needs us to show all countries which contain the word "United" in their name. We can do this with the following query: SELECT name FROM world WHERE name LIKE '%United%'.

In task seven we need to list the countries that are larger than 3M sq km or have a population of over 250M. Let's use an OR in our query to check for either of those conditions. The solution will look like this: SELECT name, population, area FROM world WHERE population > 250000000 OR area > 3000000.

Task eight requires an exclusive OR to show countries with more than 3M sq km or a population of over 250M, but not both. We can solve this with the same statement as in the previous task, but we have to swap the OR for XOR: SELECT name, population, area FROM world WHERE population > 250000000 XOR area > 3000000.

In task nine we have to round the population in millions and the GDP in billions to 2 decimal places (for countries in South America). We can use some of the earlier queries as a starting point and make use of the ROUND function for the rounding. The solution will look something like this: SELECT name, ROUND(population/1000000,2) AS 'population (M)', ROUND(gdp/1000000000, 2) AS 'GDP (B)' FROM world WHERE continent='South America'.

Task ten wants the name and per-capita GDP for countries with a GDP of at least one trillion, but the result has to be rounded to the nearest 1000. We can do this with the following statement: SELECT name, ROUND(gdp/population,-3) AS 'per-capita GDP' FROM world WHERE gdp >= 1000000000000. This is not very different from previous solutions, especially since we can use a negative parameter in the ROUND function.

Task 11 requires us to show the name and capital where the name and the capital have the same number of characters. With the help of the LENGTH function we can create the following query to solve this problem: SELECT name, capital FROM world WHERE LENGTH(name) = LENGTH(capital).

Task 12 wants us to show the name and the capital where the first letters of each match. We shall not include countries where the name and the capital are the same word. With the help of LEFT we can easily grab the first letter, and the <> operator can be used as NOT EQUALS. The final statement will look like this: SELECT name, capital FROM world WHERE LEFT(name,1) = LEFT(capital,1) AND name <> capital.

Task 13 is the final task and asks us to find the countries which have all the vowels (a e i o u) and no spaces in their name. The previous tasks provided us with all the knowledge and tools we need. The solution can be achieved with the following statement: SELECT name FROM world WHERE name LIKE '%a%' AND name LIKE '%e%' AND name LIKE '%i%' AND name LIKE '%o%' AND name LIKE '%u%' AND name NOT LIKE '% %'. We could also use a regular expression to solve this.

Webgoat A1: SQL Injection(intro)

In part one we did the setup of WebGoat, including some warmup exercises. This time we will proceed a bit further and have a crack at the A1 - SQL Injection (intro) lesson. The lesson itself guides us through the basics of SQL injection. This includes not only a basic understanding of SQL and SQL injections, but also some hands-on challenges. While I highly recommend running through the theoretical part first, for the purpose of this summary we will focus purely on the practical parts. SQL injections can be used to do pretty much whatever we want with a database if no precautions are taken, since they allow us to inject SQL queries directly.

2: A simple SQL query

In step 2 of the lesson we are asked to retrieve the department of employee Bob Franco. If we paid attention earlier in the SQL Zoo section, this should be no issue. Let's try the following query: SELECT department FROM Employees WHERE last_name = 'Franco' AND first_name = 'Bob'. Looks like we passed without any issue. The department of Bob Franco is "Marketing".

3: Modifying an entry

Step 3 asks us to change the department of Tobi Barnett to 'Sales'. We know that the userid is 89762, so let's try UPDATE employees SET department = 'Sales' WHERE userid = 89762. Looks like we successfully changed the department to Sales.

4: Modifying the schema

We have to modify the schema with an SQL query that adds a new column to the table employees. Let's try the following: ALTER TABLE employees ADD phone varchar(20). It appears we succeeded and completed the assignment.

5: Granting privileges

This assignment asks us to grant a user group the right to alter tables. We should be able to do this with GRANT. The following query should do the job: GRANT ALTER TABLE TO UnauthorizedUser. We succeeded and can proceed.

9: String SQL injection

In this assignment we use the given form to try to form an injection query that retrieves all users from a table. The following solution gave us the desired results.

10: Numeric SQL injection

Next up we have a task that builds on the previous example. Here we take advantage of code that builds a query by concatenating a number, which allows us to retrieve all the data from the user table. We fill the login_count field with any number, and in the User_Id field we enter 0 OR 1=1.

11: Defeating confidentiality with String SQL injection

In this situation we want to bypass account-specific authentication to look at the data of all other accounts. It is time again for string SQL injection. All we need to enter in the employee name field is ' OR 1=1 -- and with -- we start a comment and skip the rest of the intended query.

12: Defeating integrity with Query chaining

With query chaining we append one or more queries to the end of the actual one. This can easily be done with the ; symbol, which ends the current query and starts a new one. The assignment itself wants us to change our own salary. Let's enter the following in the employee name field: '; UPDATE employees SET salary = 9000000 WHERE userid = 37648. As mentioned before, we use ; to end the current query and start a new one. With -- we comment out the rest so we don't need to deal with the TAN field.

13: Compromising Availability

The last assignment deals with compromising availability. While this category encompasses everything that impacts availability, we focus on the task at hand: deleting the access_log, since we left traces there that we modified our salary, and we wouldn't want that. Let's inject the following into the text field: '; DROP TABLE access_log. And voilà, we dropped the log table and erased our traces.
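The following is an added example, not code from WebGoat or from this blog: it runs the inputs from lessons 11 to 13 against a constructed in-memory SQLite table through the same "paste the form field into the SQL text" pattern the lesson exploits, next to the parameterized query that the A03 section recommends (keeping data separate from the query). The table layout, names, TANs and salaries are made up; only the lesson's userid 37648 is kept so the payload reads the same.

```python
import sqlite3

# Constructed in-memory tables mirroring the lesson; ids, names, TANs and salaries are made up.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (userid INTEGER, last_name TEXT, auth_tan TEXT, salary INTEGER)")
    con.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)",
                    [(37648, "Example", "3SL99A", 50000), (89762, "Sample", "4SL77B", 60000)])
    con.execute("CREATE TABLE access_log (id INTEGER, entry TEXT)")
    con.execute("INSERT INTO access_log VALUES (1, 'salary viewed by 37648')")
    con.commit()
    return con

def build_query(name, tan):
    # The flaw behind lessons 9-13: form input pasted straight into the SQL text.
    return ("SELECT userid FROM employees WHERE last_name = '" + name
            + "' AND auth_tan = '" + tan + "'")

def lookup_vulnerable(con, name, tan):
    # ' OR 1=1 -- rewrites the WHERE clause, so every row comes back (lesson 11).
    return con.execute(build_query(name, tan)).fetchall()

def lookup_chainable(con, name, tan):
    # executescript() runs every ';'-separated statement, which is exactly what
    # query chaining (lessons 12 and 13) needs; execute() would refuse the second statement.
    con.executescript(build_query(name, tan))

def lookup_safe(con, name, tan):
    # Hardened: bound parameters keep the input as data, so neither trick changes the query.
    sql = "SELECT userid FROM employees WHERE last_name = ? AND auth_tan = ?"
    return con.execute(sql, (name, tan)).fetchall()

def salary_of(con, userid):
    return con.execute("SELECT salary FROM employees WHERE userid = ?", (userid,)).fetchone()[0]

def table_exists(con, table):
    sql = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return con.execute(sql, (table,)).fetchone() is not None

# The three inputs from the lesson (the chaining ones with the -- the text describes).
ALL_ROWS = "' OR 1=1 --"
RAISE_SALARY = "'; UPDATE employees SET salary = 9000000 WHERE userid = 37648 --"
DROP_LOG = "'; DROP TABLE access_log --"
```

Python's sqlite3 execute() already refuses a second ';'-separated statement, so chaining only works through executescript() here; that is an accident of the driver, does nothing against ' OR 1=1 --, and is no substitute for the bound parameters in lookup_safe().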