Timeline: 11th - 17th Due: 17th February 11pm
This is the end of the second sprint of researching about web application security.
This week’s content was presented by Larry and Darsh to research bug bounties and responsible disclosure policies and with the help of Luke who is currently working for a company called ‘Sense of Security’ whom talked about web pentesting.
Quite reformed in the field, Luke offered us an extensive range of knowledge of web application especially about basic networking of which ports we should remember and how cross-site scripting (XSS) functions.
From Amit Klein, the definitions of 3 types of XSS follows (OWASP 2017):
Reflected Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, or any other response that includes some or all the input provided by the user as part of the request without that data being made safe to render in the browser, and without permanently storing the user provided data. In some cases, the user provided data may never even leave the browser (see DOM Based XSS next).
Stored Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc. And then a victim can retrieve the stored data from the web application without that data being made safe to render in the browser. With the advent of HTML5, and other browser technologies, we can envision the attack payload being permanently stored in the victim’s browser, such as an HTML5 database, and never being sent to the server at all.
DOM-based DOM Based XSS is a form of XSS where the entire tainted data flow from source to sink takes place in the browser, i.e., the source of the data is in the DOM, the sink is also in the DOM, and the data flow never leaves the browser. For example, the source (where malicious data is read) could be the URL of the page (e.g., document.location.href), or it could be an element of the HTML, and the sink is a sensitive method call that causes the execution of the malicious data (e.g., document.write).”
This section was used for Luke’s homework on Wednesday to find example of real life vulnerability either through CTFs, bug bounties or some means. I had found a HackerOne XSS vulnerability about using DOM-based XSS to inject a .gif file into ‘send-payment’ functionality into a crypto website. I had discussed this XSS injection with Panda and Johnwei who were really intrigued by the thought by inserting a funny gif into the client website. More details.
Over the week we have been given the opportunity to research a particular problem statement with web application security. Mine was, ‘In a 24⁄7 hr economy, how does one viabily protect their application against common vulnerabilities?’. The word ‘common’ is defined by how easy and quickly is it to research a web application vulnerability and attack any web application as you please. I tested this theory by using a quick google and youtube search, ‘easy xss attack’, and applied my knowledge on out-of-date website.
Although bigger organisation such the big 4 banks; CBA, Westpac, ANZ and NAB; have protected their web applications against such threats, what about smaller businesses who do not have a team dedicated to maintaining their assets. Smaller organisations are more susceptible to such attacks as their budget maybe limited to maintain their web application security.
Out-of-dates systems and web application which run older softwares can be exploited by any hacker who can install malware such as ransomware. Malware can be install through insecure web applications that may accept input from client-side browser. It can also be installed by human error by those who aren’t knowledgable about how to spot fake links from websites or phishing emails.
There are a wide range of solutions but are categorised up by how affordable and cost effective it is for an organisation. The main solution to is problem is that should everyone have access free training or knowledge of how to mitigate an issue if there was an attack. By providing knowledge like updating your system regularly and research if your current web application software has any software vulnerabilities, it is a great start in securing any web applications.
Screenshot of my code in Visual Studio code of the problem.
Screenshot of inspect feature and that full screen yields a big problem with the css.
Screenshot of the same problem but the navbar is in mobile mode and the css is still broken.
Screenshot of my code in Visual Studio Code of the problem fixed.
A snippet of Jesus injected into the send payment function.
Friday Presentation I have done a lot of research of web application security how a hacker can use simple vulnerabilities from google search and can exploit them and install malwares which potentially can encrypt any file they wish in exchange of a untraceable payment. This research can be read through this link about web application security.
Natas This is not my first time of trying to break into web application security by this will be first completing a write-up hopefully up to level 15. Write-ups are great method to understand and validate your solutions. It’s great way to build a bank of knowledge to build of up the knowledge to quickly recognise vulnerabilities. This write up can be read by clicking this link about natas.
Bandit Currently in progress.
For the last couple of years, time management hasn’t been a major problem however this studio has shown me how important it is to be diligent and discipline in following a schedule. Everyone has their own personal life with family, work and school, so that means we all make compromises to meet to deadlines and expectations.
This week I handled things differently and viewed it from it another perspective. Compared to last week where I was perceiving the task as a whole, this week I cut the task into manageable sections that I can complete over the scheduled days. This approach was great for myself as I did not get too overwhelmed with completing the homework and extra web application technical practice during my own time. I also found that it was much more effective of trying to put key points into statement rather than trying to bolster it up with security jargon.
I believe for me to get the most out of this subject is that not be the top of the class however at the technical skills and high language level I can reciprocate what I have learnt during this time to those who did not have the opportunity to enrol in this studio.
In comparison to last week, my health has really took a toll by unable to get a good quality of sleep and enough food to eat. I tend to sell myself short by misleading myself that I am not up to everyone’s skill level in technically and knowledge and that I need to push myself further to catch up. Since I can become very meticulous and a bit of perfectionist this does not make my situation any better. To fix tiring out my mental capacity, I have to take frequent breaks and review what I need to complete in the next hour before my next break so I can slowly develop a better method of studying.
Next week will be the big challenge for everyone and especially myself. This will be the next step in reaching my goal of working in the cyber security industry. Although I may not have the expertise I desire, I know I have developed a good design thinking methodology which I can use to slowly progress myself throughout the week.
The last two weeks the tutors have been quite lenient on us and I believe week they should start become a bit more strict. Taking advantages of their leniency I can quickly fall back into a path where I can become complacent and unmotivated to do better. However, I do appreciate the level of transparency they have provided through the last two weeks every day. I am lucky to be enrolled in this subject as it is not often that tutors will go out of their way to help myself find where I am currently and if I need any help to guide me. If the tutors keep giving their 110% each day we cannot disappoint them by not putting in our own effort as well. At the end of the day, it is a subject of self-learning.
Every week has been increasingly becoming more challenging and invigorating. The habit to create and to follow a timeline has been very difficult for me validated by staying up late trying to improve myself every day to put in the 35hrs of effort. However, this is stepping stone for myself to lead to create and achieve bigger goals if I keep working on it during my own time. By giving it my best every week, my struggles will yield positive outcomes.
Using UTS Harvard Referencing.OWASP 2017, ‘Types of Cross-Site Scripting’, OWASP, viewed 17 February 2019, https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting UTS 2018, ‘Interactive Harvard UTS Referencing Guide’, UTS, viewed 17 February 2019, http://www.lib.uts.edu.au/sites/default/files/attachments/page/InteractiveHarvardUTSGuide.pdf OverTheWire n.d, ‘Natas’, OverTheWire, viewed 17 February 2019, http://overthewire.org/wargames/natas WebAppSec 2005, ‘DOM Based Cross Site Scripting or XSS of the Third Kind, Amit Klein, viewed 17 February 2019, http://www.webappsec.org/projects/articles/071105.shtml GitHub 2017, ‘Markdown Cheatsheet’, Adam P, viewed 17 February 2019, https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet Github 2012, ‘What’s the difference between a web site and a web application? [closed] ‘, Prusrus, viewed 17 February 2019, https://stackoverflow.com/questions/8694922/whats-the-difference-between-a-web-site-and-a-web-application