OWASP Top 10 part 4: Insecure Design

21 October 2024 6 minutes Author: Lady Liberty

Insecure designs are problems in the architecture and design of an application that can lead to security vulnerabilities.

Unreliable architectural solutions

  • Description: Ignoring security during the design or development phase of an application.

  • Example: Necessary security measures are not included in the planning and implementation of the application, resulting in vulnerabilities.

Lack of security in development processes

  • Description: Ignoring security during the design or development phase of an application.

  • Example: Necessary security measures are not included in the planning and implementation of the application, resulting in vulnerabilities.

Improper access management

  • Description: Improper management of access to functions and data.

  • Example: Lack of access segmentation or protection of sensitive data, allowing unauthorized users to gain access to critical functions.

 Single entry point (aka Front Controller)

 Blue Team

Single Entry Point, or Front Controller, is an architectural pattern where all requests to a web application go through a single access point. This provides centralized processing of requests, simplifying security and routing controls.

In frameworks like Symfony, Laravel, and Yii2, this pattern is implemented through a single file, such as index.php, that handles all requests to the application.

Red team

1. Attack on Single Entry Point:

If the Front Controller is configured incorrectly or contains vulnerabilities, attackers can try to bypass it or use it for attacks. This can cause them to gain access to files or directories, bypassing the main control mechanism. Such situations arise due to an incorrect configuration of the server, when direct access to files that should be protected is allowed.

  • curl http://target-site.com/config.php

2. Using incorrect routing settings

If there are errors in the routing, attackers can try to manipulate the routes to access unwanted parts of the application.

  • curl http://target-site.com/index.php?controller=Admin&action=editUser&id=1

3. Abuse of the ability to transfer parameters

It is possible to use query parameters for manipulation or performing unwanted actions.

  • curl http://target-site.com/index.php?module=User&action=delete&id=1

4. Attack attempts due to vulnerabilities in the code

Attackers can look for vulnerabilities in the code that handles requests through the Front Controller, such as SQL injection or other input-based attacks.

  • curl http://target-site.com/index.php?search=’ OR ‘1’=’1

 Publicly open ports

Blue team

Publicly Open Ports is a key element of network security, and only a minimal set of ports should be accessible to external users. Having extra open ports can create vulnerabilities that can be used by attackers to launch attacks.

Basic principles:

  1. Minimize open ports: Only necessary ports should be available to users. For example, the ports for the web server (80/443 for HTTP/HTTPS) or the port for the database (if needed).

  2. Limit access to critical ports: Some ports, such as port 22 for SSH, should be open only on demand or accessible only from an isolated environment, such as through a VPN or from specific IP addresses.

  3. Monitoring and auditing: Continuous monitoring of open ports and auditing of settings help to detect and close unnecessary ports in time.

  4. Firewall application: Use firewall rules to restrict access to ports, allowing access only for certain services and from certain IP addresses.

 Red team

1. Port scanning

Using tools such as Nmap to scan the network and detect open ports. This is the first step in attacks on open ports.

  • nmap -p- target-ip

2. Exploitation of vulnerabilities on open ports

After detecting open ports, attackers can try to exploit vulnerabilities in the corresponding services.

  • hydra -l username -P password_list.txt ssh://target-ip

3. Using open ports for DDoS attacks

Open ports can be used to carry out Denial of Service (DDoS) attacks aimed at overloading the resource.

4. Port forwarding

An attacker can use an open port to create a tunnel and access internal resources that are not normally accessible from the outside.

  • ssh -L 8080:localhost:80 user@target-ip

Deny by Default, Fail Early

Blue team

Deny by Default and Fail Early — are principles of application development and security that involve the system automatically blocking access or execution of actions if necessary conditions are not met, and stopping code at early stages when errors or problems are detected. This helps minimize risks and increases system reliability.

Deny by Default:

All actions and accesses should be denied by default, and only after the necessary checks have been successfully passed are actions or access allowed. This approach minimizes the risk of accidental or unauthorized access. Principle of Fail Early:

When an error or incorrect state is detected, the system must stop further execution immediately to avoid further problems or possible attacks.

Red team

Attacks on systems with incorrect implementation of these principles

1. Bypassing access checks

If the system has hidden routes or functions that do not have explicit access checks, an attacker can gain access to them using a direct request.

  • curl -X POST https://target-app.com/hidden-route

2. Use of logic that does not take into account “Fail Early”

If authentication is not performed properly at all stages of the process, an attacker can leave the session open and use it for an attack.

3. Use of elevated privileges

An attacker can attempt to perform administrative actions through the standard user interface if the system does not validate roles and permissions properly.

Whitelist, Blacklist

Blue team

Whitelist and Blacklist are important methods for managing access and restricting actions in systems.

Whitelist: Includes only those items that are allowed. Everything else is automatically prohibited. This is an approach that provides a higher level of security because it clearly defines what can be done.

Blacklist: Includes only those items that are prohibited. Everything else is automatically allowed. This is a less reliable approach because it does not cover all possible threats.

Red team

1. Bypassing the Blacklist

If only certain extensions are disallowed in the blacklist (e.g. .php), an attacker can download a file with other extensions that can still be executed on the server (e.g. .phtml, .php5).

2. Injections through authorized files

If the system allows certain types of files to be uploaded (such as images), an attacker can embed malicious code in the file’s metadata. Embedding malicious JavaScript in images via an XSS attack.

3. Bypassing the Whitelist through non-standard extensions

An attacker can try to use non-standard or new extensions that are not included in the whitelist, but can be executed on the server. Downloading a file with a .phar extension, which can also be done on some servers.

Other related articles
OWASP Top 10
Read more
OWASP Top 10 part 1: Broken Access Control
Broken Access Control is one of the most dangerous vulnerabilities in the OWASP Top 10 list, which allows attackers to bypass access control mechanisms, gain access to sensitive data, and perform unauthorized operations.
225
Found an error?
If you find an error, take a screenshot and send it to the bot.