Critical authentication, data integrity and logging errors, how to protect your system

7 September 2024 8 minutes Author: D2-R2

Learn how to avoid authentication errors, ensure data integrity, and set up effective monitoring in your system. Protect your business from cyber threats!

Identification and authentication errors

Identification and authentication errors are flaws in the processes that verify a user's identity, and they can allow unauthorized access.

1. Weak passwords and their storage

  • Description: Using weak or predictable passwords and storing them insecurely.

  • Example: Passwords without sufficient complexity or storing passwords in plain text format.

2. Insecure authentication

  • Description: Insufficient verification of user identity.

  • Example: Lack of two-factor authentication or use of unreliable authentication mechanisms.

3. Vulnerabilities in the login process

  • Description: Issues that allow attackers to bypass or compromise login mechanisms.

  • Example: Attacks on the login process, such as brute-forcing or attacks on password reset mechanisms.

Weak Passwords

Blue team

Set the minimum password length to 8 characters or more, and check every password against lists of common weak passwords such as those in SecLists. Rather than the standard composition requirements (uppercase and lowercase letters, numbers or special characters), a better approach is to raise the minimum length to 12 characters without restricting composition. The system should reject any password that appears in a list of common, untrustworthy combinations.
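As an added example (not code from the original article), the following Python check enforces the 12-character minimum and rejects passwords that appear in a common-password list even after the usual letter-for-symbol substitutions such as P@ssword1; the block list here is a small constructed sample standing in for a SecLists file.

```python
import re

MIN_LENGTH = 12

# Constructed sample list; in production load a real common-password list
# (for example from SecLists) instead of hard-coding entries.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein",
                    "welcome1", "iloveyou", "admin123", "sunshine"}

# Letter-for-symbol substitutions that brute-force tools apply automatically,
# so they add no real strength: P@ssw0rd is still "password".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})


def normalize(password: str) -> str:
    """Reduce a password to its base word: lower-case it, drop the trailing
    digits/symbols people append, then undo the leet substitutions."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)


# The block list is normalized the same way, so "password1" in the list
# also catches "Password2024" and "P@ssw0rd!!".
NORMALIZED_COMMON = {normalize(p) for p in COMMON_PASSWORDS}


def check_password(password: str):
    """Return (accepted, reason); reason is None when the password passes."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "found in common-password list"
    base = normalize(password)
    if base and base in NORMALIZED_COMMON:
        return False, "trivial variation of a common password"
    return True, None


if __name__ == "__main__":
    for pw in ["P@ssword1", "Password123456", "P@ssw0rd-2024!!",
               "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw)}")
```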

Red team

Use modern brute-force tools that can perform simple password transformations, such as replacing letters with similar numbers or special characters (P@ssword1). Use lists of weak combinations from SecLists to select passwords. Tools such as Hydra or John the Ripper allow you to automate the process of selecting passwords from these lists, which significantly speeds up the attack.

Brute-force protection

Blue team

  • Specialized solutions: Use protection services against DDoS and brute-force attacks, such as Cloudflare, to protect against excessive requests to the system.

  • Rate limiters: Implement request rate limiting using the facilities of frameworks such as Symfony, Laravel, or Yii2, so that the number of login attempts in a short period of time is capped.

  • Captcha or secret question: After several failed login attempts, require the user to complete a captcha or answer a secret question. It is important that the question is not easy to guess.

  • Random Delay: Add a random delay (1-2 seconds) after a failed login attempt. This will greatly complicate a brute force attack without causing discomfort to legitimate users.
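An added example, not from the original article, of a request limiter with the captcha step and the random 1-2 second delay described above; it counts failures both per client IP and per username, so that neither rotating proxy addresses nor spraying many accounts from one address escapes the limit. The clock, sleep and random functions are injectable only so the behaviour can be exercised without waiting.

```python
import random
import time
from collections import defaultdict, deque

MAX_FAILURES = 5          # failures allowed per key within WINDOW seconds
WINDOW = 300              # sliding window, seconds
CAPTCHA_AFTER = 3         # failures after which a captcha is demanded
DELAY_RANGE = (1.0, 2.0)  # random delay after a failed attempt, seconds


class LoginGuard:
    """Counts failed attempts both per client IP and per username, so that
    neither rotating proxies nor spraying many accounts from one address
    escapes the limit. clock/sleeper/rng are injectable for testing only."""

    def __init__(self, clock=time.monotonic, sleeper=time.sleep, rng=random.uniform):
        self.failures = defaultdict(deque)
        self.clock, self.sleeper, self.rng = clock, sleeper, rng

    def _recent(self, key):
        q = self.failures[key]
        cutoff = self.clock() - WINDOW
        while q and q[0] < cutoff:        # forget failures outside the window
            q.popleft()
        return len(q)

    def check(self, ip, username):
        """Call before verifying credentials: 'allow', 'captcha' or 'blocked'."""
        n = max(self._recent(("ip", ip)), self._recent(("user", username)))
        if n >= MAX_FAILURES:
            return "blocked"
        return "captcha" if n >= CAPTCHA_AFTER else "allow"

    def record_failure(self, ip, username):
        """Count the failure against both keys, then add the random 1-2 s delay."""
        now = self.clock()
        self.failures[("ip", ip)].append(now)
        self.failures[("user", username)].append(now)
        self.sleeper(self.rng(*DELAY_RANGE))

    def record_success(self, ip, username):
        """A real login clears the account's counter; the IP counter just decays."""
        self.failures.pop(("user", username), None)


if __name__ == "__main__":
    guard = LoginGuard()
    for _ in range(4):
        guard.record_failure("203.0.113.5", "alice")   # sleeps 1-2 s each time
    print(guard.check("203.0.113.5", "alice"))         # captcha
```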

Red team

Use tools like Hydra, Burp Suite Intruder, or OWASP ZAP to perform automated attacks on login pages. Check how efficiently the request limits are working and whether it is possible to bypass them by using different IP addresses or proxy servers.

Explore the options for automating the passage of captchas or involving external services to solve them, which can significantly simplify an attack on protected systems.

Brute-force Fun

Blue team

The ffuf.md documentation provides several examples of traversing paths and parameters using the ffuf tool that illustrate how an attacker can perform a brute force attack on a web application.

To protect against such attacks, use request limits, captchas, blocking access by IP addresses, and random delays between requests. This will help effectively prevent brute force attacks on your web application.

Red team

Using ffuf, a well-known tool for carrying out brute-force attacks:

  • ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ

This iterates through candidate URLs or parameters to reveal hidden paths or vulnerabilities on the server. The same run with a custom User-Agent header shows whether a captcha or similar protection is triggered:

  • ffuf -w /path/to/wordlist.txt -u https://target.com/FUZZ -H "User-Agent: ffuf-agent"

Software and data integrity errors

Software and data integrity errors are problems that affect trust in software and data.

1. Unreliable data storage

  • Description: Storage of data without proper protection or verification.

  • Example: Data stored in unencrypted form, which may be accessible to attackers.

2. Software integrity issues

  • Description: Vulnerabilities in software that allow modification or compromise of its integrity.

  • Example: Insecure management of code updates or modifications, which could allow attackers to inject malicious code.

3. Unreliable data sources

  • Description: Using data from untrusted or unsecured sources.

  • Example: Using data from unverified or unreliable sources that may lead to abuse or errors.

Checksums

Blue team

Checksums are small segments of data created from other digital data that are used to verify the integrity of files. They help ensure that data has not been altered or corrupted.

Checksums are usually provided as hashes. Thanks to them, you can check whether the file remained unchanged during download or transfer.

Example:

By comparing the checksum generated locally with the official checksum published by the vendor, we can verify the integrity of the downloaded file.
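An added example (not from the original article) of that verification step in Python: it parses a SHA256SUMS-style listing and compares the locally computed digest with the published one, which is also the check behind the shasum step recommended for Composer packages later in the article. The archive bytes and the listing in the demo are constructed.

```python
import hashlib
import hmac


def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of the file contents, fed in chunks so a large download
    need not be held in memory at once."""
    h = hashlib.new(algorithm)
    for i in range(0, len(data), 65536):
        h.update(data[i:i + 65536])
    return h.hexdigest()


def parse_sums(text: str) -> dict:
    """Parse a SHA256SUMS-style listing ('<hex>  <filename>' per line; a '*'
    before the name marks binary mode) into {filename: hex digest}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums


def verify(name: str, data: bytes, sums: dict, algorithm: str = "sha256") -> bool:
    """True only if the listing has an entry for name and it matches data.
    compare_digest keeps the comparison time independent of where it differs."""
    expected = sums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(file_digest(data, algorithm), expected)


if __name__ == "__main__":
    # Constructed demo. The listing is built from the genuine archive here;
    # in practice it comes from the vendor, fetched separately from the file
    # so that a single tampered download cannot carry its own "valid" hash.
    genuine = b"tool 1.2.3 release archive (constructed bytes)\n"
    sums = parse_sums(f"{file_digest(genuine)}  tool-1.2.3.tar.gz\n")
    print("genuine :", verify("tool-1.2.3.tar.gz", genuine, sums))
    print("tampered:", verify("tool-1.2.3.tar.gz", genuine + b"#", sums))
```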

Red team

Checksums can be bypassed if an attacker is able to modify both the file and its checksum, such as in a MITM (man-in-the-middle) attack.

In this case, the attacker replaces the file and computes a new checksum for the modified file, then substitutes that checksum in the verification system so that the replacement goes unnoticed.

1. APT, SNAP, Composer, NPM, Yarn

Blue team

APT (Advanced Package Tool) and Brew

APT is a package management system for Debian-based distributions such as Ubuntu. Some software may require you to update the source list for apt, others may require you to download and install a .deb package, and some may come as archives with already compiled binaries. Make sure you download everything from official sources.

Brew (for macOS) works in a similar way, providing easy software installation and updates.

PHP: Composer

Composer is a PHP dependency management tool. Packages are not always available on Packagist; in that case you can add additional sources in the Composer configuration, provided you are sure they are reliable. It is also recommended to use shasum to check package integrity.

Node: NPM, Yarn

NPM (Node Package Manager) and Yarn are tools for managing dependencies in Node.js. They make it easy to install, update, and remove packages.

2. Subresource Integrity

Blue team

Subresource Integrity (SRI) allows you to check the integrity of downloaded resources, such as scripts or styles from external sources. This is achieved by adding the integrity attribute to the <link> or <script> tags that contain the resource hash. This ensures that the resource has not been modified after download, which is important to protect against attacks such as resource substitution or malicious code injection.
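An added example, not from the original article, in Python: it produces the integrity value for a resource, emits a <script> tag carrying it, and reproduces the browser-side check, including the rule that when several hashes are listed only the strongest algorithm present is consulted. The resource bytes and the CDN URL are constructed.

```python
import base64
import hashlib
import hmac
import html

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}   # the algorithms SRI allows


def sri_hash(resource: bytes, algorithm: str = "sha384") -> str:
    """Integrity metadata for resource: '<alg>-<base64 digest>'."""
    digest = hashlib.new(algorithm, resource).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, resource: bytes) -> str:
    """<script> tag pinning the resource's hash. crossorigin="anonymous" is
    required for SRI on a resource served from another origin, such as a CDN."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_hash(resource)}" crossorigin="anonymous"></script>')


def integrity_matches(resource: bytes, integrity: str) -> bool:
    """Reproduce the browser-side check. The attribute may list several
    space-separated hashes (each optionally followed by '?options'); only the
    entries using the strongest algorithm present count, and any one of them
    matching passes. A browser loads the resource unchecked when no usable
    hash is present; this check fails closed instead."""
    entries = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        if alg in STRENGTH:
            entries.append((alg, rest.split("?", 1)[0]))
    if not entries:
        return False
    strongest = max(STRENGTH[alg] for alg, _ in entries)
    return any(hmac.compare_digest(sri_hash(resource, alg).encode(), f"{alg}-{b64}".encode())
               for alg, b64 in entries if STRENGTH[alg] == strongest)


if __name__ == "__main__":
    script = b"console.log('hello from the CDN');\n"   # constructed resource
    print(script_tag("https://cdn.example.invalid/app.js", script))
    print("unchanged:", integrity_matches(script, sri_hash(script)))
    print("modified :", integrity_matches(script + b"//", sri_hash(script)))
```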

Red team

  • Check for SRI usage: Determine if integrity attributes are used in your web application’s resources. Use your browser’s developer tools to check the <script> and <link> tags for this attribute.

  • Attacking resources without SRI: If you find that a web application does not use SRI for critical resources, try to change the resources (for example, through CDN attacks) and see if malicious code can be executed.

Errors in logging and security monitoring

Security logging and monitoring errors are deficiencies in security event monitoring and recording systems.

1. Insufficient logging

  • Description: Logging does not provide a sufficient level of detail for incident detection and investigation.

  • Example: Failure to record important events or insufficient detail in event logs.

2. Lack of monitoring

  • Description: Lack of continuous monitoring to detect abnormal or dangerous events.

  • Example: A web application has no monitoring configured to detect suspicious requests or access attempts.

3. Unreliable access to logs

  • Description: Unprotected access to event logs, which allows attackers to manipulate or delete entries.

  • Example: Logs are stored in an openly accessible location without proper protection, which allows attackers to modify or delete them.

1. Disabled Logging

Blue team

Logging must be enabled to monitor events and anomalies in the system. To do this, configure logging in Nginx by making sure access and error logging is enabled in the /etc/nginx/nginx.conf configuration file. This will allow recording all important events and help identify potential threats.
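As an added example (not from the original article), the following Python detection reads Nginx access-log lines in the default combined format and flags client addresses with repeated failed POSTs to the login path inside a sliding window, the kind of suspicious access attempt the monitoring section above calls for. The log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Nginx "combined" format, the default for access_log.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*"')

# Constructed sample: 203.0.113.7 hammers the login form, 198.51.100.3 is a normal user.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Sep/2024:10:00:01 +0000] "POST /login HTTP/1.1" 401 52 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Sep/2024:10:00:02 +0000] "POST /login HTTP/1.1" 401 52 "-" "Mozilla/5.0"
198.51.100.3 - - [07/Sep/2024:10:00:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Sep/2024:10:00:03 +0000] "POST /login HTTP/1.1" 401 52 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Sep/2024:10:00:04 +0000] "POST /login HTTP/1.1" 401 52 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Sep/2024:10:00:05 +0000] "POST /login HTTP/1.1" 401 52 "-" "Mozilla/5.0"
198.51.100.3 - - [07/Sep/2024:10:00:30 +0000] "GET /account HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
"""

def parse(line):
    """One access-log line -> dict, or None if it is not in combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry

def find_bruteforce(log_text, path="/login", threshold=5, window_s=60):
    """{ip: total failed logins} for clients with at least `threshold` failed
    (401/403) POSTs to `path` inside any window_s-second sliding window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e and e["method"] == "POST" and e["path"] == path and e["status"] in (401, 403):
            failures[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1                 # slide the window start forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```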

Red team

Attackers may try to disable or delete logs to cover their tracks. It is worth checking whether there is an option to disable logging in the system. To do this, use commands to change the configuration files and observe how the system reacts to these changes. This will reveal potential weaknesses in logging.

2. Warnings/Errors Generate Bad or Unclear Log Messages

Blue team

Error messages should be clear and useful for diagnosing problems. Configure Sentry or a similar tool to capture PHP errors, monitor and alert on them, and provide detailed messages.

Red team

Test whether the system can be made to produce vague or generic error messages. Send invalid requests and check whether the system returns generic errors. Observe the errors and assess how clear they are and how useful they would be to an attacker.

3. Logs are Only Stored Locally

Blue team

Logs should be stored in a centralized system so that they cannot be deleted during an attack. Configure the ELK Stack (Elasticsearch, Logstash, Kibana) for centralized log storage.

Red team

Test whether local logs can be deleted or their storage otherwise affected by trying to delete or modify them.
