From a72e0a55f7245af5188a96b973b39b8a36bf27e6 Mon Sep 17 00:00:00 2001 From: Ryan Rudder <96507400+RRudder@users.noreply.github.com> Date: Thu, 23 Nov 2023 16:56:18 +1000 Subject: [PATCH] Added Colon after every H2 heading --- .../app_crash/malformed_android_intents/template.md | 8 ++++---- .../app_crash/malformed_ios_url_schemes/template.md | 8 ++++---- .../app_crash/template.md | 8 ++++---- .../critical_impact_and_or_easy_difficulty/template.md | 8 ++++---- .../high_impact_and_or_medium_difficulty/template.md | 8 ++++---- .../application_level_denial_of_service_dos/template.md | 8 ++++---- .../GNSS GPS/template.md | 8 ++++---- .../can/injection_disallowed_messages/template.md | 8 ++++---- .../can/injection_dos/template.md | 8 ++++---- .../automotive_security_misconfiguration/can/template.md | 8 ++++---- .../code_execution_can_bus_pivot/template.md | 8 ++++---- .../code_execution_no_can_bus_pivot/template.md | 8 ++++---- .../default_credentials/template.md | 8 ++++---- .../infotainment_radio_head_unit/dos_brick/template.md | 8 ++++---- .../ota_firmware_manipulation/template.md | 8 ++++---- .../sensitive_data_leakage_exposure/template.md | 8 ++++---- .../source_code_dump/template.md | 8 ++++---- .../infotainment_radio_head_unit/template.md | 8 ++++---- .../unauthorized_access_to_services/template.md | 8 ++++---- .../rf_hub/can_injection_interaction/template.md | 8 ++++---- .../data_leakage_pull_encryption_mechanism/template.md | 8 ++++---- .../rf_hub/key_fob_cloning/template.md | 8 ++++---- .../rf_hub/template.md | 8 ++++---- .../rf_hub/unauthorized_access_turn_on/template.md | 8 ++++---- .../exposed_sensitive_android_intent/template.md | 8 ++++---- .../exposed_sensitive_ios_url_scheme/template.md | 8 ++++---- .../template.md | 8 ++++---- .../template.md | 8 ++++---- .../template.md | 8 ++++---- .../template.md | 8 ++++---- .../template.md | 8 ++++---- .../description/broken_access_control/idor/template.md | 8 ++++---- submissions/description/broken_access_control/template.md | 8 ++++---- .../username_enumeration/non_brute_force/template.md | 8 ++++---- .../username_enumeration/template.md | 8 ++++---- .../authentication_bypass/template.md | 8 ++++---- .../cleartext_transmission_of_session_token/template.md | 8 ++++---- .../concurrent_logins/template.md | 8 ++++---- .../all_sessions/template.md | 8 ++++---- .../long_timeout/template.md | 8 ++++---- .../on_email_change/template.md | 8 ++++---- .../failure_to_invalidate_session/on_logout/template.md | 8 ++++---- .../on_logout_server_side_only/template.md | 8 ++++---- .../on_two_fa_activation_change/template.md | 8 ++++---- .../failure_to_invalidate_session/template.md | 8 ++++---- .../privilege_escalation/template.md | 8 ++++---- .../session_fixation/local_attack_vector/template.md | 8 ++++---- .../session_fixation/remote_attack_vector/template.md | 8 ++++---- .../session_fixation/template.md | 8 ++++---- .../template.md | 8 ++++---- .../two_fa_bypass/template.md | 8 ++++---- .../http_and_https_available/template.md | 8 ++++---- .../https_not_available_or_http_by_default/template.md | 8 ++++---- .../weak_login_function/lan_only/template.md | 8 ++++---- .../weak_login_function/not_operational/template.md | 8 ++++---- .../template.md | 8 ++++---- .../weak_login_function/over_http/template.md | 8 ++++---- .../weak_login_function/template.md | 8 ++++---- .../over_http/template.md | 8 ++++---- .../weak_registration_implementation/template.md | 8 ++++---- .../action_specific/authenticated_action/template.md | 8 ++++---- .../action_specific/logout/template.md | 8 ++++---- .../action_specific/template.md | 8 ++++---- .../action_specific/unauthenticated_action/template.md | 8 ++++---- .../application_wide/template.md | 8 ++++---- .../csrf_token_not_unique_per_request/template.md | 8 ++++---- .../flash_based/high_impact/template.md | 8 ++++---- .../flash_based/low_impact/template.md | 8 ++++---- .../flash_based/template.md | 8 ++++---- .../cross_site_request_forgery_csrf/template.md | 8 ++++---- .../binary_planting/no_privilege_escalation/template.md | 8 ++++---- .../non_default_folder_privilege_escalation/template.md | 8 ++++---- .../binary_planting/privilege_escalation/template.md | 8 ++++---- .../client_side_injection/binary_planting/template.md | 8 ++++---- .../client_side_injection/template.md | 8 ++++---- .../cross_site_scripting_xss/cookie_based/template.md | 8 ++++---- .../cross_site_scripting_xss/flash_based/template.md | 8 ++++---- .../cross_site_scripting_xss/ie_only/template.md | 8 ++++---- .../off_domain/data_uri/template.md | 8 ++++---- .../cross_site_scripting_xss/off_domain/template.md | 8 ++++---- .../cross_site_scripting_xss/referer/template.md | 8 ++++---- .../reflected/non_self/template.md | 8 ++++---- .../cross_site_scripting_xss/reflected/self/template.md | 8 ++++---- .../cross_site_scripting_xss/reflected/template.md | 8 ++++---- .../stored/non_admin_to_anyone/template.md | 8 ++++---- .../privileged_user_to_no_privilege_elevation/template.md | 8 ++++---- .../privileged_user_to_privilege_elevation/template.md | 8 ++++---- .../cross_site_scripting_xss/stored/self/template.md | 8 ++++---- .../cross_site_scripting_xss/stored/template.md | 8 ++++---- .../cross_site_scripting_xss/stored/url_based/template.md | 8 ++++---- .../description/cross_site_scripting_xss/template.md | 8 ++++---- .../cross_site_scripting_xss/trace_method/template.md | 8 ++++---- .../cross_site_scripting_xss/universal_uxss/template.md | 8 ++++---- .../broken_cryptography/template.md | 8 ++++---- .../use_of_broken_cryptographic_primitive/template.md | 8 ++++---- .../use_of_vulnerable_cryptographic_library/template.md | 8 ++++---- .../incomplete_cleanup_of_keying_material/template.md | 8 ++++---- .../improper_following_of_specification/template.md | 8 ++++---- .../missing_cryptographic_step/template.md | 8 ++++---- .../insecure_implementation/template.md | 8 ++++---- .../improper_asymmetric_exponent_selection/template.md | 8 ++++---- .../improper_asymmetric_prime_selection/template.md | 8 ++++---- .../insufficient_key_space/template.md | 8 ++++---- .../insufficient_key_stretching/template.md | 8 ++++---- .../template_ea.md | 8 ++++---- .../insecure_key_generation/template.md | 8 ++++---- .../initialization_vector_reuse/template.md | 8 ++++---- .../limited_rng_entropy_source/template.md | 8 ++++---- .../predictable_initialization_vector/template.md | 8 ++++---- .../predictable_prng_seed/template.md | 8 ++++---- .../insufficient_entropy/prng_seed_reuse/template.md | 8 ++++---- .../small_seed_space_in_prng/template.md | 8 ++++---- .../insufficient_entropy/template.md | 8 ++++---- .../use_of_trng_for_nonsecurity_purpose/template.md | 8 ++++---- .../cryptographic_signature/template.md | 8 ++++---- .../identity_check_value/template.md | 8 ++++---- .../template.md | 8 ++++---- .../key_reuse/inter_environment/template.md | 8 ++++---- .../key_reuse/intra_environment/template.md | 8 ++++---- .../key_reuse/lack_of_perfect_forward_secrecy/template.md | 8 ++++---- .../cryptographic_weakness/key_reuse/template.md | 8 ++++---- .../differential_fault_analysis/template.md | 8 ++++---- .../side_channel_attack/emanations_attack/template.md | 8 ++++---- .../side_channel_attack/padding_oracle_attack/template.md | 8 ++++---- .../side_channel_attack/power_analysis_attack/template.md | 8 ++++---- .../side_channel_attack/template.md | 8 ++++---- .../side_channel_attack/timing_attack/template.md | 8 ++++---- .../use_of_expired_cryptographic_key_or_cert/template.md | 8 ++++---- .../weak_hash/lack_of_salt/template.md | 8 ++++---- .../weak_hash/predictable_hash_collision/template.md | 8 ++++---- .../cryptographic_weakness/weak_hash/template.md | 8 ++++---- .../weak_hash/use_of_predictable_salt/template.md | 8 ++++---- .../aggressive_offline_caching/template.md | 8 ++++---- .../browser_feature/autocomplete_enabled/template.md | 8 ++++---- .../browser_feature/autocorrect_enabled/template.md | 8 ++++---- .../browser_feature/plaintext_password_field/template.md | 8 ++++---- .../browser_feature/save_password/template.md | 8 ++++---- .../external_behavior/browser_feature/template.md | 8 ++++---- .../captcha_bypass/crowdsourcing/template.md | 8 ++++---- .../external_behavior/captcha_bypass/template.md | 8 ++++---- .../external_behavior/csv_injection/template.md | 8 ++++---- .../system_clipboard_leak/shared_links/template.md | 8 ++++---- .../external_behavior/system_clipboard_leak/template.md | 8 ++++---- submissions/description/external_behavior/template.md | 8 ++++---- .../user_password_persisted_in_memory/template.md | 8 ++++---- .../template.md | 8 ++++---- .../screen_caching_enabled/template.md | 8 ++++---- .../on_external_storage/template.md | 8 ++++---- .../on_internal_storage/template.md | 8 ++++---- .../template.md | 8 ++++---- .../server_side_credentials_storage/plaintext/template.md | 8 ++++---- .../server_side_credentials_storage/template.md | 8 ++++---- submissions/description/insecure_data_storage/template.md | 8 ++++---- .../cleartext_transmission_of_sensitive_data/template.md | 8 ++++---- .../no_secure_integrity_check/template.md | 8 ++++---- .../secure_integrity_check/template.md | 8 ++++---- .../executable_download/template.md | 8 ++++---- .../description/insecure_data_transport/template.md | 8 ++++---- .../insecure_os_firmware/command_injection/template.md | 8 ++++---- .../hardcoded_password/non_privileged_user/template.md | 8 ++++---- .../hardcoded_password/privileged_user/template.md | 8 ++++---- .../insecure_os_firmware/hardcoded_password/template.md | 8 ++++---- submissions/description/insecure_os_firmware/template.md | 8 ++++---- .../lack_of_notification_email/template.md | 8 ++++---- .../no_password_policy/template.md | 8 ++++---- .../password_policy_bypass/template.md | 8 ++++---- .../template.md | 8 ++++---- .../weak_password_policy/template.md | 8 ++++---- .../weak_password_reset_implementation/template.md | 8 ++++---- .../token_has_long_timed_expiry/template.md | 8 ++++---- .../template.md | 8 ++++---- .../token_is_not_invalidated_after_login/template.md | 8 ++++---- .../template.md | 8 ++++---- .../template.md | 8 ++++---- .../token_is_not_invalidated_after_use/template.md | 8 ++++---- .../allows_disposable_email_addresses/template.md | 8 ++++---- .../weak_registration_implementation/template.md | 8 ++++---- .../missing_failsafe/template.md | 8 ++++---- .../template.md | 8 ++++---- .../weak_two_fa_implementation/template.md | 8 ++++---- .../template.md | 8 ++++---- .../two_fa_secret_cannot_be_rotated/template.md | 8 ++++---- .../template.md | 8 ++++---- .../lack_of_exploit_mitigations/template.md | 8 ++++---- .../lack_of_jailbreak_detection/template.md | 8 ++++---- .../lack_of_obfuscation/template.md | 8 ++++---- .../runtime_instrumentation_based/template.md | 8 ++++---- .../description/lack_of_binary_hardening/template.md | 8 ++++---- .../auto_backup_allowed_by_default/template.md | 8 ++++---- .../clipboard_enabled/template.md | 8 ++++---- .../ssl_certificate_pinning/absent/template.md | 8 ++++---- .../ssl_certificate_pinning/defeatable/template.md | 8 ++++---- .../ssl_certificate_pinning/template.md | 8 ++++---- .../tapjacking/template.md | 8 ++++---- .../mobile_security_misconfiguration/template.md | 8 ++++---- .../telnet_enabled/template.md | 8 ++++---- submissions/description/privacy_concerns/template.md | 8 ++++---- .../unnecessary_data_collection/template.md | 8 ++++---- .../wifi_ssid_password/template.md | 8 ++++---- .../password_disclosure/template.md | 8 ++++---- .../private_api_keys/template.md | 8 ++++---- .../critically_sensitive_data/template.md | 8 ++++---- .../disclosure_of_known_public_information/template.md | 8 ++++---- .../disclosure_of_secrets/data_traffic_spam/template.md | 8 ++++---- .../disclosure_of_secrets/for_internal_asset/template.md | 8 ++++---- .../for_publicly_accessible_asset/template.md | 8 ++++---- .../intentionally_public_sample_or_invalid/template.md | 8 ++++---- .../disclosure_of_secrets/non_corporate_user/template.md | 8 ++++---- .../disclosure_of_secrets/pay_per_use_abuse/template.md | 8 ++++---- .../disclosure_of_secrets/template.md | 8 ++++---- .../automatic_user_enumeration/template.md | 8 ++++---- .../manual_user_enumeration/template.md | 8 ++++---- .../template.md | 8 ++++---- .../internal_ip_disclosure/template.md | 8 ++++---- .../sensitive_data_exposure/json_hijacking/template.md | 8 ++++---- .../sensitive_data_exposure/mixed_content/template.md | 8 ++++---- .../non_sensitive_token_in_url/template.md | 8 ++++---- .../pii_leakage_exposure/template.md | 8 ++++---- .../sensitive_data_hardcoded/file_paths/template.md | 8 ++++---- .../sensitive_data_hardcoded/oauth_secret/template.md | 8 ++++---- .../sensitive_data_hardcoded/template.md | 8 ++++---- .../sensitive_token_in_url/in_the_background/template.md | 8 ++++---- .../sensitive_token_in_url/on_password_reset/template.md | 8 ++++---- .../sensitive_token_in_url/template.md | 8 ++++---- .../sensitive_token_in_url/user_facing/template.md | 8 ++++---- .../description/sensitive_data_exposure/template.md | 8 ++++---- .../token_leakage_via_referer/over_http/template.md | 8 ++++---- .../token_leakage_via_referer/template.md | 8 ++++---- .../trusted_third_party/template.md | 8 ++++---- .../untrusted_third_party/template.md | 8 ++++---- .../non_sensitive_token/template.md | 8 ++++---- .../sensitive_token/template.md | 8 ++++---- .../via_localstorage_sessionstorage/template.md | 8 ++++---- .../descriptive_stack_trace/template.md | 8 ++++---- .../detailed_server_configuration/template.md | 8 ++++---- .../visible_detailed_error_page/template.md | 8 ++++---- .../password_reset_token_sent_over_http/template.md | 8 ++++---- .../weak_password_reset_implementation/template.md | 8 ++++---- .../token_leakage_via_host_header_poisoning/template.md | 8 ++++---- .../description/sensitive_data_exposure/xssi/template.md | 8 ++++---- .../bitsquatting/template.md | 8 ++++---- .../cache_poisoning/template.md | 8 ++++---- .../captcha/brute_force/template.md | 8 ++++---- .../captcha/implementation_vulnerability/template.md | 8 ++++---- .../captcha/missing/template.md | 8 ++++---- .../server_security_misconfiguration/captcha/template.md | 8 ++++---- .../clickjacking/form_input/template.md | 8 ++++---- .../clickjacking/non_sensitive_action/template.md | 8 ++++---- .../clickjacking/sensitive_action/template.md | 8 ++++---- .../clickjacking/template.md | 8 ++++---- .../cookie_scoped_to_parent_domain/template.md | 8 ++++---- .../excessively_privileged_user_dba/template.md | 8 ++++---- .../dbms_misconfiguration/template.md | 8 ++++---- .../non_sensitive_data_exposure/template.md | 8 ++++---- .../sensitive_data_exposure/template.md | 8 ++++---- .../directory_listing_enabled/template.md | 8 ++++---- .../exposed_admin_portal/template.md | 8 ++++---- .../exposed_admin_portal/to_internet/template.md | 8 ++++---- .../fingerprinting_banner_disclosure/template.md | 8 ++++---- .../insecure_ssl/certificate_error/template.md | 8 ++++---- .../insecure_ssl/insecure_cipher_suite/template.md | 8 ++++---- .../insecure_ssl/lack_of_forward_secrecy/template.md | 8 ++++---- .../insecure_ssl/template.md | 8 ++++---- .../change_email_address/template.md | 8 ++++---- .../change_password/template.md | 8 ++++---- .../delete_account/template.md | 8 ++++---- .../manage_two_fa/template.md | 8 ++++---- .../lack_of_password_confirmation/template.md | 8 ++++---- .../cache_control_for_a_non_sensitive_page/template.md | 8 ++++---- .../cache_control_for_a_sensitive_page/template.md | 8 ++++---- .../content_security_policy/template.md | 8 ++++---- .../content_security_policy_report_only/template.md | 8 ++++---- .../lack_of_security_headers/public_key_pins/template.md | 8 ++++---- .../strict_transport_security/template.md | 8 ++++---- .../lack_of_security_headers/template.md | 8 ++++---- .../x_content_security_policy/template.md | 8 ++++---- .../x_content_type_options/template.md | 8 ++++---- .../lack_of_security_headers/x_frame_options/template.md | 8 ++++---- .../lack_of_security_headers/x_webkit_csp/template.md | 8 ++++---- .../lack_of_security_headers/x_xss_protection/template.md | 8 ++++---- .../email_spoofing_on_non_email_domain/template.md | 8 ++++---- .../template.md | 8 ++++---- .../email_spoofing_to_spam_folder/template.md | 8 ++++---- .../missing_or_misconfigured_spf_and_or_dkim/template.md | 8 ++++---- .../no_spoofing_protection_on_email_domain/template.md | 8 ++++---- .../mail_server_misconfiguration/template.md | 8 ++++---- .../basic_subdomain_takeover/template.md | 8 ++++---- .../high_impact_subdomain_takeover/template.md | 8 ++++---- .../misconfigured_dns/missing_caa_record/template.md | 8 ++++---- .../misconfigured_dns/template.md | 8 ++++---- .../misconfigured_dns/zone_transfer/template.md | 8 ++++---- .../missing_dnssec/template.md | 8 ++++---- .../non_session_cookie/template.md | 8 ++++---- .../session_token/template.md | 8 ++++---- .../missing_secure_or_httponly_cookie_flag/template.md | 8 ++++---- .../no_rate_limiting_on_form/change_password/template.md | 6 +++--- .../no_rate_limiting_on_form/email_triggering/template.md | 6 +++--- .../no_rate_limiting_on_form/login/template.md | 6 +++--- .../no_rate_limiting_on_form/registration/template.md | 6 +++--- .../no_rate_limiting_on_form/sms_triggering/template.md | 6 +++--- .../no_rate_limiting_on_form/template.md | 6 +++--- .../oauth_misconfiguration/account_squatting/template.md | 8 ++++---- .../oauth_misconfiguration/account_takeover/template.md | 8 ++++---- .../insecure_redirect_uri/template.md | 8 ++++---- .../missing_state_parameter/template.md | 8 ++++---- .../oauth_misconfiguration/template.md | 8 ++++---- .../path_traversal/template.md | 8 ++++---- .../options/template.md | 8 ++++---- .../potentially_unsafe_http_method_enabled/template.md | 8 ++++---- .../trace/template.md | 8 ++++---- .../race_condition/template.md | 8 ++++---- .../request_smuggling/template.md | 8 ++++---- .../server_security_misconfiguration/rfd/template.md | 8 ++++---- .../same_site_scripting/template.md | 8 ++++---- .../external_dns_query_only/template.md | 8 ++++---- .../external_low_impact/template.md | 8 ++++---- .../internal_high_impact/template.md | 8 ++++---- .../internal_scan_and_or_medium_impact/template.md | 8 ++++---- .../server_side_request_forgery_ssrf/template.md | 8 ++++---- .../ssl_attack_breach_poodle_etc/template.md | 8 ++++---- .../server_security_misconfiguration/template.md | 8 ++++---- .../unsafe_cross_origin_resource_sharing/template.md | 8 ++++---- .../file_extension_filter_bypass/template.md | 8 ++++---- .../unsafe_file_upload/no_antivirus/template.md | 8 ++++---- .../unsafe_file_upload/no_size_limit/template.md | 8 ++++---- .../unsafe_file_upload/template.md | 8 ++++---- .../username_enumeration/brute_force/template.md | 8 ++++---- .../username_enumeration/template.md | 8 ++++---- .../using_default_credentials/template.md | 8 ++++---- .../waf_bypass/direct_server_access/template.md | 8 ++++---- .../waf_bypass/template.md | 8 ++++---- .../content_spoofing/email_html_injection/template.md | 8 ++++---- .../template.md | 8 ++++---- .../external_authentication_injection/template.md | 8 ++++---- .../template.md | 8 ++++---- .../content_spoofing/homograph_idn_based/template.md | 8 ++++---- .../content_spoofing/html_content_injection/template.md | 8 ++++---- .../content_spoofing/iframe_injection/template.md | 8 ++++---- .../impersonation_via_broken_link_hijacking/template.md | 8 ++++---- .../content_spoofing/rtlo/template.md | 8 ++++---- .../server_side_injection/content_spoofing/template.md | 8 ++++---- .../content_spoofing/text_injection/template.md | 8 ++++---- .../file_inclusion/local/template.md | 8 ++++---- .../server_side_injection/file_inclusion/template.md | 8 ++++---- .../response_splitting_crlf/template.md | 8 ++++---- .../http_response_manipulation/template.md | 8 ++++---- .../social_media_sharing_buttons/template.md | 8 ++++---- .../server_side_injection/parameter_pollution/template.md | 8 ++++---- .../remote_code_execution_rce/template.md | 6 +++--- .../server_side_injection/ssti/basic/template.md | 8 ++++---- .../server_side_injection/ssti/custom/template.md | 8 ++++---- .../description/server_side_injection/ssti/template.md | 8 ++++---- .../xml_external_entity_injection_xxe/template.md | 8 ++++---- .../lack_of_security_speed_bump_page/template.md | 8 ++++---- .../open_redirect/flash_based/template.md | 8 ++++---- .../open_redirect/get_based/template.md | 8 ++++---- .../open_redirect/header_based/template.md | 8 ++++---- .../open_redirect/post_based/template.md | 8 ++++---- .../open_redirect/template.md | 8 ++++---- .../tabnabbing/template.md | 8 ++++---- .../unvalidated_redirects_and_forwards/template.md | 8 ++++---- .../ocr_optical_character_recognition/template.md | 8 ++++---- .../captcha_bypass/template.md | 8 ++++---- .../outdated_software_version/template.md | 8 ++++---- .../rosetta_flash/template.md | 8 ++++---- .../template.md | 8 ++++---- 366 files changed, 1457 insertions(+), 1457 deletions(-) diff --git a/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_android_intents/template.md b/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_android_intents/template.md index 5b15d057..4e4e2365 100644 --- a/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_android_intents/template.md +++ b/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_android_intents/template.md @@ -1,16 +1,16 @@ # Application-Level Denial of Service Causes Application to Crash via Malformed Android Intents -## Overview of the Vulnerability +## Overview of the Vulnerability: Application-level denial of service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is a local application-level DoS vulnerability within this Android application that causes it to crash. An attacker can use this vulnerability to provide empty, malformed, or irregular data via the Intent binding mechanism, crashing the application and making it unavailable for its designed purpose to legitimate users. -## Business Impact +## Business Impact: Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to {{url}} 1. Use the following payload: @@ -23,7 +23,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a denial of service -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the denial of service: diff --git a/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_ios_url_schemes/template.md b/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_ios_url_schemes/template.md index b4da8a6d..c7e76c8e 100644 --- a/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_ios_url_schemes/template.md +++ b/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_ios_url_schemes/template.md @@ -1,16 +1,16 @@ # Application-Level Denial of Service Causes Application to Crash via Malformed iOS URL Schemes -## Overview of the Vulnerability +## Overview of the Vulnerability: Application-level denial of service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is a local application-level DoS vulnerability within this iOS application that causes it to crash. An attacker can use this vulnerability to provide empty, malformed, or irregular data via a URL scheme, crashing the application and making it unavailable for its designed purpose to legitimate users. -## Business Impact +## Business Impact: Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to {{url}} 1. Use the following payload: @@ -23,7 +23,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a denial of service -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the denial of service: diff --git a/submissions/description/application_level_denial_of_service_dos/app_crash/template.md b/submissions/description/application_level_denial_of_service_dos/app_crash/template.md index cef20be5..7c68ae07 100644 --- a/submissions/description/application_level_denial_of_service_dos/app_crash/template.md +++ b/submissions/description/application_level_denial_of_service_dos/app_crash/template.md @@ -1,16 +1,16 @@ # Application-Level Denial of Service Causes Application to Crash -## Overview of the Vulnerability +## Overview of the Vulnerability: Application-level denial of service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is an application-level DoS vulnerability within this iOS or Android application that causes it to crash. An attacker can use this vulnerability to exhaust resources, making the application unavailable for its designed purpose to legitimate users. -## Business Impact +## Business Impact: Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to {{url}} 1. Use the following payload: @@ -23,7 +23,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a denial of service that has high impact or medium difficulty to be performed -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the denial of service: diff --git a/submissions/description/application_level_denial_of_service_dos/critical_impact_and_or_easy_difficulty/template.md b/submissions/description/application_level_denial_of_service_dos/critical_impact_and_or_easy_difficulty/template.md index f8a83c5d..22736c2e 100644 --- a/submissions/description/application_level_denial_of_service_dos/critical_impact_and_or_easy_difficulty/template.md +++ b/submissions/description/application_level_denial_of_service_dos/critical_impact_and_or_easy_difficulty/template.md @@ -1,16 +1,16 @@ # Application-Level Denial of Service: Critical Impact or Easy Difficulty -## Overview of the Vulnerability +## Overview of the Vulnerability: Application-level denial of service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is an application-level DoS vulnerability within this application that has critical impact or is easily performed. An attacker can use this vulnerability to exhaust resources, making the application unavailable for its designed purpose to legitimate users. -## Business Impact +## Business Impact: Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to {{url}} 1. Use the following payload: @@ -23,7 +23,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a denial of service that has critical impact or is easy to perform -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the denial of service: diff --git a/submissions/description/application_level_denial_of_service_dos/high_impact_and_or_medium_difficulty/template.md b/submissions/description/application_level_denial_of_service_dos/high_impact_and_or_medium_difficulty/template.md index 1a4c4107..37badb07 100644 --- a/submissions/description/application_level_denial_of_service_dos/high_impact_and_or_medium_difficulty/template.md +++ b/submissions/description/application_level_denial_of_service_dos/high_impact_and_or_medium_difficulty/template.md @@ -1,16 +1,16 @@ # Application-Level Denial of Service: High Impact or Medium Difficulty -## Overview of the Vulnerability +## Overview of the Vulnerability: Application-level denial of service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is an application-level DoS vulnerability within this application that has high impact or medium difficulty to be performed. An attacker can use this vulnerability to exhaust resources, making the application unavailable for its designed purpose to legitimate users, but not take down the application for all users. -## Business Impact +## Business Impact: Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to {{url}} 1. Use the following payload: @@ -23,7 +23,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a denial of service that has high impact or medium difficulty to be performed -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the denial of service: diff --git a/submissions/description/application_level_denial_of_service_dos/template.md b/submissions/description/application_level_denial_of_service_dos/template.md index 2e41ac8a..9ce84548 100644 --- a/submissions/description/application_level_denial_of_service_dos/template.md +++ b/submissions/description/application_level_denial_of_service_dos/template.md @@ -1,16 +1,16 @@ # Application-Level Denial of Service -## Overview of the Vulnerability +## Overview of the Vulnerability: Application-level denial of service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is an application-level DoS vulnerability within this application that an attacker can use to exhaust resources, making the application unavailable for its designed purpose to legitimate users. -## Business Impact +## Business Impact: Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to {{url}} 1. Use the following payload: @@ -23,7 +23,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a denial of service -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the denial of service: diff --git a/submissions/description/automotive_security_misconfiguration/GNSS GPS/template.md b/submissions/description/automotive_security_misconfiguration/GNSS GPS/template.md index f02deb3c..88855da6 100644 --- a/submissions/description/automotive_security_misconfiguration/GNSS GPS/template.md +++ b/submissions/description/automotive_security_misconfiguration/GNSS GPS/template.md @@ -1,14 +1,14 @@ # GNSS/GPS Spoofing -## Overview of the Vulnerability +## Overview of the Vulnerability: Global Navigation Satellite System (GNSS) and Global Positioning System (GPS) spoofing involves the broadcast of fake GNSS/GPS signals to fake the position of a vehicle, or otherwise make the positioning unreliable. An attacker is able to send fake GNSS/GPS signals to the receiver and successfully spoof a vehicle’s position. -## Business Impact +## Business Impact: This vulnerability can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. The GNSS/GPS signal is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +18,7 @@ This vulnerability can result in reputational damage and indirect financial loss 1. Observe that the GNSS/GPS signal has been spoofed -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the process by which an attacker identifies where the GNSS/GPS communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s), causing GNSS/GPS spoofing: diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_disallowed_messages/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_disallowed_messages/template.md index d4bda030..94a9a2de 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_disallowed_messages/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_disallowed_messages/template.md @@ -1,14 +1,14 @@ # CAN Injection Disallowed Messages -## Overview of the Vulnerability +## Overview of the Vulnerability: The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. The {{application}} allows an attacker to connect to the CAN Bus and send messages to the system that are otherwise not allowed. This can cause disruption to the communication between the vehicle’s electronic devices and control units. -## Business Impact +## Business Impact: This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +18,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result on {{target}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_dos/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_dos/template.md index f254993d..fbcc3bdd 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_dos/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_dos/template.md @@ -1,14 +1,14 @@ # CAN Injection Denial of Service -## Overview of the Vulnerability +## Overview of the Vulnerability: The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. The {{application}} allows an attacker to connect to the CAN Bus and send multiple messages to the system at a rate which can cause a Denial of Service (DOS) condition. This can cause disruption to the communication between the vehicle’s electronic devices and control units. -## Business Impact +## Business Impact: This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +18,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that a DoS condition has been created -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s) recursively causing a DoS condition: diff --git a/submissions/description/automotive_security_misconfiguration/can/template.md b/submissions/description/automotive_security_misconfiguration/can/template.md index feeb06e7..fd082a0d 100644 --- a/submissions/description/automotive_security_misconfiguration/can/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/template.md @@ -1,14 +1,14 @@ # CAN Misconfiguration -## Overview of the Vulnerability +## Overview of the Vulnerability: The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -## Business Impact +## Business Impact: This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +18,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_can_bus_pivot/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_can_bus_pivot/template.md index 9526cd1a..1158156e 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_can_bus_pivot/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_can_bus_pivot/template.md @@ -1,14 +1,14 @@ # Infotainment Code Execution CAN Bus Pivot -## Overview of the Vulnerability +## Overview of the Vulnerability: The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can pivot into the CAN bus system and execute code by taking advantage of an IVI misconfiguration, causing the system to not behave as intended. -## Business Impact +## Business Impact: This IVI system misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. The IVI system {{application}} uses this feature to {{action}}, exploited by {{action}} 1. Pivot into the CAN bus using this vulnerability by {{action}} @@ -18,7 +18,7 @@ This IVI system misconfiguration can result in reputational damage and indirect 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the process by which an attacker identifies where the IVI system communication occurs. It also shows how an attacker connects to the CAN bus, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_no_can_bus_pivot/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_no_can_bus_pivot/template.md index 48f3f1ec..38df3f3a 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_no_can_bus_pivot/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_no_can_bus_pivot/template.md @@ -1,14 +1,14 @@ # Infotainment Code Execution No CAN Bus Pivot -## Overview of the Vulnerability +## Overview of the Vulnerability: The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can execute code on the IVI unit by taking advantage of a misconfiguration in the system, causing the system to not behave as intended. -## Business Impact +## Business Impact: This IVI system misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. Perform reconnaissance on the application by {{action}}, using {{software}} on the system 1. The IVI system {{application}} exposes {{target}} on the system @@ -18,7 +18,7 @@ This IVI system misconfiguration can result in reputational damage and indirect 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the process by which an attacker identifies where the IVI system communication occurs. It also shows how an attacker is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/default_credentials/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/default_credentials/template.md index 15f9bdd7..2ed49821 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/default_credentials/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/default_credentials/template.md @@ -1,21 +1,21 @@ # Infotainment Default Credentials -## Overview of the Vulnerability +## Overview of the Vulnerability: The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. Default credentials in the IVI unit can be leveraged by an attacker to gain developer access to the system. From here, the attacker can cause the system to behave not as intended. -## Business Impact +## Business Impact: Default credentials in the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. Port scan the IVI unit by leveraging {{application}} and {{hardware}} 1. Bruteforce default credentials on exposed service(s) 1. Login to service(s) and run {{action}} 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the default password successfully authenticating an attacker into the infotainment system: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/dos_brick/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/dos_brick/template.md index c86acd88..2c14eaf1 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/dos_brick/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/dos_brick/template.md @@ -1,14 +1,14 @@ # Infotainment Denial of Service -## Overview of the Vulnerability +## Overview of the Vulnerability: The In-Vehicle Infotainment (IVI) system is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can take advantage of an IVI misconfiguration and inject format strings into the IVI system, causing a Denial of Service (DoS) condition to the system. -## Business Impact +## Business Impact: DoS in the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. Perform reconnaissance on the application by {{action}}, using {{software}} on the system 1. The IVI system {{application}} exposes {{target}} on the system @@ -18,7 +18,7 @@ DoS in the IVI system can result in reputational damage and indirect financial l 1. Observe the inserted payload from infotainment system -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates theDoS from injected format strings on the target infotainment system: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/ota_firmware_manipulation/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/ota_firmware_manipulation/template.md index a4e97904..59d90b2b 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/ota_firmware_manipulation/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/ota_firmware_manipulation/template.md @@ -1,14 +1,14 @@ # OTA Firmware Manipulation -## Overview of the Vulnerability +## Overview of the Vulnerability: The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can take advantage of IVI misconfiguration and inject a payload into the IVI system, causing the system to not behave as intended. -## Business Impact +## Business Impact: This IVI system misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. The IVI system input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +18,7 @@ This IVI system misconfiguration can result in reputational damage and indirect 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the process by which an attacker identifies where the IVI system communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/sensitive_data_leakage_exposure/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/sensitive_data_leakage_exposure/template.md index 0087ab80..88a72979 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/sensitive_data_leakage_exposure/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/sensitive_data_leakage_exposure/template.md @@ -1,19 +1,19 @@ # Sensitive Data Leakage Exposure -## Overview of the Vulnerability +## Overview of the Vulnerability: The In-Vehicle Infotainment (IVI) system is a the central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. The IVI system leaks sensitive data, allowing an attacker to collect this sensitive data via logs and user configurations within the underlying IVI interface. -## Business Impact +## Business Impact: Sensitive data that is accessible from within the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. Additionally, the impact is further enhanced by the impact of the business having to respond, notify, and recover from a potential data breach if an attacker is successful in exfiltrating PII. -## Steps to Reproduce +## Steps to Reproduce: 1. Power on {{target}} by {{action}} 1. Use {{application}} and notice that the data is stored/transmitted by {{application}} in an insecure manner -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates how and where to find the sensitive data on the vulnerable system: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/source_code_dump/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/source_code_dump/template.md index 632e2feb..dbea2735 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/source_code_dump/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/source_code_dump/template.md @@ -1,20 +1,20 @@ # Source Code Dump -## Overview of the Vulnerability +## Overview of the Vulnerability: The In-Vehicle Infotainment (IVI) system is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. Source code can be dumped in the target IVI system, allowing an attacker to read, release, and exploit code that should otherwise be hidden from users on the IVI unit. An attacker is able to dump firmware code online which also allows others to view, share, or exploit proprietary code. -## Business Impact +## Business Impact: Source code that is accessible from within the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. Acquire a bin or firmware file for {{target}} 1. Unzip the firmware using {{software}} 1. Unsquare file system using {{software}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the extracted firmware folder and snippets of exposed source code: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/template.md index f6b29ea7..49a34805 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/template.md @@ -1,14 +1,14 @@ # In-Vehicle Infotainment Misconfiguration -## Overview of the Vulnerability +## Overview of the Vulnerability: The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can take advantage of IVI misconfiguration and inject a payload into the IVI system, causing the system to not behave as intended. -## Business Impact +## Business Impact: This IVI system misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. The IVI system input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +18,7 @@ This IVI system misconfiguration can result in reputational damage and indirect 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the process by which an attacker identifies where the IVI system communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/unauthorized_access_to_services/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/unauthorized_access_to_services/template.md index 7085f5c0..82279591 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/unauthorized_access_to_services/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/unauthorized_access_to_services/template.md @@ -1,19 +1,19 @@ # Unauthorized Access To Services -## Overview of the Vulnerability +## Overview of the Vulnerability: The In-Vehicle Infotainment (IVI) system is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. Unauthorized access to services in the IVI system can originate from wireless protocols, in-vehicle applications, and physical inputs that communicate with the vehicle’s IVI unit. An attacker can leverage the unauthorized service(s) to escalate privileges on the IVI unit, and compromise internal and external communications. -## Business Impact +## Business Impact: Exposed services that are accessible from within the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. Scan the {{target}} and find that {{application}} is exposed 1. Access application by {{action}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates that the IVI system is exposed to attackers: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/can_injection_interaction/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/can_injection_interaction/template.md index 09545db3..0b74a55c 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/can_injection_interaction/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/can_injection_interaction/template.md @@ -1,22 +1,22 @@ # Radio Frequency Can Injection Interaction -## Overview of the Vulnerability +## Overview of the Vulnerability: The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can exploit radio frequency interactions in the target and can interact and send messages to the CAN bus, disrupting the communication between the vehicle’s electronic devices and control units. -## Business Impact +## Business Impact: This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Using {{software}} send command: {{payload}} 1. Observe that {{action}} occurs on the {{target}} as a result -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/data_leakage_pull_encryption_mechanism/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/data_leakage_pull_encryption_mechanism/template.md index 522e7c90..30eb2927 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/data_leakage_pull_encryption_mechanism/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/data_leakage_pull_encryption_mechanism/template.md @@ -1,22 +1,22 @@ # Radio Frequency Data Leakage Pull Encryption Mechanism -## Overview of the Vulnerability +## Overview of the Vulnerability: The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can exploit radio frequency interactions in the target to decode the data sent Over the Air (OTA) or On-Vehicle as they are sent insecurely. Through this, an attacker can uncover PII or confidential data from encrypted communications. -## Business Impact +## Business Impact: This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Perform a Person-in-the-Middle (PitM) attack by doing {{action}}, using {{hardware}} and {{software}} 1. Attempt to bypass the encryption by {{action}} or using meta data from the intercepted messages to decode/decrypt the communication -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/key_fob_cloning/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/key_fob_cloning/template.md index cbfb7690..2b36b025 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/key_fob_cloning/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/key_fob_cloning/template.md @@ -1,22 +1,22 @@ # Radio Frequency Key Fob Cloning -## Overview of the Vulnerability +## Overview of the Vulnerability: The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can exploit the target system by creating a permanent clone of the key fob, giving permanent access to any vehicle of the same make/model. -## Business Impact +## Business Impact: This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Use the {{application}} on {{target}} to clone key fob by {{action}} 1. Use the original key fob to roll the nonce, then unlock {{target}} using spoofed {{hardware}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/template.md index c1412aab..5669bf2e 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/template.md @@ -1,20 +1,20 @@ # Radio Frequency Hub -## Overview of the Vulnerability +## Overview of the Vulnerability: The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can leverage misconfigurations in the RFH and cause disruption to the communication between the vehicle’s electronic devices and control units. -## Business Impact +## Business Impact: RFH misconfigurations can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Using {{software}} send command: {{payload}} 1. Observe that {{action}} occurs on the {{target}} as a result -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/unauthorized_access_turn_on/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/unauthorized_access_turn_on/template.md index cceb1563..996ea18d 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/unauthorized_access_turn_on/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/unauthorized_access_turn_on/template.md @@ -1,21 +1,21 @@ # Radio Frequency Unauthorized Access To Turn On Vehicle -## Overview of the Vulnerability +## Overview of the Vulnerability: The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can control the power state of a device via radio frequency. They could exploit this by performing a Denial of Service (DoS) attack, preventing the owner of the vehicle from turning their vehicle on or off, as well as allowing for remote control of the vehicle during use. -## Business Impact +## Business Impact: This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +## Steps to Reproduce: 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Turn on {{target}} using {{hardware}} and/or {{software}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/broken_access_control/exposed_sensitive_android_intent/template.md b/submissions/description/broken_access_control/exposed_sensitive_android_intent/template.md index c42ccacf..27a94f43 100644 --- a/submissions/description/broken_access_control/exposed_sensitive_android_intent/template.md +++ b/submissions/description/broken_access_control/exposed_sensitive_android_intent/template.md @@ -1,15 +1,15 @@ # Exposed Sensitive Android Intent -## Overview of the Vulnerability +## Overview of the Vulnerability: An `Intent` is a messaging object used within an Android application to request action from a different component of the application. When a request occurs and information is retrieved, a lack of validation can result in access controls being bypassed and sensitive information being leaked. The application has an exposed sensitive Android `Intent` which an attacker can query to gather sensitive information from the application which they could use to perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -22,7 +22,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Observe that the account now has additional user functionality and access to data it was previously not authorized to access -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the broken access control: diff --git a/submissions/description/broken_access_control/exposed_sensitive_ios_url_scheme/template.md b/submissions/description/broken_access_control/exposed_sensitive_ios_url_scheme/template.md index d492545e..5f80f896 100644 --- a/submissions/description/broken_access_control/exposed_sensitive_ios_url_scheme/template.md +++ b/submissions/description/broken_access_control/exposed_sensitive_ios_url_scheme/template.md @@ -1,16 +1,16 @@ # Exposed Sensitive iOS URL Scheme -## Overview of the Vulnerability +## Overview of the Vulnerability: A URL Scheme helps facilitate the transfer of a limited amount of data between iOS applications on Apple mobile devices. iOS applications operate in separate sandboxes to limit the access and transfer of data between applications. However, it is possible to perform an App-in-the-Middle (AitM) attack where a malicious application sends a manipulated URL Scheme to trick a legitimate application into sharing a user’s sensitive data, bypassing access controls of the legitimate application. The application has an exposed sensitive iOS URL Scheme, which an attacker can take advantage of to perform an AitM attack, bypass the access controls of the application, and gather sensitive user data. This data could be used to perform further attacks on the application, the business, or its users, including account takeover. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +23,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Observe that the account now has additional user functionality and access to data it was previously not authorized to access -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the broken access control: diff --git a/submissions/description/broken_access_control/idor/edit_delete_sensitive_information_iterable_object_identifiers/template.md b/submissions/description/broken_access_control/idor/edit_delete_sensitive_information_iterable_object_identifiers/template.md index bcf20d08..91906681 100644 --- a/submissions/description/broken_access_control/idor/edit_delete_sensitive_information_iterable_object_identifiers/template.md +++ b/submissions/description/broken_access_control/idor/edit_delete_sensitive_information_iterable_object_identifiers/template.md @@ -1,14 +1,14 @@ # Edit/Delete Sensitive Information/Iterable Object Identifiers -## Overview of the Vulnerability +## Overview of the Vulnerability: Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application allows an attacker to alter sensitive information by iterating through object identifiers. -## Business Impact +## Business Impact: IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -20,7 +20,7 @@ IDOR can lead to reputational damage for the business through the impact to cust {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/read_edit_delete_non_sensitive_information/template.md b/submissions/description/broken_access_control/idor/read_edit_delete_non_sensitive_information/template.md index dc2c1ca6..073b8e35 100644 --- a/submissions/description/broken_access_control/idor/read_edit_delete_non_sensitive_information/template.md +++ b/submissions/description/broken_access_control/idor/read_edit_delete_non_sensitive_information/template.md @@ -1,14 +1,14 @@ # Read/Edit/Delete Non-Sensitive Information -## Overview of the Vulnerability +## Overview of the Vulnerability: Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application can be leveraged by an attacker to bypass access controls, manipulate and read non-sensitive information. -## Business Impact +## Business Impact: IDOR can result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -20,7 +20,7 @@ IDOR can result in reputational damage for the business through the impact to cu {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_guid/template.md b/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_guid/template.md index 961e1a49..4c85d7d7 100644 --- a/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_guid/template.md +++ b/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_guid/template.md @@ -1,14 +1,14 @@ # Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID) -## Overview of the Vulnerability +## Overview of the Vulnerability: Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application leads to unauthorized access to, and manipulation of, sensitive data. An attacker is able to bypass access controls, by retrieving another user's Globally Unique Identifier (GUID). -## Business Impact +## Business Impact: IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -20,7 +20,7 @@ IDOR can lead to reputational damage for the business through the impact to cust {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_iterable_object_identifiers/template.md b/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_iterable_object_identifiers/template.md index c652589e..ea0f3ea3 100644 --- a/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_iterable_object_identifiers/template.md +++ b/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_iterable_object_identifiers/template.md @@ -1,14 +1,14 @@ # Read/Edit/Delete Sensitive Information/Iterable Object Identifiers -## Overview of the Vulnerability +## Overview of the Vulnerability: Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application allows an attacker to read Personally Identifiable Information (PII) by iterating through object identifiers. -## Business Impact +## Business Impact: IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -20,7 +20,7 @@ IDOR can lead to reputational damage for the business through the impact to cust {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/read_sensitive_information_iterable_object_identifiers/template.md b/submissions/description/broken_access_control/idor/read_sensitive_information_iterable_object_identifiers/template.md index 569b05d0..40bdd493 100644 --- a/submissions/description/broken_access_control/idor/read_sensitive_information_iterable_object_identifiers/template.md +++ b/submissions/description/broken_access_control/idor/read_sensitive_information_iterable_object_identifiers/template.md @@ -1,14 +1,14 @@ # Read Sensitive Information/Iterable Object Identifiers -## Overview of the Vulnerability +## Overview of the Vulnerability: Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application allows an attacker to read sensitive information by iterating through object identifiers. -## Business Impact +## Business Impact: IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -20,7 +20,7 @@ IDOR can lead to reputational damage for the business through the impact to cust {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/template.md b/submissions/description/broken_access_control/idor/template.md index 0e4b6a9f..67351a79 100644 --- a/submissions/description/broken_access_control/idor/template.md +++ b/submissions/description/broken_access_control/idor/template.md @@ -1,14 +1,14 @@ # Insecure Direct Object Reference (IDOR) -## Overview of the Vulnerability +## Overview of the Vulnerability: Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application can be leveraged by an attacker to manipulate, destroy, or disclose data through their ability to bypass access controls, horizontally or vertically escalate their privileges, and gain access to sensitive information or take over users' accounts. -## Business Impact +## Business Impact: IDOR can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -20,7 +20,7 @@ IDOR can lead to indirect financial loss through an attacker accessing, deleting {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/template.md b/submissions/description/broken_access_control/template.md index 6cfbaaa2..db6a8f2d 100644 --- a/submissions/description/broken_access_control/template.md +++ b/submissions/description/broken_access_control/template.md @@ -1,14 +1,14 @@ # Generic Broken Access Control -## Overview of the Vulnerability +## Overview of the Vulnerability: When access controls are broken, users are able to perform functions outside of their intended user functionality within the application. Access controls help enforce users' access and how they interact with applications and APIs through authorization. There can be vertical, horizontal, and conditional access controls which give a user their intended permissions within an application. Broken access control in this application can be leveraged by an attacker to elevate privileges, or manipulate, destroy, or disclose data, depending on the type of access control vulnerability being exploited. -## Business Impact +## Business Impact: Broken access controls can lead to financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -21,7 +21,7 @@ Broken access controls can lead to financial loss through an attacker accessing, 1. Observe that the account now has additional user functionality and access to data it was previously not authorized to access -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the broken access control: diff --git a/submissions/description/broken_access_control/username_enumeration/non_brute_force/template.md b/submissions/description/broken_access_control/username_enumeration/non_brute_force/template.md index c01d50bf..175098ad 100644 --- a/submissions/description/broken_access_control/username_enumeration/non_brute_force/template.md +++ b/submissions/description/broken_access_control/username_enumeration/non_brute_force/template.md @@ -1,20 +1,20 @@ # Username Enumeration (Non-Brute Force) -## Overview of the Vulnerability +## Overview of the Vulnerability: Username enumeration is a vulnerability where an attacker is able to confirm or guess correct usernames through a difference in the server’s response to input. It often occurs on login, registration, and password reset pages. This application has a username enumeration vulnerability which allows an attacker to identify the username or email of a user without brute forcing it, allowing an attacker to gain this user information for all users within the application in a short period of time. -## Business Impact +## Business Impact: Username enumeration can result in reputational damage for the business through the impact to customers’ trust in the application’s security of user accounts. If an attacker is able to chain this vulnerability with another it can lead to user account compromise and data exfiltration. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Attempt to authenticate 1. Observe the response from the server indicating that the username/email is valid or not -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the response from the server: diff --git a/submissions/description/broken_access_control/username_enumeration/template.md b/submissions/description/broken_access_control/username_enumeration/template.md index f4dd995d..0b05d39f 100644 --- a/submissions/description/broken_access_control/username_enumeration/template.md +++ b/submissions/description/broken_access_control/username_enumeration/template.md @@ -1,20 +1,20 @@ # Username Enumeration -## Overview of the Vulnerability +## Overview of the Vulnerability: Username enumeration is a vulnerability where an attacker is able to confirm or guess correct usernames through the difference in the server’s response to input. It often occurs on login, registration, and password reset pages. This application has a username enumeration vulnerability which allows an attacker to brute force passwords, stuff credentials, or for further attacks such as social engineering. -## Business Impact +## Business Impact: Username enumeration can result in reputational damage for the business through the impact to customers’ trust in the application’s security of user accounts. If an attacker is able to chain this vulnerability with another it can lead to user account compromise and data exfiltration. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Attempt to authenticate 1. Observe the response from the server indicating that the username/email is valid or not -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the response from the server: diff --git a/submissions/description/broken_authentication_and_session_management/authentication_bypass/template.md b/submissions/description/broken_authentication_and_session_management/authentication_bypass/template.md index 033f210e..190c2ea6 100644 --- a/submissions/description/broken_authentication_and_session_management/authentication_bypass/template.md +++ b/submissions/description/broken_authentication_and_session_management/authentication_bypass/template.md @@ -1,22 +1,22 @@ # Authentication Bypass -## Overview of the Vulnerability +## Overview of the Vulnerability: Authentication bypass vulnerabilities allow an attacker to gain access to an account without having to go through the application's authentication procedure. Authentication bypass often occurs through logic flaws and incomplete implementation of authentication mechanisms. Bypassing the authentication mechanisms of this application allows an attacker to view or edit data or other user's permissions, take over user accounts, access unauthorized endpoints, or expose critical data, depending on the authorization of the account they gain access to. -## Business Impact +## Business Impact: Authentication bypass can lead to data loss or theft through an attacker's access to data. The severity of which is dependent on the sensitivity of the data within the application. It can also result in reputational damage to the application or the company due to legitimate users not trusting the security of the application if the application's data becomes publicly available. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to: {{URL}} and login as a regular user 1. In the URL, change the `/user` to `/user/administrator` 1. Observe that the application now allows the user to view other user's profile details. These actions are usually restricted to an authenticated user -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following image(s) show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/cleartext_transmission_of_session_token/template.md b/submissions/description/broken_authentication_and_session_management/cleartext_transmission_of_session_token/template.md index 501ec921..cabb977e 100644 --- a/submissions/description/broken_authentication_and_session_management/cleartext_transmission_of_session_token/template.md +++ b/submissions/description/broken_authentication_and_session_management/cleartext_transmission_of_session_token/template.md @@ -1,14 +1,14 @@ # Cleartext Transmission of Session Token -## Overview of the Vulnerability +## Overview of the Vulnerability: Session tokens help a server trust that the requests it is receiving come from a specific authenticated user. When a session token is transmitted in cleartext over an unencrypted channel, it can be intercepted via a Person-in-the-Middle (PitM) attack. This application transmits the session token via a cleartext transmission which can allow an attacker to access the session token via a PitM attack and send requests to the server pretending to be the legitimate user. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft through the attacker’s ability to manipulate data through their ability to make requests to the server through a legitimate session token. However, the attacker is limited by the legitimate user’s privileges within the application/ -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Observe the `Secure` flag is not set 1. Observe that cookies are sent in cleartext -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below show the session token being transmitted via cleartext: diff --git a/submissions/description/broken_authentication_and_session_management/concurrent_logins/template.md b/submissions/description/broken_authentication_and_session_management/concurrent_logins/template.md index 29fabdb4..c4dfd21f 100644 --- a/submissions/description/broken_authentication_and_session_management/concurrent_logins/template.md +++ b/submissions/description/broken_authentication_and_session_management/concurrent_logins/template.md @@ -1,21 +1,21 @@ # Concurrent Logins -## Overview of the Vulnerability +## Overview of the Vulnerability: Having multiple concurrent logins can allow an attacker to reuse stolen or acquired session tokens to hijack requests. Old sessions are commonly found in open source intelligence efforts or through sniffed requests via Person-in-The-Middle (PitM) attacks. An attacker can use previously acquired sessions to exploit the privacy of a user of this application by continually accessing their account. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Login to the application 1. Using an incognito tab or another browser, login using the same credentials 1. Observe that both sessions remain valid -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below show the concurrent logins: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/template.md index ab2cf912..592a58bf 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/template.md @@ -1,16 +1,16 @@ # Failure to Invalidate Sessions on All Sessions -## Overview of the Vulnerability +## Overview of the Vulnerability: Sessions commonly fail to invalidate active sessions. An attacker can use previously acquired sessions to exploit the privacy of a targeted user by continually accessing their account and gathering information about an application’s endpoints an unauthenticated user will not usually have access to. An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +20,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the request using the HTTP interception proxy 1. Observe that the application responds to the request -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/long_timeout/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/long_timeout/template.md index 2c9fe4c8..c3787fa9 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/long_timeout/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/long_timeout/template.md @@ -1,16 +1,16 @@ # Failure to Invalidate Sessions via Long Timeout -## Overview of the Vulnerability +## Overview of the Vulnerability: Sessions commonly fail to invalidate active sessions. An attacker can use previously acquired sessions to exploit the privacy of a targeted user by continually accessing their account and gathering information about an application’s endpoints an unauthenticated user will not usually have access to. Due to the application’s long timeout expiration on sessions, an attacker has a longer window of opportunity to use valid user sessions maliciously. An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +20,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the request using the HTTP interception proxy 1. Observe that the application responds to the request -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/template.md index dd8f9b94..f7e5c4c3 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/template.md @@ -1,16 +1,16 @@ # Failure to Invalidate Sessions via Email Change -## Overview of the Vulnerability +## Overview of the Vulnerability: Sessions commonly fail to invalidate active sessions. An attacker can use previously acquired sessions to exploit the privacy of a targeted user by continually accessing their account and gathering information about an application’s endpoints an unauthenticated user would not usually have access to. Even when a valid user changes their email address within the application, other user sessions are not invalidated. An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -21,7 +21,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the request using the HTTP interception proxy 1. Observe that the application responds to the request -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/template.md index 4a5944e2..8d604685 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/template.md @@ -1,18 +1,18 @@ # Failure to Invalidate Session on Logout -## Overview of the Vulnerability +## Overview of the Vulnerability: Failure to invalidate a session when a user logs out is a vulnerability that increases the attack surface for session hijacking attacks, such as Cross-Site Scripting (XSS), session sniffing, and other client-side attacks. Most users have the expectation that when they logout, no one else can access their account. When sessions are not invalidated on logout, the user’s trust is broken. This application fails to invalidate a user’s session on logout, leaving the account vulnerable to session hijacking. An attacker may compromise a user’s session then be able to change the password of the account and lock out the legitimate user. Once the attacker has gained access to an account their actions are only limited by the privileges of the user’s account that they have gained access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. Failure to invalidate a session on logout may also lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -27,7 +27,7 @@ Failure to invalidate a session on logout may also lead to data theft through th 1. Observe that the session token was not invalidated on logout -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below show the logout occurring and the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/template.md index d4d2035e..87501257 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/template.md @@ -1,18 +1,18 @@ # Failure to Invalidate Session on Logout (Server-Side) -## Overview of the Vulnerability +## Overview of the Vulnerability: Failure to invalidate a session when a user logs out is a vulnerability that increases the attack surface for session hijacking attacks, such as Cross-Site Scripting (XSS), session sniffing, and other client-side attacks. Most users have the expectation that when they logout, no one else can access their account. When sessions are not invalidated on logout, the user’s trust is broken. This application fails to invalidate a user’s session server-side on logout, leaving the account vulnerable to session hijacking. An attacker may compromise a user’s session then be able to change the password of the account and lock out the legitimate user. Once the attacker has gained access to an account their actions are only limited by the privileges of the user’s account that they have gained access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. Failure to invalidate a session on logout may also lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -27,7 +27,7 @@ Failure to invalidate a session on logout may also lead to data theft through th 1. Observe that the session token was not invalidated on logout -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below show the logout occurring and the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_two_fa_activation_change/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_two_fa_activation_change/template.md index c9d094a1..a179d93d 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_two_fa_activation_change/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_two_fa_activation_change/template.md @@ -1,16 +1,16 @@ # Failure to Invalidate Session on Two-Factor Authentication Activation or Change -## Overview of the Vulnerability +## Overview of the Vulnerability: Failure to invalidate a session after a change in Two-Factor Authentication (2FA) can allow an attacker, who has access to the session cookies, full account access where they can perform actions that the user can. Most users have the expectation that when they reset, change, or activate 2FA, no one else can access their account. When sessions are not invalidated upon 2FA activation or change, the user’s trust is broken. Applications that fail to invalidate sessions when 2FA activated or changed are more susceptible to account takeover by an attacker who has gained a foothold in a legitimate user’s account. An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password or set their own 2FA on the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Sign into a user’s account (Browser A) 1. Sign into the same user’s account, using a different browser (Browser B) @@ -18,7 +18,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Using Browser B, perform an authenticated action, such as changing the profile name 1. Observe that the authenticated action is successful and that the user session is still valid -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below show 2FA being set and the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/template.md index 5713227e..d7ddc9e3 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/template.md @@ -1,22 +1,22 @@ # Failure to Invalidate Session -## Overview of the Vulnerability +## Overview of the Vulnerability: Failure to invalidate a session is a vulnerability which allows an attacker to maintain access to a service. An attacker can use previously acquired sessions to exploit the privacy of a targeted user by continually accessing their account and gathering information about an application’s endpoints an unauthenticated user will not usually have access to. An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Sign into a user’s account (Browser A) 1. Sign into the same user’s account, using a different browser (Browser B) 1. Observe that both user sessions are valid -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/privilege_escalation/template.md b/submissions/description/broken_authentication_and_session_management/privilege_escalation/template.md index 63ce6df1..0f57a308 100644 --- a/submissions/description/broken_authentication_and_session_management/privilege_escalation/template.md +++ b/submissions/description/broken_authentication_and_session_management/privilege_escalation/template.md @@ -1,14 +1,14 @@ # Privilege Escalation via Broken Authentication -## Overview of the Vulnerability +## Overview of the Vulnerability: Authentication and session management controls can be bypassed through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, by manipulating the form, or by counterfeiting sessions. The authentication method for this application can be bypassed by an attacker which enables them to access a privileged user’s account and functionality, giving them access to more resources or functionality within the application. This could include viewing or editing sensitive customer data, and viewing or editing other user permissions. -## Business Impact +## Business Impact: The impact of privilege escalation through broken authentication controls can vary in severity depending on the degree of access to resources or functionality the malicious attacker is able to gain. An attacker with the ability to access, delete, or modify data from within the application could result in reputational damage for the business through the impact to customers’ trust. This can also result in indirect financial cost to the business through fines and regulatory bodies if sensitive data is accessed. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -30,7 +30,7 @@ The impact of privilege escalation through broken authentication controls can va 1. Forward the request then turn off interception in the prox 1. Observe that User Account A now has additional Administrator privileges and user functionality it was previously not authorized to access -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the authentication method being bypassed. diff --git a/submissions/description/broken_authentication_and_session_management/session_fixation/local_attack_vector/template.md b/submissions/description/broken_authentication_and_session_management/session_fixation/local_attack_vector/template.md index e99a8926..8db1b706 100644 --- a/submissions/description/broken_authentication_and_session_management/session_fixation/local_attack_vector/template.md +++ b/submissions/description/broken_authentication_and_session_management/session_fixation/local_attack_vector/template.md @@ -1,14 +1,14 @@ # Session Fixation using Local Attack Vector -## Overview of the Vulnerability +## Overview of the Vulnerability: Session fixation occurs when there is an error in the way the application manages session IDs for users. An attacker with local access to the application can set the session or cookies manually to force the targeted user’s browser to fixate on using the attacker's session cookies. This can be performed remotely by setting a token in the URL or a hidden form by chaining vulnerabilities. -## Business Impact +## Business Impact: This vulnerability could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +20,7 @@ This vulnerability could lead to data theft through the attacker’s ability to 1. Open another container or incognito session and set the cookie manually 1. Observe the application does {{action}} to show that the session is fixated -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below shows the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/session_fixation/remote_attack_vector/template.md b/submissions/description/broken_authentication_and_session_management/session_fixation/remote_attack_vector/template.md index 6acebcf4..7ea4736a 100644 --- a/submissions/description/broken_authentication_and_session_management/session_fixation/remote_attack_vector/template.md +++ b/submissions/description/broken_authentication_and_session_management/session_fixation/remote_attack_vector/template.md @@ -1,14 +1,14 @@ # Session Fixation using Remote Attack Vector -## Overview of the Vulnerability +## Overview of the Vulnerability: Session fixation occurs when there is an error in the way the application manages session IDs for users. An attacker with remote access to the application can set the session or cookies manually to force the targeted user’s browser to fixate on using the attacker's session cookies.This can be performed remotely by setting a token in the URL or a hidden form by chaining vulnerabilities. -## Business Impact +## Business Impact: This vulnerability could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -19,7 +19,7 @@ This vulnerability could lead to data theft through the attacker’s ability to 1. Perform {{action}} to send the request in an incognito browser and login using the same user credentials -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below shows the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/session_fixation/template.md b/submissions/description/broken_authentication_and_session_management/session_fixation/template.md index 6367a756..4a38f1b2 100644 --- a/submissions/description/broken_authentication_and_session_management/session_fixation/template.md +++ b/submissions/description/broken_authentication_and_session_management/session_fixation/template.md @@ -1,14 +1,14 @@ # Session Fixation -## Overview of the Vulnerability +## Overview of the Vulnerability: Session fixation occurs when there is an error in the way the application manages session IDs for users. An attacker with access to the application can set the session or cookies manually to force the targeted user’s browser to fixate on using the attacker's session cookies. This can be performed by setting a token in the URL or a hidden form by chaining vulnerabilities. -## Business Impact +## Business Impact: This vulnerability could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +20,7 @@ This vulnerability could lead to data theft through the attacker’s ability to 1. Open another container or incognito session and set the cookie manually 1. Observe the application does {{action}} to show that the session is fixated -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below shows the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/template.md b/submissions/description/broken_authentication_and_session_management/template.md index 8ed6ab44..08a9e7b0 100644 --- a/submissions/description/broken_authentication_and_session_management/template.md +++ b/submissions/description/broken_authentication_and_session_management/template.md @@ -1,16 +1,16 @@ # Broken Authentication and Session Management -## Overview of the Vulnerability +## Overview of the Vulnerability: Broken authentication and session management vulnerabilities exist when a user is able to access resources or perform actions not intended for their user role. Identity and access controls can be bypassed through a variety of ways including but not limited to, calling an internal post authentication page, modifying the given URL parameters, by manipulating the form, or by counterfeiting sessions. This application has authentication and session management controls which an attacker can bypass to access a user account. The attacker is only limited by the permissions of the user account they access, including Administrator users. This could include viewing or editing sensitive customer data, viewing or editing other user permissions, and taking over other user accounts or elevating privileges. -## Business Impact +## Business Impact: Broken authentication and session management could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -22,7 +22,7 @@ Broken authentication and session management could lead to data theft through th 1. Observe that the authentication method or session management has been compromised in some way -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the broken authentication and session management: diff --git a/submissions/description/broken_authentication_and_session_management/two_fa_bypass/template.md b/submissions/description/broken_authentication_and_session_management/two_fa_bypass/template.md index b23cecba..9895e102 100644 --- a/submissions/description/broken_authentication_and_session_management/two_fa_bypass/template.md +++ b/submissions/description/broken_authentication_and_session_management/two_fa_bypass/template.md @@ -1,16 +1,16 @@ # Second Factor Authentication (2FA) Bypass -## Overview of the Vulnerability +## Overview of the Vulnerability: Incorrectly implemented Second Factor Authentication (2FA) mechanisms can be bypassed through manipulation of the form, modifying the given URL parameters, or by counterfeiting the session. The 2FA mechanism for this application can be bypassed by an attacker who can gain access to the application through a user’s account and impersonate users. The attacker is only limited by the permissions of the user account they access, including Administrator users. This could include viewing or editing sensitive customer data, viewing or editing other user permissions, and taking over other user accounts or elevating privileges. -## Business Impact +## Business Impact: Bypassing 2FA mechanisms could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -24,7 +24,7 @@ Bypassing 2FA mechanisms could lead to data theft through the attacker’s abili 1. Observe that the 2FA mechanism has been bypassed and a successful login has occurred -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates that 2FA has been bypassed: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/http_and_https_available/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/http_and_https_available/template.md index adf08550..3efc8707 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/http_and_https_available/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/http_and_https_available/template.md @@ -1,21 +1,21 @@ # Weak Login Function: HTTP and HTTPS Available -## Overview of the Vulnerability +## Overview of the Vulnerability: Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This application does not protect the security of users’ credentials as it allows the login page to load over both a HTTP and a HTTPS connection. This means that it is possible for web requests to be transmitted over HTTP in plaintext, allowing an attacker on the same network to observe these requests, and obtain the login credentials. -## Business Impact +## Business Impact: Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gain access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the credentials are submitted HTTPS, but are also accessible on HTTP -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/https_not_available_or_http_by_default/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/https_not_available_or_http_by_default/template.md index a29d2a82..2d5dc385 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/https_not_available_or_http_by_default/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/https_not_available_or_http_by_default/template.md @@ -1,21 +1,21 @@ # Weak Login Function: HTTPS Not Available or HTTP by Default -## Overview of the Vulnerability +## Overview of the Vulnerability: Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. When this application loads the login page over HTTP by default or doesn’t have HTTPS available, all web requests are transmitted over HTTP in plaintext. This allows any attacker on the same network to observe these requests, and obtain the login credentials. -## Business Impact +## Business Impact: Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gain access to the user’s account. From here, the attacker could delete or modify the users data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the credentials are submitted over HTTP by default -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/lan_only/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/lan_only/template.md index 327754c4..0006cb4b 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/lan_only/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/lan_only/template.md @@ -1,14 +1,14 @@ # Weak Login Function: via LAN Only -## Overview of the Vulnerability +## Overview of the Vulnerability: Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This application does not protect the security of users’ credentials as the login is only available via a LAN connection. A malicious attacker can Person-in-the-Middle (PiTM) communication between the user and the application on the LAN to steal administrative credentials and login to the system using admin privileges. -## Business Impact +## Business Impact: Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gaining access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +## Steps to Reproduce: 1. On the LAN, poison the DNS and ARP tables of the target: @@ -20,7 +20,7 @@ Weak login function can lead to indirect financial loss through an attacker acce 1. Forward the request to see that the requests are unencrypted in transit -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/not_operational/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/not_operational/template.md index 96f6cddd..433cb934 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/not_operational/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/not_operational/template.md @@ -1,14 +1,14 @@ # Weak Login Function on Non-Operational Endpoint -## Overview of the Vulnerability +## Overview of the Vulnerability: Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This application does not protect the security of users’ credentials as it allows a login function to load on a non-operational endpoint that is not intended for public access. An attacker can Person-in-the-Middle (PiTM) communication between the user and the application on the specified IP to steal administrative credentials and login to the system using admin privileges. -## Business Impact +## Business Impact: Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gaining access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to the vulnerable endpoint: {{URL or x.x.x.x}} @@ -20,7 +20,7 @@ Weak login function can lead to indirect financial loss through an attacker acce 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the requests are unencrypted in transit -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/other_plaintext_protocol_no_secure_alternative/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/other_plaintext_protocol_no_secure_alternative/template.md index def73ee8..c43b47f7 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/other_plaintext_protocol_no_secure_alternative/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/other_plaintext_protocol_no_secure_alternative/template.md @@ -1,21 +1,21 @@ # Weak Login Function: Other Plaintext Protocol Does Not Implement Secure Alternative -## Overview of the Vulnerability +## Overview of the Vulnerability: Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This application does not protect the security of users’ credentials as it allows the authentication to be transmitted over a plaintext protocol and does not implement a secure alternative. This means that it is possible for user credentials to be transmitted in plaintext, allowing an attacker on the same network to observe these requests, and obtain the login credentials. -## Business Impact +## Business Impact: Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gain access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the credentials are submitted over an unsecure protocol and there is no option for HTTPS -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/over_http/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/over_http/template.md index ceccc40e..d58127b6 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/over_http/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/over_http/template.md @@ -1,21 +1,21 @@ # Weak Login Function: Over HTTP -## Overview of the Vulnerability +## Overview of the Vulnerability: Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. When this application loads the login page over HTTP all web requests are transmitted in plaintext, allowing any attacker on the same network to observe these requests, and obtain the login credentials. -## Business Impact +## Business Impact: Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gain access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the credentials are submitted over HTTP -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/template.md index 96a051f5..17afbd41 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/template.md @@ -1,14 +1,14 @@ # Weak Login Function -## Overview of the Vulnerability +## Overview of the Vulnerability: Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This can lead to an attacker gaining access to user data and functionality of the application by taking advantage of the broken authentication and session management mechanisms. -## Business Impact +## Business Impact: Weak login function can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +20,7 @@ Weak login function can lead to indirect financial loss through an attacker acce 1. Observe in the HTTP interception proxy a 200 OK in the HTTP response indicating valid access -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/over_http/template.md b/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/over_http/template.md index ca4d7d92..8d87e3d0 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/over_http/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/over_http/template.md @@ -1,20 +1,20 @@ # Weak Registration Implementation Over HTTP -## Overview of the Vulnerability +## Overview of the Vulnerability: When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. The application sends a registration or confirmation link over an unsecure HTTP connection. An attacker with local network access can intercept and read the content of the HTTP connection, allowing them to abuse the registration process and misuse user accounts. -## Business Impact +## Business Impact: Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Register a new user account 1. Observe that the registration implementation is connected over HTTP -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the weak registration implementation: diff --git a/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/template.md b/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/template.md index 391b9263..537e5227 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/template.md @@ -1,20 +1,20 @@ # Weak Registration Implementation -## Overview of the Vulnerability +## Overview of the Vulnerability: When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. An application's registration process can be weakened by a connection over HTTP, or by allowing users to submit a disposable or alias email address to register an account, for example.The weak registration implementation for this application could allow an attacker to abuse the registration process and bulk register fake user profiles to launch spam campaigns. -## Business Impact +## Business Impact: Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Register an account 1. {{action}} and observe that the registration implementation is weak -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the weak registration implementation: diff --git a/submissions/description/cross_site_request_forgery_csrf/action_specific/authenticated_action/template.md b/submissions/description/cross_site_request_forgery_csrf/action_specific/authenticated_action/template.md index db4f6ef8..a400566f 100644 --- a/submissions/description/cross_site_request_forgery_csrf/action_specific/authenticated_action/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/action_specific/authenticated_action/template.md @@ -1,16 +1,16 @@ # Cross-Site Request Forgery (Authenticated Action) -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. CSRF is possible for this application for an authenticated user action, allowing an attacker to submit requests to the application on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -## Business Impact +## Business Impact: CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code: @@ -27,7 +27,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/action_specific/logout/template.md b/submissions/description/cross_site_request_forgery_csrf/action_specific/logout/template.md index e46142bf..ec97dc20 100644 --- a/submissions/description/cross_site_request_forgery_csrf/action_specific/logout/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/action_specific/logout/template.md @@ -1,16 +1,16 @@ # Cross-Site Request Forgery For Logout Functionality -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. CSRF is possible within this application, allowing an attacker to log-out a valid user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain, logging the user out of their session. An attacker can deny service to users using this CSRF vector to prevent access to the application and constantly logging users out. -## Business Impact +## Business Impact: CSRF could lead to reputational damage for the business through the impact to customers’ trust due to not being able to reliably access the application. This could also cause indirect financial impacts to the business. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code: @@ -27,7 +27,7 @@ and forward the request to the endpoint: 1. Observe the user was logged out, proving that the CSRF POC code was successful -## Proof of Concept (PoC) +## Proof of Concept (PoC): Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/action_specific/template.md b/submissions/description/cross_site_request_forgery_csrf/action_specific/template.md index 7754026e..77187b58 100644 --- a/submissions/description/cross_site_request_forgery_csrf/action_specific/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/action_specific/template.md @@ -1,6 +1,6 @@ # Cross-Site Request Forgery (Authenticated Action) -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. @@ -8,11 +8,11 @@ CSRF is possible for this application for a specific action, such as a logout, l When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. The attacker’s actions are limited by the privileges of the user, as well as the application’s capabilities and the data stored within it. -## Business Impact +## Business Impact: CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login to the application at: {{URL}} @@ -32,7 +32,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/action_specific/unauthenticated_action/template.md b/submissions/description/cross_site_request_forgery_csrf/action_specific/unauthenticated_action/template.md index bc222efb..b7a7cc65 100644 --- a/submissions/description/cross_site_request_forgery_csrf/action_specific/unauthenticated_action/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/action_specific/unauthenticated_action/template.md @@ -1,16 +1,16 @@ # Cross-Site Request Forgery For Unauthenticated Action -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of a user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. CSRF is possible for this application for an unauthenticated user action, allowing an attacker to submit requests to the application on behalf of an unauthenticated user. This can include actions such as registration which can result in multiple fake accounts, or a login action which can login accounts uneccisarily. -## Business Impact +## Business Impact: CSRF could lead to reputational damage for the business through the impact to customers’ trust in the application. Not having CSRF protection on unauthenticated actions means the application is more susceptible to XSS attacks which can involve an attacker gaining access to user data. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code: @@ -27,7 +27,7 @@ CSRF could lead to reputational damage for the business through the impact to cu 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/application_wide/template.md b/submissions/description/cross_site_request_forgery_csrf/application_wide/template.md index 43efc662..c5e1f4dc 100644 --- a/submissions/description/cross_site_request_forgery_csrf/application_wide/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/application_wide/template.md @@ -1,16 +1,16 @@ # Cross-Site Request Forgery (Application-Wide) -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. Application-wide CSRF is possible for this application, allowing an attacker to submit requests to the application on behalf of an authenticated user on multiple endpoints. This can include changing the password and email associated with the account, or deleting the user account. These actions can severely disrupt a user's experience and lead to account takeover. -## Business Impact +## Business Impact: CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code: @@ -28,7 +28,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} 1. Repeat the above steps for every user action on the application, demonstrating that the lack of CSRF protection is an application-wide issue -## Proof of Concept (PoC) +## Proof of Concept (PoC): Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/template.md b/submissions/description/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/template.md index a9f9913b..d6e578bd 100644 --- a/submissions/description/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/template.md @@ -1,16 +1,16 @@ # Cross-Site Request Forgery Token is Not Unique Per Request -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. CSRF is possible for this application as the CSRF token is not unique per request, allowing an attacker to submit requests to the application on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -## Business Impact +## Business Impact: CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to sign into the application at: {{URL}} @@ -30,7 +30,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/flash_based/high_impact/template.md b/submissions/description/cross_site_request_forgery_csrf/flash_based/high_impact/template.md index d42af775..7c759109 100644 --- a/submissions/description/cross_site_request_forgery_csrf/flash_based/high_impact/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/flash_based/high_impact/template.md @@ -1,16 +1,16 @@ # Flash-Based Cross-Site Request Forgery (High Impact) -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. A high impact flash-based CSRF is possible for this application allowing an attacker to submit requests to the application on behalf of an authenticated privileged user. An attacker is able to perform the actions of a privileged user through their account. This could include modifying, adding, or removing data from the application. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -## Business Impact +## Business Impact: High impact CSRF could lead to data modification or theft leading to indirect financial impact to the business. An attacker is also able to interact with other users, including performing other malicious attacks which would appear to originate from a legitimate privileged user. These malicious actions could result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code which uses a `.SWF` file: @@ -27,7 +27,7 @@ High impact CSRF could lead to data modification or theft leading to indirect fi 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/flash_based/low_impact/template.md b/submissions/description/cross_site_request_forgery_csrf/flash_based/low_impact/template.md index e72d6a15..a1018d33 100644 --- a/submissions/description/cross_site_request_forgery_csrf/flash_based/low_impact/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/flash_based/low_impact/template.md @@ -1,16 +1,16 @@ # Flash-Based Cross-Site Request Forgery (Low Impact) -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. A low impact flash-based CSRF is possible for this application, allowing an attacker to submit requests to the application for non-sensitive actions on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -## Business Impact +## Business Impact: CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code which uses a `.SWF` file: @@ -27,7 +27,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/flash_based/template.md b/submissions/description/cross_site_request_forgery_csrf/flash_based/template.md index 98be434b..7c457c7e 100644 --- a/submissions/description/cross_site_request_forgery_csrf/flash_based/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/flash_based/template.md @@ -1,16 +1,16 @@ # Flash-Based Cross-Site Request Forgery -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. Flash-based CSRF is possible for this application, allowing an attacker to submit requests to the application on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -## Business Impact +## Business Impact: CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code which uses a `.SWF` file: @@ -27,7 +27,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/template.md b/submissions/description/cross_site_request_forgery_csrf/template.md index d9c513cf..8d6aaeef 100644 --- a/submissions/description/cross_site_request_forgery_csrf/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/template.md @@ -1,6 +1,6 @@ # Cross-Site Request Forgery -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. @@ -8,11 +8,11 @@ CSRF is possible for this application, allowing an attacker to submit requests t When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. The attacker’s actions are limited by the privileges of the user, as well as the application’s capabilities and the data stored within it. -## Business Impact +## Business Impact: CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to sign into the application at: {{URL}} @@ -32,7 +32,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/no_privilege_escalation/template.md b/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/no_privilege_escalation/template.md index 4bb97356..deab55e7 100644 --- a/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/no_privilege_escalation/template.md +++ b/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/no_privilege_escalation/template.md @@ -1,14 +1,14 @@ # Client-Side Injection via Binary Planting (No Privilege Escalation) -## Overview of the Vulnerability +## Overview of the Vulnerability: Client-side injection via binary planting is a vulnerability that results from client-side untrusted data, in the form of a binary file, being interpreted and executed by the system. Within the application an attacker is able to load a planted binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Upload binary file using {{action}} 1. {{action}} to see permissions executed by the system -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the binary planting: diff --git a/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/non_default_folder_privilege_escalation/template.md b/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/non_default_folder_privilege_escalation/template.md index 2c8ba6d6..9780c8f8 100644 --- a/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/non_default_folder_privilege_escalation/template.md +++ b/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/non_default_folder_privilege_escalation/template.md @@ -1,14 +1,14 @@ # Client-Side Injection via Binary Planting (Non-Default Folder Privilege Escalation) -## Overview of the Vulnerability +## Overview of the Vulnerability: Client-side injection via binary planting is a vulnerability that results from client-side untrusted data, in the form of a binary file, being interpreted and executed by the system. Within the application an attacker is able to load a planted binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. It could also result in privacy violations, fraud, or account takeover depending on the type of privilege escalation obtained by the attacker. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Upload binary file using {{action}} 1. {{action}} to see permissions executed by the system -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the binary planting: diff --git a/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/privilege_escalation/template.md b/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/privilege_escalation/template.md index 00f89505..85f7ea66 100644 --- a/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/privilege_escalation/template.md +++ b/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/privilege_escalation/template.md @@ -1,14 +1,14 @@ # Client-Side Injection via Binary Planting (Default Folder Privilege Escalation) -## Overview of the Vulnerability +## Overview of the Vulnerability: Client-side injection via binary planting is a vulnerability that results from client-side untrusted data, in the form of a binary file, being interpreted and executed by the system. Within the application an attacker is able to load a planted binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to elevate their privileges in the default folder location. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. It could also result in privacy violations, fraud, or account takeover depending on the type of privilege escalation obtained by the attacker. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Upload binary file using {{action}} 1. {{action}} to see permissions executed by the system -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the binary planting: diff --git a/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/template.md b/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/template.md index da6d339a..286356d9 100644 --- a/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/template.md +++ b/submissions/description/cross_site_scripting_xss/client_side_injection/binary_planting/template.md @@ -1,14 +1,14 @@ # Client-Side Injection via Binary Planting -## Overview of the Vulnerability +## Overview of the Vulnerability: Client-side injection via binary planting is a vulnerability that results from client-side untrusted data, in the form of a binary file, being interpreted and executed by the system. Within the application an attacker is able to load a planted binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Upload binary file using {{action}} 1. {{action}} to see permissions executed by the system -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the binary planting: diff --git a/submissions/description/cross_site_scripting_xss/client_side_injection/template.md b/submissions/description/cross_site_scripting_xss/client_side_injection/template.md index 5c09dc05..1ee40805 100644 --- a/submissions/description/cross_site_scripting_xss/client_side_injection/template.md +++ b/submissions/description/cross_site_scripting_xss/client_side_injection/template.md @@ -1,20 +1,20 @@ # Client-Side Injection -## Overview of the Vulnerability +## Overview of the Vulnerability: Client-side injection is a vulnerability that results from untrusted client-side data being interpreted and executed by the system without any checks. Within the application an attacker is able to inject data in the form of Javascript, or a binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} 1. Perform {{action}} to see the injected code executed by the system -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the client-side injection: diff --git a/submissions/description/cross_site_scripting_xss/cookie_based/template.md b/submissions/description/cross_site_scripting_xss/cookie_based/template.md index 12ecc4f9..e8b94c09 100644 --- a/submissions/description/cross_site_scripting_xss/cookie_based/template.md +++ b/submissions/description/cross_site_scripting_xss/cookie_based/template.md @@ -1,16 +1,16 @@ # Cookie-Based Cross-Site Scripting -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. Cookie-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser in the context of this domain. This is possible as an attacker could chain this vulnerability with a Carrige Return Line Feed (CRLF) injection attack and split the HTTP response, allowing the attacker to write data into the HTTP response body. Alternatively, an attacker could socially engineer the user to add the cookie containing malicious JavaScript into the user’s browser. If successful, the JavaScript will execute within that user’s browser in the context of this domain. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to the following URL and login: {{URL}} @@ -23,7 +23,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Refresh the page and observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/flash_based/template.md b/submissions/description/cross_site_scripting_xss/flash_based/template.md index a1b90a9c..a5be18bd 100644 --- a/submissions/description/cross_site_scripting_xss/flash_based/template.md +++ b/submissions/description/cross_site_scripting_xss/flash_based/template.md @@ -1,16 +1,16 @@ # Flash-Based Cross-Site Scripting -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. Flash-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: Flash-based XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to the following URL and login: {{URL}} @@ -23,7 +23,7 @@ Flash-based XSS could lead to data theft through the attacker’s ability to man 1. Refresh the page and observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/ie_only/template.md b/submissions/description/cross_site_scripting_xss/ie_only/template.md index 0aa3e8c3..80c27d66 100644 --- a/submissions/description/cross_site_scripting_xss/ie_only/template.md +++ b/submissions/description/cross_site_scripting_xss/ie_only/template.md @@ -1,14 +1,14 @@ # Cross-Site Scripting (Internet Explorer Only) -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. This instance of XSS can be found on the domain which allows an attacker to control code that is executed within a user’s Internet Explorer browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. -## Business Impact +## Business Impact: XSS could result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use an Internet Explorer browser to navigate to: {{URL}} @@ -21,7 +21,7 @@ XSS could result in reputational damage for the business through the impact to c 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md b/submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md index c6f800c1..a2f556a2 100644 --- a/submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md +++ b/submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md @@ -1,16 +1,16 @@ # Cross-Site Scripting Off Domain via Data URI -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. XSS can be found in this application which allows an attacker to input data into the URL that can be interpreted as a JavaScript payload. The data is then executed in the context of a domain which is off the primary domain. This carries the risk of an attacker being able to trigger an exploit on a seperate domain. By controlling code that is executed within a user’s browser, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. -## Business Impact +## Business Impact: XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -24,7 +24,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/off_domain/template.md b/submissions/description/cross_site_scripting_xss/off_domain/template.md index 80d34eaf..69305610 100644 --- a/submissions/description/cross_site_scripting_xss/off_domain/template.md +++ b/submissions/description/cross_site_scripting_xss/off_domain/template.md @@ -1,16 +1,16 @@ # Cross-Site Scripting Off Domain -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. XSS can be found in this application which allows an attacker to control code that is executed within a user’s browser in the context of a domain which is off the primary domain. This carries the risk of an attacker being able to trigger an exploit on a separate domain, where only cookies scoped for that domain are at risk. By controlling code that is executed within a user’s browser, an attacker could carry out any action that the user is able to perform. This could include accessing any of the user's data and modifying information within the user’s permissions, assuming that there is a misconfiguration of the scoping for cookies and Cross-Origin Resource Sharing (CORS). -## Business Impact +## Business Impact: XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +23,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to: {{URL}} 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/referer/template.md b/submissions/description/cross_site_scripting_xss/referer/template.md index 1e6be3ad..0b2ef95a 100644 --- a/submissions/description/cross_site_scripting_xss/referer/template.md +++ b/submissions/description/cross_site_scripting_xss/referer/template.md @@ -1,16 +1,16 @@ # Referer-Based Cross-Site Scripting -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. Referer-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. This occurs as the referer HTTP header is vulnerable to manipulation. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +23,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/reflected/non_self/template.md b/submissions/description/cross_site_scripting_xss/reflected/non_self/template.md index 7aa9da55..54d18ebc 100644 --- a/submissions/description/cross_site_scripting_xss/reflected/non_self/template.md +++ b/submissions/description/cross_site_scripting_xss/reflected/non_self/template.md @@ -1,16 +1,16 @@ # Reflected Cross-Site Scripting (Non-self) -## Overview of the Vulnerability +## Overview of the Vulnerability: Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript code is injected into a website. When a user visits the affected web page, the JavaScript code executes and its input is reflected in the user's browser. Reflected XSS can be found on this domain which allows an attacker to create a crafted URL which when opened by a user will execute arbitrary Javascript within that user's browser in the context of this domain. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: Reflected XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -22,7 +22,7 @@ Reflected XSS could lead to data theft through the attacker’s ability to manip 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint: diff --git a/submissions/description/cross_site_scripting_xss/reflected/self/template.md b/submissions/description/cross_site_scripting_xss/reflected/self/template.md index 90c5105b..4e4844b8 100644 --- a/submissions/description/cross_site_scripting_xss/reflected/self/template.md +++ b/submissions/description/cross_site_scripting_xss/reflected/self/template.md @@ -1,16 +1,16 @@ # Reflected Cross-Site Scripting (Self) -## Overview of the Vulnerability +## Overview of the Vulnerability: Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript code is injected into a website. When a user visits the affected web page, the JavaScript code executes and its input is reflected in the user’s browser. Self-reflected XSS can be found on this domain which allows an attacker to create crafted JavaScript payload. Additionally, the attacker needs to socially engineer the user to paste the JavaScript payload into the user’s browser. If successful, the JavaScript will execute temporarily within that user’s browser in the context of the domain. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: Self-reflected XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Login as a user @@ -22,7 +22,7 @@ Self-reflected XSS could lead to data theft through the attacker’s ability to 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint: diff --git a/submissions/description/cross_site_scripting_xss/reflected/template.md b/submissions/description/cross_site_scripting_xss/reflected/template.md index 05a6d240..c5a4ceb8 100644 --- a/submissions/description/cross_site_scripting_xss/reflected/template.md +++ b/submissions/description/cross_site_scripting_xss/reflected/template.md @@ -1,16 +1,16 @@ # Reflected Cross-Site Scripting -## Overview of the Vulnerability +## Overview of the Vulnerability: Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript code is injected into a website. When a user visits the affected web page, the JavaScript code executes and its input is reflected in the user’s browser. Reflected XSS can be found on this domain which allows an attacker to create a crafted URL. When opened by a user, this URL will execute arbitrary Javascript within that user’s browser in the context of the domain. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: Reflected XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -22,7 +22,7 @@ Reflected XSS could lead to data theft through the attacker’s ability to manip 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint: diff --git a/submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md b/submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md index 252a8ddc..a0d4ccea 100644 --- a/submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md @@ -1,6 +1,6 @@ # Stored Cross-Site Scripting (Non-Privileged User to Anyone) -## Overview of the Vulnerability +## Overview of the Vulnerability: Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and escalate from no privileges to any user type, which could include an Administrator level user. @@ -8,11 +8,11 @@ When an attacker can control code that is executed within a user’s browser, th to create a crafted JavaScript payload. When a user navigates to the page, the arbitrary Javascript executes within that user’s browser in the context of this domain. -## Business Impact +## Business Impact: Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Navigate to {{URL}} @@ -26,7 +26,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Observe the JavaScript payload being executed, capturing the cookies of User A 1. Logout of User A’s account -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint, {{URL}}: diff --git a/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md b/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md index 463e3c02..67457164 100644 --- a/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md @@ -1,16 +1,16 @@ # Stored Cross-Site Scripting (Privileged User to No Privilege Elevation) -## Overview of the Vulnerability +## Overview of the Vulnerability: Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and gain access to an account of a user with the same privilege level. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Log into the application at with an account (User A) @@ -26,7 +26,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Log out of User B and log into the account of User A 1. Observe the account for User A has access to account information of User B -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint, {{URL}}: diff --git a/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md b/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md index 172e9946..054935fc 100644 --- a/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md @@ -1,16 +1,16 @@ # Stored Cross-Site Scripting (Privileged User to Privilege Elevation) -## Overview of the Vulnerability +## Overview of the Vulnerability: Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and escalate from a privileged user to a higher privileged user, which could include an Administrator level user. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Log into the application at with the privileged user account (User B) @@ -26,7 +26,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Log out of the higher-privileged account (User A) and log into the privileged account (User B) 1. Observe the privileged account (User B) has gained escalated privileges -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint, {{URL}}: diff --git a/submissions/description/cross_site_scripting_xss/stored/self/template.md b/submissions/description/cross_site_scripting_xss/stored/self/template.md index d5f267ab..43723180 100644 --- a/submissions/description/cross_site_scripting_xss/stored/self/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/self/template.md @@ -1,16 +1,16 @@ # Stored Cross-Site Scripting (Self) -## Overview of the Vulnerability +## Overview of the Vulnerability: Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Self-stored XSS can be found on this domain which allows an attacker to create crafted JavaScript payload. Additionally, the attacker needs to socially engineer the user to paste the JavaScript payload into the user’s browser. If successful, the JavaScript will execute within that user’s browser in the context of this domain. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: Self-stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Login as a user @@ -22,7 +22,7 @@ Self-stored XSS could lead to data theft through the attacker’s ability to man 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint: diff --git a/submissions/description/cross_site_scripting_xss/stored/template.md b/submissions/description/cross_site_scripting_xss/stored/template.md index d9ffb48f..f391f788 100644 --- a/submissions/description/cross_site_scripting_xss/stored/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/template.md @@ -1,16 +1,16 @@ # Stored Cross-Site Scripting -## Overview of the Vulnerability +## Overview of the Vulnerability: Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +23,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/stored/url_based/template.md b/submissions/description/cross_site_scripting_xss/stored/url_based/template.md index bc2c2449..bf6b2e29 100644 --- a/submissions/description/cross_site_scripting_xss/stored/url_based/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/url_based/template.md @@ -1,16 +1,16 @@ # URL-Based Stored Cross-Site Scripting -## Overview of the Vulnerability +## Overview of the Vulnerability: Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS that is based inside the URL can be found on this domain which allows an attacker to control code that is executed within a user’s browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +23,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/template.md b/submissions/description/cross_site_scripting_xss/template.md index 62013fa3..88ff5f91 100644 --- a/submissions/description/cross_site_scripting_xss/template.md +++ b/submissions/description/cross_site_scripting_xss/template.md @@ -1,16 +1,16 @@ # Cross-Site Scripting -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +23,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/trace_method/template.md b/submissions/description/cross_site_scripting_xss/trace_method/template.md index bd3557dc..bc19c86c 100644 --- a/submissions/description/cross_site_scripting_xss/trace_method/template.md +++ b/submissions/description/cross_site_scripting_xss/trace_method/template.md @@ -1,16 +1,16 @@ # Cross-Site Scripting via the TRACE Method -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. This is possible in legacy browsers as an attacker is able to use the TRACE HTTP method to bypass the `HttpOnly` flag set on the authorisation cookie. From here, an attacker could hijack a user’s session and carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files. -## Business Impact +## Business Impact: XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +23,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/universal_uxss/template.md b/submissions/description/cross_site_scripting_xss/universal_uxss/template.md index ddca723c..8cdeeea1 100644 --- a/submissions/description/cross_site_scripting_xss/universal_uxss/template.md +++ b/submissions/description/cross_site_scripting_xss/universal_uxss/template.md @@ -1,16 +1,16 @@ # Universal Cross-Site Scripting -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. An instance of Universal XSS can be found on this domain, this allows an attacker to create a crafted URL, which when opened by a user, executes arbitrary Javascript within that user’s browser affecting any user session opened or cached in the browser. From here, an attacker could carry out any actions that the user is able to perform in the context of the domain for this application, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +## Business Impact: XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +23,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cryptographic_weakness/broken_cryptography/template.md b/submissions/description/cryptographic_weakness/broken_cryptography/template.md index 67616363..b0feaf4b 100644 --- a/submissions/description/cryptographic_weakness/broken_cryptography/template.md +++ b/submissions/description/cryptographic_weakness/broken_cryptography/template.md @@ -1,21 +1,21 @@ # Broken Cryptography -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application uses broken, weak, or otherwise flawed cryptography which can allow an attacker to decrypt sensitive information. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/broken_cryptography/use_of_broken_cryptographic_primitive/template.md b/submissions/description/cryptographic_weakness/broken_cryptography/use_of_broken_cryptographic_primitive/template.md index 139d0d8f..2c979185 100644 --- a/submissions/description/cryptographic_weakness/broken_cryptography/use_of_broken_cryptographic_primitive/template.md +++ b/submissions/description/cryptographic_weakness/broken_cryptography/use_of_broken_cryptographic_primitive/template.md @@ -1,21 +1,21 @@ # Use of Broken Cryptographic Primitive -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application uses a broken cryptographic primitive which can allow an attacker to decrypt sensitive information. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/broken_cryptography/use_of_vulnerable_cryptographic_library/template.md b/submissions/description/cryptographic_weakness/broken_cryptography/use_of_vulnerable_cryptographic_library/template.md index 743a1232..83d9174b 100644 --- a/submissions/description/cryptographic_weakness/broken_cryptography/use_of_vulnerable_cryptographic_library/template.md +++ b/submissions/description/cryptographic_weakness/broken_cryptography/use_of_vulnerable_cryptographic_library/template.md @@ -1,21 +1,21 @@ # Use of Vulnerable Cryptographic Library -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application uses a vulnerable cryptographic library which can allow an attacker to decrypt sensitive information. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/incomplete_cleanup_of_keying_material/template.md b/submissions/description/cryptographic_weakness/incomplete_cleanup_of_keying_material/template.md index 108e0d54..f62f6bf8 100644 --- a/submissions/description/cryptographic_weakness/incomplete_cleanup_of_keying_material/template.md +++ b/submissions/description/cryptographic_weakness/incomplete_cleanup_of_keying_material/template.md @@ -1,21 +1,21 @@ # Incomplete Cleanup of Keying Material -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cleanup of keying material is incomplete and it retains sensitive cryptographic data in memory longer than is necessary. This can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/insecure_implementation/improper_following_of_specification/template.md b/submissions/description/cryptographic_weakness/insecure_implementation/improper_following_of_specification/template.md index 4a351db7..7e55f6ec 100644 --- a/submissions/description/cryptographic_weakness/insecure_implementation/improper_following_of_specification/template.md +++ b/submissions/description/cryptographic_weakness/insecure_implementation/improper_following_of_specification/template.md @@ -1,21 +1,21 @@ # Improper Following of Specification (Other) -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the implementation of cryptography improperly follows specifications, which can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the improper following of specification: diff --git a/submissions/description/cryptographic_weakness/insecure_implementation/missing_cryptographic_step/template.md b/submissions/description/cryptographic_weakness/insecure_implementation/missing_cryptographic_step/template.md index 7433f6a2..2e75dd8c 100644 --- a/submissions/description/cryptographic_weakness/insecure_implementation/missing_cryptographic_step/template.md +++ b/submissions/description/cryptographic_weakness/insecure_implementation/missing_cryptographic_step/template.md @@ -1,21 +1,21 @@ # Missing Cryptographic Step -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. Missing computational steps during the implementation of cryptography was identified which degrades security. This can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the missing cryptographic step: diff --git a/submissions/description/cryptographic_weakness/insecure_implementation/template.md b/submissions/description/cryptographic_weakness/insecure_implementation/template.md index 7bd4509b..93a78f18 100644 --- a/submissions/description/cryptographic_weakness/insecure_implementation/template.md +++ b/submissions/description/cryptographic_weakness/insecure_implementation/template.md @@ -1,21 +1,21 @@ # Insecure Implementation -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. Insecure implementation of cryptography was identified which can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the insecure implementation: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_exponent_selection/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_exponent_selection/template.md index 6c474bb4..e173e0df 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_exponent_selection/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_exponent_selection/template.md @@ -1,21 +1,21 @@ # Improper Asymmetric Exponent Selection -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure cryptographic keys that have improper asymmetric exponent selection. This can allow an attacker to identify keys and break the confidentiality of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the improper asymmetric exponent selection: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_prime_selection/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_prime_selection/template.md index 086d0247..06c6736d 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_prime_selection/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_prime_selection/template.md @@ -1,21 +1,21 @@ # Improper Asymmetric Prime Selection -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure cryptographic keys that have improper asymmetric prime selection. This can allow an attacker to identify keys and break the confidentiality of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the improper asymmetric prime selection: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_space/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_space/template.md index 9d52e1ee..35c4a010 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_space/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_space/template.md @@ -1,21 +1,21 @@ # Insufficient Key Space -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains insecure cryptographic keys that have insufficient key space. This can allow an attacker to use brute-force techniques to identify keys and break the confidentiality of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the insufficient key space: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_stretching/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_stretching/template.md index 1b6c62a5..b3af1f7e 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_stretching/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_stretching/template.md @@ -1,21 +1,21 @@ # Insufficient Key Stretching -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains insecure cryptographic keys that have insufficient key stretching. This can allow an attacker to identify keys and break the confidentiality of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the insufficient key stretching: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/key_exchange_without_entity_authentication/template_ea.md b/submissions/description/cryptographic_weakness/insecure_key_generation/key_exchange_without_entity_authentication/template_ea.md index 8ab599eb..786fc599 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/key_exchange_without_entity_authentication/template_ea.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/key_exchange_without_entity_authentication/template_ea.md @@ -1,21 +1,21 @@ # Key Exchange Without Entity Authentication -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism that involves key exchange without entity authentication. This can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the key exchange without entity authentication: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/template.md index cf0577ca..5f4c5a3a 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/template.md @@ -1,21 +1,21 @@ # Insecure Key Generation -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism which can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the insecure key generation: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md index 443423bd..1cd50879 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md @@ -1,21 +1,21 @@ # Initialization Vector (IV) Reuse -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptographic algorithms use an initial block of data (called an initialization vector) alongside the plaintext data that is encrypted. When this IV is reused for multiple encryptions, an attacker can identify the IV from the original data within the encryption. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the initialization vector reuse: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md index 7b9aec93..df9e20ad 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md @@ -1,21 +1,21 @@ # Limited Random Number Generator (RNG) Entropy Source -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. When insufficient entropy is used to generate cryptographic keys, it is possible to predict or guess the keys. Insufficient entropy of a Random Number Generator (RNG) was identified which can create predictable random numbers. This can allow an attacker to guess the session ID or cryptographic key and gain access to restricted data or functionality. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the insufficient entropy of the RNG: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md index 5554ed73..f256aef8 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md @@ -1,21 +1,21 @@ # Predictable Initialization Vector (IV) -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptographic algorithms use an initial block of data (called an initialization vector) alongside the plaintext data that is encrypted. When this IV is predictable, an attacker can identify the IV from the original data within the encryption. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the predictability of the initialization vector: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md index e5a2d81e..47c3e077 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md @@ -1,21 +1,21 @@ # Predictable Pseudo-Random Number Generator (PRNG) Seed -## Overview of the Vulnerability +## Overview of the Vulnerability: A Pseudo-Random Number Generator (PRNG) uses an initial seed value to generate random number through a complex algorithm. When this seed value is predictable in full or in part, it is possible to determine the random numbers produce by the PRNG. The PRNG seed value is predictable, allowing an attacker to guess the random numbers generated by the PRNG. This can lead to unauthorized access if that seed value is used for authorization and authentication. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the PRNG seed reuse: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md index 22bed27a..5cde2869 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md @@ -1,21 +1,21 @@ # Pseudo-Random Number Generator (PRNG) Seed Reuse -## Overview of the Vulnerability +## Overview of the Vulnerability: A Pseudo-Random Number Generator (PRNG) uses an initial seed value to generate random number through a complex algorithm. When this seed value is known, it is possible to determine the random numbers produce by the PRNG. An attacker with access to the seed value can predict or guess the random numbers which can lead to unauthorized access if that seed value is used for authorization and authentication. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the PRNG seed reuse: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md index a574b83c..fe3277f4 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md @@ -1,21 +1,21 @@ # Small Seed Space in Pseudo-Random Number Generator (PRNG) -## Overview of the Vulnerability +## Overview of the Vulnerability: A Pseudo-Random Number Generator (PRNG) uses an initial seed value to generate random number through a complex algorithm. When this seed value is small in size, it is possible to bruteforce all possible seeed values. An attacker who can guess the seed value can predict or guess the random numbers generated by the PRNG. This can lead to unauthorized access if that seed value is used for authorization and authentication. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the small seed space in the PRNG: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/template.md index d80d37dc..9730c5e4 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/template.md @@ -1,21 +1,21 @@ # Insufficient Entropy -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. When insufficient entropy is used to generate cryptographic keys, it is possible to predict or guess the keys. Insufficient entropy of cryptographic algorithm generation was identified which can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the insufficient entropy: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md index df7df0ac..70ee6d69 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md @@ -1,21 +1,21 @@ # Use of True Random Number Generator (TRNG) for Non-Security Purpose -## Overview of the Vulnerability +## Overview of the Vulnerability: Most True Random Number Generators (TRNG) have a finite limit to their random number generation rate. Therefore, a TRNG should only be used when entropy is required for security purposes. When an application draws from a TRNG for a non-security purpose, it depletes the entropy of the source, increasing the likelihood that an attacker would be able to predict of guess number generated. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the True Random Number Generator being used for a non-security purpose: diff --git a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/cryptographic_signature/template.md b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/cryptographic_signature/template.md index b61636a6..55bc52ef 100644 --- a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/cryptographic_signature/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/cryptographic_signature/template.md @@ -1,21 +1,21 @@ # Cryptographic Signature -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application fails to verify the cryptographic signature. Ths can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the insufficient validation of the cryptographic signature: diff --git a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/identity_check_value/template.md b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/identity_check_value/template.md index 4b823ad5..bab33bf2 100644 --- a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/identity_check_value/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/identity_check_value/template.md @@ -1,21 +1,21 @@ # Integrity Check Value (ICV) -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the authenticity of the Integrity Check Value (ICV) is not verified which can lead to data corruption. Ths can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the insufficient verification of the ICV: diff --git a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/template.md b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/template.md index f2064f49..632fb1b3 100644 --- a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/template.md @@ -1,21 +1,21 @@ # Insufficient Verification of Data Authenticity -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the authenticity of the data used in the cryptographic processes is not verified which can lead to data corruption. Ths can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the insufficient verification of data authenticity: diff --git a/submissions/description/cryptographic_weakness/key_reuse/inter_environment/template.md b/submissions/description/cryptographic_weakness/key_reuse/inter_environment/template.md index a314185f..bf7bb86c 100644 --- a/submissions/description/cryptographic_weakness/key_reuse/inter_environment/template.md +++ b/submissions/description/cryptographic_weakness/key_reuse/inter_environment/template.md @@ -1,21 +1,21 @@ # Inter-Environment Key Reuse -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cryptographic mechanism reuses keys across different environment (inter-environment). This can allow an attacker to leverage the key to gain access to information or privileges within the application that are protected by the same key. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the inter-environment key reuse: diff --git a/submissions/description/cryptographic_weakness/key_reuse/intra_environment/template.md b/submissions/description/cryptographic_weakness/key_reuse/intra_environment/template.md index f316ec50..a28c96a3 100644 --- a/submissions/description/cryptographic_weakness/key_reuse/intra_environment/template.md +++ b/submissions/description/cryptographic_weakness/key_reuse/intra_environment/template.md @@ -1,21 +1,21 @@ # Intra-Environment Key Reuse -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cryptographic mechanism reuses keys within the same environment (intra-environment). This can allow an attacker to leverage the key to gain access to information or privileges within the application that are protected by the same key. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the intra-environment key reuse: diff --git a/submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md b/submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md index 29a3aac8..23518f5f 100644 --- a/submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md +++ b/submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md @@ -1,21 +1,21 @@ # Lack of Perfect Forward Secrecy -## Overview of the Vulnerability +## Overview of the Vulnerability: It was identified that the application's cryptographic mechanism lacks the use of Perfect Forward Secrecy (PFS). PFS involves the negotiation of an ephemeral key pair for each newly create session between two parties. Without PFS, an attacker would be able to compromise all past and future sessions based on a set of keys that they can decrypt. They can then leverage the keys to gain access to information or privileges within the application that are protected by the same key. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the lack of PFS: diff --git a/submissions/description/cryptographic_weakness/key_reuse/template.md b/submissions/description/cryptographic_weakness/key_reuse/template.md index 35f9564d..f954fd0c 100644 --- a/submissions/description/cryptographic_weakness/key_reuse/template.md +++ b/submissions/description/cryptographic_weakness/key_reuse/template.md @@ -1,21 +1,21 @@ # Key Reuse -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cryptographic mechanism reuses keys. This can allow an attacker to leverage the key to gain access to information or privileges within the application that are protected by the same key. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the key reuse: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/differential_fault_analysis/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/differential_fault_analysis/template.md index 925eeeca..e8bb7d1b 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/differential_fault_analysis/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/differential_fault_analysis/template.md @@ -1,21 +1,21 @@ # Differential Fault Analysis -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application is vulnerable to a differential fault analysis attack as there are changes to the system's response to specially crafted fault conditions during specific steps of cryptographic operations. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/emanations_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/emanations_attack/template.md index 1ce90a0c..f9f40101 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/emanations_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/emanations_attack/template.md @@ -1,21 +1,21 @@ # Emanations Attack -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application is vulnerable to a emanations attack as there are changes to the electromagnetic emanations across the physical system when it is performing different steps of cryptographic operations. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the power emanations attack: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/padding_oracle_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/padding_oracle_attack/template.md index 437e33a9..a16a8176 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/padding_oracle_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/padding_oracle_attack/template.md @@ -1,21 +1,21 @@ # Padding Oracle Attack -## Overview of the Vulnerability +## Overview of the Vulnerability: A cryptographic weakness was identified which can allow an attacker to use a padding oracle attack to derive the encryption key. This is due to the application revealing information during the decryption process about the validity of the padding data. This can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the padding oracle attack: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/power_analysis_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/power_analysis_attack/template.md index 9ef55158..f1f23b94 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/power_analysis_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/power_analysis_attack/template.md @@ -1,21 +1,21 @@ # Power Analysis Attack -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application is vulnerable to a power analysis attack as there is uneven power consumption across the system when performing different steps of cryptographic operations. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the power analysis attack: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/template.md index 7d8abc56..5cd1e050 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/template.md @@ -1,21 +1,21 @@ # Side-Channel Attack -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. A cryptographic weakness was identified which can allow an attacker to use a side-channel attack to break the confidentiality and integrity of requests sent to and from the endpoint by deriving the encryption key through various methods. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the side-channel attack: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/timing_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/timing_attack/template.md index e5c1dafe..26d634a1 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/timing_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/timing_attack/template.md @@ -1,21 +1,21 @@ # Timing Attack -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application is vulnerable to a timing attack as the time it takes to complete a cryptographic operation directly relates to user-supplied data. This allows an attacker to use a timing attack to derive the encryption key. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the timing attack: diff --git a/submissions/description/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md b/submissions/description/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md index ebd18946..f7a9a7d0 100644 --- a/submissions/description/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md +++ b/submissions/description/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md @@ -1,21 +1,21 @@ # Use of Expired Cryptographic Key (or Certificate) -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application uses an expired cryptographic key or certificate which can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/weak_hash/lack_of_salt/template.md b/submissions/description/cryptographic_weakness/weak_hash/lack_of_salt/template.md index ec70bf99..f4469be7 100644 --- a/submissions/description/cryptographic_weakness/weak_hash/lack_of_salt/template.md +++ b/submissions/description/cryptographic_weakness/weak_hash/lack_of_salt/template.md @@ -1,21 +1,21 @@ # Lack of Salt -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the hash does not have a salt which can allow an attacker to use rainbow table attacks. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the lack of salt: diff --git a/submissions/description/cryptographic_weakness/weak_hash/predictable_hash_collision/template.md b/submissions/description/cryptographic_weakness/weak_hash/predictable_hash_collision/template.md index d7f58f3e..96a4b460 100644 --- a/submissions/description/cryptographic_weakness/weak_hash/predictable_hash_collision/template.md +++ b/submissions/description/cryptographic_weakness/weak_hash/predictable_hash_collision/template.md @@ -1,21 +1,21 @@ # Predictable Hash Collision -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. A predictable hash collision was identified where the same hash value is generated by a hashing algorithm for different plaintext inputs. This can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the predictable hash collision: diff --git a/submissions/description/cryptographic_weakness/weak_hash/template.md b/submissions/description/cryptographic_weakness/weak_hash/template.md index cb93b17b..1f5064a0 100644 --- a/submissions/description/cryptographic_weakness/weak_hash/template.md +++ b/submissions/description/cryptographic_weakness/weak_hash/template.md @@ -1,21 +1,21 @@ # Weak Hash -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. A weak hash was identified which can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the weak hash: diff --git a/submissions/description/cryptographic_weakness/weak_hash/use_of_predictable_salt/template.md b/submissions/description/cryptographic_weakness/weak_hash/use_of_predictable_salt/template.md index 28c57659..efc06184 100644 --- a/submissions/description/cryptographic_weakness/weak_hash/use_of_predictable_salt/template.md +++ b/submissions/description/cryptographic_weakness/weak_hash/use_of_predictable_salt/template.md @@ -1,21 +1,21 @@ # Use of Predictable Salt -## Overview of the Vulnerability +## Overview of the Vulnerability: Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. A predictable salt in the hashing mechanism was identified which can allow an attacker to use rainbow table attacks. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the predictable salt: diff --git a/submissions/description/external_behavior/browser_feature/aggressive_offline_caching/template.md b/submissions/description/external_behavior/browser_feature/aggressive_offline_caching/template.md index fc55d726..89ec6583 100644 --- a/submissions/description/external_behavior/browser_feature/aggressive_offline_caching/template.md +++ b/submissions/description/external_behavior/browser_feature/aggressive_offline_caching/template.md @@ -1,19 +1,19 @@ # Aggressive Offline Caching -## Overview of the Vulnerability +## Overview of the Vulnerability: Browsers implement features such as service workers to offer offline features for an application. For example, a browser can offer offline features such as caching, notifications, as well as offloading computation for applications, such as Progressive Web Applications (PWA). Occasionally, these offline workers can cause issues like high CPU usage or overly aggressive offline caching, as seen in this instance. Depending on the implementation of the service worker, aggressive offline caching can act as a vector for Denial of Service (DoS) to regular application users by consuming compute to overly write to the offline cache. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ access to the application and its functions. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Use {{software}} to profile when service worker is active and compare to when the server worker is not active -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the aggressive offline caching: diff --git a/submissions/description/external_behavior/browser_feature/autocomplete_enabled/template.md b/submissions/description/external_behavior/browser_feature/autocomplete_enabled/template.md index 845877fe..07ee8fea 100644 --- a/submissions/description/external_behavior/browser_feature/autocomplete_enabled/template.md +++ b/submissions/description/external_behavior/browser_feature/autocomplete_enabled/template.md @@ -1,21 +1,21 @@ # Autocomplete Enabled -## Overview of the Vulnerability +## Overview of the Vulnerability: Browsers implement features such as autocomplete to offer form filling features for end users. Autocomplete is an HTML attribute that saves previously entered text within the input Document Object Model (DOM) fields. An attacker can leverage the cached input for this application locally to login as a user or expose critical pieces of data. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Enter text within the input field and submit the form 1. Use `Inspect` from the developer tools to verify the input parameter has `autocomplete=on` 1. {{action}} to see the text saved into the input field -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the autocomplete enabled: diff --git a/submissions/description/external_behavior/browser_feature/autocorrect_enabled/template.md b/submissions/description/external_behavior/browser_feature/autocorrect_enabled/template.md index 8b952aa4..1abfbd3f 100644 --- a/submissions/description/external_behavior/browser_feature/autocorrect_enabled/template.md +++ b/submissions/description/external_behavior/browser_feature/autocorrect_enabled/template.md @@ -1,14 +1,14 @@ # Autocorrect Enabled -## Overview of the Vulnerability +## Overview of the Vulnerability: Browsers implement features such as autocorrect to offer predictive spelling and grammar features for end users. The applications implementation of autocorrect for sensitive fields can enable an attacker with local access to login as a user, or leverage critical pieces of information to impersonate the user or make requests on their behalf. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Fill and {{action}} to submit form @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the autocorrect enabled on a sensitive field: diff --git a/submissions/description/external_behavior/browser_feature/plaintext_password_field/template.md b/submissions/description/external_behavior/browser_feature/plaintext_password_field/template.md index d5f4da87..c68b250c 100644 --- a/submissions/description/external_behavior/browser_feature/plaintext_password_field/template.md +++ b/submissions/description/external_behavior/browser_feature/plaintext_password_field/template.md @@ -1,14 +1,14 @@ # Plaintext Password Field -## Overview of the Vulnerability +## Overview of the Vulnerability: The password field for the login form of the application reveals the password in plaintext. An attacker with local access can shoulder surf or otherwise tailgate a user and watch them login to the application. From here, an attacker could login as a user to impersonate them or make requests on their behalf. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Enter text within the password field @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the password field rendering in plaintext: diff --git a/submissions/description/external_behavior/browser_feature/save_password/template.md b/submissions/description/external_behavior/browser_feature/save_password/template.md index 98ffdbdc..278ba71f 100644 --- a/submissions/description/external_behavior/browser_feature/save_password/template.md +++ b/submissions/description/external_behavior/browser_feature/save_password/template.md @@ -1,21 +1,21 @@ # Password is Saved in Input Field -## Overview of the Vulnerability +## Overview of the Vulnerability: Browsers implement features such as saving input field text to reduce the time it takes for a user to fill in forms. For this application, the password is saved in the input field. An attacker with local access to the application and computer can impersonate a user and make requests on their behalf. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Enter username and password within the login form and submit 1. Logout of application and navigate back to the login page 1. Observe that the username and password is saved -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the password saved in the input field: diff --git a/submissions/description/external_behavior/browser_feature/template.md b/submissions/description/external_behavior/browser_feature/template.md index c0236d60..4266f860 100644 --- a/submissions/description/external_behavior/browser_feature/template.md +++ b/submissions/description/external_behavior/browser_feature/template.md @@ -1,19 +1,19 @@ # Browser Feature -## Overview of the Vulnerability +## Overview of the Vulnerability: Browsers implement features to offer users both online and offline features to enhance the user experience of the browser and applications. For example, a browser can offer offline features such as caching, notifications, as well as offloading computation for applications, such as Progressive Web Applications (PWA). Occasionally, these browser features can cause security issues depending on their implementation. A local attacker can take advantage of the browser feature to impersonate a user and make requests on their behalf. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Use {{software}} to profile the browser feature that is showing sensitive user information -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the misconfigured browser feature: diff --git a/submissions/description/external_behavior/captcha_bypass/crowdsourcing/template.md b/submissions/description/external_behavior/captcha_bypass/crowdsourcing/template.md index 7ac2e4f0..a9ca9a6f 100644 --- a/submissions/description/external_behavior/captcha_bypass/crowdsourcing/template.md +++ b/submissions/description/external_behavior/captcha_bypass/crowdsourcing/template.md @@ -1,19 +1,19 @@ # Captcha Bypass via Crowdsourcing -## Overview of the Vulnerability +## Overview of the Vulnerability: A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. Powerful Optical Artificial Intelligence (OAI) enabled tools require a large amount of data to create models to break implementations of CAPTCHA. An attacker can leverage OAI tools to bypass captcha and make requests to critical functionality without rate limit. Forms that are often firewalled by a CAPTCHA can even be a vector for Denial of Service executing read and write from the database multiple times. -## Business Impact +## Business Impact: CAPTCHA bypass can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business through the extra workloads placed on internal teams to deal with spam from an attacker. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the CAPTCHA bypass: diff --git a/submissions/description/external_behavior/captcha_bypass/template.md b/submissions/description/external_behavior/captcha_bypass/template.md index a5e4e719..86b2e99b 100644 --- a/submissions/description/external_behavior/captcha_bypass/template.md +++ b/submissions/description/external_behavior/captcha_bypass/template.md @@ -1,21 +1,21 @@ # CAPTCHA Bypass -## Overview of the Vulnerability +## Overview of the Vulnerability: A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. A CAPTCHA can be bypassed when the implementation or its workflow is improperly configured, or when software can be used to bypass the challenge. An attacker can bypass the CAPTCHA form and spam the website with queries for registration, login, as well as spam support teams with faulty requests. -## Business Impact +## Business Impact: CAPTCHA bypass can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business through the extra workloads placed on internal teams to deal with spam from an attacker. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the CAPTCHA bypass: diff --git a/submissions/description/external_behavior/csv_injection/template.md b/submissions/description/external_behavior/csv_injection/template.md index 70415c5c..2d473e07 100644 --- a/submissions/description/external_behavior/csv_injection/template.md +++ b/submissions/description/external_behavior/csv_injection/template.md @@ -1,14 +1,14 @@ # Comma Separated Values (CSV) Injection -## Overview of the Vulnerability +## Overview of the Vulnerability: Applications will often embed unsafe input in exported spreadsheets targeting desktop applications such as Excel or LibreOffice, or their cloud application equivalents. A malicious attacker can leverage this unsafe input to exfiltrate data from users, or deliver malicious binary to users downloading their input controlled file. Unsafe CSV formulas in CSV files within the application allow malicious attackers to deliver payloads or exfiltrate data using specifically crafted input. -## Business Impact +## Business Impact: CSV injection can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business if an attacker is able to exfiltrate data. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the following endpoint: {{value}} 1. {{action}} to export a CSV file @@ -22,7 +22,7 @@ CSV injection can lead to reputational damage for the business due to a loss in 1. Upload to publicly accessible endpoint -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the CSV injection: diff --git a/submissions/description/external_behavior/system_clipboard_leak/shared_links/template.md b/submissions/description/external_behavior/system_clipboard_leak/shared_links/template.md index aeeb4d58..1b9f0fb3 100644 --- a/submissions/description/external_behavior/system_clipboard_leak/shared_links/template.md +++ b/submissions/description/external_behavior/system_clipboard_leak/shared_links/template.md @@ -1,14 +1,14 @@ # System Clipboard Leak (Shared Link) -## Overview of the Vulnerability +## Overview of the Vulnerability: The system clipboard, used when performing a copy and paste function, leaks sensitive information. An attacker could abuse this clipboard leak to steal confidential shared links that a user created and copied to their clipboard within the application. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage for the business due to a loss in confidence and trust by users. -## Steps to Reproduce +## Steps to Reproduce: 1. Create and install the following malicious application capable of accessing the clipboard: {{malicious application}} 1. Log in to {{application}} @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage for the business due to a los 1. Copy some sensitive information to the clipboard 1. Within the malicious application, observe the sensitive information through the clipboard -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the leak from the system clipboard: diff --git a/submissions/description/external_behavior/system_clipboard_leak/template.md b/submissions/description/external_behavior/system_clipboard_leak/template.md index 3bb381ba..21d1151d 100644 --- a/submissions/description/external_behavior/system_clipboard_leak/template.md +++ b/submissions/description/external_behavior/system_clipboard_leak/template.md @@ -1,14 +1,14 @@ # System Clipboard Leak -## Overview of the Vulnerability +## Overview of the Vulnerability: The system clipboard, used when performing a copy and paste function, leaks sensitive information. An attacker could abuse this clipboard leak to steal sensitive information that a user copied to their clipboard in the application. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage for the business due to a loss in confidence and trust by users. -## Steps to Reproduce +## Steps to Reproduce: 1. Create and install the following malicious application capable of accessing the clipboard: {{malicious application}} 1. Log in to {{application}} @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage for the business due to a los 1. Copy some sensitive information to the clipboard 1. Within the malicious application, observe the sensitive information through the clipboard -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the leak from the system clipboard: diff --git a/submissions/description/external_behavior/template.md b/submissions/description/external_behavior/template.md index 40535930..9e37f789 100644 --- a/submissions/description/external_behavior/template.md +++ b/submissions/description/external_behavior/template.md @@ -1,19 +1,19 @@ # External Behavior -## Overview of the Vulnerability +## Overview of the Vulnerability: Behavior external from the application is leaking user sensitive information due to misconfiguration errors of system or browser features. A local attacker can take advantage of these external behavior errors to gather sensitive user information and impersonate a user or make requests on their behalf. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Use {{software}} to profile the external behavior that is showing sensitive user information -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the misconfigured external behavior: diff --git a/submissions/description/external_behavior/user_password_persisted_in_memory/template.md b/submissions/description/external_behavior/user_password_persisted_in_memory/template.md index 047be757..09519750 100644 --- a/submissions/description/external_behavior/user_password_persisted_in_memory/template.md +++ b/submissions/description/external_behavior/user_password_persisted_in_memory/template.md @@ -1,14 +1,14 @@ # User Password Persisted in Memory -## Overview of the Vulnerability +## Overview of the Vulnerability: The user’s password is kept in memory after the application has ceased utilizing it. An attacker can abuse this to read the user password in memory and login as the user, impersonate them, or make requests on their behalf. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage for the business due to a loss in confidence and trust by users. -## Steps to Reproduce +## Steps to Reproduce: 1. Utilize some software that allows computer memory to be accessed in a human-readable format 1. Log in to the application @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage for the business due to a los 1. Cease using the application 1. Using the computer memory viewer, view the password of the user that remained in memory after use -## Proof of Concept (PoC) +## Proof of Concept (PoC): You can observe the plaintext password that remained in memory after utilization below: diff --git a/submissions/description/insecure_data_storage/non_sensitive_application_data_stored_unencrypted/template.md b/submissions/description/insecure_data_storage/non_sensitive_application_data_stored_unencrypted/template.md index 39e82811..3f810ab2 100644 --- a/submissions/description/insecure_data_storage/non_sensitive_application_data_stored_unencrypted/template.md +++ b/submissions/description/insecure_data_storage/non_sensitive_application_data_stored_unencrypted/template.md @@ -1,21 +1,21 @@ # Non-Sensitive Application Data Stored Unencrypted -## Overview of the Vulnerability +## Overview of the Vulnerability: Insecure data storage can occur in both the client and server sides of an application. Non-sensitive data from the application is stored unencrypted and is susceptible to being identified and used maliciously. An attacker with access to the unencrypted non-sensitive data can leverage the data to gather further information on users and the application, and use it to perform further attacks. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Login to the application and input data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Navigate to {{url}} 1. Observe the application data that is stored unencrypted -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/screen_caching_enabled/template.md b/submissions/description/insecure_data_storage/screen_caching_enabled/template.md index 5b5c75a2..912f847d 100644 --- a/submissions/description/insecure_data_storage/screen_caching_enabled/template.md +++ b/submissions/description/insecure_data_storage/screen_caching_enabled/template.md @@ -1,20 +1,20 @@ # Screen Caching Enabled -## Overview of the Vulnerability +## Overview of the Vulnerability: Screen caching occurs when an application is sent to the background and a screenshot is taken in order to make it appear that the application is shrinking while moving between applications on the mobile screen. Personal information can be unknowingly captured in this screen cache and stored unencrypted on the phone. An attacker could abuse this screen caching being enabled to steal sensitive information that is captured and stored unencrypted when a user exits the application. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Log in to the mobile application and access a screen where sensitive information is displayed 1. Click the home button, and navigate to where the mobile operating system stores cached application screenshots 1. Observe the screenshot taken that captures sensitive information when the home button was clicked -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the screen caching displaying sensitive information: diff --git a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_external_storage/template.md b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_external_storage/template.md index 4ba7aabb..5c7c8ed8 100644 --- a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_external_storage/template.md +++ b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_external_storage/template.md @@ -1,20 +1,20 @@ # Sensitive Application Data Stored Unencrypted on External Storage -## Overview of the Vulnerability +## Overview of the Vulnerability: When sensitive application data is stored insecurely on external storage it is susceptible to being identified and used maliciously. An attacker could abuse this unencrypted data storage to steal sensitive information that a user inputted. With this sensitive information, a malicious attacker could perform further attacks on the application or impersonate the user. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Login to the application and input personal, sensitive data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Observe the sensitive application data that is stored unencrypted -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_internal_storage/template.md b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_internal_storage/template.md index d284292f..9ac7c7e1 100644 --- a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_internal_storage/template.md +++ b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_internal_storage/template.md @@ -1,20 +1,20 @@ # Sensitive Application Data Stored Unencrypted on Internal Storage -## Overview of the Vulnerability +## Overview of the Vulnerability: When sensitive application data is stored insecurely on internal storage it is susceptible to being identified and used maliciously. An attacker could abuse this unencrypted data storage to steal sensitive information that a user inputted. With this sensitive information, a malicious attacker could perform further attacks on the application or impersonate the user. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Login to the application and input personal, sensitive data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Observe the sensitive application data that is stored unencrypted -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/template.md b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/template.md index 811c65a3..8b99fc04 100644 --- a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/template.md +++ b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/template.md @@ -1,20 +1,20 @@ # Sensitive Application Data Stored Unencrypted -## Overview of the Vulnerability +## Overview of the Vulnerability: Insecure data storage can occur in both the client and server sides of an application. When sensitive application data is stored insecurely it is susceptible to being identified and used maliciously. An attacker could abuse this unencrypted data storage to steal sensitive information that a user inputted. With this sensitive information, a malicious attacker could perform further attacks on the application or impersonate the user. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Login to the application and input personal, sensitive data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Observe the sensitive application data that is stored unencrypted -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/server_side_credentials_storage/plaintext/template.md b/submissions/description/insecure_data_storage/server_side_credentials_storage/plaintext/template.md index d51fabbb..d359817f 100644 --- a/submissions/description/insecure_data_storage/server_side_credentials_storage/plaintext/template.md +++ b/submissions/description/insecure_data_storage/server_side_credentials_storage/plaintext/template.md @@ -1,21 +1,21 @@ # Server-Side Plaintext Credential Storage -## Overview of the Vulnerability +## Overview of the Vulnerability: When sensitive application data is stored insecurely in server-side storage it is susceptible to being identified and used maliciously. An attacker can abuse server-side credential storage by using another vulnerability to gain access to the server of the application and exfiltrating all the plaintext credentials. With these plaintext credentials, an attacker can take over user accounts or impersonate users within the application. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. If an attacker is successful in exfiltrating user credentials from the server it can lead to fraud and data loss for the company. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Register an account in the application and create credentials for the account 1. Use a browser to navigate to: {{URL}} 1. Using the HTTP interception proxy, observe that the application is storing user credentials on their server in plaintext -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/server_side_credentials_storage/template.md b/submissions/description/insecure_data_storage/server_side_credentials_storage/template.md index dbeeefdb..1e8a41a9 100644 --- a/submissions/description/insecure_data_storage/server_side_credentials_storage/template.md +++ b/submissions/description/insecure_data_storage/server_side_credentials_storage/template.md @@ -1,21 +1,21 @@ # Server-Side Credential Storage -## Overview of the Vulnerability +## Overview of the Vulnerability: When sensitive application data is stored insecurely in server-side storage it is susceptible to being identified and used maliciously. An attacker can abuse server-side credential storage by using another vulnerability to gain access to the server of the application and exfiltrating all the credentials. With these plaintext credentials, an attacker can take over user accounts or impersonate users within the application. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. If an attacker is successful in exfiltrating user credentials from the server it can lead to fraud and data loss for the company. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Register an account in the application and create credentials for the account 1. Use a browser to navigate to: {{URL}} 1. Using the HTTP interception proxy, observe that the application is storing user credentials on their server -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/template.md b/submissions/description/insecure_data_storage/template.md index a4dc69a2..e2f683c0 100644 --- a/submissions/description/insecure_data_storage/template.md +++ b/submissions/description/insecure_data_storage/template.md @@ -1,21 +1,21 @@ # Insecure Data Storage -## Overview of the Vulnerability +## Overview of the Vulnerability: Insecure data storage can occur in both the client and server sides of an application. When data from the application is stored insecurely it is susceptible to being identified and used maliciously. An attacker with access to the insecurely stored data of this application can leverage the data to gather further information on users and the application, and use it to perform further attacks. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Login to the application and input data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Navigate to {{url}} 1. Observe the application data that is stored unencrypted -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_transport/cleartext_transmission_of_sensitive_data/template.md b/submissions/description/insecure_data_transport/cleartext_transmission_of_sensitive_data/template.md index fa9a8ecf..26a9eecf 100644 --- a/submissions/description/insecure_data_transport/cleartext_transmission_of_sensitive_data/template.md +++ b/submissions/description/insecure_data_transport/cleartext_transmission_of_sensitive_data/template.md @@ -1,14 +1,14 @@ # Cleartext Transmission of Sensitive Data -## Overview of the Vulnerability +## Overview of the Vulnerability: When sensitive data is transmitted in cleartext over an unencrypted channel, it can be intercepted via a Person-in-the-Middle (PitM) attack. An attacker can send requests to the server pretending to be the legitimate user by using a PitM attack to access the sensitive data. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft via an attacker’s ability to manipulate data through their ability to make requests to the server using a legitimate session token. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +17,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the cookie and hijack the authenticated session 1. Modify user's personal identifiable information (PII) -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below show sensitive data being transmitted via cleartext: diff --git a/submissions/description/insecure_data_transport/executable_download/no_secure_integrity_check/template.md b/submissions/description/insecure_data_transport/executable_download/no_secure_integrity_check/template.md index 99de807c..ede04e09 100644 --- a/submissions/description/insecure_data_transport/executable_download/no_secure_integrity_check/template.md +++ b/submissions/description/insecure_data_transport/executable_download/no_secure_integrity_check/template.md @@ -1,21 +1,21 @@ # Executable File Download Without Secure Integrity Check -## Overview of the Vulnerability +## Overview of the Vulnerability: Risk levels for an application are raised when executable files are able to be downloaded as it increases the chances of malicious files being downloaded and executing in the system, or on an end user’s device. An executable file can be downloaded within this application without encryption or a secure integrity check, enabling an attacker to observe the contents of the downloaded file through a network sniffing or Person-in-the-Middle (PitM) attack. An attacker could also download a malicious executable instead of the intended file. If the downloaded file contains sensitive information, the attacker could use this to perform further attacks on the application or impersonate a user. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft depending on the content on the downloadable executable files in the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Route all application traffic through a HTTP interception proxy 1. Use a browser to navigate to: {{URL}} 1. Observe within the HTTP interception proxy that an executable file is downloaded unencrypted and does not go through an integrity check -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows that an executable file is downloaded unencrypted: diff --git a/submissions/description/insecure_data_transport/executable_download/secure_integrity_check/template.md b/submissions/description/insecure_data_transport/executable_download/secure_integrity_check/template.md index 45ecc1b0..d6052e5f 100644 --- a/submissions/description/insecure_data_transport/executable_download/secure_integrity_check/template.md +++ b/submissions/description/insecure_data_transport/executable_download/secure_integrity_check/template.md @@ -1,21 +1,21 @@ # Executable File Download with Secure Integrity Check -## Overview of the Vulnerability +## Overview of the Vulnerability: Risk levels for an application are raised when executable files are able to be downloaded as it increases the chances of malicious files downloaded and executing in the system, or on an end user’s device. An executable file can be downloaded within this application without encryption, enabling an attacker to observe the contents of the downloaded file through a network sniffing or Person-in-the-Middle (PitM) attack. If the downloaded file contains sensitive information, the attacker could use this to perform further attacks on the application or impersonate a user. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft depending on the content on the downloadable executable files in the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Route all application traffic through a HTTP interception proxy 1. Use a browser to navigate to: {{URL}} 1. Observe within the HTTP interception proxy that an executable file is downloaded unencrypted -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows that an executable file is downloaded unencrypted: diff --git a/submissions/description/insecure_data_transport/executable_download/template.md b/submissions/description/insecure_data_transport/executable_download/template.md index 5f2486b7..fb35a372 100644 --- a/submissions/description/insecure_data_transport/executable_download/template.md +++ b/submissions/description/insecure_data_transport/executable_download/template.md @@ -1,21 +1,21 @@ # Executable File Download -## Overview of the Vulnerability +## Overview of the Vulnerability: Risk levels for an application are raised when executable files are able to be downloaded as it increases the chances of malicious files being downloaded and executing in the system, or on an end user’s device. An executable file can be downloaded within this application, enabling an attacker to observe the contents of the downloaded file through a network sniffing or Person-in-the-Middle (PitM) attack. An attacker could also download a malicious executable instead of the intended file. If the downloaded file contains sensitive information, the attacker could use this to perform further attacks on the application or impersonate a user. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft depending on the content on the downloadable executable files in the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Route all application traffic through a HTTP interception proxy 1. Use a browser to navigate to: {{URL}} 1. Observe within the HTTP interception proxy that an executable file is downloaded -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows that an executable file can be downloaded: diff --git a/submissions/description/insecure_data_transport/template.md b/submissions/description/insecure_data_transport/template.md index 6e8ae748..374f12c6 100644 --- a/submissions/description/insecure_data_transport/template.md +++ b/submissions/description/insecure_data_transport/template.md @@ -1,14 +1,14 @@ # Insecure Data Transport -## Overview of the Vulnerability +## Overview of the Vulnerability: When data is transmitted over unencrypted channels, it can be intercepted via a Person-in-the-Middle (PitM) attack. An attacker can then gather user data and potentially send requests to the server pretending to be the legitimate user, or otherwise collect sensitive user data. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft via an attacker’s ability to manipulate data through their ability to make requests to the server using a legitimate session token. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +17,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the cookie and hijack the authenticated session 1. Modify user's personal identifiable information (PII) -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below show sensitive data being transmitted insecurely: diff --git a/submissions/description/insecure_os_firmware/command_injection/template.md b/submissions/description/insecure_os_firmware/command_injection/template.md index 6ecb0f07..9dbffc4e 100644 --- a/submissions/description/insecure_os_firmware/command_injection/template.md +++ b/submissions/description/insecure_os_firmware/command_injection/template.md @@ -1,15 +1,15 @@ # Insecure OS Firmware (Command Injection) -## Overview of the Vulnerability +## Overview of the Vulnerability: When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network. An attacker could abuse this command injection vulnerability in the application to execute arbitrary commands on the user's operating system. -## Business Impact +## Business Impact: This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Start {{application}} on the operating system and navigate to {{url}} 1. Observe that the OS firmware is insecure by {{action}} @@ -17,7 +17,7 @@ This vulnerability can lead to direct financial loss to the company due to data {{Payload}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below show the steps required to exploit the command injection: diff --git a/submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md b/submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md index c4a047ad..9bf839c1 100644 --- a/submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md +++ b/submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md @@ -1,21 +1,21 @@ # Insecure OS Firmware (Hard-Coded Password for Non-Privileged User) -## Overview of the Vulnerability +## Overview of the Vulnerability: When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network. A hard-coded password for a non-privileged user was identified in the source code of the application. An attacker could abuse the hard-coded password for a non-privileged user to gain access to aspects of the application they normally would not have access to. With this increased access, a malicious attacker could perform other attacks on the application, elevate their privileges, or gather sensitive data from within the application. -## Business Impact +## Business Impact: This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the source code files of the application 1. Observe that a password is hard-coded into the source code and does not require external validation -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the hard-coded password within the application source files: diff --git a/submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/template.md b/submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/template.md index 861aa566..4c3adc6e 100644 --- a/submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/template.md +++ b/submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/template.md @@ -1,21 +1,21 @@ # Insecure OS Firmware (Hard-Coded Password for Privileged User) -## Overview of the Vulnerability +## Overview of the Vulnerability: When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network. A hard-coded password for a privileged user was identified in the source code of the application. An attacker could abuse the hard-coded password for a privileged user to gain access to aspects of the application they normally would not have access to. With this increased access, a malicious attacker could perform other attacks on the application, or gather sensitive data from within the application. -## Business Impact +## Business Impact: This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the source code files of the application 1. Observe that a password is hard-coded into the source code and does not require external validation -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the hard-coded password within the application source files: diff --git a/submissions/description/insecure_os_firmware/hardcoded_password/template.md b/submissions/description/insecure_os_firmware/hardcoded_password/template.md index d25bd4a0..5edbb002 100644 --- a/submissions/description/insecure_os_firmware/hardcoded_password/template.md +++ b/submissions/description/insecure_os_firmware/hardcoded_password/template.md @@ -1,21 +1,21 @@ # Insecure OS Firmware (Hard-Coded Password) -## Overview of the Vulnerability +## Overview of the Vulnerability: When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network. Hard-coded passwords were identified in the source code of the application. An attacker could abuse the hard-coded passwords to gain access to aspects of the application they normally would not have access to. With this increased access, a malicious attacker could perform other attacks on the application, elevate their privileges, or gather sensitive data from within the application. -## Business Impact +## Business Impact: This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the source code files of the application 1. Observe that a password is hard-coded into the source code and does not require external validation -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the hard-coded password within the application source files: diff --git a/submissions/description/insecure_os_firmware/template.md b/submissions/description/insecure_os_firmware/template.md index 0c9adbc4..c45dfc1c 100644 --- a/submissions/description/insecure_os_firmware/template.md +++ b/submissions/description/insecure_os_firmware/template.md @@ -1,14 +1,14 @@ # Insecure OS Firmware -## Overview of the Vulnerability +## Overview of the Vulnerability: When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network. -## Business Impact +## Business Impact: This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Start {{application}} on the operating system and navigate to {{url}} 1. Input the following payload into {{parameter}}: @@ -18,7 +18,7 @@ This vulnerability can lead to direct financial loss to the company due to data 1. Observe that the OS firmware is insecure -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows insecure OS firmware: diff --git a/submissions/description/insufficient_security_configurability/lack_of_notification_email/template.md b/submissions/description/insufficient_security_configurability/lack_of_notification_email/template.md index 1c58ff98..d42d1338 100644 --- a/submissions/description/insufficient_security_configurability/lack_of_notification_email/template.md +++ b/submissions/description/insufficient_security_configurability/lack_of_notification_email/template.md @@ -1,20 +1,20 @@ # Lack of Notification Email -## Overview of the Vulnerability +## Overview of the Vulnerability: The overall security of an application is diminished when accounts are not properly configured to include a notification email upon important account changes, such as a password or email address change. A lack of notification email on account changes allows an attacker who has gained access to a user's account through other means to make changes without notifying the user. -## Business Impact +## Business Impact: A lack of a notification email upon important account changes as a single vulnerability does not have a strong impact. However, chained with other vulnerabilities, it could lead to data theft through the attacker’s ability to manipulate data via their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to login to a valid account and navigate to: {{URL}} 1. Modify an account variable, such as the password or username 1. Observe that no notification email is sent to the associated account email address to notify the owner of the change -## Proof of Concept (PoC) +## Proof of Concept (PoC): The lack of notification email can be seen below below:: diff --git a/submissions/description/insufficient_security_configurability/no_password_policy/template.md b/submissions/description/insufficient_security_configurability/no_password_policy/template.md index cf18df16..292e414f 100644 --- a/submissions/description/insufficient_security_configurability/no_password_policy/template.md +++ b/submissions/description/insufficient_security_configurability/no_password_policy/template.md @@ -1,20 +1,20 @@ # No Password Policy -## Overview of the Vulnerability +## Overview of the Vulnerability: When there is no password policy set, the strength of the overall authentication process for an application is diminished. No password policy is present within this web application, allowing for weak passwords to be used by any user, including Administrator accounts. This makes it relatively easy for an attacker to use password spraying or brute forcing methods to guess users passwords, with minimal effort required to compromise multiple users’ accounts. -## Business Impact +## Business Impact: Having no password policy can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Attempt to login 1. Observe that the application allows the use of weak passwords, such as `a` -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows that there is no password policy: diff --git a/submissions/description/insufficient_security_configurability/password_policy_bypass/template.md b/submissions/description/insufficient_security_configurability/password_policy_bypass/template.md index fdd01251..e0c01b8a 100644 --- a/submissions/description/insufficient_security_configurability/password_policy_bypass/template.md +++ b/submissions/description/insufficient_security_configurability/password_policy_bypass/template.md @@ -1,14 +1,14 @@ # Password Policy Bypass -## Overview of the Vulnerability +## Overview of the Vulnerability: When there is no password policy set, the strength of the overall authentication process for an application is diminished. A password policy bypass is present within this web application, allowing for weak passwords to be used by any user. This makes it easy for an attacker to use password spraying or brute forcing methods to guess users passwords, with minimal effort required to compromise multiple users’ accounts. -## Business Impact +## Business Impact: Having a password policy bypass present within the application can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Attempt to login @@ -16,7 +16,7 @@ Having a password policy bypass present within the application can result in rep ​​{{parameter}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the bypass of the password policy: diff --git a/submissions/description/insufficient_security_configurability/verification_of_contact_method_not_required/template.md b/submissions/description/insufficient_security_configurability/verification_of_contact_method_not_required/template.md index bd3ab555..bb30adc8 100644 --- a/submissions/description/insufficient_security_configurability/verification_of_contact_method_not_required/template.md +++ b/submissions/description/insufficient_security_configurability/verification_of_contact_method_not_required/template.md @@ -1,20 +1,20 @@ # Verification of Contact Method Not Required -## Overview of the Vulnerability +## Overview of the Vulnerability: The overall security of an application is diminished when accounts are not properly verified upon creation of a new contact method, such as an email address. The lack of a verification email for a contact method allows an attacker to associate their account with an unvalidated method of contact. This allows them to perform phishing, or impersonation attacks, and can lead to attacks such as account squatting. -## Business Impact +## Business Impact: A lack of a verification email for an updated contact method can result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to login to a valid account and navigate to: {{URL}} 1. Modify a contact method of the account, such as the phone number of email address 1. Observe that no verification email is sent to the new contact method before it is associated with the account -## Proof of Concept (PoC) +## Proof of Concept (PoC): The lack of notification email can be seen below below:: diff --git a/submissions/description/insufficient_security_configurability/weak_password_policy/template.md b/submissions/description/insufficient_security_configurability/weak_password_policy/template.md index f14e53be..8377b95c 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_policy/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_policy/template.md @@ -1,20 +1,20 @@ # Weak Password Policy -## Overview of the Vulnerability +## Overview of the Vulnerability: When the password policy for an application is weak, the strength of the overall authentication process for the application is diminished. Not having complexity requirements for passwords, password history checks, or enforcing account lockouts, all weaken the password policy. This application’s weak password policy decreases the time it takes an attacker to successfully guess account passwords through manual or automated processes. This can lead to account take over for accounts with weak passwords set. -## Business Impact +## Business Impact: Having a weak password policy can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Attempt to login 1. Observe that the application allows the use of weak passwords -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the weak password policy: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/template.md index 2b2218bb..d04b914f 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/template.md @@ -1,14 +1,14 @@ # Weak Password Reset Implementation -## Overview of the Vulnerability +## Overview of the Vulnerability: When the password reset implementation is weak, the strength of the overall authentication process for the application is diminished. Tokens sent over HTTP, predictable reset tokens, and long expiry times create weak conditions for the password reset implementation. This application’s weak password reset implementation allows an attacker to intercept the password reset token and reset a user’s password, locking the user out of their account and achieving full account takeover. -## Business Impact +## Business Impact: Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login to a valid account and navigate to: {{URL}} @@ -16,7 +16,7 @@ Weak password reset implementation could lead to data theft from the attacker’ 1. Capture the request using the HTTP interception proxy 1. Observe the weakness in the password reset implementation -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the weak password reset implementation: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/template.md index b7172516..4197b159 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/template.md @@ -1,23 +1,23 @@ # Weak Password Reset Implementation (Token Has Long Timed Expiry) -## Overview of the Vulnerability +## Overview of the Vulnerability: The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application’s password reset implementation is weak as it has a long timed expiry, giving an attacker more time to discover an unexpired reset password token and use it to take over its account. -## Business Impact +## Business Impact: Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Initiate a password reset 1. Observe within the HTTP interception proxy that the password reset token has a long timed expiry -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot specifies the long timed expiry of the password reset token below: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_email_change/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_email_change/template.md index 91a356a6..19a97684 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_email_change/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_email_change/template.md @@ -1,23 +1,23 @@ # Weak Password Reset Implementation (Token is Not Invalidated After Email Change) -## Overview of the Vulnerability +## Overview of the Vulnerability: The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application’s password reset implementation is weak as it allows an email that is no longer associated with the account to perform a password reset. -## Business Impact +## Business Impact: Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset 1. Navigate to the following URL and modify the account email address 1. Observe that the password reset token that was received in the earlier step is still valid -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows that the password reset token is not invalidated after email change below: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/template.md index 5a997736..5741f32f 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/template.md @@ -1,25 +1,25 @@ # Weak Password Reset Implementation (Token is Not Invalidated After Login) -## Overview of the Vulnerability +## Overview of the Vulnerability: The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application does not invalidate the password reset token after the user successfully resets their password and login to the application. If an attacker were to gain access to the system used to store the reset token, they could use this unused token to reset the user's password and gain access to the account. -## Business Impact +## Business Impact: Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset 1. Login to the application with the new password 1. Observe that the password reset token that was received in the earlier step is still valid -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows that the password reset token is not invalidated after login below: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_new_token_is_requested/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_new_token_is_requested/template.md index 8d01fb2f..7765dd64 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_new_token_is_requested/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_new_token_is_requested/template.md @@ -1,25 +1,25 @@ # Weak Password Reset Implementation (Token is Not Invalidated After New Token is Requested) -## Overview of the Vulnerability +## Overview of the Vulnerability: The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application does not invalidate the password reset token after a new token is requested. If an attacker were to gain access to the system used to store the reset token, they could use this unused token to reset the user's password and gain access to the account. -## Business Impact +## Business Impact: Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset (request_1) 1. Initiate a password reset (request_2) 1. Open the received request_1 and observe that the password reset token is still valid -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows that the password reset token is not invalidated after a subsequent request for a password reset: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_password_change/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_password_change/template.md index adabb6fc..c6c6153c 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_password_change/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_password_change/template.md @@ -1,25 +1,25 @@ # Weak Password Reset Implementation (Token is Not Invalidated After Password Change) -## Overview of the Vulnerability +## Overview of the Vulnerability: The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application does not invalidate the password reset token after a password change. If an attacker were to gain access to the system used to store the reset token, they could use this unused token to reset the user's password and gain access to the account. -## Business Impact +## Business Impact: Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset 1. Modify the password for the account 1. Observe that the password reset token received earlier is still valid -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows that the password reset token is not invalidated after a password change: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_use/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_use/template.md index e1c0c636..b02a7ab2 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_use/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_use/template.md @@ -1,25 +1,25 @@ # Weak Password Reset Implementation (Token is Not Invalidated After Use) -## Overview of the Vulnerability +## Overview of the Vulnerability: The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application does not invalidate the password reset token after its use. If an attacker were to gain access to the system used to store the reset token, or the email of the user, they could reset the users password again. -## Business Impact +## Business Impact: Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset 1. Utilize the password reset token received to reset the password 1. Observe that the password reset token received earlier is still valid after being used -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows that the password reset token is not invalidated after use: {{screenshot}} diff --git a/submissions/description/insufficient_security_configurability/weak_registration_implementation/allows_disposable_email_addresses/template.md b/submissions/description/insufficient_security_configurability/weak_registration_implementation/allows_disposable_email_addresses/template.md index a0e4e489..2e878f18 100644 --- a/submissions/description/insufficient_security_configurability/weak_registration_implementation/allows_disposable_email_addresses/template.md +++ b/submissions/description/insufficient_security_configurability/weak_registration_implementation/allows_disposable_email_addresses/template.md @@ -1,20 +1,20 @@ # Allows Disposable Email Addresses -## Overview of the Vulnerability +## Overview of the Vulnerability: When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. The application allows users to submit a disposable or alias email address to register an account. An attacker can abuse this weakness to bulk register fake user profiles and use them to launch spam campaigns. -## Business Impact +## Business Impact: Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Register an account using a disposable email service 1. Observe that the account is created -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the weak registration implementation: diff --git a/submissions/description/insufficient_security_configurability/weak_registration_implementation/template.md b/submissions/description/insufficient_security_configurability/weak_registration_implementation/template.md index 391b9263..537e5227 100644 --- a/submissions/description/insufficient_security_configurability/weak_registration_implementation/template.md +++ b/submissions/description/insufficient_security_configurability/weak_registration_implementation/template.md @@ -1,20 +1,20 @@ # Weak Registration Implementation -## Overview of the Vulnerability +## Overview of the Vulnerability: When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. An application's registration process can be weakened by a connection over HTTP, or by allowing users to submit a disposable or alias email address to register an account, for example.The weak registration implementation for this application could allow an attacker to abuse the registration process and bulk register fake user profiles to launch spam campaigns. -## Business Impact +## Business Impact: Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Register an account 1. {{action}} and observe that the registration implementation is weak -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the weak registration implementation: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/missing_failsafe/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/missing_failsafe/template.md index 9b98b167..afb0b846 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/missing_failsafe/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/missing_failsafe/template.md @@ -1,20 +1,20 @@ # 2FA Missing Failsafe -## Overview of the Vulnerability +## Overview of the Vulnerability: Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. Not providing a failsafe in the 2FA implementation in the application could prevent a user who has lost their 2FA device to an attacker from resetting the password of their account. An attacker can take advantage of this and potentially take over user accounts. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Login to the application at: {{url}} 1. Navigate to the 2FA registration page at: {{url}} 1. Register for 2FA, and observe that the implementation provides no failsafe login methods, such as offline backup codes -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the missing 2FA failsafe: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/old_two_fa_code_is_not_invalidated_after_new_code_is_generated/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/old_two_fa_code_is_not_invalidated_after_new_code_is_generated/template.md index 66937eb6..f012bbe6 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/old_two_fa_code_is_not_invalidated_after_new_code_is_generated/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/old_two_fa_code_is_not_invalidated_after_new_code_is_generated/template.md @@ -1,14 +1,14 @@ # Old 2FA Code is Not Invalidated After New Code is Generated -## Overview of the Vulnerability +## Overview of the Vulnerability: Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. An older 2FA code is not invalidated when a new code is generated in the application. This could allow an attacker to perform a replay attack. In this kind of attack, an attacker can use older unused 2FA codes to bypass the 2FA implementation of the application. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Login to the application at: {{url}} 1. When the 2FA step of the login is reached, request a code @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Input the first, older code into the 2FA input 1. Observe that the application allows the use of the first code after the second was generated, meaning it was not invalidated -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the old 2FA code not being invalidated: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/template.md index d232bf90..b58156c9 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/template.md @@ -1,20 +1,20 @@ # Weak 2FA Implementation -## Overview of the Vulnerability +## Overview of the Vulnerability: Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. The application’s implementation of 2FA is weak which makes user accounts more susceptible to compromise. An attacker can take advantage of this weak 2FA implementation and potentially take over user accounts. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Login to the application at: {{url}} 1. When the two factor authentication step of the login is reached, request a code 1. Perform {{action}} and observe that the 2FA implementation is weak -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the weak implementation of 2FA: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_code_is_not_updated_after_new_code_is_requested/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_code_is_not_updated_after_new_code_is_requested/template.md index 6a993260..842b009f 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_code_is_not_updated_after_new_code_is_requested/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_code_is_not_updated_after_new_code_is_requested/template.md @@ -1,21 +1,21 @@ # 2FA Code is Not Updated After New Code is Requested -## Overview of the Vulnerability +## Overview of the Vulnerability: Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. A 2FA code is not updated when a new code is requested in the application which does not follow best practice for 2FA implementation. An attacker can take advantage of this weak 2FA implementation and potentially take over user accounts. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Login to the application at: {{url}} 1. When the 2FA step of the login is reached, request a code 1. When the first code is received, request a new code and verify that the second code is also received 1. Observe that the first and second code are identical, demonstrating that the 2FA code is not updated when a new code is requested -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates that the 2FA code is not updated when a new code is requested: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_cannot_be_rotated/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_cannot_be_rotated/template.md index ffc17f44..97f292ae 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_cannot_be_rotated/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_cannot_be_rotated/template.md @@ -1,20 +1,20 @@ # 2FA Secret Cannot be Rotated -## Overview of the Vulnerability +## Overview of the Vulnerability: Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. The 2FA secret cannot be rotated in the application which does not follow best practice for 2FA implementation.If an attacker were able to compromise a user's 2FA system, the user would not be able to invalidate their 2FA secret. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Login to the application at: {{url}} 1. Setup two factor authentication 1. After the 2FA secret is created, observe that there is no way in which the secret can be rotated -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates that the 2FA code can’t be rotated: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_remains_obtainable_after_two_fa_is_enabled/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_remains_obtainable_after_two_fa_is_enabled/template.md index 407c07fe..b41f47c3 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_remains_obtainable_after_two_fa_is_enabled/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_remains_obtainable_after_two_fa_is_enabled/template.md @@ -1,20 +1,20 @@ # 2FA Secret Remains Obtainable After 2FA is Enabled -## Overview of the Vulnerability +## Overview of the Vulnerability: Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. The 2FA secret remains obtainable after initial setup in the application. This could allow an attacker with account access or physical access to bypass the 2FA system. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Login to the application at: {{url}} 1. Setup two factor authentication 1. After initial setup, observe that the two factor authentication secret is still obtainable at: {{url}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the full exploit: diff --git a/submissions/description/lack_of_binary_hardening/lack_of_exploit_mitigations/template.md b/submissions/description/lack_of_binary_hardening/lack_of_exploit_mitigations/template.md index 19ca95bb..aee4fa8b 100644 --- a/submissions/description/lack_of_binary_hardening/lack_of_exploit_mitigations/template.md +++ b/submissions/description/lack_of_binary_hardening/lack_of_exploit_mitigations/template.md @@ -1,20 +1,20 @@ # Lack of Exploit Mitigations -## Overview of the Vulnerability +## Overview of the Vulnerability: A lack of exploit mitigations in an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker could abuse the lack of exploit mitigations in order to run known exploits on the application. From here, the attacker can access sensitive data stored, transmitted or processed by the application and perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the source code files of the application 1. Run the following known exploit: {{payload}} 1. Observe that the application does not contain any mitigations to prevent this exploit -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the lack of exploit mitigation: diff --git a/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/template.md b/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/template.md index c267d891..e7e42254 100644 --- a/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/template.md +++ b/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/template.md @@ -1,20 +1,20 @@ # Lack of Jailbreak Detections -## Overview of the Vulnerability +## Overview of the Vulnerability: A lack of jailbreak (iOS) or root access (Android) detections in an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker could abuse the lack of jailbreak (iOS) or root access (Android) detections to access the internal file system of the application, or inject unauthorized code into the application. -## Business Impact +## Business Impact: This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Jailbreak (iOS) or gain root access (Android) to a mobile device 1. Install the application on the mobile device 1. Open the application and observe that the application does not prevent access or acknowledge that the mobile device has been jailbroken (iOS) or that root access (Android) has been gained, indicating it lacks a detection mechanism -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the lack of jailbreak (iOS) or root access (Android) detections: diff --git a/submissions/description/lack_of_binary_hardening/lack_of_obfuscation/template.md b/submissions/description/lack_of_binary_hardening/lack_of_obfuscation/template.md index c4299097..ba980b10 100644 --- a/submissions/description/lack_of_binary_hardening/lack_of_obfuscation/template.md +++ b/submissions/description/lack_of_binary_hardening/lack_of_obfuscation/template.md @@ -1,19 +1,19 @@ # Lack of Obfuscation -## Overview of the Vulnerability +## Overview of the Vulnerability: A lack of obfuscation of the source code of an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker could abuse non-obfuscated source code of the application, read source code without any hindrances and perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the source code files of the application 1. Observe that there is no obfuscation in the source code -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the lack of obfuscation: diff --git a/submissions/description/lack_of_binary_hardening/runtime_instrumentation_based/template.md b/submissions/description/lack_of_binary_hardening/runtime_instrumentation_based/template.md index d03aa4f3..ab364d47 100644 --- a/submissions/description/lack_of_binary_hardening/runtime_instrumentation_based/template.md +++ b/submissions/description/lack_of_binary_hardening/runtime_instrumentation_based/template.md @@ -1,19 +1,19 @@ # Lack of Binary Hardening (Runtime Instrumentation-Based) -## Overview of the Vulnerability +## Overview of the Vulnerability: A lack of runtime instrumentation-based binary hardening of an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. When an application cannot detect changes in the code base at runtime compared to known integrity checks, the application can react in unpredictable ways. An attacker can take advantage of this lack of checks at runtime and alter the performance of the application, then also perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the source code files of the application 1. Observe that there is no integrity checking in the source code at runtime -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the lack of binary hardening: diff --git a/submissions/description/lack_of_binary_hardening/template.md b/submissions/description/lack_of_binary_hardening/template.md index a2fb4091..ded30a94 100644 --- a/submissions/description/lack_of_binary_hardening/template.md +++ b/submissions/description/lack_of_binary_hardening/template.md @@ -1,19 +1,19 @@ # Lack of Binary Hardening -## Overview of the Vulnerability +## Overview of the Vulnerability: A lack of binary hardening of an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker with access to the code of an application with a lack of binary hardening can reverse engineer it and perform unauthorized code modification. From here, the attacker can access sensitive data stored, transmitted or processed by the application and perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the source code files of the application 1. Observe that there is no binary hardening for the application -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the lack of binary hardening: diff --git a/submissions/description/mobile_security_misconfiguration/auto_backup_allowed_by_default/template.md b/submissions/description/mobile_security_misconfiguration/auto_backup_allowed_by_default/template.md index c7cdaa1d..d0f8af9f 100644 --- a/submissions/description/mobile_security_misconfiguration/auto_backup_allowed_by_default/template.md +++ b/submissions/description/mobile_security_misconfiguration/auto_backup_allowed_by_default/template.md @@ -1,23 +1,23 @@ # Auto Backup Allowed by Default -## Overview of the Vulnerability +## Overview of the Vulnerability: Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. When automatic backup is allowed by default, sensitive user data can be unknowingly stored on the mobile device. An attacker could abuse an application that has auto backup allowed by default to access this sensitive data from the application once they have physical access to the device. This could allow the attacker to bypass any in-app authentication and access sensitive data which they could abuse to perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Install the application on an android mobile device 1. In the mobile device, enable USB debugging 1. Use the android ADB tool to backup the data of the mobile device 1. In this backup, view that sensitive data from the application was included in the backup automatically -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/clipboard_enabled/template.md b/submissions/description/mobile_security_misconfiguration/clipboard_enabled/template.md index 29a3f4d4..ff1be5ab 100644 --- a/submissions/description/mobile_security_misconfiguration/clipboard_enabled/template.md +++ b/submissions/description/mobile_security_misconfiguration/clipboard_enabled/template.md @@ -1,22 +1,22 @@ # System Clipboard Enabled -## Overview of the Vulnerability +## Overview of the Vulnerability: Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. When the system clipboard is enabled, sensitive user data, such as passwords, can be unknowingly stored on the mobile device. An attacker could abuse the system clipboard being enabled to steal sensitive information that a user copied to their clipboard from within the application. With access to this sensitive data they could perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Install the application on your mobile device 1. Navigate to {{url}} and copy some sensitive account information 1. Paste this data in some other area of your mobile device and observe that access to the clipboard was enabled in the application -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/absent/template.md b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/absent/template.md index 535a4930..1510d7fd 100644 --- a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/absent/template.md +++ b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/absent/template.md @@ -1,22 +1,22 @@ # Mobile Security Misconfiguration (SSL Certificate Pinning Absent) -## Overview of the Vulnerability +## Overview of the Vulnerability: Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. SSL pinning adds an extra layer of security for an application as it forces the application to validate the server’s CA certificate against a known copy. Without SSL certificate pinning, an attacker could perform a Person-in-the-Middle (PitM) attack on the user. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Install the application on your mobile device 1. Route your mobile device's HTTP traffic through a proxy server and install/trust the proxy server's CA certificate 1. Open the application and observe that the HTTP traffic is routed through the proxy server, meaning the application does not implement certificate pinning -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/defeatable/template.md b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/defeatable/template.md index 204693c4..f30f45e4 100644 --- a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/defeatable/template.md +++ b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/defeatable/template.md @@ -1,16 +1,16 @@ # Mobile Security Misconfiguration (SSL Certificate Pinning Defeatable) -## Overview of the Vulnerability +## Overview of the Vulnerability: Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. SSL pinning adds an extra layer of security for an application as it forces the application to validate the server’s CA certificate against a known copy. When SSL certificate pinning is defeatable, an attacker could perform a Person-in-the-Middle (PitM) attack on the user. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Install the application on your mobile device 1. Route your mobile device's HTTP traffic through a proxy server and install/trust the proxy server's CA certificate @@ -20,7 +20,7 @@ This vulnerability can lead to reputational damage as customers may view the app 1. Open the application and observe that the HTTP traffic is routed through the proxy server, meaning the certificate pinning was defeated -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/template.md b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/template.md index 58f34e24..af38896e 100644 --- a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/template.md +++ b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/template.md @@ -1,16 +1,16 @@ # Mobile Security Misconfiguration (SSL Certificate Pinning) -## Overview of the Vulnerability +## Overview of the Vulnerability: Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. SSL pinning adds an extra layer of security for an application as it forces the application to validate the server’s CA certificate against a known copy. When SSL certificate pinning is misconfigured, an attacker could perform a Person-in-the-Middle (PitM) attack on the user. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Install the application on your mobile device 1. Route your mobile device's HTTP traffic through a proxy server and install/trust the proxy server's CA certificate @@ -20,7 +20,7 @@ This vulnerability can lead to reputational damage as customers may view the app 1. Open the application and observe that the HTTP traffic is routed through the proxy server, meaning the certificate pinning is misconfigured -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/tapjacking/template.md b/submissions/description/mobile_security_misconfiguration/tapjacking/template.md index c4b77353..a43781a6 100644 --- a/submissions/description/mobile_security_misconfiguration/tapjacking/template.md +++ b/submissions/description/mobile_security_misconfiguration/tapjacking/template.md @@ -1,21 +1,21 @@ # Tapjacking -## Overview of the Vulnerability +## Overview of the Vulnerability: Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. Tapjacking occurs when user input is captured by an application it was not intended for. This usually occurs through screen overlays that gather input when a user believes they are inputting information into a different screen. An attacker could abuse an application that does not protect sensitive UI functionality from tapjacking by stealing UI inputs from a user that uses the application on specific Android OS versions. With access to sensitive data through a tapjacking attack, an attacker could perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. View the source code files of the application 1. Navigate to {{url}} and view the sensitive UI functionality does not have the attribute `"filterTouchesWhenObscured="true"`, thus allowing tapjacking attacks on certain Android OS versions -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/template.md b/submissions/description/mobile_security_misconfiguration/template.md index 0f94900f..fd26c5d3 100644 --- a/submissions/description/mobile_security_misconfiguration/template.md +++ b/submissions/description/mobile_security_misconfiguration/template.md @@ -1,19 +1,19 @@ # Mobile Security Misconfiguration -## Overview of the Vulnerability +## Overview of the Vulnerability: Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. An attacker can take advantage of security misconfigurations within the mobile application to perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the following filesystem/page within the application: {{location}} 1. Observe through an HTTP interception proxy or in-application tools that there is a mobile security misconfiguration -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/network_security_misconfiguration/telnet_enabled/template.md b/submissions/description/network_security_misconfiguration/telnet_enabled/template.md index ef991197..f3d7fd9d 100644 --- a/submissions/description/network_security_misconfiguration/telnet_enabled/template.md +++ b/submissions/description/network_security_misconfiguration/telnet_enabled/template.md @@ -1,19 +1,19 @@ # Telnet Enabled -## Overview of the Vulnerability +## Overview of the Vulnerability: When telnet is enabled, all data sent over the connection is unsecured as telnet transmits all data via plain text. An attacker could perform a Person-in-the-Middle (PitM) attack and access sensitive data being transmitted via the telnet connection. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Issue the following command line in the terminal window: `telnet {{application}}` 1. Observe that a telnet connection is successfully established between the client computer and the application -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating that a successful telnet connection can be made: diff --git a/submissions/description/privacy_concerns/template.md b/submissions/description/privacy_concerns/template.md index 7e4c0b17..9150c383 100644 --- a/submissions/description/privacy_concerns/template.md +++ b/submissions/description/privacy_concerns/template.md @@ -1,20 +1,20 @@ # Privacy Concerns -## Overview of the Vulnerability +## Overview of the Vulnerability: Privacy concerns arise when an application collects user or user device data that is not necessary for the functionality of the application. Unnecessary can range from personally identifiable user information to user device information that is not needed for use of the application. If an attacker were to gain access to this collected information they could perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Observe in the HTTP interception proxy that unnecessary data is being collected -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating that unnecessary data collection: diff --git a/submissions/description/privacy_concerns/unnecessary_data_collection/template.md b/submissions/description/privacy_concerns/unnecessary_data_collection/template.md index 1307312e..03a5ad8e 100644 --- a/submissions/description/privacy_concerns/unnecessary_data_collection/template.md +++ b/submissions/description/privacy_concerns/unnecessary_data_collection/template.md @@ -1,20 +1,20 @@ # Unnecessary Data Collection -## Overview of the Vulnerability +## Overview of the Vulnerability: Unnecessary data collection is where an application collects user or user device data that is not necessary for the functionality of the application. If an attacker were to gain access to this collected information they could perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Observe in the HTTP interception proxy that unnecessary data is being collected -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating that unnecessary data collection: diff --git a/submissions/description/privacy_concerns/unnecessary_data_collection/wifi_ssid_password/template.md b/submissions/description/privacy_concerns/unnecessary_data_collection/wifi_ssid_password/template.md index 7fdc4cbf..4c4a91ec 100644 --- a/submissions/description/privacy_concerns/unnecessary_data_collection/wifi_ssid_password/template.md +++ b/submissions/description/privacy_concerns/unnecessary_data_collection/wifi_ssid_password/template.md @@ -1,20 +1,20 @@ # Unnecessary Data Collection (WIFI SSID & Password) -## Overview of the Vulnerability +## Overview of the Vulnerability: Unnecessary data collection is where an application collects user or user device data that is not necessary for the functionality of the application. The WIFI SSID and password is not used by the application and therefore its collection is unnecessary. If an attacker were to gain access to this collected information they could perform further attacks on the application, the business, or its users. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Observe in the HTTP interception proxy that the WIFI SSID and password is being collected -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating that unnecessary data collection: diff --git a/submissions/description/sensitive_data_exposure/critically_sensitive_data/password_disclosure/template.md b/submissions/description/sensitive_data_exposure/critically_sensitive_data/password_disclosure/template.md index a9eb580a..4614fe20 100644 --- a/submissions/description/sensitive_data_exposure/critically_sensitive_data/password_disclosure/template.md +++ b/submissions/description/sensitive_data_exposure/critically_sensitive_data/password_disclosure/template.md @@ -1,14 +1,14 @@ # Critically Sensitive Data Exposure: Password Disclosure -## Overview of the Vulnerability +## Overview of the Vulnerability: Disclosure of critically sensitive data occurs when the data is not properly secured, allowing critically sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses the password of a user’s account which an attacker could use to take over the account and access, delete, or modify data from within the application. -## Business Impact +## Business Impact: Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -21,7 +21,7 @@ Disclosure of secrets can lead to indirect financial loss through an attacker ac 1. Verify that the password is valid and allows authenticated actions to be performed in the user’s account -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below displays the password disclosed: diff --git a/submissions/description/sensitive_data_exposure/critically_sensitive_data/private_api_keys/template.md b/submissions/description/sensitive_data_exposure/critically_sensitive_data/private_api_keys/template.md index 82e4c44c..baca6ba4 100644 --- a/submissions/description/sensitive_data_exposure/critically_sensitive_data/private_api_keys/template.md +++ b/submissions/description/sensitive_data_exposure/critically_sensitive_data/private_api_keys/template.md @@ -1,16 +1,16 @@ # Critically Sensitive Data Exposure: Private API Keys -## Overview of the Vulnerability +## Overview of the Vulnerability: Disclosure of critically sensitive data occurs when the data is not properly secured, allowing critically sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses private API keys which an attacker could use to abuse the API access and retrieve, delete, or modify data using the API functionality. -## Business Impact +## Business Impact: Critically sensitive data exposure can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. If the API is pay-per-use, this could lead to a direct financial cost to the business if an attacker were to repeatedly request resources from the API. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application and the API. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +23,7 @@ This could also result in reputational damage for the business through the impac 1. Verify that the API key is valid and allows access to sensitive data -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below displays the API key disclosed: diff --git a/submissions/description/sensitive_data_exposure/critically_sensitive_data/template.md b/submissions/description/sensitive_data_exposure/critically_sensitive_data/template.md index 0e646e9b..e76b5b57 100644 --- a/submissions/description/sensitive_data_exposure/critically_sensitive_data/template.md +++ b/submissions/description/sensitive_data_exposure/critically_sensitive_data/template.md @@ -1,16 +1,16 @@ # Critically Sensitive Data Exposure -## Overview of the Vulnerability +## Overview of the Vulnerability: Disclosure of critically sensitive data occurs when the data is not properly secured, allowing critically sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This data exposure can be described as critically sensitive as its exposure would likely cause a high priority incident. -## Business Impact +## Business Impact: Critically sensitive data exposure can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. If a private API key is accessed and is pay-per-use, this could lead to a direct financial cost to the business if an attacker were to repeatedly request resources from the API. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application and the API. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +23,7 @@ This could also result in reputational damage for the business through the impac 1. Verify that the critical sensitive data is valid and allows access to other data or functionality -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below displays the password disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_known_public_information/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_known_public_information/template.md index 61870bf9..8faed33e 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_known_public_information/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_known_public_information/template.md @@ -1,21 +1,21 @@ # Sensitive Data Exposure: Disclosure of Known Public Information -## Overview of the Vulnerability +## Overview of the Vulnerability: Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This can occur due to a variety of scenarios such as not encrypting data, secrets committed to GitHub within public repositories, or exposed internal assets. Known public information is disclosed by this application which can be used by an attacker to build a profile of the business, the application, and its users for further attacks. -## Business Impact +## Business Impact: Disclosure of known public information can result in reputational damage for the business through an attacker’s ability to impact customers' trust through further attack methods, such as social engineering. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{url}} 1. Observe that publicly known information is being disclosed -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below displays the publicly known information disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/data_traffic_spam/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/data_traffic_spam/template.md index a696755b..21a3e881 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/data_traffic_spam/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/data_traffic_spam/template.md @@ -1,14 +1,14 @@ # Disclosure of Secrets in Data Traffic Spam -## Overview of the Vulnerability +## Overview of the Vulnerability: Disclosure of secrets occurs when the data is not properly secured, allowing sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses data within data traffic spam which can enable an attacker to use secrets for privilege escalation within the application, or to send API requests on behalf of the user. -## Business Impact +## Business Impact: Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +20,7 @@ Disclosure of secrets can lead to indirect financial loss through an attacker ac 1. Observe the disclosure of sensitive data in the HTTP interception proxy -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_internal_asset/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_internal_asset/template.md index 72d0269f..8e31a3fc 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_internal_asset/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_internal_asset/template.md @@ -1,16 +1,16 @@ # Disclosure of Secrets for Internal Asset -## Overview of the Vulnerability +## Overview of the Vulnerability: Disclosure of secrets for internal assets occurs when sensitive data for the internal assets is not behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, secrets committed to GitHub within public repositories, or exposed internal assets. Disclosure of secrets for this internal asset could be leveraged by an attacker to access the internal application or the environment where the application is hosted. -## Business Impact +## Business Impact: Disclosure of secrets for internal assets can lead to indirect financial loss due to an attacker accessing, deleting, or modifying data from within the application. This could happen through an insider threat, existing data breaches, or a malicious internal attacker escalating their privileges. Reputational damage for the business can also occur via the impact to customers’ trust that these events create. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Setup a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{url}}/data/ @@ -19,7 +19,7 @@ Disclosure of secrets for internal assets can lead to indirect financial loss du {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below show the full exploit: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_publicly_accessible_asset/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_publicly_accessible_asset/template.md index a7a9594b..ebc4495b 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_publicly_accessible_asset/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_publicly_accessible_asset/template.md @@ -1,14 +1,14 @@ # Disclosure of Secrets for a Publicly Accessible Asset -## Overview of the Vulnerability +## Overview of the Vulnerability: Disclosure of secrets for a publicly available asset occurs when sensitive data is not behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, secrets committed to GitHub within public repositories, or exposed external assets. Disclosure of secrets for publicly available assets could be leveraged by an attacker to gain privileged access to the application or the environment where the application is hosted. From here, an attacker could execute functions under the guise of an Administrator user, depending on the permissions level they are able to access. -## Business Impact +## Business Impact: Disclosure of secrets for a publicly available asset can lead to indirect financial loss due to an attacker accessing, deleting, or modifying data from within the application. Reputational damage for the business can also occur via the impact to customers’ trust that these events create. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{url}}/data/ 1. Observe that secrets are being disclosed @@ -19,7 +19,7 @@ Disclosure of secrets for a publicly available asset can lead to indirect financ {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The exposed secrets for this publicly accessible asset can be seen in the screenshot below: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/intentionally_public_sample_or_invalid/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/intentionally_public_sample_or_invalid/template.md index 3c83cb6b..326a9e49 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/intentionally_public_sample_or_invalid/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/intentionally_public_sample_or_invalid/template.md @@ -1,21 +1,21 @@ # Disclosure of Secrets for an Invalid or Intentionally Publicly Sample -## Overview of the Vulnerability +## Overview of the Vulnerability: Disclosure of critically sensitive data occurs when the data is not properly secured, allowing critically sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses an invalid, or intentionally public sample, of secrets that are used for the application. While seemingly harmless, an attacker can use these examples to build wordlists, which can be used to bruteforce requests to the application until a valid secret is processed successfully. -## Business Impact +## Business Impact: Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application via the access gained using the non-corporate user account. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the following URL: {{URL}} 1. Observe the following invalid/Intentionally public secret was revealed: {{value}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/non_corporate_user/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/non_corporate_user/template.md index 988a682a..ed75ae9c 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/non_corporate_user/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/non_corporate_user/template.md @@ -1,21 +1,21 @@ # Disclosure of Secrets for Non-Corporate User -## Overview of the Vulnerability +## Overview of the Vulnerability: Disclosure of secrets occurs when the data is not properly secured. When secrets are exposed it can place the application at further risk of compromise. This application discloses secrets for a non-corporate user which can be leveraged by an attacker to access the application and make requests on the legitimate user’s behalf. -## Business Impact +## Business Impact: Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application via the access gained using the non-corporate user account. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the following URL: {{URL}} 1. Observe the following secret for a non-corporate user was revealed: {{value}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pay_per_use_abuse/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pay_per_use_abuse/template.md index 5b8eccc0..feb6fefb 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pay_per_use_abuse/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pay_per_use_abuse/template.md @@ -1,14 +1,14 @@ # Disclosure of Secrets Pay-Per-Use Abuse -## Overview of the Vulnerability +## Overview of the Vulnerability: Disclosure of secrets occurs when the data is not properly secured, allowing sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses sensitive data that could be used by an attacker to make repeated API requests on a user’s behalf without their knowledge. Additionally, if an attacker is able to chain this vulnerability with another, they could use their access to the API to escalate privileges on the application and its hosted environment. -## Business Impact +## Business Impact: Disclosure of secrets can lead to direct financial loss through an attacker making repeated requests to the API which are generally pay-per-use. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -24,7 +24,7 @@ Disclosure of secrets can lead to direct financial loss through an attacker maki 1. Observe the HTTP 200 OK success status response code -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/template.md index 2248ee10..4d991248 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/template.md @@ -1,21 +1,21 @@ # Disclosure of Secrets -## Overview of the Vulnerability +## Overview of the Vulnerability: Disclosure of secrets occurs when sensitive data is not behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, secrets committed to GitHub within public repositories, or exposed internal assets. Examples of secret data include, but are not limited to, vendor details, client information, Personally Identifiable Information (PII), Social Security Numbers, medical data, banking information, and credentials or authentication keys. Disclosure of secrets could be used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors. -## Business Impact +## Business Impact: Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{url}}/data/ 1. Observe that secrets are being disclosed -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/automatic_user_enumeration/template.md b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/automatic_user_enumeration/template.md index 5d305a9b..b7b20175 100644 --- a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/automatic_user_enumeration/template.md +++ b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/automatic_user_enumeration/template.md @@ -1,14 +1,14 @@ # Automatic User Enumeration from EXIF Geolocation Data on Uploaded Images -## Overview of the Vulnerability +## Overview of the Vulnerability: Exchangeable Image File Format (EXIF) data is a standard used to specify the format of metadata in photographs. Most EXIF data contains the make, model and type of camera used, the lens settings, as well as the geolocation data. This application does not remove the EXIF data when a user uploads photographs, which could be used by an attacker to find and collect the geolocation data of users. Additionally, software can be used to automatically extract the EXIF geolocation data from multiple uploaded images, which can be used to automatically enumerate users. -## Business Impact +## Business Impact: When an application fails to remove the EXIF data from uploaded images, it breaks the user’s trust in the application and can result in reputational damage to the business. This impact is amplified by the speed of which an attacker is able to enumerate geolocation data of users on the platform. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{url}} 1. Download the user uploaded image @@ -16,7 +16,7 @@ When an application fails to remove the EXIF data from uploaded images, it break {{Software}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the EXIF Geolocation Data: diff --git a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/manual_user_enumeration/template.md b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/manual_user_enumeration/template.md index d3f41f82..a1fdd674 100644 --- a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/manual_user_enumeration/template.md +++ b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/manual_user_enumeration/template.md @@ -1,20 +1,20 @@ # Manual User Enumeration from EXIF Geolocation Data on Uploaded Images -## Overview of the Vulnerability +## Overview of the Vulnerability: Exchangeable Image File Format (EXIF) data is a standard used to specify the format of metadata in photographs. Most EXIF data contains the make, model and type of camera used, the lens settings, as well as the geolocation data. This application does not remove the EXIF data when a user uploads photographs, which could be used by an attacker to find and collect the geolocation data of users. Additionally, software can be used to automatically extract the EXIF geolocation data from multiple uploaded images, which can be used to manually enumerate users. -## Business Impact +## Business Impact: When an application fails to remove the EXIF data from uploaded images, it breaks the user’s trust in the application and can result in reputational damage to the business. This impact is amplified as an attacker is able to manually enumerate geolocation data of users on the platform. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{url}} 1. Download the user uploaded image 1. Extract the EXIF geolocation data for multiple users -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the EXIF Geolocation Data: diff --git a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/template.md b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/template.md index b65faa5c..1607eda3 100644 --- a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/template.md +++ b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/template.md @@ -1,20 +1,20 @@ # EXIF Geolocation Data on Uploaded Images -## Overview of the Vulnerability +## Overview of the Vulnerability: Exchangeable Image File Format (EXIF) data is a standard used to specify the format of metadata in photographs. Most EXIF data contains the make, model and type of camera used, the lens settings, as well as the geolocation data. This application does not remove the EXIF data when a user uploads photographs, which could be used by an attacker to find and collect the geolocation data of users. -## Business Impact +## Business Impact: When an application fails to remove the EXIF data from uploaded images, it breaks the user’s trust in the application and can result in reputational damage to the business. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{url}} 1. Download the user uploaded image 1. Extract the EXIF geolocation data -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the EXIF Geolocation Data: diff --git a/submissions/description/sensitive_data_exposure/internal_ip_disclosure/template.md b/submissions/description/sensitive_data_exposure/internal_ip_disclosure/template.md index e3b2e1ac..022f4514 100644 --- a/submissions/description/sensitive_data_exposure/internal_ip_disclosure/template.md +++ b/submissions/description/sensitive_data_exposure/internal_ip_disclosure/template.md @@ -1,20 +1,20 @@ # Internal IP Address Disclosure -## Overview of the Vulnerability +## Overview of the Vulnerability: Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application discloses an internal IP address which an attacker could interact with to send requests and execute functions on the underlying system. -## Business Impact +## Business Impact: When an application fails to mask internal IP addresses it leaves the internal network more susceptible to future network based attacks. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. In the HTTP interception proxy, observe the disclosed internal IP address -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the disclosed internal IP address: diff --git a/submissions/description/sensitive_data_exposure/json_hijacking/template.md b/submissions/description/sensitive_data_exposure/json_hijacking/template.md index 210b9ec9..fde4462b 100644 --- a/submissions/description/sensitive_data_exposure/json_hijacking/template.md +++ b/submissions/description/sensitive_data_exposure/json_hijacking/template.md @@ -1,16 +1,16 @@ # Sensitive Data Disclosure via JSON Hijacking -## Overview of the Vulnerability +## Overview of the Vulnerability: Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. JSON Hijacking allows a malicious attacker to exfiltrate sensitive data using Cross Site Request Forgery (CSRF) and overriding the Object prototype by using `__defineSetter__`. This application is susceptible to JSON hijacking which enables an attacker to retrieve sensitive data by tricking a user to click on a crafted link. Once a user clicks on the link, data from the user’s account is read and passed to the attacker. This allows an attacker to collect Personally Identifiable Information (PII) and sensitive metadata to escalate privileges or launch phishing campaigns on targeted users. -## Business Impact +## Business Impact: When an application fails to mask internal IP addresses it leaves the internal network more susceptible to future network based attacks. -## Steps to Reproduce +## Steps to Reproduce: 1. Host the following payload on the attacker server: @@ -25,7 +25,7 @@ When an application fails to mask internal IP addresses it leaves the internal n {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the sensitive data disclosed: diff --git a/submissions/description/sensitive_data_exposure/mixed_content/template.md b/submissions/description/sensitive_data_exposure/mixed_content/template.md index 83a39816..29238c22 100644 --- a/submissions/description/sensitive_data_exposure/mixed_content/template.md +++ b/submissions/description/sensitive_data_exposure/mixed_content/template.md @@ -1,21 +1,21 @@ # Sensitive Data Exposure via Mixed Content -## Overview of the Vulnerability +## Overview of the Vulnerability: Mixed content is when a page is loaded over a HTTPS connection but the application pulls content using a mix of HTTP and HTTPS, leaving the page susceptible to sniffing and Person-in-The-Middle (PiTM) attacks. This application discloses sensitive data via mixed content, enabling an attacker to collect sensitive metadata to escalate privileges or launch phishing campaigns on targeted users. -## Business Impact +## Business Impact: This vulnerability can lead to data theft through the attacker’s ability to manipulate data through their access to the application through a PiTM connection. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Login as a user and navigate to: {{URL}} 1. Use Developer Tools, Network tab to see that sensitive content is being served over HTTP: {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the sensitive data served over HTTP: diff --git a/submissions/description/sensitive_data_exposure/non_sensitive_token_in_url/template.md b/submissions/description/sensitive_data_exposure/non_sensitive_token_in_url/template.md index 29011d13..0ae84be6 100644 --- a/submissions/description/sensitive_data_exposure/non_sensitive_token_in_url/template.md +++ b/submissions/description/sensitive_data_exposure/non_sensitive_token_in_url/template.md @@ -1,19 +1,19 @@ # Sensitive data disclosure: Non-Sensitive Token in URL -## Overview of the Vulnerability +## Overview of the Vulnerability: Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application discloses a non-sensitive token in the URL which an attacker can use to build word lists for brute-forcing valid tokens across the application environment. -## Business Impact +## Business Impact: When an application discloses a non-sensitive token in the URL it leaves the application more susceptible to future attacks. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Observe the exposed token in the URL -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the non-sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/pii_leakage_exposure/template.md b/submissions/description/sensitive_data_exposure/pii_leakage_exposure/template.md index 371ee144..633a3097 100644 --- a/submissions/description/sensitive_data_exposure/pii_leakage_exposure/template.md +++ b/submissions/description/sensitive_data_exposure/pii_leakage_exposure/template.md @@ -1,21 +1,21 @@ # PII Leakage/Exposure -## Overview of the Vulnerability +## Overview of the Vulnerability: Personally Identifiable Information (PII) exposure can occur when sensitive data is not encrypted, or behind an authorization barrier. When PII is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, SSL not being used for authenticated pages, or passwords being stored using unsalted hashes. Examples of such data include, but are not limited to: Social Security Numbers (SSN), medical data, banking information, and login credentials. Sensitive data relating to the business was exposed. This data could be exfiltrated and used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors. -## Business Impact +## Business Impact: Leakage or exposure of PII can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{url}}/data/ 1. Observe that secrets are being disclosed -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below displays the PII disclosed: diff --git a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/file_paths/template.md b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/file_paths/template.md index cd4250e3..890f1d60 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/file_paths/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/file_paths/template.md @@ -1,14 +1,14 @@ # Hardcoded File Paths -## Overview of the Vulnerability +## Overview of the Vulnerability: Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application has hardcoded file paths which can be used by an attacker to request files from the underlying system via directory traversal and can lead to exposure of data such as file naming conventions, system admin users, and permissions on the system. -## Business Impact +## Business Impact: This vulnerability can lead to sensitive data through the attacker’s ability to manipulate the application through their access to the hardcoded file paths. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +17,7 @@ This vulnerability can lead to sensitive data through the attacker’s ability t {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the hardcoded file path: diff --git a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/oauth_secret/template.md b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/oauth_secret/template.md index c2eac6cb..7802ec19 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/oauth_secret/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/oauth_secret/template.md @@ -1,14 +1,14 @@ # Hardcoded OAuth Secret -## Overview of the Vulnerability +## Overview of the Vulnerability: Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application has hardcoded OAuth secrets which can be used by an attacker to escalate privileges within the application via OAuth workflows. -## Business Impact +## Business Impact: This vulnerability can lead to sensitive data through the attacker’s ability to manipulate the application through their access to the hardcoded file paths. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +17,7 @@ This vulnerability can lead to sensitive data through the attacker’s ability t {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the hardcoded OAuth secret: diff --git a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/template.md b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/template.md index e62b4025..278c79fd 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/template.md @@ -1,14 +1,14 @@ # Hardcoded Sensitive Data -## Overview of the Vulnerability +## Overview of the Vulnerability: Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application has sensitive data that is hardcoded, such as API keys, credentials, or Personally Identifiable Information (PII). This hardcoded sensitive data can be used by an attacker to gain access to the application and escalate their privileges, which can lead to user account compromise and data exfiltration. -## Business Impact +## Business Impact: This vulnerability can lead to data exfiltration through the attacker’s ability to manipulate the application through their access to the hardcoded sensitive data. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +17,7 @@ This vulnerability can lead to data exfiltration through the attacker’s abilit {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the hardcoded sensitive data: diff --git a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/in_the_background/template.md b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/in_the_background/template.md index a0791157..36027c79 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/in_the_background/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/in_the_background/template.md @@ -1,19 +1,19 @@ # Sensitive Token Exposed in URL in Background -## Overview of the Vulnerability +## Overview of the Vulnerability: Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. The application discloses a sensitive token in the URL in the background which, if captured by an attacker, can be used to escalate privileges or authorize API calls within the application. -## Business Impact +## Business Impact: Disclosure of a sensitive token in the URL in the background could lead to data manipulation through the attacker’s ability to manipulate the application through their access to the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Observe the exposed token in the URL -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/on_password_reset/template.md b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/on_password_reset/template.md index dc92a841..de812aef 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/on_password_reset/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/on_password_reset/template.md @@ -1,20 +1,20 @@ # Sensitive Token Exposed in URL On Password Reset -## Overview of the Vulnerability +## Overview of the Vulnerability: Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. The application discloses a sensitive token in the URL upon the password reset function which, if captured by an attacker, can be used to reset a legitimate user’s account password to one they control, successfully taking over the user’s account. -## Business Impact +## Business Impact: This vulnerability can lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Navigate to the password reset function 1. Observe the exposed token in the URL -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/template.md b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/template.md index 00b2bbf2..d46ce6ac 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/template.md @@ -1,19 +1,19 @@ # Sensitive data disclosure: Sensitive Token in URL -## Overview of the Vulnerability +## Overview of the Vulnerability: Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. The application discloses a sensitive token in the URL, which, if captured by an attacker, can be used to gain access to the users account through this token, breaching the Confidentiality and Integrity of that account. -## Business Impact +## Business Impact: A sensitive token in the URL could lead to data manipulation through the attacker’s ability to manipulate the application through their access to the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Observe the exposed token in the URL -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/user_facing/template.md b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/user_facing/template.md index 37478e5b..029f2c3a 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/user_facing/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/user_facing/template.md @@ -1,19 +1,19 @@ # Sensitive Token Exposed in URL User Facing -## Overview of the Vulnerability +## Overview of the Vulnerability: Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. The application discloses a sensitive token in the URL that is user facing which can be captured by an attacker. This allows the attacker to gain access to a legitimate user’s account, breaching the Confidentiality and Integrity of their account. -## Business Impact +## Business Impact: This vulnerability can lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Login as a user and navigate to: {{URL}} 1. Observe the exposed token in the URL -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/template.md b/submissions/description/sensitive_data_exposure/template.md index 31584f4f..b64b0d98 100644 --- a/submissions/description/sensitive_data_exposure/template.md +++ b/submissions/description/sensitive_data_exposure/template.md @@ -1,21 +1,21 @@ # Sensitive Data Exposure -## Overview of the Vulnerability +## Overview of the Vulnerability: Sensitive data exposure can occur when sensitive data is not encrypted, or behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, SSL not being used for authenticated pages, or passwords being stored using unsalted hashes. Examples of such data include, but are not limited to: personally identifiable information (PII), Social Security numbers, medical data, banking information, and login credentials. Sensitive data relating to the business was exposed. This data could be exfiltrated and used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors. -## Business Impact +## Business Impact: Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{url}}/data/ 1. Observe that secrets are being disclosed -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshots below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/over_http/template.md b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/over_http/template.md index f2417a93..f50116a6 100644 --- a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/over_http/template.md +++ b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/over_http/template.md @@ -1,21 +1,21 @@ # Token Leakage via Referer Header over HTTP -## Overview of the Vulnerability +## Overview of the Vulnerability: The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user tokens that are transmitted over an unencrypted HTTP connection. This connection can be intercepted by a local attacker performing a Person-in-The-Middle (PiTM) attack, or by an attacker exploiting third-party vendors. With access to the exposed token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -## Business Impact +## Business Impact: Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} 1. Capture the request using the HTTP interception proxy 1. Observe the token in `Referer` header and that the connection is over HTTP -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the token exposed within the `Referer` HTTP request header over a HTTP connection: diff --git a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/template.md b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/template.md index b83602cb..124c1b94 100644 --- a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/template.md +++ b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/template.md @@ -1,21 +1,21 @@ # Token Leakage via Referer Header -## Overview of the Vulnerability +## Overview of the Vulnerability: The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user tokens which can be intercepted by an attacker performing a Person-in-The-Middle (PiTM) attack, or by exploiting third-party vendors. With access to the exposed token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -## Business Impact +## Business Impact: Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} 1. Capture the request using the HTTP interception proxy 1. Observe the token in `Referer` header -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the token exposed within the `Referer` HTTP request header: diff --git a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/trusted_third_party/template.md b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/trusted_third_party/template.md index 95a5e546..e5e55e99 100644 --- a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/trusted_third_party/template.md +++ b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/trusted_third_party/template.md @@ -1,14 +1,14 @@ # Token Leakage via Referer Header over Trusted Third-Party -## Overview of the Vulnerability +## Overview of the Vulnerability: The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user tokens to a trusted third-party. This token can be intercepted by a local attacker performing a Person-in-The-Middle (PiTM) attack, or by an attacker exploiting third-party vendors. With access to the exposed token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -## Business Impact +## Business Impact: Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} @@ -16,7 +16,7 @@ Token Leakage via `Referer` header can lead to indirect financial loss through a 1. Capture the request using the HTTP interception proxy 1. Observe the token in `Referer` header and that the connection is over HTTP -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the token exposed within the `Referer` HTTP request header over a HTTP connection: diff --git a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/untrusted_third_party/template.md b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/untrusted_third_party/template.md index 0ca5b668..b69b3182 100644 --- a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/untrusted_third_party/template.md +++ b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/untrusted_third_party/template.md @@ -1,14 +1,14 @@ # Token Leakage via Referer Header over Untrusted Third-Party -## Overview of the Vulnerability +## Overview of the Vulnerability: The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user tokens over an untrusted third-party link. This token can be intercepted by a local attacker performing a Person-in-The-Middle (PiTM) attack, or by an attacker exploiting third-party vendors. With access to the exposed token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -## Business Impact +## Business Impact: Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} @@ -16,7 +16,7 @@ Token Leakage via `Referer` header can lead to indirect financial loss through a 1. Capture the request using the HTTP interception proxy 1. Observe the token in `Referer` header and that theconnection is over HTTP -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the token exposed within the `Referer` HTTP request header over a HTTP connection: diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md index cbb7e8a3..e6356a23 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md @@ -1,14 +1,14 @@ # Non-Sensitive Token Exposed in Local or Session Storage -## Overview of the Vulnerability +## Overview of the Vulnerability: Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses a non-sensitive token in the local storage which is accessible by JavaScript. As a result, the token can be captured by an attacker using Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF), allowing them to gather relevant user data and leverage this information to build phishing campaigns. -## Business Impact +## Business Impact: This vulnerability can lead to data theft through the attacker’s ability to access and manipulate sensitive data through their access to the application's local session. These malicious actions can result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +20,7 @@ This vulnerability can lead to data theft through the attacker’s ability to ac 1. Observe the exposed sensitive token -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the non-sensitive token exposed via the local storage: diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md index 61cd59b7..8579bea5 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md @@ -1,14 +1,14 @@ # Sensitive Token Exposed in Local or Session Storage -## Overview of the Vulnerability +## Overview of the Vulnerability: Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses a sensitive token in the local storage which is accessible by JavaScript. As a result, the sensitive token can be captured by an attacker using Cross-Site Scripting (XSS), allowing them to locally reset a legitimate user’s account password to one they control, successfully taking over the user’s account. -## Business Impact +## Business Impact: This vulnerability can lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +20,7 @@ This vulnerability can lead to data theft through the attacker’s ability to ma 1. Observe the exposed sensitive token -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the sensitive token exposed via the local storage: diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md index 97c1d352..1cc23dfe 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md @@ -1,14 +1,14 @@ # Sensitive Data Exposed in Local or Session Storage -## Overview of the Vulnerability +## Overview of the Vulnerability: Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses sensitive data in the local storage which is accessible by JavaScript. As a result, the sensitive data can be captured by an attacker using Cross-Site Scripting (XSS), allowing them to locally access the sensitive data and use it in further attacks. -## Business Impact +## Business Impact: This vulnerability can lead to data theft through the attacker’s ability to access and manipulate sensitive data through their access to the application's local session. These malicious actions can result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +20,7 @@ This vulnerability can lead to data theft through the attacker’s ability to ac 1. Observe the exposed sensitive data -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the sensitive data exposed via the local storage: diff --git a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/descriptive_stack_trace/template.md b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/descriptive_stack_trace/template.md index a75f1f48..03fce568 100644 --- a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/descriptive_stack_trace/template.md +++ b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/descriptive_stack_trace/template.md @@ -1,21 +1,21 @@ # Descriptive Stack Trace -## Overview of the Vulnerability +## Overview of the Vulnerability: Visible detailed error pages are a result of improper error handling which introduces a variety of security problems for a website. Detailed internal error messages, such as error codes, stack traces and database dumps, can be displayed publicly, leaking implementation information. The descriptive stack trace leaked by this application shows versions of software and implementation data. An attacker can collect this data and combine it with other attack vectors to increase the severity and impact of malicious attacks on the application or exploit specific versions of software that have known vulnerabilities. -## Business Impact +## Business Impact: This vulnerability can impact customers’ trust in the application which can result in reputational damage for the business and indirect financial losses. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Observe detailed error message showing a descriptive stack trace -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the data disclosed in the descriptive stack trace: diff --git a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/detailed_server_configuration/template.md b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/detailed_server_configuration/template.md index 25bf4e0a..33738a90 100644 --- a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/detailed_server_configuration/template.md +++ b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/detailed_server_configuration/template.md @@ -1,21 +1,21 @@ # Detailed Server Configuration -## Overview of the Vulnerability +## Overview of the Vulnerability: Visible detailed error pages are a result of improper error handling which introduces a variety of security problems for a website. Detailed internal error messages, such as error codes, stack traces and database dumps, can be displayed publicly, leaking implementation information. The detailed server configuration leaked by this application shows which versions of software are running, physical paths, environmental variables, and the software configuration settings. An attacker can collect this data and combine it with other attack vectors to increase the severity and impact of malicious attacks on the application or exploit specific versions of software that have known vulnerabilities. -## Business Impact +## Business Impact: This vulnerability can impact customers’ trust in the application which can result in reputational damage for the business and indirect financial losses. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Observe detailed error message showing detailed server configuration -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the data disclosed in the detailed server configuration: diff --git a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/template.md b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/template.md index 190ee1a8..909f3d34 100644 --- a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/template.md +++ b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/template.md @@ -1,19 +1,19 @@ # Visible Detailed Error Page -## Overview of the Vulnerability +## Overview of the Vulnerability: Visible detailed error pages are a result of improper error handling which introduces a variety of security problems for a website. Detailed internal error messages, such as error codes, stack traces and database dumps, can be displayed publicly, leaking implementation information. The detailed error pages leaked by this application can be collected by an attacker and combined with other attack vectors to increase the severity and impact of malicious attacks on the application. -## Business Impact +## Business Impact: This vulnerability can impact customers’ trust in the application which can result in reputational damage for the business and indirect financial losses. -## Steps to Reproduce +## Steps to Reproduce: 1. Use a browser to navigate to: {{URL}} 1. Observe detailed error message -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the data disclosed in the detailed error message: diff --git a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/password_reset_token_sent_over_http/template.md b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/password_reset_token_sent_over_http/template.md index 1b7ca250..f44f30d1 100644 --- a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/password_reset_token_sent_over_http/template.md +++ b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/password_reset_token_sent_over_http/template.md @@ -1,16 +1,16 @@ # Password Reset Token Sent Over HTTP -## Overview of the Vulnerability +## Overview of the Vulnerability: When the password reset implementation is weak, the strength of the overall authentication process for the application is diminished. Tokens sent over HTTP, predictable reset tokens, and long expiry times create weak conditions for the password reset implementation. This application transmits the password reset token over an insecure HTTP connection, rather than HTTPS. An attacker could intercept this token and reset a user’s password, locking the user out of their account and achieving full account takeover. -## Business Impact +## Business Impact: Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login to a valid account and navigate to: {{URL}} @@ -18,7 +18,7 @@ Weak password reset implementation could lead to data theft from the attacker’ 1. Capture the request using the HTTP interception proxy 1. Observe that the password reset token is being sent over HTTP -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below displays the password reset token being sent over HTTP: diff --git a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/template.md b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/template.md index 8e1683b2..7974c0a5 100644 --- a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/template.md +++ b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/template.md @@ -1,14 +1,14 @@ # Weak Password Reset Implementation -## Overview of the Vulnerability +## Overview of the Vulnerability: When the password reset implementation is weak, the strength of the overall authentication process for the application is diminished. Tokens sent over HTTP, predictable reset tokens, and long expiry times create weak conditions for the password reset implementation. This application’s weak password reset implementation allows an attacker to abuse the password reset token and reset a user’s password, locking the user out of their account and achieving full account takeover. -## Business Impact +## Business Impact: Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login to a valid account and navigate to: {{URL}} @@ -16,7 +16,7 @@ Weak password reset implementation could lead to data theft from the attacker’ 1. Capture the request using the HTTP interception proxy 1. Observe the weakness in the password reset implementation -## Proof of Concept (PoC) +## Proof of Concept (PoC): The following screenshot shows the weak password reset implementation: diff --git a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/token_leakage_via_host_header_poisoning/template.md b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/token_leakage_via_host_header_poisoning/template.md index 981bac7a..d023972b 100644 --- a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/token_leakage_via_host_header_poisoning/template.md +++ b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/token_leakage_via_host_header_poisoning/template.md @@ -1,14 +1,14 @@ # Password Reset Token Leakage via Host Header Poisoning -## Overview of the Vulnerability +## Overview of the Vulnerability: When the password reset implementation is weak, the strength of the overall authentication process for the application is diminished. `Host` header poisoning occurs when the `Host` header is manipulated in a HTTP request to point to a domain an attacker controls. From here, when the user clicks on the password reset link sent to their email, the attacker can capture the the token and reset a user’s password, locking the user out of their account and achieving full account takeover. -## Business Impact +## Business Impact: Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -18,7 +18,7 @@ Weak password reset implementation could lead to data theft from the attacker’ 1. From the user’s email account, click the password reset link 1. Observer that an attacker can capture the password reset token -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below displays the weak password reset implementation: diff --git a/submissions/description/sensitive_data_exposure/xssi/template.md b/submissions/description/sensitive_data_exposure/xssi/template.md index 390f02b8..457d706c 100644 --- a/submissions/description/sensitive_data_exposure/xssi/template.md +++ b/submissions/description/sensitive_data_exposure/xssi/template.md @@ -1,14 +1,14 @@ # Sensitive Data Exposure via Cross-Site Script Inclusion -## Overview of the Vulnerability +## Overview of the Vulnerability: Cross-Site Script Inclusion (XSSI) is a client-side attack that uses JavaScript within an authenticated session to leak sensitive data. This sensitive data could be authentication related or user related sensitive data. XSSI can be found on this domain which allows an attacker to control code that is executed within a user’s authenticated session. -## Business Impact +## Business Impact: XSSI could lead to data theft and exfiltration through the attacker’s ability to manipulate data. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -21,7 +21,7 @@ XSSI could lead to data theft and exfiltration through the attacker’s ability 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +## Proof of Concept (PoC): Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/server_security_misconfiguration/bitsquatting/template.md b/submissions/description/server_security_misconfiguration/bitsquatting/template.md index 872a31f1..7e035378 100644 --- a/submissions/description/server_security_misconfiguration/bitsquatting/template.md +++ b/submissions/description/server_security_misconfiguration/bitsquatting/template.md @@ -1,14 +1,14 @@ # Bitsquatting -## Overview of the Vulnerability +## Overview of the Vulnerability: Bitsquatting is the act of registering domains with one bit flipped from the original domain name. This allows an attacker to hijack traffic from known domains via DNS queries from accidental key presses, as well as misconfigurations on hardware processing the queries. Bitflipping domains can allow an attacker to serve malicious content and collect data on behalf of the targeted application in the form of HTTP requests, binary data, and other sensitive data. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Register domain with one bitflipped e.g. Bugcrowd.com -> eugcrowd.com 1. {{action}} to collect data on the bitflipped domain @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t {{screenshot}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the bitsquatting: diff --git a/submissions/description/server_security_misconfiguration/cache_poisoning/template.md b/submissions/description/server_security_misconfiguration/cache_poisoning/template.md index 10b8058e..f8106e94 100644 --- a/submissions/description/server_security_misconfiguration/cache_poisoning/template.md +++ b/submissions/description/server_security_misconfiguration/cache_poisoning/template.md @@ -1,16 +1,16 @@ # Cache Poisoning -## Overview of the Vulnerability +## Overview of the Vulnerability: A web cache allows for static and fast fetching of content in web applications. Content Delivery Networks (CDNs) are commonly used to serve content used by applications. A malicious attacker can take advantage of caching mechanisms to serve content or deny service to certain applications using X-Based Host headers (X-Forwarded-Host, etc.). Cache poisoning allows an attacker to serve content for cached pages on CDNs and websites with cache misconfigurations. This opens the application up to attacks like Cross-Site Request Forgery (CSRF), and to leakage of sensitive information. -## Business Impact +## Business Impact: This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +## Steps to Reproduce: 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to the following url: {{URL}} @@ -27,7 +27,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. {{action}} to poison the cache -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot below demonstrates the cache poisoning: diff --git a/submissions/description/server_security_misconfiguration/captcha/brute_force/template.md b/submissions/description/server_security_misconfiguration/captcha/brute_force/template.md index 8f5214d8..4d9efbff 100644 --- a/submissions/description/server_security_misconfiguration/captcha/brute_force/template.md +++ b/submissions/description/server_security_misconfiguration/captcha/brute_force/template.md @@ -1,21 +1,21 @@ # CAPTCHA Can be Bruteforced -## Overview of the Vulnerability +## Overview of the Vulnerability: A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. A CAPTCHA can be bypassed when the implementation or its workflow is misconfigured, or when software can be used to bypass the challenge. An attacker can leverage scripts and tools to bypass the CAPTCHA and make requests to critical functionality without a rate limit. Forms that are often firewalled by a CAPTCHA can also deny service for users when executing multiple read and write functions from the database. -## Business Impact +## Business Impact: CAPTCHA misconfiguration can lead to reputational damage for the business due to a loss in confidence and trust by users. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the CAPTCHA being bruteforced: diff --git a/submissions/description/server_security_misconfiguration/captcha/implementation_vulnerability/template.md b/submissions/description/server_security_misconfiguration/captcha/implementation_vulnerability/template.md index 76c9d973..1bf33f5a 100644 --- a/submissions/description/server_security_misconfiguration/captcha/implementation_vulnerability/template.md +++ b/submissions/description/server_security_misconfiguration/captcha/implementation_vulnerability/template.md @@ -1,21 +1,21 @@ # CAPTCHA Implementation Vulnerability -## Overview of the Vulnerability +## Overview of the Vulnerability: A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. A CAPTCHA can be bypassed when the implementation or its workflow is misconfigured, or when software can be used to bypass the challenge. An attacker can leverage scripts and tools to bypass the CAPTCHA and make requests to critical functionality without a rate limit. Forms that are often firewalled by a CAPTCHA can also deny service for users when executing multiple read and write functions from the database. -## Business Impact +## Business Impact: CAPTCHA misconfiguration can lead to reputational damage for the business due to a loss in confidence and trust by users. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the CAPTCHA being bypassed: diff --git a/submissions/description/server_security_misconfiguration/captcha/missing/template.md b/submissions/description/server_security_misconfiguration/captcha/missing/template.md index f9ced0ff..0a93d9ac 100644 --- a/submissions/description/server_security_misconfiguration/captcha/missing/template.md +++ b/submissions/description/server_security_misconfiguration/captcha/missing/template.md @@ -1,21 +1,21 @@ # CAPTCHA is Missing -## Overview of the Vulnerability +## Overview of the Vulnerability: A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. A CAPTCHA can be bypassed when the implementation or its workflow is misconfigured, or when software can be used to bypass the challenge. Due to the absence of a CAPTCHA, an attacker can leverage scripts and tools to make requests to critical functionality without a rate limit. Forms that are often firewalled by a CAPTCHA can also deny service for users when executing multiple read and write functions from the database. -## Business Impact +## Business Impact: A missing CAPTCHA can lead to reputational damage for the business due to a loss in confidence and trust by users. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Observe that CAPTCHA is missing for the following critical functionality: {{value}} -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the missing CAPTCHA: diff --git a/submissions/description/server_security_misconfiguration/captcha/template.md b/submissions/description/server_security_misconfiguration/captcha/template.md index dd825889..b1d34bcc 100644 --- a/submissions/description/server_security_misconfiguration/captcha/template.md +++ b/submissions/description/server_security_misconfiguration/captcha/template.md @@ -1,21 +1,21 @@ # CAPTCHA Misconfiguration -## Overview of the Vulnerability +## Overview of the Vulnerability: A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. A CAPTCHA can be bypassed when the implementation or its workflow is misconfigured, or when software can be used to bypass the challenge. An attacker can bypass the CAPTCHA form and spam the website with queries for registration, login, as well as spam support teams with faulty requests. -## Business Impact +## Business Impact: CAPTCHA misconfiguration can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business through the extra workloads placed on internal teams to deal with spam from an attacker. -## Steps to Reproduce +## Steps to Reproduce: 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -## Proof of Concept (PoC) +## Proof of Concept (PoC): The screenshot(s) below demonstrates the CAPTCHA bypass: diff --git a/submissions/description/server_security_misconfiguration/clickjacking/form_input/template.md b/submissions/description/server_security_misconfiguration/clickjacking/form_input/template.md index 83b955dd..6fd9cdd6 100644 --- a/submissions/description/server_security_misconfiguration/clickjacking/form_input/template.md +++ b/submissions/description/server_security_misconfiguration/clickjacking/form_input/template.md @@ -1,21 +1,21 @@ # Clickjacking on Form Input -## Overview of the Vulnerability +## Overview of the Vulnerability: Clickjacking is a method of tricking a user into clicking on a link that performs an action, which is disguised as a legitimate link to something else. Usually, this is carried out by embedding a link into a transparent `