Common Web Vulnerabilities
OWASP Top 10 Examples
This document summarizes common vulnerabilities in web applications, especially in the context of penetration testing, whether for internal or publicly available applications.
1. Broken Authentication / Access Control
Description:
- Broken Authentication: Allows bypassing login mechanisms.
- Example: Logging in as admin without valid credentials.
- Broken Access Control: Accessing pages/features without permission.
- Example: Normal user accessing admin panel.
Example Vulnerable App:
- College Management System 1.2
PoC:
Email: ' or 0=0 #
Password: any value
- Effect: Authentication bypass without a valid account. The quote closes the email string, or 0=0 makes the WHERE clause true for every row, and # starts a MySQL comment so the password comparison is never evaluated; the query returns the first user in the table.
2. Malicious File Upload
Description:
- Uploading malicious scripts (e.g., PHP) due to insufficient file validation.
- Common bypass method: double extensions (e.g., shell.php.jpg).
Example:
- WordPress Plugin: Responsive Thumbnail Slider 1.0
- Exploit: Arbitrary file upload using double extension.
- Tools: Exploitable via Metasploit Module.
3. Command Injection
Description:
- Occurs when user input is included in OS command execution.
- Attackers inject commands via unsanitized inputs.
Example:
- WordPress Plugin: Plainview Activity Monitor 20161228
- Vulnerable Parameter: ip
PoC:
ip=127.0.0.1 | <command>
- The ip value is passed to the system shell unsanitized, so appending | COMMAND after a valid address makes the shell run COMMAND on the server alongside the intended command.
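The injection succeeds only because the value is interpolated into a command line that a shell then parses. The following is an added example, not the plugin's code: the vulnerable string-building pattern beside a fix that validates the value as an IP literal and passes it as a separate argv element with no shell involved. The ping command, the run_* wrappers and their command parameter (which exists only so the example can be exercised with echo instead of ping) are assumptions for this example.

```python
import ipaddress
import subprocess


def build_command_vulnerable(ip):
    """Raw string interpolation: whatever the user sent becomes shell syntax."""
    return f"ping -c 1 {ip}"


def run_vulnerable(ip, command="ping -c 1"):
    # shell=True hands the whole line to /bin/sh, which honours |, ;, $() ...
    result = subprocess.run(f"{command} {ip}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def is_safe_ip(value):
    """True only for a bare IPv4/IPv6 literal; rejects pipes, spaces, options."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def build_command_safe(ip):
    """Validate, then return an argv list: no shell ever parses the value."""
    if not is_safe_ip(ip):
        raise ValueError(f"not an IP address: {ip!r}")
    return ["ping", "-c", "1", ip]


def run_safe(ip, command=("ping", "-c", "1")):
    if not is_safe_ip(ip):
        raise ValueError(f"not an IP address: {ip!r}")
    # argv list, no shell: a '|' in ip would be passed literally as one argument.
    result = subprocess.run([*command, ip], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    payload = "127.0.0.1 | echo INJECTED"
    print(build_command_vulnerable(payload))      # ping -c 1 127.0.0.1 | echo INJECTED
    print(run_vulnerable(payload, command="echo"))  # INJECTED  (the pipe ran)
    print(is_safe_ip(payload))                    # False
    print(run_safe("127.0.0.1", command=("echo",)))  # 127.0.0.1
```

The allowlist validation matters even with the argv form: without it an attacker could still inject an option such as a leading "-" flag, and ipaddress.ip_address rejects anything that is not a plain address.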
4. SQL Injection (SQLi)
Description:
- Vulnerability in SQL query handling when user input isn't sanitized.
- Allows attackers to run arbitrary SQL commands.
Vulnerable Code Example:
$query = "select * from users where name like '%$searchInput%'";
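Both the login bypass in section 1 and the LIKE search above are the same defect: user input concatenated into query text. The following is an added example, not code from the College Management System or the original page, showing each vulnerable query beside its parameterised form against an in-memory SQLite table. The schema, rows and plaintext passwords are assumptions made to keep it self-contained. The page's payload ends in #, which is a MySQL comment; SQLite uses --, so the payloads here use that instead.

```python
import sqlite3

# Constructed stand-in for the application's users table (assumed schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
               "password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users (email, password, role) VALUES (?, ?, ?)",
        [("admin@example.edu", "S3cret!", "admin"),
         ("alice@example.edu", "alice-pw", "student")],
    )
    return db


def login_vulnerable(db, email, password):
    # Input glued into the query: the quote in the payload ends the string.
    query = ("SELECT email, role FROM users WHERE email = '" + email
             + "' AND password = '" + password + "'")
    return db.execute(query).fetchone()


def login_safe(db, email, password):
    # Parameterised: values travel separately and never become SQL.
    query = "SELECT email, role FROM users WHERE email = ? AND password = ?"
    return db.execute(query, (email, password)).fetchone()


def search_vulnerable(db, term):
    # The page's LIKE '%$searchInput%' pattern.
    query = "SELECT email, role FROM users WHERE email LIKE '%" + term + "%'"
    return db.execute(query).fetchall()


def search_safe(db, term):
    # Wildcards are added to the value, not to the query text.
    query = "SELECT email, role FROM users WHERE email LIKE ?"
    return db.execute(query, ("%" + term + "%",)).fetchall()


# SQLite form of the page's  ' or 0=0 #  payload.
AUTH_BYPASS = "' or 0=0 -- "
# Turns the search into a UNION that returns passwords in the role column.
DUMP_PASSWORDS = "x%' UNION SELECT email, password FROM users -- "

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, AUTH_BYPASS, "any value"))  # first user: the admin
    print(login_safe(db, AUTH_BYPASS, "any value"))        # None
    print(search_vulnerable(db, DUMP_PASSWORDS))           # emails with passwords
    print(search_safe(db, DUMP_PASSWORDS))                 # []
```

The vulnerable login query after the payload reads SELECT ... WHERE email = '' or 0=0 -- ' AND password = '...': the OR makes the clause true for every row and the comment discards the password check, so fetchone() returns the first user.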
Exercise
To which of the above categories does the public vulnerability CVE-2014-6271 belong?
Description for CVE-2014-6271
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
flag: Command Injection
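CVE-2014-6271 (Shellshock) is command injection because Bash evaluates an environment variable whose value starts with the function-definition prefix "() {" and then runs whatever follows the closing brace; the attacker-controlled HTTP headers that a CGI server exports as environment variables are the usual delivery path. The following is an added example, not part of the original page: a detector that scans web access-log lines for that prefix in the request path, referer and user-agent fields. The log lines are constructed for this example and the IP addresses are documentation ranges.

```python
import re

# Combined Log Format:
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# The exported-function prefix that vulnerable Bash parses: "() {" with
# optional whitespace. Any header value starting this way is suspicious.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample log (not real traffic).
SAMPLE_LOG = """
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo shellshock"
198.51.100.7 - - [25/Sep/2014:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "curl/7.37.0"
""".strip()


def find_shellshock_attempts(lines):
    """Return (client ip, path, field) for each line carrying the prefix."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        for field in ("path", "referer", "agent"):
            if SHELLSHOCK_RE.search(m[field]):
                hits.append((m["ip"], m["path"], field))
                break  # one hit per line is enough
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit only tells you an attempt was made; whether it succeeded depends on the Bash version behind the CGI script, so pair the log match with the local check that the target's Bash ignores trailing code after an exported function definition.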