diff --git a/submissions/description/ai_application_security/llm_security/excessive_agency_permission_manipulation/template.md b/submissions/description/ai_application_security/llm_security/excessive_agency_permission_manipulation/template.md index ed91df46..494decc5 100644 --- a/submissions/description/ai_application_security/llm_security/excessive_agency_permission_manipulation/template.md +++ b/submissions/description/ai_application_security/llm_security/excessive_agency_permission_manipulation/template.md @@ -1,10 +1,10 @@ Excessive agency or permission manipulation occurs when an attacker is able to manipulate the Large Language Model (LLM) outputs to perform actions that may be damaging or otherwise harmful. An attacker can abuse excessive agency or permission manipulation within the LLM to gain access to, modify, or delete data, without any confirmation from a user. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage if an attacker compromises the LLM decision making or accesses unauthorized data. These cirvumstances not only harm the company but also weaken users' trust. The extent of business impact depends on the sensitivity of the data transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: 1. Enter the following prompt into the LLM: @@ -15,7 +15,7 @@ This vulnerability can lead to reputational and financial damage if an attacker 1. Observe that the output from the LLM returns sensitive data -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/ai_application_security/llm_security/llm_output_handling/template.md b/submissions/description/ai_application_security/llm_security/llm_output_handling/template.md index c6539a40..4de370a8 100644 --- a/submissions/description/ai_application_security/llm_security/llm_output_handling/template.md 
+++ b/submissions/description/ai_application_security/llm_security/llm_output_handling/template.md @@ -1,10 +1,10 @@ Insecure output handling within Large Language Models (LLMs) occurs when the output generated by the LLM is not sanitized or validated before being passed downstream to other systems. This can allow an attacker to indirectly gain access to systems, elevate their privileges, or gain arbitrary code execution by using crafted prompts. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage of the company due an attacker gaining access to unauthorized data or compromising the decision-making of the LLM, which would also impact customers' trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: 1. Inject the following prompt into the LLM: @@ -15,7 +15,7 @@ This vulnerability can lead to reputational and financial damage of the company 1. Observe that the LLM returns sensitive data -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/ai_application_security/llm_security/prompt_injection/template.md b/submissions/description/ai_application_security/llm_security/prompt_injection/template.md index ebb75329..e332840d 100644 --- a/submissions/description/ai_application_security/llm_security/prompt_injection/template.md +++ b/submissions/description/ai_application_security/llm_security/prompt_injection/template.md 
@@ -1,10 +1,10 @@ Prompt injection occurs when an attacker crafts a malicious prompt that manipulates a Large Language Model (LLM) into executing unintended actions. The LLM's inability to distinguish user input from its dataset influences the output it generates. This flaw allows attackers to exploit the system by injecting malicious prompts, thereby bypassing safeguards. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage of the company due an attacker gaining access to unauthorized data or compromising the decision-making of the LLM, which would also impact customers' trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Inject the following prompt into the LLM: @@ -15,7 +15,7 @@ This vulnerability can lead to reputational and financial damage of the company 1. Observe that the LLM returns sensitive data -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/ai_application_security/llm_security/template.md b/submissions/description/ai_application_security/llm_security/template.md index e87773df..ab78556f 100644 --- a/submissions/description/ai_application_security/llm_security/template.md +++ b/submissions/description/ai_application_security/llm_security/template.md 
@@ -1,10 +1,10 @@ Misconfigurations can occur across Large Language Model (LLM) within the setup, deployment, or usage of the LLM, leading to security weaknesses or vulnerabilities. These misconfigurations can allow an attacker to compromise confidentiality, integrity, or availability of data and services. Misconfigurations may stem from inadequate access controls, insecure default settings, or improper configuration of fine-tuning parameters. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage of the company due an attacker gaining access to unauthorized data or compromising the decision-making of the LLM, which would also impact customers' trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: 1. Inject the following prompt into the LLM: @@ -15,7 +15,7 @@ This vulnerability can lead to reputational and financial damage of the company 1. Observe that the LLM returns sensitive data -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/ai_application_security/llm_security/training_data_poisoning/template.md b/submissions/description/ai_application_security/llm_security/training_data_poisoning/template.md index fc53a2b2..34b740a2 100644 --- a/submissions/description/ai_application_security/llm_security/training_data_poisoning/template.md +++ b/submissions/description/ai_application_security/llm_security/training_data_poisoning/template.md 
@@ -1,10 +1,10 @@ Training data poisoning occurs when an attacker manipulates the training data to intentionally compromise the output of the Large Language Model (LLM). This can be achieved by manipulating the pre-training data, fine-tuning data process, or the embedding process. An attacker can undermine the integrity of the LLM by poisoning the training data, resulting in outputs that are unreliable, biased, or unethical. This breach of integrity significantly impacts the model's trustworthiness and accuracy, posing a serious threat to the overall effectiveness and security of the LLM. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage if an attacker compromises the LLM decision making or accesses unauthorized data. These cirvumstances not only harm the company but also weaken users' trust. The extent of business impact depends on the sensitivity of the data transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: 1. Enter the following prompt into the LLM: @@ -15,7 +15,7 @@ This vulnerability can lead to reputational and financial damage if an attacker 1. Observe that the output from the LLM returns a compromised result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/ai_application_security/template.md b/submissions/description/ai_application_security/template.md index 92f654dc..2f480971 100644 --- a/submissions/description/ai_application_security/template.md +++ b/submissions/description/ai_application_security/template.md 
@@ -1,10 +1,10 @@ Misconfigurations can occur in Artificial Intelligence (AI) applications, including but not limited to machine learning models, algorithms, and inference systems. These misconfigurations can allow an attacker to compromise confidentiality, integrity, or availability of data and services. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage of the company due an attacker gaining access to unauthorized data or compromising the decision-making of the LLM, which would also impact customers' trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: 1. Inject the following prompt into the LLM: @@ -15,7 +15,7 @@ This vulnerability can lead to reputational and financial damage of the company 1. Observe that the LLM returns sensitive data -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/algorithmic_biases/aggregation_bias/template.md b/submissions/description/algorithmic_biases/aggregation_bias/template.md index 9084e137..2ec67a7b 100644 --- a/submissions/description/algorithmic_biases/aggregation_bias/template.md +++ b/submissions/description/algorithmic_biases/aggregation_bias/template.md 
@@ -1,10 +1,10 @@ Aggregation bias occurs in an AI model when systematic favoritism is displayed when processing data from different demographic groups. This bias originates from training data that is skewed, or that has an under representation of certain groups. Outputs from AI models that have an aggregation bias can result in unequal treatment of users based on demographic characteristics, which can lead to unfair and discriminatory outcomes. -#### Business Impact +**Business Impact** Aggregation bias in this AI model can result in reputational damage and indirect financial loss due to the loss of customer trust in the output of the model. -#### Steps to Reproduce +**Steps to Reproduce** 1. Obtain a diverse dataset containing demographic information 1. Feed the dataset into the AI model @@ -12,7 +12,7 @@ Aggregation bias in this AI model can result in reputational damage and indirect 1. Compare outcomes across different demographic groups 1. Observe the systematic favoritism displayed by the model toward one or more specific groups -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/algorithmic_biases/processing_bias/template.md b/submissions/description/algorithmic_biases/processing_bias/template.md index afcc9d75..1d4f1aa6 100644 --- a/submissions/description/algorithmic_biases/processing_bias/template.md +++ b/submissions/description/algorithmic_biases/processing_bias/template.md 
@@ -1,16 +1,16 @@ Processing bias occurs when AI algorithms make biased decisions, or predictions, due to the way that they process data. This can be a result of the algorithm's design or the training data it has been trained on. Outputs from AI models that have a processing bias can result in discrimination, reinforcement of stereotypes, and unintended consequences such as amplification or polarization of viewpoints that disadvantage certain groups. -#### Business Impact +**Business Impact** Processing bias in this AI model can result in reputational damage and indirect monetary loss due to the loss of customer trust in the output of the model. -#### Steps to Reproduce +**Steps to Reproduce** 1. Input the following benchmark dataset into the AI model: {{Benchmark data set}} 1. Split the dataset into two sets. One is to act as the training dataset and the other as the testing dataset. 1. Examine the model's predictions and note the following disparity exists: {{Disparity between Group A and Group B}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/algorithmic_biases/template.md b/submissions/description/algorithmic_biases/template.md index 2c412eb7..d58f9e6d 100644 --- a/submissions/description/algorithmic_biases/template.md +++ b/submissions/description/algorithmic_biases/template.md 
@@ -1,17 +1,17 @@ Algorithmic bias occurs in an AI model when the algorithms used to develop the model produce biased outcomes as a result of inherent flaws or limitations in their design. This bias originates from assumptions made during algorithm development, selection of inappropriate models, or the way data is processed and weighted. This results in AI models that make unfair, skewed, or discriminatory decisions. -#### Business Impact +**Business Impact** Aggregation bias in this AI model can result in reputational damage and indirect financial loss due to the loss of customer trust in the output of the model. -#### Steps to Reproduce +**Steps to Reproduce** 1. Select an AI algorithm known to have potential biases 1. Train the algorithm on a dataset that may amplify these biases 1. Test the algorithm's decisions or predictions on a diverse dataset 1. Identify and document instances where the algorithm's output is biased -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_android_intents/template.md b/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_android_intents/template.md index c52df116..45c15aae 100644 --- a/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_android_intents/template.md +++ b/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_android_intents/template.md 
@@ -2,11 +2,11 @@ Application-level Denial of Service (DoS) attacks are designed to deny service t There is a local application-level DoS vulnerability within this Android application that causes it to crash. An attacker can use this vulnerability to provide empty, malformed, or irregular data via the Intent binding mechanism, crashing the application and making it unavailable for its designed purpose to legitimate users. -#### Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Use the following payload: @@ -19,7 +19,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a Denial of Service -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the Denial of Service: diff --git a/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_ios_url_schemes/template.md b/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_ios_url_schemes/template.md index 5033668b..0f43efaf 100644 --- a/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_ios_url_schemes/template.md +++ b/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_ios_url_schemes/template.md 
@@ -2,11 +2,11 @@ Application-level Denial of Service (DoS) attacks are designed to deny service t There is a local application-level DoS vulnerability within this iOS application that causes it to crash. An attacker can use this vulnerability to provide empty, malformed, or irregular data via a URL scheme, crashing the application and making it unavailable for its designed purpose to legitimate users. -#### Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Use the following payload: @@ -19,7 +19,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a Denial of Service -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the Denial of Service: diff --git a/submissions/description/application_level_denial_of_service_dos/app_crash/template.md b/submissions/description/application_level_denial_of_service_dos/app_crash/template.md index b11f4816..ddc7d9c7 100644 --- a/submissions/description/application_level_denial_of_service_dos/app_crash/template.md +++ b/submissions/description/application_level_denial_of_service_dos/app_crash/template.md 
@@ -2,11 +2,11 @@ Application-level Denial of Service (DoS) attacks are designed to deny service t There is an application-level DoS vulnerability within this iOS or Android application that causes it to crash. An attacker can use this vulnerability to exhaust resources, making the application unavailable for its designed purpose to legitimate users. -#### Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Use the following payload: @@ -19,7 +19,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a Denial of Service that has high impact or medium difficulty to be performed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the Denial of Service: diff --git a/submissions/description/application_level_denial_of_service_dos/critical_impact_and_or_easy_difficulty/template.md b/submissions/description/application_level_denial_of_service_dos/critical_impact_and_or_easy_difficulty/template.md index eee7fd41..58586587 100644 --- a/submissions/description/application_level_denial_of_service_dos/critical_impact_and_or_easy_difficulty/template.md +++ b/submissions/description/application_level_denial_of_service_dos/critical_impact_and_or_easy_difficulty/template.md 
@@ -2,11 +2,11 @@ Application-level Denial of Service (DoS) attacks are designed to deny service t There is an application-level DoS vulnerability within this application that has critical impact or is easily performed. An attacker can use this vulnerability to exhaust resources, making the application unavailable for its designed purpose to legitimate users. -#### Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{url}} 1. Use the following payload: @@ -19,7 +19,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a Denial of Service that has critical impact or is easy to perform -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) proof of the vulnerability: diff --git a/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/injection_prompt/template.md b/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/injection_prompt/template.md index 0b27f2d3..5e47fc4c 100644 --- a/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/injection_prompt/template.md +++ b/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/injection_prompt/template.md 
@@ -1,10 +1,10 @@ Injection occurs when an attacker provides inputs to a Large Language Model (LLM) which causes a large amount of resources to be consumed. This can result in a Denial of Service (DoS) to users, incur large amounts of computational resource costs, or slow response times of the LLM. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage of the company due an attacker incurring computational resource costs or denying service to other users, which would also impact customers' trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Inject the following prompt into the LLM: @@ -15,7 +15,7 @@ This vulnerability can lead to reputational and financial damage of the company 1. Observe that the LLM is slow to return a response -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/template.md b/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/template.md index 3e3e2310..90d0a29e 100644 --- a/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/template.md +++ b/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/template.md 
@@ -2,11 +2,11 @@ Application-level Denial of Service (DoS) attacks are designed to deny service t There is an application-level DoS vulnerability within this application that an attacker can use to exhaust resources, making the application unavailable for its designed purpose to legitimate users. -#### Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Use the following payload: @@ -19,7 +19,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a DoS condition -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the vulnerability: diff --git a/submissions/description/application_level_denial_of_service_dos/high_impact_and_or_medium_difficulty/template.md b/submissions/description/application_level_denial_of_service_dos/high_impact_and_or_medium_difficulty/template.md index 29380435..23536be8 100644 --- a/submissions/description/application_level_denial_of_service_dos/high_impact_and_or_medium_difficulty/template.md +++ b/submissions/description/application_level_denial_of_service_dos/high_impact_and_or_medium_difficulty/template.md 
@@ -2,11 +2,11 @@ Application-level Denial of Service (DoS) attacks are designed to deny service t There is an application-level DoS vulnerability within this application that has high impact or medium difficulty to be performed. An attacker can use this vulnerability to exhaust resources, making the application unavailable for its designed purpose to legitimate users, but not take down the application for all users. -#### Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{url}} 1. Use the following payload: @@ -19,7 +19,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a Denial of Service that has high impact or medium difficulty to be performed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates proof of the vulnerability: diff --git a/submissions/description/application_level_denial_of_service_dos/template.md b/submissions/description/application_level_denial_of_service_dos/template.md index e058a2e4..957d831d 100644 --- a/submissions/description/application_level_denial_of_service_dos/template.md +++ b/submissions/description/application_level_denial_of_service_dos/template.md 
@@ -2,11 +2,11 @@ Application-level Denial of Service (DoS) attacks are designed to deny service t There is an application-level DoS vulnerability within this application that an attacker can use to exhaust resources, making the application unavailable for its designed purpose to legitimate users. -#### Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Use the following payload: @@ -19,7 +19,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a Denial of Service -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the Denial of Service: diff --git a/submissions/description/automotive_security_misconfiguration/GNSS_GPS/Spoofing/template.md b/submissions/description/automotive_security_misconfiguration/GNSS_GPS/Spoofing/template.md index f7a68b14..0aa427d5 100644 --- a/submissions/description/automotive_security_misconfiguration/GNSS_GPS/Spoofing/template.md +++ b/submissions/description/automotive_security_misconfiguration/GNSS_GPS/Spoofing/template.md 
@@ -1,10 +1,10 @@ Global Navigation Satellite System (GNSS) and Global Positioning System (GPS) spoofing involves the broadcast of fake GNSS/GPS signals to fake the position of a vehicle, or otherwise make the positioning unreliable. An attacker is able to send fake GNSS/GPS signals to the receiver and successfully spoof a vehicle’s position. -#### Business Impact +**Business Impact** This vulnerability can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The GNSS/GPS signal is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This vulnerability can result in reputational damage and indirect financial loss 1. Observe that the GNSS/GPS signal has been spoofed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the GNSS/GPS communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s), causing GNSS/GPS spoofing: diff --git a/submissions/description/automotive_security_misconfiguration/GNSS_GPS/template.md b/submissions/description/automotive_security_misconfiguration/GNSS_GPS/template.md index f7a68b14..0aa427d5 100644 --- a/submissions/description/automotive_security_misconfiguration/GNSS_GPS/template.md +++ b/submissions/description/automotive_security_misconfiguration/GNSS_GPS/template.md 
@@ -1,10 +1,10 @@ Global Navigation Satellite System (GNSS) and Global Positioning System (GPS) spoofing involves the broadcast of fake GNSS/GPS signals to fake the position of a vehicle, or otherwise make the positioning unreliable. An attacker is able to send fake GNSS/GPS signals to the receiver and successfully spoof a vehicle’s position. -#### Business Impact +**Business Impact** This vulnerability can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The GNSS/GPS signal is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This vulnerability can result in reputational damage and indirect financial loss 1. Observe that the GNSS/GPS signal has been spoofed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the GNSS/GPS communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s), causing GNSS/GPS spoofing: diff --git a/submissions/description/automotive_security_misconfiguration/abs/template.md b/submissions/description/automotive_security_misconfiguration/abs/template.md index 8d249d08..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/abs/template.md +++ b/submissions/description/automotive_security_misconfiguration/abs/template.md 
@@ -1,10 +1,10 @@ Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -#### Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -12,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/abs/unintended_acceleration_brake/template.md b/submissions/description/automotive_security_misconfiguration/abs/unintended_acceleration_brake/template.md index 8d249d08..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/abs/unintended_acceleration_brake/template.md +++ b/submissions/description/automotive_security_misconfiguration/abs/unintended_acceleration_brake/template.md 
@@ -1,10 +1,10 @@ Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -#### Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -12,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/battery_management_system/firmware_dump/template.md b/submissions/description/automotive_security_misconfiguration/battery_management_system/firmware_dump/template.md index 8d249d08..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/battery_management_system/firmware_dump/template.md +++ b/submissions/description/automotive_security_misconfiguration/battery_management_system/firmware_dump/template.md 
@@ -1,10 +1,10 @@ Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -#### Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -12,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/battery_management_system/fraudulent_interface/template.md b/submissions/description/automotive_security_misconfiguration/battery_management_system/fraudulent_interface/template.md index 8d249d08..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/battery_management_system/fraudulent_interface/template.md +++ b/submissions/description/automotive_security_misconfiguration/battery_management_system/fraudulent_interface/template.md 
@@ -1,10 +1,10 @@ Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -#### Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -12,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/battery_management_system/template.md b/submissions/description/automotive_security_misconfiguration/battery_management_system/template.md index 8d249d08..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/battery_management_system/template.md +++ b/submissions/description/automotive_security_misconfiguration/battery_management_system/template.md 
@@ -1,10 +1,10 @@ Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -#### Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -12,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_basic_safety_message/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_basic_safety_message/template.md index 2e589637..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_basic_safety_message/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_basic_safety_message/template.md 
@@ -1,10 +1,10 @@ The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_battery_management_system/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_battery_management_system/template.md index 2e589637..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_battery_management_system/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_battery_management_system/template.md 
@@ -1,10 +1,10 @@ The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_disallowed_messages/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_disallowed_messages/template.md index c9477d2f..93c5f6f6 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_disallowed_messages/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_disallowed_messages/template.md 
@@ -1,10 +1,10 @@ The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. The {{application}} allows an attacker to connect to the CAN Bus and send messages to the system that are otherwise not allowed. This can cause disruption to the communication between the vehicle’s electronic devices and control units. -#### Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result on {{target}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_dos/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_dos/template.md index 875f1332..172e96b0 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_dos/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_dos/template.md 
@@ -1,10 +1,10 @@ The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. The {{application}} allows an attacker to connect to the CAN Bus and send multiple messages to the system at a rate which can cause a Denial of Service (DOS) condition. This can cause disruption to the communication between the vehicle’s electronic devices and control units. -#### Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that a DoS condition has been created -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s) recursively causing a DoS condition: diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_headlights/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_headlights/template.md index 2e589637..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_headlights/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_headlights/template.md 
@@ -1,10 +1,10 @@ The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_powertrain/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_powertrain/template.md index 2e589637..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_powertrain/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_powertrain/template.md 
@@ -1,10 +1,10 @@ The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_pyrotechnical_device_deployment_tool/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_pyrotechnical_device_deployment_tool/template.md index 2e589637..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_pyrotechnical_device_deployment_tool/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_pyrotechnical_device_deployment_tool/template.md 
@@ -1,10 +1,10 @@ The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_sensors/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_sensors/template.md index 2e589637..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_sensors/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_sensors/template.md 
@@ -1,10 +1,10 @@ The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_steering_control/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_steering_control/template.md index 2e589637..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_steering_control/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_steering_control/template.md 
@@ -1,10 +1,10 @@ The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_vehicle_anti_theft_systems/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_vehicle_anti_theft_systems/template.md index 2e589637..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_vehicle_anti_theft_systems/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_vehicle_anti_theft_systems/template.md 
@@ -1,10 +1,10 @@ The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/template.md b/submissions/description/automotive_security_misconfiguration/can/template.md index 2e589637..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/template.md 
@@ -1,10 +1,10 @@ The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/immobilizer/engine_start/template.md b/submissions/description/automotive_security_misconfiguration/immobilizer/engine_start/template.md index 8d249d08..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/immobilizer/engine_start/template.md +++ b/submissions/description/automotive_security_misconfiguration/immobilizer/engine_start/template.md 
@@ -1,10 +1,10 @@ Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -#### Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -12,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/immobilizer/template.md b/submissions/description/automotive_security_misconfiguration/immobilizer/template.md index 8d249d08..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/immobilizer/template.md +++ b/submissions/description/automotive_security_misconfiguration/immobilizer/template.md 
@@ -1,10 +1,10 @@ Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -#### Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -12,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_can_bus_pivot/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_can_bus_pivot/template.md index c2e2557e..b4db69d5 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_can_bus_pivot/template.md 
+++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_can_bus_pivot/template.md @@ -1,10 +1,10 @@ The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can pivot into the CAN bus system and execute code by taking advantage of an IVI misconfiguration, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This IVI system misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The IVI system {{application}} uses this feature to {{action}}, exploited by {{action}} 1. Pivot into the CAN bus using this vulnerability by {{action}} @@ -14,7 +14,7 @@ This IVI system misconfiguration can result in reputational damage and indirect 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the IVI system communication occurs. It also shows how an attacker connects to the CAN bus, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_no_can_bus_pivot/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_no_can_bus_pivot/template.md index f2c3633c..be38ee27 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_no_can_bus_pivot/template.md 
+++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_no_can_bus_pivot/template.md @@ -1,10 +1,10 @@ The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can execute code on the IVI unit by taking advantage of a misconfiguration in the system, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This IVI system misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Perform reconnaissance on the application by {{action}}, using {{software}} on the system 1. The IVI system {{application}} exposes {{target}} on the system @@ -14,7 +14,7 @@ This IVI system misconfiguration can result in reputational damage and indirect 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the IVI system communication occurs. It also shows how an attacker is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/default_credentials/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/default_credentials/template.md index 379fdd76..b6819158 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/default_credentials/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/default_credentials/template.md 
@@ -1,17 +1,17 @@ The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. Default credentials in the IVI unit can be leveraged by an attacker to gain developer access to the system. From here, the attacker can cause the system to behave not as intended. -#### Business Impact +**Business Impact** Default credentials in the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Port scan the IVI unit by leveraging {{application}} and {{hardware}} 1. Bruteforce default credentials on exposed service(s) 1. Login to service(s) and run {{action}} 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the default password successfully authenticating an attacker into the infotainment system: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/dos_brick/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/dos_brick/template.md index 54bd427c..c4572c6f 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/dos_brick/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/dos_brick/template.md 
@@ -1,10 +1,10 @@ The In-Vehicle Infotainment (IVI) system is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can take advantage of an IVI misconfiguration and inject format strings into the IVI system, causing a Denial of Service (DoS) condition to the system. -#### Business Impact +**Business Impact** DoS in the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Perform reconnaissance on the application by {{action}}, using {{software}} on the system 1. The IVI system {{application}} exposes {{target}} on the system @@ -14,7 +14,7 @@ DoS in the IVI system can result in reputational damage and indirect financial l 1. Observe the inserted payload from infotainment system -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates theDoS from injected format strings on the target infotainment system: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/ota_firmware_manipulation/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/ota_firmware_manipulation/template.md index a0dca30f..9b1463be 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/ota_firmware_manipulation/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/ota_firmware_manipulation/template.md 
@@ -1,10 +1,10 @@ The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can take advantage of IVI misconfiguration and inject a payload into the IVI system, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This IVI system misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The IVI system input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This IVI system misconfiguration can result in reputational damage and indirect 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the IVI system communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/sensitive_data_leakage_exposure/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/sensitive_data_leakage_exposure/template.md index bacf488d..262823c4 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/sensitive_data_leakage_exposure/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/sensitive_data_leakage_exposure/template.md 
@@ -1,15 +1,15 @@ The In-Vehicle Infotainment (IVI) system is a the central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. The IVI system leaks sensitive data, allowing an attacker to collect this sensitive data via logs and user configurations within the underlying IVI interface. -#### Business Impact +**Business Impact** Sensitive data that is accessible from within the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. Additionally, the impact is further enhanced by the impact of the business having to respond, notify, and recover from a potential data breach if an attacker is successful in exfiltrating PII. -#### Steps to Reproduce +**Steps to Reproduce** 1. Power on {{target}} by {{action}} 1. Use {{application}} and notice that the data is stored/transmitted by {{application}} in an insecure manner -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates how and where to find the sensitive data on the vulnerable system: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/source_code_dump/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/source_code_dump/template.md index 69001ed1..5d04c34a 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/source_code_dump/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/source_code_dump/template.md 
@@ -1,16 +1,16 @@ The In-Vehicle Infotainment (IVI) system is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. Source code can be dumped in the target IVI system, allowing an attacker to read, release, and exploit code that should otherwise be hidden from users on the IVI unit. An attacker is able to dump firmware code online which also allows others to view, share, or exploit proprietary code. -#### Business Impact +**Business Impact** Source code that is accessible from within the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Acquire a bin or firmware file for {{target}} 1. Unzip the firmware using {{software}} 1. Unsquare file system using {{software}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the extracted firmware folder and snippets of exposed source code: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/template.md index a0dca30f..9b1463be 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/template.md 
@@ -1,10 +1,10 @@ The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can take advantage of IVI misconfiguration and inject a payload into the IVI system, causing the system to not behave as intended. -#### Business Impact +**Business Impact** This IVI system misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. The IVI system input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -14,7 +14,7 @@ This IVI system misconfiguration can result in reputational damage and indirect 1. Observe that {{action}} occurs as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the IVI system communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/unauthorized_access_to_services/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/unauthorized_access_to_services/template.md index 3adfe7bf..32322a01 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/unauthorized_access_to_services/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/unauthorized_access_to_services/template.md 
@@ -1,15 +1,15 @@ The In-Vehicle Infotainment (IVI) system is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. Unauthorized access to services in the IVI system can originate from wireless protocols, in-vehicle applications, and physical inputs that communicate with the vehicle’s IVI unit. An attacker can leverage the unauthorized service(s) to escalate privileges on the IVI unit, and compromise internal and external communications. -#### Business Impact +**Business Impact** Exposed services that are accessible from within the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Scan the {{target}} and find that {{application}} is exposed 1. Access application by {{action}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates that the IVI system is exposed to attackers: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/can_injection_interaction/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/can_injection_interaction/template.md index 4e8a8352..2971d0ab 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/can_injection_interaction/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/can_injection_interaction/template.md 
@@ -2,17 +2,17 @@ The Radio Frequency Hub (RFH) is a receiver hub which communicates with other el Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can exploit radio frequency interactions in the target and can interact and send messages to the CAN bus, disrupting the communication between the vehicle’s electronic devices and control units. -#### Business Impact +**Business Impact** This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Using {{software}} send command: {{payload}} 1. Observe that {{action}} occurs on the {{target}} as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/data_leakage_pull_encryption_mechanism/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/data_leakage_pull_encryption_mechanism/template.md index e66e21c2..6faa9b73 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/data_leakage_pull_encryption_mechanism/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/data_leakage_pull_encryption_mechanism/template.md 
@@ -2,17 +2,17 @@ The Radio Frequency Hub (RFH) is a receiver hub which communicates with other el Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can exploit radio frequency interactions in the target to decode the data sent Over the Air (OTA) or On-Vehicle as they are sent insecurely. Through this, an attacker can uncover PII or confidential data from encrypted communications. -#### Business Impact +**Business Impact** This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Perform a Person-in-the-Middle (PitM) attack by doing {{action}}, using {{hardware}} and {{software}} 1. Attempt to bypass the encryption by {{action}} or using meta data from the intercepted messages to decode/decrypt the communication -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/key_fob_cloning/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/key_fob_cloning/template.md index f979be78..1f0757ce 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/key_fob_cloning/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/key_fob_cloning/template.md 
@@ -2,17 +2,17 @@ The Radio Frequency Hub (RFH) is a receiver hub which communicates with other el Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can exploit the target system by creating a permanent clone of the key fob, giving permanent access to any vehicle of the same make/model. -#### Business Impact +**Business Impact** This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Use the {{application}} on {{target}} to clone key fob by {{action}} 1. Use the original key fob to roll the nonce, then unlock {{target}} using spoofed {{hardware}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/relay/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/relay/template.md index d18d9cc1..7fba7b39 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/relay/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/relay/template.md 
@@ -1,16 +1,16 @@ The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can leverage misconfigurations in the RFH and cause disruption to the communication between the vehicle’s electronic devices and control units. -#### Business Impact +**Business Impact** RFH misconfigurations can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Using {{software}} send command: {{payload}} 1. Observe that {{action}} occurs on the {{target}} as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/replay/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/replay/template.md index d18d9cc1..7fba7b39 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/replay/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/replay/template.md 
@@ -1,16 +1,16 @@ The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can leverage misconfigurations in the RFH and cause disruption to the communication between the vehicle’s electronic devices and control units. -#### Business Impact +**Business Impact** RFH misconfigurations can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Using {{software}} send command: {{payload}} 1. Observe that {{action}} occurs on the {{target}} as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/roll_jam/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/roll_jam/template.md index d18d9cc1..7fba7b39 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/roll_jam/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/roll_jam/template.md 
@@ -1,16 +1,16 @@ The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can leverage misconfigurations in the RFH and cause disruption to the communication between the vehicle’s electronic devices and control units. -#### Business Impact +**Business Impact** RFH misconfigurations can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Using {{software}} send command: {{payload}} 1. Observe that {{action}} occurs on the {{target}} as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/template.md index d18d9cc1..7fba7b39 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/template.md 
@@ -1,16 +1,16 @@ The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can leverage misconfigurations in the RFH and cause disruption to the communication between the vehicle’s electronic devices and control units. -#### Business Impact +**Business Impact** RFH misconfigurations can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Using {{software}} send command: {{payload}} 1. Observe that {{action}} occurs on the {{target}} as a result -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/unauthorized_access_turn_on/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/unauthorized_access_turn_on/template.md index a4527b9c..10eac746 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/unauthorized_access_turn_on/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/unauthorized_access_turn_on/template.md 
@@ -2,16 +2,16 @@ The Radio Frequency Hub (RFH) is a receiver hub which communicates with other el Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can control the power state of a device via radio frequency. They could exploit this by performing a Denial of Service (DoS) attack, preventing the owner of the vehicle from turning their vehicle on or off, as well as allowing for remote control of the vehicle during use. -#### Business Impact +**Business Impact** This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -#### Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Turn on {{target}} using {{hardware}} and/or {{software}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rsu/sybil_attack/template.md b/submissions/description/automotive_security_misconfiguration/rsu/sybil_attack/template.md index 8d249d08..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/rsu/sybil_attack/template.md +++ b/submissions/description/automotive_security_misconfiguration/rsu/sybil_attack/template.md 
@@ -1,10 +1,10 @@ Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -#### Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -12,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/rsu/template.md b/submissions/description/automotive_security_misconfiguration/rsu/template.md index 8d249d08..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/rsu/template.md +++ b/submissions/description/automotive_security_misconfiguration/rsu/template.md 
@@ -1,10 +1,10 @@ Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -#### Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -12,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/template.md b/submissions/description/automotive_security_misconfiguration/template.md index 8d249d08..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/template.md +++ b/submissions/description/automotive_security_misconfiguration/template.md 
@@ -1,10 +1,10 @@ Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -#### Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -12,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/broken_access_control/exposed_sensitive_android_intent/template.md b/submissions/description/broken_access_control/exposed_sensitive_android_intent/template.md index e9fc1419..f85e1125 100644 --- a/submissions/description/broken_access_control/exposed_sensitive_android_intent/template.md +++ b/submissions/description/broken_access_control/exposed_sensitive_android_intent/template.md 
@@ -1,11 +1,11 @@ An `Intent` is a messaging object used within an Android application to request action from a different component of the application. When a request occurs and information is retrieved, a lack of validation can result in access controls being bypassed and sensitive information being leaked. The application has an exposed sensitive Android `Intent` which an attacker can query to gather sensitive information from the application which they could use to perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -18,7 +18,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Observe that the account now has additional user functionality and access to data it was previously not authorized to access -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the broken access control: diff --git a/submissions/description/broken_access_control/exposed_sensitive_ios_url_scheme/template.md b/submissions/description/broken_access_control/exposed_sensitive_ios_url_scheme/template.md index 31840090..780216c5 100644 --- a/submissions/description/broken_access_control/exposed_sensitive_ios_url_scheme/template.md +++ b/submissions/description/broken_access_control/exposed_sensitive_ios_url_scheme/template.md 
@@ -2,11 +2,11 @@ A URL Scheme helps facilitate the transfer of a limited amount of data between i The application has an exposed sensitive iOS URL Scheme, which an attacker can take advantage of to perform an AitM attack, bypass the access controls of the application, and gather sensitive user data. This data could be used to perform further attacks on the application, the business, or its users, including account takeover. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -19,7 +19,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Observe that the account now has additional user functionality and access to data it was previously not authorized to access -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the broken access control: diff --git a/submissions/description/broken_access_control/idor/edit_delete_sensitive_information_iterable_object_identifiers/template.md b/submissions/description/broken_access_control/idor/edit_delete_sensitive_information_iterable_object_identifiers/template.md index 5a34324b..8c19340e 100644 --- a/submissions/description/broken_access_control/idor/edit_delete_sensitive_information_iterable_object_identifiers/template.md +++ b/submissions/description/broken_access_control/idor/edit_delete_sensitive_information_iterable_object_identifiers/template.md 
@@ -1,10 +1,10 @@ Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application allows an attacker to alter sensitive information by iterating through object identifiers. -#### Business Impact +**Business Impact** IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -16,7 +16,7 @@ IDOR can lead to reputational damage for the business through the impact to cust {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/read_edit_delete_non_sensitive_information/template.md b/submissions/description/broken_access_control/idor/read_edit_delete_non_sensitive_information/template.md index 4cd60a69..2bb71e30 100644 --- a/submissions/description/broken_access_control/idor/read_edit_delete_non_sensitive_information/template.md +++ b/submissions/description/broken_access_control/idor/read_edit_delete_non_sensitive_information/template.md 
@@ -1,10 +1,10 @@ Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application can be leveraged by an attacker to bypass access controls, manipulate and read non-sensitive information. -#### Business Impact +**Business Impact** IDOR can result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -16,7 +16,7 @@ IDOR can result in reputational damage for the business through the impact to cu {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_guid/template.md b/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_guid/template.md index bbfb7922..1152e84f 100644 --- a/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_guid/template.md +++ b/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_guid/template.md 
@@ -1,10 +1,10 @@ Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application leads to unauthorized access to, and manipulation of, sensitive data. An attacker is able to bypass access controls, by retrieving another user's Globally Unique Identifier (GUID). -#### Business Impact +**Business Impact** IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -16,7 +16,7 @@ IDOR can lead to reputational damage for the business through the impact to cust {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_iterable_object_identifiers/template.md b/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_iterable_object_identifiers/template.md index 3ad0dc8d..8b49d9d9 100644 --- a/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_iterable_object_identifiers/template.md +++ b/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_iterable_object_identifiers/template.md 
@@ -1,10 +1,10 @@ Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application allows an attacker to read Personally Identifiable Information (PII) by iterating through object identifiers. -#### Business Impact +**Business Impact** IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -16,7 +16,7 @@ IDOR can lead to reputational damage for the business through the impact to cust {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/read_sensitive_information_iterable_object_identifiers/template.md b/submissions/description/broken_access_control/idor/read_sensitive_information_iterable_object_identifiers/template.md index 6a0e9d12..eb1f8b10 100644 --- a/submissions/description/broken_access_control/idor/read_sensitive_information_iterable_object_identifiers/template.md +++ b/submissions/description/broken_access_control/idor/read_sensitive_information_iterable_object_identifiers/template.md 
@@ -1,10 +1,10 @@ Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application allows an attacker to read sensitive information by iterating through object identifiers. -#### Business Impact +**Business Impact** IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -16,7 +16,7 @@ IDOR can lead to reputational damage for the business through the impact to cust {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/template.md b/submissions/description/broken_access_control/idor/template.md index fcafa6d7..b21ed7c4 100644 --- a/submissions/description/broken_access_control/idor/template.md +++ b/submissions/description/broken_access_control/idor/template.md 
@@ -1,10 +1,10 @@ Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application can be leveraged by an attacker to manipulate, destroy, or disclose data through their ability to bypass access controls, horizontally or vertically escalate their privileges, and gain access to sensitive information or take over users' accounts. -#### Business Impact +**Business Impact** IDOR can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -16,7 +16,7 @@ IDOR can lead to indirect financial loss through an attacker accessing, deleting {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/privilege_escalation/template.md b/submissions/description/broken_access_control/privilege_escalation/template.md index 0402bcf9..cf136231 100644 --- a/submissions/description/broken_access_control/privilege_escalation/template.md +++ b/submissions/description/broken_access_control/privilege_escalation/template.md 
@@ -1,10 +1,10 @@ Access controls can be bypassed through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, by manipulating the form, or by counterfeiting sessions. The access controls for this application can be bypassed by an attacker who can gain access to a privileged user’s account and functionality. As a result, the attacker has access to more resources or functionality within the application. This could include viewing or editing sensitive customer data, and viewing or editing other user permissions. -#### Business Impact +**Business Impact** The impact of this vulnerability can vary in severity depending on the degree of access to resources or functionality the attacker is able to gain. An attacker with the ability to access, delete, or modify data from within the application could result in reputational damage for the business through the impact to customers’ trust. This can also result in indirect financial cost to the business through fines and regulatory bodies if sensitive data is accessed. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -26,7 +26,7 @@ The impact of this vulnerability can vary in severity depending on the degree of 1. Forward the request then turn off interception in the proxy 1. Observe that User Account A now has additional Administrator privileges and user functionality it was previously not authorized to access -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the access controls being bypassed. diff --git a/submissions/description/broken_access_control/template.md b/submissions/description/broken_access_control/template.md index 0a81a3b6..7fe684a8 100644 
--- a/submissions/description/broken_access_control/template.md +++ b/submissions/description/broken_access_control/template.md @@ -1,10 +1,10 @@ When access controls are broken, users are able to perform functions outside of their intended user functionality within the application. Access controls help enforce users' access and how they interact with applications and APIs through authorization. There can be vertical, horizontal, and conditional access controls which give a user their intended permissions within an application. Broken access control in this application can be leveraged by an attacker to elevate privileges, or manipulate, destroy, or disclose data, depending on the type of access control vulnerability being exploited. -#### Business Impact +**Business Impact** Broken access controls can lead to financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +17,7 @@ Broken access controls can lead to financial loss through an attacker accessing, 1. Observe that the account now has additional user functionality and access to data it was previously not authorized to access -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the broken access control: diff --git a/submissions/description/broken_access_control/username_enumeration/non_brute_force/template.md b/submissions/description/broken_access_control/username_enumeration/non_brute_force/template.md index 9e8c3384..3d0f5927 100644 
--- a/submissions/description/broken_access_control/username_enumeration/non_brute_force/template.md +++ b/submissions/description/broken_access_control/username_enumeration/non_brute_force/template.md @@ -1,16 +1,16 @@ Username enumeration is a vulnerability where an attacker is able to confirm or guess correct usernames through a difference in the server’s response to input. It often occurs on login, registration, and password reset pages. This application has a username enumeration vulnerability which allows an attacker to identify the username or email of a user without brute forcing it, allowing an attacker to gain this user information for all users within the application in a short period of time. -#### Business Impact +**Business Impact** Username enumeration can result in reputational damage for the business through the impact to customers’ trust in the application’s security of user accounts. If an attacker is able to chain this vulnerability with another it can lead to user account compromise and data exfiltration. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Attempt to authenticate 1. Observe the response from the server indicating that the username/email is valid or not -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the response from the server: diff --git a/submissions/description/broken_access_control/username_enumeration/template.md b/submissions/description/broken_access_control/username_enumeration/template.md index a3af3ed3..ed2c9193 100644 --- a/submissions/description/broken_access_control/username_enumeration/template.md +++ b/submissions/description/broken_access_control/username_enumeration/template.md 
@@ -1,16 +1,16 @@ Username enumeration is a vulnerability where an attacker is able to confirm or guess correct usernames through the difference in the server’s response to input. It often occurs on login, registration, and password reset pages. This application has a username enumeration vulnerability which allows an attacker to brute force passwords, stuff credentials, or for further attacks such as social engineering. -#### Business Impact +**Business Impact** Username enumeration can result in reputational damage for the business through the impact to customers’ trust in the application’s security of user accounts. If an attacker is able to chain this vulnerability with another it can lead to user account compromise and data exfiltration. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Attempt to authenticate 1. Observe the response from the server indicating that the username/email is valid or not -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the response from the server: diff --git a/submissions/description/broken_authentication_and_session_management/authentication_bypass/template.md b/submissions/description/broken_authentication_and_session_management/authentication_bypass/template.md index 52facc0d..33a7ef5e 100644 --- a/submissions/description/broken_authentication_and_session_management/authentication_bypass/template.md +++ b/submissions/description/broken_authentication_and_session_management/authentication_bypass/template.md 
@@ -2,17 +2,17 @@ Authentication bypass vulnerabilities allow an attacker to gain access to an acc Authentication bypass often occurs through logic flaws and incomplete implementation of authentication mechanisms. Bypassing the authentication mechanisms of this application allows an attacker to view or edit data or other user's permissions, take over user accounts, access unauthorized endpoints, or expose critical data, depending on the authorization of the account they gain access to. -#### Business Impact +**Business Impact** Authentication bypass can lead to data loss or theft through an attacker's access to data. The severity of which is dependent on the sensitivity of the data within the application. It can also result in reputational damage to the application or the company due to legitimate users not trusting the security of the application if the application's data becomes publicly available. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to: {{URL}} and login as a regular user 1. In the URL, change the `/user` to `/user/administrator` 1. Observe that the application now allows the user to view other user's profile details. These actions are usually restricted to an authenticated user -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following image(s) show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/cleartext_transmission_of_session_token/template.md b/submissions/description/broken_authentication_and_session_management/cleartext_transmission_of_session_token/template.md index d3bdb9d7..fabc7c3d 100644 --- a/submissions/description/broken_authentication_and_session_management/cleartext_transmission_of_session_token/template.md +++ b/submissions/description/broken_authentication_and_session_management/cleartext_transmission_of_session_token/template.md 
@@ -1,10 +1,10 @@ Session tokens help a server trust that the requests it is receiving come from a specific authenticated user. When a session token is transmitted in cleartext over an unencrypted channel, it can be intercepted via a Person-in-the-Middle (PitM) attack. This application transmits the session token via a cleartext transmission which can allow an attacker to access the session token via a PitM attack and send requests to the server pretending to be the legitimate user. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft through the attacker’s ability to manipulate data through their ability to make requests to the server through a legitimate session token. However, the attacker is limited by the legitimate user’s privileges within the application/ -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -12,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Observe the `Secure` flag is not set 1. Observe that cookies are sent in cleartext -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show the session token being transmitted via cleartext: diff --git a/submissions/description/broken_authentication_and_session_management/concurrent_logins/template.md b/submissions/description/broken_authentication_and_session_management/concurrent_logins/template.md index d6fd3fb6..af6e537a 100644 --- a/submissions/description/broken_authentication_and_session_management/concurrent_logins/template.md +++ b/submissions/description/broken_authentication_and_session_management/concurrent_logins/template.md 
@@ -1,17 +1,17 @@ Having multiple concurrent logins can allow an attacker to reuse stolen or acquired session tokens to hijack requests. Old sessions are commonly found in open source intelligence efforts or through sniffed requests via Person-in-The-Middle (PitM) attacks. An attacker can use previously acquired sessions to exploit the privacy of a user of this application by continually accessing their account. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to the application 1. Using an incognito tab or another browser, login using the same credentials 1. Observe that both sessions remain valid -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show the concurrent logins: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/template.md index 2307c55f..97f7b1f7 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/template.md 
@@ -2,11 +2,11 @@ Sessions commonly fail to invalidate active sessions. An attacker can use previo An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the request using the HTTP interception proxy 1. Observe that the application responds to the request -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/long_timeout/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/long_timeout/template.md index 9068c942..a353ad12 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/long_timeout/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/long_timeout/template.md 
@@ -2,11 +2,11 @@ Sessions commonly fail to invalidate active sessions. An attacker can use previo An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the request using the HTTP interception proxy 1. Observe that the application responds to the request -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/template.md index 903b6251..f9caacf1 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/template.md 
@@ -2,11 +2,11 @@ Sessions commonly fail to invalidate active sessions. An attacker can use previo An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +17,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the request using the HTTP interception proxy 1. Observe that the application responds to the request -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/template.md index d3230547..6f4418a9 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/template.md 
@@ -2,13 +2,13 @@ Failure to invalidate a session when a user logs out is a vulnerability that inc This application fails to invalidate a user’s session on logout, leaving the account vulnerable to session hijacking. An attacker may compromise a user’s session then be able to change the password of the account and lock out the legitimate user. Once the attacker has gained access to an account their actions are only limited by the privileges of the user’s account that they have gained access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. Failure to invalidate a session on logout may also lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +23,7 @@ Failure to invalidate a session on logout may also lead to data theft through th 1. Observe that the session token was not invalidated on logout -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show the logout occurring and the application failing to invalidate the session: 
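Review bot: Every hunk in these templates swaps a real markdown heading for bold text (`-#### Business Impact` / `+**Business Impact**`, and the same for "Steps to Reproduce" and "Proof of Concept (PoC)"), which removes those sections from the rendered document outline, from heading anchors, and from screen-reader heading navigation. If the target renderer cannot display `####`, a shallower heading level such as `###` keeps the structure; if bold is deliberate, the commit message should say why so that future templates follow the same convention.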
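Review bot: Since every one of these files is being touched anyway, the context lines show copy errors that should go in the same pass: "Enable a HTTP interception proxy" (exposed_sensitive_android_intent, exposed_sensitive_ios_url_scheme, privilege_escalation, broken_access_control, cleartext_transmission_of_session_token and the failure_to_invalidate_session templates) should read "an HTTP"; "within the application/" in cleartext_transmission_of_session_token ends in a stray slash instead of a full stop; "shows the the application failing to invalidate the session" in the all_sessions, long_timeout and on_email_change templates doubles "the"; and the automotive template uses both "unauthorised access" and "unauthorized access" in the same file.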
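Review bot: Terminology drifts across the templates: exposed_sensitive_ios_url_scheme says "AitM attack" while cleartext_transmission_of_session_token and concurrent_logins say "Person-in-the-Middle (PitM)", and concurrent_logins capitalises it "Person-in-The-Middle"; settle on one expansion and abbreviation. In the authentication_bypass template, "other user's permissions" and "other user's profile details" should be the plural possessive "other users'", since the steps describe viewing details of multiple users.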
diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/template.md index 61b4cdd6..490ba793 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/template.md 
@@ -2,13 +2,13 @@ Failure to invalidate a session when a user logs out is a vulnerability that inc This application fails to invalidate a user’s session server-side on logout, leaving the account vulnerable to session hijacking. An attacker may compromise a user’s session then be able to change the password of the account and lock out the legitimate user. Once the attacker has gained access to an account their actions are only limited by the privileges of the user’s account that they have gained access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. Failure to invalidate a session on logout may also lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +23,7 @@ Failure to invalidate a session on logout may also lead to data theft through th 1. Observe that the session token was not invalidated on logout -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below show the logout occurring and the application failing to invalidate the session: 
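Review bot: "The screenshot below show the logout occurring" in the on_logout_server_side_only PoC context line has a subject-verb mismatch; the sibling on_logout template reads "The screenshots below show", so either pluralise "screenshot" here or change "show" to "shows".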
diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_password_change/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_password_change/template.md index 8ab47736..e05c610b 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_password_change/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_password_change/template.md 
@@ -1,17 +1,17 @@ An attacker may compromise a user's session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker's actions are limited by the privileges of the user's account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. Additionally, this can cause escalations where a user knows that their account is compromised, but have no means of evicting an attacker by changing their password. -#### Steps to Reproduce +**Steps to Reproduce** 1. Using one browser (Browser A), sign into a user's account using the login page: {{URL}} 1. Using a different browser (Browser B), sign into the same user's account 1. Using Browser A, change the password of the account 1. Using Browser B, observe that the user session is still valid -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show the password change and the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_two_fa_activation_change/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_two_fa_activation_change/template.md index 8b129c6f..7723e07d 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_two_fa_activation_change/template.md 
+++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_two_fa_activation_change/template.md @@ -2,11 +2,11 @@ Failure to invalidate a session after a change in Two-Factor Authentication (2FA An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password or set their own 2FA on the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Sign into a user’s account (Browser A) 1. Sign into the same user’s account, using a different browser (Browser B) @@ -14,7 +14,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Using Browser B, perform an authenticated action, such as changing the profile name 1. Observe that the authenticated action is successful and that the user session is still valid -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show 2FA being set and the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/permission_change/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/permission_change/template.md index 402986e7..00bf6700 100644 
--- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/permission_change/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/permission_change/template.md @@ -1,15 +1,15 @@ -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Using one browser (Browser A), sign into a user's account using the login page: {{URL}} 1. Using a different browser (Browser B), sign into the same user's account 1. Using Browser A, change the permission level of the account 1. Using Browser B, observe that the user session is still valid with elevated account permissions -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/template.md index c4b9e693..a2cf7681 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/template.md 
@@ -2,17 +2,17 @@ Failure to invalidate a session is a vulnerability which allows an attacker to m An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Sign into a user’s account (Browser A) 1. Sign into the same user’s account, using a different browser (Browser B) 1. Observe that both user sessions are valid -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/session_fixation/local_attack_vector/template.md b/submissions/description/broken_authentication_and_session_management/session_fixation/local_attack_vector/template.md index aa587697..57c6b9a6 100644 --- a/submissions/description/broken_authentication_and_session_management/session_fixation/local_attack_vector/template.md +++ b/submissions/description/broken_authentication_and_session_management/session_fixation/local_attack_vector/template.md 
@@ -1,10 +1,10 @@ Session fixation occurs when there is an error in the way the application manages session IDs for users. An attacker with local access to the application can set the session or cookies manually to force the targeted user’s browser to fixate on using the attacker's session cookies. This can be performed remotely by setting a token in the URL or a hidden form by chaining vulnerabilities. -#### Business Impact +**Business Impact** This vulnerability could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -16,7 +16,7 @@ This vulnerability could lead to data theft through the attacker’s ability to 1. Open another container or incognito session and set the cookie manually 1. Observe the application does {{action}} to show that the session is fixated -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below shows the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/session_fixation/remote_attack_vector/template.md b/submissions/description/broken_authentication_and_session_management/session_fixation/remote_attack_vector/template.md index f76ef0c5..b2932317 100644 --- a/submissions/description/broken_authentication_and_session_management/session_fixation/remote_attack_vector/template.md +++ b/submissions/description/broken_authentication_and_session_management/session_fixation/remote_attack_vector/template.md 
@@ -1,10 +1,10 @@ Session fixation occurs when there is an error in the way the application manages session IDs for users. An attacker with remote access to the application can set the session or cookies manually to force the targeted user’s browser to fixate on using the attacker's session cookies.This can be performed remotely by setting a token in the URL or a hidden form by chaining vulnerabilities. -#### Business Impact +**Business Impact** This vulnerability could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -15,7 +15,7 @@ This vulnerability could lead to data theft through the attacker’s ability to 1. Perform {{action}} to send the request in an incognito browser and login using the same user credentials -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below shows the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/session_fixation/template.md b/submissions/description/broken_authentication_and_session_management/session_fixation/template.md index 95dc03af..d1d593ac 100644 --- a/submissions/description/broken_authentication_and_session_management/session_fixation/template.md +++ b/submissions/description/broken_authentication_and_session_management/session_fixation/template.md 
@@ -1,10 +1,10 @@ Session fixation occurs when there is an error in the way the application manages session IDs for users. An attacker with access to the application can set the session or cookies manually to force the targeted user’s browser to fixate on using the attacker's session cookies. This can be performed by setting a token in the URL or a hidden form by chaining vulnerabilities. -#### Business Impact +**Business Impact** This vulnerability could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -16,7 +16,7 @@ This vulnerability could lead to data theft through the attacker’s ability to 1. Open another container or incognito session and set the cookie manually 1. Observe the application does {{action}} to show that the session is fixated -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below shows the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/template.md b/submissions/description/broken_authentication_and_session_management/template.md index 95c19460..580f3fd0 100644 --- a/submissions/description/broken_authentication_and_session_management/template.md +++ b/submissions/description/broken_authentication_and_session_management/template.md 
@@ -2,11 +2,11 @@ Broken authentication and session management vulnerabilities exist when a user i This application has authentication and session management controls which an attacker can bypass to access a user account. The attacker is only limited by the permissions of the user account they access, including Administrator users. This could include viewing or editing sensitive customer data, viewing or editing other user permissions, and taking over other user accounts or elevating privileges. -#### Business Impact +**Business Impact** Broken authentication and session management could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -18,7 +18,7 @@ Broken authentication and session management could lead to data theft through th 1. Observe that the authentication method or session management has been compromised in some way -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the broken authentication and session management: diff --git a/submissions/description/broken_authentication_and_session_management/two_fa_bypass/template.md b/submissions/description/broken_authentication_and_session_management/two_fa_bypass/template.md index 6d483f33..57d2e09a 100644 --- a/submissions/description/broken_authentication_and_session_management/two_fa_bypass/template.md +++ b/submissions/description/broken_authentication_and_session_management/two_fa_bypass/template.md 
@@ -2,11 +2,11 @@ Incorrectly implemented Second Factor Authentication (2FA) mechanisms can be byp The attacker is only limited by the permissions of the user account they access, including Administrator users. This could include viewing or editing sensitive customer data, viewing or editing other user permissions, and taking over other user accounts or elevating privileges. -#### Business Impact +**Business Impact** Bypassing 2FA mechanisms could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +20,7 @@ Bypassing 2FA mechanisms could lead to data theft through the attacker’s abili 1. Observe that the 2FA mechanism has been bypassed and a successful login has occurred -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates that 2FA has been bypassed: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/http_and_https_available/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/http_and_https_available/template.md index aa17b637..959b43f7 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/http_and_https_available/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/http_and_https_available/template.md 
@@ -1,17 +1,17 @@ Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This application does not protect the security of users’ credentials as it allows the login page to load over both a HTTP and a HTTPS connection. This means that it is possible for web requests to be transmitted over HTTP in plaintext, allowing an attacker on the same network to observe these requests, and obtain the login credentials. -#### Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gain access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the credentials are submitted HTTPS, but are also accessible on HTTP -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/https_not_available_or_http_by_default/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/https_not_available_or_http_by_default/template.md index d90ba57f..fb76a722 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/https_not_available_or_http_by_default/template.md 
+++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/https_not_available_or_http_by_default/template.md @@ -1,17 +1,17 @@ Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. When this application loads the login page over HTTP by default or doesn’t have HTTPS available, all web requests are transmitted over HTTP in plaintext. This allows any attacker on the same network to observe these requests, and obtain the login credentials. -#### Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gain access to the user’s account. From here, the attacker could delete or modify the users data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the credentials are submitted over HTTP by default -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/lan_only/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/lan_only/template.md index 824aa2e9..8bcb6b9f 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/lan_only/template.md 
+++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/lan_only/template.md @@ -1,10 +1,10 @@ Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This application does not protect the security of users’ credentials as the login is only available via a LAN connection. A malicious attacker can Person-in-the-Middle (PiTM) communication between the user and the application on the LAN to steal administrative credentials and login to the system using admin privileges. -#### Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gaining access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -#### Steps to Reproduce +**Steps to Reproduce** 1. On the LAN, poison the DNS and ARP tables of the target: @@ -16,7 +16,7 @@ Weak login function can lead to indirect financial loss through an attacker acce 1. Forward the request to see that the requests are unencrypted in transit -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/not_operational/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/not_operational/template.md index 20ce7e45..3283ea22 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/not_operational/template.md 
+++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/not_operational/template.md @@ -1,10 +1,10 @@ Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This application does not protect the security of users’ credentials as it allows a login function to load on a non-operational endpoint that is not intended for public access. An attacker can Person-in-the-Middle (PiTM) communication between the user and the application on the specified IP to steal administrative credentials and login to the system using admin privileges. -#### Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gaining access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to the vulnerable endpoint: {{URL or x.x.x.x}} @@ -16,7 +16,7 @@ Weak login function can lead to indirect financial loss through an attacker acce 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the requests are unencrypted in transit -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshots show the full exploit: 
diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/other_plaintext_protocol_no_secure_alternative/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/other_plaintext_protocol_no_secure_alternative/template.md index 029348a6..55dec947 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/other_plaintext_protocol_no_secure_alternative/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/other_plaintext_protocol_no_secure_alternative/template.md 
@@ -1,17 +1,17 @@ Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This application does not protect the security of users’ credentials as it allows the authentication to be transmitted over a plaintext protocol and does not implement a secure alternative. This means that it is possible for user credentials to be transmitted in plaintext, allowing an attacker on the same network to observe these requests, and obtain the login credentials. -#### Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gain access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the credentials are submitted over an unsecure protocol and there is no option for HTTPS -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/over_http/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/over_http/template.md index 89d576ef..d6bf7d39 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/over_http/template.md 
+++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/over_http/template.md @@ -1,17 +1,17 @@ Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. When this application loads the login page over HTTP all web requests are transmitted in plaintext, allowing any attacker on the same network to observe these requests, and obtain the login credentials. -#### Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gain access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the credentials are submitted over HTTP -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/template.md index 38467474..0bc402c1 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/template.md 
@@ -1,10 +1,10 @@ Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This can lead to an attacker gaining access to user data and functionality of the application by taking advantage of the broken authentication and session management mechanisms. -#### Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -16,7 +16,7 @@ Weak login function can lead to indirect financial loss through an attacker acce 1. Observe in the HTTP interception proxy a 200 OK in the HTTP response indicating valid access -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/over_http/template.md b/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/over_http/template.md index f4461f2a..4f53a1bf 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/over_http/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/over_http/template.md 
@@ -1,16 +1,16 @@ When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. The application sends a registration or confirmation link over an unsecure HTTP connection. An attacker with local network access can intercept and read the content of the HTTP connection, allowing them to abuse the registration process and misuse user accounts. -#### Business Impact +**Business Impact** Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Register a new user account 1. Observe that the registration implementation is connected over HTTP -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak registration implementation: diff --git a/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/template.md b/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/template.md index f4eb7408..96397da4 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/template.md 
@@ -1,16 +1,16 @@ When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. An application's registration process can be weakened by a connection over HTTP, or by allowing users to submit a disposable or alias email address to register an account, for example.The weak registration implementation for this application could allow an attacker to abuse the registration process and bulk register fake user profiles to launch spam campaigns. -#### Business Impact +**Business Impact** Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Register an account 1. {{action}} and observe that the registration implementation is weak -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak registration implementation: diff --git a/submissions/description/client_side_injection/binary_planting/no_privilege_escalation/template.md b/submissions/description/client_side_injection/binary_planting/no_privilege_escalation/template.md index 614b1304..c3258163 100644 --- a/submissions/description/client_side_injection/binary_planting/no_privilege_escalation/template.md +++ b/submissions/description/client_side_injection/binary_planting/no_privilege_escalation/template.md 
@@ -1,10 +1,10 @@ Client-side injection via binary planting is a vulnerability that results from client-side untrusted data, in the form of a binary file, being interpreted and executed by the system. Within the application an attacker is able to load a planted binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} @@ -12,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Upload binary file using {{action}} 1. {{action}} to see permissions executed by the system -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the binary planting: diff --git a/submissions/description/client_side_injection/binary_planting/non_default_folder_privilege_escalation/template.md b/submissions/description/client_side_injection/binary_planting/non_default_folder_privilege_escalation/template.md index 6c5ce388..c01d0d6b 100644 --- a/submissions/description/client_side_injection/binary_planting/non_default_folder_privilege_escalation/template.md +++ b/submissions/description/client_side_injection/binary_planting/non_default_folder_privilege_escalation/template.md 
@@ -1,10 +1,10 @@ Client-side injection via binary planting is a vulnerability that results from client-side untrusted data, in the form of a binary file, being interpreted and executed by the system. Within the application an attacker is able to load a planted binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. It could also result in privacy violations, fraud, or account takeover depending on the type of privilege escalation obtained by the attacker. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} @@ -12,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Upload binary file using {{action}} 1. {{action}} to see permissions executed by the system -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the binary planting: diff --git a/submissions/description/client_side_injection/binary_planting/privilege_escalation/template.md b/submissions/description/client_side_injection/binary_planting/privilege_escalation/template.md index 44bd7ab4..57630d08 100644 --- a/submissions/description/client_side_injection/binary_planting/privilege_escalation/template.md +++ b/submissions/description/client_side_injection/binary_planting/privilege_escalation/template.md 
@@ -1,10 +1,10 @@ Client-side injection via binary planting is a vulnerability that results from client-side untrusted data, in the form of a binary file, being interpreted and executed by the system. Within the application an attacker is able to load a planted binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to elevate their privileges in the default folder location. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. It could also result in privacy violations, fraud, or account takeover depending on the type of privilege escalation obtained by the attacker. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} @@ -12,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Upload binary file using {{action}} 1. {{action}} to see permissions executed by the system -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the binary planting: diff --git a/submissions/description/client_side_injection/binary_planting/template.md b/submissions/description/client_side_injection/binary_planting/template.md index 614b1304..c3258163 100644 --- a/submissions/description/client_side_injection/binary_planting/template.md +++ b/submissions/description/client_side_injection/binary_planting/template.md 
@@ -1,10 +1,10 @@ Client-side injection via binary planting is a vulnerability that results from client-side untrusted data, in the form of a binary file, being interpreted and executed by the system. Within the application an attacker is able to load a planted binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} @@ -12,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Upload binary file using {{action}} 1. {{action}} to see permissions executed by the system -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the binary planting: diff --git a/submissions/description/client_side_injection/template.md b/submissions/description/client_side_injection/template.md index 4f071baa..9cd9cfed 100644 --- a/submissions/description/client_side_injection/template.md +++ b/submissions/description/client_side_injection/template.md 
@@ -1,16 +1,16 @@ Client-side injection is a vulnerability that results from untrusted client-side data being interpreted and executed by the system without any checks. Within the application an attacker is able to inject data in the form of JavaScript, or a binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} 1. Perform {{action}} to see the injected code executed by the system -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the client-side injection: diff --git a/submissions/description/cross_site_request_forgery_csrf/action_specific/authenticated_action/template.md b/submissions/description/cross_site_request_forgery_csrf/action_specific/authenticated_action/template.md index 01115b71..6b60933d 100644 --- a/submissions/description/cross_site_request_forgery_csrf/action_specific/authenticated_action/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/action_specific/authenticated_action/template.md 
@@ -2,11 +2,11 @@ Cross-Site Request Forgery (CSRF) occurs when requests to the application are su CSRF is possible for this application for an authenticated user action, allowing an attacker to submit requests to the application on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -#### Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code: @@ -23,7 +23,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/action_specific/logout/template.md b/submissions/description/cross_site_request_forgery_csrf/action_specific/logout/template.md index b429eff8..912f04f2 100644 --- a/submissions/description/cross_site_request_forgery_csrf/action_specific/logout/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/action_specific/logout/template.md 
@@ -2,11 +2,11 @@ Cross-Site Request Forgery (CSRF) occurs when requests to the application are su CSRF is possible within this application, allowing an attacker to log-out a valid user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain, logging the user out of their session. An attacker can deny service to users using this CSRF vector to prevent access to the application and constantly logging users out. -#### Business Impact +**Business Impact** CSRF could lead to reputational damage for the business through the impact to customers’ trust due to not being able to reliably access the application. This could also cause indirect financial impacts to the business. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code: @@ -23,7 +23,7 @@ and forward the request to the endpoint: 1. Observe the user was logged out, proving that the CSRF POC code was successful -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/action_specific/template.md b/submissions/description/cross_site_request_forgery_csrf/action_specific/template.md index a663fd40..9b9fc686 100644 --- a/submissions/description/cross_site_request_forgery_csrf/action_specific/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/action_specific/template.md 
@@ -4,11 +4,11 @@ CSRF is possible for this application for a specific action, such as a logout, l When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. The attacker’s actions are limited by the privileges of the user, as well as the application’s capabilities and the data stored within it. -#### Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login to the application at: {{URL}} @@ -28,7 +28,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/action_specific/unauthenticated_action/template.md b/submissions/description/cross_site_request_forgery_csrf/action_specific/unauthenticated_action/template.md index 2b5dc905..fdb75eee 100644 --- a/submissions/description/cross_site_request_forgery_csrf/action_specific/unauthenticated_action/template.md 
+++ b/submissions/description/cross_site_request_forgery_csrf/action_specific/unauthenticated_action/template.md @@ -2,11 +2,11 @@ Cross-Site Request Forgery (CSRF) occurs when requests to the application are su CSRF is possible for this application for an unauthenticated user action, allowing an attacker to submit requests to the application on behalf of an unauthenticated user. This can include actions such as registration which can result in multiple fake accounts, or a login action which can login accounts uneccisarily. -#### Business Impact +**Business Impact** CSRF could lead to reputational damage for the business through the impact to customers’ trust in the application. Not having CSRF protection on unauthenticated actions means the application is more susceptible to XSS attacks which can involve an attacker gaining access to user data. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code: @@ -23,7 +23,7 @@ CSRF could lead to reputational damage for the business through the impact to cu 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/application_wide/template.md b/submissions/description/cross_site_request_forgery_csrf/application_wide/template.md index ccda771d..6a4c3163 100644 --- a/submissions/description/cross_site_request_forgery_csrf/application_wide/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/application_wide/template.md 
@@ -2,11 +2,11 @@ Cross-Site Request Forgery (CSRF) occurs when requests to the application are su Application-wide CSRF is possible for this application, allowing an attacker to submit requests to the application on behalf of an authenticated user on multiple endpoints. This can include changing the password and email associated with the account, or deleting the user account. These actions can severely disrupt a user's experience and lead to account takeover. -#### Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code: @@ -24,7 +24,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} 1. Repeat the above steps for every user action on the application, demonstrating that the lack of CSRF protection is an application-wide issue -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/template.md b/submissions/description/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/template.md index 6c9de488..8c5c7a0d 100644 --- a/submissions/description/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/template.md 
+++ b/submissions/description/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/template.md @@ -2,11 +2,11 @@ Cross-Site Request Forgery (CSRF) occurs when requests to the application are su CSRF is possible for this application as the CSRF token is not unique per request, allowing an attacker to submit requests to the application on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -#### Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to sign into the application at: {{URL}} @@ -26,7 +26,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/flash_based/high_impact/template.md b/submissions/description/cross_site_request_forgery_csrf/flash_based/high_impact/template.md index 0289929b..a1d6d3ac 100644 --- a/submissions/description/cross_site_request_forgery_csrf/flash_based/high_impact/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/flash_based/high_impact/template.md 
@@ -2,11 +2,11 @@ Cross-Site Request Forgery (CSRF) occurs when requests to the application are su A high impact flash-based CSRF is possible for this application allowing an attacker to submit requests to the application on behalf of an authenticated privileged user. An attacker is able to perform the actions of a privileged user through their account. This could include modifying, adding, or removing data from the application. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -#### Business Impact +**Business Impact** High impact CSRF could lead to data modification or theft leading to indirect financial impact to the business. An attacker is also able to interact with other users, including performing other malicious attacks which would appear to originate from a legitimate privileged user. These malicious actions could result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code which uses a `.SWF` file: @@ -23,7 +23,7 @@ High impact CSRF could lead to data modification or theft leading to indirect fi 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/flash_based/low_impact/template.md b/submissions/description/cross_site_request_forgery_csrf/flash_based/low_impact/template.md index 7ddde988..1557ff24 100644 --- a/submissions/description/cross_site_request_forgery_csrf/flash_based/low_impact/template.md 
+++ b/submissions/description/cross_site_request_forgery_csrf/flash_based/low_impact/template.md @@ -2,11 +2,11 @@ Cross-Site Request Forgery (CSRF) occurs when requests to the application are su A low impact flash-based CSRF is possible for this application, allowing an attacker to submit requests to the application for non-sensitive actions on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -#### Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code which uses a `.SWF` file: @@ -23,7 +23,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/flash_based/template.md b/submissions/description/cross_site_request_forgery_csrf/flash_based/template.md index 4c1f3682..cea09c52 100644 --- a/submissions/description/cross_site_request_forgery_csrf/flash_based/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/flash_based/template.md 
@@ -2,11 +2,11 @@ Cross-Site Request Forgery (CSRF) occurs when requests to the application are su Flash-based CSRF is possible for this application, allowing an attacker to submit requests to the application on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -#### Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code which uses a `.SWF` file: @@ -23,7 +23,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/template.md b/submissions/description/cross_site_request_forgery_csrf/template.md index 5c61a7fa..1d5833c5 100644 --- a/submissions/description/cross_site_request_forgery_csrf/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/template.md 
@@ -4,11 +4,11 @@ CSRF is possible for this application, allowing an attacker to submit requests t When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. The attacker’s actions are limited by the privileges of the user, as well as the application’s capabilities and the data stored within it. -#### Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to sign into the application at: {{URL}} @@ -28,7 +28,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_scripting_xss/cookie_based/template.md b/submissions/description/cross_site_scripting_xss/cookie_based/template.md index cd86f31f..46bf76a7 100644 --- a/submissions/description/cross_site_scripting_xss/cookie_based/template.md +++ b/submissions/description/cross_site_scripting_xss/cookie_based/template.md 
@@ -2,11 +2,11 @@ Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScr From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to the following URL and login: {{URL}} @@ -19,7 +19,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Refresh the page and observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/flash_based/template.md b/submissions/description/cross_site_scripting_xss/flash_based/template.md index 6461fa1e..b31306da 100644 --- a/submissions/description/cross_site_scripting_xss/flash_based/template.md +++ b/submissions/description/cross_site_scripting_xss/flash_based/template.md 
@@ -2,11 +2,11 @@ Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScr From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** Flash-based XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to the following URL and login: {{URL}} @@ -19,7 +19,7 @@ Flash-based XSS could lead to data theft through the attacker’s ability to man 1. Refresh the page and observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/ie_only/template.md b/submissions/description/cross_site_scripting_xss/ie_only/template.md index 2e529fe2..4cc08d17 100644 --- a/submissions/description/cross_site_scripting_xss/ie_only/template.md +++ b/submissions/description/cross_site_scripting_xss/ie_only/template.md 
@@ -1,10 +1,10 @@ Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. This instance of XSS can be found on the domain which allows an attacker to control code that is executed within a user’s Internet Explorer browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. -#### Business Impact +**Business Impact** XSS could result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use an Internet Explorer browser to navigate to: {{URL}} @@ -17,7 +17,7 @@ XSS could result in reputational damage for the business through the impact to c 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md b/submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md index 25b3374b..c7d9906c 100644 --- a/submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md +++ b/submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md 
@@ -2,11 +2,11 @@ Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScr This carries the risk of an attacker being able to trigger an exploit on a seperate domain. By controlling code that is executed within a user’s browser, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. -#### Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +20,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/off_domain/template.md b/submissions/description/cross_site_scripting_xss/off_domain/template.md index d31bda83..d748ff65 100644 --- a/submissions/description/cross_site_scripting_xss/off_domain/template.md +++ b/submissions/description/cross_site_scripting_xss/off_domain/template.md 
@@ -2,11 +2,11 @@ Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScr This carries the risk of an attacker being able to trigger an exploit on a separate domain, where only cookies scoped for that domain are at risk. By controlling code that is executed within a user’s browser, an attacker could carry out any action that the user is able to perform. This could include accessing any of the user's data and modifying information within the user’s permissions, assuming that there is a misconfiguration of the scoping for cookies and Cross-Origin Resource Sharing (CORS). -#### Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -19,7 +19,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to: {{URL}} 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/referer/template.md b/submissions/description/cross_site_scripting_xss/referer/template.md index 796d275b..c68e5622 100644 --- a/submissions/description/cross_site_scripting_xss/referer/template.md +++ b/submissions/description/cross_site_scripting_xss/referer/template.md 
@@ -2,11 +2,11 @@ Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScr From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -19,7 +19,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/reflected/non_self/template.md b/submissions/description/cross_site_scripting_xss/reflected/non_self/template.md index dfa04e8d..18831a85 100644 --- a/submissions/description/cross_site_scripting_xss/reflected/non_self/template.md +++ b/submissions/description/cross_site_scripting_xss/reflected/non_self/template.md 
@@ -2,11 +2,11 @@ Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicio When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** Reflected XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -18,7 +18,7 @@ Reflected XSS could lead to data theft through the attacker’s ability to manip 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint: diff --git a/submissions/description/cross_site_scripting_xss/reflected/self/template.md b/submissions/description/cross_site_scripting_xss/reflected/self/template.md index 36f676ff..1ffd790f 100644 --- a/submissions/description/cross_site_scripting_xss/reflected/self/template.md +++ b/submissions/description/cross_site_scripting_xss/reflected/self/template.md 
@@ -2,11 +2,11 @@ Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicio When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** Self-reflected XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login as a user @@ -18,7 +18,7 @@ Self-reflected XSS could lead to data theft through the attacker’s ability to 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint: diff --git a/submissions/description/cross_site_scripting_xss/reflected/template.md b/submissions/description/cross_site_scripting_xss/reflected/template.md index dab45439..3a7cd298 100644 --- a/submissions/description/cross_site_scripting_xss/reflected/template.md +++ b/submissions/description/cross_site_scripting_xss/reflected/template.md 
@@ -2,11 +2,11 @@ Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicio When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** Reflected XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -18,7 +18,7 @@ Reflected XSS could lead to data theft through the attacker’s ability to manip 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint: diff --git a/submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md b/submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md index b557e9a2..eda4d4a4 100644 --- a/submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md 
@@ -4,11 +4,11 @@ When an attacker can control code that is executed within a user’s browser, th to create a crafted JavaScript payload. When a user navigates to the page, the arbitrary JavaScript executes within that user’s browser in the context of this domain. -#### Business Impact +**Business Impact** Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Navigate to {{URL}} @@ -22,7 +22,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Observe the JavaScript payload being executed, capturing the cookies of User A 1. Logout of User A’s account -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint, {{URL}}: diff --git a/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md b/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md index 85265b7d..0c5df807 100644 --- a/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md 
@@ -2,11 +2,11 @@ Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Log into the application at with an account (User A) @@ -22,7 +22,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Log out of User B and log into the account of User A 1. Observe the account for User A has access to account information of User B -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint, {{URL}}: diff --git a/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md b/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md index 7ddaeb7b..13b3f1ab 100644 --- a/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md 
+++ b/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md @@ -2,11 +2,11 @@ Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Log into the application at with the privileged user account (User B) @@ -22,7 +22,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Log out of the higher-privileged account (User A) and log into the privileged account (User B) 1. Observe the privileged account (User B) has gained escalated privileges -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint, {{URL}}: diff --git a/submissions/description/cross_site_scripting_xss/stored/self/template.md b/submissions/description/cross_site_scripting_xss/stored/self/template.md index 43021c63..512a3f7c 100644 --- a/submissions/description/cross_site_scripting_xss/stored/self/template.md 
+++ b/submissions/description/cross_site_scripting_xss/stored/self/template.md @@ -2,11 +2,11 @@ Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** Self-stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login as a user @@ -18,7 +18,7 @@ Self-stored XSS could lead to data theft through the attacker’s ability to man 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint: diff --git a/submissions/description/cross_site_scripting_xss/stored/template.md b/submissions/description/cross_site_scripting_xss/stored/template.md index 3b094dbe..e37b4400 100644 --- a/submissions/description/cross_site_scripting_xss/stored/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/template.md 
@@ -2,11 +2,11 @@ Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -19,7 +19,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/stored/url_based/template.md b/submissions/description/cross_site_scripting_xss/stored/url_based/template.md index 23c44a15..089d0b2f 100644 --- a/submissions/description/cross_site_scripting_xss/stored/url_based/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/url_based/template.md 
@@ -2,11 +2,11 @@ Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -19,7 +19,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/template.md b/submissions/description/cross_site_scripting_xss/template.md index 0cf15e24..73e64fd6 100644 --- a/submissions/description/cross_site_scripting_xss/template.md +++ b/submissions/description/cross_site_scripting_xss/template.md 
@@ -2,11 +2,11 @@ Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScr From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -19,7 +19,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/trace_method/template.md b/submissions/description/cross_site_scripting_xss/trace_method/template.md index 13b630cb..10855d27 100644 --- a/submissions/description/cross_site_scripting_xss/trace_method/template.md +++ b/submissions/description/cross_site_scripting_xss/trace_method/template.md 
@@ -2,11 +2,11 @@ Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScr From here, an attacker could hijack a user’s session and carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files. -#### Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -19,7 +19,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/universal_uxss/template.md b/submissions/description/cross_site_scripting_xss/universal_uxss/template.md index 026e244a..9c7caba1 100644 --- a/submissions/description/cross_site_scripting_xss/universal_uxss/template.md +++ b/submissions/description/cross_site_scripting_xss/universal_uxss/template.md 
@@ -2,11 +2,11 @@ Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScr From here, an attacker could carry out any actions that the user is able to perform in the context of the domain for this application, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -#### Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -19,7 +19,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cryptographic_weakness/broken_cryptography/template.md b/submissions/description/cryptographic_weakness/broken_cryptography/template.md index b09148b8..187bc853 100644 --- a/submissions/description/cryptographic_weakness/broken_cryptography/template.md +++ b/submissions/description/cryptographic_weakness/broken_cryptography/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application uses broken, weak, or otherwise flawed cryptography which can allow an attacker to decrypt sensitive information. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/broken_cryptography/use_of_broken_cryptographic_primitive/template.md b/submissions/description/cryptographic_weakness/broken_cryptography/use_of_broken_cryptographic_primitive/template.md index 70c38600..89bd37ff 100644 --- a/submissions/description/cryptographic_weakness/broken_cryptography/use_of_broken_cryptographic_primitive/template.md +++ b/submissions/description/cryptographic_weakness/broken_cryptography/use_of_broken_cryptographic_primitive/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application uses a broken cryptographic primitive which can allow an attacker to decrypt sensitive information. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/broken_cryptography/use_of_vulnerable_cryptographic_library/template.md b/submissions/description/cryptographic_weakness/broken_cryptography/use_of_vulnerable_cryptographic_library/template.md index 04266f07..f3a57c36 100644 --- a/submissions/description/cryptographic_weakness/broken_cryptography/use_of_vulnerable_cryptographic_library/template.md +++ b/submissions/description/cryptographic_weakness/broken_cryptography/use_of_vulnerable_cryptographic_library/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application uses a vulnerable cryptographic library which can allow an attacker to decrypt sensitive information. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/incomplete_cleanup_of_keying_material/template.md b/submissions/description/cryptographic_weakness/incomplete_cleanup_of_keying_material/template.md index e5677b7e..5351764b 100644 --- a/submissions/description/cryptographic_weakness/incomplete_cleanup_of_keying_material/template.md +++ b/submissions/description/cryptographic_weakness/incomplete_cleanup_of_keying_material/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cleanup of keying material is incomplete and it retains sensitive cryptographic data in memory longer than is necessary. This can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/insecure_implementation/improper_following_of_specification/template.md b/submissions/description/cryptographic_weakness/insecure_implementation/improper_following_of_specification/template.md index fe327699..b007efe8 100644 --- a/submissions/description/cryptographic_weakness/insecure_implementation/improper_following_of_specification/template.md +++ b/submissions/description/cryptographic_weakness/insecure_implementation/improper_following_of_specification/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the implementation of cryptography improperly follows specifications, which can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the improper following of specification: diff --git a/submissions/description/cryptographic_weakness/insecure_implementation/missing_cryptographic_step/template.md b/submissions/description/cryptographic_weakness/insecure_implementation/missing_cryptographic_step/template.md index 4df64509..2ae90ce0 100644 --- a/submissions/description/cryptographic_weakness/insecure_implementation/missing_cryptographic_step/template.md +++ b/submissions/description/cryptographic_weakness/insecure_implementation/missing_cryptographic_step/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. Missing computational steps during the implementation of cryptography was identified which degrades security. This can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the missing cryptographic step: diff --git a/submissions/description/cryptographic_weakness/insecure_implementation/template.md b/submissions/description/cryptographic_weakness/insecure_implementation/template.md index e52c31e3..31dc4da0 100644 --- a/submissions/description/cryptographic_weakness/insecure_implementation/template.md +++ b/submissions/description/cryptographic_weakness/insecure_implementation/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. Insecure implementation of cryptography was identified which can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insecure implementation: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_exponent_selection/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_exponent_selection/template.md index 4e489494..b72cbed7 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_exponent_selection/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_exponent_selection/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism that involves improper asymmetric exponent selection. This can allow an attacker to identify keys and break the confidentiality of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the improper asymmetric exponent selection: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_prime_selection/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_prime_selection/template.md index b1059e20..1b4e8b76 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_prime_selection/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_prime_selection/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism that involves improper asymmetric prime selection. This can allow an attacker to identify keys and break the confidentiality of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the improper asymmetric prime selection: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_space/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_space/template.md index b8264231..8a6765ce 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_space/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_space/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism that has insufficient key space. This can allow an attacker to use brute-force techniques to identify keys and break the confidentiality of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient key space: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_stretching/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_stretching/template.md index 3045085c..057edcdc 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_stretching/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_stretching/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism that has insufficient key stretching. This can allow an attacker to identify keys and break the confidentiality of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient key stretching: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/key_exchange_without_entity_authentication/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/key_exchange_without_entity_authentication/template.md index aff6d7be..058d1bd9 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/key_exchange_without_entity_authentication/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/key_exchange_without_entity_authentication/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism that involves key exchange without entity authentication. This can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the key exchange without entity authentication: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/template.md index 43aa3fbd..72b530fd 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism which can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insecure key generation: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md index acf7b11d..e0706934 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md 
@@ -1,17 +1,17 @@ Cryptographic algorithms use an initial block of data (called an initialization vector) alongside the plaintext data that is encrypted. When this IV is reused for multiple encryptions, an attacker can identify the IV from the original data within the encryption. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the initialization vector reuse: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md index 321975d0..5fd4a30a 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. When insufficient entropy is used to generate cryptographic keys, it is possible to predict or guess the keys. Insufficient entropy of a Random Number Generator (RNG) was identified which can create predictable random numbers. This can allow an attacker to guess the session ID or cryptographic key and gain access to restricted data or functionality. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient entropy of the RNG: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md index 518e959b..15386ed1 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md 
@@ -1,17 +1,17 @@ Cryptographic algorithms use an initial block of data (called an initialization vector) alongside the plaintext data that is encrypted. When this IV is predictable, an attacker can identify the IV from the original data within the encryption. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the predictability of the initialization vector: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md index 26e4b60c..7aed0015 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md 
@@ -1,17 +1,17 @@ A Pseudo-Random Number Generator (PRNG) uses an initial seed value to generate random number through a complex algorithm. When this seed value is predictable in full or in part, it is possible to determine the random numbers produce by the PRNG. The PRNG seed value is predictable, allowing an attacker to guess the random numbers generated by the PRNG. This can lead to unauthorized access if that seed value is used for authorization and authentication. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the PRNG seed reuse: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md index 7b45413b..2fcd5eaa 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md 
@@ -1,17 +1,17 @@ A Pseudo-Random Number Generator (PRNG) uses an initial seed value to generate random number through a complex algorithm. When this seed value is known, it is possible to determine the random numbers produce by the PRNG. An attacker with access to the seed value can predict or guess the random numbers which can lead to unauthorized access if that seed value is used for authorization and authentication. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the PRNG seed reuse: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md index 8889510a..93ac913c 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md 
@@ -1,17 +1,17 @@ A Pseudo-Random Number Generator (PRNG) uses an initial seed value to generate random number through a complex algorithm. When this seed value is small in size, it is possible to bruteforce all possible seeed values. An attacker who can guess the seed value can predict or guess the random numbers generated by the PRNG. This can lead to unauthorized access if that seed value is used for authorization and authentication. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the small seed space in the PRNG: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/template.md index c12f3c6e..3aa0f51b 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. When insufficient entropy is used to generate cryptographic keys, it is possible to predict or guess the keys. Insufficient entropy of cryptographic algorithm generation was identified which can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient entropy: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md index 3aecd073..cbd5f01c 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md 
@@ -1,17 +1,17 @@ Most True Random Number Generators (TRNG) have a finite limit to their random number generation rate. Therefore, a TRNG should only be used when entropy is required for security purposes. When an application draws from a TRNG for a non-security purpose, it depletes the entropy of the source, increasing the likelihood that an attacker would be able to predict of guess number generated. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the True Random Number Generator being used for a non-security purpose: diff --git a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/cryptographic_signature/template.md b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/cryptographic_signature/template.md index 8db0fbab..7aee61a0 100644 --- a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/cryptographic_signature/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/cryptographic_signature/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application fails to verify the cryptographic signature. Ths can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient validation of the cryptographic signature: diff --git a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/identity_check_value/template.md b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/identity_check_value/template.md index ea30d16c..3a8579a6 100644 --- a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/identity_check_value/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/identity_check_value/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the authenticity of the Integrity Check Value (ICV) is not verified which can lead to data corruption. Ths can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient verification of the ICV: diff --git a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/template.md b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/template.md index f7c1a13e..49095962 100644 --- a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the authenticity of the data used in the cryptographic processes is not verified which can lead to data corruption. Ths can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient verification of data authenticity: diff --git a/submissions/description/cryptographic_weakness/key_reuse/inter_environment/template.md b/submissions/description/cryptographic_weakness/key_reuse/inter_environment/template.md index b6d6d6e9..65e53b18 100644 --- a/submissions/description/cryptographic_weakness/key_reuse/inter_environment/template.md +++ b/submissions/description/cryptographic_weakness/key_reuse/inter_environment/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cryptographic mechanism reuses keys across different environment (inter-environment). This can allow an attacker to leverage the key to gain access to information or privileges within the application that are protected by the same key. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the inter-environment key reuse: diff --git a/submissions/description/cryptographic_weakness/key_reuse/intra_environment/template.md b/submissions/description/cryptographic_weakness/key_reuse/intra_environment/template.md index 6a0157cc..c813b677 100644 --- a/submissions/description/cryptographic_weakness/key_reuse/intra_environment/template.md +++ b/submissions/description/cryptographic_weakness/key_reuse/intra_environment/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cryptographic mechanism reuses keys within the same environment (intra-environment). This can allow an attacker to leverage the key to gain access to information or privileges within the application that are protected by the same key. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the intra-environment key reuse: diff --git a/submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md b/submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md index b10b5d37..7c10bf31 100644 --- a/submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md +++ b/submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md 
@@ -1,17 +1,17 @@ It was identified that the application's cryptographic mechanism lacks the use of Perfect Forward Secrecy (PFS). PFS involves the negotiation of an ephemeral key pair for each newly create session between two parties. Without PFS, an attacker would be able to compromise all past and future sessions based on a set of keys that they can decrypt. They can then leverage the keys to gain access to information or privileges within the application that are protected by the same key. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the lack of PFS: diff --git a/submissions/description/cryptographic_weakness/key_reuse/template.md b/submissions/description/cryptographic_weakness/key_reuse/template.md index 82598295..ba28732d 100644 --- a/submissions/description/cryptographic_weakness/key_reuse/template.md +++ b/submissions/description/cryptographic_weakness/key_reuse/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cryptographic mechanism reuses keys. This can allow an attacker to leverage the key to gain access to information or privileges within the application that are protected by the same key. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the key reuse: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/differential_fault_analysis/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/differential_fault_analysis/template.md index 30a97542..a4724afe 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/differential_fault_analysis/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/differential_fault_analysis/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application is vulnerable to a differential fault analysis attack as there are changes to the system's response to specially crafted fault conditions during specific steps of cryptographic operations. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/emanations_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/emanations_attack/template.md index 5d0692b5..6203f39c 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/emanations_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/emanations_attack/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application is vulnerable to a emanations attack as there are changes to the electromagnetic emanations across the physical system when it is performing different steps of cryptographic operations. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the power emanations attack: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/padding_oracle_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/padding_oracle_attack/template.md index 4b84c659..f01e235c 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/padding_oracle_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/padding_oracle_attack/template.md 
@@ -1,17 +1,17 @@ A cryptographic weakness was identified which can allow an attacker to use a padding oracle attack to derive the encryption key. This is due to the application revealing information during the decryption process about the validity of the padding data. This can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the padding oracle attack: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/power_analysis_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/power_analysis_attack/template.md index 447e5fe0..e6841047 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/power_analysis_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/power_analysis_attack/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application is vulnerable to a power analysis attack as there is uneven power consumption across the system when performing different steps of cryptographic operations. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the power analysis attack: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/template.md index e2dc76c6..8b7afdfc 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. A cryptographic weakness was identified which can allow an attacker to use a side-channel attack to break the confidentiality and integrity of requests sent to and from the endpoint by deriving the encryption key through various methods. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the side-channel attack: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/timing_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/timing_attack/template.md index 9e3e61f4..66e825d4 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/timing_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/timing_attack/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application is vulnerable to a timing attack as the time it takes to complete a cryptographic operation directly relates to user-supplied data. This allows an attacker to use a timing attack to derive the encryption key. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the timing attack: diff --git a/submissions/description/cryptographic_weakness/template.md b/submissions/description/cryptographic_weakness/template.md index 62737660..77607aa9 100644 --- a/submissions/description/cryptographic_weakness/template.md +++ b/submissions/description/cryptographic_weakness/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application uses broken, weak, or otherwise flawed cryptography which can allow an attacker to decrypt sensitive information, or otherwise compromise the confidentiality, integrity, or authenticity of data. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. Perform {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md b/submissions/description/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md index 7556ad25..186ee5ea 100644 --- a/submissions/description/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md +++ b/submissions/description/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application uses an expired cryptographic key or certificate which can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/weak_hash/lack_of_salt/template.md b/submissions/description/cryptographic_weakness/weak_hash/lack_of_salt/template.md index 688a5630..5e98627c 100644 --- a/submissions/description/cryptographic_weakness/weak_hash/lack_of_salt/template.md +++ b/submissions/description/cryptographic_weakness/weak_hash/lack_of_salt/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the hash does not have a salt which can allow an attacker to use rainbow table attacks. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the lack of salt: diff --git a/submissions/description/cryptographic_weakness/weak_hash/predictable_hash_collision/template.md b/submissions/description/cryptographic_weakness/weak_hash/predictable_hash_collision/template.md index ef348699..99f21c9e 100644 --- a/submissions/description/cryptographic_weakness/weak_hash/predictable_hash_collision/template.md +++ b/submissions/description/cryptographic_weakness/weak_hash/predictable_hash_collision/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. A predictable hash collision was identified where the same hash value is generated by a hashing algorithm for different plaintext inputs. This can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the predictable hash collision: diff --git a/submissions/description/cryptographic_weakness/weak_hash/template.md b/submissions/description/cryptographic_weakness/weak_hash/template.md index 8686c3ab..cc1425aa 100644 --- a/submissions/description/cryptographic_weakness/weak_hash/template.md +++ b/submissions/description/cryptographic_weakness/weak_hash/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. A weak hash was identified which can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the weak hash: diff --git a/submissions/description/cryptographic_weakness/weak_hash/use_of_predictable_salt/template.md b/submissions/description/cryptographic_weakness/weak_hash/use_of_predictable_salt/template.md index 83cd5b11..50bb3d08 100644 --- a/submissions/description/cryptographic_weakness/weak_hash/use_of_predictable_salt/template.md +++ b/submissions/description/cryptographic_weakness/weak_hash/use_of_predictable_salt/template.md 
@@ -1,17 +1,17 @@ Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. A predictable salt in the hashing mechanism was identified which can allow an attacker to use rainbow table attacks. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the predictable salt: diff --git a/submissions/description/data_biases/pre_existing_bias/template.md b/submissions/description/data_biases/pre_existing_bias/template.md index 2939c1d7..12e85152 100644 --- a/submissions/description/data_biases/pre_existing_bias/template.md +++ b/submissions/description/data_biases/pre_existing_bias/template.md 
@@ -1,16 +1,16 @@ Pre-existing bias occurs when historical or societal prejudices are present in the training data. This can look like a lack of certain data points, over representation or under representation of groups, a bias in the selection of data points that make up the AI model, or data labels that are discriminatory or subjective. Outputs from AI models that have a pre-existing bias can result in inferior performance and outcomes that disadvantage certain groups. -#### Business Impact +**Business Impact** Pre-existing bias in this AI model can result in reputational damage and indirect monetary loss due to the loss of customer trust in the output of the model. -#### Steps to Reproduce +**Steps to Reproduce** 1. Input the following text into the model. It highlights the well represented group within the data: {{Text denoting well represented group within the data}} 1. Input the following text into the model. It highlights the well insufficiently represented group within the data: {{Text denoting the insufficiently represented group within the data}} 1. Note that the output of the AI model classifies these two groups disparately, showing a pre-existing bias. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/data_biases/representation_bias/template.md b/submissions/description/data_biases/representation_bias/template.md index 61129cba..b04c452f 100644 --- a/submissions/description/data_biases/representation_bias/template.md +++ b/submissions/description/data_biases/representation_bias/template.md 
@@ -1,16 +1,16 @@ Representation bias occurs when the training data of an AI model has an omission, or insufficient representation, of certain groups which the AI model intends to serve. Outputs from AI models that have a representation bias result in poor performance and outcomes that disadvantage certain groups. -#### Business Impact +**Business Impact** Representation bias in this AI model can result in reputational damage and indirect financial loss due to the loss of customer trust in the output of the model. -#### Steps to Reproduce +**Steps to Reproduce** 1. Input the following text into the model. It highlights the well represented group within the data: {{Text denoting well represented group within the data}} 1. Input the following text into the model. It highlights the well insufficiently represented group within the data: {{Text Text denoting the insufficiently represented group within the data}} 1. Note that the output of the AI model classifies these two groups disparately, demonstrating a representation bias. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/data_biases/template.md b/submissions/description/data_biases/template.md index 9cd080d3..d028a22b 100644 --- a/submissions/description/data_biases/template.md +++ b/submissions/description/data_biases/template.md 
@@ -1,16 +1,16 @@ Data biases occurs when the data used train the AI model is flawed, unrepresentative or systematically skewed. Biases can stem from different sources, such as sampling errors, historical prejudices, or a lack of diversity in the dataset. Outputs from AI models that have a data bias can result in inaccurate, unfair, or otherwise discriminatory predictions or decisions. -#### Business Impact +**Business Impact** Data biases in this AI model can result in reputational damage and indirect monetary loss due to the loss of customer trust in the output of the model. -#### Steps to Reproduce +**Steps to Reproduce** 1. Input the following text into the model. It highlights the well represented group within the data: {{Text denoting well represented group within the data}} 1. Input the following text into the model. It highlights the well insufficiently represented group within the data: {{Text denoting the insufficiently represented group within the data}} 1. Note that the output of the AI model classifies these two groups disparately, showing a bias in the data. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/developer_biases/implicit_bias/template.md b/submissions/description/developer_biases/implicit_bias/template.md index 9d033ff6..6f49d4b9 100644 --- a/submissions/description/developer_biases/implicit_bias/template.md +++ b/submissions/description/developer_biases/implicit_bias/template.md 
@@ -1,15 +1,15 @@ Implicit bias occurs when there are biases present within the training data of an AI model that affects its decision-making. These implicit biases are usually introduced into the AI model via the developers who affect the design, implementation, and deployment of the AI system. -#### Business Impact +**Business Impact** Implicit bias in this AI model can result in unintended discrimination and unfairness which can lead to reputational damage and a loss of customer trust in the output of the model. -#### Steps to Reproduce +**Steps to Reproduce** 1. Provide the AI model with data containing subtle, implicit biases. 1. Observe the model's decisions and identify instances where it unintentionally favors certain groups or viewpoints. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/developer_biases/template.md b/submissions/description/developer_biases/template.md index df39a757..996fd615 100644 --- a/submissions/description/developer_biases/template.md +++ b/submissions/description/developer_biases/template.md 
@@ -1,15 +1,15 @@ Developer biases occurs when AI model developers' perspectives, assumptions, and decisions influence the behaviour and design of an the model. Biases stem from developer's background and experiences, and subconscious prejudices. Outputs from AI models that have a developer bias can result in skewed or otherwise unfair outcomes. -#### Business Impact +**Business Impact** Implicit bias in this AI model can result in unintended discrimination and unfairness which can lead to reputational damage and a loss of customer trust in the output of the model. -#### Steps to Reproduce +**Steps to Reproduce** 1. Provide the AI model with data containing subtle, implicit biases. 1. Observe the model's decisions and identify instances where it unintentionally favors certain groups or viewpoints. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/external_behavior/browser_feature/aggressive_offline_caching/template.md b/submissions/description/external_behavior/browser_feature/aggressive_offline_caching/template.md index 13d49bbf..0e2dfd98 100644 --- a/submissions/description/external_behavior/browser_feature/aggressive_offline_caching/template.md +++ b/submissions/description/external_behavior/browser_feature/aggressive_offline_caching/template.md 
@@ -1,15 +1,15 @@ Browsers implement features such as service workers to offer offline features for an application. For example, a browser can offer offline features such as caching, notifications, as well as offloading computation for applications, such as Progressive Web Applications (PWA). Occasionally, these offline workers can cause issues like high CPU usage or overly aggressive offline caching, as seen in this instance. Depending on the implementation of the service worker, aggressive offline caching can act as a vector for Denial of Service (DoS) to regular application users by consuming compute to overly write to the offline cache. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ access to the application and its functions. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Use {{software}} to profile when service worker is active and compare to when the server worker is not active -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the aggressive offline caching: diff --git a/submissions/description/external_behavior/browser_feature/autocomplete_enabled/template.md b/submissions/description/external_behavior/browser_feature/autocomplete_enabled/template.md index 463c87ed..d578a502 100644 --- a/submissions/description/external_behavior/browser_feature/autocomplete_enabled/template.md +++ b/submissions/description/external_behavior/browser_feature/autocomplete_enabled/template.md 
@@ -1,17 +1,17 @@ Browsers implement features such as autocomplete to offer form filling features for end users. Autocomplete is an HTML attribute that saves previously entered text within the input Document Object Model (DOM) fields. An attacker can leverage the cached input for this application locally to login as a user or expose critical pieces of data. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Enter text within the input field and submit the form 1. Use `Inspect` from the developer tools to verify the input parameter has `autocomplete=on` 1. {{action}} to see the text saved into the input field -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the autocomplete enabled: diff --git a/submissions/description/external_behavior/browser_feature/autocorrect_enabled/template.md b/submissions/description/external_behavior/browser_feature/autocorrect_enabled/template.md index 1673ce9a..241a79a8 100644 --- a/submissions/description/external_behavior/browser_feature/autocorrect_enabled/template.md +++ b/submissions/description/external_behavior/browser_feature/autocorrect_enabled/template.md 
@@ -1,10 +1,10 @@ Browsers implement features such as autocorrect to offer predictive spelling and grammar features for end users. The applications implementation of autocorrect for sensitive fields can enable an attacker with local access to login as a user, or leverage critical pieces of information to impersonate the user or make requests on their behalf. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Fill and {{action}} to submit form @@ -12,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the autocorrect enabled on a sensitive field: diff --git a/submissions/description/external_behavior/browser_feature/plaintext_password_field/template.md b/submissions/description/external_behavior/browser_feature/plaintext_password_field/template.md index 260aa99d..374375c9 100644 --- a/submissions/description/external_behavior/browser_feature/plaintext_password_field/template.md +++ b/submissions/description/external_behavior/browser_feature/plaintext_password_field/template.md @@ -1,10 +1,10 @@ The password field for the login form of the application reveals the password in plaintext. An attacker with local access can shoulder surf or otherwise tailgate a user and watch them login to the application. From here, an attacker could login as a user to impersonate them or make requests on their behalf. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Enter text within the password field 
@@ -12,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the password field rendering in plaintext: diff --git a/submissions/description/external_behavior/browser_feature/save_password/template.md b/submissions/description/external_behavior/browser_feature/save_password/template.md index 6890e78e..affd8216 100644 --- a/submissions/description/external_behavior/browser_feature/save_password/template.md +++ b/submissions/description/external_behavior/browser_feature/save_password/template.md @@ -1,17 +1,17 @@ Browsers implement features such as saving input field text to reduce the time it takes for a user to fill in forms. For this application, the password is saved in the input field. An attacker with local access to the application and computer can impersonate a user and make requests on their behalf. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Enter username and password within the login form and submit 1. Logout of application and navigate back to the login page 1. Observe that the username and password is saved -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the password saved in the input field: diff --git a/submissions/description/external_behavior/browser_feature/template.md b/submissions/description/external_behavior/browser_feature/template.md index be5cfd69..9aa6ec84 100644 --- a/submissions/description/external_behavior/browser_feature/template.md +++ b/submissions/description/external_behavior/browser_feature/template.md 
@@ -1,15 +1,15 @@ Browsers implement features to offer users both online and offline features to enhance the user experience of the browser and applications. For example, a browser can offer offline features such as caching, notifications, as well as offloading computation for applications, such as Progressive Web Applications (PWA). Occasionally, these browser features can cause security issues depending on their implementation. A local attacker can take advantage of the browser feature to impersonate a user and make requests on their behalf. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Use {{software}} to profile the browser feature that is showing sensitive user information -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the misconfigured browser feature: diff --git a/submissions/description/external_behavior/captcha_bypass/crowdsourcing/template.md b/submissions/description/external_behavior/captcha_bypass/crowdsourcing/template.md index 54c102ad..2c280f91 100644 --- a/submissions/description/external_behavior/captcha_bypass/crowdsourcing/template.md +++ b/submissions/description/external_behavior/captcha_bypass/crowdsourcing/template.md 
@@ -1,15 +1,15 @@ A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. Powerful Optical Artificial Intelligence (OAI) enabled tools require a large amount of data to create models to break implementations of CAPTCHA. An attacker can leverage OAI tools to bypass captcha and make requests to critical functionality without rate limit. Forms that are often firewalled by a CAPTCHA can even be a vector for Denial of Service executing read and write from the database multiple times. -#### Business Impact +**Business Impact** CAPTCHA bypass can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business through the extra workloads placed on internal teams to deal with spam from an attacker. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the CAPTCHA bypass: diff --git a/submissions/description/external_behavior/captcha_bypass/template.md b/submissions/description/external_behavior/captcha_bypass/template.md index 8ebd8c08..a44380eb 100644 --- a/submissions/description/external_behavior/captcha_bypass/template.md +++ b/submissions/description/external_behavior/captcha_bypass/template.md 
@@ -2,16 +2,16 @@ A Computer Automated Public Turing Test test to tell Computers and Humans Apart An attacker can bypass the CAPTCHA form and spam the website with queries for registration, login, as well as spam support teams with faulty requests. -#### Business Impact +**Business Impact** CAPTCHA bypass can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business through the extra workloads placed on internal teams to deal with spam from an attacker. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the CAPTCHA bypass: diff --git a/submissions/description/external_behavior/csv_injection/template.md b/submissions/description/external_behavior/csv_injection/template.md index 549a8ecf..65c6e8d9 100644 --- a/submissions/description/external_behavior/csv_injection/template.md +++ b/submissions/description/external_behavior/csv_injection/template.md 
@@ -1,10 +1,10 @@ Applications will often embed unsafe input in exported spreadsheets targeting desktop applications such as Excel or LibreOffice, or their cloud application equivalents. A malicious attacker can leverage this unsafe input to exfiltrate data from users, or deliver malicious binary to users downloading their input controlled file. Unsafe CSV formulas in CSV files within the application allow malicious attackers to deliver payloads or exfiltrate data using specifically crafted input. -#### Business Impact +**Business Impact** CSV injection can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business if an attacker is able to exfiltrate data. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint: {{value}} 1. {{action}} to export a CSV file @@ -18,7 +18,7 @@ CSV injection can lead to reputational damage for the business due to a loss in 1. Upload to publicly accessible endpoint -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the CSV injection: diff --git a/submissions/description/external_behavior/system_clipboard_leak/shared_links/template.md b/submissions/description/external_behavior/system_clipboard_leak/shared_links/template.md index ed57c81b..de550267 100644 --- a/submissions/description/external_behavior/system_clipboard_leak/shared_links/template.md +++ b/submissions/description/external_behavior/system_clipboard_leak/shared_links/template.md 
@@ -1,10 +1,10 @@ The system clipboard leaks sensitive information when performing a copy and paste function within the application. An attacker could abuse this clipboard leak to steal sensitive information that a user copied to their clipboard in the application. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage for the business due to a loss in confidence and trust by users. -#### Steps to Reproduce +**Steps to Reproduce** 1. Create and install the following malicious application capable of accessing the clipboard: {{malicious application}} 1. Log in to {{application}} @@ -12,7 +12,7 @@ This vulnerability can lead to reputational damage for the business due to a los 1. Copy some sensitive information to the clipboard 1. Within the malicious application, observe the sensitive information through the clipboard -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the leak from the system clipboard: diff --git a/submissions/description/external_behavior/system_clipboard_leak/template.md b/submissions/description/external_behavior/system_clipboard_leak/template.md index ed57c81b..de550267 100644 --- a/submissions/description/external_behavior/system_clipboard_leak/template.md +++ b/submissions/description/external_behavior/system_clipboard_leak/template.md @@ -1,10 +1,10 @@ The system clipboard leaks sensitive information when performing a copy and paste function within the application. An attacker could abuse this clipboard leak to steal sensitive information that a user copied to their clipboard in the application. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage for the business due to a loss in confidence and trust by users. -#### Steps to Reproduce +**Steps to Reproduce** 1. Create and install the following malicious application capable of accessing the clipboard: {{malicious application}} 1. Log in to {{application}} 
@@ -12,7 +12,7 @@ This vulnerability can lead to reputational damage for the business due to a los 1. Copy some sensitive information to the clipboard 1. Within the malicious application, observe the sensitive information through the clipboard -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the leak from the system clipboard: diff --git a/submissions/description/external_behavior/template.md b/submissions/description/external_behavior/template.md index ee9600d7..63ff7e4c 100644 --- a/submissions/description/external_behavior/template.md +++ b/submissions/description/external_behavior/template.md @@ -1,15 +1,15 @@ Behavior external from the application is leaking user sensitive information due to misconfiguration errors of system or browser features. A local attacker can take advantage of these external behavior errors to gather sensitive user information and impersonate a user or make requests on their behalf. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Use {{software}} to profile the external behavior that is showing sensitive user information -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the misconfigured external behavior: diff --git a/submissions/description/external_behavior/user_password_persisted_in_memory/template.md b/submissions/description/external_behavior/user_password_persisted_in_memory/template.md index 356a8007..2696aefa 100644 --- a/submissions/description/external_behavior/user_password_persisted_in_memory/template.md +++ b/submissions/description/external_behavior/user_password_persisted_in_memory/template.md 
@@ -1,10 +1,10 @@ The user’s password is kept in memory after the application has ceased utilizing it. An attacker can abuse this to read the user password in memory and login as the user, impersonate them, or make requests on their behalf. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage for the business due to a loss in confidence and trust by users. -#### Steps to Reproduce +**Steps to Reproduce** 1. Utilize some software that allows computer memory to be accessed in a human-readable format 1. Log in to the application @@ -12,7 +12,7 @@ This vulnerability can lead to reputational damage for the business due to a los 1. Cease using the application 1. Using the computer memory viewer, view the password of the user that remained in memory after use -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** You can observe the plaintext password that remained in memory after utilization below: diff --git a/submissions/description/indicators_of_compromise/template.md b/submissions/description/indicators_of_compromise/template.md index 837c858b..f2e551f7 100644 --- a/submissions/description/indicators_of_compromise/template.md +++ b/submissions/description/indicators_of_compromise/template.md 
@@ -1,10 +1,10 @@ Indicators of compromise (IoC) comprise of vulnerabilities in the detection, analysis, or response mechanisms used to identify potential security breaches, or compromises within, an organization's network or systems. This vulnerability may stem from inadequate IoC management, ineffective threat intelligence integration, or improper incident response procedures. -#### Business Impact +**Business Impact** The impact of Indicators of Compromise (IoC) Vulnerability can be severe. It can lead to undetected security breaches, prolonged exposure to threats, or ineffective incident response, compromising the confidentiality, integrity, or availability of assets and data. Additionally, it may result in legal liabilities, regulatory penalties, and reputational damage to the organization. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the IoC detection and response mechanisms deployed within the organization, including security tools, monitoring systems, and incident response procedures: {{Vulnerable component}} @@ -14,7 +14,7 @@ The impact of Indicators of Compromise (IoC) Vulnerability can be severe. It can {{Identify what is lacking here}} 4. Observe the impact of successful exploitation of the IoC vulnerabilities on the organization's security posture and incident response capabilities. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_data_storage/non_sensitive_application_data_stored_unencrypted/template.md b/submissions/description/insecure_data_storage/non_sensitive_application_data_stored_unencrypted/template.md index 93a66f58..612cf635 100644 --- a/submissions/description/insecure_data_storage/non_sensitive_application_data_stored_unencrypted/template.md +++ b/submissions/description/insecure_data_storage/non_sensitive_application_data_stored_unencrypted/template.md 
@@ -1,17 +1,17 @@ Insecure data storage can occur in both the client and server sides of an application. Non-sensitive data from the application is stored unencrypted and is susceptible to being identified and used maliciously. An attacker with access to the unencrypted non-sensitive data can leverage the data to gather further information on users and the application, and use it to perform further attacks. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the application and input data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Navigate to the following URL: {{URL}} 1. Observe the application data that is stored unencrypted -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/screen_caching_enabled/template.md b/submissions/description/insecure_data_storage/screen_caching_enabled/template.md index 1a9633b8..6fcd31be 100644 --- a/submissions/description/insecure_data_storage/screen_caching_enabled/template.md +++ b/submissions/description/insecure_data_storage/screen_caching_enabled/template.md 
@@ -1,16 +1,16 @@ Screen caching occurs when an application is sent to the background and a screenshot is taken in order to make it appear that the application is shrinking while moving between applications on the mobile screen. Personal information can be unknowingly captured in this screen cache and stored unencrypted on the phone. An attacker could abuse this screen caching being enabled to steal sensitive information that is captured and stored unencrypted when a user exits the application. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Log in to the mobile application and access a screen where sensitive information is displayed 1. Click the home button, and navigate to where the mobile operating system stores cached application screenshots 1. Observe the screenshot taken that captures sensitive information when the home button was clicked -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the screen caching displaying sensitive information: diff --git a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_external_storage/template.md b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_external_storage/template.md index 62f1e58b..c2e465d5 100644 --- a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_external_storage/template.md +++ b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_external_storage/template.md 
@@ -1,16 +1,16 @@ When sensitive application data is stored insecurely on external storage it is susceptible to being identified and used maliciously. An attacker could abuse this unencrypted data storage to steal sensitive information that a user inputted. With this sensitive information, a malicious attacker could perform further attacks on the application or impersonate the user. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the application and input personal, sensitive data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Observe the sensitive application data that is stored unencrypted -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_internal_storage/template.md b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_internal_storage/template.md index 38859346..089a10f6 100644 --- a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_internal_storage/template.md +++ b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_internal_storage/template.md 
@@ -1,16 +1,16 @@ When sensitive application data is stored insecurely on internal storage it is susceptible to being identified and used maliciously. An attacker could abuse this unencrypted data storage to steal sensitive information that a user inputted. With this sensitive information, a malicious attacker could perform further attacks on the application or impersonate the user. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the application and input personal, sensitive data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Observe the sensitive application data that is stored unencrypted -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/template.md b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/template.md index 368f240c..0505b069 100644 --- a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/template.md +++ b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/template.md 
@@ -1,16 +1,16 @@ Insecure data storage can occur in both the client and server sides of an application. When sensitive application data is stored insecurely it is susceptible to being identified and used maliciously. An attacker could abuse this unencrypted data storage to steal sensitive information that a user inputted. With this sensitive information, a malicious attacker could perform further attacks on the application or impersonate the user. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the application and input personal, sensitive data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Observe the sensitive application data that is stored unencrypted -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/server_side_credentials_storage/plaintext/template.md b/submissions/description/insecure_data_storage/server_side_credentials_storage/plaintext/template.md index 0dbad5f3..3c40bc98 100644 --- a/submissions/description/insecure_data_storage/server_side_credentials_storage/plaintext/template.md +++ b/submissions/description/insecure_data_storage/server_side_credentials_storage/plaintext/template.md 
@@ -1,17 +1,17 @@ When sensitive application data is stored insecurely in server-side storage it is susceptible to being identified and used maliciously. An attacker can abuse server-side credential storage by using another vulnerability to gain access to the server of the application and exfiltrating all the plaintext credentials. With these plaintext credentials, an attacker can take over user accounts or impersonate users within the application. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. If an attacker is successful in exfiltrating user credentials from the server it can lead to fraud and data loss for the company. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Register an account in the application and create credentials for the account 1. Use a browser to navigate to: {{URL}} 1. Using the HTTP interception proxy, observe that the application is storing user credentials on their server in plaintext -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/server_side_credentials_storage/template.md b/submissions/description/insecure_data_storage/server_side_credentials_storage/template.md index f1205140..a4a18d0d 100644 --- a/submissions/description/insecure_data_storage/server_side_credentials_storage/template.md +++ b/submissions/description/insecure_data_storage/server_side_credentials_storage/template.md 
@@ -1,17 +1,17 @@ When sensitive application data is stored insecurely in server-side storage it is susceptible to being identified and used maliciously. An attacker can abuse server-side credential storage by using another vulnerability to gain access to the server of the application and exfiltrating all the credentials. With these plaintext credentials, an attacker can take over user accounts or impersonate users within the application. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. If an attacker is successful in exfiltrating user credentials from the server it can lead to fraud and data loss for the company. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Register an account in the application and create credentials for the account 1. Use a browser to navigate to: {{URL}} 1. Using the HTTP interception proxy, observe that the application is storing user credentials on their server -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/template.md b/submissions/description/insecure_data_storage/template.md index 3de47b80..9458dd56 100644 --- a/submissions/description/insecure_data_storage/template.md +++ b/submissions/description/insecure_data_storage/template.md 
@@ -1,17 +1,17 @@ Insecure data storage can occur in both the client and server sides of an application. When data from the application is stored insecurely it is susceptible to being identified and used maliciously. An attacker with access to the insecurely stored data of this application can leverage the data to gather further information on users and the application, and use it to perform further attacks. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the application and input data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Navigate to the following URL: {{URL}} 1. Observe the application data that is stored unencrypted -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_transport/cleartext_transmission_of_sensitive_data/template.md b/submissions/description/insecure_data_transport/cleartext_transmission_of_sensitive_data/template.md index 47cdabaa..b8c1306e 100644 --- a/submissions/description/insecure_data_transport/cleartext_transmission_of_sensitive_data/template.md +++ b/submissions/description/insecure_data_transport/cleartext_transmission_of_sensitive_data/template.md 
@@ -1,10 +1,10 @@ When sensitive data is transmitted in cleartext over an unencrypted channel, it can be intercepted via a Person-in-the-Middle (PitM) attack. An attacker can send requests to the server pretending to be the legitimate user by using a PitM attack to access the sensitive data. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft via an attacker’s ability to manipulate data through their ability to make requests to the server using a legitimate session token. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -13,7 +13,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the cookie and hijack the authenticated session 1. Modify user's personal identifiable information (PII) -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show sensitive data being transmitted via cleartext: diff --git a/submissions/description/insecure_data_transport/executable_download/no_secure_integrity_check/template.md b/submissions/description/insecure_data_transport/executable_download/no_secure_integrity_check/template.md index 74ddf0c0..492e7dba 100644 --- a/submissions/description/insecure_data_transport/executable_download/no_secure_integrity_check/template.md +++ b/submissions/description/insecure_data_transport/executable_download/no_secure_integrity_check/template.md 
@@ -1,17 +1,17 @@ Risk levels for an application are raised when executable files are able to be downloaded as it increases the chances of malicious files being downloaded and executing in the system, or on an end user’s device. An executable file can be downloaded within this application without encryption or a secure integrity check, enabling an attacker to observe the contents of the downloaded file through a network sniffing or Person-in-the-Middle (PitM) attack. An attacker could also download a malicious executable instead of the intended file. If the downloaded file contains sensitive information, the attacker could use this to perform further attacks on the application or impersonate a user. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft depending on the content on the downloadable executable files in the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Route all application traffic through a HTTP interception proxy 1. Use a browser to navigate to: {{URL}} 1. Observe within the HTTP interception proxy that an executable file is downloaded unencrypted and does not go through an integrity check -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows that an executable file is downloaded unencrypted: diff --git a/submissions/description/insecure_data_transport/executable_download/secure_integrity_check/template.md b/submissions/description/insecure_data_transport/executable_download/secure_integrity_check/template.md index de464619..5ccdb596 100644 --- a/submissions/description/insecure_data_transport/executable_download/secure_integrity_check/template.md +++ b/submissions/description/insecure_data_transport/executable_download/secure_integrity_check/template.md 
@@ -1,17 +1,17 @@ Risk levels for an application are raised when executable files are able to be downloaded as it increases the chances of malicious files downloaded and executing in the system, or on an end user’s device. An executable file can be downloaded within this application without encryption, enabling an attacker to observe the contents of the downloaded file through a network sniffing or Person-in-the-Middle (PitM) attack. If the downloaded file contains sensitive information, the attacker could use this to perform further attacks on the application or impersonate a user. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft depending on the content on the downloadable executable files in the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Route all application traffic through a HTTP interception proxy 1. Use a browser to navigate to: {{URL}} 1. Observe within the HTTP interception proxy that an executable file is downloaded unencrypted -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows that an executable file is downloaded unencrypted: diff --git a/submissions/description/insecure_data_transport/executable_download/template.md b/submissions/description/insecure_data_transport/executable_download/template.md index 3b6adcce..e1adb9b3 100644 --- a/submissions/description/insecure_data_transport/executable_download/template.md +++ b/submissions/description/insecure_data_transport/executable_download/template.md 
@@ -1,17 +1,17 @@ Risk levels for an application are raised when executable files are able to be downloaded as it increases the chances of malicious files being downloaded and executing in the system, or on an end user’s device. An executable file can be downloaded within this application, enabling an attacker to observe the contents of the downloaded file through a network sniffing or Person-in-the-Middle (PitM) attack. An attacker could also download a malicious executable instead of the intended file. If the downloaded file contains sensitive information, the attacker could use this to perform further attacks on the application or impersonate a user. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft depending on the content on the downloadable executable files in the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Route all application traffic through a HTTP interception proxy 1. Use a browser to navigate to: {{URL}} 1. Observe within the HTTP interception proxy that an executable file is downloaded -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows that an executable file can be downloaded: diff --git a/submissions/description/insecure_data_transport/template.md b/submissions/description/insecure_data_transport/template.md index 26020336..36d83900 100644 --- a/submissions/description/insecure_data_transport/template.md +++ b/submissions/description/insecure_data_transport/template.md 
@@ -1,10 +1,10 @@ When data is transmitted over unencrypted channels, it can be intercepted via a Person-in-the-Middle (PitM) attack. An attacker can then gather user data and potentially send requests to the server pretending to be the legitimate user, or otherwise collect sensitive user data. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft via an attacker’s ability to manipulate data through their ability to make requests to the server using a legitimate session token. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -13,7 +13,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the cookie and hijack the authenticated session 1. Modify user's personal identifiable information (PII) -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show sensitive data being transmitted insecurely: diff --git a/submissions/description/insecure_os_firmware/command_injection/template.md b/submissions/description/insecure_os_firmware/command_injection/template.md index 12fa272e..462d2796 100644 --- a/submissions/description/insecure_os_firmware/command_injection/template.md +++ b/submissions/description/insecure_os_firmware/command_injection/template.md 
@@ -1,11 +1,11 @@ When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network. An attacker could abuse this command injection vulnerability in the application to execute arbitrary commands on the user's operating system. -#### Business Impact +**Business Impact** This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Start {{application}} on the operating system and navigate to {{url}} 1. Observe that the OS firmware is insecure by {{action}} @@ -13,7 +13,7 @@ This vulnerability can lead to direct financial loss to the company due to data {{Payload}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show the steps required to exploit the command injection: diff --git a/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/non_sensitive/template.md b/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/non_sensitive/template.md index d52a2b01..0c0cc584 100644 --- a/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/non_sensitive/template.md +++ b/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/non_sensitive/template.md 
@@ -1,17 +1,17 @@ The device stores non-sensitive data that is not encrypted at rest. Despite the data not being directly exploitable, its accessibility due to lack of encryption allows attackers with physical access to the device to retrieve this information. This exposure could facilitate reverse engineering efforts or aid in future exploitation attempts, indirectly compromising the system's security. -#### Business Impact +**Business Impact** While the data in question is classified as non-sensitive, its exposure still poses security risks. Unauthorized access to this data can provide attackers with insights into the device's operations or architecture, potentially leading to vulnerabilities being uncovered. This situation can undermine the security posture of the device, leading to increased susceptibility to targeted attacks, erosion of customer confidence, and potential reputational damage. -#### Steps to Reproduce +**Steps to Reproduce** 1. Gain physical access to the device and remove the cover as seen in the images below. 1. Locate the hard drive on the device, and remove it. 1. Using a external hard drive caddy, mount the device. 1. Observe that it is possible to access the filesystem, demonstrating the lack of encryption at rest. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/sensitive/template.md b/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/sensitive/template.md index 59f0e937..8becfd57 100644 --- a/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/sensitive/template.md +++ b/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/sensitive/template.md 
@@ -1,17 +1,17 @@ The device stores sensitive data that is not encrypted at rest, compromising the confidentiality and integrity of the data. This oversight allows an attacker with physical access to the device to easily access and potentially compromise the sensitive data contained within, exposing personal information, secrets, or credentials. -#### Business Impact +**Business Impact** The absence of encryption for sensitive data at rest on the device poses a significant risk to data confidentiality and integrity. This vulnerability can lead to data breaches, unauthorized access to sensitive information, and potential financial and reputational damages to the organization. It undermines the trust of customers and partners and may result in non-compliance with regulatory requirements related to data protection and privacy. -#### Steps to Reproduce +**Steps to Reproduce** 1. Gain physical access to the device and remove the cover as seen in the images below. 1. Locate the hard drive on the device, and remove it. 1. Using a external hard drive caddy, mount the device. 1. Observe that it is possible to access the filesystem, demonstrating the lack of encryption at rest. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/template.md b/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/template.md index 7d55335b..f54a4039 100644 --- a/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/template.md +++ b/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/template.md 
@@ -1,10 +1,10 @@ The device stores data that is not encrypted at rest, compromising the confidentiality and integrity of the data. This oversight allows an attacker with physical access to the device to easily access and potentially compromise the sensitive data contained within, exposing personal information, secrets, or credentials. -#### Business Impact +**Business Impact** The absence of encryption for data at rest on the device poses a significant risk to data confidentiality and integrity. This vulnerability can lead to data breaches, unauthorized access to sensitive information, and potential financial and reputational damages to the organization. It undermines the trust of customers and partners and may result in non-compliance with regulatory requirements related to data protection and privacy. -#### Steps to Reproduce +**Steps to Reproduce** 1. Gain physical access to the device and remove the cover as seen in the images below. {{screenshot}} @@ -12,7 +12,7 @@ The absence of encryption for data at rest on the device poses a significant ris 1. Using a external hard drive caddy, mount the device. 1. Observe that it is possible to access the filesystem, demonstrating the lack of encryption at rest. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/failure_to_remove_sensitive_artifacts_from_disk/template.md b/submissions/description/insecure_os_firmware/failure_to_remove_sensitive_artifacts_from_disk/template.md index 6522d5a3..04e8bb0d 100644 --- a/submissions/description/insecure_os_firmware/failure_to_remove_sensitive_artifacts_from_disk/template.md +++ b/submissions/description/insecure_os_firmware/failure_to_remove_sensitive_artifacts_from_disk/template.md 
@@ -1,16 +1,16 @@ During the deployment or configuration phases of the device, sensitive artifacts (which can include: configuration information, secrets, or credentials) are transferred to and stored on the device's storage medium. These artifacts are not adequately removed post-deployment or configuration. As a result, an attacker gaining access to the device could view these sensitive artifacts. -#### Business Impact +**Business Impact** The persistence of sensitive artifacts on the device's storage poses a significant risk to data confidentiality and system integrity. Unauthorized access to these artifacts can lead to security breaches, unauthorized system access, and the potential leakage of confidential information. The implications include not only immediate operational and financial losses but also long-term damage to the organization's reputation and trustworthiness, alongside potential regulatory non-compliance. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the device using the credentials supplied. 2. Open the file found at: {{filepath}} 3. You'll see that the file is a deployment script, viewing the variable, {{variable}} you'll see secrets used during deployment. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md b/submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md index 97f1e0c6..0f7c41c6 100644 --- a/submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md +++ b/submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md 
@@ -2,16 +2,16 @@ When Operating System (OS) firmware is insecure, it broadens the application’s A hard-coded password for a non-privileged user was identified in the source code of the application. An attacker could abuse the hard-coded password for a non-privileged user to gain access to aspects of the application they normally would not have access to. With this increased access, a malicious attacker could perform other attacks on the application, elevate their privileges, or gather sensitive data from within the application. -#### Business Impact +**Business Impact** This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Observe that a password is hard-coded into the source code and does not require external validation -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the hard-coded password within the application source files: diff --git a/submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/template.md b/submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/template.md index c8ccb217..713db94c 100644 --- a/submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/template.md +++ b/submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/template.md 
@@ -2,16 +2,16 @@ When Operating System (OS) firmware is insecure, it broadens the application’s A hard-coded password for a privileged user was identified in the source code of the application. An attacker could abuse the hard-coded password for a privileged user to gain access to aspects of the application they normally would not have access to. With this increased access, a malicious attacker could perform other attacks on the application, or gather sensitive data from within the application. -#### Business Impact +**Business Impact** This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Observe that a password is hard-coded into the source code and does not require external validation -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the hard-coded password within the application source files: diff --git a/submissions/description/insecure_os_firmware/hardcoded_password/template.md b/submissions/description/insecure_os_firmware/hardcoded_password/template.md index f72947b2..c76d59db 100644 --- a/submissions/description/insecure_os_firmware/hardcoded_password/template.md +++ b/submissions/description/insecure_os_firmware/hardcoded_password/template.md 
@@ -2,16 +2,16 @@ When Operating System (OS) firmware is insecure, it broadens the application’s Hard-coded passwords were identified in the source code of the application. An attacker could abuse the hard-coded passwords to gain access to aspects of the application they normally would not have access to. With this increased access, a malicious attacker could perform other attacks on the application, elevate their privileges, or gather sensitive data from within the application. -#### Business Impact +**Business Impact** This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Observe that a password is hard-coded into the source code and does not require external validation -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the hard-coded password within the application source files: diff --git a/submissions/description/insecure_os_firmware/kiosk_escape_or_breakout/template.md b/submissions/description/insecure_os_firmware/kiosk_escape_or_breakout/template.md index d48bc969..17ed7f02 100644 --- a/submissions/description/insecure_os_firmware/kiosk_escape_or_breakout/template.md +++ b/submissions/description/insecure_os_firmware/kiosk_escape_or_breakout/template.md 
@@ -1,16 +1,16 @@ A kiosk escape or breakout occurs when an exploit allows users to bypass the software package serving as the frontend for an application on a system, gaining unauthorized access to the underlying operating system. This vulnerability varies in impact depending on the operating system and the level of hardening applied to the system. In cases where the system uses administrator-level access, the consequences can include defacement, installation of malicious software, or breaches of data integrity, potentially affecting stored customer data. -#### Business Impact +**Business Impact** This vulnerability can lead to unauthorized access, data breaches, and malicious activities, including the installation of unwanted software and alteration of stored data. Such incidents can result in significant financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised. -#### Steps to Reproduce +**Steps to Reproduce** 1. Turn the {{hardware}} on and wait for the software to run. 1. Constantly click on the bottom right of the touch screen, revealing the desktop. 1. Observe that there is an administrator level user on the device. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshots demonstrate the process of escaping from the application's controlled environment to access the underlying operating system. This may include screenshots or a description of the exploit technique used, the access gained to system settings or files, and any unauthorized actions performed as a result: diff --git a/submissions/description/insecure_os_firmware/local_administrator_on_default_environment/template.md b/submissions/description/insecure_os_firmware/local_administrator_on_default_environment/template.md index 93e8ac73..92d40d4c 100644 --- a/submissions/description/insecure_os_firmware/local_administrator_on_default_environment/template.md 
+++ b/submissions/description/insecure_os_firmware/local_administrator_on_default_environment/template.md @@ -1,10 +1,10 @@ The current configuration of the device uses a local administrator account as the default environment setting. This configuration inherently provides administrator-level access to the running processes and access, posing a significant security risk. If an attacker compromises the application or device, they can gain elevated privileges automatically, allowing for extensive control over the device's functions and data. -#### Business Impact +**Business Impact** Operating devices under local administrator accounts by default increases the risk of severe security breaches. An attacker with administrator-level access can disable security measures, install malicious software, and access or alter sensitive information. This could lead to operational disruptions, data breaches involving sensitive customer or business information, and significant financial and reputational damage to the organization. Furthermore, this practice may fail to comply with security standards and regulatory compliance requirements. -#### Steps to Reproduce +**Steps to Reproduce** 1. Open the device and use a TTY Cable to connect to the header pins found in the screenshot below: {{screenshot}} @@ -20,7 +20,7 @@ or 3. Now on the desktop, open a terminal and type the command: {{command}}. 4. You'll see the response shows the user is a local administrator account. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/over_permissioned_credentials_on_storage/template.md b/submissions/description/insecure_os_firmware/over_permissioned_credentials_on_storage/template.md index 9ab802ca..7a96c5d9 100644 --- a/submissions/description/insecure_os_firmware/over_permissioned_credentials_on_storage/template.md 
+++ b/submissions/description/insecure_os_firmware/over_permissioned_credentials_on_storage/template.md @@ -1,10 +1,10 @@ The device contains a set of credentials stored on its storage medium that are over-permissioned for their intended use. While these credentials are designed to access a specific shared service, their excessive permissions allow for broader unauthorized access. If the device is compromised or falls into the hands of unauthorized user, these over-permissioned credentials could be used to access not only the intended service but also additional services and data that should be segregated. -#### Business Impact +**Business Impact** Storing over-permissioned credentials on the device presents a significant security risk, amplifying the potential damage from unauthorized access. Attackers could exploit these credentials to gain extensive control over the system's resources and sensitive data, including customer information and proprietary secrets. Such breaches can lead to financial losses, regulatory penalties, erosion of customer trust, and long-term reputational damage to the organization. -#### Steps to Reproduce +**Steps to Reproduce** 1. Gain physical access to the device and remove the cover, as seen in the images below: {{screenshot}} @@ -22,7 +22,7 @@ or 1. Using the HTTP request below, send the request with the token: {{HTTP request}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/poorly_configured_disk_encryption/template.md b/submissions/description/insecure_os_firmware/poorly_configured_disk_encryption/template.md index 2174e1b2..7259608b 100644 --- a/submissions/description/insecure_os_firmware/poorly_configured_disk_encryption/template.md +++ b/submissions/description/insecure_os_firmware/poorly_configured_disk_encryption/template.md 
@@ -1,16 +1,16 @@ The device uses a disk encryption to protect stored data from being accessed while at rest. However, due to a poor configuration of the encryption mechanism, an unauthorized attacker with physical access to the device can decrypt the disk's contents. This vulnerability could expose secrets, customer data, or other sensitive information stored on the device. -#### Business Impact +**Business Impact** A flaw in the disk encryption configuration significantly undermines the device's data security, posing a high risk to the confidentiality and integrity of stored data. If exploited, this vulnerability can lead to the exposure of sensitive information, potentially resulting in financial losses, damage to the organization's reputation, and erosion of customer trust. Furthermore, it may result in non-compliance with data protection regulations. -#### Steps to Reproduce +**Steps to Reproduce** 1. Gain physical access to the device and start the boot process. 2. Once the device has reached the boot menu and asks for a password, type `A` 257 times and press enter. 3. The device will decrypt the disk and you can access its contents, including any sensitive data stored on the device. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/poorly_configured_operating_system_security/template.md b/submissions/description/insecure_os_firmware/poorly_configured_operating_system_security/template.md index 43da3e2b..8df340ab 100644 --- a/submissions/description/insecure_os_firmware/poorly_configured_operating_system_security/template.md +++ b/submissions/description/insecure_os_firmware/poorly_configured_operating_system_security/template.md 
@@ -1,15 +1,15 @@ The device employs a standard operating system where the configuration fails to adequately secure the device. This poor configuration can expose the device to various security vulnerabilities, making it susceptible to unauthorized access, data breaches, and other malicious activities. An attacker with access to the operating system can gain access to the applications and data on the device. -#### Business Impact +**Business Impact** The inadequate security configuration of the operating system can lead to significant risks, including the compromise of sensitive information, operational disruptions, and financial losses. Moreover, it can damage the organization's reputation and customer trust. Ensuring compliance with security standards and regulatory requirements becomes challenging under these conditions, potentially resulting in legal and financial repercussions. -#### Steps to Reproduce +**Steps to Reproduce** 1. Power on the device and login, then open the settings menu. 2. You'll see issues which deviate from hardening recommendations, including unnecessary services running, default passwords unchanged, or insufficient access controls. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/recovery_of_disk_contains_sensitive_material/template.md b/submissions/description/insecure_os_firmware/recovery_of_disk_contains_sensitive_material/template.md index 6b609157..bd5e4848 100644 --- a/submissions/description/insecure_os_firmware/recovery_of_disk_contains_sensitive_material/template.md +++ b/submissions/description/insecure_os_firmware/recovery_of_disk_contains_sensitive_material/template.md 
@@ -1,16 +1,16 @@ The device's storage medium fails to adequately delete data when a factory reset is performed due to a flaw in the process. An attacker with access to the storage medium post-reset can recover and exploit the sensitive information. -#### Business Impact +**Business Impact** The incomplete deletion of sensitive data during a factory reset poses a substantial risk of data breaches. If exploited, this vulnerability can lead to the unauthorized disclosure of confidential information, undermining customer trust and violating privacy regulations. The consequent legal, financial, and reputational damages can significantly impact the organization's standing and operations. -#### Steps to Reproduce +**Steps to Reproduce** 1. Perform a factory reset on the device to initiate the data removal process. 2. Access the storage medium of the device after the reset. 3. Use {{tool}} to retrieve previously stored sensitive information. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/shared_credentials_on_storage/template.md b/submissions/description/insecure_os_firmware/shared_credentials_on_storage/template.md index 145cbdbe..4c776f78 100644 --- a/submissions/description/insecure_os_firmware/shared_credentials_on_storage/template.md +++ b/submissions/description/insecure_os_firmware/shared_credentials_on_storage/template.md 
@@ -1,10 +1,10 @@ The device in question stores a set of shared credentials on its storage medium. These credentials are intended for accessing a shared service. However, should the device be compromised or acquired by unauthorized parties, an attacker could use these shared credentials to gain access to services that are normally restricted. -#### Business Impact +**Business Impact** The presence of shared credentials stored on the device poses a significant security risk. Unauthorized access to shared services can lead to data breaches, unauthorized transactions, or the manipulation of sensitive information. Such incidents can severely impact the organization's operational security, result in financial losses, and damage the organization's reputation, especially if customer data or critical business operations are compromised. -#### Steps to Reproduce +**Steps to Reproduce** 1. Gain physical access to the device and remove the cover, as seen in the images below: @@ -21,7 +21,7 @@ or 4. Using the HTTP request below, send the request with the token: {{HTTP request}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/template.md b/submissions/description/insecure_os_firmware/template.md index 7546cda8..3cbe830e 100644 --- a/submissions/description/insecure_os_firmware/template.md +++ b/submissions/description/insecure_os_firmware/template.md 
@@ -1,10 +1,10 @@ When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network. -#### Business Impact +**Business Impact** This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Start {{application}} on the operating system and navigate to {{url}} 1. Input the following payload into {{parameter}}: @@ -14,7 +14,7 @@ This vulnerability can lead to direct financial loss to the company due to data 1. Observe that the OS firmware is insecure -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows insecure OS firmware: diff --git a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_cannot_be_updated/template.md b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_cannot_be_updated/template.md index 161602e6..16dd8810 100644 --- a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_cannot_be_updated/template.md +++ b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_cannot_be_updated/template.md 
@@ -1,17 +1,17 @@ The hardware lacks the capability for firmware updates, leaving the system exposed to unpatched vulnerabilities and security risks. These limitations prevents effective maintenance and security management, rendering the device obsolete against evolving threats. An attacker can leverage the lack of firmware updates to gain access to sensitive information. -#### Business Impact +**Business Impact** Inability to perform firmware updates directly affects operational resilience and security posture, leading to potential system integrity and reliability issues. It elevates the risk of operational disruptions and could necessitate increased expenditures for device replacement or additional security measures. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the specific {{Hardware}} model: {{Hardware name and model number}} 2. Check the user interface or official documentation for firmware update options. 3. Verify the lack of an update mechanism by attempting to locate or execute a firmware update process within the device's settings or configuration portal. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_does_not_validate_update_integrity/template.md b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_does_not_validate_update_integrity/template.md index 3382c8d0..33a2cee8 100644 --- a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_does_not_validate_update_integrity/template.md +++ b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_does_not_validate_update_integrity/template.md 
@@ -1,16 +1,16 @@ The hardware fails to validate the authenticity and integrity of the update file. Without proper validation, the system is susceptible to accepting and installing corrupted or malicious updates, compromising the device's security and functionality. -#### Business Impact +**Business Impact** The direct impact includes potential compromise of device functionality, unauthorized access to sensitive data, and the introduction of malware, leading to operational disruptions. This vulnerability undermines the trust in the device's security measures, potentially resulting in significant financial costs for mitigation and recovery, alongside damaging the organization's reputation for safeguarding user data and system integrity. -#### Steps to Reproduce +**Steps to Reproduce** 1. Prepare a modified or corrupted firmware update file for the {{hardware version}}. 2. Initiate the firmware update process using the compromised file. 3. Observe the lack of validation checks for the update's authenticity or integrity during the update process. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_is_not_encrypted/template.md b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_is_not_encrypted/template.md index bdc8134b..07907825 100644 --- a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_is_not_encrypted/template.md +++ b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_is_not_encrypted/template.md 
@@ -1,16 +1,16 @@ The firmware used for the hardware is stored or transmitted without encryption. This lack of encryption allows for easier reverse engineering and analysis, enabling unauthorized individuals to more readily identify security vulnerabilities within the device's firmware. -#### Business Impact +**Business Impact** The absence of encryption on the firmware heightens the risk of security vulnerabilities being discovered and exploited. This can lead to unauthorized access and data breaches, compromising the integrity of the device. The subsequent detection and exploitation of these vulnerabilities can cause significant financial, operational, and reputational damage to the organization, diminishing customer trust and potentially violating regulatory compliance. -#### Steps to Reproduce +**Steps to Reproduce** 1. Browse to the following URL and download the firmware: {{URL}} 2. Open the firmware file using {{Tool}} and {{techniques}}, due to its unencrypted state. 3. Observe that the firmware appears unencrypted, simplifying the process for reverse engineering and vulnerability identification. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/template.md b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/template.md index acbebff1..8d6cde25 100644 --- a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/template.md +++ b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/template.md 
@@ -1,17 +1,17 @@ There is a weakness in firmware updates that leaves the system exposed to unpatched vulnerabilities and security risks. These limitations prevents effective maintenance and security management, rendering the device obsolete against evolving threats. An attacker can leverage the weakness in firmware updates to gain access to sensitive information. -#### Business Impact +**Business Impact** Weaknesses in firmware updates directly affects operational resilience and security posture, leading to potential system integrity and reliability issues. It can lead to unauthorized access and data breaches, compromising the integrity of the device. The subsequent detection and exploitation of these vulnerabilities can cause significant financial, operational, and reputational damage to the organization, diminishing customer trust and potentially violating regulatory compliance. -#### Steps to Reproduce +**Steps to Reproduce** 1. Identify the specific {{Hardware}} model: {{Hardware name and model number}} 2. Check the user interface or official documentation for firmware update options. 3. Verify the weakness in the firmware update process within the device's settings or configuration portal. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insufficient_security_configurability/lack_of_notification_email/template.md b/submissions/description/insufficient_security_configurability/lack_of_notification_email/template.md index c91d30e5..955d3d93 100644 --- a/submissions/description/insufficient_security_configurability/lack_of_notification_email/template.md +++ b/submissions/description/insufficient_security_configurability/lack_of_notification_email/template.md 
@@ -1,16 +1,16 @@ The overall security of an application is diminished when accounts are not properly configured to include a notification email upon important account changes, such as a password or email address change. A lack of notification email on account changes allows an attacker who has gained access to a user's account through other means to make changes without notifying the user. -#### Business Impact +**Business Impact** A lack of a notification email upon important account changes as a single vulnerability does not have a strong impact. However, chained with other vulnerabilities, it could lead to data theft through the attacker’s ability to manipulate data via their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login to a valid account and navigate to: {{URL}} 1. Modify an account variable, such as the password or username 1. Observe that no notification email is sent to the associated account email address to notify the owner of the change -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The lack of notification email can be seen below below:: diff --git a/submissions/description/insufficient_security_configurability/no_password_policy/template.md b/submissions/description/insufficient_security_configurability/no_password_policy/template.md index fc9881cd..1d66782a 100644 --- a/submissions/description/insufficient_security_configurability/no_password_policy/template.md +++ b/submissions/description/insufficient_security_configurability/no_password_policy/template.md 
@@ -1,16 +1,16 @@ When there is no password policy set, the strength of the overall authentication process for an application is diminished. No password policy is present within this web application, allowing for weak passwords to be used by any user, including Administrator accounts. This makes it relatively easy for an attacker to use password spraying or brute forcing methods to guess users passwords, with minimal effort required to compromise multiple users’ accounts. -#### Business Impact +**Business Impact** Having no password policy can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Attempt to login 1. Observe that the application allows the use of weak passwords, such as `a` -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows that there is no password policy: diff --git a/submissions/description/insufficient_security_configurability/password_policy_bypass/template.md b/submissions/description/insufficient_security_configurability/password_policy_bypass/template.md index 471fdedc..91d43f64 100644 --- a/submissions/description/insufficient_security_configurability/password_policy_bypass/template.md +++ b/submissions/description/insufficient_security_configurability/password_policy_bypass/template.md 
@@ -1,10 +1,10 @@ When there is no password policy set, or the password policy can be bypassed, the overall strength of the authentication process for an application is diminished. A password policy bypass is present within this web application, allowing for weak passwords to be used by any user. This makes it easy for an attacker to use password spraying or brute forcing methods to guess users passwords, with minimal effort required to compromise multiple users’ accounts. -#### Business Impact +**Business Impact** Having a password policy bypass present within the application can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Attempt to login @@ -12,7 +12,7 @@ Having a password policy bypass present within the application can result in rep ​​{{parameter}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the bypass of the password policy: diff --git a/submissions/description/insufficient_security_configurability/template.md b/submissions/description/insufficient_security_configurability/template.md index d3ce943a..59b402e8 100644 --- a/submissions/description/insufficient_security_configurability/template.md +++ b/submissions/description/insufficient_security_configurability/template.md 
@@ -1,15 +1,15 @@ Insufficient security configurability refers to the lack of options or flexibility in configuring security settings within a system or application. This vulnerability may arise from hardcoded security configurations, limited options for customization, or inadequate documentation. Due to this, an attacker can manipulate data and perform actions that appear to originate from a legitimate user. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 2. Perform {{action}} and observe that the security configuration is weak -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the vulnerability: diff --git a/submissions/description/insufficient_security_configurability/verification_of_contact_method_not_required/template.md b/submissions/description/insufficient_security_configurability/verification_of_contact_method_not_required/template.md index 07202271..56ba2060 100644 --- a/submissions/description/insufficient_security_configurability/verification_of_contact_method_not_required/template.md +++ b/submissions/description/insufficient_security_configurability/verification_of_contact_method_not_required/template.md 
@@ -1,16 +1,16 @@ The overall security of an application is diminished when accounts are not properly verified upon creation of a new contact method, such as an email address. The lack of verification for the contact method allows an attacker to associate their own email address with a user's account which can lead to phishing and impersonation attacks, or account squatting. -#### Business Impact +**Business Impact** A lack of a verification email for an updated contact method can result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login to a valid account and navigate to: {{URL}} 1. Modify a contact method of the account, such as the phone number of email address 1. Observe that no verification email is sent to the new contact method before it is associated with the account -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The lack of notification email can be seen below below:: diff --git a/submissions/description/insufficient_security_configurability/weak_password_policy/template.md b/submissions/description/insufficient_security_configurability/weak_password_policy/template.md index 65ffc256..a579136f 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_policy/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_policy/template.md 
@@ -1,16 +1,16 @@ When the password policy for an application is weak, the strength of the overall authentication process for the application is diminished. Not having complexity requirements for passwords, password history checks, or enforcing account lockouts, all weaken the password policy. This application’s weak password policy decreases the time it takes an attacker to successfully guess account passwords through manual or automated processes. This can lead to account take over for accounts with weak passwords set. -#### Business Impact +**Business Impact** Having a weak password policy can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Attempt to login 1. Observe that the application allows the use of weak passwords -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak password policy: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/template.md index 0de5d443..e4e3146d 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/template.md 
@@ -1,10 +1,10 @@ When the password reset implementation is weak, the strength of the overall authentication process for the application is diminished. Tokens sent over HTTP, predictable reset tokens, and long expiry times create weak conditions for the password reset implementation. This application’s weak password reset implementation allows an attacker to intercept the password reset token and reset a user’s password, locking the user out of their account and achieving full account takeover. -#### Business Impact +**Business Impact** Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login to a valid account and navigate to: {{URL}} @@ -12,7 +12,7 @@ Weak password reset implementation could lead to data theft from the attacker’ 1. Capture the request using the HTTP interception proxy 1. Observe the weakness in the password reset implementation -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak password reset implementation: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/template.md index adf67fe7..a541b8ed 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/template.md 
+++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/template.md @@ -1,19 +1,19 @@ The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application’s password reset implementation is weak as it has a long timed expiry, giving an attacker more time to discover an unexpired reset password token and use it to take over its account. -#### Business Impact +**Business Impact** Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Initiate a password reset 1. Observe within the HTTP interception proxy that the password reset token has a long timed expiry -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot specifies the long timed expiry of the password reset token below: 
diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_email_change/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_email_change/template.md index cef8380e..b3c8d0e5 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_email_change/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_email_change/template.md 
@@ -1,19 +1,19 @@ The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application’s password reset implementation is weak as it allows an email that is no longer associated with the account to perform a password reset. -#### Business Impact +**Business Impact** Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset 1. Navigate to the following URL and modify the account email address 1. Observe that the password reset token that was received in the earlier step is still valid -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows that the password reset token is not invalidated after email change below: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/template.md index de7796bf..57358d67 100644 
--- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/template.md @@ -2,20 +2,20 @@ The password reset implementation needs to involve a unique, temporary high-entr The application does not invalidate the password reset token after the user successfully resets their password and login to the application. If an attacker were to gain access to the system used to store the reset token, they could use this unused token to reset the user's password and gain access to the account. -#### Business Impact +**Business Impact** Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset 1. Login to the application with the new password 1. Observe that the password reset token that was received in the earlier step is still valid -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows that the password reset token is not invalidated after login below: 
diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_new_token_is_requested/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_new_token_is_requested/template.md index dd2c2864..36285565 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_new_token_is_requested/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_new_token_is_requested/template.md 
@@ -2,20 +2,20 @@ The password reset implementation needs to involve a unique, temporary high-entr The application does not invalidate the password reset token after a new token is requested. If an attacker were to gain access to the system used to store the reset token, they could use this unused token to reset the user's password and gain access to the account. -#### Business Impact +**Business Impact** Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset (request_1) 1. Initiate a password reset (request_2) 1. Open the received request_1 and observe that the password reset token is still valid -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows that the password reset token is not invalidated after a subsequent request for a password reset: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_password_change/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_password_change/template.md index 99856f7b..00acb1d7 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_password_change/template.md 
+++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_password_change/template.md @@ -2,20 +2,20 @@ The password reset implementation needs to involve a unique, temporary high-entr The application does not invalidate the password reset token after a password change. If an attacker were to gain access to the system used to store the reset token, they could use this unused token to reset the user's password and gain access to the account. -#### Business Impact +**Business Impact** Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset 1. Modify the password for the account 1. Observe that the password reset token received earlier is still valid -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows that the password reset token is not invalidated after a password change: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_use/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_use/template.md index f9db4ec7..0d9e1eed 100644 
--- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_use/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_use/template.md @@ -2,20 +2,20 @@ The password reset implementation needs to involve a unique, temporary high-entr The application does not invalidate the password reset token after its use. If an attacker were to gain access to the system used to store the reset token, or the email of the user, they could reset the users password again. -#### Business Impact +**Business Impact** Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset 1. Utilize the password reset token received to reset the password 1. Observe that the password reset token received earlier is still valid after being used -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows that the password reset token is not invalidated after use: {{screenshot}} 
diff --git a/submissions/description/insufficient_security_configurability/weak_registration_implementation/allows_disposable_email_addresses/template.md b/submissions/description/insufficient_security_configurability/weak_registration_implementation/allows_disposable_email_addresses/template.md index c72f3989..4e03753f 100644 --- a/submissions/description/insufficient_security_configurability/weak_registration_implementation/allows_disposable_email_addresses/template.md +++ b/submissions/description/insufficient_security_configurability/weak_registration_implementation/allows_disposable_email_addresses/template.md @@ -1,16 +1,16 @@ When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. The application allows users to submit a disposable or alias email address to register an account. An attacker can abuse this weakness to bulk register fake user profiles and use them to launch spam campaigns. -#### Business Impact +**Business Impact** Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Register an account using a disposable email service 1. Observe that the account is created -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak registration implementation: diff --git a/submissions/description/insufficient_security_configurability/weak_registration_implementation/template.md b/submissions/description/insufficient_security_configurability/weak_registration_implementation/template.md index f4eb7408..96397da4 100644 --- a/submissions/description/insufficient_security_configurability/weak_registration_implementation/template.md 
+++ b/submissions/description/insufficient_security_configurability/weak_registration_implementation/template.md @@ -1,16 +1,16 @@ When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. An application's registration process can be weakened by a connection over HTTP, or by allowing users to submit a disposable or alias email address to register an account, for example.The weak registration implementation for this application could allow an attacker to abuse the registration process and bulk register fake user profiles to launch spam campaigns. -#### Business Impact +**Business Impact** Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Register an account 1. {{action}} and observe that the registration implementation is weak -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak registration implementation: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/missing_failsafe/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/missing_failsafe/template.md index 836ac96a..a592b5b7 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/missing_failsafe/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/missing_failsafe/template.md 
@@ -1,16 +1,16 @@ Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. Not providing a failsafe in the 2FA implementation in the application could prevent a user who has lost their 2FA device to an attacker from resetting the password of their account. An attacker can take advantage of this and potentially take over user accounts. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 1. Navigate to the 2FA registration page at: {{url}} 1. Register for 2FA, and observe that the implementation provides no failsafe login methods, such as offline backup codes -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the missing 2FA failsafe: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/old_two_fa_code_is_not_invalidated_after_new_code_is_generated/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/old_two_fa_code_is_not_invalidated_after_new_code_is_generated/template.md index 1dd676b4..668f39af 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/old_two_fa_code_is_not_invalidated_after_new_code_is_generated/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/old_two_fa_code_is_not_invalidated_after_new_code_is_generated/template.md 
@@ -1,10 +1,10 @@ Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. An older 2FA code is not invalidated when a new code is generated in the application. This could allow an attacker to perform a replay attack. In this kind of attack, an attacker can use older unused 2FA codes to bypass the 2FA implementation of the application. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 1. When the 2FA step of the login is reached, request a code @@ -12,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Input the first, older code into the 2FA input 1. Observe that the application allows the use of the first code after the second was generated, meaning it was not invalidated -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the old 2FA code not being invalidated: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/template.md index adcba5ed..70ce6b95 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/template.md 
@@ -1,16 +1,16 @@ Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. The application’s implementation of 2FA is weak which makes user accounts more susceptible to compromise. An attacker can take advantage of this weak 2FA implementation and potentially take over user accounts. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 1. When the two factor authentication step of the login is reached, request a code 1. Perform {{action}} and observe that the 2FA implementation is weak -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the weak implementation of 2FA: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_code_is_not_updated_after_new_code_is_requested/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_code_is_not_updated_after_new_code_is_requested/template.md index bb8754e5..81c26468 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_code_is_not_updated_after_new_code_is_requested/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_code_is_not_updated_after_new_code_is_requested/template.md 
@@ -1,17 +1,17 @@ Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. A 2FA code is not updated when a new code is requested in the application which does not follow best practice for 2FA implementation. An attacker can take advantage of this weak 2FA implementation and potentially take over user accounts. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 1. When the 2FA step of the login is reached, request a code 1. When the first code is received, request a new code and verify that the second code is also received 1. Observe that the first and second code are identical, demonstrating that the 2FA code is not updated when a new code is requested -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates that the 2FA code is not updated when a new code is requested: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_cannot_be_rotated/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_cannot_be_rotated/template.md index dc34508e..9d2ec0a4 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_cannot_be_rotated/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_cannot_be_rotated/template.md 
@@ -1,16 +1,16 @@ Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. The 2FA secret cannot be rotated in the application which does not follow best practice for 2FA implementation.If an attacker were able to compromise a user's 2FA system, the user would not be able to invalidate their 2FA secret. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 1. Setup two factor authentication 1. After the 2FA secret is created, observe that there is no way in which the secret can be rotated -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates that the 2FA code can’t be rotated: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_remains_obtainable_after_two_fa_is_enabled/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_remains_obtainable_after_two_fa_is_enabled/template.md index 525d6cca..ace6a11a 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_remains_obtainable_after_two_fa_is_enabled/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_remains_obtainable_after_two_fa_is_enabled/template.md 
@@ -1,16 +1,16 @@ Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. The 2FA secret remains obtainable after initial setup in the application. This could allow an attacker with account access or physical access to bypass the 2FA system. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 1. Setup two factor authentication 1. After initial setup, observe that the two factor authentication secret is still obtainable at: {{url}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the full exploit: diff --git a/submissions/description/lack_of_binary_hardening/lack_of_exploit_mitigations/template.md b/submissions/description/lack_of_binary_hardening/lack_of_exploit_mitigations/template.md index ed13130c..c91b2541 100644 --- a/submissions/description/lack_of_binary_hardening/lack_of_exploit_mitigations/template.md +++ b/submissions/description/lack_of_binary_hardening/lack_of_exploit_mitigations/template.md 
@@ -1,16 +1,16 @@ A lack of exploit mitigations in an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker could abuse the lack of exploit mitigations in order to run known exploits on the application. From here, the attacker can access sensitive data stored, transmitted or processed by the application and perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Run the following known exploit: {{payload}} 1. Observe that the application does not contain any mitigations to prevent this exploit -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the lack of exploit mitigation: diff --git a/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/template.md b/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/template.md index 4e2642d9..20e5c677 100644 --- a/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/template.md +++ b/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/template.md 
@@ -1,16 +1,16 @@ A lack of jailbreak (iOS) or root access (Android) detections in an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker could abuse the lack of jailbreak (iOS) or root access (Android) detections to access the internal file system of the application, or inject unauthorized code into the application. -#### Business Impact +**Business Impact** This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Jailbreak (iOS) or gain root access (Android) to a mobile device 1. Install the application on the mobile device 1. Open the application and observe that the application does not prevent access or acknowledge that the mobile device has been jailbroken (iOS) or that root access (Android) has been gained, indicating it lacks a detection mechanism -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the lack of jailbreak (iOS) or root access (Android) detections: diff --git a/submissions/description/lack_of_binary_hardening/lack_of_obfuscation/template.md b/submissions/description/lack_of_binary_hardening/lack_of_obfuscation/template.md index 34d4af32..b5d4fcc0 100644 --- a/submissions/description/lack_of_binary_hardening/lack_of_obfuscation/template.md +++ b/submissions/description/lack_of_binary_hardening/lack_of_obfuscation/template.md 
@@ -1,15 +1,15 @@ A lack of obfuscation of the source code of an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker could abuse non-obfuscated source code of the application, read source code without any hindrances and perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Observe that there is no obfuscation in the source code -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the lack of obfuscation: diff --git a/submissions/description/lack_of_binary_hardening/runtime_instrumentation_based/template.md b/submissions/description/lack_of_binary_hardening/runtime_instrumentation_based/template.md index dc331365..45ee1910 100644 --- a/submissions/description/lack_of_binary_hardening/runtime_instrumentation_based/template.md +++ b/submissions/description/lack_of_binary_hardening/runtime_instrumentation_based/template.md 
@@ -1,15 +1,15 @@ A lack of runtime instrumentation-based binary hardening of an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. When an application cannot detect changes in the code base at runtime compared to known integrity checks, the application can react in unpredictable ways. An attacker can take advantage of this lack of checks at runtime and alter the performance of the application, then also perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Observe that there is no integrity checking in the source code at runtime -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the lack of binary hardening: diff --git a/submissions/description/lack_of_binary_hardening/template.md b/submissions/description/lack_of_binary_hardening/template.md index 82bfaaba..ebcd21f8 100644 --- a/submissions/description/lack_of_binary_hardening/template.md +++ b/submissions/description/lack_of_binary_hardening/template.md 
@@ -1,15 +1,15 @@ A lack of binary hardening of an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker with access to the code of an application with a lack of binary hardening can reverse engineer it and perform unauthorized code modification. From here, the attacker can access sensitive data stored, transmitted or processed by the application and perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Observe that there is no binary hardening for the application -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the lack of binary hardening: diff --git a/submissions/description/misinterpretation_biases/context_ignorance/template.md b/submissions/description/misinterpretation_biases/context_ignorance/template.md index 6074a688..45f9d609 100644 --- a/submissions/description/misinterpretation_biases/context_ignorance/template.md +++ b/submissions/description/misinterpretation_biases/context_ignorance/template.md 
@@ -1,15 +1,15 @@ Context ignorance occurs when AI models do not consider the broader context when making decisions, leading to uninformed or unfair decision making. This can be a result of the AI model's design or the training data it has been trained on. Outputs from AI models that have context ignorance can result in discrimination, reinforcement of stereotypes, or viewpoints that disadvantage certain groups. -#### Business Impact +**Business Impact** Context ignorance in this AI model can result in a lack of fairness and objectivity which can lead to reputational damage and a loss of customer trust in the output of the model. Additionally, business decisions that rely on this AI model are also affected due to suboptimal outcomes and missed opportunities. -#### Steps to Reproduce +**Steps to Reproduce** 1. Present the AI model with scenarios where it needs to consider broader context. 1. Observe the model's decisions and its inability to account for the context in its choices. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/misinterpretation_biases/template.md b/submissions/description/misinterpretation_biases/template.md index 37b19a85..2613f920 100644 --- a/submissions/description/misinterpretation_biases/template.md +++ b/submissions/description/misinterpretation_biases/template.md 
@@ -1,15 +1,15 @@ Misinterpretation biases can occur when AI models incorrectly interpret the context or data, leading the model to make inaccurate decisions or predictions. These misinterpretation biases can stem from inadequate training data, or limitations in the model's design, resulting in outputs that to do not align with the context of the inputs. -#### Business Impact +**Business Impact** Misinterpretation biases in this AI model can result in reputational damage and indirect monetary loss due to the loss of customer trust in the output of the model. -#### Steps to Reproduce +**Steps to Reproduce** 1. Present the AI model with scenarios where it needs to consider broader context. 1. Observe the model's decisions and its inability to account for the context in its choices. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/mobile_security_misconfiguration/auto_backup_allowed_by_default/template.md b/submissions/description/mobile_security_misconfiguration/auto_backup_allowed_by_default/template.md index 1c313f28..ea723989 100644 --- a/submissions/description/mobile_security_misconfiguration/auto_backup_allowed_by_default/template.md +++ b/submissions/description/mobile_security_misconfiguration/auto_backup_allowed_by_default/template.md 
@@ -2,18 +2,18 @@ Mobile security misconfigurations can occur at any level of the application stac An attacker could abuse an application that has auto backup allowed by default to access this sensitive data from the application once they have physical access to the device. This could allow the attacker to bypass any in-app authentication and access sensitive data which they could abuse to perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Install the application on an android mobile device 1. In the mobile device, enable USB debugging 1. Use the android ADB tool to backup the data of the mobile device 1. In this backup, view that sensitive data from the application was included in the backup automatically -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/clipboard_enabled/template.md b/submissions/description/mobile_security_misconfiguration/clipboard_enabled/template.md index 6e0a94c7..3ab0d859 100644 --- a/submissions/description/mobile_security_misconfiguration/clipboard_enabled/template.md +++ b/submissions/description/mobile_security_misconfiguration/clipboard_enabled/template.md 
@@ -2,17 +2,17 @@ Mobile security misconfigurations can occur at any level of the application stac An attacker could abuse the system clipboard being enabled to steal sensitive information that a user copied to their clipboard from within the application. With access to this sensitive data they could perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Install the application on your mobile device 1. Navigate to the following URL: {{URL}} and copy some sensitive account information 1. Paste this data in some other area of your mobile device and observe that access to the clipboard was enabled in the application -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/absent/template.md b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/absent/template.md index 8badb720..f8dd0963 100644 --- a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/absent/template.md +++ b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/absent/template.md 
@@ -2,17 +2,17 @@ Mobile security misconfigurations can occur at any level of the application stac Without SSL certificate pinning, an attacker could perform a Person-in-the-Middle (PitM) attack on the user. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Install the application on your mobile device 1. Route your mobile device's HTTP traffic through a proxy server and install/trust the proxy server's CA certificate 1. Open the application and observe that the HTTP traffic is routed through the proxy server, meaning the application does not implement certificate pinning -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/defeatable/template.md b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/defeatable/template.md index 1f1913fe..96696d40 100644 --- a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/defeatable/template.md +++ b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/defeatable/template.md 
@@ -2,11 +2,11 @@ Mobile security misconfigurations can occur at any level of the application stac When SSL certificate pinning is defeatable, an attacker could perform a Person-in-the-Middle (PitM) attack on the user. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Install the application on your mobile device 1. Route your mobile device's HTTP traffic through a proxy server and install/trust the proxy server's CA certificate @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage as customers may view the app 1. Open the application and observe that the HTTP traffic is routed through the proxy server, meaning the certificate pinning was defeated -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/template.md b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/template.md index b81b16cd..20f85bda 100644 --- a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/template.md +++ b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/template.md 
@@ -2,11 +2,11 @@ Mobile security misconfigurations can occur at any level of the application stac When SSL certificate pinning is misconfigured, an attacker could perform a Person-in-the-Middle (PitM) attack on the user. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Install the application on your mobile device 1. Route your mobile device's HTTP traffic through a proxy server and install/trust the proxy server's CA certificate @@ -16,7 +16,7 @@ This vulnerability can lead to reputational damage as customers may view the app 1. Open the application and observe that the HTTP traffic is routed through the proxy server, meaning the certificate pinning is misconfigured -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/tapjacking/template.md b/submissions/description/mobile_security_misconfiguration/tapjacking/template.md index 1d8faf40..d6f5d696 100644 --- a/submissions/description/mobile_security_misconfiguration/tapjacking/template.md +++ b/submissions/description/mobile_security_misconfiguration/tapjacking/template.md 
@@ -2,16 +2,16 @@ Mobile security misconfigurations can occur at any level of the application stac An attacker could abuse an application that does not protect sensitive UI functionality from tapjacking by stealing UI inputs from a user that uses the application on specific Android OS versions. With access to sensitive data through a tapjacking attack, an attacker could perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. View the source code files of the application 1. Navigate to the following URL: {{URL}} and view the sensitive UI functionality does not have the attribute `"filterTouchesWhenObscured="true"`, thus allowing tapjacking attacks on certain Android OS versions -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/template.md b/submissions/description/mobile_security_misconfiguration/template.md index bcdd5ed6..6c181196 100644 --- a/submissions/description/mobile_security_misconfiguration/template.md +++ b/submissions/description/mobile_security_misconfiguration/template.md 
@@ -1,15 +1,15 @@ Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. An attacker can take advantage of security misconfigurations within the mobile application to perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following filesystem/page within the application: {{location}} 1. Observe through an HTTP interception proxy or in-application tools that there is a mobile security misconfiguration -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/network_security_misconfiguration/telnet_enabled/template.md b/submissions/description/network_security_misconfiguration/telnet_enabled/template.md index 825a002a..18ccfc0d 100644 --- a/submissions/description/network_security_misconfiguration/telnet_enabled/template.md +++ b/submissions/description/network_security_misconfiguration/telnet_enabled/template.md 
@@ -1,15 +1,15 @@ When telnet is enabled, all data sent over the connection is unsecured as telnet transmits all data via plain text. An attacker could perform a Person-in-the-Middle (PitM) attack and access sensitive data being transmitted via the telnet connection. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Issue the following command line in the terminal window: `telnet {{application}}` 1. Observe that a telnet connection is successfully established between the client computer and the application -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating that a successful telnet connection can be made: diff --git a/submissions/description/network_security_misconfiguration/template.md b/submissions/description/network_security_misconfiguration/template.md index 9d0be3f3..94770abd 100644 --- a/submissions/description/network_security_misconfiguration/template.md +++ b/submissions/description/network_security_misconfiguration/template.md 
@@ -1,15 +1,15 @@ Network security misconfigurations can occur in network devices, services, or infrastructure and expose the organization to security risks. This vulnerability was identified due to default settings, inadequate access controls, or improper firewall rules. Due to this, an attacker can perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Issue the following command line in the terminal window: {{command}} 1. Observe that the network security is bypassed and a connection is successfully established between the client computer and the application -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/physical_security_issues/bypass_of_physical_access_control/template.md b/submissions/description/physical_security_issues/bypass_of_physical_access_control/template.md index 69d879aa..c504aec1 100644 --- a/submissions/description/physical_security_issues/bypass_of_physical_access_control/template.md +++ b/submissions/description/physical_security_issues/bypass_of_physical_access_control/template.md 
@@ -1,17 +1,17 @@ The physical access control mechanisms implemented to secure the device are vulnerable to a bypass attack. This flaw allows unauthorized attacker to circumvent the designed physical security measures implemented, gaining access to the device's internal hardware and components that are intended to be restricted. -#### Business Impact +**Business Impact** The ability to bypass physical access controls undermines the overall security of the device, exposing it to risks of tampering, data extraction, or the insertion of malicious components. Such breaches can lead to compromised device integrity, unauthorized access to sensitive information, and potential operational failures. The resulting damage can extend to financial losses, erosion of customer trust, and reputational harm, especially if the compromise leads to broader security incidents. -#### Steps to Reproduce +**Steps to Reproduce** 1. Walk up to the front of the {{hardware}}, and notice the lock currently in place to prevent access to the machine. -2. Walk to the opposite side, and you'll notice a vent grill attached with phillips head screws. -3. Using a philips #1 screwdriver, unscrew the vent grill and pull it off the device. +2. Walk to the opposite side, and you'll notice a vent grill attached with Philips head screws. +3. Using a Philips #1 screwdriver, unscrew the vent grill and pull it off the device. 4. You now have bypassed the access control and gained access to the device's internal components. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/physical_security_issues/weakness_in_physical_access_control/cloneable_key/template.md b/submissions/description/physical_security_issues/weakness_in_physical_access_control/cloneable_key/template.md index a1066baa..74b545b9 100644 
--- a/submissions/description/physical_security_issues/weakness_in_physical_access_control/cloneable_key/template.md +++ b/submissions/description/physical_security_issues/weakness_in_physical_access_control/cloneable_key/template.md @@ -1,10 +1,10 @@ The physical access control system securing the device relies on a physical key that is susceptible to cloning. This design flaw allows attackers, with brief access to the key, to create an unauthorized copy. Access to the key could be obtained through various means, including insider threats or by employing teleduplication techniques, where a photograph of the key is used to replicate it. Consequently, An attacker can gain unauthorised access by using a cloned key, circumventing intended security measures. -#### Business Impact +**Business Impact** The possibility of key cloning poses a considerable security threat, undermining the physical security of the device and the safeguarding of the data and systems it contains. Unauthorized access achieved through a cloned key can lead to significant adverse outcomes, such as data breaches, unauthorized changes to the device, and the theft of sensitive or proprietary information. The repercussions of such incidents include financial losses, reputational damage to the organization, and diminished confidence from customers and business partners. -#### Steps to Reproduce +**Steps to Reproduce** 1. Obtain access to the physical key for a short period of time (2 minutes). 2. Using a clay mold, dust the key with Talcum powder, and take an impression of the key briefly, and remove the key. 
@@ -18,7 +18,7 @@ or 3. With the image, look at the bow and you'll notice it says SC1, using the SC1 Depth and Space measurements which are public, we can identify the bitting as: {{bittingcode}} 4. Using a Key cutting machine or Impressioning file and Calipers, cut the key to the correct depth and space, and test to verify the key does work inside of the lock. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/physical_security_issues/weakness_in_physical_access_control/commonly_keyed_system/template.md b/submissions/description/physical_security_issues/weakness_in_physical_access_control/commonly_keyed_system/template.md index a85c5e94..646910ba 100644 --- a/submissions/description/physical_security_issues/weakness_in_physical_access_control/commonly_keyed_system/template.md +++ b/submissions/description/physical_security_issues/weakness_in_physical_access_control/commonly_keyed_system/template.md 
@@ -1,16 +1,16 @@ The physical access control deployed to secure the device was found to use a lock keyed alike to commonly used keys. This scenario typically arises when locks are mass-manufactured with the same key configuration by vendors, intended for low-risk applications, or when a specific key standard is adopted with an expectation of limited use. When these lock systems are employed in contexts requiring higher security, like the device in question, the security efficacy is substantially reduced. The widespread availability or public knowledge of these keys means unauthorized individuals could easily obtain a key to gain access. -#### Business Impact +**Business Impact** Utilizing a commonly keyed system for securing devices intended to be secure significantly undermines the device's physical security. It opens avenues for unauthorized access, potentially leading to theft, data breaches, and compromise of the device's integrity. The perceived ease of bypassing such a security measure can damage an organization's reputation, lead to financial losses, and erode customer trust, especially if sensitive information or valuable assets are compromised. -#### Steps to Reproduce +**Steps to Reproduce** 1. Looking at the lock, we can identify markings showing {{markings}} which indicate the lock in use is a {{locksystem}} 2. This lock matches to the key {{key}} which is commonly keyed to other systems. 3. Attempt to unlock the device using the key. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/commonly_keyed_system/template.md b/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/commonly_keyed_system/template.md index a85c5e94..646910ba 100644 
--- a/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/commonly_keyed_system/template.md +++ b/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/commonly_keyed_system/template.md @@ -1,16 +1,16 @@ The physical access control deployed to secure the device was found to use a lock keyed alike to commonly used keys. This scenario typically arises when locks are mass-manufactured with the same key configuration by vendors, intended for low-risk applications, or when a specific key standard is adopted with an expectation of limited use. When these lock systems are employed in contexts requiring higher security, like the device in question, the security efficacy is substantially reduced. The widespread availability or public knowledge of these keys means unauthorized individuals could easily obtain a key to gain access. -#### Business Impact +**Business Impact** Utilizing a commonly keyed system for securing devices intended to be secure significantly undermines the device's physical security. It opens avenues for unauthorized access, potentially leading to theft, data breaches, and compromise of the device's integrity. The perceived ease of bypassing such a security measure can damage an organization's reputation, lead to financial losses, and erode customer trust, especially if sensitive information or valuable assets are compromised. -#### Steps to Reproduce +**Steps to Reproduce** 1. Looking at the lock, we can identify markings showing {{markings}} which indicate the lock in use is a {{locksystem}} 2. This lock matches to the key {{key}} which is commonly keyed to other systems. 3. Attempt to unlock the device using the key. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: 
diff --git a/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/template.md b/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/template.md index 3a63c007..ca73d96d 100644 --- a/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/template.md +++ b/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/template.md @@ -1,10 +1,10 @@ The physical access control system designed to secure the device utilizes a master keyed system. In such systems, locks can be opened by multiple keys, each cut differently, but all locks within the system can also be opened by a single master key. This configuration presents a significant security vulnerability. An attacker with access to a mastered lock, or who comes into possession of a key from the system, could derive the master key. With the master key, the attacker would have the capability to open all locks within the system, severely compromising security. -#### Business Impact +**Business Impact** The potential for an attacker to derive the master key and gain unrestricted access to all areas secured by the system poses a considerable threat. It could lead to unauthorized access to sensitive areas, data breaches, theft of physical and intellectual property, and other security incidents. Such breaches can have far-reaching consequences, including financial losses, damage to the organization’s reputation, and loss of customer trust. The use of a master keyed system thereby introduces a critical point of failure in the physical security infrastructure. -#### Steps to Reproduce +**Steps to Reproduce** 1. Obtain access to a lock from the master keyed system. 2. Apply a metal shim to the back of the lock cylinder where the key pins are binding. 
@@ -22,7 +22,7 @@ or 4. Using a tool, such as KeySpace, enter the details for the key system, and cut test keys to suit. 5. After testing each key, the key with the bitting {{bitting}} is our master key for this system. -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/physical_security_issues/weakness_in_physical_access_control/template.md b/submissions/description/physical_security_issues/weakness_in_physical_access_control/template.md index a16dfb68..11a80f23 100644 --- a/submissions/description/physical_security_issues/weakness_in_physical_access_control/template.md +++ b/submissions/description/physical_security_issues/weakness_in_physical_access_control/template.md @@ -1,15 +1,15 @@ A weakness has been identified in the physical access controls deployed to secure physical access to facilities, premises, or sensitive areas within an organization. This scenario typically arises from insufficient security measures, such as weak locks, ineffective surveillance, or lack of employee awareness. This vulnerability can result in unauthorized individuals could easily obtain a key to gain access. -#### Business Impact +**Business Impact** The perceived ease of bypassing such a security measure can damage an organization's reputation, lead to financial losses, and erode customer trust, especially if sensitive information or valuable assets are compromised. -#### Steps to Reproduce +**Steps to Reproduce** 1. Looking at the facility, it is possible to identify indications of physical access: {{indicators}} 1. Perform {{action}} to bypass {{security measure}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/privacy_concerns/template.md b/submissions/description/privacy_concerns/template.md index 6260ab94..1b57723d 100644 
--- a/submissions/description/privacy_concerns/template.md +++ b/submissions/description/privacy_concerns/template.md @@ -1,16 +1,16 @@ Privacy concerns arise when an application collects user or user device data that is not necessary for the functionality of the application. Unnecessary can range from personally identifiable user information to user device information that is not needed for use of the application. If an attacker were to gain access to this collected information they could perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Observe in the HTTP interception proxy that unnecessary data is being collected -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating that unnecessary data collection: diff --git a/submissions/description/privacy_concerns/unnecessary_data_collection/template.md b/submissions/description/privacy_concerns/unnecessary_data_collection/template.md index 08a1aa64..74aef083 100644 --- a/submissions/description/privacy_concerns/unnecessary_data_collection/template.md +++ b/submissions/description/privacy_concerns/unnecessary_data_collection/template.md 
@@ -1,16 +1,16 @@ Unnecessary data collection is where an application collects user or user device data that is not necessary for the functionality of the application. If an attacker were to gain access to this collected information they could perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Observe in the HTTP interception proxy that unnecessary data is being collected -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating that unnecessary data collection: diff --git a/submissions/description/privacy_concerns/unnecessary_data_collection/wifi_ssid_password/template.md b/submissions/description/privacy_concerns/unnecessary_data_collection/wifi_ssid_password/template.md index 487d1a00..b41443c9 100644 --- a/submissions/description/privacy_concerns/unnecessary_data_collection/wifi_ssid_password/template.md +++ b/submissions/description/privacy_concerns/unnecessary_data_collection/wifi_ssid_password/template.md 
@@ -1,16 +1,16 @@ Unnecessary data collection is where an application collects user or user device data that is not necessary for the functionality of the application. The WIFI SSID and password is not used by the application and therefore its collection is unnecessary. If an attacker were to gain access to this collected information they could perform further attacks on the application, the business, or its users. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Observe in the HTTP interception proxy that the WIFI SSID and password is being collected -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating that unnecessary data collection: diff --git a/submissions/description/sensitive_data_exposure/critically_sensitive_data/password_disclosure/template.md b/submissions/description/sensitive_data_exposure/critically_sensitive_data/password_disclosure/template.md index 42eddacf..9d3bc742 100644 --- a/submissions/description/sensitive_data_exposure/critically_sensitive_data/password_disclosure/template.md +++ b/submissions/description/sensitive_data_exposure/critically_sensitive_data/password_disclosure/template.md 
@@ -1,10 +1,10 @@ Disclosure of critically sensitive data occurs when the data is not properly secured, allowing critically sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses the password of a user’s account which an attacker could use to take over the account and access, delete, or modify data from within the application. -#### Business Impact +**Business Impact** Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +17,7 @@ Disclosure of secrets can lead to indirect financial loss through an attacker ac 1. Verify that the password is valid and allows authenticated actions to be performed in the user’s account -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the password disclosed: diff --git a/submissions/description/sensitive_data_exposure/critically_sensitive_data/private_api_keys/template.md b/submissions/description/sensitive_data_exposure/critically_sensitive_data/private_api_keys/template.md index 3ab8d1aa..42a09029 100644 --- a/submissions/description/sensitive_data_exposure/critically_sensitive_data/private_api_keys/template.md +++ b/submissions/description/sensitive_data_exposure/critically_sensitive_data/private_api_keys/template.md 
@@ -1,12 +1,12 @@ Disclosure of critically sensitive data occurs when the data is not properly secured, allowing critically sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses private API keys which an attacker could use to abuse the API access and retrieve, delete, or modify data using the API functionality. -#### Business Impact +**Business Impact** Critically sensitive data exposure can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. If the API is pay-per-use, this could lead to a direct financial cost to the business if an attacker were to repeatedly request resources from the API. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application and the API. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -19,7 +19,7 @@ This could also result in reputational damage for the business through the impac 1. Verify that the API key is valid and allows access to sensitive data -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the API key disclosed: diff --git a/submissions/description/sensitive_data_exposure/critically_sensitive_data/template.md b/submissions/description/sensitive_data_exposure/critically_sensitive_data/template.md index 330a3ef5..6749f70b 100644 --- a/submissions/description/sensitive_data_exposure/critically_sensitive_data/template.md +++ b/submissions/description/sensitive_data_exposure/critically_sensitive_data/template.md 
@@ -1,12 +1,12 @@ Disclosure of critically sensitive data occurs when the data is not properly secured, allowing critically sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This data exposure can be described as critically sensitive as its exposure would likely cause a high priority incident. -#### Business Impact +**Business Impact** Critically sensitive data exposure can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. If a private API key is accessed and is pay-per-use, this could lead to a direct financial cost to the business if an attacker were to repeatedly request resources from the API. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application and the API. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -19,7 +19,7 @@ This could also result in reputational damage for the business through the impac 1. Verify that the critical sensitive data is valid and allows access to other data or functionality -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the password disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_known_public_information/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_known_public_information/template.md index 7506452c..3ef2220b 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_known_public_information/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_known_public_information/template.md 
@@ -2,16 +2,16 @@ Sensitive data can be exposed when it is not behind an authorization barrier. Wh Known public information is disclosed by this application which can be used by an attacker to build a profile of the business, the application, and its users for further attacks. -#### Business Impact +**Business Impact** Disclosure of known public information can result in reputational damage for the business through an attacker’s ability to impact customers' trust through further attack methods, such as social engineering. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}} 1. Observe that publicly known information is being disclosed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the publicly known information disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/data_traffic_spam/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/data_traffic_spam/template.md index aad67321..dead9aa4 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/data_traffic_spam/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/data_traffic_spam/template.md 
@@ -1,10 +1,10 @@ Disclosure of secrets occurs when the data is not properly secured, allowing sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses data within data traffic spam which can enable an attacker to use secrets for privilege escalation within the application, or to send API requests on behalf of the user. -#### Business Impact +**Business Impact** Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -16,7 +16,7 @@ Disclosure of secrets can lead to indirect financial loss through an attacker ac 1. Observe the disclosure of sensitive data in the HTTP interception proxy -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_internal_asset/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_internal_asset/template.md index 9f37a0e7..c2a351b4 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_internal_asset/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_internal_asset/template.md 
@@ -2,11 +2,11 @@ Disclosure of secrets for internal assets occurs when sensitive data for the int Disclosure of secrets for this internal asset could be leveraged by an attacker to access the internal application or the environment where the application is hosted. -#### Business Impact +**Business Impact** Disclosure of secrets for internal assets can lead to indirect financial loss due to an attacker accessing, deleting, or modifying data from within the application. This could happen through an insider threat, existing data breaches, or a malicious internal attacker escalating their privileges. Reputational damage for the business can also occur via the impact to customers’ trust that these events create. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Setup a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{url}}/data/ @@ -15,7 +15,7 @@ Disclosure of secrets for internal assets can lead to indirect financial loss du {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show the full exploit: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_publicly_accessible_asset/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_publicly_accessible_asset/template.md index c7c9afd6..82fed3f7 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_publicly_accessible_asset/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_publicly_accessible_asset/template.md 
@@ -1,10 +1,10 @@ Disclosure of secrets for a publicly available asset occurs when sensitive data is not behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, secrets committed to GitHub within public repositories, or exposed external assets. Disclosure of secrets for publicly available assets could be leveraged by an attacker to gain privileged access to the application or the environment where the application is hosted. From here, an attacker could execute functions under the guise of an Administrator user, depending on the permissions level they are able to access. -#### Business Impact +**Business Impact** Disclosure of secrets for a publicly available asset can lead to indirect financial loss due to an attacker accessing, deleting, or modifying data from within the application. Reputational damage for the business can also occur via the impact to customers’ trust that these events create. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}}/data/ 1. Observe that secrets are being disclosed @@ -15,7 +15,7 @@ Disclosure of secrets for a publicly available asset can lead to indirect financ {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The exposed secrets for this publicly accessible asset can be seen in the screenshot below: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/intentionally_public_sample_or_invalid/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/intentionally_public_sample_or_invalid/template.md index 5b1f8a46..07187b26 100644 
--- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/intentionally_public_sample_or_invalid/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/intentionally_public_sample_or_invalid/template.md @@ -1,17 +1,17 @@ Disclosure of critically sensitive data occurs when the data is not properly secured, allowing critically sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses an invalid, or intentionally public sample, of secrets that are used for the application. While seemingly harmless, an attacker can use these examples to build wordlists, which can be used to bruteforce requests to the application until a valid secret is processed successfully. -#### Business Impact +**Business Impact** Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application via the access gained using the non-corporate user account. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Observe the following invalid/Intentionally public secret was revealed: {{value}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/non_corporate_user/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/non_corporate_user/template.md index 512ccde2..5f6e796a 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/non_corporate_user/template.md 
+++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/non_corporate_user/template.md @@ -1,17 +1,17 @@ Disclosure of secrets occurs when the data is not properly secured. When secrets are exposed it can place the application at further risk of compromise. This application discloses secrets for a non-corporate user which can be leveraged by an attacker to access the application and make requests on the legitimate user’s behalf. -#### Business Impact +**Business Impact** Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application via the access gained using the non-corporate user account. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Observe the following secret for a non-corporate user was revealed: {{value}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pay_per_use_abuse/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pay_per_use_abuse/template.md index 41089314..5b019944 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pay_per_use_abuse/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pay_per_use_abuse/template.md 
@@ -1,10 +1,10 @@ Disclosure of secrets occurs when the data is not properly secured, allowing sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses sensitive data that could be used by an attacker to make repeated API requests on a user’s behalf without their knowledge. Additionally, if an attacker is able to chain this vulnerability with another, they could use their access to the API to escalate privileges on the application and its hosted environment. -#### Business Impact +**Business Impact** Disclosure of secrets can lead to direct financial loss through an attacker making repeated requests to the API which are generally pay-per-use. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +20,7 @@ Disclosure of secrets can lead to direct financial loss through an attacker maki 1. Observe the HTTP 200 OK success status response code -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pii_leakage_exposure/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pii_leakage_exposure/template.md index a9e0e093..8bfea50c 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pii_leakage_exposure/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pii_leakage_exposure/template.md 
@@ -2,16 +2,16 @@ Personally Identifiable Information (PII) exposure can occur when sensitive data Sensitive data relating to the business was exposed. This data could be exfiltrated and used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors. -#### Business Impact +**Business Impact** Leakage or exposure of PII can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}}/data/ 1. Observe that secrets are being disclosed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the PII disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/template.md index a083154c..3a37219f 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/template.md 
@@ -2,16 +2,16 @@ Disclosure of secrets occurs when sensitive data is not behind an authorization Examples of secret data include, but are not limited to, vendor details, client information, Personally Identifiable Information (PII), Social Security Numbers, medical data, banking information, and credentials or authentication keys. Disclosure of secrets could be used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors. -#### Business Impact +**Business Impact** Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}}/data/ 1. Observe that secrets are being disclosed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/automatic_user_enumeration/template.md b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/automatic_user_enumeration/template.md index ca43e65b..b51ec8ec 100644 --- a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/automatic_user_enumeration/template.md +++ b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/automatic_user_enumeration/template.md 
@@ -1,10 +1,10 @@ Exchangeable Image File Format (EXIF) data is a standard used to specify the format of metadata in photographs. Most EXIF data contains the make, model and type of camera used, the lens settings, as well as the geolocation data. This application does not remove the EXIF data when a user uploads photographs, which could be used by an attacker to find and collect the geolocation data of users. Additionally, software can be used to automatically extract the EXIF geolocation data from multiple uploaded images, which can be used to automatically enumerate users. -#### Business Impact +**Business Impact** When an application fails to remove the EXIF data from uploaded images, it breaks the user’s trust in the application and can result in reputational damage to the business. This impact is amplified by the speed of which an attacker is able to enumerate geolocation data of users on the platform. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}} 1. Download the user uploaded image @@ -12,7 +12,7 @@ When an application fails to remove the EXIF data from uploaded images, it break {{Software}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the EXIF Geolocation Data: diff --git a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/manual_user_enumeration/template.md b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/manual_user_enumeration/template.md index 2a4bdd71..3d8b55c9 100644 --- a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/manual_user_enumeration/template.md +++ b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/manual_user_enumeration/template.md 
@@ -1,16 +1,16 @@ Exchangeable Image File Format (EXIF) data is a standard used to specify the format of metadata in photographs. Most EXIF data contains the make, model and type of camera used, the lens settings, as well as the geolocation data. This application does not remove the EXIF data when a user uploads photographs, which could be used by an attacker to find and collect the geolocation data of users. Additionally, software can be used to automatically extract the EXIF geolocation data from multiple uploaded images, which can be used to manually enumerate users. -#### Business Impact +**Business Impact** When an application fails to remove the EXIF data from uploaded images, it breaks the user’s trust in the application and can result in reputational damage to the business. This impact is amplified as an attacker is able to manually enumerate geolocation data of users on the platform. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}} 1. Download the user uploaded image 1. Extract the EXIF geolocation data for multiple users -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the EXIF Geolocation Data: diff --git a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/template.md b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/template.md index 22cf93a4..0696107a 100644 --- a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/template.md +++ b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/template.md 
@@ -1,16 +1,16 @@ Exchangeable Image File Format (EXIF) data is a standard used to specify the format of metadata in photographs. Most EXIF data contains the make, model and type of camera used, the lens settings, as well as the geolocation data. This application does not remove the EXIF data when a user uploads photographs, which could be used by an attacker to find and collect the geolocation data of users. -#### Business Impact +**Business Impact** When an application fails to remove the EXIF data from uploaded images, it breaks the user’s trust in the application and can result in reputational damage to the business. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}} 1. Download the user uploaded image 1. Extract the EXIF geolocation data -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the EXIF Geolocation Data: diff --git a/submissions/description/sensitive_data_exposure/internal_ip_disclosure/template.md b/submissions/description/sensitive_data_exposure/internal_ip_disclosure/template.md index 6a3327e3..d0a46292 100644 --- a/submissions/description/sensitive_data_exposure/internal_ip_disclosure/template.md +++ b/submissions/description/sensitive_data_exposure/internal_ip_disclosure/template.md 
@@ -1,16 +1,16 @@ Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application discloses an internal IP address which an attacker could use to gather information, and carry out network-layer attacks, on the underlying system. -#### Business Impact +**Business Impact** When an application fails to mask internal IP addresses it leaves the internal network more susceptible to future network based attacks. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. In the HTTP interception proxy, observe the disclosed internal IP address -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the disclosed internal IP address: diff --git a/submissions/description/sensitive_data_exposure/json_hijacking/template.md b/submissions/description/sensitive_data_exposure/json_hijacking/template.md index 87b9df09..8b6932c8 100644 --- a/submissions/description/sensitive_data_exposure/json_hijacking/template.md +++ b/submissions/description/sensitive_data_exposure/json_hijacking/template.md 
@@ -2,11 +2,11 @@ Sensitive data can be exposed when it is not behind an authorization barrier. Wh This application is susceptible to JSON hijacking which enables an attacker to retrieve sensitive data by tricking a user to click on a crafted link. Once a user clicks on the link, data from the user’s account is read and passed to the attacker. This allows an attacker to collect Personally Identifiable Information (PII) and sensitive metadata to escalate privileges or launch phishing campaigns on targeted users. -#### Business Impact +**Business Impact** Sensitive data disclosure through JSON hijacking can result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Host the following payload on the attacker server: @@ -21,7 +21,7 @@ Sensitive data disclosure through JSON hijacking can result in reputational dama {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive data disclosed: diff --git a/submissions/description/sensitive_data_exposure/mixed_content/template.md b/submissions/description/sensitive_data_exposure/mixed_content/template.md index 2f096e05..b603ad57 100644 --- a/submissions/description/sensitive_data_exposure/mixed_content/template.md +++ b/submissions/description/sensitive_data_exposure/mixed_content/template.md 
@@ -1,17 +1,17 @@ Mixed content is when a page is loaded over a HTTPS connection but the application pulls content using a mix of HTTP and HTTPS, leaving the page susceptible to sniffing and Person-in-The-Middle (PiTM) attacks. This application discloses sensitive data via mixed content, enabling an attacker to collect sensitive metadata to escalate privileges or launch phishing campaigns on targeted users. -#### Business Impact +**Business Impact** This vulnerability can lead to data theft through the attacker’s ability to manipulate data through their access to the application through a PiTM connection. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login as a user and navigate to: {{URL}} 1. Use Developer Tools, Network tab to see that sensitive content is being served over HTTP: {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive data served over HTTP: diff --git a/submissions/description/sensitive_data_exposure/non_sensitive_token_in_url/template.md b/submissions/description/sensitive_data_exposure/non_sensitive_token_in_url/template.md index 92c0f20d..52a06885 100644 --- a/submissions/description/sensitive_data_exposure/non_sensitive_token_in_url/template.md +++ b/submissions/description/sensitive_data_exposure/non_sensitive_token_in_url/template.md 
@@ -1,15 +1,15 @@ Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application discloses a non-sensitive token in the URL which an attacker can use to build word lists for brute-forcing valid tokens across the application environment. -#### Business Impact +**Business Impact** When an application discloses a non-sensitive token in the URL it leaves the application more susceptible to future attacks. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe the exposed token in the URL -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the non-sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/password_reset_token/template.md b/submissions/description/sensitive_data_exposure/password_reset_token/template.md index 3500997d..3d22eb9f 100644 --- a/submissions/description/sensitive_data_exposure/password_reset_token/template.md +++ b/submissions/description/sensitive_data_exposure/password_reset_token/template.md 
@@ -1,10 +1,10 @@ The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user password reset tokens over an untrusted third-party link. This token can be intercepted by a local attacker performing a Person-in-The-Middle (PiTM) attack, or by an attacker exploiting third-party vendors. With access to the exposed password reset token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -#### Business Impact +**Business Impact** Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can capture the password reset token and use it to escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} @@ -12,7 +12,7 @@ Token Leakage via `Referer` header can lead to indirect financial loss through a 1. Capture the request using the HTTP interception proxy 1. Observe the password token in the `Referer` header -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/file_paths/template.md b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/file_paths/template.md index 6aa93a95..b2da6df2 100644 
--- a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/file_paths/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/file_paths/template.md @@ -1,10 +1,10 @@ Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application has hardcoded file paths which can be used by an attacker to request files from the underlying system via directory traversal and can lead to exposure of data such as file naming conventions, system admin users, and permissions on the system. -#### Business Impact +**Business Impact** This vulnerability can lead to sensitive data through the attacker’s ability to manipulate the application through their access to the hardcoded file paths. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -13,7 +13,7 @@ This vulnerability can lead to sensitive data through the attacker’s ability t {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the hardcoded file path: diff --git a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/oauth_secret/template.md b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/oauth_secret/template.md index 1b5e2d09..7898e7be 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/oauth_secret/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/oauth_secret/template.md 
@@ -1,10 +1,10 @@ Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application has hardcoded OAuth secrets which can be used by an attacker to escalate privileges within the application via OAuth workflows. -#### Business Impact +**Business Impact** This vulnerability can lead to sensitive data through the attacker’s ability to manipulate the application through their access to the hardcoded file paths. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -13,7 +13,7 @@ This vulnerability can lead to sensitive data through the attacker’s ability t {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the hardcoded OAuth secret: diff --git a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/template.md b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/template.md index 65522950..2b7a4b38 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/template.md 
@@ -1,10 +1,10 @@ Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application has sensitive data that is hardcoded, such as API keys, credentials, or Personally Identifiable Information (PII). This hardcoded sensitive data can be used by an attacker to gain access to the application and escalate their privileges, which can lead to user account compromise and data exfiltration. -#### Business Impact +**Business Impact** This vulnerability can lead to data exfiltration through the attacker’s ability to manipulate the application through their access to the hardcoded sensitive data. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -13,7 +13,7 @@ This vulnerability can lead to data exfiltration through the attacker’s abilit {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the hardcoded sensitive data: diff --git a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/in_the_background/template.md b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/in_the_background/template.md index f48e3254..93ae98d8 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/in_the_background/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/in_the_background/template.md 
@@ -1,15 +1,15 @@ Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. The application discloses a sensitive token in the URL in background requests which are not seen in the main user interface. If captured by an attacker, these sensitive tokens can be used to escalate privileges or authorize API calls within the application. -#### Business Impact +**Business Impact** Disclosure of a sensitive token in the URL in the background could lead to data manipulation through the attacker’s ability to manipulate the application through their access to the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe the exposed token in the URL of a background request -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive token: diff --git a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/on_password_reset/template.md b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/on_password_reset/template.md index 2382fb56..1d356e0e 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/on_password_reset/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/on_password_reset/template.md 
@@ -1,16 +1,16 @@ Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. The application discloses a sensitive token in the URL upon the password reset function which, if captured by an attacker, can be used to reset a legitimate user’s account password to one they control, successfully taking over the user’s account. -#### Business Impact +**Business Impact** This vulnerability can lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Navigate to the password reset function 1. Observe the exposed token in the URL -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/template.md b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/template.md index d69fc6ea..b56261fd 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/template.md 
@@ -1,15 +1,15 @@ Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. The application discloses a sensitive token in the URL, which, if captured by an attacker, can be used to gain access to the users account through this token, breaching the Confidentiality and Integrity of that account. -#### Business Impact +**Business Impact** A sensitive token in the URL could lead to data manipulation through the attacker’s ability to manipulate the application through their access to the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe the exposed token in the URL -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/user_facing/template.md b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/user_facing/template.md index 37119547..464df7b8 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/user_facing/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/user_facing/template.md 
@@ -1,15 +1,15 @@ Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. The application discloses a sensitive token in the URL that is user facing which can be captured by an attacker. This allows the attacker to gain access to a legitimate user’s account, breaching the Confidentiality and Integrity of their account. -#### Business Impact +**Business Impact** This vulnerability can lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Login as a user and navigate to: {{URL}} 1. Observe the exposed token in the URL -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/template.md b/submissions/description/sensitive_data_exposure/template.md index daac3d63..af7523e8 100644 --- a/submissions/description/sensitive_data_exposure/template.md +++ b/submissions/description/sensitive_data_exposure/template.md 
@@ -2,16 +2,16 @@ Sensitive data exposure can occur when sensitive data is not encrypted, or behin Sensitive data relating to the business was exposed. This data could be exfiltrated and used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors. -#### Business Impact +**Business Impact** Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}}/data/ 1. Observe that secrets are being disclosed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/over_http/template.md b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/over_http/template.md index d457879a..e8855061 100644 --- a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/over_http/template.md +++ b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/over_http/template.md 
@@ -1,17 +1,17 @@ The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user tokens that are transmitted over an unencrypted HTTP connection. This connection can be intercepted by a local attacker performing a Person-in-The-Middle (PiTM) attack, or by an attacker exploiting third-party vendors. With access to the exposed token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -#### Business Impact +**Business Impact** Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} 1. Capture the request using the HTTP interception proxy 1. Observe the token in `Referer` header and that the connection is over HTTP -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the token exposed within the `Referer` HTTP request header over a HTTP connection: diff --git a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/template.md b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/template.md index 02836cb5..0c0c1f01 100644 --- a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/template.md 
+++ b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/template.md @@ -1,17 +1,17 @@ The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user tokens which can be intercepted by an attacker performing a Person-in-The-Middle (PiTM) attack, or by exploiting third-party vendors. With access to the exposed token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -#### Business Impact +**Business Impact** Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} 1. Capture the request using the HTTP interception proxy 1. Observe the token in `Referer` header -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the token exposed within the `Referer` HTTP request header: diff --git a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/trusted_third_party/template.md b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/trusted_third_party/template.md index 8f3cffcf..9fa0a4f3 100644 --- a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/trusted_third_party/template.md 
+++ b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/trusted_third_party/template.md @@ -1,10 +1,10 @@ The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user tokens to a trusted third-party. This token can be intercepted by a local attacker performing a Person-in-The-Middle (PiTM) attack, or by an attacker exploiting third-party vendors. With access to the exposed token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -#### Business Impact +**Business Impact** Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} @@ -12,7 +12,7 @@ Token Leakage via `Referer` header can lead to indirect financial loss through a 1. Capture the request using the HTTP interception proxy 1. Observe the token is in `Referer` header and that the connection is over HTTP -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the token exposed within the `Referer` HTTP request header over a HTTP connection: 
diff --git a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/untrusted_third_party/template.md b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/untrusted_third_party/template.md index 7fe2988d..3fa5fd56 100644 --- a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/untrusted_third_party/template.md +++ b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/untrusted_third_party/template.md @@ -1,10 +1,10 @@ The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user tokens over an untrusted third-party link. This token can be intercepted by a local attacker performing a Person-in-The-Middle (PiTM) attack, or by an attacker exploiting third-party vendors. With access to the exposed token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -#### Business Impact +**Business Impact** Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} 
@@ -12,7 +12,7 @@ Token Leakage via `Referer` header can lead to indirect financial loss through a 1. Capture the request using the HTTP interception proxy 1. Observe the token in `Referer` header and that theconnection is over HTTP -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the token exposed within the `Referer` HTTP request header over a HTTP connection: diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md index 62e482b9..d8b4aad6 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md @@ -1,10 +1,10 @@ Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses a non-sensitive token in the local storage which is accessible by JavaScript. As a result, the token can be captured by an attacker using Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF), allowing them to gather relevant user data and leverage this information to build phishing campaigns. -#### Business Impact +**Business Impact** This vulnerability can lead to data theft through the attacker’s ability to access and manipulate sensitive data through their access to the application's local session. These malicious actions can result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 
@@ -16,7 +16,7 @@ This vulnerability can lead to data theft through the attacker’s ability to ac 1. Observe the exposed sensitive token -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the non-sensitive token exposed via the local storage: diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md index a285afe3..b5b3579c 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md @@ -1,10 +1,10 @@ Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses a sensitive token in the local storage which is accessible by JavaScript. As a result, the sensitive token can be captured by an attacker using Cross-Site Scripting (XSS), allowing them to locally reset a legitimate user’s account password to one they control, successfully taking over the user’s account. -#### Business Impact +**Business Impact** This vulnerability can lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 
@@ -16,7 +16,7 @@ This vulnerability can lead to data theft through the attacker’s ability to ma 1. Observe the exposed sensitive token -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive token exposed via the local storage: diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md index 3f096743..aaa09c0e 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md @@ -1,10 +1,10 @@ Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses sensitive data in the local storage which is accessible by JavaScript. As a result, the sensitive data can be captured by an attacker using Cross-Site Scripting (XSS), allowing them to locally access the sensitive data and use it in further attacks. -#### Business Impact +**Business Impact** This vulnerability can lead to data theft through the attacker’s ability to access and manipulate sensitive data through their access to the application's local session. These malicious actions can result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -16,7 +16,7 @@ This vulnerability can lead to data theft through the attacker’s ability to ac 1. Observe the exposed sensitive data -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive data exposed via the local storage: 
diff --git a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/descriptive_stack_trace/template.md b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/descriptive_stack_trace/template.md index 6c0a0e84..e9558ffc 100644 --- a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/descriptive_stack_trace/template.md +++ b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/descriptive_stack_trace/template.md @@ -2,16 +2,16 @@ Visible detailed error pages are a result of improper error handling which intro The descriptive stack trace leaked by this application shows versions of software and implementation data. An attacker can collect this data and combine it with other attack vectors to increase the severity and impact of malicious attacks on the application or exploit specific versions of software that have known vulnerabilities. -#### Business Impact +**Business Impact** This vulnerability can impact customers’ trust in the application which can result in reputational damage for the business and indirect financial losses. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe detailed error message showing a descriptive stack trace -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the data disclosed in the descriptive stack trace: diff --git a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/detailed_server_configuration/template.md b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/detailed_server_configuration/template.md index 19e2d8d5..32d1a190 100644 --- a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/detailed_server_configuration/template.md +++ b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/detailed_server_configuration/template.md 
@@ -2,16 +2,16 @@ Visible detailed error pages are a result of improper error handling which intro The detailed server configuration leaked by this application shows which versions of software are running, physical paths, environmental variables, and the software configuration settings. An attacker can collect this data and combine it with other attack vectors to increase the severity and impact of malicious attacks on the application or exploit specific versions of software that have known vulnerabilities. -#### Business Impact +**Business Impact** This vulnerability can impact customers’ trust in the application which can result in reputational damage for the business and indirect financial losses. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe detailed error message showing detailed server configuration -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the data disclosed in the detailed server configuration: diff --git a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/full_path_disclosure/template.md b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/full_path_disclosure/template.md index c9f2b192..97381cfb 100644 --- a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/full_path_disclosure/template.md +++ b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/full_path_disclosure/template.md 
@@ -2,16 +2,16 @@ Visible detailed error pages are a result of improper error handling which intro The full path disclosure leaked by this application displays implementation information which should not be publicly available. An attacker can collect this data and combine it with other attack vectors to increase the severity and impact of malicious attacks on the application and access the paths displayed. -#### Business Impact +**Business Impact** This vulnerability can impact customers’ trust in the application which can result in reputational damage for the business and indirect financial losses. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe detailed error message showing the full path disclosure -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the data disclosed in the full path disclosure: diff --git a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/template.md b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/template.md index 07555b9f..534d216e 100644 --- a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/template.md +++ b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/template.md 
@@ -1,15 +1,15 @@ Visible detailed error pages are a result of improper error handling which introduces a variety of security problems for a website. Detailed internal error messages, such as error codes, stack traces and database dumps, can be displayed publicly, leaking implementation information. The detailed error pages leaked by this application can be collected by an attacker and combined with other attack vectors to increase the severity and impact of malicious attacks on the application. -#### Business Impact +**Business Impact** This vulnerability can impact customers’ trust in the application which can result in reputational damage for the business and indirect financial losses. -#### Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe detailed error message -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the data disclosed in the detailed error message: diff --git a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/password_reset_token_sent_over_http/template.md b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/password_reset_token_sent_over_http/template.md index 517f5a64..dfa52eb3 100644 --- a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/password_reset_token_sent_over_http/template.md +++ b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/password_reset_token_sent_over_http/template.md 
@@ -2,11 +2,11 @@ When the password reset implementation is weak, the strength of the overall auth This application transmits the password reset token over an insecure HTTP connection, rather than HTTPS. An attacker could intercept this token and reset a user’s password, locking the user out of their account and achieving full account takeover. -#### Business Impact +**Business Impact** Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login to a valid account and navigate to: {{URL}} @@ -14,7 +14,7 @@ Weak password reset implementation could lead to data theft from the attacker’ 1. Capture the request using the HTTP interception proxy 1. Observe that the password reset token is being sent over HTTP -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below displays the password reset token being sent over HTTP: diff --git a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/template.md b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/template.md index 33c13da5..a6b6dfdb 100644 --- a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/template.md +++ b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/template.md 
@@ -1,10 +1,10 @@ When the password reset implementation is weak, the strength of the overall authentication process for the application is diminished. Tokens sent over HTTP, predictable reset tokens, and long expiry times create weak conditions for the password reset implementation. This application’s weak password reset implementation allows an attacker to abuse the password reset token and reset a user’s password, locking the user out of their account and achieving full account takeover. -#### Business Impact +**Business Impact** Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login to a valid account and navigate to: {{URL}} @@ -12,7 +12,7 @@ Weak password reset implementation could lead to data theft from the attacker’ 1. Capture the request using the HTTP interception proxy 1. Observe the weakness in the password reset implementation -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak password reset implementation: diff --git a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/token_leakage_via_host_header_poisoning/template.md b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/token_leakage_via_host_header_poisoning/template.md index 74b68a7a..769a767e 100644 --- a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/token_leakage_via_host_header_poisoning/template.md 
+++ b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/token_leakage_via_host_header_poisoning/template.md @@ -1,10 +1,10 @@ When the password reset implementation is weak, the strength of the overall authentication process for the application is diminished. `Host` header poisoning occurs when the `Host` header is manipulated in a HTTP request to point to a domain an attacker controls. From here, when the user clicks on the password reset link sent to their email, the attacker can capture the the token and reset a user’s password, locking the user out of their account and achieving full account takeover. -#### Business Impact +**Business Impact** Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -14,7 +14,7 @@ Weak password reset implementation could lead to data theft from the attacker’ 1. From the user’s email account, click the password reset link 1. Observer that an attacker can capture the password reset token -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below displays the weak password reset implementation: diff --git a/submissions/description/sensitive_data_exposure/xssi/template.md b/submissions/description/sensitive_data_exposure/xssi/template.md index d10023a6..c2afea4f 100644 --- a/submissions/description/sensitive_data_exposure/xssi/template.md +++ b/submissions/description/sensitive_data_exposure/xssi/template.md 
@@ -1,10 +1,10 @@ Cross-Site Script Inclusion (XSSI) is a client-side attack that uses JavaScript within an authenticated session to leak sensitive data. This sensitive data could be authentication related or user related sensitive data. XSSI can be found on this domain which allows an attacker to control code that is executed within a user’s authenticated session. -#### Business Impact +**Business Impact** XSSI could lead to data theft and exfiltration through the attacker’s ability to manipulate data. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +17,7 @@ XSSI could lead to data theft and exfiltration through the attacker’s ability 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/server_security_misconfiguration/bitsquatting/template.md b/submissions/description/server_security_misconfiguration/bitsquatting/template.md index ffa27368..f441a233 100644 --- a/submissions/description/server_security_misconfiguration/bitsquatting/template.md +++ b/submissions/description/server_security_misconfiguration/bitsquatting/template.md 
@@ -1,10 +1,10 @@ Bitsquatting is the act of registering domains with one bit flipped from the original domain name. This allows an attacker to hijack traffic from known domains via DNS queries from accidental key presses, as well as misconfigurations on hardware processing the queries. Bitflipping domains can allow an attacker to serve malicious content and collect data on behalf of the targeted application in the form of HTTP requests, binary data, and other sensitive data. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Register domain with one bitflipped e.g. Bugcrowd.com -> eugcrowd.com 1. {{action}} to collect data on the bitflipped domain @@ -12,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t {{screenshot}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the bitsquatting: diff --git a/submissions/description/server_security_misconfiguration/cache_poisoning/template.md b/submissions/description/server_security_misconfiguration/cache_poisoning/template.md index 5cedfa37..0a2b8318 100644 --- a/submissions/description/server_security_misconfiguration/cache_poisoning/template.md +++ b/submissions/description/server_security_misconfiguration/cache_poisoning/template.md 
@@ -2,11 +2,11 @@ A web cache allows for static and fast fetching of content in web applications. Cache poisoning allows an attacker to serve content for cached pages on CDNs and websites with cache misconfigurations. This opens the application up to attacks like Cross-Site Request Forgery (CSRF), and to leakage of sensitive information. -#### Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -#### Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to the following url: {{URL}} @@ -23,7 +23,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. {{action}} to poison the cache -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the cache poisoning: diff --git a/submissions/description/server_security_misconfiguration/captcha/brute_force/template.md b/submissions/description/server_security_misconfiguration/captcha/brute_force/template.md index ee9544fe..75b26aab 100644 --- a/submissions/description/server_security_misconfiguration/captcha/brute_force/template.md +++ b/submissions/description/server_security_misconfiguration/captcha/brute_force/template.md 
@@ -2,16 +2,16 @@ A Computer Automated Public Turing Test test to tell Computers and Humans Apart An attacker can leverage scripts and tools to bypass the CAPTCHA and make requests to critical functionality without a rate limit. Forms that are often firewalled by a CAPTCHA can also deny service for users when executing multiple read and write functions from the database. -#### Business Impact +**Business Impact** CAPTCHA misconfiguration can lead to reputational damage for the business due to a loss in confidence and trust by users. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the CAPTCHA being bruteforced: diff --git a/submissions/description/server_security_misconfiguration/captcha/implementation_vulnerability/template.md b/submissions/description/server_security_misconfiguration/captcha/implementation_vulnerability/template.md index 9f88cfba..26c86c1b 100644 --- a/submissions/description/server_security_misconfiguration/captcha/implementation_vulnerability/template.md +++ b/submissions/description/server_security_misconfiguration/captcha/implementation_vulnerability/template.md 
@@ -2,16 +2,16 @@ A Computer Automated Public Turing Test test to tell Computers and Humans Apart An attacker can leverage scripts and tools to bypass the CAPTCHA and make requests to critical functionality without a rate limit. Forms that are often firewalled by a CAPTCHA can also deny service for users when executing multiple read and write functions from the database. -#### Business Impact +**Business Impact** CAPTCHA misconfiguration can lead to reputational damage for the business due to a loss in confidence and trust by users. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the CAPTCHA being bypassed: diff --git a/submissions/description/server_security_misconfiguration/captcha/missing/template.md b/submissions/description/server_security_misconfiguration/captcha/missing/template.md index 562a4f4d..97555ee8 100644 --- a/submissions/description/server_security_misconfiguration/captcha/missing/template.md +++ b/submissions/description/server_security_misconfiguration/captcha/missing/template.md 
@@ -2,16 +2,16 @@ A Computer Automated Public Turing Test test to tell Computers and Humans Apart Due to the absence of a CAPTCHA, an attacker can leverage scripts and tools to make requests to critical functionality without a rate limit. Forms that are often firewalled by a CAPTCHA can also deny service for users when executing multiple read and write functions from the database. -#### Business Impact +**Business Impact** A missing CAPTCHA can lead to reputational damage for the business due to a loss in confidence and trust by users. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Observe that CAPTCHA is missing for the following critical functionality: {{value}} -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the missing CAPTCHA: diff --git a/submissions/description/server_security_misconfiguration/captcha/template.md b/submissions/description/server_security_misconfiguration/captcha/template.md index a1fdec78..efec5df2 100644 --- a/submissions/description/server_security_misconfiguration/captcha/template.md +++ b/submissions/description/server_security_misconfiguration/captcha/template.md 
@@ -2,16 +2,16 @@ A Computer Automated Public Turing Test test to tell Computers and Humans Apart An attacker can bypass the CAPTCHA form and spam the website with queries for registration, login, as well as spam support teams with faulty requests. -#### Business Impact +**Business Impact** CAPTCHA misconfiguration can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business through the extra workloads placed on internal teams to deal with spam from an attacker. -#### Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -#### Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the CAPTCHA bypass: diff --git a/submissions/description/server_security_misconfiguration/clickjacking/form_input/template.md b/submissions/description/server_security_misconfiguration/clickjacking/form_input/template.md index 92ee5c95..bf849e91 100644 --- a/submissions/description/server_security_misconfiguration/clickjacking/form_input/template.md +++ b/submissions/description/server_security_misconfiguration/clickjacking/form_input/template.md @@ -1,17 +1,17 @@ Clickjacking is a method of tricking a user into clicking on a link that performs an action, which is disguised as a legitimate link to something else. Usually, this is carried out by embedding a link into a transparent `
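Review bot: swapping `#### Business Impact`, `#### Steps to Reproduce` and `#### Proof of Concept (PoC)` for bold text in the first hunk (sensitive token disclosed in the URL), and identically in every other hunk of this patch, loses the heading semantics: bold runs do not appear in a rendered outline, get no anchor ids, and are skipped by heading-based navigation in screen readers, so reports generated from these templates become harder to skim and to deep-link. If the intent is to fix the heading level (for example because `####` skipped levels), change the level instead of dropping the heading. Separately, in the unchanged step `1. Login as a user and navigate to: {{URL}}`, `Login` is a noun; the imperative is `Log in as a user`.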
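Review bot: in the `sensitive_data_exposure/template.md` hunk, `The screenshots below displays the secrets disclosed:` has a subject/verb mismatch; make it `The screenshots below display`. The step `Use a browser to navigate to: {{url}}/data/` uses a lowercase `{{url}}` placeholder while every other template in this patch uses `{{URL}}`; if placeholder substitution is case-sensitive this one will never be filled in.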
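Review bot: the `over_http` and parent `token_leakage_via_referer` hunks carry `a HTTP interception proxy`, `over a HTTP connection` and `Use a browser to login`; since the patch already touches these files, change them to `an HTTP` (the article follows the spoken "aitch") and `log in`, and `Observe the token in `Referer` header` needs `the` before the header name.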
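Review bot: in the `trusted_third_party` hunk, the final step `Observe the token is in `Referer` header and that the connection is over HTTP` and the PoC sentence `over a HTTP connection` describe the `over_http` variant, not a leak to a trusted third party; a token sent in `Referer` to a third party over HTTPS is still exactly the finding this template covers, so drop the HTTP clause here or make it conditional. Also `Observe the token is in` should read `Observe that the token is in the`.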
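Review bot: in the `untrusted_third_party` hunk, `theconnection` is missing a space in `Observe the token in `Referer` header and that theconnection is over HTTP`; as with the trusted-third-party template, the over-HTTP observation belongs to the `over_http` variant and should not be a required step for a third-party leak.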
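Review bot: the `non_sensitive_token` hunk's last step reads `Observe the exposed sensitive token`, contradicting both the template name and its PoC sentence `the non-sensitive token exposed via the local storage`; make the step say `non-sensitive`. In the description, `captured by an attacker using Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF)` is not accurate: CSRF only makes the victim's browser send requests and gives the attacker no access to the page's JavaScript context, so it cannot read Web Storage; only XSS (or another same-origin script) can. The opening sentence `Local storage, also known as offline, web, or session storage` also conflates `localStorage` (persists across sessions, shared by every tab of the origin) with `sessionStorage` (per tab, cleared when the tab closes); the template should name which store held the token, because the exposure window differs.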
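Review bot: the `sensitive_token` and parent `via_localstorage_sessionstorage` hunks open with the same `Local storage, also known as offline, web, or session storage` sentence and need the same correction: `localStorage` and `sessionStorage` differ in lifetime and scope, and a report should state which one held the data. The Steps in all three storage templates begin with `Enable a HTTP interception proxy`, but Web Storage is not visible on the wire; it is inspected in the browser's developer tools (Application/Storage panel) or via script, so the steps should say where the value was actually observed (and `a HTTP` should be `an HTTP` wherever it is kept).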
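Review bot: `Observe detailed error message showing ...` in each of the four `visible_detailed_error_page` hunks drops the article; use `Observe the detailed error message showing ...`. In `descriptive_stack_trace`, `shows versions of software and implementation data` reads more cleanly as `shows software versions and implementation details`.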
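Review bot: in the `token_leakage_via_host_header_poisoning` hunk, `capture the the token` doubles `the`, and the step `Observer that an attacker can capture the password reset token` should be `Observe that`. The description also skips the step the attack depends on: the application builds the emailed reset link from the attacker-supplied `Host` header, which is why the link points at the attacker's domain; without that sentence, `From here, when the user clicks on the password reset link` does not follow from the previous one. Across all three `weak_password_reset_implementation` templates, `Use a browser to login to a valid account` should be `log in`, and `manipulated in a HTTP request` should be `an HTTP request`.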
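Review bot: in the `xssi` hunk, `Log into an account and navigate to URL which contains the payload` is missing an article (`navigate to the URL that contains the payload`), and `Enable a HTTP interception proxy` should be `an HTTP`.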
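Review bot: in the `bitsquatting` hunk, the example `Bugcrowd.com -> eugcrowd.com` is not a one-bit flip: lowercase `b` is 0x62 (0110 0010) and `e` is 0x65 (0110 0101), three bits apart. A genuine single-bit neighbour of `b` is `c` (0x63) or `f` (0x66), so either use one of those or replace the example with a `{{bitflipped_domain}}` placeholder; the step text `Register domain with one bitflipped` should also read `Register a domain with one bit flipped`. The description attributes the flips to `accidental key presses`, which is typosquatting; bitsquatting relies on bit errors in memory or hardware corrupting the domain name before it is resolved, which is what the second clause about `misconfigurations on hardware processing the queries` is getting at. Finally, the `{{screenshot}}` placeholder sits inside the Steps to Reproduce list above the PoC heading; move it under `**Proof of Concept (PoC)**` where the other templates put it.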
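Review bot: in the `cache_poisoning` hunk, `This opens the application up to attacks like Cross-Site Request Forgery (CSRF)` names the wrong consequence: the characteristic impact of a poisoned cache is that attacker-influenced content (for example a stored cross-site scripting payload or a redirect) is served to every user who receives the cached entry, while CSRF does not depend on the cache at all; consider naming the served-content impact. Also `navigate to the following url` should be `URL` for consistency with the other templates.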
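Review bot: all four `captcha` hunks expand the acronym as `Computer Automated Public Turing Test test to tell Computers and Humans Apart`, with `Test test` doubled and the wrong first word; CAPTCHA stands for `Completely Automated Public Turing test to tell Computers and Humans Apart`. The `brute_force` and `implementation_vulnerability` templates are word-for-word identical, so the implementation-vulnerability template gives the reporter nowhere to describe the actual flaw; give it its own description and a step that records the specific weakness observed. In `missing`, the first step `Navigate to the following endpoint with CAPTCHA: {{value}}` contradicts the second step `Observe that CAPTCHA is missing`; make it `endpoint lacking CAPTCHA`. `The screenshot(s) below demonstrates` mixes singular and plural in every CAPTCHA template; `demonstrate` works for both.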