diff --git a/.gitignore b/.gitignore index 94197e66..7d0551c4 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,6 @@ Gemfile.lock submissions/description/broken_access_control/privilege_escalation/.gitkeep submissions/description/sensitive_data_exposure/password_reset_token/.gitkeep +submissions/description/server_security_misconfiguration/misconfigured_dns/basic_subdomain_takeover/.gitkeep +submissions/description/server_security_misconfiguration/misconfigured_dns/high_impact_subdomain_takeover/.gitkeep +submissions/description/server_security_misconfiguration/misconfigured_dns/subdomain_takeover/.gitkeep diff --git a/.markdownlint.json b/.markdownlint.json index 47812c78..63421f08 100644 --- a/.markdownlint.json +++ b/.markdownlint.json @@ -6,6 +6,5 @@ "line_length": false, "fenced-code-language": false, "no-emphasis-as-heading": false, - "MD041": false, - "blanks-around-headings": false + "first-line-heading": false } diff --git a/README.md b/README.md index 446faabf..3484c13e 100644 --- a/README.md +++ b/README.md @@ -149,20 +149,20 @@ Incorrect: Incorrect: -> Throughout the course of the engagement, a critical severity SQL injection was discovered in the web application (www.example.com) which could be used by an attacker to exfiltrate personally identifiable information from the backend database. +> Throughout the course of the engagement, a critical severity SQL injection was discovered in the web application () which could be used by an attacker to exfiltrate personally identifiable information from the backend database. Correct: -> An SQL injection was discovered in www.example.com allowing a malicious attacker to exfiltrate personally identifiable information. +> An SQL injection was discovered in allowing a malicious attacker to exfiltrate personally identifiable information. ### Split Up Long Sentences Incorrect: -> An SQL injection was discovered in www.example.com allowing a malicious attacker to exfiltrate personally identifiable information including email addresses which would be considered a GDPR violation and poses a considerable business risk. +> An SQL injection was discovered in allowing a malicious attacker to exfiltrate personally identifiable information including email addresses which would be considered a GDPR violation and poses a considerable business risk. Correct: -> An SQL injection was discovered in www.example.com allowing a malicious attacker to exfiltrate personally identifiable information. The retrievable data includes passwords, email addresses and full names. This poses a GDPR violation and considerable business risk. +> An SQL injection was discovered in allowing a malicious attacker to exfiltrate personally identifiable information. The retrievable data includes passwords, email addresses and full names. This poses a GDPR violation and considerable business risk. ## Acronyms @@ -184,7 +184,7 @@ Incorrect: pen test, PenTest, Pen Test ## A vs. An -"An" should be used when the next word starts with a consonant _sound_. Otherwise, "A" should be used. +"An" should be used when the next word starts with a consonant *sound*. Otherwise, "A" should be used. Correct: diff --git a/methodology/notes/website_testing/information.md b/methodology/notes/website_testing/information.md index 4c070a90..9ebaedcd 100644 --- a/methodology/notes/website_testing/information.md +++ b/methodology/notes/website_testing/information.md @@ -1,16 +1,19 @@ # Information gathering and Reconnaisance ## Tools used + ## Attack Surface Summary + ## What is done well + diff --git a/spec/bugcrowd_templates_spec.rb b/spec/bugcrowd_templates_spec.rb index 8c993e08..c0d46284 100644 --- a/spec/bugcrowd_templates_spec.rb +++ b/spec/bugcrowd_templates_spec.rb @@ -70,7 +70,7 @@ let!(:file_name) { 'template' } it 'returns the bugcrowd template value as string' do - is_expected.to include('# Outdated Software Version') + is_expected.to include('Outdated Software Version') end context 'when file_name with multiple options' do @@ -78,7 +78,7 @@ let!(:file_name) { 'template' } it 'returns the bugcrowd template value as string' do - is_expected.to include('# Outdated Software Version') + is_expected.to include('Outdated Software Version') end end @@ -113,7 +113,7 @@ let!(:file_name) { 'template' } it 'returns the bugcrowd template value as string' do - is_expected.to include('# Outdated Software Version') + is_expected.to include('Outdated Software Version') end end @@ -159,7 +159,7 @@ let!(:file_name) { 'template' } it 'returns the template defined in the subcategory folder' do - is_expected.to include('# Clickjacking') + is_expected.to include('Clickjacking') end end @@ -170,7 +170,7 @@ let!(:file_name) { 'template' } it 'returns the template defined in the subcategory folder' do - is_expected.to include('# Clickjacking') + is_expected.to include('Clickjacking') end end @@ -181,7 +181,7 @@ let!(:file_name) { 'template' } it 'returns the template defined in the subcategory folder' do - is_expected.to include('# Outdated Software Version') + is_expected.to include('Outdated Software Version') end end diff --git a/submissions/description/ai_application_security/llm_security/excessive_agency_permission_manipulation/template.md b/submissions/description/ai_application_security/llm_security/excessive_agency_permission_manipulation/template.md index df4e957a..494decc5 100644 --- a/submissions/description/ai_application_security/llm_security/excessive_agency_permission_manipulation/template.md +++ b/submissions/description/ai_application_security/llm_security/excessive_agency_permission_manipulation/template.md @@ -1,14 +1,10 @@ -# Excessive Agency or Permission Manipulation - -## Overview of the Vulnerability - Excessive agency or permission manipulation occurs when an attacker is able to manipulate the Large Language Model (LLM) outputs to perform actions that may be damaging or otherwise harmful. An attacker can abuse excessive agency or permission manipulation within the LLM to gain access to, modify, or delete data, without any confirmation from a user. -## Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage if an attacker compromises the LLM decision making or accesses unauthorized data. These cirvumstances not only harm the company but also weaken users' trust. The extent of business impact depends on the sensitivity of the data transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: 1. Enter the following prompt into the LLM: @@ -19,7 +15,7 @@ This vulnerability can lead to reputational and financial damage if an attacker 1. Observe that the output from the LLM returns sensitive data -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/ai_application_security/llm_security/llm_output_handling/template.md b/submissions/description/ai_application_security/llm_security/llm_output_handling/template.md index 9157f4c5..4de370a8 100644 --- a/submissions/description/ai_application_security/llm_security/llm_output_handling/template.md +++ b/submissions/description/ai_application_security/llm_security/llm_output_handling/template.md @@ -1,14 +1,10 @@ -# Large Language Model (LLM) Output Handling - -## Overview of the Vulnerability - Insecure output handling within Large Language Models (LLMs) occurs when the output generated by the LLM is not sanitized or validated before being passed downstream to other systems. This can allow an attacker to indirectly gain access to systems, elevate their privileges, or gain arbitrary code execution by using crafted prompts. -## Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage of the company due an attacker gaining access to unauthorized data or compromising the decision-making of the LLM, which would also impact customers' trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: 1. Inject the following prompt into the LLM: @@ -19,7 +15,7 @@ This vulnerability can lead to reputational and financial damage of the company 1. Observe that the LLM returns sensitive data -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/ai_application_security/llm_security/prompt_injection/template.md b/submissions/description/ai_application_security/llm_security/prompt_injection/template.md index b41b8c17..e332840d 100644 --- a/submissions/description/ai_application_security/llm_security/prompt_injection/template.md +++ b/submissions/description/ai_application_security/llm_security/prompt_injection/template.md @@ -1,14 +1,10 @@ -# Prompt Injection - -## Overview of the Vulnerability - Prompt injection occurs when an attacker crafts a malicious prompt that manipulates a Large Language Model (LLM) into executing unintended actions. The LLM's inability to distinguish user input from its dataset influences the output it generates. This flaw allows attackers to exploit the system by injecting malicious prompts, thereby bypassing safeguards. -## Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage of the company due an attacker gaining access to unauthorized data or compromising the decision-making of the LLM, which would also impact customers' trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Inject the following prompt into the LLM: @@ -19,7 +15,7 @@ This vulnerability can lead to reputational and financial damage of the company 1. Observe that the LLM returns sensitive data -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/ai_application_security/llm_security/template.md b/submissions/description/ai_application_security/llm_security/template.md index bafc00da..ab78556f 100644 --- a/submissions/description/ai_application_security/llm_security/template.md +++ b/submissions/description/ai_application_security/llm_security/template.md @@ -1,14 +1,10 @@ -# Large Language Model (LLM) Security Misconfiguration - -## Overview of the Vulnerability - Misconfigurations can occur across Large Language Model (LLM) within the setup, deployment, or usage of the LLM, leading to security weaknesses or vulnerabilities. These misconfigurations can allow an attacker to compromise confidentiality, integrity, or availability of data and services. Misconfigurations may stem from inadequate access controls, insecure default settings, or improper configuration of fine-tuning parameters. -## Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage of the company due an attacker gaining access to unauthorized data or compromising the decision-making of the LLM, which would also impact customers' trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: 1. Inject the following prompt into the LLM: @@ -19,7 +15,7 @@ This vulnerability can lead to reputational and financial damage of the company 1. Observe that the LLM returns sensitive data -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/ai_application_security/llm_security/training_data_poisoning/template.md b/submissions/description/ai_application_security/llm_security/training_data_poisoning/template.md index 2c6ae7dc..34b740a2 100644 --- a/submissions/description/ai_application_security/llm_security/training_data_poisoning/template.md +++ b/submissions/description/ai_application_security/llm_security/training_data_poisoning/template.md @@ -1,14 +1,10 @@ -# Training Data Poisoning - -## Overview of the Vulnerability - Training data poisoning occurs when an attacker manipulates the training data to intentionally compromise the output of the Large Language Model (LLM). This can be achieved by manipulating the pre-training data, fine-tuning data process, or the embedding process. An attacker can undermine the integrity of the LLM by poisoning the training data, resulting in outputs that are unreliable, biased, or unethical. This breach of integrity significantly impacts the model's trustworthiness and accuracy, posing a serious threat to the overall effectiveness and security of the LLM. -## Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage if an attacker compromises the LLM decision making or accesses unauthorized data. These cirvumstances not only harm the company but also weaken users' trust. The extent of business impact depends on the sensitivity of the data transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: 1. Enter the following prompt into the LLM: @@ -19,7 +15,7 @@ This vulnerability can lead to reputational and financial damage if an attacker 1. Observe that the output from the LLM returns a compromised result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/ai_application_security/template.md b/submissions/description/ai_application_security/template.md index 07e20b43..2f480971 100644 --- a/submissions/description/ai_application_security/template.md +++ b/submissions/description/ai_application_security/template.md @@ -1,14 +1,10 @@ -# AI Application Security Misconfiguration - -## Overview of the Vulnerability - Misconfigurations can occur in Artificial Intelligence (AI) applications, including but not limited to machine learning models, algorithms, and inference systems. These misconfigurations can allow an attacker to compromise confidentiality, integrity, or availability of data and services. -## Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage of the company due an attacker gaining access to unauthorized data or compromising the decision-making of the LLM, which would also impact customers' trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: 1. Inject the following prompt into the LLM: @@ -19,7 +15,7 @@ This vulnerability can lead to reputational and financial damage of the company 1. Observe that the LLM returns sensitive data -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/algorithmic_biases/aggregation_bias/template.md b/submissions/description/algorithmic_biases/aggregation_bias/template.md index 42251ebd..2ec67a7b 100644 --- a/submissions/description/algorithmic_biases/aggregation_bias/template.md +++ b/submissions/description/algorithmic_biases/aggregation_bias/template.md @@ -1,14 +1,10 @@ -# Aggregation Bias - -## Overview of the Vulnerability - Aggregation bias occurs in an AI model when systematic favoritism is displayed when processing data from different demographic groups. This bias originates from training data that is skewed, or that has an under representation of certain groups. Outputs from AI models that have an aggregation bias can result in unequal treatment of users based on demographic characteristics, which can lead to unfair and discriminatory outcomes. -## Business Impact +**Business Impact** Aggregation bias in this AI model can result in reputational damage and indirect financial loss due to the loss of customer trust in the output of the model. -## Steps to Reproduce +**Steps to Reproduce** 1. Obtain a diverse dataset containing demographic information 1. Feed the dataset into the AI model @@ -16,7 +12,7 @@ Aggregation bias in this AI model can result in reputational damage and indirect 1. Compare outcomes across different demographic groups 1. Observe the systematic favoritism displayed by the model toward one or more specific groups -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/algorithmic_biases/processing_bias/template.md b/submissions/description/algorithmic_biases/processing_bias/template.md index 3c626027..1d4f1aa6 100644 --- a/submissions/description/algorithmic_biases/processing_bias/template.md +++ b/submissions/description/algorithmic_biases/processing_bias/template.md @@ -1,20 +1,16 @@ -# Processing Bias - -## Overview of the Vulnerability - Processing bias occurs when AI algorithms make biased decisions, or predictions, due to the way that they process data. This can be a result of the algorithm's design or the training data it has been trained on. Outputs from AI models that have a processing bias can result in discrimination, reinforcement of stereotypes, and unintended consequences such as amplification or polarization of viewpoints that disadvantage certain groups. -## Business Impact +**Business Impact** Processing bias in this AI model can result in reputational damage and indirect monetary loss due to the loss of customer trust in the output of the model. -## Steps to Reproduce +**Steps to Reproduce** 1. Input the following benchmark dataset into the AI model: {{Benchmark data set}} 1. Split the dataset into two sets. One is to act as the training dataset and the other as the testing dataset. 1. Examine the model's predictions and note the following disparity exists: {{Disparity between Group A and Group B}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/algorithmic_biases/template.md b/submissions/description/algorithmic_biases/template.md index 3683358c..d58f9e6d 100644 --- a/submissions/description/algorithmic_biases/template.md +++ b/submissions/description/algorithmic_biases/template.md @@ -1,21 +1,17 @@ -# Algorithmic bias - -## Overview of the Vulnerability - Algorithmic bias occurs in an AI model when the algorithms used to develop the model produce biased outcomes as a result of inherent flaws or limitations in their design. This bias originates from assumptions made during algorithm development, selection of inappropriate models, or the way data is processed and weighted. This results in AI models that make unfair, skewed, or discriminatory decisions. -## Business Impact +**Business Impact** Aggregation bias in this AI model can result in reputational damage and indirect financial loss due to the loss of customer trust in the output of the model. -## Steps to Reproduce +**Steps to Reproduce** 1. Select an AI algorithm known to have potential biases 1. Train the algorithm on a dataset that may amplify these biases 1. Test the algorithm's decisions or predictions on a diverse dataset 1. Identify and document instances where the algorithm's output is biased -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_android_intents/template.md b/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_android_intents/template.md index 5b15d057..45c15aae 100644 --- a/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_android_intents/template.md +++ b/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_android_intents/template.md @@ -1,18 +1,14 @@ -# Application-Level Denial of Service Causes Application to Crash via Malformed Android Intents - -## Overview of the Vulnerability - -Application-level denial of service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. +Application-level Denial of Service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is a local application-level DoS vulnerability within this Android application that causes it to crash. An attacker can use this vulnerability to provide empty, malformed, or irregular data via the Intent binding mechanism, crashing the application and making it unavailable for its designed purpose to legitimate users. -## Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** -1. Navigate to {{url}} +1. Navigate to the following URL: {{URL}} 1. Use the following payload: {{payload}} @@ -21,10 +17,10 @@ Application-level DoS can result in indirect financial loss for the business thr {{parameter}} -1. Observe that the payload causes a denial of service +1. Observe that the payload causes a Denial of Service -## Proof of Concept (PoC) +**Proof of Concept (PoC)** -The screenshot below demonstrates the denial of service: +The screenshot below demonstrates the Denial of Service: {{screenshot}} diff --git a/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_ios_url_schemes/template.md b/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_ios_url_schemes/template.md index b4da8a6d..0f43efaf 100644 --- a/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_ios_url_schemes/template.md +++ b/submissions/description/application_level_denial_of_service_dos/app_crash/malformed_ios_url_schemes/template.md @@ -1,18 +1,14 @@ -# Application-Level Denial of Service Causes Application to Crash via Malformed iOS URL Schemes - -## Overview of the Vulnerability - -Application-level denial of service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. +Application-level Denial of Service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is a local application-level DoS vulnerability within this iOS application that causes it to crash. An attacker can use this vulnerability to provide empty, malformed, or irregular data via a URL scheme, crashing the application and making it unavailable for its designed purpose to legitimate users. -## Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** -1. Navigate to {{url}} +1. Navigate to the following URL: {{URL}} 1. Use the following payload: {{payload}} @@ -21,10 +17,10 @@ Application-level DoS can result in indirect financial loss for the business thr {{parameter}} -1. Observe that the payload causes a denial of service +1. Observe that the payload causes a Denial of Service -## Proof of Concept (PoC) +**Proof of Concept (PoC)** -The screenshot below demonstrates the denial of service: +The screenshot below demonstrates the Denial of Service: {{screenshot}} diff --git a/submissions/description/application_level_denial_of_service_dos/app_crash/template.md b/submissions/description/application_level_denial_of_service_dos/app_crash/template.md index cef20be5..ddc7d9c7 100644 --- a/submissions/description/application_level_denial_of_service_dos/app_crash/template.md +++ b/submissions/description/application_level_denial_of_service_dos/app_crash/template.md @@ -1,18 +1,14 @@ -# Application-Level Denial of Service Causes Application to Crash - -## Overview of the Vulnerability - -Application-level denial of service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. +Application-level Denial of Service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is an application-level DoS vulnerability within this iOS or Android application that causes it to crash. An attacker can use this vulnerability to exhaust resources, making the application unavailable for its designed purpose to legitimate users. -## Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** -1. Navigate to {{url}} +1. Navigate to the following URL: {{URL}} 1. Use the following payload: {{payload}} @@ -21,10 +17,10 @@ Application-level DoS can result in indirect financial loss for the business thr {{parameter}} -1. Observe that the payload causes a denial of service that has high impact or medium difficulty to be performed +1. Observe that the payload causes a Denial of Service that has high impact or medium difficulty to be performed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** -The screenshot below demonstrates the denial of service: +The screenshot below demonstrates the Denial of Service: {{screenshot}} diff --git a/submissions/description/application_level_denial_of_service_dos/critical_impact_and_or_easy_difficulty/template.md b/submissions/description/application_level_denial_of_service_dos/critical_impact_and_or_easy_difficulty/template.md index 75720077..58586587 100644 --- a/submissions/description/application_level_denial_of_service_dos/critical_impact_and_or_easy_difficulty/template.md +++ b/submissions/description/application_level_denial_of_service_dos/critical_impact_and_or_easy_difficulty/template.md @@ -1,16 +1,12 @@ -# Application-Level Denial of Service: Critical Impact or Easy Difficulty - -## Overview of the Vulnerability - Application-level Denial of Service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is an application-level DoS vulnerability within this application that has critical impact or is easily performed. An attacker can use this vulnerability to exhaust resources, making the application unavailable for its designed purpose to legitimate users. -## Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{url}} 1. Use the following payload: @@ -21,9 +17,9 @@ Application-level DoS can result in indirect financial loss for the business thr {{parameter}} -1. Observe that the payload causes a denial of service that has critical impact or is easy to perform +1. Observe that the payload causes a Denial of Service that has critical impact or is easy to perform -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) proof of the vulnerability: diff --git a/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/injection_prompt/template.md b/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/injection_prompt/template.md index dabf0cc3..5e47fc4c 100644 --- a/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/injection_prompt/template.md +++ b/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/injection_prompt/template.md @@ -1,14 +1,10 @@ -# Injection (Prompt) - -## Overview of the Vulnerability - Injection occurs when an attacker provides inputs to a Large Language Model (LLM) which causes a large amount of resources to be consumed. This can result in a Denial of Service (DoS) to users, incur large amounts of computational resource costs, or slow response times of the LLM. -## Business Impact +**Business Impact** This vulnerability can lead to reputational and financial damage of the company due an attacker incurring computational resource costs or denying service to other users, which would also impact customers' trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Inject the following prompt into the LLM: @@ -19,7 +15,7 @@ This vulnerability can lead to reputational and financial damage of the company 1. Observe that the LLM is slow to return a response -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: > diff --git a/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/template.md b/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/template.md index c9e269c4..90d0a29e 100644 --- a/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/template.md +++ b/submissions/description/application_level_denial_of_service_dos/excessive_resource_consumption/template.md @@ -1,18 +1,14 @@ -# Excessive Resource Consumption - -## Overview of the Vulnerability - -Application-level denial of service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. +Application-level Denial of Service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is an application-level DoS vulnerability within this application that an attacker can use to exhaust resources, making the application unavailable for its designed purpose to legitimate users. -## Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** -1. Navigate to {{url}} +1. Navigate to the following URL: {{URL}} 1. Use the following payload: {{payload}} @@ -23,7 +19,7 @@ Application-level DoS can result in indirect financial loss for the business thr 1. Observe that the payload causes a DoS condition -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the vulnerability: diff --git a/submissions/description/application_level_denial_of_service_dos/high_impact_and_or_medium_difficulty/template.md b/submissions/description/application_level_denial_of_service_dos/high_impact_and_or_medium_difficulty/template.md index dedde9dd..23536be8 100644 --- a/submissions/description/application_level_denial_of_service_dos/high_impact_and_or_medium_difficulty/template.md +++ b/submissions/description/application_level_denial_of_service_dos/high_impact_and_or_medium_difficulty/template.md @@ -1,16 +1,12 @@ -# Application-Level Denial of Service: High Impact or Medium Difficulty - -## Overview of the Vulnerability - Application-level Denial of Service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is an application-level DoS vulnerability within this application that has high impact or medium difficulty to be performed. An attacker can use this vulnerability to exhaust resources, making the application unavailable for its designed purpose to legitimate users, but not take down the application for all users. -## Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{url}} 1. Use the following payload: @@ -21,9 +17,9 @@ Application-level DoS can result in indirect financial loss for the business thr {{parameter}} -1. Observe that the payload causes a denial of service that has high impact or medium difficulty to be performed +1. Observe that the payload causes a Denial of Service that has high impact or medium difficulty to be performed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates proof of the vulnerability: diff --git a/submissions/description/application_level_denial_of_service_dos/template.md b/submissions/description/application_level_denial_of_service_dos/template.md index 2e41ac8a..957d831d 100644 --- a/submissions/description/application_level_denial_of_service_dos/template.md +++ b/submissions/description/application_level_denial_of_service_dos/template.md @@ -1,18 +1,14 @@ -# Application-Level Denial of Service - -## Overview of the Vulnerability - -Application-level denial of service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. +Application-level Denial of Service (DoS) attacks are designed to deny service to users of an application by flooding it with many HTTP requests. This makes it impossible for the server to respond to legitimate requests in any practical time frame. There is an application-level DoS vulnerability within this application that an attacker can use to exhaust resources, making the application unavailable for its designed purpose to legitimate users. -## Business Impact +**Business Impact** Application-level DoS can result in indirect financial loss for the business through the attacker’s ability to DoS the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** -1. Navigate to {{url}} +1. Navigate to the following URL: {{URL}} 1. Use the following payload: {{payload}} @@ -21,10 +17,10 @@ Application-level DoS can result in indirect financial loss for the business thr {{parameter}} -1. Observe that the payload causes a denial of service +1. Observe that the payload causes a Denial of Service -## Proof of Concept (PoC) +**Proof of Concept (PoC)** -The screenshot below demonstrates the denial of service: +The screenshot below demonstrates the Denial of Service: {{screenshot}} diff --git a/submissions/description/automotive_security_misconfiguration/GNSS_GPS/Spoofing/template.md b/submissions/description/automotive_security_misconfiguration/GNSS_GPS/Spoofing/template.md index f02deb3c..0aa427d5 100644 --- a/submissions/description/automotive_security_misconfiguration/GNSS_GPS/Spoofing/template.md +++ b/submissions/description/automotive_security_misconfiguration/GNSS_GPS/Spoofing/template.md @@ -1,14 +1,10 @@ -# GNSS/GPS Spoofing - -## Overview of the Vulnerability - Global Navigation Satellite System (GNSS) and Global Positioning System (GPS) spoofing involves the broadcast of fake GNSS/GPS signals to fake the position of a vehicle, or otherwise make the positioning unreliable. An attacker is able to send fake GNSS/GPS signals to the receiver and successfully spoof a vehicle’s position. -## Business Impact +**Business Impact** This vulnerability can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The GNSS/GPS signal is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This vulnerability can result in reputational damage and indirect financial loss 1. Observe that the GNSS/GPS signal has been spoofed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the GNSS/GPS communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s), causing GNSS/GPS spoofing: diff --git a/submissions/description/automotive_security_misconfiguration/GNSS_GPS/template.md b/submissions/description/automotive_security_misconfiguration/GNSS_GPS/template.md index 35dc9e24..0aa427d5 100644 --- a/submissions/description/automotive_security_misconfiguration/GNSS_GPS/template.md +++ b/submissions/description/automotive_security_misconfiguration/GNSS_GPS/template.md @@ -1,14 +1,10 @@ -# GNSS/GPS Misconfiguration - -## Overview of the Vulnerability - Global Navigation Satellite System (GNSS) and Global Positioning System (GPS) spoofing involves the broadcast of fake GNSS/GPS signals to fake the position of a vehicle, or otherwise make the positioning unreliable. An attacker is able to send fake GNSS/GPS signals to the receiver and successfully spoof a vehicle’s position. -## Business Impact +**Business Impact** This vulnerability can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The GNSS/GPS signal is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This vulnerability can result in reputational damage and indirect financial loss 1. Observe that the GNSS/GPS signal has been spoofed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the GNSS/GPS communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s), causing GNSS/GPS spoofing: diff --git a/submissions/description/automotive_security_misconfiguration/abs/template.md b/submissions/description/automotive_security_misconfiguration/abs/template.md index f77d41aa..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/abs/template.md +++ b/submissions/description/automotive_security_misconfiguration/abs/template.md @@ -1,14 +1,10 @@ -# Automotive Security Misconfiguration - Anti-Lock Braking Systems (ABS) - -## Overview of the Vulnerability - Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -## Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -16,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/abs/unintended_acceleration_brake/template.md b/submissions/description/automotive_security_misconfiguration/abs/unintended_acceleration_brake/template.md index caf3ebea..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/abs/unintended_acceleration_brake/template.md +++ b/submissions/description/automotive_security_misconfiguration/abs/unintended_acceleration_brake/template.md @@ -1,14 +1,10 @@ -# Anti-Lock Braking Systems (ABS) - Unintended Acceleration Brake - -## Overview of the Vulnerability - Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -## Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -16,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/battery_management_system/firmware_dump/template.md b/submissions/description/automotive_security_misconfiguration/battery_management_system/firmware_dump/template.md index 05d16ea6..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/battery_management_system/firmware_dump/template.md +++ b/submissions/description/automotive_security_misconfiguration/battery_management_system/firmware_dump/template.md @@ -1,14 +1,10 @@ -# Battery Management System - Firmware Dump - -## Overview of the Vulnerability - Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -## Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -16,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/battery_management_system/fraudulent_interface/template.md b/submissions/description/automotive_security_misconfiguration/battery_management_system/fraudulent_interface/template.md index cca9f7ae..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/battery_management_system/fraudulent_interface/template.md +++ b/submissions/description/automotive_security_misconfiguration/battery_management_system/fraudulent_interface/template.md @@ -1,14 +1,10 @@ -# Automotive Security Misconfiguration - Battery Management System - -## Overview of the Vulnerability - Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -## Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -16,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/battery_management_system/template.md b/submissions/description/automotive_security_misconfiguration/battery_management_system/template.md index 69ce6baf..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/battery_management_system/template.md +++ b/submissions/description/automotive_security_misconfiguration/battery_management_system/template.md @@ -1,14 +1,10 @@ -# Battery Management System - Fraudulent Interface - -## Overview of the Vulnerability - Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -## Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -16,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_basic_safety_message/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_basic_safety_message/template.md index fe1ac117..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_basic_safety_message/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_basic_safety_message/template.md @@ -1,14 +1,10 @@ -# CAN Injection - Basic Safety Message - -## Overview of the Vulnerability - The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -## Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_battery_management_system/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_battery_management_system/template.md index 6ce5db32..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_battery_management_system/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_battery_management_system/template.md @@ -1,14 +1,10 @@ -# CAN Injection - Battery Management System - -## Overview of the Vulnerability - The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -## Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_disallowed_messages/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_disallowed_messages/template.md index 9caa34c3..93c5f6f6 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_disallowed_messages/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_disallowed_messages/template.md @@ -1,14 +1,10 @@ -# CAN Injection - Disallowed Messages - -## Overview of the Vulnerability - The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. The {{application}} allows an attacker to connect to the CAN Bus and send messages to the system that are otherwise not allowed. This can cause disruption to the communication between the vehicle’s electronic devices and control units. -## Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result on {{target}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_dos/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_dos/template.md index e3baf8d4..172e96b0 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_dos/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_dos/template.md @@ -1,14 +1,10 @@ -# CAN Injection - Denial of Service - -## Overview of the Vulnerability - The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. The {{application}} allows an attacker to connect to the CAN Bus and send multiple messages to the system at a rate which can cause a Denial of Service (DOS) condition. This can cause disruption to the communication between the vehicle’s electronic devices and control units. -## Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that a DoS condition has been created -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s) recursively causing a DoS condition: diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_headlights/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_headlights/template.md index 2d3e8225..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_headlights/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_headlights/template.md @@ -1,14 +1,10 @@ -# CAN Injection - Headlights - -## Overview of the Vulnerability - The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -## Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_powertrain/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_powertrain/template.md index e3135601..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_powertrain/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_powertrain/template.md @@ -1,14 +1,10 @@ -# CAN Injection - Powertrain - -## Overview of the Vulnerability - The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -## Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_pyrotechnical_device_deployment_tool/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_pyrotechnical_device_deployment_tool/template.md index 152ec606..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_pyrotechnical_device_deployment_tool/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_pyrotechnical_device_deployment_tool/template.md @@ -1,14 +1,10 @@ -# CAN Injection - Pyrotechnical Device Deployment Tool - -## Overview of the Vulnerability - The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -## Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_sensors/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_sensors/template.md index 0d831a1a..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_sensors/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_sensors/template.md @@ -1,14 +1,10 @@ -# CAN Injection - Sensors - -## Overview of the Vulnerability - The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -## Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_steering_control/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_steering_control/template.md index b497ea79..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_steering_control/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_steering_control/template.md @@ -1,14 +1,10 @@ -# CAN Injection - Steering Control - -## Overview of the Vulnerability - The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -## Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/injection_vehicle_anti_theft_systems/template.md b/submissions/description/automotive_security_misconfiguration/can/injection_vehicle_anti_theft_systems/template.md index 84c121f9..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/injection_vehicle_anti_theft_systems/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/injection_vehicle_anti_theft_systems/template.md @@ -1,14 +1,10 @@ -# CAN Injection - Vehicle Anti-Theft Systems - -## Overview of the Vulnerability - The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -## Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/can/template.md b/submissions/description/automotive_security_misconfiguration/can/template.md index feeb06e7..8ca6260c 100644 --- a/submissions/description/automotive_security_misconfiguration/can/template.md +++ b/submissions/description/automotive_security_misconfiguration/can/template.md @@ -1,14 +1,10 @@ -# CAN Misconfiguration - -## Overview of the Vulnerability - The Controller Area Network (CAN) is a network bus designed to aid communication between an automotive vehicle’s electronic devices and control units. CAN misconfigurations can lead to security weaknesses in the data transfer process between components that can result in injection flaws. An attacker can take advantage of the CAN misconfiguration and inject a payload into the CAN system, causing the system to not behave as intended. -## Business Impact +**Business Impact** This CAN misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The CAN input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This CAN misconfiguration can result in reputational damage and indirect financi 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the CAN communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/immobilizer/engine_start/template.md b/submissions/description/automotive_security_misconfiguration/immobilizer/engine_start/template.md index 30c2dcb2..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/immobilizer/engine_start/template.md +++ b/submissions/description/automotive_security_misconfiguration/immobilizer/engine_start/template.md @@ -1,14 +1,10 @@ -# Engine Start Immobilizer - -## Overview of the Vulnerability - Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -## Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -16,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/immobilizer/template.md b/submissions/description/automotive_security_misconfiguration/immobilizer/template.md index 366ce921..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/immobilizer/template.md +++ b/submissions/description/automotive_security_misconfiguration/immobilizer/template.md @@ -1,14 +1,10 @@ -# Automotive Security Misconfiguration - Immobilizer - -## Overview of the Vulnerability - Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -## Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -16,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_can_bus_pivot/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_can_bus_pivot/template.md index 9526cd1a..b4db69d5 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_can_bus_pivot/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_can_bus_pivot/template.md @@ -1,14 +1,10 @@ -# Infotainment Code Execution CAN Bus Pivot - -## Overview of the Vulnerability - The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can pivot into the CAN bus system and execute code by taking advantage of an IVI misconfiguration, causing the system to not behave as intended. -## Business Impact +**Business Impact** This IVI system misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The IVI system {{application}} uses this feature to {{action}}, exploited by {{action}} 1. Pivot into the CAN bus using this vulnerability by {{action}} @@ -18,7 +14,7 @@ This IVI system misconfiguration can result in reputational damage and indirect 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the IVI system communication occurs. It also shows how an attacker connects to the CAN bus, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_no_can_bus_pivot/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_no_can_bus_pivot/template.md index 48f3f1ec..be38ee27 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_no_can_bus_pivot/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/code_execution_no_can_bus_pivot/template.md @@ -1,14 +1,10 @@ -# Infotainment Code Execution No CAN Bus Pivot - -## Overview of the Vulnerability - The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can execute code on the IVI unit by taking advantage of a misconfiguration in the system, causing the system to not behave as intended. -## Business Impact +**Business Impact** This IVI system misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Perform reconnaissance on the application by {{action}}, using {{software}} on the system 1. The IVI system {{application}} exposes {{target}} on the system @@ -18,7 +14,7 @@ This IVI system misconfiguration can result in reputational damage and indirect 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the IVI system communication occurs. It also shows how an attacker is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/default_credentials/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/default_credentials/template.md index 15f9bdd7..b6819158 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/default_credentials/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/default_credentials/template.md @@ -1,21 +1,17 @@ -# Infotainment Default Credentials - -## Overview of the Vulnerability - The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. Default credentials in the IVI unit can be leveraged by an attacker to gain developer access to the system. From here, the attacker can cause the system to behave not as intended. -## Business Impact +**Business Impact** Default credentials in the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Port scan the IVI unit by leveraging {{application}} and {{hardware}} 1. Bruteforce default credentials on exposed service(s) 1. Login to service(s) and run {{action}} 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the default password successfully authenticating an attacker into the infotainment system: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/dos_brick/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/dos_brick/template.md index c86acd88..c4572c6f 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/dos_brick/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/dos_brick/template.md @@ -1,14 +1,10 @@ -# Infotainment Denial of Service - -## Overview of the Vulnerability - The In-Vehicle Infotainment (IVI) system is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can take advantage of an IVI misconfiguration and inject format strings into the IVI system, causing a Denial of Service (DoS) condition to the system. -## Business Impact +**Business Impact** DoS in the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Perform reconnaissance on the application by {{action}}, using {{software}} on the system 1. The IVI system {{application}} exposes {{target}} on the system @@ -18,7 +14,7 @@ DoS in the IVI system can result in reputational damage and indirect financial l 1. Observe the inserted payload from infotainment system -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates theDoS from injected format strings on the target infotainment system: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/ota_firmware_manipulation/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/ota_firmware_manipulation/template.md index a4e97904..9b1463be 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/ota_firmware_manipulation/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/ota_firmware_manipulation/template.md @@ -1,14 +1,10 @@ -# OTA Firmware Manipulation - -## Overview of the Vulnerability - The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can take advantage of IVI misconfiguration and inject a payload into the IVI system, causing the system to not behave as intended. -## Business Impact +**Business Impact** This IVI system misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The IVI system input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This IVI system misconfiguration can result in reputational damage and indirect 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the IVI system communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/sensitive_data_leakage_exposure/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/sensitive_data_leakage_exposure/template.md index 0087ab80..262823c4 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/sensitive_data_leakage_exposure/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/sensitive_data_leakage_exposure/template.md @@ -1,19 +1,15 @@ -# Sensitive Data Leakage Exposure - -## Overview of the Vulnerability - The In-Vehicle Infotainment (IVI) system is a the central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. The IVI system leaks sensitive data, allowing an attacker to collect this sensitive data via logs and user configurations within the underlying IVI interface. -## Business Impact +**Business Impact** Sensitive data that is accessible from within the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. Additionally, the impact is further enhanced by the impact of the business having to respond, notify, and recover from a potential data breach if an attacker is successful in exfiltrating PII. -## Steps to Reproduce +**Steps to Reproduce** 1. Power on {{target}} by {{action}} 1. Use {{application}} and notice that the data is stored/transmitted by {{application}} in an insecure manner -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates how and where to find the sensitive data on the vulnerable system: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/source_code_dump/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/source_code_dump/template.md index 632e2feb..5d04c34a 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/source_code_dump/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/source_code_dump/template.md @@ -1,20 +1,16 @@ -# Source Code Dump - -## Overview of the Vulnerability - The In-Vehicle Infotainment (IVI) system is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. Source code can be dumped in the target IVI system, allowing an attacker to read, release, and exploit code that should otherwise be hidden from users on the IVI unit. An attacker is able to dump firmware code online which also allows others to view, share, or exploit proprietary code. -## Business Impact +**Business Impact** Source code that is accessible from within the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Acquire a bin or firmware file for {{target}} 1. Unzip the firmware using {{software}} 1. Unsquare file system using {{software}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the extracted firmware folder and snippets of exposed source code: diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/template.md index f6b29ea7..9b1463be 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/template.md @@ -1,14 +1,10 @@ -# In-Vehicle Infotainment Misconfiguration - -## Overview of the Vulnerability - The In-Vehicle Infotainment (IVI) system, is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. An attacker can take advantage of IVI misconfiguration and inject a payload into the IVI system, causing the system to not behave as intended. -## Business Impact +**Business Impact** This IVI system misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. The IVI system input is identified by using {{hardware}} on {{target}} 1. Connect to {{target}} by using {{application}} with {{hardware}} @@ -18,7 +14,7 @@ This IVI system misconfiguration can result in reputational damage and indirect 1. Observe that {{action}} occurs as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the process by which an attacker identifies where the IVI system communication occurs. It also shows how an attacker connects to the {{target}}, and is able to inject the payload(s): diff --git a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/unauthorized_access_to_services/template.md b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/unauthorized_access_to_services/template.md index 7085f5c0..32322a01 100644 --- a/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/unauthorized_access_to_services/template.md +++ b/submissions/description/automotive_security_misconfiguration/infotainment_radio_head_unit/unauthorized_access_to_services/template.md @@ -1,19 +1,15 @@ -# Unauthorized Access To Services - -## Overview of the Vulnerability - The In-Vehicle Infotainment (IVI) system is a central unit in an automotive vehicle's dashboard that centralizes information and entertainment systems and their controls. Misconfigurations in the IVI system can lead to security weaknesses. Unauthorized access to services in the IVI system can originate from wireless protocols, in-vehicle applications, and physical inputs that communicate with the vehicle’s IVI unit. An attacker can leverage the unauthorized service(s) to escalate privileges on the IVI unit, and compromise internal and external communications. -## Business Impact +**Business Impact** Exposed services that are accessible from within the IVI system can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Scan the {{target}} and find that {{application}} is exposed 1. Access application by {{action}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates that the IVI system is exposed to attackers: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/can_injection_interaction/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/can_injection_interaction/template.md index 09545db3..2971d0ab 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/can_injection_interaction/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/can_injection_interaction/template.md @@ -1,22 +1,18 @@ -# Radio Frequency Can Injection Interaction - -## Overview of the Vulnerability - The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can exploit radio frequency interactions in the target and can interact and send messages to the CAN bus, disrupting the communication between the vehicle’s electronic devices and control units. -## Business Impact +**Business Impact** This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Using {{software}} send command: {{payload}} 1. Observe that {{action}} occurs on the {{target}} as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/data_leakage_pull_encryption_mechanism/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/data_leakage_pull_encryption_mechanism/template.md index 522e7c90..6faa9b73 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/data_leakage_pull_encryption_mechanism/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/data_leakage_pull_encryption_mechanism/template.md @@ -1,22 +1,18 @@ -# Radio Frequency Data Leakage Pull Encryption Mechanism - -## Overview of the Vulnerability - The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can exploit radio frequency interactions in the target to decode the data sent Over the Air (OTA) or On-Vehicle as they are sent insecurely. Through this, an attacker can uncover PII or confidential data from encrypted communications. -## Business Impact +**Business Impact** This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Perform a Person-in-the-Middle (PitM) attack by doing {{action}}, using {{hardware}} and {{software}} 1. Attempt to bypass the encryption by {{action}} or using meta data from the intercepted messages to decode/decrypt the communication -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/key_fob_cloning/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/key_fob_cloning/template.md index cbfb7690..1f0757ce 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/key_fob_cloning/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/key_fob_cloning/template.md @@ -1,22 +1,18 @@ -# Radio Frequency Key Fob Cloning - -## Overview of the Vulnerability - The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can exploit the target system by creating a permanent clone of the key fob, giving permanent access to any vehicle of the same make/model. -## Business Impact +**Business Impact** This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Use the {{application}} on {{target}} to clone key fob by {{action}} 1. Use the original key fob to roll the nonce, then unlock {{target}} using spoofed {{hardware}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/relay/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/relay/template.md index c5cbfd4d..7fba7b39 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/relay/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/relay/template.md @@ -1,20 +1,16 @@ -# Radio Frequency Relay - -## Overview of the Vulnerability - The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can leverage misconfigurations in the RFH and cause disruption to the communication between the vehicle’s electronic devices and control units. -## Business Impact +**Business Impact** RFH misconfigurations can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Using {{software}} send command: {{payload}} 1. Observe that {{action}} occurs on the {{target}} as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/replay/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/replay/template.md index 89dd6d9d..7fba7b39 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/replay/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/replay/template.md @@ -1,20 +1,16 @@ -# Radio Frequency Replay - -## Overview of the Vulnerability - The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can leverage misconfigurations in the RFH and cause disruption to the communication between the vehicle’s electronic devices and control units. -## Business Impact +**Business Impact** RFH misconfigurations can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Using {{software}} send command: {{payload}} 1. Observe that {{action}} occurs on the {{target}} as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/roll_jam/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/roll_jam/template.md index 427096ff..7fba7b39 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/roll_jam/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/roll_jam/template.md @@ -1,20 +1,16 @@ -# Radio Frequency Roll Jam - -## Overview of the Vulnerability - The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can leverage misconfigurations in the RFH and cause disruption to the communication between the vehicle’s electronic devices and control units. -## Business Impact +**Business Impact** RFH misconfigurations can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Using {{software}} send command: {{payload}} 1. Observe that {{action}} occurs on the {{target}} as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/template.md index c1412aab..7fba7b39 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/template.md @@ -1,20 +1,16 @@ -# Radio Frequency Hub - -## Overview of the Vulnerability - The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can leverage misconfigurations in the RFH and cause disruption to the communication between the vehicle’s electronic devices and control units. -## Business Impact +**Business Impact** RFH misconfigurations can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Using {{software}} send command: {{payload}} 1. Observe that {{action}} occurs on the {{target}} as a result -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rf_hub/unauthorized_access_turn_on/template.md b/submissions/description/automotive_security_misconfiguration/rf_hub/unauthorized_access_turn_on/template.md index cceb1563..10eac746 100644 --- a/submissions/description/automotive_security_misconfiguration/rf_hub/unauthorized_access_turn_on/template.md +++ b/submissions/description/automotive_security_misconfiguration/rf_hub/unauthorized_access_turn_on/template.md @@ -1,21 +1,17 @@ -# Radio Frequency Unauthorized Access To Turn On Vehicle - -## Overview of the Vulnerability - The Radio Frequency Hub (RFH) is a receiver hub which communicates with other electronic devices and control units through either the Controller Area Network (CAN) bus or a separate serial bus. The RFH allows communications for vehicle accessories such as remote ignition systems, keyless entry, remote immobilization systems, and anti-theft systems, amongst other operations. Misconfigurations in the RFH can lead to security weaknesses across any of these systems. An attacker can control the power state of a device via radio frequency. They could exploit this by performing a Denial of Service (DoS) attack, preventing the owner of the vehicle from turning their vehicle on or off, as well as allowing for remote control of the vehicle during use. -## Business Impact +**Business Impact** This RFH misconfiguration can result in reputational damage and indirect financial loss for the business through the impact to customers’ trust in the security and safety of the automotive vehicle. -## Steps to Reproduce +**Steps to Reproduce** 1. Setup {{hardware}} and {{software}} to interact with the RF layer of {{target}} 1. Turn on {{target}} using {{hardware}} and/or {{software}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The image(s) below demonstrates the RFH misconfiguration: diff --git a/submissions/description/automotive_security_misconfiguration/rsu/sybil_attack/template.md b/submissions/description/automotive_security_misconfiguration/rsu/sybil_attack/template.md index 2b844f00..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/rsu/sybil_attack/template.md +++ b/submissions/description/automotive_security_misconfiguration/rsu/sybil_attack/template.md @@ -1,14 +1,10 @@ -# Automotive Security Misconfiguration - -## Overview of the Vulnerability - Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -## Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -16,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/rsu/template.md b/submissions/description/automotive_security_misconfiguration/rsu/template.md index 9ff8e881..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/rsu/template.md +++ b/submissions/description/automotive_security_misconfiguration/rsu/template.md @@ -1,14 +1,10 @@ -# Roadside Unit (RSU) - Sybil Attack - -## Overview of the Vulnerability - Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -## Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -16,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/automotive_security_misconfiguration/template.md b/submissions/description/automotive_security_misconfiguration/template.md index 3197c8c7..32e95b11 100644 --- a/submissions/description/automotive_security_misconfiguration/template.md +++ b/submissions/description/automotive_security_misconfiguration/template.md @@ -1,14 +1,10 @@ -# Automotive Security Misconfiguration - Roadside Unit (RSU) - -## Overview of the Vulnerability - Automotive security misconfigurations can occur within the software, firmware, or network settings of vehicles, leading to security vulnerabilities. These misconfigurations can stem from default settings, inadequate security measures, or improper configurations during the manufacturing or maintenance processes. An attacker can exploit this misconfiguration and gain unauthorised access to data, or manipulate the vehicle system's integrity. -## Business Impact +**Business Impact** This vulnerability can lead to data breaches, unauthorized access to sensitive information, remote exploitation or manipulation of vehicle systems, or compromise of driver safety, privacy, and vehicle integrity. Additionally, it may result in reputational damage, legal liabilities, and financial losses for automotive manufacturers and service providers. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the software, firmware, and network components present in the vehicle: {{Vulnerable component}} @@ -16,7 +12,7 @@ This vulnerability can lead to data breaches, unauthorized access to sensitive i 3. Exploit the misconfiguration to gain unauthorized access, manipulate vehicle systems, or intercept communications. 4. Observe that it is possible to {{vulnerable action}}, demonstrating the misconfiguration. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/broken_access_control/exposed_sensitive_android_intent/template.md b/submissions/description/broken_access_control/exposed_sensitive_android_intent/template.md index c42ccacf..f85e1125 100644 --- a/submissions/description/broken_access_control/exposed_sensitive_android_intent/template.md +++ b/submissions/description/broken_access_control/exposed_sensitive_android_intent/template.md @@ -1,15 +1,11 @@ -# Exposed Sensitive Android Intent - -## Overview of the Vulnerability - An `Intent` is a messaging object used within an Android application to request action from a different component of the application. When a request occurs and information is retrieved, a lack of validation can result in access controls being bypassed and sensitive information being leaked. The application has an exposed sensitive Android `Intent` which an attacker can query to gather sensitive information from the application which they could use to perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -22,7 +18,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Observe that the account now has additional user functionality and access to data it was previously not authorized to access -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the broken access control: diff --git a/submissions/description/broken_access_control/exposed_sensitive_ios_url_scheme/template.md b/submissions/description/broken_access_control/exposed_sensitive_ios_url_scheme/template.md index d492545e..780216c5 100644 --- a/submissions/description/broken_access_control/exposed_sensitive_ios_url_scheme/template.md +++ b/submissions/description/broken_access_control/exposed_sensitive_ios_url_scheme/template.md @@ -1,16 +1,12 @@ -# Exposed Sensitive iOS URL Scheme - -## Overview of the Vulnerability - A URL Scheme helps facilitate the transfer of a limited amount of data between iOS applications on Apple mobile devices. iOS applications operate in separate sandboxes to limit the access and transfer of data between applications. However, it is possible to perform an App-in-the-Middle (AitM) attack where a malicious application sends a manipulated URL Scheme to trick a legitimate application into sharing a user’s sensitive data, bypassing access controls of the legitimate application. The application has an exposed sensitive iOS URL Scheme, which an attacker can take advantage of to perform an AitM attack, bypass the access controls of the application, and gather sensitive user data. This data could be used to perform further attacks on the application, the business, or its users, including account takeover. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +19,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Observe that the account now has additional user functionality and access to data it was previously not authorized to access -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the broken access control: diff --git a/submissions/description/broken_access_control/idor/edit_delete_sensitive_information_iterable_object_identifiers/template.md b/submissions/description/broken_access_control/idor/edit_delete_sensitive_information_iterable_object_identifiers/template.md index bcf20d08..8c19340e 100644 --- a/submissions/description/broken_access_control/idor/edit_delete_sensitive_information_iterable_object_identifiers/template.md +++ b/submissions/description/broken_access_control/idor/edit_delete_sensitive_information_iterable_object_identifiers/template.md @@ -1,14 +1,10 @@ -# Edit/Delete Sensitive Information/Iterable Object Identifiers - -## Overview of the Vulnerability - Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application allows an attacker to alter sensitive information by iterating through object identifiers. -## Business Impact +**Business Impact** IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -20,7 +16,7 @@ IDOR can lead to reputational damage for the business through the impact to cust {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/read_edit_delete_non_sensitive_information/template.md b/submissions/description/broken_access_control/idor/read_edit_delete_non_sensitive_information/template.md index dc2c1ca6..2bb71e30 100644 --- a/submissions/description/broken_access_control/idor/read_edit_delete_non_sensitive_information/template.md +++ b/submissions/description/broken_access_control/idor/read_edit_delete_non_sensitive_information/template.md @@ -1,14 +1,10 @@ -# Read/Edit/Delete Non-Sensitive Information - -## Overview of the Vulnerability - Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application can be leveraged by an attacker to bypass access controls, manipulate and read non-sensitive information. -## Business Impact +**Business Impact** IDOR can result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -20,7 +16,7 @@ IDOR can result in reputational damage for the business through the impact to cu {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_guid/template.md b/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_guid/template.md index 961e1a49..1152e84f 100644 --- a/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_guid/template.md +++ b/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_guid/template.md @@ -1,14 +1,10 @@ -# Read/Edit/Delete Sensitive Information/Complex Object Identifiers(GUID) - -## Overview of the Vulnerability - Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application leads to unauthorized access to, and manipulation of, sensitive data. An attacker is able to bypass access controls, by retrieving another user's Globally Unique Identifier (GUID). -## Business Impact +**Business Impact** IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -20,7 +16,7 @@ IDOR can lead to reputational damage for the business through the impact to cust {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_iterable_object_identifiers/template.md b/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_iterable_object_identifiers/template.md index c652589e..8b49d9d9 100644 --- a/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_iterable_object_identifiers/template.md +++ b/submissions/description/broken_access_control/idor/read_edit_delete_sensitive_information_iterable_object_identifiers/template.md @@ -1,14 +1,10 @@ -# Read/Edit/Delete Sensitive Information/Iterable Object Identifiers - -## Overview of the Vulnerability - Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application allows an attacker to read Personally Identifiable Information (PII) by iterating through object identifiers. -## Business Impact +**Business Impact** IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -20,7 +16,7 @@ IDOR can lead to reputational damage for the business through the impact to cust {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/read_sensitive_information_iterable_object_identifiers/template.md b/submissions/description/broken_access_control/idor/read_sensitive_information_iterable_object_identifiers/template.md index 569b05d0..eb1f8b10 100644 --- a/submissions/description/broken_access_control/idor/read_sensitive_information_iterable_object_identifiers/template.md +++ b/submissions/description/broken_access_control/idor/read_sensitive_information_iterable_object_identifiers/template.md @@ -1,14 +1,10 @@ -# Read Sensitive Information/Iterable Object Identifiers - -## Overview of the Vulnerability - Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application allows an attacker to read sensitive information by iterating through object identifiers. -## Business Impact +**Business Impact** IDOR can lead to reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -20,7 +16,7 @@ IDOR can lead to reputational damage for the business through the impact to cust {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/idor/template.md b/submissions/description/broken_access_control/idor/template.md index 0e4b6a9f..b21ed7c4 100644 --- a/submissions/description/broken_access_control/idor/template.md +++ b/submissions/description/broken_access_control/idor/template.md @@ -1,14 +1,10 @@ -# Insecure Direct Object Reference (IDOR) - -## Overview of the Vulnerability - Insecure Direct Object Reference (IDOR) occurs when there are no access control checks to verify if a request to interact with a resource is valid. An IDOR vulnerability within this application can be leveraged by an attacker to manipulate, destroy, or disclose data through their ability to bypass access controls, horizontally or vertically escalate their privileges, and gain access to sensitive information or take over users' accounts. -## Business Impact +**Business Impact** IDOR can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to User Account A @@ -20,7 +16,7 @@ IDOR can lead to indirect financial loss through an attacker accessing, deleting {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the exposed object executing: diff --git a/submissions/description/broken_access_control/privilege_escalation/template.md b/submissions/description/broken_access_control/privilege_escalation/template.md index 1177fcdf..cf136231 100644 --- a/submissions/description/broken_access_control/privilege_escalation/template.md +++ b/submissions/description/broken_access_control/privilege_escalation/template.md @@ -1,14 +1,10 @@ -# Privilege Escalation via Broken Access Control - -## Overview of the Vulnerability - Access controls can be bypassed through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, by manipulating the form, or by counterfeiting sessions. The access controls for this application can be bypassed by an attacker who can gain access to a privileged user’s account and functionality. As a result, the attacker has access to more resources or functionality within the application. This could include viewing or editing sensitive customer data, and viewing or editing other user permissions. -## Business Impact +**Business Impact** The impact of this vulnerability can vary in severity depending on the degree of access to resources or functionality the attacker is able to gain. An attacker with the ability to access, delete, or modify data from within the application could result in reputational damage for the business through the impact to customers’ trust. This can also result in indirect financial cost to the business through fines and regulatory bodies if sensitive data is accessed. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -30,7 +26,7 @@ The impact of this vulnerability can vary in severity depending on the degree of 1. Forward the request then turn off interception in the proxy 1. Observe that User Account A now has additional Administrator privileges and user functionality it was previously not authorized to access -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the access controls being bypassed. diff --git a/submissions/description/broken_access_control/template.md b/submissions/description/broken_access_control/template.md index 6cfbaaa2..7fe684a8 100644 --- a/submissions/description/broken_access_control/template.md +++ b/submissions/description/broken_access_control/template.md @@ -1,14 +1,10 @@ -# Generic Broken Access Control - -## Overview of the Vulnerability - When access controls are broken, users are able to perform functions outside of their intended user functionality within the application. Access controls help enforce users' access and how they interact with applications and APIs through authorization. There can be vertical, horizontal, and conditional access controls which give a user their intended permissions within an application. Broken access control in this application can be leveraged by an attacker to elevate privileges, or manipulate, destroy, or disclose data, depending on the type of access control vulnerability being exploited. -## Business Impact +**Business Impact** Broken access controls can lead to financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -21,7 +17,7 @@ Broken access controls can lead to financial loss through an attacker accessing, 1. Observe that the account now has additional user functionality and access to data it was previously not authorized to access -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the broken access control: diff --git a/submissions/description/broken_access_control/username_enumeration/non_brute_force/template.md b/submissions/description/broken_access_control/username_enumeration/non_brute_force/template.md index c01d50bf..3d0f5927 100644 --- a/submissions/description/broken_access_control/username_enumeration/non_brute_force/template.md +++ b/submissions/description/broken_access_control/username_enumeration/non_brute_force/template.md @@ -1,20 +1,16 @@ -# Username Enumeration (Non-Brute Force) - -## Overview of the Vulnerability - Username enumeration is a vulnerability where an attacker is able to confirm or guess correct usernames through a difference in the server’s response to input. It often occurs on login, registration, and password reset pages. This application has a username enumeration vulnerability which allows an attacker to identify the username or email of a user without brute forcing it, allowing an attacker to gain this user information for all users within the application in a short period of time. -## Business Impact +**Business Impact** Username enumeration can result in reputational damage for the business through the impact to customers’ trust in the application’s security of user accounts. If an attacker is able to chain this vulnerability with another it can lead to user account compromise and data exfiltration. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Attempt to authenticate 1. Observe the response from the server indicating that the username/email is valid or not -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the response from the server: diff --git a/submissions/description/broken_access_control/username_enumeration/template.md b/submissions/description/broken_access_control/username_enumeration/template.md index f4dd995d..ed2c9193 100644 --- a/submissions/description/broken_access_control/username_enumeration/template.md +++ b/submissions/description/broken_access_control/username_enumeration/template.md @@ -1,20 +1,16 @@ -# Username Enumeration - -## Overview of the Vulnerability - Username enumeration is a vulnerability where an attacker is able to confirm or guess correct usernames through the difference in the server’s response to input. It often occurs on login, registration, and password reset pages. This application has a username enumeration vulnerability which allows an attacker to brute force passwords, stuff credentials, or for further attacks such as social engineering. -## Business Impact +**Business Impact** Username enumeration can result in reputational damage for the business through the impact to customers’ trust in the application’s security of user accounts. If an attacker is able to chain this vulnerability with another it can lead to user account compromise and data exfiltration. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Attempt to authenticate 1. Observe the response from the server indicating that the username/email is valid or not -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the response from the server: diff --git a/submissions/description/broken_authentication_and_session_management/authentication_bypass/template.md b/submissions/description/broken_authentication_and_session_management/authentication_bypass/template.md index 033f210e..33a7ef5e 100644 --- a/submissions/description/broken_authentication_and_session_management/authentication_bypass/template.md +++ b/submissions/description/broken_authentication_and_session_management/authentication_bypass/template.md @@ -1,22 +1,18 @@ -# Authentication Bypass - -## Overview of the Vulnerability - Authentication bypass vulnerabilities allow an attacker to gain access to an account without having to go through the application's authentication procedure. Authentication bypass often occurs through logic flaws and incomplete implementation of authentication mechanisms. Bypassing the authentication mechanisms of this application allows an attacker to view or edit data or other user's permissions, take over user accounts, access unauthorized endpoints, or expose critical data, depending on the authorization of the account they gain access to. -## Business Impact +**Business Impact** Authentication bypass can lead to data loss or theft through an attacker's access to data. The severity of which is dependent on the sensitivity of the data within the application. It can also result in reputational damage to the application or the company due to legitimate users not trusting the security of the application if the application's data becomes publicly available. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to: {{URL}} and login as a regular user 1. In the URL, change the `/user` to `/user/administrator` 1. Observe that the application now allows the user to view other user's profile details. These actions are usually restricted to an authenticated user -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following image(s) show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/cleartext_transmission_of_session_token/template.md b/submissions/description/broken_authentication_and_session_management/cleartext_transmission_of_session_token/template.md index 501ec921..fabc7c3d 100644 --- a/submissions/description/broken_authentication_and_session_management/cleartext_transmission_of_session_token/template.md +++ b/submissions/description/broken_authentication_and_session_management/cleartext_transmission_of_session_token/template.md @@ -1,14 +1,10 @@ -# Cleartext Transmission of Session Token - -## Overview of the Vulnerability - Session tokens help a server trust that the requests it is receiving come from a specific authenticated user. When a session token is transmitted in cleartext over an unencrypted channel, it can be intercepted via a Person-in-the-Middle (PitM) attack. This application transmits the session token via a cleartext transmission which can allow an attacker to access the session token via a PitM attack and send requests to the server pretending to be the legitimate user. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft through the attacker’s ability to manipulate data through their ability to make requests to the server through a legitimate session token. However, the attacker is limited by the legitimate user’s privileges within the application/ -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -16,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Observe the `Secure` flag is not set 1. Observe that cookies are sent in cleartext -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show the session token being transmitted via cleartext: diff --git a/submissions/description/broken_authentication_and_session_management/concurrent_logins/template.md b/submissions/description/broken_authentication_and_session_management/concurrent_logins/template.md index 29fabdb4..af6e537a 100644 --- a/submissions/description/broken_authentication_and_session_management/concurrent_logins/template.md +++ b/submissions/description/broken_authentication_and_session_management/concurrent_logins/template.md @@ -1,21 +1,17 @@ -# Concurrent Logins - -## Overview of the Vulnerability - Having multiple concurrent logins can allow an attacker to reuse stolen or acquired session tokens to hijack requests. Old sessions are commonly found in open source intelligence efforts or through sniffed requests via Person-in-The-Middle (PitM) attacks. An attacker can use previously acquired sessions to exploit the privacy of a user of this application by continually accessing their account. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login to the application 1. Using an incognito tab or another browser, login using the same credentials 1. Observe that both sessions remain valid -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show the concurrent logins: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/template.md index ab2cf912..97f7b1f7 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/all_sessions/template.md @@ -1,16 +1,12 @@ -# Failure to Invalidate Sessions on All Sessions - -## Overview of the Vulnerability - Sessions commonly fail to invalidate active sessions. An attacker can use previously acquired sessions to exploit the privacy of a targeted user by continually accessing their account and gathering information about an application’s endpoints an unauthenticated user will not usually have access to. An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the request using the HTTP interception proxy 1. Observe that the application responds to the request -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/long_timeout/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/long_timeout/template.md index 2c9fe4c8..a353ad12 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/long_timeout/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/long_timeout/template.md @@ -1,16 +1,12 @@ -# Failure to Invalidate Sessions via Long Timeout - -## Overview of the Vulnerability - Sessions commonly fail to invalidate active sessions. An attacker can use previously acquired sessions to exploit the privacy of a targeted user by continually accessing their account and gathering information about an application’s endpoints an unauthenticated user will not usually have access to. Due to the application’s long timeout expiration on sessions, an attacker has a longer window of opportunity to use valid user sessions maliciously. An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +16,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the request using the HTTP interception proxy 1. Observe that the application responds to the request -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/template.md index dd8f9b94..f9caacf1 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_email_change/template.md @@ -1,16 +1,12 @@ -# Failure to Invalidate Sessions via Email Change - -## Overview of the Vulnerability - Sessions commonly fail to invalidate active sessions. An attacker can use previously acquired sessions to exploit the privacy of a targeted user by continually accessing their account and gathering information about an application’s endpoints an unauthenticated user would not usually have access to. Even when a valid user changes their email address within the application, other user sessions are not invalidated. An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -21,7 +17,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the request using the HTTP interception proxy 1. Observe that the application responds to the request -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/template.md index 4a5944e2..6f4418a9 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout/template.md @@ -1,18 +1,14 @@ -# Failure to Invalidate Session on Logout - -## Overview of the Vulnerability - Failure to invalidate a session when a user logs out is a vulnerability that increases the attack surface for session hijacking attacks, such as Cross-Site Scripting (XSS), session sniffing, and other client-side attacks. Most users have the expectation that when they logout, no one else can access their account. When sessions are not invalidated on logout, the user’s trust is broken. This application fails to invalidate a user’s session on logout, leaving the account vulnerable to session hijacking. An attacker may compromise a user’s session then be able to change the password of the account and lock out the legitimate user. Once the attacker has gained access to an account their actions are only limited by the privileges of the user’s account that they have gained access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. Failure to invalidate a session on logout may also lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -27,7 +23,7 @@ Failure to invalidate a session on logout may also lead to data theft through th 1. Observe that the session token was not invalidated on logout -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show the logout occurring and the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/template.md index d4d2035e..490ba793 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_logout_server_side_only/template.md @@ -1,18 +1,14 @@ -# Failure to Invalidate Session on Logout (Server-Side) - -## Overview of the Vulnerability - Failure to invalidate a session when a user logs out is a vulnerability that increases the attack surface for session hijacking attacks, such as Cross-Site Scripting (XSS), session sniffing, and other client-side attacks. Most users have the expectation that when they logout, no one else can access their account. When sessions are not invalidated on logout, the user’s trust is broken. This application fails to invalidate a user’s session server-side on logout, leaving the account vulnerable to session hijacking. An attacker may compromise a user’s session then be able to change the password of the account and lock out the legitimate user. Once the attacker has gained access to an account their actions are only limited by the privileges of the user’s account that they have gained access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. Failure to invalidate a session on logout may also lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -27,7 +23,7 @@ Failure to invalidate a session on logout may also lead to data theft through th 1. Observe that the session token was not invalidated on logout -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below show the logout occurring and the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_password_change/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_password_change/template.md index 2b96ebe7..e05c610b 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_password_change/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_password_change/template.md @@ -1,21 +1,17 @@ -# Failure to Invalidate Session on Password Change - -Failure to invalidate a session after a password change is a vulnerability which allows an attacker to maintain access on a service. Most users have the expectation that when they reset their password, no one else can access their account. When sessions are not invalidated upon a password reset, the user's trust is broken. Applications that fail to invalidate sessions when the password is changed are more susceptible to account takeover by an attacker who has gained a foothold in a legitimate user's account. - An attacker may compromise a user's session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker's actions are limited by the privileges of the user's account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. Additionally, this can cause escalations where a user knows that their account is compromised, but have no means of evicting an attacker by changing their password. -## Steps to Reproduce +**Steps to Reproduce** 1. Using one browser (Browser A), sign into a user's account using the login page: {{URL}} 1. Using a different browser (Browser B), sign into the same user's account 1. Using Browser A, change the password of the account 1. Using Browser B, observe that the user session is still valid -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show the password change and the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_two_fa_activation_change/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_two_fa_activation_change/template.md index c9d094a1..7723e07d 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_two_fa_activation_change/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/on_two_fa_activation_change/template.md @@ -1,16 +1,12 @@ -# Failure to Invalidate Session on Two-Factor Authentication Activation or Change - -## Overview of the Vulnerability - Failure to invalidate a session after a change in Two-Factor Authentication (2FA) can allow an attacker, who has access to the session cookies, full account access where they can perform actions that the user can. Most users have the expectation that when they reset, change, or activate 2FA, no one else can access their account. When sessions are not invalidated upon 2FA activation or change, the user’s trust is broken. Applications that fail to invalidate sessions when 2FA activated or changed are more susceptible to account takeover by an attacker who has gained a foothold in a legitimate user’s account. An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password or set their own 2FA on the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Sign into a user’s account (Browser A) 1. Sign into the same user’s account, using a different browser (Browser B) @@ -18,7 +14,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Using Browser B, perform an authenticated action, such as changing the profile name 1. Observe that the authenticated action is successful and that the user session is still valid -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show 2FA being set and the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/permission_change/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/permission_change/template.md index 6ba5b897..00bf6700 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/permission_change/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/permission_change/template.md @@ -1,19 +1,15 @@ -# Failure to Invalidate Session on Permission Change - -Failure to invalidate a session after permission change is a vulnerability which allows an attacker to maintain access on a service. An attacker can use previously acquired sessions to continue accessing an account upon permission level change, including the revoking of permissions. This allows an attacker to gather information about an application’s endpoints an unauthenticated user will not usually have access to. The attacker's actions are limited by the privileges of the user account that they have access to. This could include viewing or editing sensitive customer data, or, viewing or editing other user permissions. - -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Using one browser (Browser A), sign into a user's account using the login page: {{URL}} 1. Using a different browser (Browser B), sign into the same user's account 1. Using Browser A, change the permission level of the account 1. Using Browser B, observe that the user session is still valid with elevated account permissions -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/template.md b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/template.md index 5713227e..a2cf7681 100644 --- a/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/template.md +++ b/submissions/description/broken_authentication_and_session_management/failure_to_invalidate_session/template.md @@ -1,22 +1,18 @@ -# Failure to Invalidate Session - -## Overview of the Vulnerability - Failure to invalidate a session is a vulnerability which allows an attacker to maintain access to a service. An attacker can use previously acquired sessions to exploit the privacy of a targeted user by continually accessing their account and gathering information about an application’s endpoints an unauthenticated user will not usually have access to. An attacker may compromise a user’s session through a variety of ways including, calling an internal post authentication page, modifying the given URL parameters, phishing a user, by manipulating a form, or by counterfeiting sessions. Once they have gained account access, an attacker may be able to change the password of the account and lock out the legitimate user. The attacker’s actions are limited by the privileges of the user’s account that they gain access to. This could include viewing or editing sensitive customer data, viewing or editing other user permissions. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Sign into a user’s account (Browser A) 1. Sign into the same user’s account, using a different browser (Browser B) 1. Observe that both user sessions are valid -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the the application failing to invalidate the session: diff --git a/submissions/description/broken_authentication_and_session_management/session_fixation/local_attack_vector/template.md b/submissions/description/broken_authentication_and_session_management/session_fixation/local_attack_vector/template.md index e99a8926..57c6b9a6 100644 --- a/submissions/description/broken_authentication_and_session_management/session_fixation/local_attack_vector/template.md +++ b/submissions/description/broken_authentication_and_session_management/session_fixation/local_attack_vector/template.md @@ -1,14 +1,10 @@ -# Session Fixation using Local Attack Vector - -## Overview of the Vulnerability - Session fixation occurs when there is an error in the way the application manages session IDs for users. An attacker with local access to the application can set the session or cookies manually to force the targeted user’s browser to fixate on using the attacker's session cookies. This can be performed remotely by setting a token in the URL or a hidden form by chaining vulnerabilities. -## Business Impact +**Business Impact** This vulnerability could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +16,7 @@ This vulnerability could lead to data theft through the attacker’s ability to 1. Open another container or incognito session and set the cookie manually 1. Observe the application does {{action}} to show that the session is fixated -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below shows the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/session_fixation/remote_attack_vector/template.md b/submissions/description/broken_authentication_and_session_management/session_fixation/remote_attack_vector/template.md index 6acebcf4..b2932317 100644 --- a/submissions/description/broken_authentication_and_session_management/session_fixation/remote_attack_vector/template.md +++ b/submissions/description/broken_authentication_and_session_management/session_fixation/remote_attack_vector/template.md @@ -1,14 +1,10 @@ -# Session Fixation using Remote Attack Vector - -## Overview of the Vulnerability - Session fixation occurs when there is an error in the way the application manages session IDs for users. An attacker with remote access to the application can set the session or cookies manually to force the targeted user’s browser to fixate on using the attacker's session cookies.This can be performed remotely by setting a token in the URL or a hidden form by chaining vulnerabilities. -## Business Impact +**Business Impact** This vulnerability could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -19,7 +15,7 @@ This vulnerability could lead to data theft through the attacker’s ability to 1. Perform {{action}} to send the request in an incognito browser and login using the same user credentials -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below shows the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/session_fixation/template.md b/submissions/description/broken_authentication_and_session_management/session_fixation/template.md index 6367a756..d1d593ac 100644 --- a/submissions/description/broken_authentication_and_session_management/session_fixation/template.md +++ b/submissions/description/broken_authentication_and_session_management/session_fixation/template.md @@ -1,14 +1,10 @@ -# Session Fixation - -## Overview of the Vulnerability - Session fixation occurs when there is an error in the way the application manages session IDs for users. An attacker with access to the application can set the session or cookies manually to force the targeted user’s browser to fixate on using the attacker's session cookies. This can be performed by setting a token in the URL or a hidden form by chaining vulnerabilities. -## Business Impact +**Business Impact** This vulnerability could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +16,7 @@ This vulnerability could lead to data theft through the attacker’s ability to 1. Open another container or incognito session and set the cookie manually 1. Observe the application does {{action}} to show that the session is fixated -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below shows the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/template.md b/submissions/description/broken_authentication_and_session_management/template.md index 2dc692dc..580f3fd0 100644 --- a/submissions/description/broken_authentication_and_session_management/template.md +++ b/submissions/description/broken_authentication_and_session_management/template.md @@ -1,16 +1,12 @@ -# Broken Authentication and Session Management - -## Overview of the Vulnerability - Broken authentication and session management vulnerabilities exist when a user is able to access resources or perform actions not intended for their user role. Identity and access controls can be bypassed through a variety of ways including but not limited to, calling an internal post authentication page, modifying the given URL parameters, by manipulating the form, or by counterfeiting sessions. This application has authentication and session management controls which an attacker can bypass to access a user account. The attacker is only limited by the permissions of the user account they access, including Administrator users. This could include viewing or editing sensitive customer data, viewing or editing other user permissions, and taking over other user accounts or elevating privileges. -## Business Impact +**Business Impact** Broken authentication and session management could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -22,7 +18,7 @@ Broken authentication and session management could lead to data theft through th 1. Observe that the authentication method or session management has been compromised in some way -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the broken authentication and session management: diff --git a/submissions/description/broken_authentication_and_session_management/two_fa_bypass/template.md b/submissions/description/broken_authentication_and_session_management/two_fa_bypass/template.md index b23cecba..57d2e09a 100644 --- a/submissions/description/broken_authentication_and_session_management/two_fa_bypass/template.md +++ b/submissions/description/broken_authentication_and_session_management/two_fa_bypass/template.md @@ -1,16 +1,12 @@ -# Second Factor Authentication (2FA) Bypass - -## Overview of the Vulnerability - Incorrectly implemented Second Factor Authentication (2FA) mechanisms can be bypassed through manipulation of the form, modifying the given URL parameters, or by counterfeiting the session. The 2FA mechanism for this application can be bypassed by an attacker who can gain access to the application through a user’s account and impersonate users. The attacker is only limited by the permissions of the user account they access, including Administrator users. This could include viewing or editing sensitive customer data, viewing or editing other user permissions, and taking over other user accounts or elevating privileges. -## Business Impact +**Business Impact** Bypassing 2FA mechanisms could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -24,7 +20,7 @@ Bypassing 2FA mechanisms could lead to data theft through the attacker’s abili 1. Observe that the 2FA mechanism has been bypassed and a successful login has occurred -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates that 2FA has been bypassed: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/guidance.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/guidance.md index 217fc707..be1a750e 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/guidance.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/guidance.md @@ -1,5 +1,5 @@ # Guidance -Your submission must include evidence of the vulnerability and not be theoretical in nature. For a broken authentication or session management vulnerability, please include a simple URL or HTTP payload that can be executed to easily demonstrate and reproduce the issue. This can also include a cURL response from the website. For example, showing that HTTP is default or HTTPS is not available. +Your submission must include evidence of the vulnerability and not be theoretical in nature. For a broken authentication or session management vulnerability, please include a simple URL or HTTP payload that can be executed to easily demonstrate and reproduce the issue. This can also include a curl response from the website. For example, showing that HTTP is default or HTTPS is not available. Attempt to escalate the broken authentication or session management to perform additional actions (such as an account takeover or CSRF bypass to perform a sensitive action). If this is possible, provide a full Proof of Concept (PoC). diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/http_and_https_available/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/http_and_https_available/template.md index adf08550..959b43f7 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/http_and_https_available/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/http_and_https_available/template.md @@ -1,21 +1,17 @@ -# Weak Login Function: HTTP and HTTPS Available - -## Overview of the Vulnerability - Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This application does not protect the security of users’ credentials as it allows the login page to load over both a HTTP and a HTTPS connection. This means that it is possible for web requests to be transmitted over HTTP in plaintext, allowing an attacker on the same network to observe these requests, and obtain the login credentials. -## Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gain access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the credentials are submitted HTTPS, but are also accessible on HTTP -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/https_not_available_or_http_by_default/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/https_not_available_or_http_by_default/template.md index a29d2a82..fb76a722 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/https_not_available_or_http_by_default/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/https_not_available_or_http_by_default/template.md @@ -1,21 +1,17 @@ -# Weak Login Function: HTTPS Not Available or HTTP by Default - -## Overview of the Vulnerability - Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. When this application loads the login page over HTTP by default or doesn’t have HTTPS available, all web requests are transmitted over HTTP in plaintext. This allows any attacker on the same network to observe these requests, and obtain the login credentials. -## Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gain access to the user’s account. From here, the attacker could delete or modify the users data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the credentials are submitted over HTTP by default -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/lan_only/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/lan_only/template.md index 327754c4..8bcb6b9f 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/lan_only/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/lan_only/template.md @@ -1,14 +1,10 @@ -# Weak Login Function: via LAN Only - -## Overview of the Vulnerability - Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This application does not protect the security of users’ credentials as the login is only available via a LAN connection. A malicious attacker can Person-in-the-Middle (PiTM) communication between the user and the application on the LAN to steal administrative credentials and login to the system using admin privileges. -## Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gaining access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +**Steps to Reproduce** 1. On the LAN, poison the DNS and ARP tables of the target: @@ -20,7 +16,7 @@ Weak login function can lead to indirect financial loss through an attacker acce 1. Forward the request to see that the requests are unencrypted in transit -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/not_operational/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/not_operational/template.md index 96f6cddd..3283ea22 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/not_operational/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/not_operational/template.md @@ -1,14 +1,10 @@ -# Weak Login Function on Non-Operational Endpoint - -## Overview of the Vulnerability - Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This application does not protect the security of users’ credentials as it allows a login function to load on a non-operational endpoint that is not intended for public access. An attacker can Person-in-the-Middle (PiTM) communication between the user and the application on the specified IP to steal administrative credentials and login to the system using admin privileges. -## Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gaining access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to the vulnerable endpoint: {{URL or x.x.x.x}} @@ -20,7 +16,7 @@ Weak login function can lead to indirect financial loss through an attacker acce 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the requests are unencrypted in transit -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/other_plaintext_protocol_no_secure_alternative/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/other_plaintext_protocol_no_secure_alternative/template.md index def73ee8..55dec947 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/other_plaintext_protocol_no_secure_alternative/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/other_plaintext_protocol_no_secure_alternative/template.md @@ -1,21 +1,17 @@ -# Weak Login Function: Other Plaintext Protocol Does Not Implement Secure Alternative - -## Overview of the Vulnerability - Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This application does not protect the security of users’ credentials as it allows the authentication to be transmitted over a plaintext protocol and does not implement a secure alternative. This means that it is possible for user credentials to be transmitted in plaintext, allowing an attacker on the same network to observe these requests, and obtain the login credentials. -## Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gain access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the credentials are submitted over an unsecure protocol and there is no option for HTTPS -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/over_http/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/over_http/template.md index ceccc40e..d6bf7d39 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/over_http/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/over_http/template.md @@ -1,21 +1,17 @@ -# Weak Login Function: Over HTTP - -## Overview of the Vulnerability - Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. When this application loads the login page over HTTP all web requests are transmitted in plaintext, allowing any attacker on the same network to observe these requests, and obtain the login credentials. -## Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing login credentials and gain access to the user’s account. From here, the attacker could delete, or modify data. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Attempt to sign into the website using the login button 1. In the HTTP interception proxy, observe that the credentials are submitted over HTTP -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_login_function/template.md b/submissions/description/broken_authentication_and_session_management/weak_login_function/template.md index 96a051f5..0bc402c1 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_login_function/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_login_function/template.md @@ -1,14 +1,10 @@ -# Weak Login Function - -## Overview of the Vulnerability - Weak login functionality arises from improperly configured authentication practices which weakens the security of the authentication process of an application. This can lead to an attacker gaining access to user data and functionality of the application by taking advantage of the broken authentication and session management mechanisms. -## Business Impact +**Business Impact** Weak login function can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +16,7 @@ Weak login function can lead to indirect financial loss through an attacker acce 1. Observe in the HTTP interception proxy a 200 OK in the HTTP response indicating valid access -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenhots show the full exploit: diff --git a/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/over_http/template.md b/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/over_http/template.md index ca4d7d92..4f53a1bf 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/over_http/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/over_http/template.md @@ -1,20 +1,16 @@ -# Weak Registration Implementation Over HTTP - -## Overview of the Vulnerability - When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. The application sends a registration or confirmation link over an unsecure HTTP connection. An attacker with local network access can intercept and read the content of the HTTP connection, allowing them to abuse the registration process and misuse user accounts. -## Business Impact +**Business Impact** Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Register a new user account 1. Observe that the registration implementation is connected over HTTP -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak registration implementation: diff --git a/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/template.md b/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/template.md index 391b9263..96397da4 100644 --- a/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/template.md +++ b/submissions/description/broken_authentication_and_session_management/weak_registration_implementation/template.md @@ -1,20 +1,16 @@ -# Weak Registration Implementation - -## Overview of the Vulnerability - When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. An application's registration process can be weakened by a connection over HTTP, or by allowing users to submit a disposable or alias email address to register an account, for example.The weak registration implementation for this application could allow an attacker to abuse the registration process and bulk register fake user profiles to launch spam campaigns. -## Business Impact +**Business Impact** Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Register an account 1. {{action}} and observe that the registration implementation is weak -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak registration implementation: diff --git a/submissions/description/client_side_injection/binary_planting/no_privilege_escalation/template.md b/submissions/description/client_side_injection/binary_planting/no_privilege_escalation/template.md index 4bb97356..c3258163 100644 --- a/submissions/description/client_side_injection/binary_planting/no_privilege_escalation/template.md +++ b/submissions/description/client_side_injection/binary_planting/no_privilege_escalation/template.md @@ -1,14 +1,10 @@ -# Client-Side Injection via Binary Planting (No Privilege Escalation) - -## Overview of the Vulnerability - Client-side injection via binary planting is a vulnerability that results from client-side untrusted data, in the form of a binary file, being interpreted and executed by the system. Within the application an attacker is able to load a planted binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} @@ -16,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Upload binary file using {{action}} 1. {{action}} to see permissions executed by the system -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the binary planting: diff --git a/submissions/description/client_side_injection/binary_planting/non_default_folder_privilege_escalation/template.md b/submissions/description/client_side_injection/binary_planting/non_default_folder_privilege_escalation/template.md index 2c8ba6d6..c01d0d6b 100644 --- a/submissions/description/client_side_injection/binary_planting/non_default_folder_privilege_escalation/template.md +++ b/submissions/description/client_side_injection/binary_planting/non_default_folder_privilege_escalation/template.md @@ -1,14 +1,10 @@ -# Client-Side Injection via Binary Planting (Non-Default Folder Privilege Escalation) - -## Overview of the Vulnerability - Client-side injection via binary planting is a vulnerability that results from client-side untrusted data, in the form of a binary file, being interpreted and executed by the system. Within the application an attacker is able to load a planted binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. It could also result in privacy violations, fraud, or account takeover depending on the type of privilege escalation obtained by the attacker. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} @@ -16,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Upload binary file using {{action}} 1. {{action}} to see permissions executed by the system -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the binary planting: diff --git a/submissions/description/client_side_injection/binary_planting/privilege_escalation/template.md b/submissions/description/client_side_injection/binary_planting/privilege_escalation/template.md index 00f89505..57630d08 100644 --- a/submissions/description/client_side_injection/binary_planting/privilege_escalation/template.md +++ b/submissions/description/client_side_injection/binary_planting/privilege_escalation/template.md @@ -1,14 +1,10 @@ -# Client-Side Injection via Binary Planting (Default Folder Privilege Escalation) - -## Overview of the Vulnerability - Client-side injection via binary planting is a vulnerability that results from client-side untrusted data, in the form of a binary file, being interpreted and executed by the system. Within the application an attacker is able to load a planted binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to elevate their privileges in the default folder location. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. It could also result in privacy violations, fraud, or account takeover depending on the type of privilege escalation obtained by the attacker. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} @@ -16,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Upload binary file using {{action}} 1. {{action}} to see permissions executed by the system -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the binary planting: diff --git a/submissions/description/client_side_injection/binary_planting/template.md b/submissions/description/client_side_injection/binary_planting/template.md index da6d339a..c3258163 100644 --- a/submissions/description/client_side_injection/binary_planting/template.md +++ b/submissions/description/client_side_injection/binary_planting/template.md @@ -1,14 +1,10 @@ -# Client-Side Injection via Binary Planting - -## Overview of the Vulnerability - Client-side injection via binary planting is a vulnerability that results from client-side untrusted data, in the form of a binary file, being interpreted and executed by the system. Within the application an attacker is able to load a planted binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} @@ -16,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Upload binary file using {{action}} 1. {{action}} to see permissions executed by the system -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the binary planting: diff --git a/submissions/description/client_side_injection/template.md b/submissions/description/client_side_injection/template.md index 5c09dc05..9cd9cfed 100644 --- a/submissions/description/client_side_injection/template.md +++ b/submissions/description/client_side_injection/template.md @@ -1,20 +1,16 @@ -# Client-Side Injection +Client-side injection is a vulnerability that results from untrusted client-side data being interpreted and executed by the system without any checks. Within the application an attacker is able to inject data in the form of JavaScript, or a binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. -## Overview of the Vulnerability - -Client-side injection is a vulnerability that results from untrusted client-side data being interpreted and executed by the system without any checks. Within the application an attacker is able to inject data in the form of Javascript, or a binary file on a local or remote file system, which is then loaded and executed by the application. As a result, the attacker is able to invoke code remotely on the machine. - -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Notice that {{value}} is loaded by the application when doing {{action}} 1. Perform {{action}} to see the injected code executed by the system -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the client-side injection: diff --git a/submissions/description/cross_site_request_forgery_csrf/action_specific/authenticated_action/template.md b/submissions/description/cross_site_request_forgery_csrf/action_specific/authenticated_action/template.md index db4f6ef8..6b60933d 100644 --- a/submissions/description/cross_site_request_forgery_csrf/action_specific/authenticated_action/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/action_specific/authenticated_action/template.md @@ -1,16 +1,12 @@ -# Cross-Site Request Forgery (Authenticated Action) - -## Overview of the Vulnerability - Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. CSRF is possible for this application for an authenticated user action, allowing an attacker to submit requests to the application on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -## Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code: @@ -27,7 +23,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/action_specific/logout/template.md b/submissions/description/cross_site_request_forgery_csrf/action_specific/logout/template.md index e46142bf..912f04f2 100644 --- a/submissions/description/cross_site_request_forgery_csrf/action_specific/logout/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/action_specific/logout/template.md @@ -1,16 +1,12 @@ -# Cross-Site Request Forgery For Logout Functionality - -## Overview of the Vulnerability - Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. CSRF is possible within this application, allowing an attacker to log-out a valid user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain, logging the user out of their session. An attacker can deny service to users using this CSRF vector to prevent access to the application and constantly logging users out. -## Business Impact +**Business Impact** CSRF could lead to reputational damage for the business through the impact to customers’ trust due to not being able to reliably access the application. This could also cause indirect financial impacts to the business. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code: @@ -27,7 +23,7 @@ and forward the request to the endpoint: 1. Observe the user was logged out, proving that the CSRF POC code was successful -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/action_specific/template.md b/submissions/description/cross_site_request_forgery_csrf/action_specific/template.md index 7754026e..9b9fc686 100644 --- a/submissions/description/cross_site_request_forgery_csrf/action_specific/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/action_specific/template.md @@ -1,18 +1,14 @@ -# Cross-Site Request Forgery (Authenticated Action) - -## Overview of the Vulnerability - Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. CSRF is possible for this application for a specific action, such as a logout, login, or other specific user action, allowing an attacker to submit requests to the application on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. The attacker’s actions are limited by the privileges of the user, as well as the application’s capabilities and the data stored within it. -## Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login to the application at: {{URL}} @@ -32,7 +28,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/action_specific/unauthenticated_action/template.md b/submissions/description/cross_site_request_forgery_csrf/action_specific/unauthenticated_action/template.md index bc222efb..fdb75eee 100644 --- a/submissions/description/cross_site_request_forgery_csrf/action_specific/unauthenticated_action/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/action_specific/unauthenticated_action/template.md @@ -1,16 +1,12 @@ -# Cross-Site Request Forgery For Unauthenticated Action - -## Overview of the Vulnerability - Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of a user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. CSRF is possible for this application for an unauthenticated user action, allowing an attacker to submit requests to the application on behalf of an unauthenticated user. This can include actions such as registration which can result in multiple fake accounts, or a login action which can login accounts uneccisarily. -## Business Impact +**Business Impact** CSRF could lead to reputational damage for the business through the impact to customers’ trust in the application. Not having CSRF protection on unauthenticated actions means the application is more susceptible to XSS attacks which can involve an attacker gaining access to user data. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code: @@ -27,7 +23,7 @@ CSRF could lead to reputational damage for the business through the impact to cu 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/application_wide/template.md b/submissions/description/cross_site_request_forgery_csrf/application_wide/template.md index 43efc662..6a4c3163 100644 --- a/submissions/description/cross_site_request_forgery_csrf/application_wide/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/application_wide/template.md @@ -1,16 +1,12 @@ -# Cross-Site Request Forgery (Application-Wide) - -## Overview of the Vulnerability - Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. Application-wide CSRF is possible for this application, allowing an attacker to submit requests to the application on behalf of an authenticated user on multiple endpoints. This can include changing the password and email associated with the account, or deleting the user account. These actions can severely disrupt a user's experience and lead to account takeover. -## Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code: @@ -28,7 +24,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} 1. Repeat the above steps for every user action on the application, demonstrating that the lack of CSRF protection is an application-wide issue -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/template.md b/submissions/description/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/template.md index a9f9913b..8c5c7a0d 100644 --- a/submissions/description/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/csrf_token_not_unique_per_request/template.md @@ -1,16 +1,12 @@ -# Cross-Site Request Forgery Token is Not Unique Per Request - -## Overview of the Vulnerability - Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. CSRF is possible for this application as the CSRF token is not unique per request, allowing an attacker to submit requests to the application on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -## Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to sign into the application at: {{URL}} @@ -30,7 +26,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/flash_based/high_impact/template.md b/submissions/description/cross_site_request_forgery_csrf/flash_based/high_impact/template.md index d42af775..a1d6d3ac 100644 --- a/submissions/description/cross_site_request_forgery_csrf/flash_based/high_impact/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/flash_based/high_impact/template.md @@ -1,16 +1,12 @@ -# Flash-Based Cross-Site Request Forgery (High Impact) - -## Overview of the Vulnerability - Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. A high impact flash-based CSRF is possible for this application allowing an attacker to submit requests to the application on behalf of an authenticated privileged user. An attacker is able to perform the actions of a privileged user through their account. This could include modifying, adding, or removing data from the application. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -## Business Impact +**Business Impact** High impact CSRF could lead to data modification or theft leading to indirect financial impact to the business. An attacker is also able to interact with other users, including performing other malicious attacks which would appear to originate from a legitimate privileged user. These malicious actions could result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code which uses a `.SWF` file: @@ -27,7 +23,7 @@ High impact CSRF could lead to data modification or theft leading to indirect fi 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/flash_based/low_impact/template.md b/submissions/description/cross_site_request_forgery_csrf/flash_based/low_impact/template.md index e72d6a15..1557ff24 100644 --- a/submissions/description/cross_site_request_forgery_csrf/flash_based/low_impact/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/flash_based/low_impact/template.md @@ -1,16 +1,12 @@ -# Flash-Based Cross-Site Request Forgery (Low Impact) - -## Overview of the Vulnerability - Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. A low impact flash-based CSRF is possible for this application, allowing an attacker to submit requests to the application for non-sensitive actions on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -## Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code which uses a `.SWF` file: @@ -27,7 +23,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/flash_based/template.md b/submissions/description/cross_site_request_forgery_csrf/flash_based/template.md index 98be434b..cea09c52 100644 --- a/submissions/description/cross_site_request_forgery_csrf/flash_based/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/flash_based/template.md @@ -1,16 +1,12 @@ -# Flash-Based Cross-Site Request Forgery - -## Overview of the Vulnerability - Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. Flash-based CSRF is possible for this application, allowing an attacker to submit requests to the application on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. -## Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Modify the request with the following CSRF POC code which uses a `.SWF` file: @@ -27,7 +23,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe within the HTTP interception proxy that the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_request_forgery_csrf/template.md b/submissions/description/cross_site_request_forgery_csrf/template.md index d9c513cf..1d5833c5 100644 --- a/submissions/description/cross_site_request_forgery_csrf/template.md +++ b/submissions/description/cross_site_request_forgery_csrf/template.md @@ -1,18 +1,14 @@ -# Cross-Site Request Forgery - -## Overview of the Vulnerability - Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user. CSRF is possible for this application, allowing an attacker to submit requests to the application on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. The attacker’s actions are limited by the privileges of the user, as well as the application’s capabilities and the data stored within it. -## Business Impact +**Business Impact** CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to sign into the application at: {{URL}} @@ -32,7 +28,7 @@ CSRF could lead to data theft through the attacker’s ability to manipulate dat 1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Please view the proof of concept CSRF HTML code below: diff --git a/submissions/description/cross_site_scripting_xss/cookie_based/template.md b/submissions/description/cross_site_scripting_xss/cookie_based/template.md index 12ecc4f9..46bf76a7 100644 --- a/submissions/description/cross_site_scripting_xss/cookie_based/template.md +++ b/submissions/description/cross_site_scripting_xss/cookie_based/template.md @@ -1,16 +1,12 @@ -# Cookie-Based Cross-Site Scripting - -## Overview of the Vulnerability - -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. Cookie-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser in the context of this domain. This is possible as an attacker could chain this vulnerability with a Carrige Return Line Feed (CRLF) injection attack and split the HTTP response, allowing the attacker to write data into the HTTP response body. Alternatively, an attacker could socially engineer the user to add the cookie containing malicious JavaScript into the user’s browser. If successful, the JavaScript will execute within that user’s browser in the context of this domain. +Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. Cookie-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser in the context of this domain. This is possible as an attacker could chain this vulnerability with a Carrige Return Line Feed (CRLF) injection attack and split the HTTP response, allowing the attacker to write data into the HTTP response body. Alternatively, an attacker could socially engineer the user to add the cookie containing malicious JavaScript into the user’s browser. If successful, the JavaScript will execute within that user’s browser in the context of this domain. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to the following URL and login: {{URL}} @@ -23,7 +19,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Refresh the page and observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/flash_based/template.md b/submissions/description/cross_site_scripting_xss/flash_based/template.md index a1b90a9c..b31306da 100644 --- a/submissions/description/cross_site_scripting_xss/flash_based/template.md +++ b/submissions/description/cross_site_scripting_xss/flash_based/template.md @@ -1,16 +1,12 @@ -# Flash-Based Cross-Site Scripting - -## Overview of the Vulnerability - -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. Flash-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. +Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. Flash-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** Flash-based XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to the following URL and login: {{URL}} @@ -23,7 +19,7 @@ Flash-based XSS could lead to data theft through the attacker’s ability to man 1. Refresh the page and observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/ie_only/template.md b/submissions/description/cross_site_scripting_xss/ie_only/template.md index 0aa3e8c3..4cc08d17 100644 --- a/submissions/description/cross_site_scripting_xss/ie_only/template.md +++ b/submissions/description/cross_site_scripting_xss/ie_only/template.md @@ -1,14 +1,10 @@ -# Cross-Site Scripting (Internet Explorer Only) - -## Overview of the Vulnerability - -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. This instance of XSS can be found on the domain which allows an attacker to control code that is executed within a user’s Internet Explorer browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. +Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. This instance of XSS can be found on the domain which allows an attacker to control code that is executed within a user’s Internet Explorer browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. -## Business Impact +**Business Impact** XSS could result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use an Internet Explorer browser to navigate to: {{URL}} @@ -21,7 +17,7 @@ XSS could result in reputational damage for the business through the impact to c 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md b/submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md index c6f800c1..c7d9906c 100644 --- a/submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md +++ b/submissions/description/cross_site_scripting_xss/off_domain/data_uri/template.md @@ -1,16 +1,12 @@ -# Cross-Site Scripting Off Domain via Data URI - -## Overview of the Vulnerability - -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. XSS can be found in this application which allows an attacker to input data into the URL that can be interpreted as a JavaScript payload. The data is then executed in the context of a domain which is off the primary domain. +Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. XSS can be found in this application which allows an attacker to input data into the URL that can be interpreted as a JavaScript payload. The data is then executed in the context of a domain which is off the primary domain. This carries the risk of an attacker being able to trigger an exploit on a seperate domain. By controlling code that is executed within a user’s browser, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. -## Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -24,7 +20,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/off_domain/template.md b/submissions/description/cross_site_scripting_xss/off_domain/template.md index 80d34eaf..d748ff65 100644 --- a/submissions/description/cross_site_scripting_xss/off_domain/template.md +++ b/submissions/description/cross_site_scripting_xss/off_domain/template.md @@ -1,16 +1,12 @@ -# Cross-Site Scripting Off Domain - -## Overview of the Vulnerability - -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. XSS can be found in this application which allows an attacker to control code that is executed within a user’s browser in the context of a domain which is off the primary domain. +Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. XSS can be found in this application which allows an attacker to control code that is executed within a user’s browser in the context of a domain which is off the primary domain. This carries the risk of an attacker being able to trigger an exploit on a separate domain, where only cookies scoped for that domain are at risk. By controlling code that is executed within a user’s browser, an attacker could carry out any action that the user is able to perform. This could include accessing any of the user's data and modifying information within the user’s permissions, assuming that there is a misconfiguration of the scoping for cookies and Cross-Origin Resource Sharing (CORS). -## Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +19,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to: {{URL}} 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/referer/template.md b/submissions/description/cross_site_scripting_xss/referer/template.md index 1e6be3ad..c68e5622 100644 --- a/submissions/description/cross_site_scripting_xss/referer/template.md +++ b/submissions/description/cross_site_scripting_xss/referer/template.md @@ -1,16 +1,12 @@ -# Referer-Based Cross-Site Scripting - -## Overview of the Vulnerability - -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. Referer-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. This occurs as the referer HTTP header is vulnerable to manipulation. +Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. Referer-based XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. This occurs as the referer HTTP header is vulnerable to manipulation. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +19,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/reflected/non_self/template.md b/submissions/description/cross_site_scripting_xss/reflected/non_self/template.md index 7aa9da55..18831a85 100644 --- a/submissions/description/cross_site_scripting_xss/reflected/non_self/template.md +++ b/submissions/description/cross_site_scripting_xss/reflected/non_self/template.md @@ -1,16 +1,12 @@ -# Reflected Cross-Site Scripting (Non-self) - -## Overview of the Vulnerability - -Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript code is injected into a website. When a user visits the affected web page, the JavaScript code executes and its input is reflected in the user's browser. Reflected XSS can be found on this domain which allows an attacker to create a crafted URL which when opened by a user will execute arbitrary Javascript within that user's browser in the context of this domain. +Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript code is injected into a website. When a user visits the affected web page, the JavaScript code executes and its input is reflected in the user's browser. Reflected XSS can be found on this domain which allows an attacker to create a crafted URL which when opened by a user will execute arbitrary JavaScript within that user's browser in the context of this domain. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** Reflected XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -22,7 +18,7 @@ Reflected XSS could lead to data theft through the attacker’s ability to manip 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint: diff --git a/submissions/description/cross_site_scripting_xss/reflected/self/template.md b/submissions/description/cross_site_scripting_xss/reflected/self/template.md index 90c5105b..1ffd790f 100644 --- a/submissions/description/cross_site_scripting_xss/reflected/self/template.md +++ b/submissions/description/cross_site_scripting_xss/reflected/self/template.md @@ -1,16 +1,12 @@ -# Reflected Cross-Site Scripting (Self) - -## Overview of the Vulnerability - Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript code is injected into a website. When a user visits the affected web page, the JavaScript code executes and its input is reflected in the user’s browser. Self-reflected XSS can be found on this domain which allows an attacker to create crafted JavaScript payload. Additionally, the attacker needs to socially engineer the user to paste the JavaScript payload into the user’s browser. If successful, the JavaScript will execute temporarily within that user’s browser in the context of the domain. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** Self-reflected XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login as a user @@ -22,7 +18,7 @@ Self-reflected XSS could lead to data theft through the attacker’s ability to 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint: diff --git a/submissions/description/cross_site_scripting_xss/reflected/template.md b/submissions/description/cross_site_scripting_xss/reflected/template.md index 05a6d240..3a7cd298 100644 --- a/submissions/description/cross_site_scripting_xss/reflected/template.md +++ b/submissions/description/cross_site_scripting_xss/reflected/template.md @@ -1,16 +1,12 @@ -# Reflected Cross-Site Scripting - -## Overview of the Vulnerability - -Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript code is injected into a website. When a user visits the affected web page, the JavaScript code executes and its input is reflected in the user’s browser. Reflected XSS can be found on this domain which allows an attacker to create a crafted URL. When opened by a user, this URL will execute arbitrary Javascript within that user’s browser in the context of the domain. +Reflected Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript code is injected into a website. When a user visits the affected web page, the JavaScript code executes and its input is reflected in the user’s browser. Reflected XSS can be found on this domain which allows an attacker to create a crafted URL. When opened by a user, this URL will execute arbitrary JavaScript within that user’s browser in the context of the domain. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** Reflected XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -22,7 +18,7 @@ Reflected XSS could lead to data theft through the attacker’s ability to manip 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint: diff --git a/submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md b/submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md index 2af66a8b..eda4d4a4 100644 --- a/submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/non_admin_to_anyone/template.md @@ -1,18 +1,14 @@ -# Stored Cross-Site Scripting (Non-Privileged User to Anyone) - -## Overview of the Vulnerability - Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and escalate from no privileges to any user type, which could include an Administrator level user. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. to create a crafted JavaScript payload. When a user navigates to the page, the arbitrary JavaScript executes within that user’s browser in the context of this domain. -## Business Impact +**Business Impact** Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Navigate to {{URL}} @@ -26,7 +22,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Observe the JavaScript payload being executed, capturing the cookies of User A 1. Logout of User A’s account -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint, {{URL}}: diff --git a/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md b/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md index 463e3c02..0c5df807 100644 --- a/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_no_privilege_elevation/template.md @@ -1,16 +1,12 @@ -# Stored Cross-Site Scripting (Privileged User to No Privilege Elevation) - -## Overview of the Vulnerability - -Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and gain access to an account of a user with the same privilege level. +Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and gain access to an account of a user with the same privilege level. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Log into the application at with an account (User A) @@ -26,7 +22,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Log out of User B and log into the account of User A 1. Observe the account for User A has access to account information of User B -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint, {{URL}}: diff --git a/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md b/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md index 172e9946..13b3f1ab 100644 --- a/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/privileged_user_to_privilege_elevation/template.md @@ -1,16 +1,12 @@ -# Stored Cross-Site Scripting (Privileged User to Privilege Elevation) - -## Overview of the Vulnerability - -Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and escalate from a privileged user to a higher privileged user, which could include an Administrator level user. +Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and escalate from a privileged user to a higher privileged user, which could include an Administrator level user. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Log into the application at with the privileged user account (User B) @@ -26,7 +22,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Log out of the higher-privileged account (User A) and log into the privileged account (User B) 1. Observe the privileged account (User B) has gained escalated privileges -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint, {{URL}}: diff --git a/submissions/description/cross_site_scripting_xss/stored/self/template.md b/submissions/description/cross_site_scripting_xss/stored/self/template.md index d5f267ab..512a3f7c 100644 --- a/submissions/description/cross_site_scripting_xss/stored/self/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/self/template.md @@ -1,16 +1,12 @@ -# Stored Cross-Site Scripting (Self) - -## Overview of the Vulnerability - -Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Self-stored XSS can be found on this domain which allows an attacker to create crafted JavaScript payload. Additionally, the attacker needs to socially engineer the user to paste the JavaScript payload into the user’s browser. If successful, the JavaScript will execute within that user’s browser in the context of this domain. +Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Self-stored XSS can be found on this domain which allows an attacker to create crafted JavaScript payload. Additionally, the attacker needs to socially engineer the user to paste the JavaScript payload into the user’s browser. If successful, the JavaScript will execute within that user’s browser in the context of this domain. When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** Self-stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Login as a user @@ -22,7 +18,7 @@ Self-stored XSS could lead to data theft through the attacker’s ability to man 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing at the vulnerable endpoint: diff --git a/submissions/description/cross_site_scripting_xss/stored/template.md b/submissions/description/cross_site_scripting_xss/stored/template.md index d9ffb48f..e37b4400 100644 --- a/submissions/description/cross_site_scripting_xss/stored/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/template.md @@ -1,16 +1,12 @@ -# Stored Cross-Site Scripting - -## Overview of the Vulnerability - -Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. +Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +19,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/stored/url_based/template.md b/submissions/description/cross_site_scripting_xss/stored/url_based/template.md index bc2c2449..089d0b2f 100644 --- a/submissions/description/cross_site_scripting_xss/stored/url_based/template.md +++ b/submissions/description/cross_site_scripting_xss/stored/url_based/template.md @@ -1,16 +1,12 @@ -# URL-Based Stored Cross-Site Scripting - -## Overview of the Vulnerability - -Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS that is based inside the URL can be found on this domain which allows an attacker to control code that is executed within a user’s browser. +Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Stored XSS that is based inside the URL can be found on this domain which allows an attacker to control code that is executed within a user’s browser. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +19,7 @@ Stored XSS could lead to data theft through the attacker’s ability to manipula 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/template.md b/submissions/description/cross_site_scripting_xss/template.md index 62013fa3..73e64fd6 100644 --- a/submissions/description/cross_site_scripting_xss/template.md +++ b/submissions/description/cross_site_scripting_xss/template.md @@ -1,16 +1,12 @@ -# Cross-Site Scripting - -## Overview of the Vulnerability - -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. +Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. From here, an attacker could carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +19,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/trace_method/template.md b/submissions/description/cross_site_scripting_xss/trace_method/template.md index bd3557dc..10855d27 100644 --- a/submissions/description/cross_site_scripting_xss/trace_method/template.md +++ b/submissions/description/cross_site_scripting_xss/trace_method/template.md @@ -1,16 +1,12 @@ -# Cross-Site Scripting via the TRACE Method - -## Overview of the Vulnerability - -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. This is possible in legacy browsers as an attacker is able to use the TRACE HTTP method to bypass the `HttpOnly` flag set on the authorisation cookie. +Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. XSS can be found on this domain which allows an attacker to control code that is executed within a user’s browser. This is possible in legacy browsers as an attacker is able to use the TRACE HTTP method to bypass the `HttpOnly` flag set on the authorisation cookie. From here, an attacker could hijack a user’s session and carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files. -## Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +19,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cross_site_scripting_xss/universal_uxss/template.md b/submissions/description/cross_site_scripting_xss/universal_uxss/template.md index ddca723c..9c7caba1 100644 --- a/submissions/description/cross_site_scripting_xss/universal_uxss/template.md +++ b/submissions/description/cross_site_scripting_xss/universal_uxss/template.md @@ -1,16 +1,12 @@ -# Universal Cross-Site Scripting - -## Overview of the Vulnerability - -Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of the domain. An instance of Universal XSS can be found on this domain, this allows an attacker to create a crafted URL, which when opened by a user, executes arbitrary Javascript within that user’s browser affecting any user session opened or cached in the browser. +Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of the domain. An instance of Universal XSS can be found on this domain, this allows an attacker to create a crafted URL, which when opened by a user, executes arbitrary JavaScript within that user’s browser affecting any user session opened or cached in the browser. From here, an attacker could carry out any actions that the user is able to perform in the context of the domain for this application, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session. -## Business Impact +**Business Impact** XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +19,7 @@ XSS could lead to data theft through the attacker’s ability to manipulate data 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/cryptographic_weakness/broken_cryptography/template.md b/submissions/description/cryptographic_weakness/broken_cryptography/template.md index 67616363..187bc853 100644 --- a/submissions/description/cryptographic_weakness/broken_cryptography/template.md +++ b/submissions/description/cryptographic_weakness/broken_cryptography/template.md @@ -1,21 +1,17 @@ -# Broken Cryptography - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application uses broken, weak, or otherwise flawed cryptography which can allow an attacker to decrypt sensitive information. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/broken_cryptography/use_of_broken_cryptographic_primitive/template.md b/submissions/description/cryptographic_weakness/broken_cryptography/use_of_broken_cryptographic_primitive/template.md index 139d0d8f..89bd37ff 100644 --- a/submissions/description/cryptographic_weakness/broken_cryptography/use_of_broken_cryptographic_primitive/template.md +++ b/submissions/description/cryptographic_weakness/broken_cryptography/use_of_broken_cryptographic_primitive/template.md @@ -1,21 +1,17 @@ -# Use of Broken Cryptographic Primitive - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application uses a broken cryptographic primitive which can allow an attacker to decrypt sensitive information. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/broken_cryptography/use_of_vulnerable_cryptographic_library/template.md b/submissions/description/cryptographic_weakness/broken_cryptography/use_of_vulnerable_cryptographic_library/template.md index 743a1232..f3a57c36 100644 --- a/submissions/description/cryptographic_weakness/broken_cryptography/use_of_vulnerable_cryptographic_library/template.md +++ b/submissions/description/cryptographic_weakness/broken_cryptography/use_of_vulnerable_cryptographic_library/template.md @@ -1,21 +1,17 @@ -# Use of Vulnerable Cryptographic Library - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application uses a vulnerable cryptographic library which can allow an attacker to decrypt sensitive information. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/incomplete_cleanup_of_keying_material/template.md b/submissions/description/cryptographic_weakness/incomplete_cleanup_of_keying_material/template.md index 108e0d54..5351764b 100644 --- a/submissions/description/cryptographic_weakness/incomplete_cleanup_of_keying_material/template.md +++ b/submissions/description/cryptographic_weakness/incomplete_cleanup_of_keying_material/template.md @@ -1,21 +1,17 @@ -# Incomplete Cleanup of Keying Material - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cleanup of keying material is incomplete and it retains sensitive cryptographic data in memory longer than is necessary. This can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/insecure_implementation/improper_following_of_specification/template.md b/submissions/description/cryptographic_weakness/insecure_implementation/improper_following_of_specification/template.md index 4a351db7..b007efe8 100644 --- a/submissions/description/cryptographic_weakness/insecure_implementation/improper_following_of_specification/template.md +++ b/submissions/description/cryptographic_weakness/insecure_implementation/improper_following_of_specification/template.md @@ -1,21 +1,17 @@ -# Improper Following of Specification (Other) - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the implementation of cryptography improperly follows specifications, which can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the improper following of specification: diff --git a/submissions/description/cryptographic_weakness/insecure_implementation/missing_cryptographic_step/template.md b/submissions/description/cryptographic_weakness/insecure_implementation/missing_cryptographic_step/template.md index 7433f6a2..2ae90ce0 100644 --- a/submissions/description/cryptographic_weakness/insecure_implementation/missing_cryptographic_step/template.md +++ b/submissions/description/cryptographic_weakness/insecure_implementation/missing_cryptographic_step/template.md @@ -1,21 +1,17 @@ -# Missing Cryptographic Step - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. Missing computational steps during the implementation of cryptography was identified which degrades security. This can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the missing cryptographic step: diff --git a/submissions/description/cryptographic_weakness/insecure_implementation/template.md b/submissions/description/cryptographic_weakness/insecure_implementation/template.md index 7bd4509b..31dc4da0 100644 --- a/submissions/description/cryptographic_weakness/insecure_implementation/template.md +++ b/submissions/description/cryptographic_weakness/insecure_implementation/template.md @@ -1,21 +1,17 @@ -# Insecure Implementation - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. Insecure implementation of cryptography was identified which can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insecure implementation: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_exponent_selection/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_exponent_selection/template.md index 681173b6..b72cbed7 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_exponent_selection/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_exponent_selection/template.md @@ -1,21 +1,17 @@ -# Improper Asymmetric Exponent Selection - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism that involves improper asymmetric exponent selection. This can allow an attacker to identify keys and break the confidentiality of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the improper asymmetric exponent selection: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_prime_selection/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_prime_selection/template.md index b7ebe013..1b4e8b76 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_prime_selection/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/improper_asymmetric_prime_selection/template.md @@ -1,21 +1,17 @@ -# Improper Asymmetric Prime Selection - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism that involves improper asymmetric prime selection. This can allow an attacker to identify keys and break the confidentiality of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the improper asymmetric prime selection: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_space/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_space/template.md index 02895f2b..8a6765ce 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_space/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_space/template.md @@ -1,21 +1,17 @@ -# Insufficient Key Space - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism that has insufficient key space. This can allow an attacker to use brute-force techniques to identify keys and break the confidentiality of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient key space: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_stretching/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_stretching/template.md index 073f5424..057edcdc 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_stretching/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/insufficient_key_stretching/template.md @@ -1,21 +1,17 @@ -# Insufficient Key Stretching - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism that has insufficient key stretching. This can allow an attacker to identify keys and break the confidentiality of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient key stretching: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/key_exchange_without_entity_authentication/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/key_exchange_without_entity_authentication/template.md index 8ab599eb..058d1bd9 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/key_exchange_without_entity_authentication/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/key_exchange_without_entity_authentication/template.md @@ -1,21 +1,17 @@ -# Key Exchange Without Entity Authentication - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism that involves key exchange without entity authentication. This can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the key exchange without entity authentication: diff --git a/submissions/description/cryptographic_weakness/insecure_key_generation/template.md b/submissions/description/cryptographic_weakness/insecure_key_generation/template.md index cf0577ca..72b530fd 100644 --- a/submissions/description/cryptographic_weakness/insecure_key_generation/template.md +++ b/submissions/description/cryptographic_weakness/insecure_key_generation/template.md @@ -1,21 +1,17 @@ -# Insecure Key Generation - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the endpoint contains an insecure key generation mechanism which can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insecure key generation: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md index 443423bd..e0706934 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/initialization_vector_reuse/template.md @@ -1,21 +1,17 @@ -# Initialization Vector (IV) Reuse - -## Overview of the Vulnerability - Cryptographic algorithms use an initial block of data (called an initialization vector) alongside the plaintext data that is encrypted. When this IV is reused for multiple encryptions, an attacker can identify the IV from the original data within the encryption. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the initialization vector reuse: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md index 7b9aec93..5fd4a30a 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/limited_rng_entropy_source/template.md @@ -1,21 +1,17 @@ -# Limited Random Number Generator (RNG) Entropy Source - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. When insufficient entropy is used to generate cryptographic keys, it is possible to predict or guess the keys. Insufficient entropy of a Random Number Generator (RNG) was identified which can create predictable random numbers. This can allow an attacker to guess the session ID or cryptographic key and gain access to restricted data or functionality. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient entropy of the RNG: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md index 5554ed73..15386ed1 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_initialization_vector/template.md @@ -1,21 +1,17 @@ -# Predictable Initialization Vector (IV) - -## Overview of the Vulnerability - Cryptographic algorithms use an initial block of data (called an initialization vector) alongside the plaintext data that is encrypted. When this IV is predictable, an attacker can identify the IV from the original data within the encryption. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the predictability of the initialization vector: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md index e5a2d81e..7aed0015 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/predictable_prng_seed/template.md @@ -1,21 +1,17 @@ -# Predictable Pseudo-Random Number Generator (PRNG) Seed - -## Overview of the Vulnerability - A Pseudo-Random Number Generator (PRNG) uses an initial seed value to generate random number through a complex algorithm. When this seed value is predictable in full or in part, it is possible to determine the random numbers produce by the PRNG. The PRNG seed value is predictable, allowing an attacker to guess the random numbers generated by the PRNG. This can lead to unauthorized access if that seed value is used for authorization and authentication. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the PRNG seed reuse: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md index 22bed27a..2fcd5eaa 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/prng_seed_reuse/template.md @@ -1,21 +1,17 @@ -# Pseudo-Random Number Generator (PRNG) Seed Reuse - -## Overview of the Vulnerability - A Pseudo-Random Number Generator (PRNG) uses an initial seed value to generate random number through a complex algorithm. When this seed value is known, it is possible to determine the random numbers produce by the PRNG. An attacker with access to the seed value can predict or guess the random numbers which can lead to unauthorized access if that seed value is used for authorization and authentication. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the PRNG seed reuse: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md index a574b83c..93ac913c 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/small_seed_space_in_prng/template.md @@ -1,21 +1,17 @@ -# Small Seed Space in Pseudo-Random Number Generator (PRNG) - -## Overview of the Vulnerability - A Pseudo-Random Number Generator (PRNG) uses an initial seed value to generate random number through a complex algorithm. When this seed value is small in size, it is possible to bruteforce all possible seeed values. An attacker who can guess the seed value can predict or guess the random numbers generated by the PRNG. This can lead to unauthorized access if that seed value is used for authorization and authentication. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the small seed space in the PRNG: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/template.md index d80d37dc..3aa0f51b 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/template.md @@ -1,21 +1,17 @@ -# Insufficient Entropy - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. When insufficient entropy is used to generate cryptographic keys, it is possible to predict or guess the keys. Insufficient entropy of cryptographic algorithm generation was identified which can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient entropy: diff --git a/submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md b/submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md index df7df0ac..cbd5f01c 100644 --- a/submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_entropy/use_of_trng_for_nonsecurity_purpose/template.md @@ -1,21 +1,17 @@ -# Use of True Random Number Generator (TRNG) for Non-Security Purpose - -## Overview of the Vulnerability - Most True Random Number Generators (TRNG) have a finite limit to their random number generation rate. Therefore, a TRNG should only be used when entropy is required for security purposes. When an application draws from a TRNG for a non-security purpose, it depletes the entropy of the source, increasing the likelihood that an attacker would be able to predict of guess number generated. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the True Random Number Generator being used for a non-security purpose: diff --git a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/cryptographic_signature/template.md b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/cryptographic_signature/template.md index b61636a6..7aee61a0 100644 --- a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/cryptographic_signature/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/cryptographic_signature/template.md @@ -1,21 +1,17 @@ -# Cryptographic Signature - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application fails to verify the cryptographic signature. Ths can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient validation of the cryptographic signature: diff --git a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/identity_check_value/template.md b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/identity_check_value/template.md index 4b823ad5..3a8579a6 100644 --- a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/identity_check_value/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/identity_check_value/template.md @@ -1,21 +1,17 @@ -# Integrity Check Value (ICV) - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the authenticity of the Integrity Check Value (ICV) is not verified which can lead to data corruption. Ths can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient verification of the ICV: diff --git a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/template.md b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/template.md index f2064f49..49095962 100644 --- a/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/template.md +++ b/submissions/description/cryptographic_weakness/insufficient_verification_of_data_authenticity/template.md @@ -1,21 +1,17 @@ -# Insufficient Verification of Data Authenticity - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the authenticity of the data used in the cryptographic processes is not verified which can lead to data corruption. Ths can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the insufficient verification of data authenticity: diff --git a/submissions/description/cryptographic_weakness/key_reuse/inter_environment/template.md b/submissions/description/cryptographic_weakness/key_reuse/inter_environment/template.md index a314185f..65e53b18 100644 --- a/submissions/description/cryptographic_weakness/key_reuse/inter_environment/template.md +++ b/submissions/description/cryptographic_weakness/key_reuse/inter_environment/template.md @@ -1,21 +1,17 @@ -# Inter-Environment Key Reuse - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cryptographic mechanism reuses keys across different environment (inter-environment). This can allow an attacker to leverage the key to gain access to information or privileges within the application that are protected by the same key. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the inter-environment key reuse: diff --git a/submissions/description/cryptographic_weakness/key_reuse/intra_environment/template.md b/submissions/description/cryptographic_weakness/key_reuse/intra_environment/template.md index f316ec50..c813b677 100644 --- a/submissions/description/cryptographic_weakness/key_reuse/intra_environment/template.md +++ b/submissions/description/cryptographic_weakness/key_reuse/intra_environment/template.md @@ -1,21 +1,17 @@ -# Intra-Environment Key Reuse - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cryptographic mechanism reuses keys within the same environment (intra-environment). This can allow an attacker to leverage the key to gain access to information or privileges within the application that are protected by the same key. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the intra-environment key reuse: diff --git a/submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md b/submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md index 29a3aac8..7c10bf31 100644 --- a/submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md +++ b/submissions/description/cryptographic_weakness/key_reuse/lack_of_perfect_forward_secrecy/template.md @@ -1,21 +1,17 @@ -# Lack of Perfect Forward Secrecy - -## Overview of the Vulnerability - It was identified that the application's cryptographic mechanism lacks the use of Perfect Forward Secrecy (PFS). PFS involves the negotiation of an ephemeral key pair for each newly create session between two parties. Without PFS, an attacker would be able to compromise all past and future sessions based on a set of keys that they can decrypt. They can then leverage the keys to gain access to information or privileges within the application that are protected by the same key. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the lack of PFS: diff --git a/submissions/description/cryptographic_weakness/key_reuse/template.md b/submissions/description/cryptographic_weakness/key_reuse/template.md index 35f9564d..ba28732d 100644 --- a/submissions/description/cryptographic_weakness/key_reuse/template.md +++ b/submissions/description/cryptographic_weakness/key_reuse/template.md @@ -1,21 +1,17 @@ -# Key Reuse - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application's cryptographic mechanism reuses keys. This can allow an attacker to leverage the key to gain access to information or privileges within the application that are protected by the same key. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the key reuse: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/differential_fault_analysis/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/differential_fault_analysis/template.md index 925eeeca..a4724afe 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/differential_fault_analysis/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/differential_fault_analysis/template.md @@ -1,21 +1,17 @@ -# Differential Fault Analysis - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application is vulnerable to a differential fault analysis attack as there are changes to the system's response to specially crafted fault conditions during specific steps of cryptographic operations. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/emanations_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/emanations_attack/template.md index 1ce90a0c..6203f39c 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/emanations_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/emanations_attack/template.md @@ -1,21 +1,17 @@ -# Emanations Attack - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application is vulnerable to a emanations attack as there are changes to the electromagnetic emanations across the physical system when it is performing different steps of cryptographic operations. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the power emanations attack: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/padding_oracle_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/padding_oracle_attack/template.md index 437e33a9..f01e235c 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/padding_oracle_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/padding_oracle_attack/template.md @@ -1,21 +1,17 @@ -# Padding Oracle Attack - -## Overview of the Vulnerability - A cryptographic weakness was identified which can allow an attacker to use a padding oracle attack to derive the encryption key. This is due to the application revealing information during the decryption process about the validity of the padding data. This can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the padding oracle attack: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/power_analysis_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/power_analysis_attack/template.md index 9ef55158..e6841047 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/power_analysis_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/power_analysis_attack/template.md @@ -1,21 +1,17 @@ -# Power Analysis Attack - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application is vulnerable to a power analysis attack as there is uneven power consumption across the system when performing different steps of cryptographic operations. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the power analysis attack: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/template.md index 7d8abc56..8b7afdfc 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/template.md @@ -1,21 +1,17 @@ -# Side-Channel Attack - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. A cryptographic weakness was identified which can allow an attacker to use a side-channel attack to break the confidentiality and integrity of requests sent to and from the endpoint by deriving the encryption key through various methods. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the side-channel attack: diff --git a/submissions/description/cryptographic_weakness/side_channel_attack/timing_attack/template.md b/submissions/description/cryptographic_weakness/side_channel_attack/timing_attack/template.md index e5c1dafe..66e825d4 100644 --- a/submissions/description/cryptographic_weakness/side_channel_attack/timing_attack/template.md +++ b/submissions/description/cryptographic_weakness/side_channel_attack/timing_attack/template.md @@ -1,21 +1,17 @@ -# Timing Attack - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application is vulnerable to a timing attack as the time it takes to complete a cryptographic operation directly relates to user-supplied data. This allows an attacker to use a timing attack to derive the encryption key. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the timing attack: diff --git a/submissions/description/cryptographic_weakness/template.md b/submissions/description/cryptographic_weakness/template.md index 834f9601..77607aa9 100644 --- a/submissions/description/cryptographic_weakness/template.md +++ b/submissions/description/cryptographic_weakness/template.md @@ -1,21 +1,17 @@ -# Cryptographic Weakness - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. The application uses broken, weak, or otherwise flawed cryptography which can allow an attacker to decrypt sensitive information, or otherwise compromise the confidentiality, integrity, or authenticity of data. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. Perform {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md b/submissions/description/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md index ebd18946..186ee5ea 100644 --- a/submissions/description/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md +++ b/submissions/description/cryptographic_weakness/use_of_expired_cryptographic_key_or_cert/template.md @@ -1,21 +1,17 @@ -# Use of Expired Cryptographic Key (or Certificate) - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the application uses an expired cryptographic key or certificate which can allow an attacker to break the confidentiality of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/cryptographic_weakness/weak_hash/lack_of_salt/template.md b/submissions/description/cryptographic_weakness/weak_hash/lack_of_salt/template.md index ec70bf99..5e98627c 100644 --- a/submissions/description/cryptographic_weakness/weak_hash/lack_of_salt/template.md +++ b/submissions/description/cryptographic_weakness/weak_hash/lack_of_salt/template.md @@ -1,21 +1,17 @@ -# Lack of Salt - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. It was identified that the hash does not have a salt which can allow an attacker to use rainbow table attacks. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the lack of salt: diff --git a/submissions/description/cryptographic_weakness/weak_hash/predictable_hash_collision/template.md b/submissions/description/cryptographic_weakness/weak_hash/predictable_hash_collision/template.md index d7f58f3e..99f21c9e 100644 --- a/submissions/description/cryptographic_weakness/weak_hash/predictable_hash_collision/template.md +++ b/submissions/description/cryptographic_weakness/weak_hash/predictable_hash_collision/template.md @@ -1,21 +1,17 @@ -# Predictable Hash Collision - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. A predictable hash collision was identified where the same hash value is generated by a hashing algorithm for different plaintext inputs. This can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the predictable hash collision: diff --git a/submissions/description/cryptographic_weakness/weak_hash/template.md b/submissions/description/cryptographic_weakness/weak_hash/template.md index cb93b17b..cc1425aa 100644 --- a/submissions/description/cryptographic_weakness/weak_hash/template.md +++ b/submissions/description/cryptographic_weakness/weak_hash/template.md @@ -1,21 +1,17 @@ -# Weak Hash - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. A weak hash was identified which can allow an attacker to break the confidentiality and integrity of requests sent to and from the endpoint. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the weak hash: diff --git a/submissions/description/cryptographic_weakness/weak_hash/use_of_predictable_salt/template.md b/submissions/description/cryptographic_weakness/weak_hash/use_of_predictable_salt/template.md index 28c57659..50bb3d08 100644 --- a/submissions/description/cryptographic_weakness/weak_hash/use_of_predictable_salt/template.md +++ b/submissions/description/cryptographic_weakness/weak_hash/use_of_predictable_salt/template.md @@ -1,21 +1,17 @@ -# Use of Predictable Salt - -## Overview of the Vulnerability - Cryptography is used to ensure secure storage and transmission of data. However, there are a number of best practices that must be followed to ensure the cryptography in use remains secure and does not result in the exposure of sensitive data. A predictable salt in the hashing mechanism was identified which can allow an attacker to use rainbow table attacks. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage of the company through the impact to customers’ trust, and the ability of an attacker to view data. The severity of the impact to the business is dependent on the sensitivity of the accessible data being transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Setup {{software}} to intercept and log requests 1. Use a browser to navigate to: {{URL}} 1. {{action}} to view unencrypted requests -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the predictable salt: diff --git a/submissions/description/data_biases/pre_existing_bias/template.md b/submissions/description/data_biases/pre_existing_bias/template.md index 2b02f03c..12e85152 100644 --- a/submissions/description/data_biases/pre_existing_bias/template.md +++ b/submissions/description/data_biases/pre_existing_bias/template.md @@ -1,20 +1,16 @@ -# Pre-existing Bias (Historical Bias) - -## Overview of the Vulnerability - Pre-existing bias occurs when historical or societal prejudices are present in the training data. This can look like a lack of certain data points, over representation or under representation of groups, a bias in the selection of data points that make up the AI model, or data labels that are discriminatory or subjective. Outputs from AI models that have a pre-existing bias can result in inferior performance and outcomes that disadvantage certain groups. -## Business Impact +**Business Impact** Pre-existing bias in this AI model can result in reputational damage and indirect monetary loss due to the loss of customer trust in the output of the model. -## Steps to Reproduce +**Steps to Reproduce** 1. Input the following text into the model. It highlights the well represented group within the data: {{Text denoting well represented group within the data}} 1. Input the following text into the model. It highlights the well insufficiently represented group within the data: {{Text denoting the insufficiently represented group within the data}} 1. Note that the output of the AI model classifies these two groups disparately, showing a pre-existing bias. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/data_biases/representation_bias/template.md b/submissions/description/data_biases/representation_bias/template.md index 479fee5e..b04c452f 100644 --- a/submissions/description/data_biases/representation_bias/template.md +++ b/submissions/description/data_biases/representation_bias/template.md @@ -1,20 +1,16 @@ -# Representation Bias - -## Overview of the Vulnerability - Representation bias occurs when the training data of an AI model has an omission, or insufficient representation, of certain groups which the AI model intends to serve. Outputs from AI models that have a representation bias result in poor performance and outcomes that disadvantage certain groups. -## Business Impact +**Business Impact** Representation bias in this AI model can result in reputational damage and indirect financial loss due to the loss of customer trust in the output of the model. -## Steps to Reproduce +**Steps to Reproduce** 1. Input the following text into the model. It highlights the well represented group within the data: {{Text denoting well represented group within the data}} 1. Input the following text into the model. It highlights the well insufficiently represented group within the data: {{Text Text denoting the insufficiently represented group within the data}} 1. Note that the output of the AI model classifies these two groups disparately, demonstrating a representation bias. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/data_biases/template.md b/submissions/description/data_biases/template.md index a4ad6f9b..d028a22b 100644 --- a/submissions/description/data_biases/template.md +++ b/submissions/description/data_biases/template.md @@ -1,20 +1,16 @@ -# Data Biases - -## Overview of the Vulnerability - Data biases occurs when the data used train the AI model is flawed, unrepresentative or systematically skewed. Biases can stem from different sources, such as sampling errors, historical prejudices, or a lack of diversity in the dataset. Outputs from AI models that have a data bias can result in inaccurate, unfair, or otherwise discriminatory predictions or decisions. -## Business Impact +**Business Impact** Data biases in this AI model can result in reputational damage and indirect monetary loss due to the loss of customer trust in the output of the model. -## Steps to Reproduce +**Steps to Reproduce** 1. Input the following text into the model. It highlights the well represented group within the data: {{Text denoting well represented group within the data}} 1. Input the following text into the model. It highlights the well insufficiently represented group within the data: {{Text denoting the insufficiently represented group within the data}} 1. Note that the output of the AI model classifies these two groups disparately, showing a bias in the data. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/developer_biases/implicit_bias/template.md b/submissions/description/developer_biases/implicit_bias/template.md index 244a90f8..6f49d4b9 100644 --- a/submissions/description/developer_biases/implicit_bias/template.md +++ b/submissions/description/developer_biases/implicit_bias/template.md @@ -1,19 +1,15 @@ -# Implicit Bias - -## Overview of the Vulnerability - Implicit bias occurs when there are biases present within the training data of an AI model that affects its decision-making. These implicit biases are usually introduced into the AI model via the developers who affect the design, implementation, and deployment of the AI system. -## Business Impact +**Business Impact** Implicit bias in this AI model can result in unintended discrimination and unfairness which can lead to reputational damage and a loss of customer trust in the output of the model. -## Steps to Reproduce +**Steps to Reproduce** 1. Provide the AI model with data containing subtle, implicit biases. 1. Observe the model's decisions and identify instances where it unintentionally favors certain groups or viewpoints. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/developer_biases/template.md b/submissions/description/developer_biases/template.md index 0ffafab4..996fd615 100644 --- a/submissions/description/developer_biases/template.md +++ b/submissions/description/developer_biases/template.md @@ -1,19 +1,15 @@ -# Developer Biases - -## Overview of the Vulnerability - Developer biases occurs when AI model developers' perspectives, assumptions, and decisions influence the behaviour and design of an the model. Biases stem from developer's background and experiences, and subconscious prejudices. Outputs from AI models that have a developer bias can result in skewed or otherwise unfair outcomes. -## Business Impact +**Business Impact** Implicit bias in this AI model can result in unintended discrimination and unfairness which can lead to reputational damage and a loss of customer trust in the output of the model. -## Steps to Reproduce +**Steps to Reproduce** 1. Provide the AI model with data containing subtle, implicit biases. 1. Observe the model's decisions and identify instances where it unintentionally favors certain groups or viewpoints. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/external_behavior/browser_feature/aggressive_offline_caching/template.md b/submissions/description/external_behavior/browser_feature/aggressive_offline_caching/template.md index fc55d726..0e2dfd98 100644 --- a/submissions/description/external_behavior/browser_feature/aggressive_offline_caching/template.md +++ b/submissions/description/external_behavior/browser_feature/aggressive_offline_caching/template.md @@ -1,19 +1,15 @@ -# Aggressive Offline Caching - -## Overview of the Vulnerability - Browsers implement features such as service workers to offer offline features for an application. For example, a browser can offer offline features such as caching, notifications, as well as offloading computation for applications, such as Progressive Web Applications (PWA). Occasionally, these offline workers can cause issues like high CPU usage or overly aggressive offline caching, as seen in this instance. Depending on the implementation of the service worker, aggressive offline caching can act as a vector for Denial of Service (DoS) to regular application users by consuming compute to overly write to the offline cache. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ access to the application and its functions. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Use {{software}} to profile when service worker is active and compare to when the server worker is not active -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the aggressive offline caching: diff --git a/submissions/description/external_behavior/browser_feature/autocomplete_enabled/template.md b/submissions/description/external_behavior/browser_feature/autocomplete_enabled/template.md index 845877fe..d578a502 100644 --- a/submissions/description/external_behavior/browser_feature/autocomplete_enabled/template.md +++ b/submissions/description/external_behavior/browser_feature/autocomplete_enabled/template.md @@ -1,21 +1,17 @@ -# Autocomplete Enabled - -## Overview of the Vulnerability - Browsers implement features such as autocomplete to offer form filling features for end users. Autocomplete is an HTML attribute that saves previously entered text within the input Document Object Model (DOM) fields. An attacker can leverage the cached input for this application locally to login as a user or expose critical pieces of data. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Enter text within the input field and submit the form 1. Use `Inspect` from the developer tools to verify the input parameter has `autocomplete=on` 1. {{action}} to see the text saved into the input field -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the autocomplete enabled: diff --git a/submissions/description/external_behavior/browser_feature/autocorrect_enabled/template.md b/submissions/description/external_behavior/browser_feature/autocorrect_enabled/template.md index 8b952aa4..241a79a8 100644 --- a/submissions/description/external_behavior/browser_feature/autocorrect_enabled/template.md +++ b/submissions/description/external_behavior/browser_feature/autocorrect_enabled/template.md @@ -1,14 +1,10 @@ -# Autocorrect Enabled - -## Overview of the Vulnerability - Browsers implement features such as autocorrect to offer predictive spelling and grammar features for end users. The applications implementation of autocorrect for sensitive fields can enable an attacker with local access to login as a user, or leverage critical pieces of information to impersonate the user or make requests on their behalf. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Fill and {{action}} to submit form @@ -16,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the autocorrect enabled on a sensitive field: diff --git a/submissions/description/external_behavior/browser_feature/plaintext_password_field/template.md b/submissions/description/external_behavior/browser_feature/plaintext_password_field/template.md index d5f4da87..374375c9 100644 --- a/submissions/description/external_behavior/browser_feature/plaintext_password_field/template.md +++ b/submissions/description/external_behavior/browser_feature/plaintext_password_field/template.md @@ -1,14 +1,10 @@ -# Plaintext Password Field - -## Overview of the Vulnerability - The password field for the login form of the application reveals the password in plaintext. An attacker with local access can shoulder surf or otherwise tailgate a user and watch them login to the application. From here, an attacker could login as a user to impersonate them or make requests on their behalf. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Enter text within the password field @@ -16,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the password field rendering in plaintext: diff --git a/submissions/description/external_behavior/browser_feature/save_password/template.md b/submissions/description/external_behavior/browser_feature/save_password/template.md index 98ffdbdc..affd8216 100644 --- a/submissions/description/external_behavior/browser_feature/save_password/template.md +++ b/submissions/description/external_behavior/browser_feature/save_password/template.md @@ -1,21 +1,17 @@ -# Password is Saved in Input Field - -## Overview of the Vulnerability - Browsers implement features such as saving input field text to reduce the time it takes for a user to fill in forms. For this application, the password is saved in the input field. An attacker with local access to the application and computer can impersonate a user and make requests on their behalf. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Enter username and password within the login form and submit 1. Logout of application and navigate back to the login page 1. Observe that the username and password is saved -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the password saved in the input field: diff --git a/submissions/description/external_behavior/browser_feature/template.md b/submissions/description/external_behavior/browser_feature/template.md index c0236d60..9aa6ec84 100644 --- a/submissions/description/external_behavior/browser_feature/template.md +++ b/submissions/description/external_behavior/browser_feature/template.md @@ -1,19 +1,15 @@ -# Browser Feature - -## Overview of the Vulnerability - Browsers implement features to offer users both online and offline features to enhance the user experience of the browser and applications. For example, a browser can offer offline features such as caching, notifications, as well as offloading computation for applications, such as Progressive Web Applications (PWA). Occasionally, these browser features can cause security issues depending on their implementation. A local attacker can take advantage of the browser feature to impersonate a user and make requests on their behalf. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Use {{software}} to profile the browser feature that is showing sensitive user information -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the misconfigured browser feature: diff --git a/submissions/description/external_behavior/captcha_bypass/crowdsourcing/template.md b/submissions/description/external_behavior/captcha_bypass/crowdsourcing/template.md index 7ac2e4f0..2c280f91 100644 --- a/submissions/description/external_behavior/captcha_bypass/crowdsourcing/template.md +++ b/submissions/description/external_behavior/captcha_bypass/crowdsourcing/template.md @@ -1,19 +1,15 @@ -# Captcha Bypass via Crowdsourcing - -## Overview of the Vulnerability - A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. Powerful Optical Artificial Intelligence (OAI) enabled tools require a large amount of data to create models to break implementations of CAPTCHA. An attacker can leverage OAI tools to bypass captcha and make requests to critical functionality without rate limit. Forms that are often firewalled by a CAPTCHA can even be a vector for Denial of Service executing read and write from the database multiple times. -## Business Impact +**Business Impact** CAPTCHA bypass can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business through the extra workloads placed on internal teams to deal with spam from an attacker. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the CAPTCHA bypass: diff --git a/submissions/description/external_behavior/captcha_bypass/template.md b/submissions/description/external_behavior/captcha_bypass/template.md index a5e4e719..a44380eb 100644 --- a/submissions/description/external_behavior/captcha_bypass/template.md +++ b/submissions/description/external_behavior/captcha_bypass/template.md @@ -1,21 +1,17 @@ -# CAPTCHA Bypass - -## Overview of the Vulnerability - A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. A CAPTCHA can be bypassed when the implementation or its workflow is improperly configured, or when software can be used to bypass the challenge. An attacker can bypass the CAPTCHA form and spam the website with queries for registration, login, as well as spam support teams with faulty requests. -## Business Impact +**Business Impact** CAPTCHA bypass can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business through the extra workloads placed on internal teams to deal with spam from an attacker. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the CAPTCHA bypass: diff --git a/submissions/description/external_behavior/csv_injection/template.md b/submissions/description/external_behavior/csv_injection/template.md index 70415c5c..65c6e8d9 100644 --- a/submissions/description/external_behavior/csv_injection/template.md +++ b/submissions/description/external_behavior/csv_injection/template.md @@ -1,14 +1,10 @@ -# Comma Separated Values (CSV) Injection - -## Overview of the Vulnerability - Applications will often embed unsafe input in exported spreadsheets targeting desktop applications such as Excel or LibreOffice, or their cloud application equivalents. A malicious attacker can leverage this unsafe input to exfiltrate data from users, or deliver malicious binary to users downloading their input controlled file. Unsafe CSV formulas in CSV files within the application allow malicious attackers to deliver payloads or exfiltrate data using specifically crafted input. -## Business Impact +**Business Impact** CSV injection can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business if an attacker is able to exfiltrate data. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint: {{value}} 1. {{action}} to export a CSV file @@ -22,7 +18,7 @@ CSV injection can lead to reputational damage for the business due to a loss in 1. Upload to publicly accessible endpoint -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the CSV injection: diff --git a/submissions/description/external_behavior/system_clipboard_leak/shared_links/template.md b/submissions/description/external_behavior/system_clipboard_leak/shared_links/template.md index b1244019..de550267 100644 --- a/submissions/description/external_behavior/system_clipboard_leak/shared_links/template.md +++ b/submissions/description/external_behavior/system_clipboard_leak/shared_links/template.md @@ -1,14 +1,10 @@ -# System Clipboard Leak (Shared Link) - -## Overview of the Vulnerability - The system clipboard leaks sensitive information when performing a copy and paste function within the application. An attacker could abuse this clipboard leak to steal sensitive information that a user copied to their clipboard in the application. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage for the business due to a loss in confidence and trust by users. -## Steps to Reproduce +**Steps to Reproduce** 1. Create and install the following malicious application capable of accessing the clipboard: {{malicious application}} 1. Log in to {{application}} @@ -16,7 +12,7 @@ This vulnerability can lead to reputational damage for the business due to a los 1. Copy some sensitive information to the clipboard 1. Within the malicious application, observe the sensitive information through the clipboard -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the leak from the system clipboard: diff --git a/submissions/description/external_behavior/system_clipboard_leak/template.md b/submissions/description/external_behavior/system_clipboard_leak/template.md index 34d27452..de550267 100644 --- a/submissions/description/external_behavior/system_clipboard_leak/template.md +++ b/submissions/description/external_behavior/system_clipboard_leak/template.md @@ -1,14 +1,10 @@ -# System Clipboard Leak - -## Overview of the Vulnerability - The system clipboard leaks sensitive information when performing a copy and paste function within the application. An attacker could abuse this clipboard leak to steal sensitive information that a user copied to their clipboard in the application. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage for the business due to a loss in confidence and trust by users. -## Steps to Reproduce +**Steps to Reproduce** 1. Create and install the following malicious application capable of accessing the clipboard: {{malicious application}} 1. Log in to {{application}} @@ -16,7 +12,7 @@ This vulnerability can lead to reputational damage for the business due to a los 1. Copy some sensitive information to the clipboard 1. Within the malicious application, observe the sensitive information through the clipboard -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the leak from the system clipboard: diff --git a/submissions/description/external_behavior/template.md b/submissions/description/external_behavior/template.md index 40535930..63ff7e4c 100644 --- a/submissions/description/external_behavior/template.md +++ b/submissions/description/external_behavior/template.md @@ -1,19 +1,15 @@ -# External Behavior - -## Overview of the Vulnerability - Behavior external from the application is leaking user sensitive information due to misconfiguration errors of system or browser features. A local attacker can take advantage of these external behavior errors to gather sensitive user information and impersonate a user or make requests on their behalf. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Use {{software}} to profile the external behavior that is showing sensitive user information -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the misconfigured external behavior: diff --git a/submissions/description/external_behavior/user_password_persisted_in_memory/template.md b/submissions/description/external_behavior/user_password_persisted_in_memory/template.md index 047be757..2696aefa 100644 --- a/submissions/description/external_behavior/user_password_persisted_in_memory/template.md +++ b/submissions/description/external_behavior/user_password_persisted_in_memory/template.md @@ -1,22 +1,18 @@ -# User Password Persisted in Memory - -## Overview of the Vulnerability - The user’s password is kept in memory after the application has ceased utilizing it. An attacker can abuse this to read the user password in memory and login as the user, impersonate them, or make requests on their behalf. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage for the business due to a loss in confidence and trust by users. -## Steps to Reproduce +**Steps to Reproduce** 1. Utilize some software that allows computer memory to be accessed in a human-readable format 1. Log in to the application -1. Navigate to {{url}} and perform {{action}} +1. Navigate to the following URL: {{URL}} and perform {{action}} 1. Cease using the application 1. Using the computer memory viewer, view the password of the user that remained in memory after use -## Proof of Concept (PoC) +**Proof of Concept (PoC)** You can observe the plaintext password that remained in memory after utilization below: diff --git a/submissions/description/indicators_of_compromise/template.md b/submissions/description/indicators_of_compromise/template.md index 2746f45b..f2e551f7 100644 --- a/submissions/description/indicators_of_compromise/template.md +++ b/submissions/description/indicators_of_compromise/template.md @@ -1,14 +1,10 @@ -# Indicators of Compromise - -## Overview of the Vulnerability - Indicators of compromise (IoC) comprise of vulnerabilities in the detection, analysis, or response mechanisms used to identify potential security breaches, or compromises within, an organization's network or systems. This vulnerability may stem from inadequate IoC management, ineffective threat intelligence integration, or improper incident response procedures. -## Business Impact +**Business Impact** The impact of Indicators of Compromise (IoC) Vulnerability can be severe. It can lead to undetected security breaches, prolonged exposure to threats, or ineffective incident response, compromising the confidentiality, integrity, or availability of assets and data. Additionally, it may result in legal liabilities, regulatory penalties, and reputational damage to the organization. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the IoC detection and response mechanisms deployed within the organization, including security tools, monitoring systems, and incident response procedures: {{Vulnerable component}} @@ -18,7 +14,7 @@ The impact of Indicators of Compromise (IoC) Vulnerability can be severe. It can {{Identify what is lacking here}} 4. Observe the impact of successful exploitation of the IoC vulnerabilities on the organization's security posture and incident response capabilities. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_data_storage/non_sensitive_application_data_stored_unencrypted/template.md b/submissions/description/insecure_data_storage/non_sensitive_application_data_stored_unencrypted/template.md index 39e82811..612cf635 100644 --- a/submissions/description/insecure_data_storage/non_sensitive_application_data_stored_unencrypted/template.md +++ b/submissions/description/insecure_data_storage/non_sensitive_application_data_stored_unencrypted/template.md @@ -1,21 +1,17 @@ -# Non-Sensitive Application Data Stored Unencrypted - -## Overview of the Vulnerability - Insecure data storage can occur in both the client and server sides of an application. Non-sensitive data from the application is stored unencrypted and is susceptible to being identified and used maliciously. An attacker with access to the unencrypted non-sensitive data can leverage the data to gather further information on users and the application, and use it to perform further attacks. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the application and input data so that it is stored by the application 1. Navigate to where the application stores the gathered information -1. Navigate to {{url}} +1. Navigate to the following URL: {{URL}} 1. Observe the application data that is stored unencrypted -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/screen_caching_enabled/template.md b/submissions/description/insecure_data_storage/screen_caching_enabled/template.md index 5b5c75a2..6fcd31be 100644 --- a/submissions/description/insecure_data_storage/screen_caching_enabled/template.md +++ b/submissions/description/insecure_data_storage/screen_caching_enabled/template.md @@ -1,20 +1,16 @@ -# Screen Caching Enabled - -## Overview of the Vulnerability - Screen caching occurs when an application is sent to the background and a screenshot is taken in order to make it appear that the application is shrinking while moving between applications on the mobile screen. Personal information can be unknowingly captured in this screen cache and stored unencrypted on the phone. An attacker could abuse this screen caching being enabled to steal sensitive information that is captured and stored unencrypted when a user exits the application. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Log in to the mobile application and access a screen where sensitive information is displayed 1. Click the home button, and navigate to where the mobile operating system stores cached application screenshots 1. Observe the screenshot taken that captures sensitive information when the home button was clicked -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the screen caching displaying sensitive information: diff --git a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_external_storage/template.md b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_external_storage/template.md index 4ba7aabb..c2e465d5 100644 --- a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_external_storage/template.md +++ b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_external_storage/template.md @@ -1,20 +1,16 @@ -# Sensitive Application Data Stored Unencrypted on External Storage - -## Overview of the Vulnerability - When sensitive application data is stored insecurely on external storage it is susceptible to being identified and used maliciously. An attacker could abuse this unencrypted data storage to steal sensitive information that a user inputted. With this sensitive information, a malicious attacker could perform further attacks on the application or impersonate the user. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the application and input personal, sensitive data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Observe the sensitive application data that is stored unencrypted -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_internal_storage/template.md b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_internal_storage/template.md index d284292f..089a10f6 100644 --- a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_internal_storage/template.md +++ b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/on_internal_storage/template.md @@ -1,20 +1,16 @@ -# Sensitive Application Data Stored Unencrypted on Internal Storage - -## Overview of the Vulnerability - When sensitive application data is stored insecurely on internal storage it is susceptible to being identified and used maliciously. An attacker could abuse this unencrypted data storage to steal sensitive information that a user inputted. With this sensitive information, a malicious attacker could perform further attacks on the application or impersonate the user. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the application and input personal, sensitive data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Observe the sensitive application data that is stored unencrypted -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/template.md b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/template.md index 811c65a3..0505b069 100644 --- a/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/template.md +++ b/submissions/description/insecure_data_storage/sensitive_application_data_stored_unencrypted/template.md @@ -1,20 +1,16 @@ -# Sensitive Application Data Stored Unencrypted - -## Overview of the Vulnerability - Insecure data storage can occur in both the client and server sides of an application. When sensitive application data is stored insecurely it is susceptible to being identified and used maliciously. An attacker could abuse this unencrypted data storage to steal sensitive information that a user inputted. With this sensitive information, a malicious attacker could perform further attacks on the application or impersonate the user. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the application and input personal, sensitive data so that it is stored by the application 1. Navigate to where the application stores the gathered information 1. Observe the sensitive application data that is stored unencrypted -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/server_side_credentials_storage/plaintext/template.md b/submissions/description/insecure_data_storage/server_side_credentials_storage/plaintext/template.md index d51fabbb..3c40bc98 100644 --- a/submissions/description/insecure_data_storage/server_side_credentials_storage/plaintext/template.md +++ b/submissions/description/insecure_data_storage/server_side_credentials_storage/plaintext/template.md @@ -1,21 +1,17 @@ -# Server-Side Plaintext Credential Storage - -## Overview of the Vulnerability - When sensitive application data is stored insecurely in server-side storage it is susceptible to being identified and used maliciously. An attacker can abuse server-side credential storage by using another vulnerability to gain access to the server of the application and exfiltrating all the plaintext credentials. With these plaintext credentials, an attacker can take over user accounts or impersonate users within the application. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. If an attacker is successful in exfiltrating user credentials from the server it can lead to fraud and data loss for the company. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Register an account in the application and create credentials for the account 1. Use a browser to navigate to: {{URL}} 1. Using the HTTP interception proxy, observe that the application is storing user credentials on their server in plaintext -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/server_side_credentials_storage/template.md b/submissions/description/insecure_data_storage/server_side_credentials_storage/template.md index dbeeefdb..a4a18d0d 100644 --- a/submissions/description/insecure_data_storage/server_side_credentials_storage/template.md +++ b/submissions/description/insecure_data_storage/server_side_credentials_storage/template.md @@ -1,21 +1,17 @@ -# Server-Side Credential Storage - -## Overview of the Vulnerability - When sensitive application data is stored insecurely in server-side storage it is susceptible to being identified and used maliciously. An attacker can abuse server-side credential storage by using another vulnerability to gain access to the server of the application and exfiltrating all the credentials. With these plaintext credentials, an attacker can take over user accounts or impersonate users within the application. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. If an attacker is successful in exfiltrating user credentials from the server it can lead to fraud and data loss for the company. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Register an account in the application and create credentials for the account 1. Use a browser to navigate to: {{URL}} 1. Using the HTTP interception proxy, observe that the application is storing user credentials on their server -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_storage/template.md b/submissions/description/insecure_data_storage/template.md index a4dc69a2..9458dd56 100644 --- a/submissions/description/insecure_data_storage/template.md +++ b/submissions/description/insecure_data_storage/template.md @@ -1,21 +1,17 @@ -# Insecure Data Storage - -## Overview of the Vulnerability - Insecure data storage can occur in both the client and server sides of an application. When data from the application is stored insecurely it is susceptible to being identified and used maliciously. An attacker with access to the insecurely stored data of this application can leverage the data to gather further information on users and the application, and use it to perform further attacks. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the application and input data so that it is stored by the application 1. Navigate to where the application stores the gathered information -1. Navigate to {{url}} +1. Navigate to the following URL: {{URL}} 1. Observe the application data that is stored unencrypted -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below demonstrate the insecure data storage: diff --git a/submissions/description/insecure_data_transport/cleartext_transmission_of_sensitive_data/template.md b/submissions/description/insecure_data_transport/cleartext_transmission_of_sensitive_data/template.md index fa9a8ecf..b8c1306e 100644 --- a/submissions/description/insecure_data_transport/cleartext_transmission_of_sensitive_data/template.md +++ b/submissions/description/insecure_data_transport/cleartext_transmission_of_sensitive_data/template.md @@ -1,14 +1,10 @@ -# Cleartext Transmission of Sensitive Data - -## Overview of the Vulnerability - When sensitive data is transmitted in cleartext over an unencrypted channel, it can be intercepted via a Person-in-the-Middle (PitM) attack. An attacker can send requests to the server pretending to be the legitimate user by using a PitM attack to access the sensitive data. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft via an attacker’s ability to manipulate data through their ability to make requests to the server using a legitimate session token. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +13,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the cookie and hijack the authenticated session 1. Modify user's personal identifiable information (PII) -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show sensitive data being transmitted via cleartext: diff --git a/submissions/description/insecure_data_transport/executable_download/no_secure_integrity_check/template.md b/submissions/description/insecure_data_transport/executable_download/no_secure_integrity_check/template.md index 99de807c..492e7dba 100644 --- a/submissions/description/insecure_data_transport/executable_download/no_secure_integrity_check/template.md +++ b/submissions/description/insecure_data_transport/executable_download/no_secure_integrity_check/template.md @@ -1,21 +1,17 @@ -# Executable File Download Without Secure Integrity Check - -## Overview of the Vulnerability - Risk levels for an application are raised when executable files are able to be downloaded as it increases the chances of malicious files being downloaded and executing in the system, or on an end user’s device. An executable file can be downloaded within this application without encryption or a secure integrity check, enabling an attacker to observe the contents of the downloaded file through a network sniffing or Person-in-the-Middle (PitM) attack. An attacker could also download a malicious executable instead of the intended file. If the downloaded file contains sensitive information, the attacker could use this to perform further attacks on the application or impersonate a user. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft depending on the content on the downloadable executable files in the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Route all application traffic through a HTTP interception proxy 1. Use a browser to navigate to: {{URL}} 1. Observe within the HTTP interception proxy that an executable file is downloaded unencrypted and does not go through an integrity check -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows that an executable file is downloaded unencrypted: diff --git a/submissions/description/insecure_data_transport/executable_download/secure_integrity_check/template.md b/submissions/description/insecure_data_transport/executable_download/secure_integrity_check/template.md index 45ecc1b0..5ccdb596 100644 --- a/submissions/description/insecure_data_transport/executable_download/secure_integrity_check/template.md +++ b/submissions/description/insecure_data_transport/executable_download/secure_integrity_check/template.md @@ -1,21 +1,17 @@ -# Executable File Download with Secure Integrity Check - -## Overview of the Vulnerability - Risk levels for an application are raised when executable files are able to be downloaded as it increases the chances of malicious files downloaded and executing in the system, or on an end user’s device. An executable file can be downloaded within this application without encryption, enabling an attacker to observe the contents of the downloaded file through a network sniffing or Person-in-the-Middle (PitM) attack. If the downloaded file contains sensitive information, the attacker could use this to perform further attacks on the application or impersonate a user. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft depending on the content on the downloadable executable files in the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Route all application traffic through a HTTP interception proxy 1. Use a browser to navigate to: {{URL}} 1. Observe within the HTTP interception proxy that an executable file is downloaded unencrypted -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows that an executable file is downloaded unencrypted: diff --git a/submissions/description/insecure_data_transport/executable_download/template.md b/submissions/description/insecure_data_transport/executable_download/template.md index 5f2486b7..e1adb9b3 100644 --- a/submissions/description/insecure_data_transport/executable_download/template.md +++ b/submissions/description/insecure_data_transport/executable_download/template.md @@ -1,21 +1,17 @@ -# Executable File Download - -## Overview of the Vulnerability - Risk levels for an application are raised when executable files are able to be downloaded as it increases the chances of malicious files being downloaded and executing in the system, or on an end user’s device. An executable file can be downloaded within this application, enabling an attacker to observe the contents of the downloaded file through a network sniffing or Person-in-the-Middle (PitM) attack. An attacker could also download a malicious executable instead of the intended file. If the downloaded file contains sensitive information, the attacker could use this to perform further attacks on the application or impersonate a user. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft depending on the content on the downloadable executable files in the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Route all application traffic through a HTTP interception proxy 1. Use a browser to navigate to: {{URL}} 1. Observe within the HTTP interception proxy that an executable file is downloaded -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows that an executable file can be downloaded: diff --git a/submissions/description/insecure_data_transport/template.md b/submissions/description/insecure_data_transport/template.md index 6e8ae748..36d83900 100644 --- a/submissions/description/insecure_data_transport/template.md +++ b/submissions/description/insecure_data_transport/template.md @@ -1,14 +1,10 @@ -# Insecure Data Transport - -## Overview of the Vulnerability - When data is transmitted over unencrypted channels, it can be intercepted via a Person-in-the-Middle (PitM) attack. An attacker can then gather user data and potentially send requests to the server pretending to be the legitimate user, or otherwise collect sensitive user data. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. It can also lead to data theft via an attacker’s ability to manipulate data through their ability to make requests to the server using a legitimate session token. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +13,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Replay the cookie and hijack the authenticated session 1. Modify user's personal identifiable information (PII) -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show sensitive data being transmitted insecurely: diff --git a/submissions/description/insecure_os_firmware/command_injection/template.md b/submissions/description/insecure_os_firmware/command_injection/template.md index 6ecb0f07..462d2796 100644 --- a/submissions/description/insecure_os_firmware/command_injection/template.md +++ b/submissions/description/insecure_os_firmware/command_injection/template.md @@ -1,15 +1,11 @@ -# Insecure OS Firmware (Command Injection) - -## Overview of the Vulnerability - When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network. An attacker could abuse this command injection vulnerability in the application to execute arbitrary commands on the user's operating system. -## Business Impact +**Business Impact** -This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. +This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Start {{application}} on the operating system and navigate to {{url}} 1. Observe that the OS firmware is insecure by {{action}} @@ -17,7 +13,7 @@ This vulnerability can lead to direct financial loss to the company due to data {{Payload}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show the steps required to exploit the command injection: diff --git a/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/non_sensitive/template.md b/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/non_sensitive/template.md index a002a00f..0c0cc584 100644 --- a/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/non_sensitive/template.md +++ b/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/non_sensitive/template.md @@ -1,21 +1,17 @@ -# Data Not Encrypted at Rest (Non-Sensitive) - -## Overview of the Vulnerability - The device stores non-sensitive data that is not encrypted at rest. Despite the data not being directly exploitable, its accessibility due to lack of encryption allows attackers with physical access to the device to retrieve this information. This exposure could facilitate reverse engineering efforts or aid in future exploitation attempts, indirectly compromising the system's security. -## Business Impact +**Business Impact** While the data in question is classified as non-sensitive, its exposure still poses security risks. Unauthorized access to this data can provide attackers with insights into the device's operations or architecture, potentially leading to vulnerabilities being uncovered. This situation can undermine the security posture of the device, leading to increased susceptibility to targeted attacks, erosion of customer confidence, and potential reputational damage. -## Steps to Reproduce +**Steps to Reproduce** 1. Gain physical access to the device and remove the cover as seen in the images below. 1. Locate the hard drive on the device, and remove it. 1. Using a external hard drive caddy, mount the device. 1. Observe that it is possible to access the filesystem, demonstrating the lack of encryption at rest. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/sensitive/template.md b/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/sensitive/template.md index cf27c0e6..8becfd57 100644 --- a/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/sensitive/template.md +++ b/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/sensitive/template.md @@ -1,21 +1,17 @@ -# Data Not Encrypted at Rest (Sensitive) - -## Overview of the Vulnerability - The device stores sensitive data that is not encrypted at rest, compromising the confidentiality and integrity of the data. This oversight allows an attacker with physical access to the device to easily access and potentially compromise the sensitive data contained within, exposing personal information, secrets, or credentials. -## Business Impact +**Business Impact** The absence of encryption for sensitive data at rest on the device poses a significant risk to data confidentiality and integrity. This vulnerability can lead to data breaches, unauthorized access to sensitive information, and potential financial and reputational damages to the organization. It undermines the trust of customers and partners and may result in non-compliance with regulatory requirements related to data protection and privacy. -## Steps to Reproduce +**Steps to Reproduce** 1. Gain physical access to the device and remove the cover as seen in the images below. 1. Locate the hard drive on the device, and remove it. 1. Using a external hard drive caddy, mount the device. 1. Observe that it is possible to access the filesystem, demonstrating the lack of encryption at rest. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/template.md b/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/template.md index ec191266..f54a4039 100644 --- a/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/template.md +++ b/submissions/description/insecure_os_firmware/data_not_encrypted_at_rest/template.md @@ -1,14 +1,10 @@ -# Data Not Encrypted at Rest - -## Overview of the Vulnerability - The device stores data that is not encrypted at rest, compromising the confidentiality and integrity of the data. This oversight allows an attacker with physical access to the device to easily access and potentially compromise the sensitive data contained within, exposing personal information, secrets, or credentials. -## Business Impact +**Business Impact** The absence of encryption for data at rest on the device poses a significant risk to data confidentiality and integrity. This vulnerability can lead to data breaches, unauthorized access to sensitive information, and potential financial and reputational damages to the organization. It undermines the trust of customers and partners and may result in non-compliance with regulatory requirements related to data protection and privacy. -## Steps to Reproduce +**Steps to Reproduce** 1. Gain physical access to the device and remove the cover as seen in the images below. {{screenshot}} @@ -16,7 +12,7 @@ The absence of encryption for data at rest on the device poses a significant ris 1. Using a external hard drive caddy, mount the device. 1. Observe that it is possible to access the filesystem, demonstrating the lack of encryption at rest. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/failure_to_remove_sensitive_artifacts_from_disk/template.md b/submissions/description/insecure_os_firmware/failure_to_remove_sensitive_artifacts_from_disk/template.md index fe49e02a..04e8bb0d 100644 --- a/submissions/description/insecure_os_firmware/failure_to_remove_sensitive_artifacts_from_disk/template.md +++ b/submissions/description/insecure_os_firmware/failure_to_remove_sensitive_artifacts_from_disk/template.md @@ -1,20 +1,16 @@ -# Failure to Remove Sensitive Artifacts from Disk - -## Overview of the Vulnerability - During the deployment or configuration phases of the device, sensitive artifacts (which can include: configuration information, secrets, or credentials) are transferred to and stored on the device's storage medium. These artifacts are not adequately removed post-deployment or configuration. As a result, an attacker gaining access to the device could view these sensitive artifacts. -## Business Impact +**Business Impact** The persistence of sensitive artifacts on the device's storage poses a significant risk to data confidentiality and system integrity. Unauthorized access to these artifacts can lead to security breaches, unauthorized system access, and the potential leakage of confidential information. The implications include not only immediate operational and financial losses but also long-term damage to the organization's reputation and trustworthiness, alongside potential regulatory non-compliance. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the device using the credentials supplied. 2. Open the file found at: {{filepath}} 3. You'll see that the file is a deployment script, viewing the variable, {{variable}} you'll see secrets used during deployment. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md b/submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md index dde550d6..0f7c41c6 100644 --- a/submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md +++ b/submissions/description/insecure_os_firmware/hardcoded_password/non_privileged_user/template.md @@ -1,21 +1,17 @@ -# Insecure OS Firmware (Hard-Coded Password for Non-Privileged User) - -## Overview of the Vulnerability - When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network. A hard-coded password for a non-privileged user was identified in the source code of the application. An attacker could abuse the hard-coded password for a non-privileged user to gain access to aspects of the application they normally would not have access to. With this increased access, a malicious attacker could perform other attacks on the application, elevate their privileges, or gather sensitive data from within the application. -## Business Impact +**Business Impact** -This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. +This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Observe that a password is hard-coded into the source code and does not require external validation -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the hard-coded password within the application source files: diff --git a/submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/template.md b/submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/template.md index 861aa566..713db94c 100644 --- a/submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/template.md +++ b/submissions/description/insecure_os_firmware/hardcoded_password/privileged_user/template.md @@ -1,21 +1,17 @@ -# Insecure OS Firmware (Hard-Coded Password for Privileged User) - -## Overview of the Vulnerability - When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network. A hard-coded password for a privileged user was identified in the source code of the application. An attacker could abuse the hard-coded password for a privileged user to gain access to aspects of the application they normally would not have access to. With this increased access, a malicious attacker could perform other attacks on the application, or gather sensitive data from within the application. -## Business Impact +**Business Impact** -This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. +This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Observe that a password is hard-coded into the source code and does not require external validation -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the hard-coded password within the application source files: diff --git a/submissions/description/insecure_os_firmware/hardcoded_password/template.md b/submissions/description/insecure_os_firmware/hardcoded_password/template.md index d25bd4a0..c76d59db 100644 --- a/submissions/description/insecure_os_firmware/hardcoded_password/template.md +++ b/submissions/description/insecure_os_firmware/hardcoded_password/template.md @@ -1,21 +1,17 @@ -# Insecure OS Firmware (Hard-Coded Password) - -## Overview of the Vulnerability - When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network. Hard-coded passwords were identified in the source code of the application. An attacker could abuse the hard-coded passwords to gain access to aspects of the application they normally would not have access to. With this increased access, a malicious attacker could perform other attacks on the application, elevate their privileges, or gather sensitive data from within the application. -## Business Impact +**Business Impact** -This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. +This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Observe that a password is hard-coded into the source code and does not require external validation -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the hard-coded password within the application source files: diff --git a/submissions/description/insecure_os_firmware/kiosk_escape_or_breakout/template.md b/submissions/description/insecure_os_firmware/kiosk_escape_or_breakout/template.md index b91f7d76..17ed7f02 100644 --- a/submissions/description/insecure_os_firmware/kiosk_escape_or_breakout/template.md +++ b/submissions/description/insecure_os_firmware/kiosk_escape_or_breakout/template.md @@ -1,20 +1,16 @@ -# Kiosk Escape or Breakout - -## Overview of the Vulnerability - A kiosk escape or breakout occurs when an exploit allows users to bypass the software package serving as the frontend for an application on a system, gaining unauthorized access to the underlying operating system. This vulnerability varies in impact depending on the operating system and the level of hardening applied to the system. In cases where the system uses administrator-level access, the consequences can include defacement, installation of malicious software, or breaches of data integrity, potentially affecting stored customer data. -## Business Impact +**Business Impact** This vulnerability can lead to unauthorized access, data breaches, and malicious activities, including the installation of unwanted software and alteration of stored data. Such incidents can result in significant financial losses, damage to the organization's reputation, and erosion of customer trust, especially if sensitive customer information is compromised. -## Steps to Reproduce +**Steps to Reproduce** 1. Turn the {{hardware}} on and wait for the software to run. 1. Constantly click on the bottom right of the touch screen, revealing the desktop. 1. Observe that there is an administrator level user on the device. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshots demonstrate the process of escaping from the application's controlled environment to access the underlying operating system. This may include screenshots or a description of the exploit technique used, the access gained to system settings or files, and any unauthorized actions performed as a result: diff --git a/submissions/description/insecure_os_firmware/local_administrator_on_default_environment/template.md b/submissions/description/insecure_os_firmware/local_administrator_on_default_environment/template.md index 7b1192bc..92d40d4c 100644 --- a/submissions/description/insecure_os_firmware/local_administrator_on_default_environment/template.md +++ b/submissions/description/insecure_os_firmware/local_administrator_on_default_environment/template.md @@ -1,14 +1,10 @@ -# Local Administrator on Default Environment - -## Overview of the Vulnerability - The current configuration of the device uses a local administrator account as the default environment setting. This configuration inherently provides administrator-level access to the running processes and access, posing a significant security risk. If an attacker compromises the application or device, they can gain elevated privileges automatically, allowing for extensive control over the device's functions and data. -## Business Impact +**Business Impact** Operating devices under local administrator accounts by default increases the risk of severe security breaches. An attacker with administrator-level access can disable security measures, install malicious software, and access or alter sensitive information. This could lead to operational disruptions, data breaches involving sensitive customer or business information, and significant financial and reputational damage to the organization. Furthermore, this practice may fail to comply with security standards and regulatory compliance requirements. -## Steps to Reproduce +**Steps to Reproduce** 1. Open the device and use a TTY Cable to connect to the header pins found in the screenshot below: {{screenshot}} @@ -24,7 +20,7 @@ or 3. Now on the desktop, open a terminal and type the command: {{command}}. 4. You'll see the response shows the user is a local administrator account. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/over_permissioned_credentials_on_storage/template.md b/submissions/description/insecure_os_firmware/over_permissioned_credentials_on_storage/template.md index c28504ea..7a96c5d9 100644 --- a/submissions/description/insecure_os_firmware/over_permissioned_credentials_on_storage/template.md +++ b/submissions/description/insecure_os_firmware/over_permissioned_credentials_on_storage/template.md @@ -1,14 +1,10 @@ -# Over-Permissioned Credentials on Storage - -## Overview of the Vulnerability - The device contains a set of credentials stored on its storage medium that are over-permissioned for their intended use. While these credentials are designed to access a specific shared service, their excessive permissions allow for broader unauthorized access. If the device is compromised or falls into the hands of unauthorized user, these over-permissioned credentials could be used to access not only the intended service but also additional services and data that should be segregated. -## Business Impact +**Business Impact** Storing over-permissioned credentials on the device presents a significant security risk, amplifying the potential damage from unauthorized access. Attackers could exploit these credentials to gain extensive control over the system's resources and sensitive data, including customer information and proprietary secrets. Such breaches can lead to financial losses, regulatory penalties, erosion of customer trust, and long-term reputational damage to the organization. -## Steps to Reproduce +**Steps to Reproduce** 1. Gain physical access to the device and remove the cover, as seen in the images below: {{screenshot}} @@ -26,7 +22,7 @@ or 1. Using the HTTP request below, send the request with the token: {{HTTP request}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/poorly_configured_disk_encryption/template.md b/submissions/description/insecure_os_firmware/poorly_configured_disk_encryption/template.md index 686d4ea9..7259608b 100644 --- a/submissions/description/insecure_os_firmware/poorly_configured_disk_encryption/template.md +++ b/submissions/description/insecure_os_firmware/poorly_configured_disk_encryption/template.md @@ -1,20 +1,16 @@ -# Poorly Configured Disk Encryption - -## Overview of the Vulnerability - The device uses a disk encryption to protect stored data from being accessed while at rest. However, due to a poor configuration of the encryption mechanism, an unauthorized attacker with physical access to the device can decrypt the disk's contents. This vulnerability could expose secrets, customer data, or other sensitive information stored on the device. -## Business Impact +**Business Impact** A flaw in the disk encryption configuration significantly undermines the device's data security, posing a high risk to the confidentiality and integrity of stored data. If exploited, this vulnerability can lead to the exposure of sensitive information, potentially resulting in financial losses, damage to the organization's reputation, and erosion of customer trust. Furthermore, it may result in non-compliance with data protection regulations. -## Steps to Reproduce +**Steps to Reproduce** 1. Gain physical access to the device and start the boot process. 2. Once the device has reached the boot menu and asks for a password, type `A` 257 times and press enter. 3. The device will decrypt the disk and you can access its contents, including any sensitive data stored on the device. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/poorly_configured_operating_system_security/template.md b/submissions/description/insecure_os_firmware/poorly_configured_operating_system_security/template.md index 74b75c12..8df340ab 100644 --- a/submissions/description/insecure_os_firmware/poorly_configured_operating_system_security/template.md +++ b/submissions/description/insecure_os_firmware/poorly_configured_operating_system_security/template.md @@ -1,19 +1,15 @@ -# Poorly Configured Operating System Security - -## Overview of the Vulnerability - The device employs a standard operating system where the configuration fails to adequately secure the device. This poor configuration can expose the device to various security vulnerabilities, making it susceptible to unauthorized access, data breaches, and other malicious activities. An attacker with access to the operating system can gain access to the applications and data on the device. -## Business Impact +**Business Impact** The inadequate security configuration of the operating system can lead to significant risks, including the compromise of sensitive information, operational disruptions, and financial losses. Moreover, it can damage the organization's reputation and customer trust. Ensuring compliance with security standards and regulatory requirements becomes challenging under these conditions, potentially resulting in legal and financial repercussions. -## Steps to Reproduce +**Steps to Reproduce** 1. Power on the device and login, then open the settings menu. 2. You'll see issues which deviate from hardening recommendations, including unnecessary services running, default passwords unchanged, or insufficient access controls. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/recovery_of_disk_contains_sensitive_material/template.md b/submissions/description/insecure_os_firmware/recovery_of_disk_contains_sensitive_material/template.md index 48ef930b..bd5e4848 100644 --- a/submissions/description/insecure_os_firmware/recovery_of_disk_contains_sensitive_material/template.md +++ b/submissions/description/insecure_os_firmware/recovery_of_disk_contains_sensitive_material/template.md @@ -1,20 +1,16 @@ -# Recovery of Disk Contains Sensitive Material - -## Overview of the Vulnerability - The device's storage medium fails to adequately delete data when a factory reset is performed due to a flaw in the process. An attacker with access to the storage medium post-reset can recover and exploit the sensitive information. -## Business Impact +**Business Impact** The incomplete deletion of sensitive data during a factory reset poses a substantial risk of data breaches. If exploited, this vulnerability can lead to the unauthorized disclosure of confidential information, undermining customer trust and violating privacy regulations. The consequent legal, financial, and reputational damages can significantly impact the organization's standing and operations. -## Steps to Reproduce +**Steps to Reproduce** 1. Perform a factory reset on the device to initiate the data removal process. 2. Access the storage medium of the device after the reset. 3. Use {{tool}} to retrieve previously stored sensitive information. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/shared_credentials_on_storage/template.md b/submissions/description/insecure_os_firmware/shared_credentials_on_storage/template.md index 27bbd6e8..4c776f78 100644 --- a/submissions/description/insecure_os_firmware/shared_credentials_on_storage/template.md +++ b/submissions/description/insecure_os_firmware/shared_credentials_on_storage/template.md @@ -1,14 +1,10 @@ -# Shared Credentials on Storage - -## Overview of the Vulnerability - The device in question stores a set of shared credentials on its storage medium. These credentials are intended for accessing a shared service. However, should the device be compromised or acquired by unauthorized parties, an attacker could use these shared credentials to gain access to services that are normally restricted. -## Business Impact +**Business Impact** The presence of shared credentials stored on the device poses a significant security risk. Unauthorized access to shared services can lead to data breaches, unauthorized transactions, or the manipulation of sensitive information. Such incidents can severely impact the organization's operational security, result in financial losses, and damage the organization's reputation, especially if customer data or critical business operations are compromised. -## Steps to Reproduce +**Steps to Reproduce** 1. Gain physical access to the device and remove the cover, as seen in the images below: @@ -25,7 +21,7 @@ or 4. Using the HTTP request below, send the request with the token: {{HTTP request}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/template.md b/submissions/description/insecure_os_firmware/template.md index 0c9adbc4..3cbe830e 100644 --- a/submissions/description/insecure_os_firmware/template.md +++ b/submissions/description/insecure_os_firmware/template.md @@ -1,14 +1,10 @@ -# Insecure OS Firmware - -## Overview of the Vulnerability - When Operating System (OS) firmware is insecure, it broadens the application’s attack surface and gives an attacker more opportunity to maintain persistence and achieve a high level of privilege within the application. Firmware can be exploited via network, software, or hardware layers. Once compromised, an attacker can establish persistence, capture sensitive data, exfiltrate data, impact application performance, or pivot into attacking the company’s wider network. -## Business Impact +**Business Impact** -This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. +This vulnerability can lead to direct financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Start {{application}} on the operating system and navigate to {{url}} 1. Input the following payload into {{parameter}}: @@ -18,7 +14,7 @@ This vulnerability can lead to direct financial loss to the company due to data 1. Observe that the OS firmware is insecure -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows insecure OS firmware: diff --git a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_cannot_be_updated/template.md b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_cannot_be_updated/template.md index 9f78f59a..16dd8810 100644 --- a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_cannot_be_updated/template.md +++ b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_cannot_be_updated/template.md @@ -1,21 +1,17 @@ -# Firmware Cannot be Updated - -## Overview of the Vulnerability - The hardware lacks the capability for firmware updates, leaving the system exposed to unpatched vulnerabilities and security risks. These limitations prevents effective maintenance and security management, rendering the device obsolete against evolving threats. An attacker can leverage the lack of firmware updates to gain access to sensitive information. -## Business Impact +**Business Impact** Inability to perform firmware updates directly affects operational resilience and security posture, leading to potential system integrity and reliability issues. It elevates the risk of operational disruptions and could necessitate increased expenditures for device replacement or additional security measures. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the specific {{Hardware}} model: {{Hardware name and model number}} 2. Check the user interface or official documentation for firmware update options. 3. Verify the lack of an update mechanism by attempting to locate or execute a firmware update process within the device's settings or configuration portal. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_does_not_validate_update_integrity/template.md b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_does_not_validate_update_integrity/template.md index 3df1e74f..33a2cee8 100644 --- a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_does_not_validate_update_integrity/template.md +++ b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_does_not_validate_update_integrity/template.md @@ -1,20 +1,16 @@ -# Firmware Update Integrity Not Validated - -## Overview of the Vulnerability - The hardware fails to validate the authenticity and integrity of the update file. Without proper validation, the system is susceptible to accepting and installing corrupted or malicious updates, compromising the device's security and functionality. -## Business Impact +**Business Impact** The direct impact includes potential compromise of device functionality, unauthorized access to sensitive data, and the introduction of malware, leading to operational disruptions. This vulnerability undermines the trust in the device's security measures, potentially resulting in significant financial costs for mitigation and recovery, alongside damaging the organization's reputation for safeguarding user data and system integrity. -## Steps to Reproduce +**Steps to Reproduce** 1. Prepare a modified or corrupted firmware update file for the {{hardware version}}. 2. Initiate the firmware update process using the compromised file. 3. Observe the lack of validation checks for the update's authenticity or integrity during the update process. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_is_not_encrypted/template.md b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_is_not_encrypted/template.md index 5b5aff81..07907825 100644 --- a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_is_not_encrypted/template.md +++ b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/firmware_is_not_encrypted/template.md @@ -1,20 +1,16 @@ -# Firmware Not Encrypted - -## Overview of the Vulnerability - The firmware used for the hardware is stored or transmitted without encryption. This lack of encryption allows for easier reverse engineering and analysis, enabling unauthorized individuals to more readily identify security vulnerabilities within the device's firmware. -## Business Impact +**Business Impact** The absence of encryption on the firmware heightens the risk of security vulnerabilities being discovered and exploited. This can lead to unauthorized access and data breaches, compromising the integrity of the device. The subsequent detection and exploitation of these vulnerabilities can cause significant financial, operational, and reputational damage to the organization, diminishing customer trust and potentially violating regulatory compliance. -## Steps to Reproduce +**Steps to Reproduce** 1. Browse to the following URL and download the firmware: {{URL}} 2. Open the firmware file using {{Tool}} and {{techniques}}, due to its unencrypted state. 3. Observe that the firmware appears unencrypted, simplifying the process for reverse engineering and vulnerability identification. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/template.md b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/template.md index 050cf3b4..8d6cde25 100644 --- a/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/template.md +++ b/submissions/description/insecure_os_firmware/weakness_in_firmware_updates/template.md @@ -1,21 +1,17 @@ -# Weakness in Firmware Updates - -## Overview of the Vulnerability - There is a weakness in firmware updates that leaves the system exposed to unpatched vulnerabilities and security risks. These limitations prevents effective maintenance and security management, rendering the device obsolete against evolving threats. An attacker can leverage the weakness in firmware updates to gain access to sensitive information. -## Business Impact +**Business Impact** Weaknesses in firmware updates directly affects operational resilience and security posture, leading to potential system integrity and reliability issues. It can lead to unauthorized access and data breaches, compromising the integrity of the device. The subsequent detection and exploitation of these vulnerabilities can cause significant financial, operational, and reputational damage to the organization, diminishing customer trust and potentially violating regulatory compliance. -## Steps to Reproduce +**Steps to Reproduce** 1. Identify the specific {{Hardware}} model: {{Hardware name and model number}} 2. Check the user interface or official documentation for firmware update options. 3. Verify the weakness in the firmware update process within the device's settings or configuration portal. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/insufficient_security_configurability/lack_of_notification_email/template.md b/submissions/description/insufficient_security_configurability/lack_of_notification_email/template.md index 1c58ff98..955d3d93 100644 --- a/submissions/description/insufficient_security_configurability/lack_of_notification_email/template.md +++ b/submissions/description/insufficient_security_configurability/lack_of_notification_email/template.md @@ -1,20 +1,16 @@ -# Lack of Notification Email - -## Overview of the Vulnerability - The overall security of an application is diminished when accounts are not properly configured to include a notification email upon important account changes, such as a password or email address change. A lack of notification email on account changes allows an attacker who has gained access to a user's account through other means to make changes without notifying the user. -## Business Impact +**Business Impact** A lack of a notification email upon important account changes as a single vulnerability does not have a strong impact. However, chained with other vulnerabilities, it could lead to data theft through the attacker’s ability to manipulate data via their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login to a valid account and navigate to: {{URL}} 1. Modify an account variable, such as the password or username 1. Observe that no notification email is sent to the associated account email address to notify the owner of the change -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The lack of notification email can be seen below below:: diff --git a/submissions/description/insufficient_security_configurability/no_password_policy/template.md b/submissions/description/insufficient_security_configurability/no_password_policy/template.md index cf18df16..1d66782a 100644 --- a/submissions/description/insufficient_security_configurability/no_password_policy/template.md +++ b/submissions/description/insufficient_security_configurability/no_password_policy/template.md @@ -1,20 +1,16 @@ -# No Password Policy - -## Overview of the Vulnerability - When there is no password policy set, the strength of the overall authentication process for an application is diminished. No password policy is present within this web application, allowing for weak passwords to be used by any user, including Administrator accounts. This makes it relatively easy for an attacker to use password spraying or brute forcing methods to guess users passwords, with minimal effort required to compromise multiple users’ accounts. -## Business Impact +**Business Impact** Having no password policy can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Attempt to login 1. Observe that the application allows the use of weak passwords, such as `a` -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows that there is no password policy: diff --git a/submissions/description/insufficient_security_configurability/password_policy_bypass/template.md b/submissions/description/insufficient_security_configurability/password_policy_bypass/template.md index 5d2df81a..91d43f64 100644 --- a/submissions/description/insufficient_security_configurability/password_policy_bypass/template.md +++ b/submissions/description/insufficient_security_configurability/password_policy_bypass/template.md @@ -1,14 +1,10 @@ -# Password Policy Bypass - -## Overview of the Vulnerability - When there is no password policy set, or the password policy can be bypassed, the overall strength of the authentication process for an application is diminished. A password policy bypass is present within this web application, allowing for weak passwords to be used by any user. This makes it easy for an attacker to use password spraying or brute forcing methods to guess users passwords, with minimal effort required to compromise multiple users’ accounts. -## Business Impact +**Business Impact** Having a password policy bypass present within the application can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Attempt to login @@ -16,7 +12,7 @@ Having a password policy bypass present within the application can result in rep ​​{{parameter}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the bypass of the password policy: diff --git a/submissions/description/insufficient_security_configurability/template.md b/submissions/description/insufficient_security_configurability/template.md index abe1faf4..59b402e8 100644 --- a/submissions/description/insufficient_security_configurability/template.md +++ b/submissions/description/insufficient_security_configurability/template.md @@ -1,19 +1,15 @@ -# Insufficient Security Configurability - -## Overview of the Vulnerability - Insufficient security configurability refers to the lack of options or flexibility in configuring security settings within a system or application. This vulnerability may arise from hardcoded security configurations, limited options for customization, or inadequate documentation. Due to this, an attacker can manipulate data and perform actions that appear to originate from a legitimate user. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 2. Perform {{action}} and observe that the security configuration is weak -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the vulnerability: diff --git a/submissions/description/insufficient_security_configurability/verification_of_contact_method_not_required/template.md b/submissions/description/insufficient_security_configurability/verification_of_contact_method_not_required/template.md index a5e2c794..56ba2060 100644 --- a/submissions/description/insufficient_security_configurability/verification_of_contact_method_not_required/template.md +++ b/submissions/description/insufficient_security_configurability/verification_of_contact_method_not_required/template.md @@ -1,20 +1,16 @@ -# Verification of Contact Method Not Required - -## Overview of the Vulnerability - The overall security of an application is diminished when accounts are not properly verified upon creation of a new contact method, such as an email address. The lack of verification for the contact method allows an attacker to associate their own email address with a user's account which can lead to phishing and impersonation attacks, or account squatting. -## Business Impact +**Business Impact** A lack of a verification email for an updated contact method can result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login to a valid account and navigate to: {{URL}} 1. Modify a contact method of the account, such as the phone number of email address 1. Observe that no verification email is sent to the new contact method before it is associated with the account -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The lack of notification email can be seen below below:: diff --git a/submissions/description/insufficient_security_configurability/weak_password_policy/template.md b/submissions/description/insufficient_security_configurability/weak_password_policy/template.md index f14e53be..a579136f 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_policy/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_policy/template.md @@ -1,20 +1,16 @@ -# Weak Password Policy - -## Overview of the Vulnerability - When the password policy for an application is weak, the strength of the overall authentication process for the application is diminished. Not having complexity requirements for passwords, password history checks, or enforcing account lockouts, all weaken the password policy. This application’s weak password policy decreases the time it takes an attacker to successfully guess account passwords through manual or automated processes. This can lead to account take over for accounts with weak passwords set. -## Business Impact +**Business Impact** Having a weak password policy can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Attempt to login 1. Observe that the application allows the use of weak passwords -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak password policy: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/template.md index 2b2218bb..e4e3146d 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/template.md @@ -1,14 +1,10 @@ -# Weak Password Reset Implementation - -## Overview of the Vulnerability - When the password reset implementation is weak, the strength of the overall authentication process for the application is diminished. Tokens sent over HTTP, predictable reset tokens, and long expiry times create weak conditions for the password reset implementation. This application’s weak password reset implementation allows an attacker to intercept the password reset token and reset a user’s password, locking the user out of their account and achieving full account takeover. -## Business Impact +**Business Impact** Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login to a valid account and navigate to: {{URL}} @@ -16,7 +12,7 @@ Weak password reset implementation could lead to data theft from the attacker’ 1. Capture the request using the HTTP interception proxy 1. Observe the weakness in the password reset implementation -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak password reset implementation: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/template.md index b7172516..a541b8ed 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_has_long_timed_expiry/template.md @@ -1,23 +1,19 @@ -# Weak Password Reset Implementation (Token Has Long Timed Expiry) - -## Overview of the Vulnerability - The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application’s password reset implementation is weak as it has a long timed expiry, giving an attacker more time to discover an unexpired reset password token and use it to take over its account. -## Business Impact +**Business Impact** Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Initiate a password reset 1. Observe within the HTTP interception proxy that the password reset token has a long timed expiry -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot specifies the long timed expiry of the password reset token below: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_email_change/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_email_change/template.md index 91a356a6..b3c8d0e5 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_email_change/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_email_change/template.md @@ -1,23 +1,19 @@ -# Weak Password Reset Implementation (Token is Not Invalidated After Email Change) - -## Overview of the Vulnerability - The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application’s password reset implementation is weak as it allows an email that is no longer associated with the account to perform a password reset. -## Business Impact +**Business Impact** Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset 1. Navigate to the following URL and modify the account email address 1. Observe that the password reset token that was received in the earlier step is still valid -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows that the password reset token is not invalidated after email change below: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/template.md index 5a997736..57358d67 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_login/template.md @@ -1,25 +1,21 @@ -# Weak Password Reset Implementation (Token is Not Invalidated After Login) - -## Overview of the Vulnerability - The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application does not invalidate the password reset token after the user successfully resets their password and login to the application. If an attacker were to gain access to the system used to store the reset token, they could use this unused token to reset the user's password and gain access to the account. -## Business Impact +**Business Impact** Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset 1. Login to the application with the new password 1. Observe that the password reset token that was received in the earlier step is still valid -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows that the password reset token is not invalidated after login below: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_new_token_is_requested/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_new_token_is_requested/template.md index 8d01fb2f..36285565 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_new_token_is_requested/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_new_token_is_requested/template.md @@ -1,25 +1,21 @@ -# Weak Password Reset Implementation (Token is Not Invalidated After New Token is Requested) - -## Overview of the Vulnerability - The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application does not invalidate the password reset token after a new token is requested. If an attacker were to gain access to the system used to store the reset token, they could use this unused token to reset the user's password and gain access to the account. -## Business Impact +**Business Impact** Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset (request_1) 1. Initiate a password reset (request_2) 1. Open the received request_1 and observe that the password reset token is still valid -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows that the password reset token is not invalidated after a subsequent request for a password reset: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_password_change/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_password_change/template.md index adabb6fc..00acb1d7 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_password_change/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_password_change/template.md @@ -1,25 +1,21 @@ -# Weak Password Reset Implementation (Token is Not Invalidated After Password Change) - -## Overview of the Vulnerability - The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application does not invalidate the password reset token after a password change. If an attacker were to gain access to the system used to store the reset token, they could use this unused token to reset the user's password and gain access to the account. -## Business Impact +**Business Impact** Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset 1. Modify the password for the account 1. Observe that the password reset token received earlier is still valid -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows that the password reset token is not invalidated after a password change: diff --git a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_use/template.md b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_use/template.md index e1c0c636..0d9e1eed 100644 --- a/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_use/template.md +++ b/submissions/description/insufficient_security_configurability/weak_password_reset_implementation/token_is_not_invalidated_after_use/template.md @@ -1,25 +1,21 @@ -# Weak Password Reset Implementation (Token is Not Invalidated After Use) - -## Overview of the Vulnerability - The password reset implementation needs to involve a unique, temporary high-entropy token that has a short expiry and can only be used once. When these conditions are not met, the password reset implementation is considered weak. This diminishes the strength of the overall authentication process for the application and can lead to account takeover. The application does not invalidate the password reset token after its use. If an attacker were to gain access to the system used to store the reset token, or the email of the user, they could reset the users password again. -## Business Impact +**Business Impact** Weak password reset implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. If an attacker successfully takes over an account by capturing a password reset token, it can lead to data theft from the business. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the level of access gained by an attacker. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to login and navigate to: {{URL}} 1. Initiate a password reset 1. Utilize the password reset token received to reset the password 1. Observe that the password reset token received earlier is still valid after being used -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows that the password reset token is not invalidated after use: {{screenshot}} diff --git a/submissions/description/insufficient_security_configurability/weak_registration_implementation/allows_disposable_email_addresses/template.md b/submissions/description/insufficient_security_configurability/weak_registration_implementation/allows_disposable_email_addresses/template.md index a0e4e489..4e03753f 100644 --- a/submissions/description/insufficient_security_configurability/weak_registration_implementation/allows_disposable_email_addresses/template.md +++ b/submissions/description/insufficient_security_configurability/weak_registration_implementation/allows_disposable_email_addresses/template.md @@ -1,20 +1,16 @@ -# Allows Disposable Email Addresses - -## Overview of the Vulnerability - When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. The application allows users to submit a disposable or alias email address to register an account. An attacker can abuse this weakness to bulk register fake user profiles and use them to launch spam campaigns. -## Business Impact +**Business Impact** Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Register an account using a disposable email service 1. Observe that the account is created -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak registration implementation: diff --git a/submissions/description/insufficient_security_configurability/weak_registration_implementation/template.md b/submissions/description/insufficient_security_configurability/weak_registration_implementation/template.md index 391b9263..96397da4 100644 --- a/submissions/description/insufficient_security_configurability/weak_registration_implementation/template.md +++ b/submissions/description/insufficient_security_configurability/weak_registration_implementation/template.md @@ -1,20 +1,16 @@ -# Weak Registration Implementation - -## Overview of the Vulnerability - When the registration implementation for an application is weak, it diminishes the integrity of the overall authentication process. An application's registration process can be weakened by a connection over HTTP, or by allowing users to submit a disposable or alias email address to register an account, for example.The weak registration implementation for this application could allow an attacker to abuse the registration process and bulk register fake user profiles to launch spam campaigns. -## Business Impact +**Business Impact** Having a weak registration implementation can result in reputational damage for the business through the impact to customers’ trust as they could believe that the business doesn’t take their account security seriously or trust that their data within will remain secure. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Register an account 1. {{action}} and observe that the registration implementation is weak -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak registration implementation: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/missing_failsafe/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/missing_failsafe/template.md index 9b98b167..a592b5b7 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/missing_failsafe/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/missing_failsafe/template.md @@ -1,20 +1,16 @@ -# 2FA Missing Failsafe - -## Overview of the Vulnerability - Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. Not providing a failsafe in the 2FA implementation in the application could prevent a user who has lost their 2FA device to an attacker from resetting the password of their account. An attacker can take advantage of this and potentially take over user accounts. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 1. Navigate to the 2FA registration page at: {{url}} 1. Register for 2FA, and observe that the implementation provides no failsafe login methods, such as offline backup codes -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the missing 2FA failsafe: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/old_two_fa_code_is_not_invalidated_after_new_code_is_generated/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/old_two_fa_code_is_not_invalidated_after_new_code_is_generated/template.md index 66937eb6..668f39af 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/old_two_fa_code_is_not_invalidated_after_new_code_is_generated/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/old_two_fa_code_is_not_invalidated_after_new_code_is_generated/template.md @@ -1,14 +1,10 @@ -# Old 2FA Code is Not Invalidated After New Code is Generated - -## Overview of the Vulnerability - Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. An older 2FA code is not invalidated when a new code is generated in the application. This could allow an attacker to perform a replay attack. In this kind of attack, an attacker can use older unused 2FA codes to bypass the 2FA implementation of the application. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 1. When the 2FA step of the login is reached, request a code @@ -16,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. Input the first, older code into the 2FA input 1. Observe that the application allows the use of the first code after the second was generated, meaning it was not invalidated -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the old 2FA code not being invalidated: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/template.md index d232bf90..70ce6b95 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/template.md @@ -1,20 +1,16 @@ -# Weak 2FA Implementation - -## Overview of the Vulnerability - Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. The application’s implementation of 2FA is weak which makes user accounts more susceptible to compromise. An attacker can take advantage of this weak 2FA implementation and potentially take over user accounts. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 1. When the two factor authentication step of the login is reached, request a code 1. Perform {{action}} and observe that the 2FA implementation is weak -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the weak implementation of 2FA: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_code_is_not_updated_after_new_code_is_requested/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_code_is_not_updated_after_new_code_is_requested/template.md index 6a993260..81c26468 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_code_is_not_updated_after_new_code_is_requested/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_code_is_not_updated_after_new_code_is_requested/template.md @@ -1,21 +1,17 @@ -# 2FA Code is Not Updated After New Code is Requested - -## Overview of the Vulnerability - Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. A 2FA code is not updated when a new code is requested in the application which does not follow best practice for 2FA implementation. An attacker can take advantage of this weak 2FA implementation and potentially take over user accounts. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 1. When the 2FA step of the login is reached, request a code 1. When the first code is received, request a new code and verify that the second code is also received 1. Observe that the first and second code are identical, demonstrating that the 2FA code is not updated when a new code is requested -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates that the 2FA code is not updated when a new code is requested: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_cannot_be_rotated/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_cannot_be_rotated/template.md index ffc17f44..9d2ec0a4 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_cannot_be_rotated/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_cannot_be_rotated/template.md @@ -1,20 +1,16 @@ -# 2FA Secret Cannot be Rotated - -## Overview of the Vulnerability - Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. The 2FA secret cannot be rotated in the application which does not follow best practice for 2FA implementation.If an attacker were able to compromise a user's 2FA system, the user would not be able to invalidate their 2FA secret. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 1. Setup two factor authentication 1. After the 2FA secret is created, observe that there is no way in which the secret can be rotated -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates that the 2FA code can’t be rotated: diff --git a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_remains_obtainable_after_two_fa_is_enabled/template.md b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_remains_obtainable_after_two_fa_is_enabled/template.md index 407c07fe..ace6a11a 100644 --- a/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_remains_obtainable_after_two_fa_is_enabled/template.md +++ b/submissions/description/insufficient_security_configurability/weak_two_fa_implementation/two_fa_secret_remains_obtainable_after_two_fa_is_enabled/template.md @@ -1,20 +1,16 @@ -# 2FA Secret Remains Obtainable After 2FA is Enabled - -## Overview of the Vulnerability - Two Factor Authentication (2FA) adds an extra layer of security to user accounts by prompting them to enter a uniquely generated one-time password (OTP) after they have successfully inputted their username and password. The 2FA secret remains obtainable after initial setup in the application. This could allow an attacker with account access or physical access to bypass the 2FA system. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Login to the application at: {{url}} 1. Setup two factor authentication 1. After initial setup, observe that the two factor authentication secret is still obtainable at: {{url}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the full exploit: diff --git a/submissions/description/lack_of_binary_hardening/lack_of_exploit_mitigations/template.md b/submissions/description/lack_of_binary_hardening/lack_of_exploit_mitigations/template.md index 19ca95bb..c91b2541 100644 --- a/submissions/description/lack_of_binary_hardening/lack_of_exploit_mitigations/template.md +++ b/submissions/description/lack_of_binary_hardening/lack_of_exploit_mitigations/template.md @@ -1,20 +1,16 @@ -# Lack of Exploit Mitigations - -## Overview of the Vulnerability - A lack of exploit mitigations in an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker could abuse the lack of exploit mitigations in order to run known exploits on the application. From here, the attacker can access sensitive data stored, transmitted or processed by the application and perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** -This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. +This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Run the following known exploit: {{payload}} 1. Observe that the application does not contain any mitigations to prevent this exploit -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the lack of exploit mitigation: diff --git a/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/recommendations.md b/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/recommendations.md index 0c64985c..4ad50dfb 100644 --- a/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/recommendations.md +++ b/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/recommendations.md @@ -1,4 +1,5 @@ # Recommendation(s) + It is recommended to implement exploit mitigation controls within the application that prevent an attacker from analyzing, reverse engineering, or performing unauthorized code modifications. This can include leveraging jailbreak detection frameworks and libraries specifically designed to identify jailbroken (or rooted Android) devices. A good framework will monitor the runtime environment and check for the presence of known jailbreak files and directories. For further information, please refer to: diff --git a/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/template.md b/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/template.md index c267d891..20e5c677 100644 --- a/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/template.md +++ b/submissions/description/lack_of_binary_hardening/lack_of_jailbreak_detection/template.md @@ -1,20 +1,16 @@ -# Lack of Jailbreak Detections - -## Overview of the Vulnerability - A lack of jailbreak (iOS) or root access (Android) detections in an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker could abuse the lack of jailbreak (iOS) or root access (Android) detections to access the internal file system of the application, or inject unauthorized code into the application. -## Business Impact +**Business Impact** -This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. +This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Jailbreak (iOS) or gain root access (Android) to a mobile device 1. Install the application on the mobile device 1. Open the application and observe that the application does not prevent access or acknowledge that the mobile device has been jailbroken (iOS) or that root access (Android) has been gained, indicating it lacks a detection mechanism -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the lack of jailbreak (iOS) or root access (Android) detections: diff --git a/submissions/description/lack_of_binary_hardening/lack_of_obfuscation/template.md b/submissions/description/lack_of_binary_hardening/lack_of_obfuscation/template.md index c4299097..b5d4fcc0 100644 --- a/submissions/description/lack_of_binary_hardening/lack_of_obfuscation/template.md +++ b/submissions/description/lack_of_binary_hardening/lack_of_obfuscation/template.md @@ -1,19 +1,15 @@ -# Lack of Obfuscation - -## Overview of the Vulnerability - A lack of obfuscation of the source code of an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker could abuse non-obfuscated source code of the application, read source code without any hindrances and perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** -This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. +This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Observe that there is no obfuscation in the source code -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the lack of obfuscation: diff --git a/submissions/description/lack_of_binary_hardening/runtime_instrumentation_based/template.md b/submissions/description/lack_of_binary_hardening/runtime_instrumentation_based/template.md index d03aa4f3..45ee1910 100644 --- a/submissions/description/lack_of_binary_hardening/runtime_instrumentation_based/template.md +++ b/submissions/description/lack_of_binary_hardening/runtime_instrumentation_based/template.md @@ -1,19 +1,15 @@ -# Lack of Binary Hardening (Runtime Instrumentation-Based) - -## Overview of the Vulnerability - A lack of runtime instrumentation-based binary hardening of an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. When an application cannot detect changes in the code base at runtime compared to known integrity checks, the application can react in unpredictable ways. An attacker can take advantage of this lack of checks at runtime and alter the performance of the application, then also perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** -This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. +This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Observe that there is no integrity checking in the source code at runtime -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the lack of binary hardening: diff --git a/submissions/description/lack_of_binary_hardening/template.md b/submissions/description/lack_of_binary_hardening/template.md index a2fb4091..ebcd21f8 100644 --- a/submissions/description/lack_of_binary_hardening/template.md +++ b/submissions/description/lack_of_binary_hardening/template.md @@ -1,19 +1,15 @@ -# Lack of Binary Hardening - -## Overview of the Vulnerability - A lack of binary hardening of an application increases its attack surface and leaves it open to code analysis, reverse engineering, or modification of the application. An attacker with access to the code of an application with a lack of binary hardening can reverse engineer it and perform unauthorized code modification. From here, the attacker can access sensitive data stored, transmitted or processed by the application and perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** -This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or denial of service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. +This vulnerability can lead to indirect financial loss to the company due to data theft, application manipulation and corruption, or Denial of Service to customers and users of the application. It can also lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the source code files of the application 1. Observe that there is no binary hardening for the application -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the lack of binary hardening: diff --git a/submissions/description/misinterpretation_biases/context_ignorance/template.md b/submissions/description/misinterpretation_biases/context_ignorance/template.md index 218f74ab..45f9d609 100644 --- a/submissions/description/misinterpretation_biases/context_ignorance/template.md +++ b/submissions/description/misinterpretation_biases/context_ignorance/template.md @@ -1,19 +1,15 @@ -# Context Ignorance - -## Overview of the Vulnerability - Context ignorance occurs when AI models do not consider the broader context when making decisions, leading to uninformed or unfair decision making. This can be a result of the AI model's design or the training data it has been trained on. Outputs from AI models that have context ignorance can result in discrimination, reinforcement of stereotypes, or viewpoints that disadvantage certain groups. -## Business Impact +**Business Impact** Context ignorance in this AI model can result in a lack of fairness and objectivity which can lead to reputational damage and a loss of customer trust in the output of the model. Additionally, business decisions that rely on this AI model are also affected due to suboptimal outcomes and missed opportunities. -## Steps to Reproduce +**Steps to Reproduce** 1. Present the AI model with scenarios where it needs to consider broader context. 1. Observe the model's decisions and its inability to account for the context in its choices. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/misinterpretation_biases/template.md b/submissions/description/misinterpretation_biases/template.md index a9d53c35..2613f920 100644 --- a/submissions/description/misinterpretation_biases/template.md +++ b/submissions/description/misinterpretation_biases/template.md @@ -1,19 +1,15 @@ -# Misinterpretation Biases - -## Overview of the Vulnerability - Misinterpretation biases can occur when AI models incorrectly interpret the context or data, leading the model to make inaccurate decisions or predictions. These misinterpretation biases can stem from inadequate training data, or limitations in the model's design, resulting in outputs that to do not align with the context of the inputs. -## Business Impact +**Business Impact** Misinterpretation biases in this AI model can result in reputational damage and indirect monetary loss due to the loss of customer trust in the output of the model. -## Steps to Reproduce +**Steps to Reproduce** 1. Present the AI model with scenarios where it needs to consider broader context. 1. Observe the model's decisions and its inability to account for the context in its choices. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/mobile_security_misconfiguration/auto_backup_allowed_by_default/template.md b/submissions/description/mobile_security_misconfiguration/auto_backup_allowed_by_default/template.md index c7cdaa1d..ea723989 100644 --- a/submissions/description/mobile_security_misconfiguration/auto_backup_allowed_by_default/template.md +++ b/submissions/description/mobile_security_misconfiguration/auto_backup_allowed_by_default/template.md @@ -1,23 +1,19 @@ -# Auto Backup Allowed by Default - -## Overview of the Vulnerability - Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. When automatic backup is allowed by default, sensitive user data can be unknowingly stored on the mobile device. An attacker could abuse an application that has auto backup allowed by default to access this sensitive data from the application once they have physical access to the device. This could allow the attacker to bypass any in-app authentication and access sensitive data which they could abuse to perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Install the application on an android mobile device 1. In the mobile device, enable USB debugging 1. Use the android ADB tool to backup the data of the mobile device 1. In this backup, view that sensitive data from the application was included in the backup automatically -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/clipboard_enabled/template.md b/submissions/description/mobile_security_misconfiguration/clipboard_enabled/template.md index 29a3f4d4..3ab0d859 100644 --- a/submissions/description/mobile_security_misconfiguration/clipboard_enabled/template.md +++ b/submissions/description/mobile_security_misconfiguration/clipboard_enabled/template.md @@ -1,22 +1,18 @@ -# System Clipboard Enabled - -## Overview of the Vulnerability - Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. When the system clipboard is enabled, sensitive user data, such as passwords, can be unknowingly stored on the mobile device. An attacker could abuse the system clipboard being enabled to steal sensitive information that a user copied to their clipboard from within the application. With access to this sensitive data they could perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Install the application on your mobile device -1. Navigate to {{url}} and copy some sensitive account information +1. Navigate to the following URL: {{URL}} and copy some sensitive account information 1. Paste this data in some other area of your mobile device and observe that access to the clipboard was enabled in the application -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/absent/template.md b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/absent/template.md index 535a4930..f8dd0963 100644 --- a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/absent/template.md +++ b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/absent/template.md @@ -1,22 +1,18 @@ -# Mobile Security Misconfiguration (SSL Certificate Pinning Absent) - -## Overview of the Vulnerability - Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. SSL pinning adds an extra layer of security for an application as it forces the application to validate the server’s CA certificate against a known copy. Without SSL certificate pinning, an attacker could perform a Person-in-the-Middle (PitM) attack on the user. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Install the application on your mobile device 1. Route your mobile device's HTTP traffic through a proxy server and install/trust the proxy server's CA certificate 1. Open the application and observe that the HTTP traffic is routed through the proxy server, meaning the application does not implement certificate pinning -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/defeatable/template.md b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/defeatable/template.md index 204693c4..96696d40 100644 --- a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/defeatable/template.md +++ b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/defeatable/template.md @@ -1,16 +1,12 @@ -# Mobile Security Misconfiguration (SSL Certificate Pinning Defeatable) - -## Overview of the Vulnerability - Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. SSL pinning adds an extra layer of security for an application as it forces the application to validate the server’s CA certificate against a known copy. When SSL certificate pinning is defeatable, an attacker could perform a Person-in-the-Middle (PitM) attack on the user. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Install the application on your mobile device 1. Route your mobile device's HTTP traffic through a proxy server and install/trust the proxy server's CA certificate @@ -20,7 +16,7 @@ This vulnerability can lead to reputational damage as customers may view the app 1. Open the application and observe that the HTTP traffic is routed through the proxy server, meaning the certificate pinning was defeated -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/template.md b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/template.md index 58f34e24..20f85bda 100644 --- a/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/template.md +++ b/submissions/description/mobile_security_misconfiguration/ssl_certificate_pinning/template.md @@ -1,16 +1,12 @@ -# Mobile Security Misconfiguration (SSL Certificate Pinning) - -## Overview of the Vulnerability - Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. SSL pinning adds an extra layer of security for an application as it forces the application to validate the server’s CA certificate against a known copy. When SSL certificate pinning is misconfigured, an attacker could perform a Person-in-the-Middle (PitM) attack on the user. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Install the application on your mobile device 1. Route your mobile device's HTTP traffic through a proxy server and install/trust the proxy server's CA certificate @@ -20,7 +16,7 @@ This vulnerability can lead to reputational damage as customers may view the app 1. Open the application and observe that the HTTP traffic is routed through the proxy server, meaning the certificate pinning is misconfigured -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/tapjacking/template.md b/submissions/description/mobile_security_misconfiguration/tapjacking/template.md index c4b77353..d6f5d696 100644 --- a/submissions/description/mobile_security_misconfiguration/tapjacking/template.md +++ b/submissions/description/mobile_security_misconfiguration/tapjacking/template.md @@ -1,21 +1,17 @@ -# Tapjacking - -## Overview of the Vulnerability - Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. Tapjacking occurs when user input is captured by an application it was not intended for. This usually occurs through screen overlays that gather input when a user believes they are inputting information into a different screen. An attacker could abuse an application that does not protect sensitive UI functionality from tapjacking by stealing UI inputs from a user that uses the application on specific Android OS versions. With access to sensitive data through a tapjacking attack, an attacker could perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. View the source code files of the application -1. Navigate to {{url}} and view the sensitive UI functionality does not have the attribute `"filterTouchesWhenObscured="true"`, thus allowing tapjacking attacks on certain Android OS versions +1. Navigate to the following URL: {{URL}} and view the sensitive UI functionality does not have the attribute `"filterTouchesWhenObscured="true"`, thus allowing tapjacking attacks on certain Android OS versions -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/mobile_security_misconfiguration/template.md b/submissions/description/mobile_security_misconfiguration/template.md index 0f94900f..6c181196 100644 --- a/submissions/description/mobile_security_misconfiguration/template.md +++ b/submissions/description/mobile_security_misconfiguration/template.md @@ -1,19 +1,15 @@ -# Mobile Security Misconfiguration - -## Overview of the Vulnerability - Mobile security misconfigurations can occur at any level of the application stack and can involve unpatched software, unprotected files or pages, or unauthorized access to the application. An attacker can take advantage of security misconfigurations within the mobile application to perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage as customers may view the application as insecure. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following filesystem/page within the application: {{location}} 1. Observe through an HTTP interception proxy or in-application tools that there is a mobile security misconfiguration -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below shows the mobile security misconfiguration: diff --git a/submissions/description/network_security_misconfiguration/telnet_enabled/template.md b/submissions/description/network_security_misconfiguration/telnet_enabled/template.md index ef991197..18ccfc0d 100644 --- a/submissions/description/network_security_misconfiguration/telnet_enabled/template.md +++ b/submissions/description/network_security_misconfiguration/telnet_enabled/template.md @@ -1,19 +1,15 @@ -# Telnet Enabled - -## Overview of the Vulnerability - When telnet is enabled, all data sent over the connection is unsecured as telnet transmits all data via plain text. An attacker could perform a Person-in-the-Middle (PitM) attack and access sensitive data being transmitted via the telnet connection. With access to sensitive data through a PitM attack they could perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Issue the following command line in the terminal window: `telnet {{application}}` 1. Observe that a telnet connection is successfully established between the client computer and the application -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating that a successful telnet connection can be made: diff --git a/submissions/description/network_security_misconfiguration/template.md b/submissions/description/network_security_misconfiguration/template.md index b2f02df5..94770abd 100644 --- a/submissions/description/network_security_misconfiguration/template.md +++ b/submissions/description/network_security_misconfiguration/template.md @@ -1,19 +1,15 @@ -# Network Security Misconfiguration - -## Overview of the Vulnerability - Network security misconfigurations can occur in network devices, services, or infrastructure and expose the organization to security risks. This vulnerability was identified due to default settings, inadequate access controls, or improper firewall rules. Due to this, an attacker can perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Issue the following command line in the terminal window: {{command}} 1. Observe that the network security is bypassed and a connection is successfully established between the client computer and the application -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrate(s) the vulnerability: diff --git a/submissions/description/physical_security_issues/bypass_of_physical_access_control/template.md b/submissions/description/physical_security_issues/bypass_of_physical_access_control/template.md index bbeb11b4..c504aec1 100644 --- a/submissions/description/physical_security_issues/bypass_of_physical_access_control/template.md +++ b/submissions/description/physical_security_issues/bypass_of_physical_access_control/template.md @@ -1,21 +1,17 @@ -# Bypass of Physical Access Control - -## Overview of the Vulnerability - The physical access control mechanisms implemented to secure the device are vulnerable to a bypass attack. This flaw allows unauthorized attacker to circumvent the designed physical security measures implemented, gaining access to the device's internal hardware and components that are intended to be restricted. -## Business Impact +**Business Impact** The ability to bypass physical access controls undermines the overall security of the device, exposing it to risks of tampering, data extraction, or the insertion of malicious components. Such breaches can lead to compromised device integrity, unauthorized access to sensitive information, and potential operational failures. The resulting damage can extend to financial losses, erosion of customer trust, and reputational harm, especially if the compromise leads to broader security incidents. -## Steps to Reproduce +**Steps to Reproduce** 1. Walk up to the front of the {{hardware}}, and notice the lock currently in place to prevent access to the machine. -2. Walk to the opposite side, and you'll notice a vent grill attached with phillips head screws. -3. Using a philips #1 screwdriver, unscrew the vent grill and pull it off the device. +2. Walk to the opposite side, and you'll notice a vent grill attached with Philips head screws. +3. Using a Philips #1 screwdriver, unscrew the vent grill and pull it off the device. 4. You now have bypassed the access control and gained access to the device's internal components. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/physical_security_issues/weakness_in_physical_access_control/cloneable_key/template.md b/submissions/description/physical_security_issues/weakness_in_physical_access_control/cloneable_key/template.md index de36f429..74b545b9 100644 --- a/submissions/description/physical_security_issues/weakness_in_physical_access_control/cloneable_key/template.md +++ b/submissions/description/physical_security_issues/weakness_in_physical_access_control/cloneable_key/template.md @@ -1,14 +1,10 @@ -# Cloneable Key - -## Overview of the Vulnerability - The physical access control system securing the device relies on a physical key that is susceptible to cloning. This design flaw allows attackers, with brief access to the key, to create an unauthorized copy. Access to the key could be obtained through various means, including insider threats or by employing teleduplication techniques, where a photograph of the key is used to replicate it. Consequently, An attacker can gain unauthorised access by using a cloned key, circumventing intended security measures. -## Business Impact +**Business Impact** The possibility of key cloning poses a considerable security threat, undermining the physical security of the device and the safeguarding of the data and systems it contains. Unauthorized access achieved through a cloned key can lead to significant adverse outcomes, such as data breaches, unauthorized changes to the device, and the theft of sensitive or proprietary information. The repercussions of such incidents include financial losses, reputational damage to the organization, and diminished confidence from customers and business partners. -## Steps to Reproduce +**Steps to Reproduce** 1. Obtain access to the physical key for a short period of time (2 minutes). 2. Using a clay mold, dust the key with Talcum powder, and take an impression of the key briefly, and remove the key. @@ -22,7 +18,7 @@ or 3. With the image, look at the bow and you'll notice it says SC1, using the SC1 Depth and Space measurements which are public, we can identify the bitting as: {{bittingcode}} 4. Using a Key cutting machine or Impressioning file and Calipers, cut the key to the correct depth and space, and test to verify the key does work inside of the lock. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/physical_security_issues/weakness_in_physical_access_control/commonly_keyed_system/template.md b/submissions/description/physical_security_issues/weakness_in_physical_access_control/commonly_keyed_system/template.md index 92af5315..646910ba 100644 --- a/submissions/description/physical_security_issues/weakness_in_physical_access_control/commonly_keyed_system/template.md +++ b/submissions/description/physical_security_issues/weakness_in_physical_access_control/commonly_keyed_system/template.md @@ -1,20 +1,16 @@ -# Commonly Keyed System - -## Overview of the Vulnerability - The physical access control deployed to secure the device was found to use a lock keyed alike to commonly used keys. This scenario typically arises when locks are mass-manufactured with the same key configuration by vendors, intended for low-risk applications, or when a specific key standard is adopted with an expectation of limited use. When these lock systems are employed in contexts requiring higher security, like the device in question, the security efficacy is substantially reduced. The widespread availability or public knowledge of these keys means unauthorized individuals could easily obtain a key to gain access. -## Business Impact +**Business Impact** Utilizing a commonly keyed system for securing devices intended to be secure significantly undermines the device's physical security. It opens avenues for unauthorized access, potentially leading to theft, data breaches, and compromise of the device's integrity. The perceived ease of bypassing such a security measure can damage an organization's reputation, lead to financial losses, and erode customer trust, especially if sensitive information or valuable assets are compromised. -## Steps to Reproduce +**Steps to Reproduce** 1. Looking at the lock, we can identify markings showing {{markings}} which indicate the lock in use is a {{locksystem}} 2. This lock matches to the key {{key}} which is commonly keyed to other systems. 3. Attempt to unlock the device using the key. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/commonly_keyed_system/template.md b/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/commonly_keyed_system/template.md index 92af5315..646910ba 100644 --- a/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/commonly_keyed_system/template.md +++ b/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/commonly_keyed_system/template.md @@ -1,20 +1,16 @@ -# Commonly Keyed System - -## Overview of the Vulnerability - The physical access control deployed to secure the device was found to use a lock keyed alike to commonly used keys. This scenario typically arises when locks are mass-manufactured with the same key configuration by vendors, intended for low-risk applications, or when a specific key standard is adopted with an expectation of limited use. When these lock systems are employed in contexts requiring higher security, like the device in question, the security efficacy is substantially reduced. The widespread availability or public knowledge of these keys means unauthorized individuals could easily obtain a key to gain access. -## Business Impact +**Business Impact** Utilizing a commonly keyed system for securing devices intended to be secure significantly undermines the device's physical security. It opens avenues for unauthorized access, potentially leading to theft, data breaches, and compromise of the device's integrity. The perceived ease of bypassing such a security measure can damage an organization's reputation, lead to financial losses, and erode customer trust, especially if sensitive information or valuable assets are compromised. -## Steps to Reproduce +**Steps to Reproduce** 1. Looking at the lock, we can identify markings showing {{markings}} which indicate the lock in use is a {{locksystem}} 2. This lock matches to the key {{key}} which is commonly keyed to other systems. 3. Attempt to unlock the device using the key. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/template.md b/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/template.md index 4c552a57..ca73d96d 100644 --- a/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/template.md +++ b/submissions/description/physical_security_issues/weakness_in_physical_access_control/master_key_identification/template.md @@ -1,14 +1,10 @@ -# Master Key Identification - -## Overview of the Vulnerability - The physical access control system designed to secure the device utilizes a master keyed system. In such systems, locks can be opened by multiple keys, each cut differently, but all locks within the system can also be opened by a single master key. This configuration presents a significant security vulnerability. An attacker with access to a mastered lock, or who comes into possession of a key from the system, could derive the master key. With the master key, the attacker would have the capability to open all locks within the system, severely compromising security. -## Business Impact +**Business Impact** The potential for an attacker to derive the master key and gain unrestricted access to all areas secured by the system poses a considerable threat. It could lead to unauthorized access to sensitive areas, data breaches, theft of physical and intellectual property, and other security incidents. Such breaches can have far-reaching consequences, including financial losses, damage to the organization’s reputation, and loss of customer trust. The use of a master keyed system thereby introduces a critical point of failure in the physical security infrastructure. -## Steps to Reproduce +**Steps to Reproduce** 1. Obtain access to a lock from the master keyed system. 2. Apply a metal shim to the back of the lock cylinder where the key pins are binding. @@ -26,7 +22,7 @@ or 4. Using a tool, such as KeySpace, enter the details for the key system, and cut test keys to suit. 5. After testing each key, the key with the bitting {{bitting}} is our master key for this system. -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/physical_security_issues/weakness_in_physical_access_control/template.md b/submissions/description/physical_security_issues/weakness_in_physical_access_control/template.md index 1217af29..11a80f23 100644 --- a/submissions/description/physical_security_issues/weakness_in_physical_access_control/template.md +++ b/submissions/description/physical_security_issues/weakness_in_physical_access_control/template.md @@ -1,19 +1,15 @@ -# Weakness in Physical Access Control - -## Overview of the Vulnerability - A weakness has been identified in the physical access controls deployed to secure physical access to facilities, premises, or sensitive areas within an organization. This scenario typically arises from insufficient security measures, such as weak locks, ineffective surveillance, or lack of employee awareness. This vulnerability can result in unauthorized individuals could easily obtain a key to gain access. -## Business Impact +**Business Impact** The perceived ease of bypassing such a security measure can damage an organization's reputation, lead to financial losses, and erode customer trust, especially if sensitive information or valuable assets are compromised. -## Steps to Reproduce +**Steps to Reproduce** 1. Looking at the facility, it is possible to identify indications of physical access: {{indicators}} 1. Perform {{action}} to bypass {{security measure}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/privacy_concerns/template.md b/submissions/description/privacy_concerns/template.md index 7e4c0b17..1b57723d 100644 --- a/submissions/description/privacy_concerns/template.md +++ b/submissions/description/privacy_concerns/template.md @@ -1,20 +1,16 @@ -# Privacy Concerns - -## Overview of the Vulnerability - Privacy concerns arise when an application collects user or user device data that is not necessary for the functionality of the application. Unnecessary can range from personally identifiable user information to user device information that is not needed for use of the application. If an attacker were to gain access to this collected information they could perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Observe in the HTTP interception proxy that unnecessary data is being collected -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating that unnecessary data collection: diff --git a/submissions/description/privacy_concerns/unnecessary_data_collection/template.md b/submissions/description/privacy_concerns/unnecessary_data_collection/template.md index 1307312e..74aef083 100644 --- a/submissions/description/privacy_concerns/unnecessary_data_collection/template.md +++ b/submissions/description/privacy_concerns/unnecessary_data_collection/template.md @@ -1,20 +1,16 @@ -# Unnecessary Data Collection - -## Overview of the Vulnerability - Unnecessary data collection is where an application collects user or user device data that is not necessary for the functionality of the application. If an attacker were to gain access to this collected information they could perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Observe in the HTTP interception proxy that unnecessary data is being collected -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating that unnecessary data collection: diff --git a/submissions/description/privacy_concerns/unnecessary_data_collection/wifi_ssid_password/template.md b/submissions/description/privacy_concerns/unnecessary_data_collection/wifi_ssid_password/template.md index 7fdc4cbf..b41443c9 100644 --- a/submissions/description/privacy_concerns/unnecessary_data_collection/wifi_ssid_password/template.md +++ b/submissions/description/privacy_concerns/unnecessary_data_collection/wifi_ssid_password/template.md @@ -1,20 +1,16 @@ -# Unnecessary Data Collection (WIFI SSID & Password) - -## Overview of the Vulnerability - Unnecessary data collection is where an application collects user or user device data that is not necessary for the functionality of the application. The WIFI SSID and password is not used by the application and therefore its collection is unnecessary. If an attacker were to gain access to this collected information they could perform further attacks on the application, the business, or its users. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. Observe in the HTTP interception proxy that the WIFI SSID and password is being collected -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating that unnecessary data collection: diff --git a/submissions/description/sensitive_data_exposure/critically_sensitive_data/password_disclosure/template.md b/submissions/description/sensitive_data_exposure/critically_sensitive_data/password_disclosure/template.md index a9eb580a..9d3bc742 100644 --- a/submissions/description/sensitive_data_exposure/critically_sensitive_data/password_disclosure/template.md +++ b/submissions/description/sensitive_data_exposure/critically_sensitive_data/password_disclosure/template.md @@ -1,14 +1,10 @@ -# Critically Sensitive Data Exposure: Password Disclosure - -## Overview of the Vulnerability - Disclosure of critically sensitive data occurs when the data is not properly secured, allowing critically sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses the password of a user’s account which an attacker could use to take over the account and access, delete, or modify data from within the application. -## Business Impact +**Business Impact** Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -21,7 +17,7 @@ Disclosure of secrets can lead to indirect financial loss through an attacker ac 1. Verify that the password is valid and allows authenticated actions to be performed in the user’s account -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the password disclosed: diff --git a/submissions/description/sensitive_data_exposure/critically_sensitive_data/private_api_keys/template.md b/submissions/description/sensitive_data_exposure/critically_sensitive_data/private_api_keys/template.md index 82e4c44c..42a09029 100644 --- a/submissions/description/sensitive_data_exposure/critically_sensitive_data/private_api_keys/template.md +++ b/submissions/description/sensitive_data_exposure/critically_sensitive_data/private_api_keys/template.md @@ -1,16 +1,12 @@ -# Critically Sensitive Data Exposure: Private API Keys - -## Overview of the Vulnerability - Disclosure of critically sensitive data occurs when the data is not properly secured, allowing critically sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses private API keys which an attacker could use to abuse the API access and retrieve, delete, or modify data using the API functionality. -## Business Impact +**Business Impact** Critically sensitive data exposure can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. If the API is pay-per-use, this could lead to a direct financial cost to the business if an attacker were to repeatedly request resources from the API. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application and the API. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +19,7 @@ This could also result in reputational damage for the business through the impac 1. Verify that the API key is valid and allows access to sensitive data -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the API key disclosed: diff --git a/submissions/description/sensitive_data_exposure/critically_sensitive_data/template.md b/submissions/description/sensitive_data_exposure/critically_sensitive_data/template.md index 0e646e9b..6749f70b 100644 --- a/submissions/description/sensitive_data_exposure/critically_sensitive_data/template.md +++ b/submissions/description/sensitive_data_exposure/critically_sensitive_data/template.md @@ -1,16 +1,12 @@ -# Critically Sensitive Data Exposure - -## Overview of the Vulnerability - Disclosure of critically sensitive data occurs when the data is not properly secured, allowing critically sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This data exposure can be described as critically sensitive as its exposure would likely cause a high priority incident. -## Business Impact +**Business Impact** Critically sensitive data exposure can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. If a private API key is accessed and is pay-per-use, this could lead to a direct financial cost to the business if an attacker were to repeatedly request resources from the API. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application and the API. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -23,7 +19,7 @@ This could also result in reputational damage for the business through the impac 1. Verify that the critical sensitive data is valid and allows access to other data or functionality -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the password disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_known_public_information/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_known_public_information/template.md index 61870bf9..3ef2220b 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_known_public_information/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_known_public_information/template.md @@ -1,21 +1,17 @@ -# Sensitive Data Exposure: Disclosure of Known Public Information - -## Overview of the Vulnerability - Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This can occur due to a variety of scenarios such as not encrypting data, secrets committed to GitHub within public repositories, or exposed internal assets. Known public information is disclosed by this application which can be used by an attacker to build a profile of the business, the application, and its users for further attacks. -## Business Impact +**Business Impact** Disclosure of known public information can result in reputational damage for the business through an attacker’s ability to impact customers' trust through further attack methods, such as social engineering. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}} 1. Observe that publicly known information is being disclosed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the publicly known information disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/data_traffic_spam/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/data_traffic_spam/template.md index a696755b..dead9aa4 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/data_traffic_spam/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/data_traffic_spam/template.md @@ -1,14 +1,10 @@ -# Disclosure of Secrets in Data Traffic Spam - -## Overview of the Vulnerability - Disclosure of secrets occurs when the data is not properly secured, allowing sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses data within data traffic spam which can enable an attacker to use secrets for privilege escalation within the application, or to send API requests on behalf of the user. -## Business Impact +**Business Impact** Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +16,7 @@ Disclosure of secrets can lead to indirect financial loss through an attacker ac 1. Observe the disclosure of sensitive data in the HTTP interception proxy -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_internal_asset/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_internal_asset/template.md index 72d0269f..c2a351b4 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_internal_asset/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_internal_asset/template.md @@ -1,16 +1,12 @@ -# Disclosure of Secrets for Internal Asset - -## Overview of the Vulnerability - Disclosure of secrets for internal assets occurs when sensitive data for the internal assets is not behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, secrets committed to GitHub within public repositories, or exposed internal assets. Disclosure of secrets for this internal asset could be leveraged by an attacker to access the internal application or the environment where the application is hosted. -## Business Impact +**Business Impact** Disclosure of secrets for internal assets can lead to indirect financial loss due to an attacker accessing, deleting, or modifying data from within the application. This could happen through an insider threat, existing data breaches, or a malicious internal attacker escalating their privileges. Reputational damage for the business can also occur via the impact to customers’ trust that these events create. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Setup a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{url}}/data/ @@ -19,7 +15,7 @@ Disclosure of secrets for internal assets can lead to indirect financial loss du {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below show the full exploit: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_publicly_accessible_asset/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_publicly_accessible_asset/template.md index a7a9594b..82fed3f7 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_publicly_accessible_asset/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/for_publicly_accessible_asset/template.md @@ -1,14 +1,10 @@ -# Disclosure of Secrets for a Publicly Accessible Asset - -## Overview of the Vulnerability - Disclosure of secrets for a publicly available asset occurs when sensitive data is not behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, secrets committed to GitHub within public repositories, or exposed external assets. Disclosure of secrets for publicly available assets could be leveraged by an attacker to gain privileged access to the application or the environment where the application is hosted. From here, an attacker could execute functions under the guise of an Administrator user, depending on the permissions level they are able to access. -## Business Impact +**Business Impact** Disclosure of secrets for a publicly available asset can lead to indirect financial loss due to an attacker accessing, deleting, or modifying data from within the application. Reputational damage for the business can also occur via the impact to customers’ trust that these events create. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}}/data/ 1. Observe that secrets are being disclosed @@ -19,7 +15,7 @@ Disclosure of secrets for a publicly available asset can lead to indirect financ {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The exposed secrets for this publicly accessible asset can be seen in the screenshot below: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/intentionally_public_sample_or_invalid/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/intentionally_public_sample_or_invalid/template.md index 3c83cb6b..07187b26 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/intentionally_public_sample_or_invalid/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/intentionally_public_sample_or_invalid/template.md @@ -1,21 +1,17 @@ -# Disclosure of Secrets for an Invalid or Intentionally Publicly Sample - -## Overview of the Vulnerability - Disclosure of critically sensitive data occurs when the data is not properly secured, allowing critically sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses an invalid, or intentionally public sample, of secrets that are used for the application. While seemingly harmless, an attacker can use these examples to build wordlists, which can be used to bruteforce requests to the application until a valid secret is processed successfully. -## Business Impact +**Business Impact** Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application via the access gained using the non-corporate user account. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Observe the following invalid/Intentionally public secret was revealed: {{value}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/non_corporate_user/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/non_corporate_user/template.md index 988a682a..5f6e796a 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/non_corporate_user/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/non_corporate_user/template.md @@ -1,21 +1,17 @@ -# Disclosure of Secrets for Non-Corporate User - -## Overview of the Vulnerability - Disclosure of secrets occurs when the data is not properly secured. When secrets are exposed it can place the application at further risk of compromise. This application discloses secrets for a non-corporate user which can be leveraged by an attacker to access the application and make requests on the legitimate user’s behalf. -## Business Impact +**Business Impact** Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application via the access gained using the non-corporate user account. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following URL: {{URL}} 1. Observe the following secret for a non-corporate user was revealed: {{value}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pay_per_use_abuse/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pay_per_use_abuse/template.md index 5b8eccc0..5b019944 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pay_per_use_abuse/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pay_per_use_abuse/template.md @@ -1,14 +1,10 @@ -# Disclosure of Secrets Pay-Per-Use Abuse - -## Overview of the Vulnerability - Disclosure of secrets occurs when the data is not properly secured, allowing sensitive data, such as secrets, API keys, or other data critical to business operation to be exposed. This application discloses sensitive data that could be used by an attacker to make repeated API requests on a user’s behalf without their knowledge. Additionally, if an attacker is able to chain this vulnerability with another, they could use their access to the API to escalate privileges on the application and its hosted environment. -## Business Impact +**Business Impact** Disclosure of secrets can lead to direct financial loss through an attacker making repeated requests to the API which are generally pay-per-use. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -24,7 +20,7 @@ Disclosure of secrets can lead to direct financial loss through an attacker maki 1. Observe the HTTP 200 OK success status response code -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pii_leakage_exposure/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pii_leakage_exposure/template.md index 371ee144..8bfea50c 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pii_leakage_exposure/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/pii_leakage_exposure/template.md @@ -1,21 +1,17 @@ -# PII Leakage/Exposure - -## Overview of the Vulnerability - Personally Identifiable Information (PII) exposure can occur when sensitive data is not encrypted, or behind an authorization barrier. When PII is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, SSL not being used for authenticated pages, or passwords being stored using unsalted hashes. Examples of such data include, but are not limited to: Social Security Numbers (SSN), medical data, banking information, and login credentials. Sensitive data relating to the business was exposed. This data could be exfiltrated and used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors. -## Business Impact +**Business Impact** Leakage or exposure of PII can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}}/data/ 1. Observe that secrets are being disclosed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the PII disclosed: diff --git a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/template.md b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/template.md index 2248ee10..3a37219f 100644 --- a/submissions/description/sensitive_data_exposure/disclosure_of_secrets/template.md +++ b/submissions/description/sensitive_data_exposure/disclosure_of_secrets/template.md @@ -1,21 +1,17 @@ -# Disclosure of Secrets - -## Overview of the Vulnerability - Disclosure of secrets occurs when sensitive data is not behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, secrets committed to GitHub within public repositories, or exposed internal assets. Examples of secret data include, but are not limited to, vendor details, client information, Personally Identifiable Information (PII), Social Security Numbers, medical data, banking information, and credentials or authentication keys. Disclosure of secrets could be used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors. -## Business Impact +**Business Impact** Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}}/data/ 1. Observe that secrets are being disclosed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/automatic_user_enumeration/template.md b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/automatic_user_enumeration/template.md index 5d305a9b..b51ec8ec 100644 --- a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/automatic_user_enumeration/template.md +++ b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/automatic_user_enumeration/template.md @@ -1,14 +1,10 @@ -# Automatic User Enumeration from EXIF Geolocation Data on Uploaded Images - -## Overview of the Vulnerability - Exchangeable Image File Format (EXIF) data is a standard used to specify the format of metadata in photographs. Most EXIF data contains the make, model and type of camera used, the lens settings, as well as the geolocation data. This application does not remove the EXIF data when a user uploads photographs, which could be used by an attacker to find and collect the geolocation data of users. Additionally, software can be used to automatically extract the EXIF geolocation data from multiple uploaded images, which can be used to automatically enumerate users. -## Business Impact +**Business Impact** When an application fails to remove the EXIF data from uploaded images, it breaks the user’s trust in the application and can result in reputational damage to the business. This impact is amplified by the speed of which an attacker is able to enumerate geolocation data of users on the platform. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}} 1. Download the user uploaded image @@ -16,7 +12,7 @@ When an application fails to remove the EXIF data from uploaded images, it break {{Software}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the EXIF Geolocation Data: diff --git a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/manual_user_enumeration/template.md b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/manual_user_enumeration/template.md index d3f41f82..3d8b55c9 100644 --- a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/manual_user_enumeration/template.md +++ b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/manual_user_enumeration/template.md @@ -1,20 +1,16 @@ -# Manual User Enumeration from EXIF Geolocation Data on Uploaded Images - -## Overview of the Vulnerability - Exchangeable Image File Format (EXIF) data is a standard used to specify the format of metadata in photographs. Most EXIF data contains the make, model and type of camera used, the lens settings, as well as the geolocation data. This application does not remove the EXIF data when a user uploads photographs, which could be used by an attacker to find and collect the geolocation data of users. Additionally, software can be used to automatically extract the EXIF geolocation data from multiple uploaded images, which can be used to manually enumerate users. -## Business Impact +**Business Impact** When an application fails to remove the EXIF data from uploaded images, it breaks the user’s trust in the application and can result in reputational damage to the business. This impact is amplified as an attacker is able to manually enumerate geolocation data of users on the platform. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}} 1. Download the user uploaded image 1. Extract the EXIF geolocation data for multiple users -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the EXIF Geolocation Data: diff --git a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/template.md b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/template.md index b65faa5c..0696107a 100644 --- a/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/template.md +++ b/submissions/description/sensitive_data_exposure/exif_geolocation_data_not_stripped_from_uploaded_images/template.md @@ -1,20 +1,16 @@ -# EXIF Geolocation Data on Uploaded Images - -## Overview of the Vulnerability - Exchangeable Image File Format (EXIF) data is a standard used to specify the format of metadata in photographs. Most EXIF data contains the make, model and type of camera used, the lens settings, as well as the geolocation data. This application does not remove the EXIF data when a user uploads photographs, which could be used by an attacker to find and collect the geolocation data of users. -## Business Impact +**Business Impact** When an application fails to remove the EXIF data from uploaded images, it breaks the user’s trust in the application and can result in reputational damage to the business. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}} 1. Download the user uploaded image 1. Extract the EXIF geolocation data -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the EXIF Geolocation Data: diff --git a/submissions/description/sensitive_data_exposure/internal_ip_disclosure/template.md b/submissions/description/sensitive_data_exposure/internal_ip_disclosure/template.md index 1bc7d8dc..d0a46292 100644 --- a/submissions/description/sensitive_data_exposure/internal_ip_disclosure/template.md +++ b/submissions/description/sensitive_data_exposure/internal_ip_disclosure/template.md @@ -1,20 +1,16 @@ -# Internal IP Address Disclosure - -## Overview of the Vulnerability - Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application discloses an internal IP address which an attacker could use to gather information, and carry out network-layer attacks, on the underlying system. -## Business Impact +**Business Impact** When an application fails to mask internal IP addresses it leaves the internal network more susceptible to future network based attacks. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} 1. In the HTTP interception proxy, observe the disclosed internal IP address -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the disclosed internal IP address: diff --git a/submissions/description/sensitive_data_exposure/json_hijacking/template.md b/submissions/description/sensitive_data_exposure/json_hijacking/template.md index b296820f..8b6932c8 100644 --- a/submissions/description/sensitive_data_exposure/json_hijacking/template.md +++ b/submissions/description/sensitive_data_exposure/json_hijacking/template.md @@ -1,16 +1,12 @@ -# Sensitive Data Disclosure via JSON Hijacking - -## Overview of the Vulnerability - Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. JSON Hijacking allows a malicious attacker to exfiltrate sensitive data using Cross Site Request Forgery (CSRF) and overriding the Object prototype by using `__defineSetter__`. This application is susceptible to JSON hijacking which enables an attacker to retrieve sensitive data by tricking a user to click on a crafted link. Once a user clicks on the link, data from the user’s account is read and passed to the attacker. This allows an attacker to collect Personally Identifiable Information (PII) and sensitive metadata to escalate privileges or launch phishing campaigns on targeted users. -## Business Impact +**Business Impact** Sensitive data disclosure through JSON hijacking can result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Host the following payload on the attacker server: @@ -25,7 +21,7 @@ Sensitive data disclosure through JSON hijacking can result in reputational dama {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive data disclosed: diff --git a/submissions/description/sensitive_data_exposure/mixed_content/template.md b/submissions/description/sensitive_data_exposure/mixed_content/template.md index 83a39816..b603ad57 100644 --- a/submissions/description/sensitive_data_exposure/mixed_content/template.md +++ b/submissions/description/sensitive_data_exposure/mixed_content/template.md @@ -1,21 +1,17 @@ -# Sensitive Data Exposure via Mixed Content - -## Overview of the Vulnerability - Mixed content is when a page is loaded over a HTTPS connection but the application pulls content using a mix of HTTP and HTTPS, leaving the page susceptible to sniffing and Person-in-The-Middle (PiTM) attacks. This application discloses sensitive data via mixed content, enabling an attacker to collect sensitive metadata to escalate privileges or launch phishing campaigns on targeted users. -## Business Impact +**Business Impact** This vulnerability can lead to data theft through the attacker’s ability to manipulate data through their access to the application through a PiTM connection. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Login as a user and navigate to: {{URL}} 1. Use Developer Tools, Network tab to see that sensitive content is being served over HTTP: {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive data served over HTTP: diff --git a/submissions/description/sensitive_data_exposure/non_sensitive_token_in_url/template.md b/submissions/description/sensitive_data_exposure/non_sensitive_token_in_url/template.md index c437cbcd..52a06885 100644 --- a/submissions/description/sensitive_data_exposure/non_sensitive_token_in_url/template.md +++ b/submissions/description/sensitive_data_exposure/non_sensitive_token_in_url/template.md @@ -1,19 +1,15 @@ -# Sensitive Data Disclosure: Non-Sensitive Token in URL - -## Overview of the Vulnerability - Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application discloses a non-sensitive token in the URL which an attacker can use to build word lists for brute-forcing valid tokens across the application environment. -## Business Impact +**Business Impact** When an application discloses a non-sensitive token in the URL it leaves the application more susceptible to future attacks. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe the exposed token in the URL -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the non-sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/password_reset_token/template.md b/submissions/description/sensitive_data_exposure/password_reset_token/template.md index 7d8aa8f7..3d22eb9f 100644 --- a/submissions/description/sensitive_data_exposure/password_reset_token/template.md +++ b/submissions/description/sensitive_data_exposure/password_reset_token/template.md @@ -1,14 +1,10 @@ -# Password Reset Token Leakage via Referer Header - -## Overview of the Vulnerability - The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user password reset tokens over an untrusted third-party link. This token can be intercepted by a local attacker performing a Person-in-The-Middle (PiTM) attack, or by an attacker exploiting third-party vendors. With access to the exposed password reset token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -## Business Impact +**Business Impact** Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can capture the password reset token and use it to escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} @@ -16,7 +12,7 @@ Token Leakage via `Referer` header can lead to indirect financial loss through a 1. Capture the request using the HTTP interception proxy 1. Observe the password token in the `Referer` header -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot(s) demonstrate(s) this vulnerability: diff --git a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/file_paths/template.md b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/file_paths/template.md index cd4250e3..b2da6df2 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/file_paths/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/file_paths/template.md @@ -1,14 +1,10 @@ -# Hardcoded File Paths - -## Overview of the Vulnerability - Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application has hardcoded file paths which can be used by an attacker to request files from the underlying system via directory traversal and can lead to exposure of data such as file naming conventions, system admin users, and permissions on the system. -## Business Impact +**Business Impact** This vulnerability can lead to sensitive data through the attacker’s ability to manipulate the application through their access to the hardcoded file paths. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +13,7 @@ This vulnerability can lead to sensitive data through the attacker’s ability t {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the hardcoded file path: diff --git a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/oauth_secret/template.md b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/oauth_secret/template.md index c2eac6cb..7898e7be 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/oauth_secret/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/oauth_secret/template.md @@ -1,14 +1,10 @@ -# Hardcoded OAuth Secret - -## Overview of the Vulnerability - Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application has hardcoded OAuth secrets which can be used by an attacker to escalate privileges within the application via OAuth workflows. -## Business Impact +**Business Impact** This vulnerability can lead to sensitive data through the attacker’s ability to manipulate the application through their access to the hardcoded file paths. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +13,7 @@ This vulnerability can lead to sensitive data through the attacker’s ability t {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the hardcoded OAuth secret: diff --git a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/template.md b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/template.md index e62b4025..2b7a4b38 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_data_hardcoded/template.md @@ -1,14 +1,10 @@ -# Hardcoded Sensitive Data - -## Overview of the Vulnerability - Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. This application has sensitive data that is hardcoded, such as API keys, credentials, or Personally Identifiable Information (PII). This hardcoded sensitive data can be used by an attacker to gain access to the application and escalate their privileges, which can lead to user account compromise and data exfiltration. -## Business Impact +**Business Impact** This vulnerability can lead to data exfiltration through the attacker’s ability to manipulate the application through their access to the hardcoded sensitive data. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -17,7 +13,7 @@ This vulnerability can lead to data exfiltration through the attacker’s abilit {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the hardcoded sensitive data: diff --git a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/in_the_background/template.md b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/in_the_background/template.md index 631a9313..93ae98d8 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/in_the_background/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/in_the_background/template.md @@ -1,19 +1,15 @@ -# Sensitive Token Exposed in URL in Background - -## Overview of the Vulnerability - Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. The application discloses a sensitive token in the URL in background requests which are not seen in the main user interface. If captured by an attacker, these sensitive tokens can be used to escalate privileges or authorize API calls within the application. -## Business Impact +**Business Impact** Disclosure of a sensitive token in the URL in the background could lead to data manipulation through the attacker’s ability to manipulate the application through their access to the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe the exposed token in the URL of a background request -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive token: diff --git a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/on_password_reset/template.md b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/on_password_reset/template.md index dc92a841..1d356e0e 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/on_password_reset/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/on_password_reset/template.md @@ -1,20 +1,16 @@ -# Sensitive Token Exposed in URL On Password Reset - -## Overview of the Vulnerability - Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. The application discloses a sensitive token in the URL upon the password reset function which, if captured by an attacker, can be used to reset a legitimate user’s account password to one they control, successfully taking over the user’s account. -## Business Impact +**Business Impact** This vulnerability can lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Navigate to the password reset function 1. Observe the exposed token in the URL -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/template.md b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/template.md index 00b2bbf2..b56261fd 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/template.md @@ -1,19 +1,15 @@ -# Sensitive data disclosure: Sensitive Token in URL - -## Overview of the Vulnerability - Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. The application discloses a sensitive token in the URL, which, if captured by an attacker, can be used to gain access to the users account through this token, breaching the Confidentiality and Integrity of that account. -## Business Impact +**Business Impact** A sensitive token in the URL could lead to data manipulation through the attacker’s ability to manipulate the application through their access to the application. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe the exposed token in the URL -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/user_facing/template.md b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/user_facing/template.md index 37478e5b..464df7b8 100644 --- a/submissions/description/sensitive_data_exposure/sensitive_token_in_url/user_facing/template.md +++ b/submissions/description/sensitive_data_exposure/sensitive_token_in_url/user_facing/template.md @@ -1,19 +1,15 @@ -# Sensitive Token Exposed in URL User Facing - -## Overview of the Vulnerability - Sensitive data can be exposed when it is not behind an authorization barrier. When this information is exposed it can place the application at further risk of compromise. The application discloses a sensitive token in the URL that is user facing which can be captured by an attacker. This allows the attacker to gain access to a legitimate user’s account, breaching the Confidentiality and Integrity of their account. -## Business Impact +**Business Impact** This vulnerability can lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Login as a user and navigate to: {{URL}} 1. Observe the exposed token in the URL -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive token in the URL: diff --git a/submissions/description/sensitive_data_exposure/template.md b/submissions/description/sensitive_data_exposure/template.md index 31584f4f..af7523e8 100644 --- a/submissions/description/sensitive_data_exposure/template.md +++ b/submissions/description/sensitive_data_exposure/template.md @@ -1,21 +1,17 @@ -# Sensitive Data Exposure - -## Overview of the Vulnerability - Sensitive data exposure can occur when sensitive data is not encrypted, or behind an authorization barrier. When this information is exposed it can place sensitive data, such as secrets, at risk. This can occur due to a variety of scenarios such as not encrypting data, SSL not being used for authenticated pages, or passwords being stored using unsalted hashes. Examples of such data include, but are not limited to: personally identifiable information (PII), Social Security numbers, medical data, banking information, and login credentials. Sensitive data relating to the business was exposed. This data could be exfiltrated and used by an attacker to sell access to databases and database content, or use credentials identified to take over accounts, amongst other attack vectors. -## Business Impact +**Business Impact** Disclosure of secrets can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact to the business is dependent on the sensitivity of the data being stored in, and transmitted by the application. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{url}}/data/ 1. Observe that secrets are being disclosed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshots below displays the secrets disclosed: diff --git a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/over_http/template.md b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/over_http/template.md index f2417a93..e8855061 100644 --- a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/over_http/template.md +++ b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/over_http/template.md @@ -1,21 +1,17 @@ -# Token Leakage via Referer Header over HTTP - -## Overview of the Vulnerability - The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user tokens that are transmitted over an unencrypted HTTP connection. This connection can be intercepted by a local attacker performing a Person-in-The-Middle (PiTM) attack, or by an attacker exploiting third-party vendors. With access to the exposed token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -## Business Impact +**Business Impact** Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} 1. Capture the request using the HTTP interception proxy 1. Observe the token in `Referer` header and that the connection is over HTTP -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the token exposed within the `Referer` HTTP request header over a HTTP connection: diff --git a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/template.md b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/template.md index b83602cb..0c0c1f01 100644 --- a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/template.md +++ b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/template.md @@ -1,21 +1,17 @@ -# Token Leakage via Referer Header - -## Overview of the Vulnerability - The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user tokens which can be intercepted by an attacker performing a Person-in-The-Middle (PiTM) attack, or by exploiting third-party vendors. With access to the exposed token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -## Business Impact +**Business Impact** Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} 1. Capture the request using the HTTP interception proxy 1. Observe the token in `Referer` header -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the token exposed within the `Referer` HTTP request header: diff --git a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/trusted_third_party/template.md b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/trusted_third_party/template.md index 2956dbbf..9fa0a4f3 100644 --- a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/trusted_third_party/template.md +++ b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/trusted_third_party/template.md @@ -1,14 +1,10 @@ -# Token Leakage via Referer Header over Trusted Third-Party - -## Overview of the Vulnerability - The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user tokens to a trusted third-party. This token can be intercepted by a local attacker performing a Person-in-The-Middle (PiTM) attack, or by an attacker exploiting third-party vendors. With access to the exposed token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -## Business Impact +**Business Impact** Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} @@ -16,7 +12,7 @@ Token Leakage via `Referer` header can lead to indirect financial loss through a 1. Capture the request using the HTTP interception proxy 1. Observe the token is in `Referer` header and that the connection is over HTTP -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the token exposed within the `Referer` HTTP request header over a HTTP connection: diff --git a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/untrusted_third_party/template.md b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/untrusted_third_party/template.md index 0ca5b668..3fa5fd56 100644 --- a/submissions/description/sensitive_data_exposure/token_leakage_via_referer/untrusted_third_party/template.md +++ b/submissions/description/sensitive_data_exposure/token_leakage_via_referer/untrusted_third_party/template.md @@ -1,14 +1,10 @@ -# Token Leakage via Referer Header over Untrusted Third-Party - -## Overview of the Vulnerability - The `Referer` HTTP request header is used to show the URL of the page a user requested the resource from. This application’s `Referer` headers leak valid user tokens over an untrusted third-party link. This token can be intercepted by a local attacker performing a Person-in-The-Middle (PiTM) attack, or by an attacker exploiting third-party vendors. With access to the exposed token in the `Referer` HTTP header, the attacker could escalate privileges and execute API calls on behalf of a user in the application. -## Business Impact +**Business Impact** Token Leakage via `Referer` header can lead to indirect financial loss through an attacker accessing, deleting, or modifying data from within the application, providing that they can escalate privileges and execute API calls. This could also result in reputational damage for the business through the impact to customers’ trust. The severity of the impact is dependent on the sensitivity of the data being stored in, and transmitted by the application, as well as the privileges of the account the attacker gains access to. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login and navigate to: {{URL}} @@ -16,7 +12,7 @@ Token Leakage via `Referer` header can lead to indirect financial loss through a 1. Capture the request using the HTTP interception proxy 1. Observe the token in `Referer` header and that theconnection is over HTTP -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the token exposed within the `Referer` HTTP request header over a HTTP connection: diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md index cbb7e8a3..d8b4aad6 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/non_sensitive_token/template.md @@ -1,14 +1,10 @@ -# Non-Sensitive Token Exposed in Local or Session Storage - -## Overview of the Vulnerability - Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses a non-sensitive token in the local storage which is accessible by JavaScript. As a result, the token can be captured by an attacker using Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF), allowing them to gather relevant user data and leverage this information to build phishing campaigns. -## Business Impact +**Business Impact** This vulnerability can lead to data theft through the attacker’s ability to access and manipulate sensitive data through their access to the application's local session. These malicious actions can result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +16,7 @@ This vulnerability can lead to data theft through the attacker’s ability to ac 1. Observe the exposed sensitive token -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the non-sensitive token exposed via the local storage: diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md index 61cd59b7..b5b3579c 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/sensitive_token/template.md @@ -1,14 +1,10 @@ -# Sensitive Token Exposed in Local or Session Storage - -## Overview of the Vulnerability - Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses a sensitive token in the local storage which is accessible by JavaScript. As a result, the sensitive token can be captured by an attacker using Cross-Site Scripting (XSS), allowing them to locally reset a legitimate user’s account password to one they control, successfully taking over the user’s account. -## Business Impact +**Business Impact** This vulnerability can lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +16,7 @@ This vulnerability can lead to data theft through the attacker’s ability to ma 1. Observe the exposed sensitive token -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive token exposed via the local storage: diff --git a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md index 97c1d352..aaa09c0e 100644 --- a/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md +++ b/submissions/description/sensitive_data_exposure/via_localstorage_sessionstorage/template.md @@ -1,14 +1,10 @@ -# Sensitive Data Exposed in Local or Session Storage - -## Overview of the Vulnerability - Local storage, also known as offline, web, or session storage, is the underlying storage mechanism which varies from one user agent to the next. This application discloses sensitive data in the local storage which is accessible by JavaScript. As a result, the sensitive data can be captured by an attacker using Cross-Site Scripting (XSS), allowing them to locally access the sensitive data and use it in further attacks. -## Business Impact +**Business Impact** This vulnerability can lead to data theft through the attacker’s ability to access and manipulate sensitive data through their access to the application's local session. These malicious actions can result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -20,7 +16,7 @@ This vulnerability can lead to data theft through the attacker’s ability to ac 1. Observe the exposed sensitive data -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the sensitive data exposed via the local storage: diff --git a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/descriptive_stack_trace/template.md b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/descriptive_stack_trace/template.md index a75f1f48..e9558ffc 100644 --- a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/descriptive_stack_trace/template.md +++ b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/descriptive_stack_trace/template.md @@ -1,21 +1,17 @@ -# Descriptive Stack Trace - -## Overview of the Vulnerability - Visible detailed error pages are a result of improper error handling which introduces a variety of security problems for a website. Detailed internal error messages, such as error codes, stack traces and database dumps, can be displayed publicly, leaking implementation information. The descriptive stack trace leaked by this application shows versions of software and implementation data. An attacker can collect this data and combine it with other attack vectors to increase the severity and impact of malicious attacks on the application or exploit specific versions of software that have known vulnerabilities. -## Business Impact +**Business Impact** This vulnerability can impact customers’ trust in the application which can result in reputational damage for the business and indirect financial losses. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe detailed error message showing a descriptive stack trace -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the data disclosed in the descriptive stack trace: diff --git a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/detailed_server_configuration/template.md b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/detailed_server_configuration/template.md index 25bf4e0a..32d1a190 100644 --- a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/detailed_server_configuration/template.md +++ b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/detailed_server_configuration/template.md @@ -1,21 +1,17 @@ -# Detailed Server Configuration - -## Overview of the Vulnerability - Visible detailed error pages are a result of improper error handling which introduces a variety of security problems for a website. Detailed internal error messages, such as error codes, stack traces and database dumps, can be displayed publicly, leaking implementation information. The detailed server configuration leaked by this application shows which versions of software are running, physical paths, environmental variables, and the software configuration settings. An attacker can collect this data and combine it with other attack vectors to increase the severity and impact of malicious attacks on the application or exploit specific versions of software that have known vulnerabilities. -## Business Impact +**Business Impact** This vulnerability can impact customers’ trust in the application which can result in reputational damage for the business and indirect financial losses. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe detailed error message showing detailed server configuration -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the data disclosed in the detailed server configuration: diff --git a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/full_path_disclosure/template.md b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/full_path_disclosure/template.md index 72de1181..97381cfb 100644 --- a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/full_path_disclosure/template.md +++ b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/full_path_disclosure/template.md @@ -1,21 +1,17 @@ -# Full Path Disclosure - -## Overview of the VUlnerability - Visible detailed error pages are a result of improper error handling which introduces a variety of security problems for a website. Detailed internal error messages, such as error codes, stack traces and database dumps, can be displayed publicly, leaking implementation information. The full path disclosure leaked by this application displays implementation information which should not be publicly available. An attacker can collect this data and combine it with other attack vectors to increase the severity and impact of malicious attacks on the application and access the paths displayed. -## Business Impact +**Business Impact** This vulnerability can impact customers’ trust in the application which can result in reputational damage for the business and indirect financial losses. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe detailed error message showing the full path disclosure -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the data disclosed in the full path disclosure: diff --git a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/template.md b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/template.md index 190ee1a8..534d216e 100644 --- a/submissions/description/sensitive_data_exposure/visible_detailed_error_page/template.md +++ b/submissions/description/sensitive_data_exposure/visible_detailed_error_page/template.md @@ -1,19 +1,15 @@ -# Visible Detailed Error Page - -## Overview of the Vulnerability - Visible detailed error pages are a result of improper error handling which introduces a variety of security problems for a website. Detailed internal error messages, such as error codes, stack traces and database dumps, can be displayed publicly, leaking implementation information. The detailed error pages leaked by this application can be collected by an attacker and combined with other attack vectors to increase the severity and impact of malicious attacks on the application. -## Business Impact +**Business Impact** This vulnerability can impact customers’ trust in the application which can result in reputational damage for the business and indirect financial losses. -## Steps to Reproduce +**Steps to Reproduce** 1. Use a browser to navigate to: {{URL}} 1. Observe detailed error message -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the data disclosed in the detailed error message: diff --git a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/password_reset_token_sent_over_http/template.md b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/password_reset_token_sent_over_http/template.md index 1b7ca250..dfa52eb3 100644 --- a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/password_reset_token_sent_over_http/template.md +++ b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/password_reset_token_sent_over_http/template.md @@ -1,16 +1,12 @@ -# Password Reset Token Sent Over HTTP - -## Overview of the Vulnerability - When the password reset implementation is weak, the strength of the overall authentication process for the application is diminished. Tokens sent over HTTP, predictable reset tokens, and long expiry times create weak conditions for the password reset implementation. This application transmits the password reset token over an insecure HTTP connection, rather than HTTPS. An attacker could intercept this token and reset a user’s password, locking the user out of their account and achieving full account takeover. -## Business Impact +**Business Impact** Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login to a valid account and navigate to: {{URL}} @@ -18,7 +14,7 @@ Weak password reset implementation could lead to data theft from the attacker’ 1. Capture the request using the HTTP interception proxy 1. Observe that the password reset token is being sent over HTTP -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below displays the password reset token being sent over HTTP: diff --git a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/template.md b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/template.md index 8e1683b2..a6b6dfdb 100644 --- a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/template.md +++ b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/template.md @@ -1,14 +1,10 @@ -# Weak Password Reset Implementation - -## Overview of the Vulnerability - When the password reset implementation is weak, the strength of the overall authentication process for the application is diminished. Tokens sent over HTTP, predictable reset tokens, and long expiry times create weak conditions for the password reset implementation. This application’s weak password reset implementation allows an attacker to abuse the password reset token and reset a user’s password, locking the user out of their account and achieving full account takeover. -## Business Impact +**Business Impact** Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to login to a valid account and navigate to: {{URL}} @@ -16,7 +12,7 @@ Weak password reset implementation could lead to data theft from the attacker’ 1. Capture the request using the HTTP interception proxy 1. Observe the weakness in the password reset implementation -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The following screenshot shows the weak password reset implementation: diff --git a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/token_leakage_via_host_header_poisoning/template.md b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/token_leakage_via_host_header_poisoning/template.md index 981bac7a..769a767e 100644 --- a/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/token_leakage_via_host_header_poisoning/template.md +++ b/submissions/description/sensitive_data_exposure/weak_password_reset_implementation/token_leakage_via_host_header_poisoning/template.md @@ -1,14 +1,10 @@ -# Password Reset Token Leakage via Host Header Poisoning - -## Overview of the Vulnerability - When the password reset implementation is weak, the strength of the overall authentication process for the application is diminished. `Host` header poisoning occurs when the `Host` header is manipulated in a HTTP request to point to a domain an attacker controls. From here, when the user clicks on the password reset link sent to their email, the attacker can capture the the token and reset a user’s password, locking the user out of their account and achieving full account takeover. -## Business Impact +**Business Impact** Weak password reset implementation could lead to data theft from the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users. This includes them performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -18,7 +14,7 @@ Weak password reset implementation could lead to data theft from the attacker’ 1. From the user’s email account, click the password reset link 1. Observer that an attacker can capture the password reset token -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below displays the weak password reset implementation: diff --git a/submissions/description/sensitive_data_exposure/xssi/template.md b/submissions/description/sensitive_data_exposure/xssi/template.md index 390f02b8..c2afea4f 100644 --- a/submissions/description/sensitive_data_exposure/xssi/template.md +++ b/submissions/description/sensitive_data_exposure/xssi/template.md @@ -1,14 +1,10 @@ -# Sensitive Data Exposure via Cross-Site Script Inclusion - -## Overview of the Vulnerability - Cross-Site Script Inclusion (XSSI) is a client-side attack that uses JavaScript within an authenticated session to leak sensitive data. This sensitive data could be authentication related or user related sensitive data. XSSI can be found on this domain which allows an attacker to control code that is executed within a user’s authenticated session. -## Business Impact +**Business Impact** XSSI could lead to data theft and exfiltration through the attacker’s ability to manipulate data. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to: {{URL}} @@ -21,7 +17,7 @@ XSSI could lead to data theft and exfiltration through the attacker’s ability 1. Log into an account and navigate to URL which contains the payload 1. Observe the JavaScript payload being executed -## Proof of Concept (PoC) +**Proof of Concept (PoC)** Below is a screenshot demonstrating the injected JavaScript executing: diff --git a/submissions/description/server_security_misconfiguration/bitsquatting/template.md b/submissions/description/server_security_misconfiguration/bitsquatting/template.md index 872a31f1..f441a233 100644 --- a/submissions/description/server_security_misconfiguration/bitsquatting/template.md +++ b/submissions/description/server_security_misconfiguration/bitsquatting/template.md @@ -1,14 +1,10 @@ -# Bitsquatting - -## Overview of the Vulnerability - Bitsquatting is the act of registering domains with one bit flipped from the original domain name. This allows an attacker to hijack traffic from known domains via DNS queries from accidental key presses, as well as misconfigurations on hardware processing the queries. Bitflipping domains can allow an attacker to serve malicious content and collect data on behalf of the targeted application in the form of HTTP requests, binary data, and other sensitive data. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Register domain with one bitflipped e.g. Bugcrowd.com -> eugcrowd.com 1. {{action}} to collect data on the bitflipped domain @@ -16,7 +12,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t {{screenshot}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the bitsquatting: diff --git a/submissions/description/server_security_misconfiguration/cache_poisoning/template.md b/submissions/description/server_security_misconfiguration/cache_poisoning/template.md index 10b8058e..0a2b8318 100644 --- a/submissions/description/server_security_misconfiguration/cache_poisoning/template.md +++ b/submissions/description/server_security_misconfiguration/cache_poisoning/template.md @@ -1,16 +1,12 @@ -# Cache Poisoning - -## Overview of the Vulnerability - A web cache allows for static and fast fetching of content in web applications. Content Delivery Networks (CDNs) are commonly used to serve content used by applications. A malicious attacker can take advantage of caching mechanisms to serve content or deny service to certain applications using X-Based Host headers (X-Forwarded-Host, etc.). Cache poisoning allows an attacker to serve content for cached pages on CDNs and websites with cache misconfigurations. This opens the application up to attacks like Cross-Site Request Forgery (CSRF), and to leakage of sensitive information. -## Business Impact +**Business Impact** This vulnerability can lead to reputational damage and indirect financial loss to the company through the impact to customers’ trust. -## Steps to Reproduce +**Steps to Reproduce** 1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP 1. Use a browser to navigate to the following url: {{URL}} @@ -27,7 +23,7 @@ This vulnerability can lead to reputational damage and indirect financial loss t 1. {{action}} to poison the cache -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot below demonstrates the cache poisoning: diff --git a/submissions/description/server_security_misconfiguration/captcha/brute_force/template.md b/submissions/description/server_security_misconfiguration/captcha/brute_force/template.md index 8f5214d8..75b26aab 100644 --- a/submissions/description/server_security_misconfiguration/captcha/brute_force/template.md +++ b/submissions/description/server_security_misconfiguration/captcha/brute_force/template.md @@ -1,21 +1,17 @@ -# CAPTCHA Can be Bruteforced - -## Overview of the Vulnerability - A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. A CAPTCHA can be bypassed when the implementation or its workflow is misconfigured, or when software can be used to bypass the challenge. An attacker can leverage scripts and tools to bypass the CAPTCHA and make requests to critical functionality without a rate limit. Forms that are often firewalled by a CAPTCHA can also deny service for users when executing multiple read and write functions from the database. -## Business Impact +**Business Impact** CAPTCHA misconfiguration can lead to reputational damage for the business due to a loss in confidence and trust by users. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the CAPTCHA being bruteforced: diff --git a/submissions/description/server_security_misconfiguration/captcha/implementation_vulnerability/template.md b/submissions/description/server_security_misconfiguration/captcha/implementation_vulnerability/template.md index 76c9d973..26c86c1b 100644 --- a/submissions/description/server_security_misconfiguration/captcha/implementation_vulnerability/template.md +++ b/submissions/description/server_security_misconfiguration/captcha/implementation_vulnerability/template.md @@ -1,21 +1,17 @@ -# CAPTCHA Implementation Vulnerability - -## Overview of the Vulnerability - A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. A CAPTCHA can be bypassed when the implementation or its workflow is misconfigured, or when software can be used to bypass the challenge. An attacker can leverage scripts and tools to bypass the CAPTCHA and make requests to critical functionality without a rate limit. Forms that are often firewalled by a CAPTCHA can also deny service for users when executing multiple read and write functions from the database. -## Business Impact +**Business Impact** CAPTCHA misconfiguration can lead to reputational damage for the business due to a loss in confidence and trust by users. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the CAPTCHA being bypassed: diff --git a/submissions/description/server_security_misconfiguration/captcha/missing/template.md b/submissions/description/server_security_misconfiguration/captcha/missing/template.md index f9ced0ff..97555ee8 100644 --- a/submissions/description/server_security_misconfiguration/captcha/missing/template.md +++ b/submissions/description/server_security_misconfiguration/captcha/missing/template.md @@ -1,21 +1,17 @@ -# CAPTCHA is Missing - -## Overview of the Vulnerability - A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. A CAPTCHA can be bypassed when the implementation or its workflow is misconfigured, or when software can be used to bypass the challenge. Due to the absence of a CAPTCHA, an attacker can leverage scripts and tools to make requests to critical functionality without a rate limit. Forms that are often firewalled by a CAPTCHA can also deny service for users when executing multiple read and write functions from the database. -## Business Impact +**Business Impact** A missing CAPTCHA can lead to reputational damage for the business due to a loss in confidence and trust by users. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Observe that CAPTCHA is missing for the following critical functionality: {{value}} -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the missing CAPTCHA: diff --git a/submissions/description/server_security_misconfiguration/captcha/template.md b/submissions/description/server_security_misconfiguration/captcha/template.md index dd825889..efec5df2 100644 --- a/submissions/description/server_security_misconfiguration/captcha/template.md +++ b/submissions/description/server_security_misconfiguration/captcha/template.md @@ -1,21 +1,17 @@ -# CAPTCHA Misconfiguration - -## Overview of the Vulnerability - A Computer Automated Public Turing Test test to tell Computers and Humans Apart (CAPTCHA) allows applications to tell whether a user is a human or a robot. A CAPTCHA can be bypassed when the implementation or its workflow is misconfigured, or when software can be used to bypass the challenge. An attacker can bypass the CAPTCHA form and spam the website with queries for registration, login, as well as spam support teams with faulty requests. -## Business Impact +**Business Impact** CAPTCHA misconfiguration can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business through the extra workloads placed on internal teams to deal with spam from an attacker. -## Steps to Reproduce +**Steps to Reproduce** 1. Navigate to the following endpoint with CAPTCHA: {{value}} 1. Use {{software}} to bypass CAPTCHA -## Proof of Concept (PoC) +**Proof of Concept (PoC)** The screenshot(s) below demonstrates the CAPTCHA bypass: diff --git a/submissions/description/server_security_misconfiguration/clickjacking/form_input/template.md b/submissions/description/server_security_misconfiguration/clickjacking/form_input/template.md index 83b955dd..bf849e91 100644 --- a/submissions/description/server_security_misconfiguration/clickjacking/form_input/template.md +++ b/submissions/description/server_security_misconfiguration/clickjacking/form_input/template.md @@ -1,21 +1,17 @@ -# Clickjacking on Form Input - -## Overview of the Vulnerability - Clickjacking is a method of tricking a user into clicking on a link that performs an action, which is disguised as a legitimate link to something else. Usually, this is carried out by embedding a link into a transparent `