As most of you know, my previous role was around hacker education with HackerOne, and just recently I have moved to working as VP of Research and Community at Hadrian. I'm telling you all this because a big portion of my day-to-day job was to explain cyber security things, or hacking or bug bounty terms, to people with a non-technical background in sales, marketing or customer success. In doing that I've thought about the fact that there aren't a lot of resources that explain these things in a short format for other people to learn. So with that said, hi, I'm NahamSec, and today I want to talk about the OWASP Top 10 2021 and try and teach it to you in under 10 minutes.

Before we jump into the video I wanted to read a message from our sponsor, Detectify. With software evolving faster than ever, it's becoming increasingly difficult to keep track of what you're exposing online and where your organization's weaknesses are. Hackers have long been monitoring the web to find vulnerabilities in places where organizations aren't looking or don't even know exist; they have eyes on areas where companies don't, and that's where Detectify comes in. Powered by a community of leading ethical hackers, Detectify helps security defenders stay on top of web security and thrive in a digital landscape. It captures, scales and automates testing with the latest active attack vectors from hackers into your daily development processes. Detectify maps out your growing attack surface and conducts vulnerability tests to find exploitable anomalies across your surface. It goes beyond the OWASP Top 10 and looks for unknown assets like subdomains to prevent subdomain takeovers, alongside third-party software risks. With your attack surface under control you'll be able to make more informed security decisions and prioritize your scarce security resources. Hacking yourself is the best way to protect your attack surface, so go hack yourself.

If you're not familiar with OWASP, it's the Open Web Application Security Project. It's a non-profit and an online community that creates freely available articles, methodologies, documentation, tools and testing frameworks in the field of application security. Every few years OWASP releases a new Top 10 category list for web vulnerabilities. I think the last one was in 2017; this one is in 2021. I'm not really a big fan of it. It pretty much tells you what bugs are the most critical or more common vulnerabilities in today's applications. When I say I'm not a big fan of it, it doesn't mean that it's not good, but it means that, based on my background, I think they could have done a better job of categorizing these in comparison to the last years. But again, it's a great resource for you, especially if you're getting into web application hacking and pen testing. It's a great place to go and you will learn a ton.
All right, let's try and do this in 10 minutes. So the first one, A1, is Broken Access Control. Imagine you're part of your company's HR platform as an employee of the company. As someone who doesn't have HR access, you shouldn't be able to see personally identifiable information belonging to other users. That means you shouldn't be able to see other people's salaries, their social security number or any other information that's private to them. But what if you could? What if you found a vulnerability where you change a user ID in an API call, or in a page where it says 12345 as your user ID, and you change that to 123457 instead of your current 133456, and it actually spits out and shows you the information for another user? That could potentially be one of these things that screams broken access control. So think of this as being able to access data that doesn't belong to your user or your user group. It doesn't always have to be about data; it could also be functionality and things that don't really belong to you. These types of vulnerabilities usually happen either where you change the object ID, by fuzzing an API using brute-forcers like ffuf or wfuzz or anything else that you use, or going as far as tampering with your session ID or your session cookie headers. This type of attack usually happens in the form of an IDOR, for example when you can change the object ID, when you fuzz an API and find hidden endpoints, maybe you dig through JavaScript, or you go as far as tampering with your JSON Web Token and accessing things beyond your resources. If you're a bug bounty hunter this is a good vulnerability class to learn, as it's very common to find these types of vulnerabilities in today's web applications.

The second vulnerability class is Cryptographic Failures. I'm not really sure why this one was ranked as number two. Typically with this type of vulnerability you want to check and make sure that the server is doing everything in its power to protect the data you're sending between you and the web server and its load balancers. In other words, this could be things like having the proper HTTP headers, sending things in clear text, making sure that it's properly being encrypted using HTTPS in some cases, and that sort of stuff. As a bug bounty hunter I don't really think you're going to be able to find these kinds of vulnerabilities and get paid for them, as bug bounty is more focused on impact versus vulnerabilities that are actually best practices.
The third class, and this is probably one of my favorites, is A3, Injection. This one you may have heard of; some of these vulnerabilities are things like SQL injection, RCE or command or code injection or execution, XSS, anything where you can pretty much execute code on the server or the web browser. Okay, that was a lot for a vulnerability class. I'm not sure why OWASP put all of these in at once, but let's break it down. So I mentioned server or browser; let's talk about server first. A server-side vulnerability allows you to serve code, or a SQL query for example, on the host where the actual website is being served to you. So for example, if you find a SQL injection, it allows you to query data from the database and get information about the server itself, the MySQL server for example, or other users' data. So this is things that are hosted on the server and not actually the user who's looking at this web page. Which brings us to the next one, which is the web browser, where it allows you to execute some sort of JavaScript or HTML or malicious code on a user visiting a particular website, and you can control their behaviors while they're on that page. So for example, if I have a cross-site scripting in a website and I link you to go to that website, I could do things like change your password, make an order for you or anything on the browser, or target it to a specific user or users that visit that particular web page. As a bug bounty hunter I think this might be the best one out of them all to really focus on. You have cross-site scripting, you have SQL injection, you have XXE, you have all these server-side vulnerabilities that are very critical and they could pay you out a lot of money. Now I'm not saying that because the other vulnerabilities aren't as common, I'm just saying this is
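The HR-platform scenario from the Broken Access Control section, written out as an added Python example (not code from the talk or from any product mentioned): a vulnerable handler that trusts the user ID in the request sits next to a fixed handler that decides from the server-side session and an "hr" role. The employee records, the IDs and the role name are constructed for the example.

```python
# Added example: broken access control (IDOR) on an HR "get employee" endpoint,
# shown as a vulnerable handler and a fixed one over constructed sample data.
from dataclasses import dataclass

# Constructed sample data: employee id -> record; salary is the sensitive field.
EMPLOYEES = {
    12345: {"name": "Alice", "salary": 90000, "role": "engineer"},
    12346: {"name": "Bob", "salary": 85000, "role": "engineer"},
    12347: {"name": "Carol", "salary": 120000, "role": "hr"},
}


@dataclass(frozen=True)
class Session:
    user_id: int        # set by the server at login, never taken from the request
    roles: frozenset    # e.g. frozenset({"hr"}); empty for a regular employee


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def get_employee_vulnerable(session: Session, requested_id: int) -> dict:
    """IDOR: being logged in is the only check, so changing the id in the
    request returns any employee's record, including their salary."""
    return EMPLOYEES[requested_id]


def get_employee_fixed(session: Session, requested_id: int) -> dict:
    """Object-level authorization: a caller may read only their own record
    unless their session carries the 'hr' role. The authorization check runs
    before the existence check so a denied caller cannot enumerate valid ids."""
    if requested_id != session.user_id and "hr" not in session.roles:
        raise Forbidden(f"user {session.user_id} may not read {requested_id}")
    if requested_id not in EMPLOYEES:
        raise KeyError(requested_id)
    return EMPLOYEES[requested_id]


def can_read(session: Session, requested_id: int) -> bool:
    """True if the fixed handler would serve the record, False if it denies."""
    try:
        get_employee_fixed(session, requested_id)
        return True
    except Forbidden:
        return False
```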