OWASP SKF labs - 50+ examples of vulnerabilities and guides on how to exploit them

Zerocopter’s CTO Riccardo ten Cate and his brother Glenn ten Cate have built, and donated to OWASP, an entire knowledge framework dedicated solely to helping developers make their code secure by design.

Riccardo specializes in application security and has extensive knowledge of securing applications written in multiple programming languages. He has many years of experience in training and guiding development teams to become more mature and to make their applications secure by design.

Glenn is a coder, hacker, speaker, trainer and security researcher employed at ING Belgium, with over 15 years of experience in the field of security. He is one of the founders of defensive development, def[dev]eu, a security training and conference series dedicated to helping you build and maintain secure software, and he also speaks at multiple other security conferences around the world. Glenn's goal is to create an open-source software development life cycle with the tools and knowledge gathered over the years.

Over the last couple of weeks they have seen a noticeable increase in downloads of the OWASP Security Knowledge Framework; it seems people are looking for new resources to educate themselves and their teams. In this blog Riccardo and Glenn will tell you more about the OWASP Security Knowledge Framework.

How to effectively exploit vulnerabilities

Good examples of how to effectively exploit vulnerabilities can be found everywhere on the internet. There are good resources out there that will teach you a great deal of what you want to learn. However, we also see that they are not always well documented.

Therefore, we want to present to you the OWASP SKF Labs!

In the OWASP SKF Labs repository you can find over 50 examples of vulnerabilities, with guides that show you step by step how to exploit them. Running the labs is really easy since all of them have been containerized: all you have to do is run the following commands and you are good to go!

Not a big Docker fan?

No problem, the alternative is to pull the SKF-labs repository from GitHub and run the labs as Flask applications directly on your host machine! You can find the repository here. Running the apps on your local machine after pulling the repository is no rocket science either: 95% of the demos consist of small, lightweight Python Flask applications that are as easy to run as this:

Let’s get started

Now that we have everything we need to get started, let's look in a bit more detail at the types of vulnerabilities covered by the SKF labs! Each lab is always described in two different phases.

1. Reconnaissance

2. Exploitation

3. Additional resources

The reconnaissance phase gives you pointers on what to look at when trying to find different types of vulnerabilities. It goes into more detail on where to look and how to fuzz for errors.

The exploitation phase is where we get into more detail of actually exploiting the vulnerability (what else was there to expect ^^)

The additional resources can be used to educate yourself and apply your new knowledge on a broader scope. Take, for example, this classic SQL injection lab taken from SKF. It shows you how to perform a SQL injection on a SQLite database. In the wild, of course, you will find different database systems with different syntax or nuances which you need to figure out in order to successfully leverage a SQL injection. To help you figure this out, the resources are included! Below you will find a lab from the SKF lab write-ups page as an example. The link to the full write-ups page will be provided at the end of this blog!

Reconnaissance

Step 1

The first step is to identify parameters which could potentially be used in an SQL query to communicate with the underlying database. In this example we find that the "/home" method grabs data by pageID and displays the content.

Step 2

Now let's see if we can create an error by injecting a single quote.

By doing so the SQL query syntax is now faulty. This is due to the fact that the user-supplied input is being directly concatenated into the SQL query.

Step 3

Now we can also use logical operators to determine whether we can actually manipulate the SQL statements. We start with a logical operator which is false (and 1=2). The expected behaviour for injecting a false logical operator would be an error.

After that we inject a logical operator which is true (and 1=1). This should result in the application running as intended, without errors.

Exploitation

Now that we know that the application is vulnerable to SQL injection, we are going to use this vulnerability to read sensitive information from the database. This process could be automated with tools such as sqlmap. However, for this example let's try to exploit the SQL injection manually.

Step 1

The UNION operator is used in SQL injections to join a purposely forged query to the original query. This allows us to obtain the values of columns of other tables. First we need to determine the number of columns used by the original query. We can do this by trial and error.

This query results in an error. This is due to the fact that the original query started with 3 columns, namely:

* pageId

* title

* content

Notice how "title" and "content" became placeholders for the data we want to retrieve from the database.

Step 2

Now that we have determined the number of columns, we need to take an educated guess at the table we want to steal sensitive information from. Again, if we try to query a non-existent table we get an error. For a correct table we see the application function as intended.
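The reconnaissance steps above rely on one root cause, named in the write-up: the pageID value is concatenated straight into the SQL string. The following is an added example (not code from the SKF labs or the write-up) that reproduces the lab's setup on an in-memory SQLite database with a constructed `pages` table of three columns (pageId, title, content), runs the three reconnaissance inputs from the write-up (a lone single quote, `and 1=2`, `and 1=1`) against a concatenating lookup and against a parameterized lookup, and records what each returns. The table contents, the function names and the helper `run_recon` are assumptions made for this example; the point it demonstrates is that the behavioural differences a tester looks for (syntax error, then true/false branching) exist only for the concatenated query, and disappear once the value is passed as a bound parameter.

```python
import sqlite3


def make_db():
    """Constructed sample database mirroring the lab: a pages table with
    the three columns (pageId, title, content) the original query selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (pageId INTEGER PRIMARY KEY, title TEXT, content TEXT)"
    )
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [
            (1, "Home", "Welcome to the demo site."),  # constructed row
            (2, "About", "This is a constructed example page."),  # constructed row
        ],
    )
    conn.commit()
    return conn


def vulnerable_page(conn, page_id):
    """The pattern the write-up describes: user input concatenated into SQL.
    A quote breaks the syntax; 'and 1=2' / 'and 1=1' change the WHERE clause."""
    query = "SELECT pageId, title, content FROM pages WHERE pageId = " + page_id
    return conn.execute(query).fetchone()


def safe_page(conn, page_id):
    """Hardened form: the value is bound as a parameter, so it is always
    treated as data and can never alter the statement's structure."""
    query = "SELECT pageId, title, content FROM pages WHERE pageId = ?"
    return conn.execute(query, (page_id,)).fetchone()


def probe(lookup, conn, page_id):
    """Run one input through a lookup and classify the observable outcome,
    which is what a tester (or a log reviewer) actually sees."""
    try:
        row = lookup(conn, page_id)
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__
    return "row" if row else "no row"


def run_recon(conn):
    """Apply the write-up's reconnaissance inputs plus a normal request to
    both lookups. Returns {name: (vulnerable outcome, safe outcome)}."""
    inputs = {
        "normal": "1",          # legitimate request for page 1
        "quote": "'",           # step 2: single quote to provoke a syntax error
        "false": "1 and 1=2",   # step 3: false logical operator
        "true": "1 and 1=1",    # step 3: true logical operator
    }
    return {
        name: (probe(vulnerable_page, conn, value), probe(safe_page, conn, value))
        for name, value in inputs.items()
    }


if __name__ == "__main__":
    for name, (vuln, safe) in run_recon(make_db()).items():
        print(f"{name:>6}: concatenated -> {vuln:<24} parameterized -> {safe}")
```

With the concatenated query the single quote produces an `OperationalError`, `1 and 1=2` returns no row and `1 and 1=1` returns page 1 again: exactly the error-then-false-then-true sequence the reconnaissance steps describe. With the parameterized query the same three inputs all return no row, because SQLite compares the whole string against the integer column, and only the normal request finds a page. From the defender's side, the fix is the one-line change from string concatenation to a bound parameter, and the same differential (errors on quotes, content changing with `1=1` versus `1=2`) is a useful signal to look for in application error logs.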

Additional sources

Please refer to the OWASP Testing Guide for a complete description of SQL injection, including all the edge cases on different platforms!

https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005)

Finally

And there you have it: a full write-up of how to do a basic SQL injection on a Python Flask application that uses a SQLite database. If this is too easy for you, take a look at the write-up pages to see what else there is for you to find. You can find labs ranging from a simple SQL injection to more sophisticated attacks such as insecure object deserialization.

The write-ups can be found here

Written by Zerocopter

April 3, 2020