Skip to main content

From Low to p0wn (Part 2 of 3)

February 27, 2017

Remember to Remediate Those Low Severity Findings

This series explores the potential risk of de-prioritizing and ignoring low severity application vulnerabilities. In the first installment of this series, we discussed information disclosure due to security misconfiguration. In this installment we look at an example of vulnerability stacking. If an application is vulnerable to the right combination of low severity vulnerabilities, the result can be a situation where the risk of a successful attack is significantly increased.

In the scenario, we focus on session management. The most common session management mechanism is a session cookie. We commonly see session cookies without the secure flag. Issues like weak SSL encryption ciphers, the presence of an invalid SSL certificate or missing the HTTP Strict Transport Security (HSTS) header weaken the security posture of the application and increase the likelihood of an attacker being able to intercept and view the application communications.  

On a shared Wi-Fi network, like in a coffee shop, all an attacker needs to do is convince the victim to visit an application over an insecure HTTP connection. The application in question doesn’t host content over HTTP though, right? If the session cookies are not marked secure and the HSTS header is not set, an attacker can convince the user to access a specially crafted URL and the session cookies will be sent unencrypted.  As an example the URL would be http://www.example.com:443, the specially crafted URL connects to port 443 but does not utilize HTTPS. 

In another scenario, the victim is again on a shared network but the attacker this time is using a Wi-Fi Pineapple. In this scenario, the attacker is intercepting and controlling network traffic using Karma and SSLstrip, to remove any TLS protections from the victim’s request and thus observing their session cookies. Simply, the attacker is requesting the HTTPS page and sending them a HTTP version of the page. The user will most likely never notice that they are not seeing the HTTPS header on their browser.

p0wn 2.1

Versus:

p0wn 2.2

If the application hasn’t set the HSTS header in a previous session, the browser will proceed over the insecure connection, providing the attacker with the session information and all transmitted data.

Each of these vulnerabilities if taken individually pose little risk to the application or its users. Application vulnerability scanners commonly report all of these as a low severity. It is only with the addition of a trained penetration tester with the knowledge of how vulnerabilities are related that the true risk of combining these vulnerabilities can be assessed.

In our third and final installment of this series, we will investigate authentication issues including enumeration, password strength and missing account lockout mechanisms.


    Doug Rogahn

By: Doug Rogahn

Security Consultant

See More

Related Blogs

February 23, 2017

From Low to p0wn (Part 1 of 3)

There is a growing trend in the information security and risk management world of ignoring low severity findings from security testing. Perhaps it ste...

See Details

March 03, 2017

From Low to p0wn (Part 3 of 3)

In the final installment, we will again be looking at an instance of vulnerability stacking, this time, however, we’ll be focused on account managemen...

See Details

April 11, 2018

Quick Tips for Building an Effective AppSec Program – Part 1

An application security (AppSec) program can be defined as the set of risk mitigating controls and business functions that support the discovery, reme...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Related Insights

March 29, 2017

Attack and Penetration Services

Learn how our experts work to expose weakness to validate your security program.

See Details

July 21, 2015

Application Security Solutions

Learn how Optiv can help with web, email and application protection.

See Details

October 11, 2017

Managed Vulnerability Services

Optiv’s managed vulnerability services identify, prioritize and reduce network vulnerability exposure.

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.