try hack me
  • what is this repo?
  • Pre Security
    • Introduction to Cyber Security
    • Linux Fundamentals
  • pre security Tools
    • gobuster
    • ping (ICMP)
    • nslookup
    • basic Linux commands
    • basic Linux operators
    • some Linux web command
    • processes
    • cron tabs (schedule)
    • Important Directories
    • basic CMD command
    • ssh
    • ftp
    • simple digital forensics commands
  • Complete Begginer
    • CVE tracking websites
    • traceroute
    • whois
    • dig
    • nmap
    • smb
    • Telnet
      • tcpdump listener & reverse shell
    • ftp
    • hydra
    • NFS
    • smtp
    • mysql
    • 🅱️Burp Suite
      • Proxy
      • target
      • intruder
      • simple XSS attack
    • OWASP top 10 : 2021
      • 1. Broken Access Control
      • 2. Cryptographic Failures
      • 3. Injection
      • 4. Insecure Design
      • 5. Security Misconfiguration
      • 6. Vulnerable and Outdated Components
      • 7. Identification and Authentication Failures
      • 8. Software and Data Integrity Failures
        • Software Integrity Failures
        • Data Integrity Failures
      • 9. Security Logging and Monitoring Failures
      • 10. Server-Side Request Forgery (SSRF)
    • file type recognition
      • How to change magic numbers
    • upload vulnerability exploiting
    • about hash
    • john the ripper
      • /etc/shadow
      • Single Crack Mode
      • Custom Rules
      • rar and zip
      • SSH Key Passwords
      • GPG/PGP
    • Encryption
      • SSH authentication
      • SSH configuration (sort of)
      • GnuPG (very basic)
    • metasploit
      • mian components
      • Scanner
      • The Metasploit Database
      • Vulnerability Scanning
      • exploiting
      • Msfvenom
      • Meterpreter>
        • Commands
        • Post-Exploitation
    • Shell
      • netcat
      • socat
      • common shell payloads
      • Next steps
    • privilege esclation
      • Exploiting Writeable /etc/passwd
      • Vi, sudo -l, GTFOBin
      • Cron tab exploitation
      • Exploiting PATH Variable
      • some checklists
      • windows
        • miscellaneous
      • Examples
        • mysql running as root
        • Weak File Permissions
        • Sudo
        • Cron Jobs
        • SUID / SGID Executables
        • Passwords & Keys
        • NFS
        • Kernel Exploits
    • file transfer between two machines
  • SQL injection
  • Google Dorking
  • Web hacking intro
    • Walking an application
    • Content Discovery(ffuf, dirb, gobuster)
    • Subdomain Enumeration
    • Authentication bypass
    • IDOR
    • File Inclusion
Powered by GitBook
On this page
  • Insecure Design
  • Insecure Password Resets
  1. Complete Begginer
  2. OWASP top 10 : 2021

4. Insecure Design

Previous3. InjectionNext5. Security Misconfiguration

Last updated 7 months ago

Insecure Design

Insecure design refers to vulnerabilities which are inherent to the application's architecture. They are not vulnerabilities regarding bad implementations or configurations, but the idea behind the whole application (or a part of it) is flawed from the start. Most of the time, these vulnerabilities occur when an improper threat modelling is made during the planning phases of the application and propagate all the way up to your final app. Some other times, insecure design vulnerabilities may also be introduced by developers while adding some "shortcuts" around the code to make their testing easier. A developer could, for example, disable the OTP validation in the development phases to quickly test the rest of the app without manually inputting a code at each login but forget to re-enable it when sending the application to production.

Insecure Password Resets

A good example of such vulnerabilities occurred on Instagram a while ago. Instagram allowed users to reset their forgotten passwords by sending them a 6-digit code to their mobile number via SMS for validation. If an attacker wanted to access a victim's account, he could try to brute-force the 6-digit code. As expected, this was not directly possible as Instagram had rate-limiting implemented so that after 250 attempts, the user would be blocked from trying further.

However, it was found that the rate-limiting only applied to code attempts made from the same IP. If an attacker had several different IP addresses from where to send requests, he could now try 250 codes per IP. For a 6-digit code, you have a million possible codes, so an attacker would need 1000000/250 = 4000 IPs to cover all possible codes. This may sound like an insane amount of IPs to have, but cloud services make it easy to get them at a relatively small cost, making this attack feasible.

Notice how the vulnerability is related to the idea that no user would be capable of using thousands of IP addresses to make concurrent requests to try and brute-force a numeric code. The problem is in the design rather than the implementation of the application in itself.

Since insecure design vulnerabilities are introduced at such an early stage in the development process, resolving them often requires rebuilding the vulnerable part of the application from the ground up and is usually harder to do than any other simple code-related vulnerability. The best approach to avoid such vulnerabilities is to perform threat modelling at the early stages of the development lifecycle.