Practical Test - FC - Ver1


GMI German-Malaysian Institute

DIPLOMA PROGRAMME

PRACTICAL TEST
Academic Period: July 2023

Code:     NTC 1062
Course:   Network Vulnerability Assessment
Title:    TOP 10 OWASP
Examiner: Ms. Noormelah Shamsul Anuar
Name (Individual/group): Muhammad Hasif Firdaus bin Mohd Halimi;
                         Muhammad Faizun Nazim bin Md Fauzan
Program/Group: NWS2

No | Assessment Criteria     | CLO | PO | Level of diff | Full Marks | Score | Comment
1. | Content of report       | 2   | 4  |               | 3          |       |
2. | Demonstration           | 2   | 4  |               | 3          |       |
3. | Knowledge of the Topic  | 2   | 4  |               | 3          |       |
4. | Fluency & Clarity       | 3   | 4  |               | 3          |       |
5. | Defence ability (Q&A)   | 3   | 4  |               | 3          |       |
   | Total                   |     |    |               | 15         |       |

Total Marks /20
Total PO 4 /10

Signature
NTC1062 NETWORK VULNERABILITY ASSESSMENT

Instruction:

Pick one topic of Top 10 OWASP as below. Prepare a report, slide, and demonstration.

OWASP Top 10: 2021

A01: 2021 – Broken Access Control


A02: 2021 – Cryptographic Failures
A03: 2021 – Injection
A04: 2021 – Insecure Design
A05: 2021 – Security Misconfiguration
A06: 2021 – Vulnerable and Outdated Components
A07: 2021 – Identification and Authentication Failures
A08: 2021 – Software and Data Integrity Failures
A09: 2021 – Security Logging and Monitoring Failures
A10: 2021 – Server-Side Request Forgery

Contents of slide:

1) Introduction of the web application vulnerability and topic that you choose.
2) How is it occurring 🡪 any diagram/architecture showing examples of attack
3) Countermeasures/recommendations that can be taken into consideration.
4) Extra information on the topics
5) References
6) Any relevant diagrams/ figures

Submission:
1) Slide (in pdf format) – Max 10 pages
2) Report (in pdf format)

Grading:
1) Report
2) Demonstration & Presentation

Project Presentations:
Each team has a 10-minute presentation & demo + 5 minutes Q&A (total 15 minutes per team).

Group:
2 students per group

Main Reference
https://owasp.org/Top10/

Page 2 of 15
Copyright of German-Malaysian Institute. All rights reserved.
Rubric for Practical Test

PRACTICAL TEST (20%)

NO. | CRITERIA | APPROACHES EXPECTATIONS [1] | MEETS EXPECTATIONS [2] | EXCELLENT [3] | WEIGHT MARKS

1 | Content of report | The content was minimally relevant to the given task | The content was generally relevant to the given task | The content was very relevant to the given task | M/3*20

2 | Demonstration of tools | Able to slightly demo the demonstration's details | Able to demo most of the demonstration's details | Able to demo all the demonstration's details | M/3*30

3 | Knowledge on the topic | Students demonstrate some knowledge of the topic | Student demonstrates a sufficient level of knowledge of the topic | Student demonstrates being well versed in the topic | M/3*30

4 | Fluency and Clarity | None of the group members are fluent and the voice is not clear | Most of the group members are fluent and voices are slightly easy to hear clearly | All group members are very fluent, and voices are easy to hear clearly | M/3*10

5 | Defence ability/presentation | Not able to answer questions, not prepared and no confidence at all | Able to answer questions but with little preparation and confidence | Able to answer all questions very well and confidently. Very well prepared | M/3*10

TOTAL | 100

TABLE OF CONTENTS

GMI German-Malaysian Institute 1


1) Introduction of the web application vulnerability and topic that you choose. 5
2) How is it occurring 🡪 any diagram/architecture showing examples of attack 8
3) Example of attacks 8
4) Countermeasures/recommendations that can be taken into consideration. 10
5) Extra information on the topics 12
6) Conclusion 13
7) References 14


1) Introduction of the web application vulnerability and topic that you choose.

a. Web Application Vulnerability


Web application vulnerabilities pertain to weaknesses or flaws within
web-based applications. These vulnerabilities have existed for a considerable period
and are primarily the result of inadequate validation or sanitization of form inputs,
misconfigurations in web servers, and design flaws within the application itself. They
can be exploited by malicious actors to compromise the security of the web
application.

It's worth noting that web application vulnerabilities differ from other
common vulnerability types, such as those related to networks or assets. These
vulnerabilities emerge because web applications must interact with numerous users
across various networks, providing ample opportunities for exploitation by hackers.

To address these issues, there exist specialized web application security solutions.
Therefore, it's essential to go beyond traditional vulnerability scanners when assessing
an organization's application security and identifying potential gaps.

In this document, we will discuss and explore the chosen topic, A02: 2021 –
Cryptographic Failures, with the aim of enhancing the security of web applications.


b. A02: 2021 – Cryptographic Failures

Moving up to the second position in the OWASP list, we encounter what was
previously known as Sensitive Data Exposure. This issue is more of a general symptom
rather than a root cause, with the primary focus on failures related to cryptography or the
lack of it. These failures frequently result in the exposure of sensitive data, and some
notable Common Weakness Enumerations (CWEs) associated with this include CWE-259
(Use of Hard-coded Password), CWE-327 (Broken or Risky Crypto Algorithm), and CWE-331
(Insufficient Entropy).

According to the 2021 OWASP definition, a cryptographic failure is a symptom rather than a
root cause in itself. The failure is what allows critical and sensitive data to be exposed or
leaked to malicious individuals or systems. Failing to adequately protect such data can lead
to theft, public disclosure, breaches, and other security issues. In the 2017 list this
category was called Sensitive Data Exposure; it was renamed Cryptographic Failures in the
2021 OWASP list, when its scope was narrowed to cryptography protecting business-critical
data.

The most common CWEs encompassed by this issue are:

- CWE-259, Use of Hard-coded Password: credentials embedded directly in the application.
- CWE-331, Insufficient Entropy: the random number source does not provide enough
unpredictability, so the keys or tokens derived from it can be guessed.
- CWE-327, Use of a Broken or Risky Cryptographic Algorithm.

It is crucial to understand that when managing sensitive data, both data at rest and
data in transit need to be considered.


Data at rest refers to data that is not actively used by any application but remains
important. Examples of such data include:
- Stored passwords
- User information for accessing applications
- Unpublished offline data
- Old archives of an organization.

To mitigate the risk of cryptographic failures, it is advisable for businesses to use
well-encrypted or hashed storage solutions.

Data in transit, on the other hand, is data that is actively moving between a client and
an application. For instance, banking details sent over a poorly protected channel during a
payment process can be intercepted by a man-in-the-middle attack.


2) How is it occurring 🡪 any diagram/architecture showing examples of attack

- The intruder breaches an organization's network.

- By exploiting a flaw in an application, the intruder obtains a password database.
Within this network, the attacker discovers a weakness or flaw in an application.
This flaw allows them to access a database that stores passwords.

- Because the database stores passwords as unsalted hashes, the intruder can use a
rainbow table to reveal the passwords.
The passwords in this database are stored as unsalted hashes. "Unsalted" means that no
additional random data, known as a "salt," was mixed into the password before it was
hashed. Without a salt, the same password always produces the same hash, so the stored
hashes can be matched against precomputed tables called rainbow tables.

The attacker uses a rainbow table (a large precomputed list of hashes of candidate
passwords) to quickly match the stored hashes and reveal the original passwords.


- Using credential stuffing tools, the intruder attempts the recovered credential
combinations on various other websites.
With these passwords in hand, the attacker tries the same username and password
combinations on other websites or systems. This is done with automated tools designed to
rapidly test username and password pairs across many platforms. If users have reused the
same credentials across multiple sites, the attacker gains access to those accounts as well.


3) Example of attacks

Scenario#1:
Imagine an application that uses automatic database encryption to protect credit card
numbers. Because the database decrypts the data automatically when it is retrieved, a SQL
injection flaw in the application returns the card numbers in clear text. In the event of a
successful SQL injection attack, a malicious actor obtains the stored credit card details
and can exploit them at their discretion.

Scenario#2:
When it comes to websites, a significant security risk arises from inadequate encryption and
the absence of TLS encryption across all web pages. Such websites become highly attractive
targets for attackers, as they can effortlessly eavesdrop on traffic, intercept all requests,
steal cookies, and downgrade the connection from HTTPS to unencrypted HTTP.

However, the problems don't stop there. Threat actors can exploit these stolen cookies to
gain unauthorized access to a user's sensitive data. Additionally, websites with subpar
encryption provide attackers with opportunities to tamper with transmitted data.

Scenario#3:
Password databases commonly store passwords using basic, unsalted hashes. A file upload
flaw in such a system gives an attacker an opening to retrieve the password database. In
that case, passwords stored as unsalted hashes fall to precomputed hash attacks, and even
salted passwords stored with a simple, fast hash can be cracked using the computational
power of GPUs.


4) Countermeasures/recommendations that can be taken into consideration.

To mitigate the risk of cryptographic failures and the exposure of sensitive data in web
applications, consider implementing the following countermeasures:

1. Use Strong Cryptographic Algorithms:

● Utilize well-established, strong cryptographic algorithms and protocols for data
protection, including AES for encryption and SHA-256 for integrity hashing (passwords
need a dedicated password hash; see item 4).
● Stay updated on the latest cryptographic standards and best practices to
ensure the use of secure algorithms.

2. Secure Key Management:

● Implement a robust key management system to safeguard encryption keys and ensure
their secure storage and rotation.
● Use hardware security modules (HSMs) for protecting encryption keys.

3. Data in Transit Encryption:

● Encrypt data in transit using protocols like TLS/SSL. Ensure that all sensitive
communication between the client and the server is encrypted.
● Employ perfect forward secrecy (PFS) to protect data even if long-term keys
are compromised.
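The transport-side countermeasures above (TLS with certificate verification and a forward-secret key exchange) can be checked in code. The following example is added here and is not part of the report: it uses Python's standard ssl module to build one deliberately weak client context beside a hardened one and audits both. The cipher string and the OpenSSL key-exchange names it checks ("kx-ecdhe", "kx-any") are assumptions about OpenSSL's naming.

```python
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    """Constructed misconfiguration: certificate and hostname checks switched off,
    so any man-in-the-middle can present its own certificate unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2+, certificate verification on, and only forward-secret cipher suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # ECDHE key exchange gives perfect forward secrecy; static RSA key exchange does not.
    # (cipher string assumed for this example; TLS 1.3 suites are always forward secret)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


# OpenSSL key-exchange labels reported by SSLContext.get_ciphers(); "kx-any" is TLS 1.3.
FORWARD_SECRET_KEX = {"kx-ecdhe", "kx-dhe", "kx-any"}


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would flag; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"legacy protocol allowed (minimum_version={ctx.minimum_version.name})")
    non_pfs = [c["name"] for c in ctx.get_ciphers() if c["kea"] not in FORWARD_SECRET_KEX]
    if non_pfs:
        findings.append("cipher suites without forward secrecy: " + ", ".join(non_pfs[:3]))
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
```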

4. Secure Password Storage:

● Never store passwords in plaintext. Use strong, salted hashing algorithms, such as
bcrypt or Argon2, to store user passwords securely.
● Implement a strict policy for password complexity and expiration.
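The attack chain in section 2 (unsalted hashes matched against a precomputed table) and the storage advice in item 4 fit in one worked example. The code below is added here and is not from the report or from OWASP: it precomputes a tiny constructed table of SHA-256 hashes of common passwords to show why an unsalted hash is recovered by a single lookup, then stores the same password with a per-user random salt and scrypt (used as a standard-library stand-in for bcrypt/Argon2; the scrypt parameters are assumed for this example) so that neither the table nor a second user's hash helps.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample: a tiny stand-in for a rainbow table, precomputed once from a list
# of common passwords (a real table holds millions of entries; the idea is the same).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "P@ssw0rd"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# scrypt parameters assumed for this example (memory-hard: 128 * r * n = 16 MiB per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def unsalted_sha256(password: str) -> str:
    """How the vulnerable database in section 2 stores passwords: plain SHA-256, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Unsalted hash: one table lookup recovers the password with no cracking effort."""
    return PRECOMPUTED.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard storage with scrypt from the standard library.

    Stored form: "scrypt$<salt hex>$<hash hex>", so the salt travels with the hash.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)  # fresh CSPRNG salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    leaked = unsalted_sha256("letmein")                           # constructed "leaked" entry
    print("unsalted lookup:", lookup_unsalted(leaked))            # letmein, instantly
    first, second = hash_password("letmein"), hash_password("letmein")
    print("same password, different stored values:", first != second)              # True
    print("table lookup against salted hash:", lookup_unsalted(first.split("$")[2]))  # None
    print("verify:", verify_password("letmein", first), verify_password("wrong", first))
```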


5. Secure Random Number Generation:

● Use cryptographically secure random number generators for generating cryptographic
keys and nonces.
● Avoid relying on insecure random number sources.

6. Security Testing:

● Regularly conduct security assessments, including penetration testing and code
reviews, to identify and address vulnerabilities related to cryptographic
implementations.
● Perform regular vulnerability scanning and security audits.

7. Access Controls:

● Implement role-based access controls to ensure that only authorized individuals can
access sensitive data and cryptographic operations.
● Enforce the principle of least privilege to restrict access to necessary
personnel.

8. Training and Awareness:

● Educate developers, administrators, and users about secure coding practices,
cryptographic best practices, and the importance of data protection.
● Promote awareness of phishing and social engineering tactics that can lead
to cryptographic failures.

9. Incident Response Plan:

● Develop and maintain a well-defined incident response plan specifically addressing
cryptographic failures and data breaches.
● Be prepared to respond quickly to security incidents and to notify relevant
parties.


5) Extra information on the topics

Cryptographic failures can be exploited by attackers to compromise the security of systems
and gain unauthorized access to sensitive information. Here are three ways in which
cryptographic failures can be exploited:

1. Storing or Transmitting Data in Clear Text (Most Common):

A vulnerability arises when sensitive data is persistently stored or transmitted without
encryption, akin to inscribing confidential information on an open postcard. This practice
exposes critical information to unauthorized access, analogous to displaying a password
publicly rather than employing secure storage protocols.

2. Protecting Data with Outdated or Weak Encryption:

An inherent flaw emerges when cryptographic mechanisms utilizing outdated or weakened
algorithms are employed for safeguarding digital assets. This situation is analogous to
relying on an antiquated and easily compromised lock to secure valuables, thereby
diminishing the effectiveness of data protection measures.

3. Improperly Filtering or Masking Data in Transit:

A susceptibility materializes when data in transit lacks proper concealment, reminiscent of
sending correspondence without securely sealing the envelope. Inadequate measures during
data transfer compromise confidentiality, analogous to sharing sensitive information with
intermediaries along the communication route.


6) Conclusion

In conclusion, cryptographic failures pose a significant risk to the security and integrity
of digital systems. The vulnerabilities associated with storing or transmitting data in clear
text, using outdated or weak encryption, and improperly filtering or masking data during
transit can lead to severe consequences, including unauthorized access, data tampering, and
compromised confidentiality.

Addressing cryptographic failures requires a comprehensive and proactive approach. By
implementing strong cryptographic algorithms, ensuring robust key management practices, and
securing communication protocols, organizations can mitigate the risk of exploitation.
Regular security audits, adherence to best practices, and ongoing education on secure
cryptographic implementations are essential components of a resilient defense against
cryptographic vulnerabilities.

As technology evolves, it is imperative for organizations to stay informed about emerging
cryptographic threats and promptly adopt secure practices. Cryptographic failures not only
jeopardize sensitive data but also erode trust in digital systems. A commitment to robust
cryptographic practices is fundamental to maintaining the confidentiality, integrity, and
authenticity of information in the digital age. Through continuous vigilance, education, and
strategic implementation of security measures, organizations can fortify their defenses
against the ever-evolving landscape of cryptographic threats.


7) References

[1] “Common Web Application Vulnerabilities Explained | Rapid7,” Rapid7, 2022.
https://www.rapid7.com/fundamentals/web-application-vulnerabilities/#:~:text=Web%20application%20vulnerabilities%20involve%20a,to%20compromise%20the%20application's%20security. (accessed Oct. 26, 2023).

[2] “Cryptographic Failures - A02 OWASP Top 10 in 2021,” Wallarm.com, Mar. 29, 2022.
https://www.wallarm.com/what/a02-2021-cryptographic-failures#:~:text=What%20is%20A02%3A2021%20%E2%80%93%20Cryptographic,and%20poor%20key%20management%20practices. (accessed Oct. 26, 2023).

[3] “A02 Cryptographic Failures - OWASP Top 10:2021,” Owasp.org, 2021.
https://owasp.org/Top10/A02_2021-Cryptographic_Failures/ (accessed Oct. 26, 2023).
