Any ideas for new vulnerabilities to add to the workshop?

[teodoran]

Currently, the workshop covers 5 common security vulnerabilities:

1. Sensitive data exposure
2. Broken access control
3. Cross site scripting (XSS)
4. SQL injection
5. Insecure deserialization

Ideally, this should be expanded to cover more vulnerabilities, and/or show other exploits of the most common vulnerabilities. One option is to try to cover more of the vulnerabilities in OWASP top 10, but interesting twists on the vulnerabilities already covered, or vulnerabilities outside the top 10 is also interesting.

Does anyone have any ideas to new sections that could be added? How should the vulnerability be structured as a "Fault", "Fix" and "Flag"?

[teodoran]

One option is to do something inspired by Log4Shell, maybe mixing in some dependency confusion and a homograph attack? This would then be related to Vulnerable and Outdated Components in the OWASP top 10.

[teodoran]

Server-Side Request Forgery is another vulnerability that could work well with the format of the workshop.

[teodoran]

CRLF Injection and HTTP Response Splitting is another candidate for a good workshop vulnerability.

One could perhaps create an endpoint where a header is filled with values from the user, and then inject some script to the user that way. In addition it should be possible to use Unicode code point "folding" to circumvent basic protection, as the basis for a challenge.

[teodor-elstad]

Untrusted Search Path could be interesting to explore, and was the cause of this recent .NET vulnerability. An option for exploring this, could be to introduce such a vulnerability in the server configuration loading.