12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

Get unlimited access to the best of Medium for less than $1/week. Become a member

Tryhackme | OWASP Top 10–2021 | IV—

Insecure Design
Sudarshan Patel · Follow
4 min read · Dec 29, 2023 Open in app

37
Search
Listen Share More

Greetings, everyone! We’re excited to have you back for the fourth day of our deep
dive into the OWASP Top 10 2021. Today, our attention will be devoted to a
comprehensive examination of insecure design vulnerabilities. Let’s explore the
intricacies together!

I nsecure Design

Insecure design refers to vulnerabilities which are inherent to the application’s

architecture. They are not vulnerabilities regarding bad implementations or
configurations, but the idea behind the whole application (or a part of it) is flawed
from the start. Most of the time, these vulnerabilities occur when an improper
threat modelling is made during the planning phases of the application and
propagate all the way up to your final app. Some other times, insecure design
vulnerabilities may also be introduced by developers while adding some “shortcuts”
around the code to make their testing easier. A developer could, for example,
[Link] 1/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

disable the OTP validation in the development phases to quickly test the rest of the
app without manually inputting a code at each login but forget to re-enable it when
sending the application to production.

Insecure Password Resets

A good example of such vulnerabilities occurred on Instagram a while ago.

Instagram allowed users to reset their forgotten passwords by sending them a 6-digit
code to their mobile number via SMS for validation. If an attacker wanted to access
a victim’s account, he could try to brute-force the 6-digit code. As expected, this was
not directly possible as Instagram had rate-limiting implemented so that after 250
attempts, the user would be blocked from trying further.

However, it was found that the rate-limiting only applied to code attempts made
from the same IP. If an attacker had several different IP addresses from where to
send requests, he could now try 250 codes per IP. For a 6-digit code, you have a
million possible codes, so an attacker would need 1000000/250 = 4000 IPs to cover all
possible codes. This may sound like an insane amount of IPs to have, but cloud
services make it easy to get them at a relatively small cost, making this attack
feasible.

[Link] 2/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

Notice how the vulnerability is related to the idea that no user would be capable of
using thousands of IP addresses to make concurrent requests to try and brute-force
a numeric code. The problem is in the design rather than the implementation of the
application in itself.

Since insecure design vulnerabilities are introduced at such an early stage in the
development process, resolving them often requires rebuilding the vulnerable part
of the application from the ground up and is usually harder to do than any other
simple code-related vulnerability. The best approach to avoid such vulnerabilities is
to perform threat modelling at the early stages of the development lifecycle.

Practical Example

Navigate to tryhackme machne-ip and get into joseph’s account. This application
also has a design flaw in its password reset mechanism. Can you figure out the
weakness in the proposed design and how to abuse it?

Try to reset joseph’s password. Keep in mind the method used by the site to validate
if you are indeed joseph.

Question:

What is the value of the flag in joseph’s account?

Answer: THM{Not_3ven_c4tz_c0uld_sav3_U!}
[Link] 3/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

Navigate to the “forgot password” page and enter the username “joseph” and
intercept the request and send to intruder. Select the “faviourite color” option. In
the payload enter the color names and start the intruder attack.

Looking at the length section, the green payload is of different length.

[Link] 4/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

We acquired the password for the user joseph. Please refer to the above screenshot.

After logging in with the obtained credentials, please go to the private section and
open the [Link] file.

Voila…..!!!!!!!

We got the flag.

Please refer to the below screenshot.

[Link] 5/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

Thank you for reading !

Happy Hacking !

Author: Sudarshan Patel

Tryhackme Tryhackme Walkthrough Tryhackme Writeup

Follow

Written by Sudarshan Patel

73 Followers · 139 Following

[Link] 6/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

Cyber Security Researcher && Bug Bounty Hunter

No responses yet

What are your thoughts?

Respond

More from Sudarshan Patel

[Link] 7/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

Sudarshan Patel

🔒🔑Tryhackme | JWT Security | Writeup📌🖥️

Learn about JWTs, where they are used, and how they need to be secured.

Oct 14 11

Sudarshan Patel

Tryhackme | Intro to Logs | walkthrough

Learn the fundamentals of logging, data sources, collection methods and principles to step
into the log analysis world.

[Link] 8/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

Mar 9 10

Sudarshan Patel

🖥️📊Tryhackme | Splunk: Exploring SPL | Walkthrough📈📌

Learn and explore the basics of the Search Processing Language.

May 17 4 1

Sudarshan Patel

Tryhackme | OWASP Top 10–2021 | X — Server-Side Request Forgery

(SSRF)
[Link] 9/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

Ladies and gentlemen, a warm welcome to Day 10 of our exploration through the OWASP Top
10 2021! Your esteemed presence adds brilliance to…

Jan 4 8 1

See all from Sudarshan Patel

Recommended from Medium

In T3CH by Axoloth

TryHackMe | Web Application Basics | WriteUp

Learn the basics of web applications: HTTP, URLs, request methods, response codes, and
headers

Oct 26 56

[Link] 10/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

Abhijeet Singh

Advent of Cyber 2024 [Day 3] Even if I wanted to go, their vulnerabilities

wouldn’t allow it.
So, Let’s Start with the Questions. I hope you already read the story and all the given
instructions —

Dec 4 2

Lists

Staff picks
789 stories · 1509 saves

Stories to Help You Level-Up at Work

19 stories · 893 saves

Self-Improvement 101
20 stories · 3144 saves

Productivity 101
20 stories · 2657 saves

[Link] 11/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

0xDK

Insecure Deserialisation | TryHackMe

overview:Insecure deserialization occurs when an application trusts serialized data without
proper validation. Serialization is the process…

Jul 5 5

Jawstar

Advent of Cyber 2024 {DAY - 9} Tryhackme Answers

Day 9: Nine o’clock, make GRC fun, tell no one.

[Link] 12/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

Dec 9 4 1

CyferNest Sec

JWT Security | TryHackMe Walkthrough

TASK 2: Token-Based Authentication

Nov 26

In InfoSec Write-ups by Nanda Siddhardha

TryHackme’s Advent of Cyber 2024 — Day 14 Writeup

Day 14: Even if we’re horribly mismanaged, there’ll be no sad faces on SOC-mas!
[Link] 13/14
12/18/24, 3:31 PM Tryhackme | OWASP Top 10–2021 | IV— Insecure Design | by Sudarshan Patel | Medium

3d ago

See more recommendations

[Link] 14/14