Application Security Demo For Beginners.
If you attended the ‘Appsec Pitstop’ at Rootconf 2018 (on 10th and 11th of May), then what follows is something you are already familiar with.
Go ahead and set up your local vulnerable virtual box (make sure it is an isolated environment) for Mutillidae II and DVNA. Put your creative minds to work! Use the steps below as a reference and get started.
Pre-requisites
- Set up Mutillidae II on your local machine. Refer to https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project
- Set up ‘Damn Vulnerable NodeJS Application’ on your local machine. Refer to https://blog.appsecco.com/damn-vulnerable-nodejs-application-dvna-by-appsecco-7d782d36dc1e
- Create a user ‘rootconf’.
Assumptions
- 192.168.56.101 represents your local instance of the Mutillidae II application.
- 192.168.56.101:9090 represents your local instance of the Damn Vulnerable NodeJS Application.
A1:2017-INJECTION
Target Application: Mutillidae II
Target URL:
http://192.168.56.101/index.php?page=user-info.php
Issue Description: SQL Injection
Steps-to-reproduce:
1. Access the URL.
2. Enter a single quote. An exception occurs.
3. Enter two single quotes. An exception does NOT occur.
4. The SQL injection vulnerability is confirmed on the page.
5. Exploit the vulnerability. Enter the following malicious text in the target field(s):
' or '1'='1
Fix Recommendation:
- Use parameterized queries.
- Validate user input before processing. Use “whitelist” input validation.
- Contextually escape user data.
References:
- https://www.owasp.org/index.php/Top_10-2017_A1-Injection
- https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
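The following is an added example, not code from the original post, from Mutillidae (which is PHP) or from DVNA; it is written in Node.js to match the rest of this page. It shows why the one-quote/two-quote probe in steps 2 and 3 distinguishes a string-built query from a parameterized one, and puts the first two fix recommendations (parameterized query, whitelist validation) side by side with the vulnerable pattern. No database is needed: the builders return the SQL text and the bound parameters. The table and column names (`accounts`, `username`) and the login-name policy are assumptions.

```javascript
// Added example, not code from the original post, Mutillidae or DVNA. Table and
// column names (accounts, username) and the login-name policy are assumptions.

// Vulnerable pattern: user input is spliced into the SQL text, so quotes in the
// input change the statement's structure.
function buildVulnerableQuery(username) {
  return {
    sql: "SELECT * FROM accounts WHERE username='" + username + "'",
    params: [],
  };
}

// Safe pattern: the SQL text is constant and the value travels separately as a
// bound parameter; the driver never parses it as SQL.
function buildSafeQuery(username) {
  return {
    sql: "SELECT * FROM accounts WHERE username=?",
    params: [username],
  };
}

// Whitelist validation in front of the query. Assumed policy: 1-32 characters
// drawn from letters, digits, dot, underscore and hyphen.
const USERNAME_RE = /^[A-Za-z0-9._-]{1,32}$/;
function isValidUsername(username) {
  return typeof username === "string" && USERNAME_RE.test(username);
}

// Why the probe in steps 2 and 3 works: a string-built query with an odd number
// of single quotes is a syntax error (one quote); an even number parses (two
// quotes). The payload in step 5 also balances its quotes, so it parses and the
// injected OR condition becomes part of the WHERE clause.
function hasUnbalancedQuotes(sql) {
  const count = (sql.match(/'/g) || []).length;
  return count % 2 === 1;
}

// Run one input through both query builders and the whitelist.
function probe(input) {
  const vulnerable = buildVulnerableQuery(input);
  return {
    input,
    vulnerableSql: vulnerable.sql,
    vulnerableBreaks: hasUnbalancedQuotes(vulnerable.sql),
    safe: buildSafeQuery(input),
    passesWhitelist: isValidUsername(input),
  };
}

// The three inputs used in the steps above.
for (const input of ["'", "''", "' or '1'='1"]) {
  console.log(JSON.stringify(probe(input), null, 2));
}
```

With the safe builder the SQL text is identical for all three inputs and the payload is merely a string value that matches no username; the whitelist rejects all three before the query is ever built.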
A2:2017-BROKEN AUTHENTICATION
Target Application: Damn Vulnerable NodeJS Application
Target URL:
http://192.168.56.101:9090/forgotpw
Issue Description: Custom authentication and session management schemes could be flawed.
Steps-to-reproduce:
1. Access the URL.
2. Enter a valid login name, e.g., rootconf.
3. The following message appears: “Check email for reset link”.
4. Access the following reset link:
http://192.168.56.101:9090/resetpw?login=rootconf&token=a1186f097b4e50b49c7408a51a0d7eb0
The password of any other valid user (say, riddhi) could be changed using the above reset link. This is because the token value is derived from the username: the token is the MD5 hash of the username. Change the ‘login’ value to another valid user, and replace the ‘token’ value with the MD5 hash of that username.
The reset password page is presented, and the password of any (valid) user can be easily changed.
Fix Recommendation:
- Use a randomly generated string as the reset token.
- Every token should have an expiry date.
References:
- https://www.owasp.org/index.php/Broken_Authentication_and_Session_Management
- https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
- https://appsecco.com/books/dvna-developers-security-guide/solution/a2-broken-auth.html
A3:2017-SENSITIVE DATA EXPOSURE
Target Application: Mutillidae II
Target URL:
http://192.168.56.101/robots.txt
Issue Description: Passwords revealed via Hidden/Secret files
Steps-to-reproduce:
1. Access the URL to see a list of directories and files that search engines will not search when crawling the site. See the ‘passwords’ entry.
2. Navigate to /passwords/ to find the accounts.txt file. Open this file to find account information for all the users.
Fix Recommendation:
- Do not store sensitive information such as passwords in clear text. Hashes are preferred.
- Ensure that authorization checks are performed for sensitive and critical application files.
References:
- https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
- https://appsecco.com/books/dvna-developers-security-guide/solution/a6-sensitive-data-exposure.html
A5:2017-BROKEN ACCESS CONTROL
Target Application: Damn Vulnerable NodeJS Application
Target URL: http://192.168.56.101:9090/app/admin
Issue Description: Restricted functions are accessible by an unauthorized user.
Steps-to-reproduce:
1. Access the admin URL.
2. The user sees the message “You are not an Admin”.
3. Right click and select the ‘View Page Source’ option.
4. The following code can be located in the page source:
<a href='/app/admin/users'>List Users</a><br>
5. Access the following URL directly to get admin access:
http://192.168.56.101:9090/app/admin/users
Fix Recommendation:
- Ensure necessary function-level authorization checks are performed.
References:
- https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
- https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
- https://appsecco.com/books/dvna-developers-security-guide/solution/a7-missing-function-level-access-control.html
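The following is an added example and not DVNA's code. It shows the fix recommendation as server-side, function-level authorization on the `/app/admin/users` route, written as Express-style middleware but exercised with plain request/response objects so it runs without Express. The role names, the session shape and the row template are assumptions.

```javascript
// Added example, not DVNA's code. Role names and the session shape are assumptions.

// Middleware factory: let the request through only when the logged-in user
// holds `role`. Omitting the link from the HTML (step 4 above) is not a control;
// this check runs on every request to the route, however it was reached.
function requireRole(role) {
  return function (req, res, next) {
    const user = req.session && req.session.user;
    if (!user) {
      res.status(401).send("Login required");
      return;
    }
    if (user.role !== role) {
      res.status(403).send("You are not an Admin");
      return;
    }
    next();
  };
}

// The protected handler, reachable only after requireRole passes.
function listUsersHandler(req, res) {
  res.status(200).send(["rootconf", "riddhi"]);
}

// Route definition, in the same shape Express uses:
//   app.get("/app/admin/users", requireRole("admin"), listUsersHandler)
const adminUsersRoute = [requireRole("admin"), listUsersHandler];

// Tiny stand-in for the framework's dispatcher: runs handlers in order and
// stops as soon as one of them responds instead of calling next().
function dispatch(handlers, req) {
  const res = {
    statusCode: null,
    body: null,
    status(code) { this.statusCode = code; return this; },
    send(body) { this.body = body; return this; },
  };
  let i = 0;
  function next() {
    const handler = handlers[i++];
    if (handler) handler(req, res, next);
  }
  next();
  return res;
}

// Issue a request to /app/admin/users as the given session user (null = anonymous).
function requestAdminUsersAs(sessionUser) {
  return dispatch(adminUsersRoute, {
    path: "/app/admin/users",
    session: { user: sessionUser },
  });
}

console.log(requestAdminUsersAs(null));
console.log(requestAdminUsersAs({ name: "rootconf", role: "user" }));
console.log(requestAdminUsersAs({ name: "admin", role: "admin" }));
```

In a real application the same guard is best mounted once for the whole admin prefix (Express's `app.use("/app/admin", requireRole("admin"))`) so that a new admin route cannot be added without it.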
A7:2017-CROSS-SITE SCRIPTING (XSS)
Target Application: Damn Vulnerable NodeJS Application
Target URL: http://192.168.56.101:9090/app/products
Issue Description: Reflected XSS
Steps-to-reproduce:
1. Access the URL.
2. Click on ‘Add Product’.
3. Enter product details.
4. Enter the following in ‘Product Description’:
<script>alert(document.location)</script>
5. Click on the “Submit” button.
6. Log out and log in as a different user.
7. The new user navigates to the following page:
http://192.168.56.101:9090/app/products
8. Stored XSS is capable of affecting (or infecting) all users who visit the infected page.
Fix Recommendation:
- Contextually output-encode any user-supplied data before it is included in HTML or any other response type generated by the application.
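The following is an added example and not DVNA's code. It shows the fix recommendation as HTML output encoding applied to the product fields before they are placed in the products page, beside the unencoded rendering that lets the stored payload execute. The row template is an assumption, not DVNA's actual view, and the product record is constructed for the example.

```javascript
// Added example, not DVNA's code. The row template is an assumption and the
// product record is constructed.

// Encode for the HTML body and for double-quoted attribute values. These six
// characters are the ones that can change HTML structure.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: fields interpolated as-is, so a stored <script> is emitted as
// markup and runs for every user who loads the page.
function renderProductRowVulnerable(product) {
  return `<tr><td>${product.name}</td><td>${product.description}</td></tr>`;
}

// Fixed: every untrusted value is encoded for the HTML context it lands in.
function renderProductRowSafe(product) {
  return `<tr><td>${encodeForHtml(product.name)}</td>` +
         `<td>${encodeForHtml(product.description)}</td></tr>`;
}

// Review/test aid: does the rendered output contain an executable script element?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed product record carrying the payload from step 4.
const PRODUCT = {
  name: "Widget",
  description: "<script>alert(document.location)</script>",
};

console.log(renderProductRowVulnerable(PRODUCT));
console.log(renderProductRowSafe(PRODUCT));
```

This encoder covers the HTML body and quoted attributes only; a value placed inside a JavaScript string, a URL, or a CSS value needs the encoder for that context, which is what "contextually" in the recommendation means.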
References: