Walkthrough: hackyourselffirst.troyhunt.com
Hack Yourself First is all about developers building up cyber-offense skills and proactively seeking out security vulnerabilities in their own websites before an attacker does.
This Vulnerability Assessment and Penetration Test (VAPT) was performed during my winter vacation. The detailed report and findings are described below.
The objective of this test was to identify security vulnerabilities in the web server configuration and in the website running on the server. The tests were carried out from the perspective of an attacker with malicious intent, while taking due care not to harm the web server.
The scope was to find OWASP Top 10 vulnerabilities on the website and, beyond those, any other potential vulnerabilities.
All information, techniques and tools described in this write-up are for educational purposes only. Use anything in this write-up at your own discretion, I cannot be held responsible for any damages caused to any systems or yourselves legally. Usage of all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. It is your responsibility to obey all applicable local, state and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using information herein.
OWASP Top 10 – 2017
A1 Injection
A2 Broken Authentication
A3 Sensitive Data exposure
A4 XML External Entities
A5 Broken Access control
A6 Security Misconfiguration
A7 Cross site Scripting
A8 Insecure Deserialization
A9 Using components with known vulnerabilities
A10 Insufficient logging and monitoring
Summary Scan Report of hackyourselffirst.troyhunt.com
A1. Injection
Injection flaws occur when untrusted input is sent to an interpreter (SQL, OS shell, LDAP and so on) as part of a command or query, so that attacker-controlled data ends up being executed as a command.
1) SQL Injection (Critical Severity)
SQL injection works by supplying input that the application concatenates into a SQL query, so the database executes attacker-controlled SQL and performs unintended actions. Depending on the privileges of the database account, a SQL injection can read, modify or destroy data.
I tried SQL injection in the search bar but did not get any results.
But when I tried SQL injection in the browser URL, I got a server error response which gave us version information.
Commands used:
' union select 1,version() #
/' union select 1,version() #
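To show what a payload like the one above does to a query that concatenates user input, here is an added Python example against an in-memory SQLite database. It is not the site's code: the table, sample rows and search functions are my own constructions, and the payload is adapted to SQLite (version() is MySQL syntax; SQLite's equivalent is sqlite_version()). The mismatched second payload shows why a verbose server error helps the attacker.

```python
import sqlite3

# Constructed sample catalogue standing in for the site's data (not its real schema).
SAMPLE_CARS = [(1, "Lamborghini"), (2, "McLaren"), (3, "Ferrari")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO cars VALUES (?, ?)", SAMPLE_CARS)
    return conn


def search_vulnerable(conn, q):
    # User input is spliced into the SQL text. A quote inside q closes the
    # string literal and everything after it is parsed as SQL.
    sql = f"SELECT id, name FROM cars WHERE name LIKE '%{q}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, q):
    # The SQL text is fixed; q is bound as a parameter, so it is only ever
    # compared against the name column, never parsed as SQL.
    return conn.execute(
        "SELECT id, name FROM cars WHERE name LIKE ?", (f"%{q}%",)
    ).fetchall()


# The write-up's payload, adapted to SQLite. The trailing "--" comments out
# the "%'" that the application appends, so the query stays syntactically valid:
#   SELECT id, name FROM cars WHERE name LIKE '%' UNION SELECT 1, sqlite_version() -- %'
UNION_PAYLOAD = "' UNION SELECT 1, sqlite_version() -- "

# Same idea with the wrong column count. The database rejects it, and if the
# application echoes the error (as the site did) the attacker learns the
# engine and how to adjust the payload.
MISMATCHED_PAYLOAD = "' UNION SELECT sqlite_version() -- "


def leaks_version(rows):
    # True if any returned row carries the database version string.
    return any(name == sqlite3.sqlite_version for _, name in rows)


def error_text(conn, q):
    # Returns the database error message the vulnerable search would raise
    # for q, or None if the query ran without error.
    try:
        search_vulnerable(conn, q)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def demo():
    conn = make_db()
    leaked = search_vulnerable(conn, UNION_PAYLOAD)  # includes (1, '<sqlite version>')
    safe = search_safe(conn, UNION_PAYLOAD)          # [] : payload is just a search term
    err = error_text(conn, MISMATCHED_PAYLOAD)       # column-count error message
    return leaked, safe, err


if __name__ == "__main__":
    leaked, safe, err = demo()
    print("vulnerable:", leaked)
    print("parameterised:", safe)
    print("verbose error:", err)
```

The parameterised version returns nothing for the payload because the whole string is matched against the name column as literal text; the application should also catch database exceptions and log them server-side rather than returning them to the client.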
A2. Broken Authentication
Broken authentication is an umbrella term for several vulnerabilities that attackers exploit to impersonate legitimate users online. Broadly, broken authentication refers to weaknesses in two areas: session management and credential management. Both are classified as broken authentication because attackers can use either avenue to masquerade as a user: hijacked session IDs or stolen login credentials.
A) User credentials are not protected
I tried the random password abc123 while registering a new account and got this sensitive information: this password is already taken by firstname.lastname@example.org. So I got both a username and a password; there was no need to create a new account.
B) Weak Passwords
When I tried a special character in the password field while creating a new account, I got this interface.
When I visited the page where all users' data is available, I saw that all users' passwords are weak.
C) Session IDs aren't changing or expiring
When I loaded the website, I got this session ID.
Session ID: diwmkx5jpcz1l00y3nol5wru
After a few hours I tried to log in with the help of the old session ID and was successfully logged in.
A3. Sensitive Data exposure
Many web applications do not properly protect sensitive data such as credit cards, tax IDs and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data is exposed because of flaws in the web application; for example, if weak hashing algorithms are used to store passwords, they can easily be cracked and the credentials exposed.
1) I saw that the autosave password and email option is enabled on the website.
2) Usernames and passwords are stored without any protection: no hashing or encryption is applied to stored credentials, so they are readable in plaintext.
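The credential findings under A2 (a registration form that reveals which account already uses a given password, and a form that rejects special characters) and the plaintext storage finding here have one common fix: store only a salted, slow hash of each password and never compare passwords across accounts. The following is an added Python example of that, not the site's code; the iteration count, length limits and the small common-password list are my own assumed values.

```python
import hashlib
import hmac
import os

# Assumed work factor. OWASP's Password Storage Cheat Sheet currently suggests
# 600,000 iterations for PBKDF2-HMAC-SHA256; tune it to your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed sample of a common-password deny list; a real one is far larger.
COMMON_PASSWORDS = {"password", "123456", "abc123", "qwerty", "letmein"}


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash record: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest does not leak where the first mismatching byte is.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def password_is_acceptable(password):
    """Length and deny-list check only. Special characters are allowed; the
    site's registration form rejected them, which only shrinks the keyspace."""
    if len(password) < 8 or len(password) > 128:
        return False
    return password.lower() not in COMMON_PASSWORDS


def register(users, email, password):
    """users: dict email -> stored hash record (constructed in-memory store)."""
    if not password_is_acceptable(password):
        return False
    # Nothing here compares the new password against other users' records:
    # with per-user salts the server cannot even tell that two users chose the
    # same password, so the "already taken by <email>" leak cannot happen.
    users[email] = hash_password(password)
    return True


def authenticate(users, email, password):
    stored = users.get(email)
    if stored is None:
        # Burn the same work as a real check so that response time does not
        # reveal whether the e-mail address is registered.
        hash_password(password, salt=b"\x00" * SALT_BYTES)
        return False
    return verify_password(password, stored)
```

Hashing the same password twice yields two different records because of the random salt; that is exactly why a registration form built on this store can never say "this password is already taken by someone else".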
A4. XML External Entities (XXE)
An XML External Entity (XXE) vulnerability is an attack against an application that parses XML input from an untrusted source. It is usually caused by a misconfigured XML parser that still resolves external entities.
XXE vulnerability was not found.
A5. Broken Access control
a) Insecure direct object reference (IDOR)
IDOR occurs when the developer exposes a reference to an internal implementation object, such as a database key, file or directory. An attacker can manipulate these references to access unauthorised data. The impact depends on the sensitivity of the exposed object:
1) Users can access unauthorised files or data.
2) Users are able to access other users' data, etc.
I visited the Super Car page and got this alert from the website.
So I changed the 1 in the URL to 2 and got this response.
So we come to know that this website is vulnerable to IDOR.
Here I have one more example of IDOR.
On my account I visited Edit Profile and found one more IDOR example here.
I changed 33 to 12 and got this interface.
b) Missing Function Level Access Control
Missing function level access control means the application exposes a page or function without checking, on the server side, that the caller is allowed to use it. On the authentication side, an unauthenticated person can reach resources or functionality by bypassing the application's login mechanism. On the authorisation side, a least-privilege user can reach the admin control panel and potentially make unauthorised changes to the access control list (ACL) of user accounts.
I found this one with a cookie editor: it gave me the admin interface with a few changes.
I went to the cookie editor and changed the IsAdmin value to true,
and got admin control by refreshing the page.
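Both findings in this section come from the server trusting something the client supplied: the profile id in the URL and the IsAdmin cookie. Here is an added Python example, not the site's code, of the vulnerable handler pattern next to a hardened one that derives both identity and role from the server-side session record. The users, profiles and session table are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    email: str
    is_admin: bool


# Constructed sample data (not the site's): user records, their profiles and
# the server-side session table mapping session id -> user id.
USERS = {
    1: User(1, "admin@example.invalid", True),
    12: User(12, "alice@example.invalid", False),
    33: User(33, "bob@example.invalid", False),
}
PROFILES = {
    12: {"name": "Alice", "phone": "555-0112"},
    33: {"name": "Bob", "phone": "555-0133"},
}
SESSIONS = {"sess-bob": 33, "sess-alice": 12, "sess-admin": 1}

OK, UNAUTHORIZED, FORBIDDEN, NOT_FOUND = 200, 401, 403, 404


def current_user(cookies):
    """Resolve the caller from the session cookie only, never from other cookies."""
    user_id = SESSIONS.get(cookies.get("session"))
    return USERS.get(user_id)


# --- Vulnerable handlers: the pattern the two findings exploit ---------------

def edit_profile_vulnerable(cookies, profile_id):
    # The id in the URL is used as-is; changing 33 to 12 returns Alice's profile.
    profile = PROFILES.get(profile_id)
    return (OK, profile) if profile else (NOT_FOUND, None)


def admin_users_vulnerable(cookies):
    # Role decided by a client-editable cookie: set IsAdmin=true and you are in.
    if cookies.get("IsAdmin") != "true":
        return (FORBIDDEN, None)
    return (OK, [u.email for u in USERS.values()])


# --- Hardened handlers: identity and role come from server-side state --------

def edit_profile_safe(cookies, profile_id):
    user = current_user(cookies)
    if user is None:
        return (UNAUTHORIZED, None)
    if profile_id != user.id and not user.is_admin:
        # Deny before touching the record, so the response cannot confirm
        # whether the requested id exists.
        return (FORBIDDEN, None)
    profile = PROFILES.get(profile_id)
    return (OK, profile) if profile else (NOT_FOUND, None)


def admin_users_safe(cookies):
    user = current_user(cookies)
    if user is None:
        return (UNAUTHORIZED, None)
    if not user.is_admin:
        return (FORBIDDEN, None)
    return (OK, [u.email for u in USERS.values()])
```

The hardened handlers never read a role or an identity from anything the browser can edit; the only client-supplied value that matters is the opaque session id, which is looked up in a table the server controls.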
A6. Security Misconfigurations
Security misconfigurations occur when the system, framework or software is not properly configured by the DBAs and developers. This can give an attacker access to the system and result in a compromised system.
1) When I searched for some random commands, I got this server error with details of the stack trace. The stack trace revealed internal information and the methods used on the website.
2) Some directories are listed which shouldn't be listed.
I tried gobuster and found the following directories.
I also found the robots.txt page with nikto.
I found the /api/admin/users path in robots.txt, so I visited that path and got this interface.
A7. Cross site Scripting
I tried putting JavaScript code in the comments and it worked: we can execute JavaScript code there.
A8 Insecure Deserialization
Insecure Deserialization wasn’t found on the website.
A9. Using components with known vulnerabilities
This vulnerability can pose a big risk to the business, especially because of its ease of exploitation. If an attacker can find out which vulnerable components an application uses, exploitation is easy because the exploit methods are already published on the internet; the attacker simply has to use them. The impact ranges from minimal, through serious or complete data compromise, to server or host takeover.
Here I found that the website was using an outdated Microsoft .NET Framework and outdated ASP.NET, and their versions are also leaked.
A10. Insufficient logging and monitoring
No logging and monitoring systems were found on the website.
Other than this, I found some other vulnerabilities with nikto, as you can see below.
Some Other attacks other than this
1)Back Button attack
If the user leaves the browser open after logging out, the attacker can make use of the back button and navigate to the previous pages visited by the user. Most likely, the pages would have expired, so the attacker would get an error page on the browser saying just that. But the attacker isn’t done yet.
With the help of a cookie editor tool we can capture the AuthCookie and log in easily after the user has logged off.
We can copy the value of AuthCookie and import it later with the help of the cookie editor.
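The session finding under A2 (an old session ID still accepted hours later) and the back button / AuthCookie replay described here are both failures of server-side session lifecycle management. The following is an added Python example of a session store that rotates the ID on login, expires idle sessions and destroys the record on logout; it is not the site's code, the idle timeout is an assumed value, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds; assumed policy value, tune per application


class SessionStore:
    """In-memory, server-side session table: the cookie carries only an
    opaque ID; every property of the session lives here."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # session id -> {"user": str | None, "last_seen": float}

    def _new_id(self):
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def create(self):
        """Anonymous session handed out on first visit."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def _get(self, sid):
        record = self._sessions.get(sid)
        if record is None:
            return None
        if self._clock() - record["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expired: remove so it can never be revived
            return None
        record["last_seen"] = self._clock()
        return record

    def login(self, sid, user):
        """Authenticate: discard the pre-login ID and issue a fresh one, so an
        ID observed before login (session fixation) is worthless afterwards."""
        self._sessions.pop(sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._clock()}
        return new_sid

    def logout(self, sid):
        """Destroy the server-side record. A copied cookie value is now just
        an unknown ID, so the back-button / cookie-replay attack fails."""
        self._sessions.pop(sid, None)

    def user_for(self, sid):
        """Owner of the session, or None if unknown, expired or anonymous."""
        record = self._get(sid)
        return None if record is None else record["user"]


class FakeClock:
    """Test clock so expiry can be demonstrated without waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    store = SessionStore(clock)

    pre_login = store.create()
    logged_in = store.login(pre_login, "bob")
    fixation_blocked = store.user_for(pre_login) is None and store.user_for(logged_in) == "bob"

    copied_cookie = logged_in  # attacker copied AuthCookie from the browser
    store.logout(logged_in)
    replay_blocked = store.user_for(copied_cookie) is None

    idle = store.login(store.create(), "alice")
    clock.advance(IDLE_TIMEOUT + 1)
    expiry_enforced = store.user_for(idle) is None

    return fixation_blocked, replay_blocked, expiry_enforced
```

Logging out must delete the server-side record, not merely clear the cookie in the browser: with the record gone, the value the attacker copied is indistinguishable from a random unknown ID.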
This is the end. Thank you for reading this write-up.