Walkthrough: hackyourselffirst.troyhunt.com

About hackyourselffirst.troyhunt.com

Hack Yourself First is all about developers building up cyber-offense skills and proactively seeking out security vulnerabilities in their own websites before an attacker does.

EXECUTIVE SUMMARY

This Vulnerability Assessment and Penetration Test (VAPT) was performed during my winter vacation. The detailed report and findings are described below.

OBJECTIVE

The objective of this test was to identify security vulnerabilities in the web server configuration and in the website running on it. The tests were carried out from the perspective of an attacker with malicious intent, while taking due care not to harm the web server.

SCOPE

The scope is to find OWASP Top 10 vulnerabilities on the website, and also any other potential vulnerabilities.

Disclaimer

All information, techniques and tools described in this write-up are for educational purposes only. Use anything in this write-up at your own discretion, I cannot be held responsible for any damages caused to any systems or yourselves legally. Usage of all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. It is your responsibility to obey all applicable local, state and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using information herein.

OWASP Top 10 – 2017

A1 Injection

A2 Broken Authentication

A3 Sensitive Data Exposure

A4 XML External Entities

A5 Broken Access Control

A6 Security Misconfiguration

A7 Cross-Site Scripting

A8 Insecure Deserialization

A9 Using Components with Known Vulnerabilities

A10 Insufficient Logging and Monitoring

Summary Scan Report of hackyourselffirst.troyhunt.com

A1. Injection

Injection means sending untrusted input that a back-end interpreter (SQL, an OS shell, LDAP and so on) treats as part of a command or query, so that attacker-supplied data is executed as code.

1) SQL Injection (Critical Severity)

SQL injection works by supplying input that is concatenated into a SQL statement, so that the input changes the structure of the query and makes the database perform unintended actions: reading other tables, bypassing logins, or modifying and deleting data.

I tried SQL injection in the search bar but did not get any results.

But when I tried SQL injection in the browser URL, I got a server error response which gives us version info.

Payloads used: ' union select 1,version() # and /' union select 1,version() #
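To show why the payload above works and what the fix looks like, here is an added example (not code from the write-up or from the Hack Yourself First site). An in-memory SQLite table stands in for the site's real database, which is an assumption; the payload is rewritten in SQLite dialect, where sqlite_version() plays the role of MySQL's version() and "--" replaces "#" as the comment marker.

```python
import sqlite3


# Constructed in-memory SQLite database standing in for the site's back end
# (assumption: the real database engine and schema are not known from the write-up).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE supercar (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO supercar (name) VALUES (?)",
        [("Ferrari",), ("Lamborghini",), ("Pagani",)],
    )
    return conn


# Same idea as the write-up's `' union select 1,version() #`, in SQLite dialect:
# sqlite_version() replaces MySQL's version(), and `--` replaces `#` as the comment.
PAYLOAD = "x' UNION SELECT 1, sqlite_version() -- "


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    # Vulnerable: the search term is spliced into the SQL text, so a quote in
    # the input closes the string literal and the rest is parsed as SQL.
    sql = f"SELECT id, name FROM supercar WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    # Hardened: the term is bound as a parameter. The statement text is fixed,
    # so the same payload is only ever compared against car names.
    return conn.execute(
        "SELECT id, name FROM supercar WHERE name LIKE ?", (f"%{term}%",)
    ).fetchall()


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable": search_vulnerable(conn, PAYLOAD),  # one row: (1, '<sqlite version>')
        "safe": search_safe(conn, PAYLOAD),              # []: nothing is named like the payload
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable query becomes `... WHERE name LIKE '%x' UNION SELECT 1, sqlite_version() -- %'`: the UNION appends a row containing the database version, exactly the kind of information the write-up got back in the error response. With a bound parameter the database never parses the payload as SQL, which is the fix regardless of engine.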

A2. Broken Authentication

Severity: Critical

Broken authentication is an umbrella term for several vulnerabilities that attackers exploit to impersonate legitimate users online. Broadly, broken authentication refers to weaknesses in two areas: session management and credential management. Both are classified as broken authentication because attackers can use either avenue to masquerade as a user: hijacked session IDs or stolen login credentials.

A) User credentials are not protected

I tried the random password abc123 while registering a new account and got this sensitive info: the password is already taken by testing@testing.com. So I get both the username and the password, and there is no need to create a new account.

B) Weak Passwords

When I tried a special character in the password field while creating a new account, I got this interface.

When I visited the page where all users' data is available, I saw that all the users' passwords are weak.

C) Session IDs aren't changing or expiring

When I loaded the website, I got this session ID.

Session ID: diwmkx5jpcz1l00y3nol5wru

After a few hours I tried to log in with the help of the old session ID and successfully logged in.

A3. Sensitive Data exposure

Severity: Medium

Many web applications do not properly protect sensitive data such as credit cards, tax IDs and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft or other crimes. Sensitive data is exposed because of flaws in the web application: for example, if passwords are stored in plain text or with a fast, unsalted hash, they can be read or cracked easily once the database is reached.

1) I saw that the autosave password and email option is enabled on the website.

2) No encryption technique is used to store the username and password.
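What protected storage of credentials looks like in practice: an added example, not code from the write-up or the site. The weak variant keeps the password as typed, which is what the write-up observed; the hardened variant uses a per-user random salt with PBKDF2-HMAC-SHA256 from the standard library (the iteration count follows current OWASP guidance; any real deployment would pick its own). Note that passwords should be hashed with a slow, salted function rather than encrypted, since the server must never need the original value back.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; OWASP's current guidance is 600,000 iterations.
ITERATIONS = 600_000


def store_plaintext(password: str) -> str:
    # What the write-up describes: the password is stored as typed, so anyone who
    # reads the user table (or a "password already taken" message) has it.
    return password


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    # Hardened: a random 16-byte salt per user, then a slow keyed derivation.
    # Two users with the same password get different stored values, so the
    # "abc123 is already taken by testing@testing.com" disclosure cannot be
    # derived from the stored records.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    # Re-derive with the stored salt and iteration count, then compare in constant time.
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # hmac.compare_digest does not short-circuit, so timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("abc123")
    print(record)
    print(verify_password("abc123", record), verify_password("abc124", record))
```

Because the salt is random, hashing "abc123" twice gives two different records, and a registration form backed by this store has no way to tell a new user that "this password is already taken", which closes the disclosure noted under A2.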

A4. XML External Entities (XXE)

An XML External Entity vulnerability is an attack against an application that parses XML input from an untrusted source. It is usually caused by an XML parser that is configured to resolve external entities, which lets an attacker read local files or make the server issue requests.

No XXE vulnerability was found.

A5. Broken Access control

Severity: High

a) Insecure direct object reference (IDOR)

IDOR occurs when the developer exposes a reference to an internal implementation object such as database key, file, directories, etc. An attacker can manipulate these references to access unauthorized data. The impact will depend on the severity of the exposed object.

Typical Impact:

1) Users can access unauthorized files or data

2) Users able to access data of other users, etc.

I visited the supercar page and got this alert from the website.

So I changed the 1 in the URL to 2 and got this response.

So we come to know that this website is vulnerable to IDOR.

Here I have one more example of IDOR.

On my account I visited edit profile and found one more IDOR example there.

I changed 33 to 12 and got this interface.

b) Missing Function Level Access Control

Severity: High

Missing Function Level Access Control means a function or page is reachable without the server checking that the caller is allowed to use it. On the authentication side, an unauthenticated person can reach resources or functionality by bypassing the login mechanism; on the authorization side, a least-privilege user can reach an admin control panel and make unauthorized changes to other users' accounts.

I found this one with a cookie editor: it gave me the admin interface after a few changes.

I went to the cookie editor and changed the IsAdmin value to true.

And I got admin control by refreshing the page.
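Both A5 findings (the IDOR on the supercar and edit-profile pages, and the IsAdmin cookie) have the same root cause: the server trusts a value the client controls. The added example below (not code from the write-up or the site) shows each vulnerable check beside its hardened form. The user table, session map and cookie names are constructed for the example; the only client-supplied value the hardened code trusts is an opaque session ID that it resolves server-side.

```python
# Constructed server-side state (assumption): a user table and a map from
# session ID to user ID. Neither the role nor the user ID ever lives in a cookie.
USERS = {
    1:  {"email": "admin@example.com", "is_admin": True},
    12: {"email": "alice@example.com", "is_admin": False},
    33: {"email": "bob@example.com",   "is_admin": False},
}
SESSIONS = {"s-admin": 1, "s-bob": 33}  # session ID -> user ID (constructed)


def parse_cookies(header: str) -> dict:
    # Minimal Cookie header parser: "a=1; b=2" -> {"a": "1", "b": "2"}
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def current_user_id(cookies: dict):
    # The only thing trusted from the client is the opaque session ID,
    # and it is resolved server-side.
    return SESSIONS.get(cookies.get("session"))


# --- Missing function-level access control (the IsAdmin cookie) -------------
def admin_users_vulnerable(cookie_header: str) -> int:
    # Vulnerable: the authorization decision is read from a client-controlled
    # cookie, so setting IsAdmin=true in a cookie editor is enough.
    cookies = parse_cookies(cookie_header)
    return 200 if cookies.get("IsAdmin", "").lower() == "true" else 403


def admin_users_safe(cookie_header: str) -> int:
    # Hardened: the role comes from the server-side record of the logged-in user.
    uid = current_user_id(parse_cookies(cookie_header))
    if uid is None:
        return 401
    return 200 if USERS[uid]["is_admin"] else 403


# --- IDOR on the edit-profile page (changing 33 to 12 in the URL) -----------
def edit_profile_vulnerable(cookie_header: str, profile_id: int):
    # Vulnerable: any logged-in user can load any profile just by changing the ID.
    if current_user_id(parse_cookies(cookie_header)) is None:
        return 401, None
    profile = USERS.get(profile_id)
    return (200, profile) if profile else (404, None)


def edit_profile_safe(cookie_header: str, profile_id: int):
    # Hardened: the requested object must belong to the caller, or the caller
    # must hold a role (looked up server-side) that permits access to it.
    uid = current_user_id(parse_cookies(cookie_header))
    if uid is None:
        return 401, None
    if profile_id != uid and not USERS[uid]["is_admin"]:
        return 403, None
    profile = USERS.get(profile_id)
    return (200, profile) if profile else (404, None)


if __name__ == "__main__":
    print(admin_users_vulnerable("IsAdmin=true"))              # 200: cookie edit works
    print(admin_users_safe("IsAdmin=true; session=s-bob"))     # 403: cookie ignored
    print(edit_profile_vulnerable("session=s-bob", 12)[0])     # 200: Bob reads Alice
    print(edit_profile_safe("session=s-bob", 12)[0])           # 403: ownership enforced
```

The ownership check in edit_profile_safe is the general IDOR fix: every handler that takes an object identifier must verify that the authenticated principal may act on that object, rather than assuming the identifier is unguessable. For the supercar page the same check applies to whatever object the numeric ID selects.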

A6. Security Misconfigurations

Severity: High

Security misconfigurations occur when the framework, server or application software is left on insecure defaults or is set up incorrectly by administrators and developers. Verbose errors, directory listings and exposed administrative paths give an attacker information or access that can lead to a compromised system.

1) When I searched for some random commands, I got this server error with the details of the stack trace. The stack trace revealed some internal information and the methods used on the website.

2) Some directories are listed which shouldn't be listed.

I tried gobuster and found the following directories.

And I found the robots.txt page with nikto as well.

I found the /api/admin/users path in robots.txt, so I visited that path and got this interface.

A7. Cross site Scripting

Severity: Critical

Cross-site scripting flaws occur when a web application accepts untrusted data from a user and sends it to the browser without proper validation or output encoding. In a typical XSS attack the attacker injects JavaScript into the website, and when a user visits the infected page or link the JavaScript executes in the user's browser. It is a client-side code injection attack.

I tried to put JavaScript code in the comments and it works: we can execute JavaScript code in them.
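The stored XSS in the comments comes down to how the comment is written into the page. The added example below (not code from the write-up or the site) renders a constructed comment the vulnerable way and the hardened way; the markup layout and the payloads are assumptions, and the check function exists only to make the difference testable.

```python
import html

# Constructed payloads, the kind the write-up says executes in the comments.
COMMENT = "<script>alert(document.cookie)</script>"   # element-body context
AUTHOR = 'x" onmouseover="alert(1)'                    # attribute context


def render_comment_vulnerable(author: str, body: str) -> str:
    # Vulnerable: untrusted text is concatenated straight into the HTML, so a
    # "<script>" in the body and a closing quote in the attribute are both live.
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author: str, body: str) -> str:
    # Hardened: encode for the context the data lands in. html.escape(quote=True)
    # converts < > & " and ' so the browser treats the text as text, both inside
    # the element body and inside a double-quoted attribute value.
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f"<p>{html.escape(body, quote=True)}</p></div>"
    )


def contains_active_content(markup: str) -> bool:
    # Crude detector used to compare the two renderers: an unencoded <script tag
    # or an injected event-handler attribute means the payload survived rendering.
    lowered = markup.lower()
    return "<script" in lowered or '" onmouseover="' in lowered


if __name__ == "__main__":
    print(render_comment_vulnerable(AUTHOR, COMMENT))
    print(render_comment_safe(AUTHOR, COMMENT))
```

HTML entity encoding is the right fix for these two contexts only. Data that ends up inside a script block, a URL or a CSS value needs the encoding for that context, and a Content-Security-Policy that disallows inline script limits the damage when an encoding step is missed.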

A8. Insecure Deserialization

Severity: Low

Insecure deserialization wasn't found on the website.

A9. Using components with known vulnerabilities

Severity: Medium

This category carries a large risk to the business because of its ease of exploitation. If an attacker can identify the vulnerable components an application uses, exploitation is often straightforward because exploit code for known versions is already public; the impact ranges from minimal, to serious or complete data compromise, to server or host takeover.

In this I found that the website was using an outdated Microsoft .NET Framework and outdated ASP.NET, and their versions are also leaked.
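The stack trace under A6 and the version leak under A9 are both settings in an ASP.NET application's web.config. The fragment below is an added example, not the site's own configuration; it shows each weak setting in a comment next to the hardened value that replaces it. The error page path is an assumption.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the site's own web.config. Weak settings are shown in
     comments next to the hardened value that replaces them. -->
<configuration>
  <system.web>
    <!-- Weak: <customErrors mode="Off" /> sends the full stack trace to every client.
         Hardened: remote clients get a generic page; the trace is only shown locally.
         "~/Error" is an assumed error page for this example. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />

    <!-- Weak: enableVersionHeader="true" (the default) adds X-AspNet-Version to responses.
         Hardened: stop advertising the ASP.NET version. -->
    <httpRuntime enableVersionHeader="false" />
  </system.web>

  <system.webServer>
    <!-- Weak: <directoryBrowse enabled="true" /> lists directory contents.
         Hardened: no listing; a request for a directory falls through to a default document or 404. -->
    <directoryBrowse enabled="false" />

    <httpProtocol>
      <customHeaders>
        <!-- Remove the framework fingerprint IIS adds by default. -->
        <remove name="X-Powered-By" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

These settings do not touch the Server header that IIS itself adds; on IIS 10 and later that needs `<requestFiltering removeServerHeader="true" />` under system.webServer/security, and on older versions an outbound URL Rewrite rule. Removing version headers stops the fingerprinting the write-up relied on, but the actual remediation for A9 is updating the framework.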

A10. Insufficient logging and monitoring

No logging and monitoring systems were found on the website.

Other than this, I found some other vulnerabilities with nikto, as you can see below.

Some other attacks

1) Back Button attack

Severity: Medium

If the user leaves the browser open after logging out, an attacker with access to that browser can use the back button to navigate to the pages the user previously visited. Most likely the pages would have expired, so the attacker would get an error page on the browser saying just that. But the attacker isn't done yet.

2) Cookie Invalidation

With the help of a cookie editor tool we can capture the AuthCookie and log in easily after the user has logged off.

We can copy the value of the AuthCookie and import it later with the help of the cookie editor.
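The session ID that still worked hours later (A2) and the AuthCookie that still works after logout (above) are the same defect seen twice: the server keeps accepting an identifier that it should have retired. The added example below (not code from the write-up or the site) is a server-side session store that rotates the ID on login, enforces idle and absolute timeouts, and invalidates on logout; the timeout values and the injectable clock are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 20 * 60           # seconds allowed since the last request (assumed value)
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # seconds allowed since login, regardless of activity (assumed)


class SessionStore:
    """Server-side session store. The client only ever holds an opaque ID."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested without waiting
        self._sessions = {}      # sid -> {"user": ..., "created": t, "seen": t}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable

    def start(self) -> str:
        # Anonymous session issued on first visit (the ID the write-up saw on page load).
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "created": now, "seen": now}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        # Rotate: the pre-login ID is destroyed and a fresh one is issued, so an ID
        # captured (or fixed) before authentication never becomes an authenticated one.
        self._sessions.pop(old_sid, None)
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "created": now, "seen": now}
        return sid

    def user_for(self, sid: str):
        # Returns the logged-in user, or None if the ID is unknown or expired.
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["seen"] > IDLE_TIMEOUT or now - sess["created"] > ABSOLUTE_TIMEOUT:
            self._sessions.pop(sid, None)   # expired: forget it so it can never be replayed
            return None
        sess["seen"] = now
        return sess["user"]

    def logout(self, sid: str) -> None:
        # Invalidate server-side. Clearing the cookie in the browser alone is not
        # enough: a copied AuthCookie value would still be accepted by the server.
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.start()
    auth = store.login(anon, "testing@testing.com")
    print(store.user_for(anon), store.user_for(auth))   # None testing@testing.com
    store.logout(auth)
    print(store.user_for(auth))                          # None: replayed cookie is rejected
```

For the back-button case, invalidating the session is necessary but not sufficient: the browser may still serve the last authenticated page from its cache, so pages with private content should also be sent with `Cache-Control: no-store`.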

This is the end. Thank you for reading this write-up.
