Walkthrough: zero.webappsecurity.com

Suhel Kathi
8 min read · Apr 7, 2022

About http://zero.webappsecurity.com/

The Free Online Bank Web site is published by Micro Focus Fortify for the sole purpose of demonstrating the functionality and effectiveness of Micro Focus Fortify’s WebInspect products in detecting and reporting Web application vulnerabilities. This site is not a real banking site and any similarities to third party products and/or Web sites are purely coincidental. This site is provided “as is” without warranty of any kind, either express or implied. Micro Focus Fortify does not assume any risk in relation to your use of this Web site. Use of this Web site indicates that you have read and agree to Micro Focus Fortify’s Terms of Use found at https://www.microfocus.com/about/legal/#privacy and Micro Focus Fortify’s Online Privacy Statement found at https://www.microfocus.com/about/legal/#privacy.

EXECUTIVE SUMMARY

This VAPT was performed during my winter vacation. The detailed report and our findings are described below.

OBJECTIVE

The objective of this test was to determine security vulnerabilities in the web server configuration and website running on the server. The tests were carried out assuming the identity of an attacker or with malicious intent. At the same time due care was taken not to harm the web server.

SCOPE

The scope is to find OWASP Top 10 vulnerabilities on the website and also to find other potential vulnerabilities.

Disclaimer

All information, techniques and tools described in this write-up are for educational purposes only. Use anything in this write-up at your own discretion; I cannot be held responsible for any damages caused to any systems or to yourselves legally. Usage of the tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. It is your responsibility to obey all applicable local, state and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using the information herein.

OWASP top 10–2017

A1 Injection

A2 Broken Authentication

A3 Sensitive Data exposure

A4 XML External Entities

A5 Broken Access control

A6 Security Misconfiguration

A7 Cross site Scripting

A8 Insecure Deserialization

A9 Using components with known vulnerabilities

A10 Insufficient logging and monitoring

A1. Injection

Injection means inserting malicious code into a website so that it is executed as commands or interpreted as data by a backend interpreter.

1) SQL Injection (Critical Severity)

SQL injections operate by injecting data into a web application in the form of SQL queries which causes the database to perform unintended actions. A SQL injection can damage your database.

I tried SQL injection in the login form but did not get any results, so I logged in with the username & password, went to the Pay Bills section and captured the request of that page with the help of Burp Suite & FoxyProxy.

After capturing the request I sent it to the Repeater.

In Repeater I edited the request by adding just a ' after Sprint and sent the request, then looked at the response.

Then in the response panel I selected "Show response in browser"; it generated the URL http://burpsuite/show/6/miexypvwf7vsvj64ic4g2892mfxytlry. I opened this URL in the browser and got this response: the SQL injection was successful (the single quote produced a database error).

But when I tried the same SQL injection directly in the browser URL I got a server 404 error page, which gives us the server & version info.
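The root cause of the Pay Bills finding above is query string concatenation. The following is an added example (not code from the post or from the demo site) that stands in for the payee lookup with a constructed in-memory table, and shows why the single quote the write-up used breaks the concatenated query but is harmless to a parameterized one. The table name and columns are assumptions.

```python
import sqlite3

# Constructed in-memory table standing in for the Pay Bills payee list.
# Assumption: the real application's schema is unknown; this is illustrative only.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE payees (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO payees (name) VALUES (?)",
                    [("Sprint",), ("Apple",), ("Bank of America",)])
    return con

def find_payee_vulnerable(con, name):
    # String concatenation: the user's input becomes part of the SQL grammar,
    # so a stray ' leaves the string literal unterminated and the query fails.
    query = "SELECT id FROM payees WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(query)]

def find_payee_safe(con, name):
    # Parameterized query: the driver passes the value separately from the
    # statement text, so a quote in the input can never change the query shape.
    return [row[0] for row in con.execute(
        "SELECT id FROM payees WHERE name = ?", (name,))]

def probe(fn, name):
    """Return ('ok', rows) or ('error', message) so the two behaviours are observable."""
    con = make_db()
    try:
        return ("ok", fn(con, name))
    except sqlite3.OperationalError as exc:
        # The vulnerable version surfaces the database error, which is exactly
        # the signal the write-up saw in Burp Repeater.
        return ("error", str(exc))

if __name__ == "__main__":
    for name in ("Sprint", "Sprint'"):
        print(repr(name), probe(find_payee_vulnerable, name), probe(find_payee_safe, name))
```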

A2. Broken Authentication

Severity: Critical

Broken authentication is an umbrella term for several vulnerabilities that attackers exploit to impersonate legitimate users online. Broadly, broken authentication refers to weaknesses in two areas: session management and credential management. Both are classified as broken authentication because attackers can use either avenue to masquerade as a user: hijacked session IDs or stolen login credentials.

A) Weak password & username, and user credentials exposed

The website itself displays the username & password on the login page.

B) Session IDs aren’t changing

When I loaded the website, I got this session id.

JSESSIONID : EA0F367E

I kept the website pages open in hibernate mode for a long time. Still, I was logged in, and the session id did not change.
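The two behaviours observed above (an id that survives login and a session that never expires while idle) are both fixed by a session store that rotates the id at authentication and drops idle sessions. This is an added illustration, not the demo site's code; the 15-minute idle limit is an assumed policy and the clock is injectable only so the expiry can be exercised deterministically.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped (assumed policy)

class SessionStore:
    """Minimal server-side session table keyed by an unguessable session id."""

    def __init__(self, now=time.time):
        self._now = now       # injectable clock so expiry is testable without sleeping
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}

    def start_anonymous(self):
        # 32 random bytes (~256 bits), far beyond the 8-hex-digit id seen on the site.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, old_sid, user):
        # Rotate the id at the privilege change: the pre-login id is invalidated,
        # so a value captured before authentication is worthless afterwards.
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "last_seen": self._now()}
        return new_sid

    def user_for(self, sid):
        """Return the logged-in user, or None if the session is unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # idle expiry: the 'left open for hours' case
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)
```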

A3. Sensitive Data exposure

Severity: Medium

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data is exposed because of flaws in the web application. For example, if weak algorithms are used to save passwords then they can be easily cracked, and sensitive data will be exposed.

1) Login user credentials are exposed & not in encrypted format

2) There is no SSL certificate on the website; only HTTP is present, so anyone on the network path can sniff the traffic & steal credentials

A4. XML External Entities (XXE)

An XML external entity vulnerability is an attack against an application parsing XML input from an untrusted source. It is usually caused by a misconfigured XML parser that resolves external entities.

XXE vulnerability was not found.

A5. Broken Access control

Severity: High

a) Insecure direct object reference (IDOR)

IDOR occurs when the developer exposes a reference to an internal implementation object such as database key, file, directories, etc. An attacker can manipulate these references to access unauthorized data. The impact will depend on the severity of the exposed object.

Typical Impact:

1) Users can access unauthorized files or data

2) Users able to access data of other users, etc.

After a successful login I visited the Account Summary, then clicked on the Cash Accounts Savings tab and found an IDOR.

So I changed the value of accountId=1 to 3 and got this interface

So, we come to know that this website is vulnerable to IDOR.
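The accountId change described above works because the server trusts the identifier alone. As an added example (not the site's code), the lookup below is shown in its vulnerable form beside one that ties the authorization decision to the authenticated session; the account data and user names are constructed, and the detection hook is a hypothetical place to raise an alert.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    account_id: int
    owner: str
    kind: str
    balance: float

# Constructed sample data: two customers, each with their own accounts.
ACCOUNTS = {
    1: Account(1, "username", "Savings", 1250.00),
    2: Account(2, "username", "Checking", 300.00),
    3: Account(3, "othercustomer", "Savings", 9800.00),
}

class Forbidden(Exception):
    """Raised when the caller is not the owner of the requested object."""

def account_summary_vulnerable(requested_id):
    # Trusts the accountId parameter alone: changing 1 -> 3 returns another customer's data.
    return ACCOUNTS.get(requested_id)

def account_summary_safe(session_user, requested_id):
    # The authorization decision is made server-side from the authenticated session,
    # never from anything the client can edit in the URL.
    account = ACCOUNTS.get(requested_id)
    if account is None or account.owner != session_user:
        # Same outcome for 'missing' and 'not yours', so ids cannot be enumerated via errors.
        raise Forbidden(f"user {session_user!r} may not view accountId={requested_id}")
    return account

def is_idor_probe(session_user, requested_id):
    """Detection hook (hypothetical): true when a session asks for an account it does not own."""
    account = ACCOUNTS.get(requested_id)
    return account is not None and account.owner != session_user
```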

A6. Security Misconfigurations

Severity: High

Security misconfigurations occur when the system framework and software are not properly configured by DBAs and developers. This can give an attacker a foothold on the system and result in a compromised system.

1) Default login & password found

2) Some directories are listed which shouldn't be listed.

I tried gobuster and found the following directories

I also found the /admin page

And I found some critical data easily in /admin

A7. Cross site Scripting

Severity: Critical

Cross site scripting flaws occur when a web application accepts untrusted data from the user and sends it to the web browser without proper input validation or output encoding. In a typical XSS attack, the attacker injects JavaScript into the website, and when a user visits the infected link, the JavaScript executes in the user's browser. It is a client-side code injection attack.

To execute the cross site script I needed to find a description or comments box, and I found the Description box in the Transfer Funds tab.

I put some script code in the Description box and hit the submit button; the script got executed.

Script = <svg onload=alert(1)> “><svg onload=alert(1)//

I found one more cross site scripting in url: http://zero.webappsecurity.com/bank/account-activity.html?accountId=123456);alert(112);//123
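The two findings above land in different output contexts: the description is reflected into HTML element content, while accountId is dropped into a JavaScript call, which is why ");alert(112);//" closes the call early. This added example (not the site's code) uses the write-up's two payloads only as test input for a vulnerable and a hardened renderer of each context; the loadActivity function name and the table-cell markup are assumptions.

```python
import html
import json

# Payloads reported in the write-up, used here only as test input for the encoders.
DESCRIPTION_PAYLOAD = '<svg onload=alert(1)> "><svg onload=alert(1)//'
ACCOUNT_ID_PAYLOAD = '123456);alert(112);//123'

def render_description_vulnerable(description):
    # Reflects the stored description verbatim into HTML: the <svg> tag becomes live markup.
    return "<td>" + description + "</td>"

def render_description_safe(description):
    # Entity-encode for an element-content context; quote=True also covers attribute use.
    return "<td>" + html.escape(description, quote=True) + "</td>"

def render_script_vulnerable(account_id):
    # Drops the query parameter straight into a JavaScript call, so ');' ends the call early.
    return "<script>loadActivity(" + account_id + ");</script>"

def render_script_safe(account_id):
    # Validate first: accountId is numeric by contract, so anything else is rejected outright.
    if not account_id.isdigit():
        raise ValueError("accountId must be a positive integer")
    # Then JSON-encode and escape '<' so the value can never terminate the script block.
    literal = json.dumps(account_id).replace("<", "\\u003c")
    return "<script>loadActivity(" + literal + ");</script>"

def contains_live_markup(rendered):
    """Crude check for the tests: is an executable tag or a broken-out call still present?"""
    return "<svg" in rendered or ");alert(" in rendered
```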

A8 Insecure Deserialization

Severity: Low

Insecure Deserialization wasn’t found on the website.

A9. Using components with known vulnerabilities

Severity: Medium

This particular vulnerability can pose a big risk to the business, especially because of its ease of exploitability. If an attacker is able to find out which vulnerable components an application is using, they can be exploited easily, since the exploit methods are already available on the internet and the attacker simply has to make use of them. The impact ranges from minimal, to serious or complete data compromise, to server/host takeover.

Here I found that the website was using an outdated Tomcat, and its version is also leaked.

A10. Insufficient logging and monitoring

Not found on the website.

Other than this, I found some other vulnerabilities with nikto, as you can see below

Some other attacks

1) Back button attack

Severity: Medium

If the user leaves the browser open after logging out, the attacker can make use of the back button and navigate to the previous pages visited by the user. Most likely, the pages would have expired, so the attacker would get an error page on the browser saying just that. But the attacker isn’t done yet.

2) Directory Traversal

When I visited /manager/status, which I had found in the nikto result, I found this interface

When I visited /web-services, which I had found in the gobuster result, I got this interface

In /docs I found this info

CONCLUSIONS

Experience has shown that a focused effort on the problems outlined in this report can result in dramatic security improvements. Most of the identified problems do not require high-tech solutions, just knowledge of and commitment to good practices. For a system to remain secure, however, its security posture must be evaluated and improved continuously. Establishing the organisational structure that will support these ongoing improvements is essential in order to maintain control of corporate information systems. We conclude that the overall security needs to improve. We hope that the issues cited in this report will be addressed.

This is the end. Thank you for reading this write-up.
