
Project 8 - Pentesting Live Targets

Time spent: 6 hours in total

Objective: Identify vulnerabilities in three different versions of the Globitek website: blue, green, and red.

The six possible exploits are:

  • Username Enumeration
  • Insecure Direct Object Reference (IDOR)
  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Session Hijacking/Fixation

Each version of the site has been given two of the six vulnerabilities. (In other words, all six of the exploits should be assignable to one of the sites.)

Blue

Vulnerability #1: SQL Injection (SQLi)

  • A SQL injection exists at /blue/public/salesperson.php?id=, where the id parameter is passed into a query without validation. As a proof of concept, a simple injection using the SQL sleep(5)=0 condition was performed. Using this vulnerability an attacker can enumerate databases, tables, and columns, then use that information to dump data.
  • GIF Walkthrough:

Vulnerability #2: Session Hijacking

  • The session id of an authenticated user was hijacked and used by an attacker to bypass user login. Session ids can be hijacked by sniffing the network, orchestrating an XSS attack, or predicting the token.
  • GIF Walkthrough:

Green

Vulnerability #1: Username Enumeration

  • In this scenario, we are able to collect a valid username by interacting with the authentication mechanism on the login page. Typing in an invalid username results in a login error message that is not bolded. When we type in a valid username, in this case jmonroe99, the login error message becomes bolded. Once a valid username is known, an attacker can perform a brute force attack against the website to guess the password.
  • GIF Walkthrough:
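The two login-side findings above (the hijackable session on Blue and the enumerable username on Green) are both fixed in the login handler. The following is an added example, not the Globitek project's code: it returns the same message and markup whether the username or the password is wrong, performs a hash check even for unknown usernames so response time does not differ either, issues a fresh session id on successful login, and sets the cookie flags that keep the id away from script and off the wire in clear text. The database name, credentials, `users` table and `password_hash` column are assumptions.

```php
<?php
// Added example (not the Globitek project's code). Assumptions (hypothetical):
// a `users` table with `username` and `password_hash` columns, the latter
// produced by password_hash(), and placeholder database credentials.
declare(strict_types=1);

// Cookie hardening has to be set before session_start().
session_set_cookie_params([
    'httponly' => true,   // not readable by script, so an XSS cannot read the id
    'secure'   => true,   // only sent over HTTPS, so a network sniffer never sees it
    'samesite' => 'Lax',  // not attached to most cross-site requests
]);
session_start();

$pdo = new PDO(
    'mysql:host=localhost;dbname=globitek',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

$username = (string)($_POST['username'] ?? '');
$password = (string)($_POST['password'] ?? '');

$stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
$stmt->execute([':u' => $username]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// Verify against a throw-away hash when the user does not exist, so that
// "no such user" and "wrong password" take about the same time to answer.
$hashToCheck = ($user !== false)
    ? $user['password_hash']
    : password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
$ok = password_verify($password, $hashToCheck) && $user !== false;

if (!$ok) {
    // One message, one piece of markup, for both failure causes: there is no
    // bold/not-bold difference left to observe.
    http_response_code(401);
    exit('<p>Invalid username or password.</p>');
}

// Fixation defence: throw away the id that existed before authentication and
// issue a new one, so an id planted or observed before login is worthless.
session_regenerate_id(true);
$_SESSION['user_id'] = (int)$user['id'];
$_SESSION['role']    = 'staff';   // hypothetical role used by other pages

header('Location: /index.php');
```

The `password_hash()` call on the unknown-user path costs one bcrypt computation per failed attempt, which is the point: the cost is the same whether or not the username exists.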

Vulnerability #2: Cross-Site Scripting (XSS)

  • A stored XSS vulnerability is present at /green/public/contact.php, where an anonymous user can submit feedback. It can be used to steal sensitive information from an unsuspecting user such as cookies, session tokens, or credentials. In our scenario, we inject an alert('My name is ') as a proof of concept. The website does not properly sanitize script tags: capitalizing the "I" in script bypasses the filter (script --> scrIpt).
  • GIF Walkthrough:
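The case-change bypass shows why filtering tag names on input is the wrong layer: a blacklist has to anticipate every spelling, while encoding on output does not. The following is an added example, not the Globitek project's code, placing the weak filter beside the fix for the feedback display; the function names are hypothetical.

```php
<?php
// Added example (not the Globitek project's code): rendering user-supplied
// feedback on the contact page. Function names are hypothetical.
declare(strict_types=1);

// The weak approach: remove the literal string "<script" (case-sensitive).
// A case variant such as "<scrIpt" passes through untouched, which is exactly
// what the writeup observed on the green site.
function stripScriptTags(string $feedback): string
{
    return str_replace('<script', '', $feedback);
}

// The fix: encode every character that has meaning in HTML as an entity at
// the point of output. ENT_QUOTES also encodes both quote characters, so the
// same call is safe inside attribute values; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string. The browser displays the text
// and never parses it as markup, whatever the casing.
function renderFeedback(string $feedback): string
{
    $safe = htmlspecialchars($feedback, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="feedback">' . $safe . '</p>';
}

// Constructed sample input using the mixed-case payload from the writeup.
$sample = "<scrIpt>alert('My name is ')</scrIpt>";

// stripScriptTags() hands the sample back unchanged; renderFeedback() emits
// it with every < > ' encoded, so it renders as literal text.
echo renderFeedback($sample);
```

Encode for the context the value lands in: `htmlspecialchars()` is correct for HTML text and attributes, but a value placed inside a `<script>` block or a URL needs that context's encoder instead.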

Red

Vulnerability #1: Insecure Direct Object Reference (IDOR)

  • An IDOR is present at /red/public/salesperson.php?id=, where a user can reach private information by changing the 'id' parameter. The salesperson page only shows information for id=1 through 9; however, setting id=10 or id=11 reveals sensitive information about salespersons. For example, id=11 reveals that Salesperson Lazy Lazyman was fired for stealing. On the secure Blue and Green sites, access control is implemented: each direct object reference is checked before the record is shown.
  • GIF Walkthrough:
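Both findings on the salesperson.php id parameter (the injection on Blue and the IDOR on Red) come down to what the page does with that value before and after the query. The following is an added example, not the Globitek project's code: a hardened version of the lookup that validates the id as an integer, binds it in a prepared statement, and then checks that the requesting user is allowed to see the record it refers to. The `salespeople` table, its `visibility` column, the `role` session key and the database credentials are assumptions.

```php
<?php
// Added example (not the Globitek project's code): a hardened salesperson.php.
// Assumptions (hypothetical): a `salespeople` table with a `visibility`
// column ('public' or 'private'), the logged-in role in $_SESSION['role'],
// and placeholder database credentials.
declare(strict_types=1);

session_start();

// 1. Input validation: the id must be a positive integer. Anything else,
//    including "sleep(5)=0" style input, is rejected before reaching the DB.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid salesperson id.');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=globitek',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    // Native (non-emulated) prepared statements keep data and SQL separate.
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// 2. Parameterized query: the value is bound, never concatenated into the
//    SQL text, so it cannot change the structure of the query.
$stmt = $pdo->prepare(
    'SELECT id, first_name, last_name, visibility FROM salespeople WHERE id = :id'
);
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. Authorization on the referenced object (the IDOR fix): a row may well
//    exist for id=10 or id=11, but only staff may view non-public records.
//    Missing and forbidden records get the same response, so the id space
//    cannot be mapped by comparing answers.
$isStaff = (($_SESSION['role'] ?? '') === 'staff');
if ($row === false || ($row['visibility'] !== 'public' && !$isStaff)) {
    http_response_code(404);
    exit('Salesperson not found.');
}

// 4. Output encoding on the way out, as defence in depth against stored XSS.
printf(
    '<h1>%s %s</h1>',
    htmlspecialchars($row['first_name'], ENT_QUOTES, 'UTF-8'),
    htmlspecialchars($row['last_name'], ENT_QUOTES, 'UTF-8')
);
```

Step 3 is the one the Red site is missing: validation and parameter binding stop the query from being altered, but only an explicit check that this user may see this record stops a valid id from returning someone else's data.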

Vulnerability #2: Cross-Site Request Forgery (CSRF)

  • In a CSRF attack, we take advantage of an authenticated user's session to make a request on their behalf. Here, we use the feedback form at /red/public/contact.php to plant a link to a malicious page. When an authenticated user follows the link, the page submits a request that edits that user's information in the database.
  • The malicious page is an auto-submitting form that performs a POST request and sends the response to an iframe. The form and iframe are hidden with CSS. See lulz.html included in the repo.
  • GIF Walkthrough:
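An auto-submitting form on another origin works because the browser attaches the session cookie and the server accepts any well-formed POST. The following is an added example, not the Globitek project's code and not a copy of lulz.html: the synchronizer-token pattern, in which the server issues a per-session secret that only a page on its own origin can read back and embed, and refuses any state-changing request that does not carry it. The form field name and the edit_profile.php path are hypothetical.

```php
<?php
// Added example (not the Globitek project's code): a profile-edit page
// protected with a synchronizer token. Field and path names are hypothetical.
declare(strict_types=1);

// SameSite=Lax is a second layer: the cookie is not sent with a cross-site
// POST at all in browsers that honour it. The token check below does not
// depend on it.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

// One unpredictable token per session, stored server-side. A page on another
// origin cannot read it (same-origin policy) and cannot guess 256 random bits.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check itself does not leak the token.
function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A forged cross-site form either omits the field or sends a stale or
    // guessed value; both fail here before any data is changed.
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected.');
    }
    // The application's own update for $_SESSION['user_id'] (for example a
    // prepared UPDATE on the users table) runs only after the check passes.
    exit('Saved.');
}

// GET: render the form with the token embedded as a hidden field. Only a page
// served from this origin, to this session, receives this value.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="/red/public/edit_profile.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  <label>Email <input type="email" name="email"></label>
  <button type="submit">Save</button>
</form>
HTML;
```

The token must be checked on every request that changes state, not only on the form that renders it; a single unprotected handler is enough for the auto-submitting form to target.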

References

  • GIFs made with LiceCap: https://www.cockos.com/licecap/
  • Inspiration drawn from: https://www.owasp.org/index.php/Main_Page

License

Copyright [2017] [Milan Bhatia]

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
