Hacking - Environment - Web - Application - Detail - Developers Report

The security assessment report found several critical vulnerabilities in the Lifestyle store e-commerce website, including: 1. SQL injection vulnerabilities that could allow hackers to steal customer records and gain administrative access. 2. Weak passwords and lack of authentication protecting the administrative interface, allowing hackers to fully control the server. 3. Arbitrary file upload vulnerabilities that could enable hackers to upload malicious code or backdoors to the server. The report provided details on 14 critical vulnerabilities, 10 severe vulnerabilities, and 7 moderate vulnerabilities found, and recommended addressing issues like SQL injection, weak passwords, file uploads and authentication to improve the website's security.

Uploaded by Nikhil Jangra

E-COMMERCE WEBSITE
LIFESTYLE STORE
DETAILED DEVELOPER REPORT
SECURITY STATUS – EXTREMELY VULNERABLE

• Hackers can steal all the records of the Lifestyle store (SQLi)
• Hackers can take control of the complete server, including viewing, adding, editing and deleting files and folders (shell upload and weak passwords)
• Hackers can change the source code of the application to host malware, phishing pages or even explicit content (shell upload)
• Hackers can see the details of any customer (IDOR)
• Hackers can easily access or bypass admin account authentication (brute forcing)
• Hackers can get access to seller details and log in to the website using the "customer of the month" usernames (PII)
• Hackers can change a customer's password, confirm orders and remove items from the customer's cart (CSRF)
VULNERABILITY STATISTICS

Critical: 14    Severe: 10    Moderate: 7    Low: 5

VULNERABILITIES:

S.NO.  SEVERITY   VULNERABILITY                                    COUNT
1      CRITICAL   SQL injection                                    3
2      CRITICAL   Access to admin panel                            1
3      CRITICAL   Arbitrary file upload                            2
4      CRITICAL   Account takeover by OTP bypass                   1
5      CRITICAL   CSRF                                             3
6      SEVERE     Reflected cross site scripting                   1
7      SEVERE     Stored cross site scripting                      1
8      SEVERE     Common password                                  1
9      SEVERE     Component with known vulnerability               3
10     MODERATE   Server misconfiguration                          1
11     MODERATE   Unauthorized access to user details (IDOR)       4
12     MODERATE   Directory listings                               5
13     LOW        Personal Information leakage                     2
14     LOW        Client side and server side validation bypass    1
15     LOW        Default error display                            1
16     LOW        Open redirection                                 2
1. SQL Injection (Critical)

The URLs below in the T-shirt/socks/shoes module are vulnerable to SQL injection.

Affected URL:
• http://15.206.74.73/products.php?cat=1
Affected Parameters:
• cat (GET parameter)
Payload:
• cat=1'

Affected URL:
• http://15.206.74.73/products.php?q=socks
Affected Parameters:
• q (GET parameter)
Payload:
• q=socks'

Other similar SQLi in the application:
Affected URLs:
• http://15.206.74.73/products.php?cat=2
• http://15.206.74.73/products.php?cat=3

Observation
• Navigate to the T-Shirt tab, where a number of T-shirts are listed. Notice the GET parameter cat in the URL.
• We apply a single quote to the cat parameter (products.php?cat=1') and get a complete MySQL error.
• We then append --+ (products.php?cat=1'--+) and the error disappears, confirming SQL injection.
• Now a hacker can inject SQL or use sqlmap to get access to the database.

Proof of Concept (PoC): attacker can dump arbitrary data
• Number of databases: 2
  • information_schema
  • hacking_training_project
• Number of tables: 10
  • brands
  • cart_items
  • categories
  • customers
  • order_items
  • orders
  • product_reviews
  • products
  • sellers
  • user
Business Impact – Extremely High

Using this vulnerability, an attacker can execute arbitrary SQL commands on the Lifestyle store server and gain complete access to the internal databases along with all the customer data inside them.
The previous slide has the screenshot of the users table, which shows user credentials being leaked, and in plain text without any hashing/encryption.
An attacker can use this information to log in to the admin panels and gain complete admin-level access to the website, which could lead to complete compromise of the server and of all other servers connected to it.

RECOMMENDATIONS
• Use whitelists, not blacklists
• Don't trust any user input
• Adopt the latest technologies
• Ensure errors are not user-facing
• Disable/remove default accounts, passwords and databases

References
• https://www.owasp.org/index.php/SQL_Injection
• https://en.wikipedia.org/wiki/SQL_injection
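The following is an added example, not code from the report or from the Lifestyle store application, showing the fix behind the first two recommendations ("whitelists" and "don't trust any user input") for the cat and q parameters. It uses an in-memory SQLite table with constructed sample rows in place of the store's MySQL products table; the function names are assumptions. The unparameterised version reproduces the failure mode the report observed (cat=1' raises a database error), and the hardened versions validate the type of cat and bind both values as query parameters, so the same inputs are handled without a database error.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory catalogue standing in for the store's products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL, category_id INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO products (name, category_id) VALUES (?, ?)",
        [("Plain white T-shirt", 1), ("Graphic T-shirt", 1), ("Ankle socks", 2), ("Running shoes", 3)],
    )
    return conn


def products_by_category_vulnerable(conn, cat):
    """The pattern behind the finding: the raw GET value is pasted into the SQL text.
    cat=1' produces a database syntax error, which the report shows being echoed to the user."""
    sql = "SELECT name FROM products WHERE category_id = " + cat + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def products_by_category(conn, cat):
    """Hardened lookup: validate the type first, then bind the value as a parameter."""
    try:
        category_id = int(cat)
    except (TypeError, ValueError):
        # Reject without echoing a database error; the HTTP layer turns this into a generic 400.
        raise ValueError("cat must be an integer")
    rows = conn.execute(
        "SELECT name FROM products WHERE category_id = ? ORDER BY id", (category_id,)
    )
    return [row[0] for row in rows]


def search_products(conn, q, max_len=64):
    """Hardened search for the q parameter: bound the length, escape LIKE wildcards, bind the pattern."""
    if not isinstance(q, str) or len(q) > max_len:
        raise ValueError("q must be a string of at most %d characters" % max_len)
    escaped = q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY id",
        ("%" + escaped + "%",),
    )
    return [row[0] for row in rows]


def vulnerable_query_errors(conn, cat):
    """True if the unparameterised query raises a database error for this input."""
    try:
        products_by_category_vulnerable(conn, cat)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable query errors on cat=1':", vulnerable_query_errors(db, "1'"))
    print("hardened cat=1:", products_by_category(db, "1"))
    print("hardened q=socks':", search_products(db, "socks'"))
```

The two hardened functions never build SQL from the request value: the database driver sends the value separately from the statement, so a quote in the input is just data. The explicit int() check on cat is the "whitelist" part of the recommendation and also keeps the generic error message free of database details.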
2. Access to admin panel (Critical)

The URL below allows arbitrary file upload and other admin-level changes.

Affected URL:
• http://13.126.196.134/wondercms/loginURL

Observation
• When we navigate to the URL http://13.126.196.134/wondercms/
• we get the password on the page itself and log in as admin at the URL http://13.126.196.134/wondercms/loginURL .

Proof of Concept (PoC)
• Hacker can change the admin password.
• Hacker can also add and delete pages.
• Hacker can upload any malicious file.

Business Impact – Extremely High
• Hacker can do anything with the page; he will have full access to the page and can govern it according to his will.
• It is a massive business risk.
• Loss can be very high.

RECOMMENDATIONS
• The default password should be changed and a strong password must be set up.
• The admin URL must also be such that it is not accessible to normal users.
• Changing the password must require 2- to 3-step verification.

References
• https://www.owasp.org/index.php/Default_Passwords
• https://www.us-cert.gov/ncas/alerts/TA13-175A
3. Arbitrary file upload (Critical)

An attacker can upload shells and other insecure files, gain access to the entire database and log in as the admin; the installed version is also known to have vulnerabilities.

Affected URL:
• http://13.126.196.134/wondercms/
Affected Parameters:
• File Upload (POST parameter)
The attacker can upload files with an extension other than .jpeg.

Affected URL:
• http://13.126.196.134/profile/2/edit/
Affected Parameters:
• Upload Profile Photo (POST parameter)

Observation / Proof of concept
• Weak password: admin.
• Arbitrary File Inclusion.

Business Impact – Extremely High
A malicious user can access the Dashboard, which discloses much critical information of the organization, including:
• Important files
• Passwords
• And much more...

Business Impact – Extremely High
• Any backdoor file or shell can be uploaded to get access to the uploaded file on the remote server, and data can be exfiltrated. The presence of an actual malicious file can compromise the entire system, leading to system takeover / data stealing.

Recommendation
• Change the admin password to something strong and not guessable.
• The application code should be configured so that it blocks the upload of malicious file extensions such as exe/php and other extensions, with thorough server-side as well as client-side validation. CVE ID allocated: CVE-2017-14521.

References
https://www.owasp.org/index.php/Unrestricted_File_Upload
https://www.opswat.com/blog/file-upload-protection-best-practices
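The following is an added example, not the application's or the report's code, of the server-side upload validation the recommendation asks for, written for the profile-photo upload case ("files with an extension other than .jpeg"). The allowed types, size limit and function names are assumptions. Rather than a blocklist of dangerous extensions (exe/php), it applies an allowlist of image extensions, checks that the file content actually starts with the bytes of that image type, and replaces the client-supplied filename with a random server-chosen one so that double extensions and path components in the name never reach the filesystem.

```python
import os
import secrets
from pathlib import PurePosixPath

# Allowed image types, keyed by extension, with the leading bytes a genuine file of that type carries.
ALLOWED_TYPES = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit for a profile photo


class UploadRejected(ValueError):
    """Raised with a short reason that is safe to show to the user."""


def validate_upload(client_filename, data):
    """Return a server-chosen storage name for an acceptable image, or raise UploadRejected.

    Checks, in order: size limit, extension allowlist (only the final suffix is
    considered, so 'shell.php.jpg' is judged as .jpg), and content sniffing
    against the magic bytes for that extension. The client's filename is never
    used for storage.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # basename() drops any directory components the client may have sent
    ext = PurePosixPath(os.path.basename(client_filename)).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("only .jpg, .jpeg or .png images are accepted")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("file content does not match its extension")
    # Random name chosen by the server; the extension is the canonical one for the type
    canonical_ext = ".jpg" if ext == ".jpeg" else ext
    return secrets.token_hex(16) + canonical_ext


def upload_is_rejected(client_filename, data):
    """Convenience wrapper for tests and log review: True if validation rejects the upload."""
    try:
        validate_upload(client_filename, data)
    except UploadRejected:
        return True
    return False


def store_upload(client_filename, data, upload_dir):
    """Validate, then write under upload_dir, which should sit outside the web root and be
    served by a static file handler that never executes scripts."""
    name = validate_upload(client_filename, data)
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```

The magic-byte check is what defeats a PHP file renamed to .jpg: its content starts with `<?php`, not with the JPEG marker. Serving uploads from a directory where script execution is disabled is the second layer, so that even a validation bug cannot turn an uploaded file into a shell.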
Recommendation
Take the following precautions:
• Use a strong password, 8 characters or more in length, with alphanumerics and symbols
• It should not contain personal/guessable information
• Do not reuse passwords
• Disable default accounts and users
• Change all passwords to strong, unique passwords

References:
https://www.owasp.org/index.php/Testing_for_weak_password_change_or_reset_functionalities_(OTG-AUTHN-009)
https://www.owasp.org/index.php/Default_Passwords
https://www.us-cert.gov/ncas/alerts/TA13-175A
4. Account Takeover Using OTP Bypass (Critical)

The login page below allows login via OTP, which can be brute forced.

Affected URL:
• http://13.126.196.134/reset_password/admin.php?otp=
Affected Parameters:
• OTP (POST parameter)

Observation
• Navigate to http://13.126.196.134/reset_password/admin.php?otp= . You will see the user login page via OTP.
• The following request is generated containing the OTP parameter.
• Now we brute force it.
• And we easily got the valid OTP.

POC
• Now a hacker can change the password of the admin dashboard.

Business Impact – Extremely High

A malicious hacker can gain complete access to any account just by brute forcing the OTP. This leads to complete compromise of the personal user data of every customer.
Once logged in, the attacker can carry out actions on behalf of the victim, which could lead to serious financial loss to him/her.

Recommendation
Take the following precautions:
• Use proper rate-limiting checks on the number of OTP verification and generation requests
• Implement anti-bot measures such as reCAPTCHA after multiple incorrect attempts
• OTP should expire after a certain amount of time, like 2 minutes
• OTP should be at least 6 digits and alphanumeric for more security

References:
https://www.owasp.org/index.php/Testing_Multiple_Factors_Authentication_(OWASP-AT-009)
https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
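The following is an added example, not code from the report or the application, implementing the four OTP recommendations together: a 6-character alphanumeric code, a 2-minute expiry, a cap on verification attempts per code, a cap on how many codes can be generated per account in a window, single use, and a constant-time comparison. The class and its limits are assumptions; the clock is injectable so that expiry and rate limits can be exercised without waiting. In a real deployment the code returned by issue() goes only to the user's phone or email, never back in the HTTP response.

```python
import hmac
import secrets
import string
import time

OTP_ALPHABET = string.ascii_uppercase + string.digits   # alphanumeric, as recommended
OTP_LENGTH = 6
OTP_TTL_SECONDS = 120                                   # expires after 2 minutes
MAX_VERIFY_ATTEMPTS = 5                                 # then the code is discarded
MAX_ISSUES_PER_WINDOW = 3                               # generation rate limit per account
ISSUE_WINDOW_SECONDS = 600


class ManualClock:
    """Injectable clock so expiry and rate limits can be tested deterministically."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class OtpService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # account -> {"code", "expires_at", "attempts"}
        self._issued = {}    # account -> timestamps of recent code generations

    def issue(self, account):
        """Create a fresh OTP for the account, subject to the generation rate limit."""
        now = self._clock()
        recent = [t for t in self._issued.get(account, []) if now - t < ISSUE_WINDOW_SECONDS]
        if len(recent) >= MAX_ISSUES_PER_WINDOW:
            raise RuntimeError("too many OTP requests; try again later")
        recent.append(now)
        self._issued[account] = recent
        code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        # A new code replaces any previous one, so only one code is ever valid per account
        self._pending[account] = {"code": code, "expires_at": now + OTP_TTL_SECONDS, "attempts": 0}
        return code

    def verify(self, account, submitted):
        """True only for the current, unexpired code within the attempt budget.
        The code is consumed on success and discarded once the budget is exhausted."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"]:
            del self._pending[account]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"].encode(), submitted.strip().upper().encode())
        if ok or entry["attempts"] >= MAX_VERIFY_ATTEMPTS:
            del self._pending[account]
        return ok


if __name__ == "__main__":
    clock = ManualClock()
    svc = OtpService(clock)
    code = svc.issue("admin")
    print("wrong guess accepted:", svc.verify("admin", "0000000"))
    print("correct code accepted:", svc.verify("admin", code))
    print("replay accepted:", svc.verify("admin", code))
```

With five attempts per code and three codes per ten minutes, an online guess has at most 15 tries per window against a space of 36^6 codes, which is what turns "easily got the valid OTP" into an impractical attack; the report's reCAPTCHA suggestion would sit in front of issue() and verify() once the first limit trips.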
5. CSRF (Critical) – Unauthorised Access to Customer Details

The page below allows you to change the password without verification and to view the details of other customers (CSRF).

Affected URL:
• http://13.126.196.134/profile/change_password.php
Affected Parameters:
• Update button (POST parameter) – we can change the password.

Affected URL:
• http://13.126.196.134/cart/cart.php
Affected Parameters:
• Remove option (POST parameter)

Affected URL:
• http://13.126.196.134/cart/cart.php
Affected Parameters:
• Confirm order option (POST parameter)

Observation
• Here you can see the 7-digit password, but due to CSRF I can change the password at the moment the user wants to update it.
• Here is the file I opened while changing the password; when we click Send, the password changes to 12345.

POC
Here is the PoC code generated by Burp Suite Community Edition.

Observation
• CSRF in cart
• Here you can see an order is placed unwantedly by the user through CSRF.

POC
Here is the PoC code generated by Burp Suite Community Edition.

Business Impact – Very High
• Hacker can change the password of any user.
• Hacker can make the user do unwanted things.
• It makes a very bad impression of the website in front of the user.
• Hacker can remove and confirm orders in the cart of the user.

Recommendation
Take the following precautions:
• Implement an anti-CSRF token.
• Do not show the customers of the month on the login page.
• Use the SameSite flag on cookies.
• Check the source of the request made.
• Take some extra keys or tokens from the user before processing an important request.
• Use 2-factor confirmations like OTP, etc. for critical requests.

References:
https://www.netsparker.com/blog/web-security/csrf-cross-site-request-forgery/
https://digitalguardian.com/blog/how-secure-personally-identifiable-information-against-loss-or-compromise
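The following is an added example, not code from the report or from change_password.php, showing four of the recommendations working together on a password-change handler: a per-session anti-CSRF token, the SameSite flag on the session cookie, a check of the request's source (Origin/Referer), and an extra secret from the user (the current password) before the change is processed. The site hostname, the in-memory session and user store, and all function names are assumptions. The handler returns an HTTP status code so the outcomes can be checked directly.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "shop.example"   # assumed hostname of the store


def session_cookie_header(session_id):
    """Set-Cookie value with the SameSite flag the report recommends (plus HttpOnly/Secure)."""
    return "session=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % session_id


def issue_csrf_token(session):
    """Bind one unguessable token to the server-side session; the form embeds it as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def request_source_allowed(headers):
    """Check the source of the request: Origin (or Referer as fallback) must name our own host.
    Browsers send one of these on cross-site form posts, so a missing header is also rejected."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname == SITE_HOST


def csrf_check(session, headers, form):
    """True only when the submitted token matches the session's token (constant-time)
    and the request originates from this site."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    return request_source_allowed(headers)


def handle_change_password(session, headers, form, credentials):
    """change_password.php equivalent. `credentials` maps username -> current password
    (a real store keeps password hashes; see the common-password section). Returns an HTTP status."""
    if not csrf_check(session, headers, form):
        return 403
    user = session.get("user")
    current = credentials.get(user, "")
    # Extra secret from the user before an important request: the current password
    if not hmac.compare_digest(current.encode(), form.get("current_password", "").encode()):
        return 403
    new_password = form.get("new_password", "")
    if len(new_password) < 8:
        return 400
    credentials[user] = new_password
    return 200
```

The token defeats a page the victim is lured onto, because that page cannot read the token out of the victim's session; the Origin check and SameSite=Lax cookie are independent layers that each stop a cross-site POST on their own, so the handler stays safe if one of them is misconfigured.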
6. Reflected Cross Site Scripting (XSS) (Severe)

The parameters below are vulnerable to reflected XSS.

Affected URL:
• http://13.126.196.134/profile/16/edit/
Affected Parameters:
• address (POST parameter)
Payload:
• <script>alert(1)</script>

Observation
Open the edit-profile page through the URL and enter the script in the address field.

POC

Business Impact – High

As the attacker can inject arbitrary HTML, CSS and JS via the URL, the attacker can put any content on the page, such as phishing pages, install malware on the victim's device and even host explicit content that could compromise the reputation of the organization.
All the attacker needs to do is send the link with the payload to the victim, and the victim would see hacker-controlled content on the website. As the user trusts the website, he/she will trust the content.

Recommendation
Take the following precautions:
• Sanitize all user input and block characters you do not want
• Convert special HTML characters like ' " < > into the HTML entities &#39; &quot; &lt; &gt; before printing them on the website

References:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.w3schools.com/html/html_entities.asp
7. Stored Cross Site Scripting (XSS) (Severe)

The parameters below are vulnerable to stored XSS.

Affected URL:
• http://13.126.196.134/products/details.php?p_id=14
Affected Parameters:
• POST button under Customer Review (POST parameter)
Payloads:
• <script>alert('Hacked')</script>
• <h1>hey</h1>

Observation
Now try entering the payload in the review box.
Hit the Post button; you can see stored (permanent) XSS.

Business Impact – High

As the attacker can inject arbitrary HTML, CSS and JS via the URL, the attacker can put any content on the page, such as phishing pages, install malware on the victim's device and even host explicit content that could compromise the reputation of the organization.
All the attacker needs to do is send the link with the payload to the victim, and the victim would see hacker-controlled content on the website. As the user trusts the website, he/she will trust the content.

Recommendation
Take the following precautions:
• Sanitize all user input and block characters you do not want
• Convert special HTML characters like ' " < > into the HTML entities &#39; &quot; &lt; &gt; before printing them on the website

References:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.w3schools.com/html/html_entities.asp
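The following is an added example, not code from the report or from details.php, covering the shared recommendation of sections 6 and 7: output encoding of the five characters that matter in HTML, applied at render time to the two contexts the report found, the review body (element text) and the profile address field (a quoted attribute value). The template strings and function names are assumptions. Both of the report's stored-XSS payloads are run through it so the result can be inspected.

```python
import re

# The five characters that can change meaning inside HTML text or a quoted attribute
HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def escape_html(text):
    """Encode every special character in one pass (so & is never double-encoded)."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in str(text))


def render_review(author, body):
    """Customer-review template: every dynamic value is escaped at output time, whether it
    lands in element text (<strong>, <p>) or in an attribute (data-author)."""
    return (
        '<div class="review" data-author="%s">'
        "<strong>%s</strong><p>%s</p></div>"
    ) % (escape_html(author), escape_html(author), escape_html(body))


def render_profile_address(address):
    """Edit-profile field: the value lands inside a quoted attribute, where &quot; is what
    stops a value from closing the attribute and starting a new tag."""
    return '<input type="text" name="address" value="%s">' % escape_html(address)


def contains_raw_markup(rendered, untrusted):
    """Review/test helper: True if any tag present in the untrusted input survived verbatim
    in the rendered page, i.e. the output was not encoded."""
    tags = re.findall(r"<[^>]+>", untrusted)
    return any(tag in rendered for tag in tags)


if __name__ == "__main__":
    print(render_review("reviewer", "<script>alert('Hacked')</script>"))
    print(render_review("reviewer", "<h1>hey</h1>"))
    print(render_profile_address('"><script>alert(1)</script>'))
```

Encoding at output, rather than stripping characters on input, is what keeps the stored review text intact for legitimate users (a review can mention "<3" or a product named with an ampersand) while guaranteeing the browser treats it as text; the recommendation's "block characters you do not want" is best applied on top of this for fields that have a genuinely narrow format, such as a phone number.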
8. COMMON PASSWORD (Severe)

The URL below has a weak and very common password.

Affected URL:
• http://13.126.196.134/wondercms/

Observation
• The password is right in front of you.

Business Impact – High
Easy, default and common passwords make it easy for attackers to gain access to accounts and make illegal use of them; after logging into privileged accounts they can harm the website to any extent.

Recommendation
• There should be a password strength check at every creation of an account.
• Passwords must be a minimum of 8 characters long, with a mixture of numbers, alphanumerics, special characters, etc.
• There should be no repetition of a password, neither on change nor on reset.
• The password should not be stored in plain form on the web; rather it should be hashed and then stored.

References:
https://www.acunetix.com/blog/articles/weak-password-vulnerability-common-think/
https://www.owasp.org/index.php/Testing_for_Weak_password_policy_(OTG-AUTHN-007)
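The following is an added example, not code from the report or the application, implementing the password recommendations of this section and of section 3 together: a strength check at account creation (length, character mix, a common-password list, no personal information), salted hashing with PBKDF2-HMAC-SHA256 instead of the plaintext storage seen in the users table, and a reuse check against previous hashes so the same password cannot come back on change or reset. The short common-password list is constructed for the example; a deployment would load a full breached-password list. Function names and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8
# Constructed, deliberately tiny list; load a real breached-password list in production.
COMMON_PASSWORDS = {"admin", "password", "12345678", "qwerty123", "lifestyle", "welcome1"}
PBKDF2_ITERATIONS = 600_000


def password_policy_violations(password, personal_info=()):
    """Return the list of policy rules the candidate breaks; an empty list means acceptable.
    personal_info holds strings such as the username or store name that must not appear."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    for item in personal_info:
        if item and item.lower() in password.lower():
            problems.append("contains personal information (%s)" % item)
    return problems


def hash_password(password, salt=None):
    """Salted, slow hash for storage; the stored string carries everything needed to verify.
    Never store the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(stored, password):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def is_password_reused(password, previous_hashes):
    """True if the candidate matches any earlier hash kept for this account."""
    return any(verify_password(h, password) for h in previous_hashes)


if __name__ == "__main__":
    print(password_policy_violations("admin"))
    record = hash_password("Tr0ub4dor&3xyz")
    print(record[:40] + "...", verify_password(record, "Tr0ub4dor&3xyz"))
```

Because each stored hash has its own random salt, the reuse check has to rehash the candidate once per historical entry; keeping the history short (the last few hashes) keeps that affordable while still preventing the "repetition on change or reset" the recommendation warns about.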
9. Component with known vulnerability (Severe)

• The server used is nginx/1.14.0, which appears to be outdated (current is at least 1.17.3), i.e. it is known to have exploitable vulnerabilities.
• WonderCMS
• Codoforum (Powered by codologic)

Observation
Codologic vulnerability: now you can see that they have a blind SQL injection vulnerability.

POC
Codologic vulnerability: it has multiple SQL injection vulnerabilities. Check the exploit-db link in the references.

Business Impact – High
Exploits for every detected vulnerability are regularly made public, and hence outdated software can very easily be taken advantage of. If an attacker comes to know about this vulnerability, he may directly use the exploit to take down the entire system, which is a big risk.

Recommendation
• Upgrade to the latest version of the affected software/theme/plugin/OS.
• If an upgrade is not possible for the time being, isolate the server from any other critical data and servers.

References:
https://usn.ubuntu.com/4099-1/ (for Ubuntu)
https://www.exploit-db.com/exploits/37820
https://securitywarrior9.blogspot.com/2018/01/vulnerability-in-wonder-cms-leading-to.html
10. Server misconfiguration (Moderate)

The URLs below show server-related info.

Affected URL:
• http://13.126.196.134/server-status
• http://13.126.196.134/server-info

Observation and POC

Recommendation
• Keep the software up to date
• Disable all the default accounts and change passwords regularly
• Develop a strong app architecture and encrypt data which contains sensitive information
• Make sure that the security settings in the framework and libraries are set to secure values
• Perform regular audits and run tools to identify the holes in the system

References
• https://www.ifourtechnolab.com/blog/owasp-vulnerability-security-misconfiguration
11. Unauthorized access to user details (IDOR) (Moderate)

The URL below has a vulnerability through which anyone can see the details of another user.

URL
http://13.233.173.221/generate_receipt/ordered/10
Affected parameter
ordered/10
Payload
http://13.233.173.221/generate_receipt/ordered/11

The URLs below have the same vulnerability: you just have to change the numeric value given in the URLs. They can be seen as customer IDs.
URLs affected:
http://13.127.159.1/orders/orders.php?customer=13/
http://13.127.159.1/profile/16/edit/
http://13.127.159.1/forum/index.php?u=/user/profile/4

Observation
• When we change the payload we can see the receipts of other users or customers.
POC
• Here you can clearly see the receipt of another user.

Business Impact – Extremely High
A malicious hacker can read the bill information and account details of any user just by knowing the customer ID and user ID. This discloses critical billing information of users including:
• Mobile number
• Bill number
• Billing period
• Total number of orders placed by the customer
• Bill amount and breakdown
• Phone number and email address
• Address
This can be used by malicious hackers to carry out targeted phishing attacks on the users, and the information can also be sold to competitors or on the black market. Moreover, as there are no rate-limiting checks, an attacker can brute force the user_id over all possible values and get the bill information of each and every user of the organization, resulting in a massive information leakage.

Recommendation
Take the following precautions:
• Implement proper authentication and authorisation checks to make sure that the user has permission to the data he/she is requesting
• Use proper rate-limiting checks on the number of requests coming from a single user in a small amount of time
• Make sure each user can only see his/her own data

References
• https://www.owasp.org/index.php/Insecure_Configuration_Management
• https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
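The following is an added example, not code from the report or from generate_receipt, showing the three recommendations applied to the receipt and orders endpoints: the customer identity is taken from the authenticated session, the order's owner is compared to it before anything is returned, a non-owned or non-existent order gets the same "not found" result so the endpoint cannot be used to confirm which IDs exist, and a sliding-window limit on requests per user slows down enumeration. The sample orders, limits and class names are constructed assumptions.

```python
import time
from collections import defaultdict, deque


class NotFound(Exception):
    """Maps to HTTP 404 for both 'no such order' and 'not your order', so nothing is confirmed."""


class TooManyRequests(Exception):
    """Maps to HTTP 429 when one user requests receipts faster than the limit."""


# Constructed sample data standing in for the store's orders table.
ORDERS = {
    10: {"customer_id": 13, "amount": 1499.00, "items": ["Graphic T-shirt"]},
    11: {"customer_id": 16, "amount": 899.00, "items": ["Ankle socks"]},
}


class ReceiptService:
    def __init__(self, orders=ORDERS, max_requests=20, window_seconds=60, clock=time.time):
        self._orders = orders
        self._max = max_requests
        self._window = window_seconds
        self._clock = clock
        self._hits = defaultdict(deque)   # customer_id -> timestamps of recent requests

    def _rate_limit(self, customer_id):
        """Sliding window: drop timestamps older than the window, then enforce the cap.
        Failed lookups count too, otherwise enumeration of missing IDs would be free."""
        now = self._clock()
        recent = self._hits[customer_id]
        while recent and now - recent[0] >= self._window:
            recent.popleft()
        if len(recent) >= self._max:
            raise TooManyRequests()
        recent.append(now)

    def get_receipt(self, current_customer_id, order_id):
        """generate_receipt/ordered/<order_id> equivalent with an ownership check.
        current_customer_id comes from the server-side session, never from the URL."""
        self._rate_limit(current_customer_id)
        order = self._orders.get(order_id)
        if order is None or order["customer_id"] != current_customer_id:
            raise NotFound()
        receipt = {"order_id": order_id}
        receipt.update(order)
        return receipt

    def list_my_orders(self, current_customer_id):
        """orders.php equivalent: the result is filtered by the session's customer, so a
        ?customer= parameter in the URL has nothing to override."""
        return sorted(
            oid for oid, order in self._orders.items() if order["customer_id"] == current_customer_id
        )


if __name__ == "__main__":
    svc = ReceiptService()
    print("own receipt:", svc.get_receipt(13, 10))
    try:
        svc.get_receipt(13, 11)
    except NotFound:
        print("order 11 is not visible to customer 13")
```

The ownership test is a single comparison, which is why the fix for IDOR is cheap once every data-access path goes through one function that takes the identity from the session; the profile and forum URLs listed above need the same check on their own identifiers.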
12. Directory Listings (Moderate)

The URLs below disclose server information.

Affected URL:
• http://13.126.196.134/phpinfo.php
• https://13.126.196.134/robots.txt
• http://13.126.196.134/composer.lock
• http://13.126.196.134/composer.json
• http://13.126.196.134/userlist.tx

Observation / POC
• In the above observation you can see that a hacker can go through these directories easily and gather as much information as he/she wants.
• In fact, it also shows some seller accounts.

Business Impact – Moderate
• Although this vulnerability does not have a direct impact on users or the server, it can aid the attacker with information about the server and the users. Information disclosure through default pages is not exploitable in most cases, but is considered a web application security issue because it allows malicious hackers to gather relevant information which can be used later in the attack lifecycle, in order to achieve more than they could without access to such information.

Recommendation
• Disable all default pages
• Enable multiple security checks

References
https://www.netsparker.com/blog/web-security/information-disclosure-issues-attacks/
https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/information-disclosure-phpinfo/
13. Personal Information Leakage (Low)

The URLs below disclose personal information.

Affected URL:
• http://13.127.159.1/static/images/upload/customers/default.png
• http://13.127.159.1/products/details.php?p_id=2

Observation
• Navigate to the mentioned URL
• You can see the whole path where everyone's photo is stored

POC
• If you look at the URL, you will see that we changed it only a little and hit the jackpot: we can see photos uploaded by customers, and much more...

Business Impact – Moderate
Although this vulnerability does not have a direct impact on users or the server, it can help the attacker in mapping the personal information of any account and in planning further attacks on a specific account.

Recommendations
• Apply encryption to the personal data
• Add authentication and authorization checks for access to other users' data

REFERENCES:
https://cipher.com/blog/25-tips-for-protecting-pii-and-sensitive-data/
https://digitalguardian.com/blog/how-secure-personally-identifiable-information-against-loss-or-compromise
14. Client side and server side validation bypass (Low)

In the URL below, we can easily bypass client-side and server-side validation.

Affected URL:
• http://13.126.121.253/profile/16/edit/
Affected parameter:
• Contact Number (POST parameter)
Payload used:
• 123465890000000

Observation
Here we intercepted the request and made changes in the contact number field.

POC
• The mobile number is saved as zero.

Business Impact – Moderate
Incorrect data provided by the user is not a very big issue in itself, but it must still be checked for proper validity.

Recommendations
• Implement all critical checks in server-side code only.
• Client-side checks must be treated as decorative only.
• All business logic must be implemented and checked in the server code.

REFERENCES:
http://projects.webappsec.org/w/page/13246933/Improper%20Input%20Handling
https://www.owasp.org/index.php/Unvalidated_Input
15. Default Messages (Low)

If a specific payload is added to the URL below, default error messages are shown.

Affected URL:
• http://13.126.196.134/?includelang=lang/en.php
Payload:
• en.php' (GET parameter)

Observation & POC
Here we added the payload as shown above and got an error.

Business Impact – Moderate
Although this vulnerability does not have a direct impact on users or the server, it can help the attacker in mapping the server architecture and planning further attacks on the server.

Recommendations
• Do not display the default error messages, because they reveal not only the server software but sometimes also file locations. Whenever there is an error, redirect to the same page or show a manually written error message instead.

REFERENCES:
https://www.owasp.org/index.php/Improper_Error_Handling
16. Open redirection (Low)

In the URLs below we can change the redirection target.

Affected URL:
• http://13.126.196.134/?inclludelang=lang/en.php
• http://13.126.196.134/?inclludelang=lang/fr.php
Payload:
• http://13.126.196.134/?inclludelang=https/www.google.com?lang/en.php

Observation
Here we made changes to the URL according to the payload.

POC
• We are redirected to Google.

Business Impact – Low
An HTTP parameter may contain a URL value and cause the web application to redirect the request to the specified URL; by modifying that value, an attacker can send users to a malicious site.

Recommendations
• Disallow offsite redirects.
• If you have to redirect the user based on URLs, instead of using untrusted input you should always use an ID which is internally resolved to the respective URL.
• If you want the user to be able to issue redirects, you should use a redirection page that requires the user to click on the link instead of just redirecting them.
• You should also check that the URL begins with http:// or https:// and invalidate all other URLs, to prevent the use of malicious URIs such as javascript:

REFERENCES:
https://cwe.mitre.org/data/definitions/601.html
https://www.hacksplaining.com/prevention/open-redirects
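The following is an added example, not code from the report or the application, implementing the first, second and fourth recommendations: the preferred path resolves a short ID (lang_en, lang_fr) to a server-side URL, and a validator for any parameter that still carries a URL accepts only absolute paths on this site or http(s) URLs whose host is the site's own, rejecting javascript: URIs, protocol-relative //host forms and offsite hosts. The site hostname, the ID table and function names are assumptions. The report's own payload and google.com target are included in the checks.

```python
from urllib.parse import urlsplit

SITE_HOSTS = {"shop.example"}   # assumed hostnames of the store
# Preferred approach: the client sends an ID, the server looks up the real target.
REDIRECT_TARGETS = {"lang_en": "/lang/en.php", "lang_fr": "/lang/fr.php", "home": "/"}
DEFAULT_TARGET = "/"


def redirect_for_id(target_id):
    """Resolve an ID to its internal URL; unknown IDs fall back to the home page."""
    return REDIRECT_TARGETS.get(target_id, DEFAULT_TARGET)


def is_safe_redirect_url(url):
    """For legacy parameters that still carry a URL: accept only same-site http(s) URLs
    or absolute paths on this site. Everything else (other schemes, other hosts,
    protocol-relative //host, control characters) is rejected."""
    if not isinstance(url, str) or not url or any(c in url for c in "\r\n\\"):
        return False
    parts = urlsplit(url)
    if parts.scheme:
        # Absolute URL: must be http/https and point at one of our own hosts
        return parts.scheme in ("http", "https") and parts.hostname in SITE_HOSTS
    # No scheme: must be an absolute path here, and not protocol-relative
    return url.startswith("/") and not url.startswith("//")


def safe_redirect(url):
    """Location header value to use: the requested URL if safe, otherwise the home page."""
    return url if is_safe_redirect_url(url) else DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ["/lang/en.php", "https://www.google.com", "javascript:alert(1)",
                      "//www.google.com/", "https/www.google.com?lang/en.php"]:
        print("%-40s -> %s" % (candidate, safe_redirect(candidate)))
```

Checking the parsed hostname rather than the string prefix is what matters: a prefix test such as "starts with https://shop.example" is defeated by https://shop.example.attacker.example, while the parsed host is compared whole. The report's payload (https/www.google.com?lang/en.php) has no scheme and no leading slash, so the validator refuses it and the fallback keeps the user on the site.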
THANK YOU
For any further clarifications/patch assistance, please contact:
9876542123
