Hacking Environment Web Application Updated

The document summarizes vulnerabilities found in the Hacking Environment Web Application. It identifies 17 critical vulnerabilities including: 1. SQL injection vulnerabilities allowing access to all Internshala databases and records. 2. Unauthorized access to the sales dashboard through weak default credentials. 3. Account takeover by bypassing OTP verification through bruteforcing OTP codes. The vulnerabilities identified put customer data at extreme risk and could allow attackers to steal records, host malware, and fully compromise servers. The report provides details on proof of concepts and recommendations to address the issues.

Uploaded by: john carter

Hacking Environment Web Application
Detailed Developer Report
Security Status – Extremely Vulnerable
• Hacker can steal all records in Internshala databases (SQLi)
• Hacker can take control of complete server including View, Add, Edit, Delete files and folders (Shell Upload)
• Hacker can change source code of application to host malware, phishing pages or even explicit content (Shell Upload)
• Hacker can inject client side code into applications and trick users by changing how page looks to steal information or spoil the name of Internshala (XSS)
• Hacker can extract mobile number of all customers using Userid (IDOR)
Vulnerability Statistics
Critical: 17
Severe: 15
Moderate: 2
Low: 2
Vulnerabilities:
No | Severity | Vulnerability | Count
1 | Critical | SQL Injection | 8
2 | Critical | Access to sales dashboard | 1
3 | Critical | Access to admin panel | 1
4 | Critical | Account takeover via OTP Bypass | 2
5 | Critical | Unauthorized Access To Customer Details | 5
6 | Severe | Reflected cross site scripting | 15
7 | Moderate | Directory Listing of Configuration Files | 2
8 | Low | Information disclosure due to Apache Default Pages | 2
1. SQL Injection

Below mentioned URL in the Hogwarts House Details module is vulnerable to SQL injection attack.

SQL Injection (Critical)
Affected URL:
• http://url.com/hogwarts/house_details.php?house=HERE
Affected Parameters:
• house (GET parameter)
Payload:
• house=gryffindor'
1. SQL Injection

Here are other similar SQLi in the application.

SQL Injection (Critical)
Affected URL:
• http://url.com/sql3.php (ID GET parameter)
• http://url.com/sql4.php (jkl POST parameter)
• http://url.com/sql5.php (pqr 5 GET parameter)
• http://url.com/sql6.php (abcd cookie parameter)
• http://url.com/sql7.php (User-agent Header)
• http://url.com/sql8.php (xyz POST parameter)
Observation
• Navigate to Houses page where you will see list of houses. Click any one like Gryffindor. You will see famous people of that house in a table. Notice the GET parameter house in the URL:
Observation
• We apply single quote in house parameter: house_details.php?house=Gryffindor' and we get complete MySQL error:
Observation
• We then put --+ : house_details.php?house=Gryffindor'--+ and the error is removed, confirming SQL injection:
Proof of Concept (PoC)
• Attacker can execute SQL commands as shown below. Here we have used the payload below to extract the database name and MySQL version information:
house=abcd' union select database(),version()--+
PoC – Attacker can dump arbitrary data
• No of databases: 3
  • Information_schema
  • SQL_Injection_V3
  • Test
• No of tables in SQL_Injection_V3: 2
  • Hogwarts
  • Users
Business Impact – Extremely High
Using this vulnerability, attacker can execute arbitrary SQL commands on Lifestyle store server and gain complete access to internal databases along with all customer data inside it.
Below is the screenshot of users table which shows user credentials being leaked, that too in plain text without any hashing/encryption.
Attacker can use this information to login to admin panels and gain complete admin level access to the website which could lead to complete compromise of the server and all other servers connected to it.
1. SQL Injection

Below mentioned URL in the Petunia Flowers – Flower Search module is vulnerable to SQL injection attack.

SQL Injection (Critical)
Affected URL:
• http://url.com/petunia/flowerSearch.php
Affected Parameters:
• Flower (POST parameter)
Payload:
• flower=rose'
PoC – Attacker can dump arbitrary data
• No of databases: 3
  • Information_schema
  • SQL_Injection_V3
  • Test
• No of tables in SQL_Injection_V3: 2
  • Hogwarts
  • Users
• Critical Table: Users
Recommendation
Take the following precautions to avoid exploitation of SQL injections:
• Whitelist User Input: Whitelist all user input for expected data only. For example, if you are expecting a flower name, limit it to alphabets only, up to 20 characters in length. If you are expecting some ID, restrict it to numbers only.
• Prepared Statements: Use SQL prepared statements, available in all web development languages and frameworks, so that an attacker is not able to modify the SQL query.
• Character encoding: If you are taking input that requires you to accept special characters, encode it. Example: convert all ' to \', " to \", \ to \\. It is also suggested to follow a standard encoding for all special characters such as HTML encoding, URL encoding etc.
• Do not store passwords in plain text. Convert them to hashes using SHA1, SHA256, Blowfish etc.
• Do not run Database Service as admin/root user.
• Disable/remove default accounts, passwords and databases.
• Assign each Database user only the required permissions and not all permissions.
References
• https://www.owasp.org/index.php/SQL_Injection
• https://en.wikipedia.org/wiki/SQL_injection
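As an added illustration of the whitelist and prepared-statement advice above (example code written for this report, not code from the tested application), the string-built query behind the house_details finding is shown beside its fixed form. It assumes an in-memory SQLite copy of the Hogwarts and Users tables, so the UNION payload reads the Users table instead of MySQL's database()/version().

```python
import re
import sqlite3

# Constructed sample schema mirroring the table names dumped in the PoC (Hogwarts, Users).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Hogwarts (name TEXT, house TEXT);
        CREATE TABLE Users (username TEXT, password TEXT);
        INSERT INTO Hogwarts VALUES ('Harry Potter', 'gryffindor'), ('Luna Lovegood', 'ravenclaw');
        INSERT INTO Users VALUES ('admin', 'constructed-secret');
        """
    )
    return conn

def house_details_vulnerable(conn: sqlite3.Connection, house: str) -> list:
    # The pattern behind the finding: the GET parameter is pasted into the SQL text,
    # so a quote in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name, house FROM Hogwarts WHERE house = '" + house + "'"
    return conn.execute(sql).fetchall()

# Whitelist from the recommendation: letters only, at most 20 characters.
HOUSE_RE = re.compile(r"[A-Za-z]{1,20}")

def is_valid_house(house: str) -> bool:
    return HOUSE_RE.fullmatch(house) is not None

def house_details_fixed(conn: sqlite3.Connection, house: str) -> list:
    if not is_valid_house(house):
        raise ValueError("house must be 1-20 letters")
    # Prepared statement: the value is bound as data, never interpolated into the query text.
    return conn.execute("SELECT name, house FROM Hogwarts WHERE house = ?", (house,)).fetchall()

def house_details_bound_only(conn: sqlite3.Connection, house: str) -> list:
    # Binding alone already defeats the injection (the quote is just a character);
    # the whitelist above is defence in depth and gives a clean error to the caller.
    return conn.execute("SELECT name, house FROM Hogwarts WHERE house = ?", (house,)).fetchall()
```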
2. Access to Sales Dashboard

The Sales dashboard at the below mentioned URL has default/weak password allowing complete admin access.

Access to Sales Dashboard (Critical)
Affected URL:
• http://url.com/salesdashboard.php
Affected Parameters:
• Username, password (POST parameters)
Payload:
• Username=admin password=sales@123
Observation
• Navigate to http://url.com/salesdashboard.php. You will see sales admin login page.
Observation
• Enter username: admin & password: sales@123. You will get logged in to the admin panel.
Business Impact – Extremely High
A malicious user can access the Sales Dashboard which discloses much critical information of the organization including:
• Sales Trends
• Client information
• Leads information
• Sales Calendar information
• Income and revenue information
• And much more…
POC (screenshots)
Recommendation
Take the following precautions:
• Use a strong password, 8 characters or more in length, with alphanumerics and symbols
• It should not contain personal/guessable information
• Do not reuse passwords
• Disable default accounts and users
• Change all passwords to strong unique passwords

References:
https://www.owasp.org/index.php/Testing_for_weak_password_change_or_reset_functionalities_(OTG-AUTHN-009)
https://www.owasp.org/index.php/Default_Passwords
https://www.us-cert.gov/ncas/alerts/TA13-175A
3. Account Takeover Using OTP Bypass

The below mentioned login page allows login via OTP which can be bruteforced.

Account Takeover Using OTP Bypass (Critical)
Affected URL:
• http://url.com/login_via_OTP.php
Affected Parameters:
• OTP (POST parameter)
3. Account Takeover Using OTP Bypass

Similar issue is observed on the below mentioned login pages too.

Account Takeover Using OTP Bypass (Critical)
Affected URL:
• http://url.com/admin/login_via_OTP.php
Affected Parameters:
• code (POST parameter)
Observation
• Navigate to http://url.com/login_via_OTP.php. You will see user login page via OTP. Enter victim's mobile number while capturing requests in a local proxy and click Get OTP.
Observation
• Following request will be generated containing OTP parameter.
Observation
• We shoot the request with all possible combinations of 4 Digit OTPs and upon a successful hit, we get a response containing user details. We can use the same OTP then to login.
Business Impact – Extremely High
A malicious hacker can gain complete access to any account just by knowing the registered phone number. This leads to complete compromise of personal user data of every customer.
Once logged in, the attacker can then carry out actions on behalf of the victim, which could lead to serious financial loss to him/her.
Recommendation
Take the following precautions:
• Use proper rate-limiting checks on the number of OTP verification and generation requests
• Implement anti-bot measures such as ReCAPTCHA after multiple incorrect attempts
• OTP should expire after a certain amount of time, like 2 minutes
• OTP should be at least 6 digits and alphanumeric for more security

References:
https://www.owasp.org/index.php/Testing_Multiple_Factors_Authentication_(OWASP-AT-009)
https://www.owasp.org/index.php/Blocking_Brute_Force_Attacks
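The following is an added example (not the application's code) of how the first, third and fourth recommendations above combine in one OTP service: 6-character alphanumeric codes, a 2-minute expiry, a cap on verification attempts per code and a cap on OTP sends per number. The concrete limits, the in-memory store and the injectable clock are assumptions made for this illustration.

```python
import hmac
import secrets
import string
import time

OTP_ALPHABET = string.ascii_uppercase + string.digits  # 6-char alphanumeric, as recommended
OTP_LENGTH = 6
OTP_TTL_SECONDS = 120        # expiry: 2 minutes
MAX_VERIFY_ATTEMPTS = 5      # rate limit on verification per issued code (assumed value)
MAX_SENDS_PER_WINDOW = 3     # rate limit on OTP generation per number (assumed value)
SEND_WINDOW_SECONDS = 600

class OtpService:
    """In-memory OTP issuer/verifier; a real deployment would back this with a shared store."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}    # mobile -> [code, expires_at, attempts_left]
        self._send_log = {}   # mobile -> timestamps of recent sends

    def generate(self, mobile: str) -> str:
        """Issue a fresh OTP for a number, refusing once the send quota for the window is used up."""
        now = self._now()
        sends = [t for t in self._send_log.get(mobile, []) if now - t < SEND_WINDOW_SECONDS]
        if len(sends) >= MAX_SENDS_PER_WINDOW:
            raise PermissionError("too many OTP requests for this number")
        sends.append(now)
        self._send_log[mobile] = sends
        code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
        self._pending[mobile] = [code, now + OTP_TTL_SECONDS, MAX_VERIFY_ATTEMPTS]
        return code  # goes to the SMS gateway only, never into the HTTP response

    def verify(self, mobile: str, submitted: str) -> bool:
        """Each call burns one attempt; the code dies on expiry, on success, or after too many failures."""
        entry = self._pending.get(mobile)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[mobile]
            return False
        entry[2] -= 1
        if hmac.compare_digest(code, submitted):   # constant-time comparison
            del self._pending[mobile]              # single use
            return True
        if entry[2] == 0:
            del self._pending[mobile]              # locked out: a new OTP must be requested
        return False
```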
4. Unauthorised Access to Customer Details

The Show My Bill module suffers from an Insecure Direct Object Reference (IDOR) that allows an attacker to get access to anyone's Bill details.

Unauthorised Access to Customer Details (Critical)
Affected URL:
• http://hackingenv.internshala.com/Insecure-Direct-Object-Reference/GET-Based-IDOR-in-URL-Variant-1/bill.php
Affected Parameters:
• user_id (GET parameter)
4. Unauthorised Access to Customer Details

Similar issue is found on below modules too.

Unauthorised Access to Customer Details (Critical)

Affected URL:
• http://url/invoice.php
Affected Parameters:
• invoice_id (GET parameter)

Affected URL:
• http://url/call_history.php
Affected Parameters:
• mobile_no (POST parameter)

Affected URL:
• http://url/recharge.php
Affected Parameters:
• from_accountno (POST parameter)

Affected URL:
• http://url/sms_history.php
Affected Parameters:
• mobile_no (GET parameter)
Observation
• Login to your account and navigate to Bill page on http://hackingenv.internshala.com/Insecure-Direct-Object-Reference/GET-Based-IDOR-in-URL-Variant-1/ and click on Show My Bill button.
Observation
• Your bill will be shown to you like below. Notice the URL: http://hackingenv.internshala.com/Insecure-Direct-Object-Reference/GET-Based-IDOR-in-URL-Variant-1/bill.php?user_id=1438
• It contains user_id of our user and we get bill details of our user's mobile number: 9876855654
Observation
• We change this user_id from 1438 to 1439 and we get bill information of a different user with mobile number: 9976543119
Business Impact – Extremely High
A malicious hacker can read bill information of any user just by knowing the User ID. This discloses critical billing information of users including:
• Mobile Number
• Bill Number
• Billing Period
• Bill Amount and Breakdown

This can be used by malicious hackers to carry out targeted phishing attacks on the users, and the information can also be sold to competitors/black market.

Moreover, as there are no rate-limiting checks, an attacker can bruteforce the user_id for all possible values and get bill information of each and every user of the organization, resulting in a massive information leakage.

Other IDORs on the application are leaking much more information including Payment details and call history, and even allow an attacker to recharge his mobile number deducting money from anyone else's account, which can be used to steal money from users.

As a PoC, Bill details of 100 users are dumped in the attached excel file below:
Recommendation
Take the following precautions:
• Implement proper authentication and authorisation checks to make sure that the user has permission to the data he/she is requesting
• Use proper rate limiting checks on the number of requests coming from a single user in a small amount of time
• Make sure each user can see only his/her own data.

References:
https://www.owasp.org/index.php/Insecure_Configuration_Management
https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
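Added example (not the application's own code) of the authorisation check recommended above, applied to the Show My Bill case: the vulnerable lookup returns whatever user_id is requested, the fixed one returns a bill only when the logged-in user owns it or holds an assumed billing_admin role, and the last variant takes no user_id from the request at all. The bill records and role table are constructed; the two user IDs and mobile numbers are those from the observations above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bill:
    user_id: int
    mobile_no: str
    bill_number: str
    amount: float

# Constructed sample data: user IDs and mobile numbers from the observation slides,
# bill numbers and amounts made up for this example.
BILLS = {
    1438: Bill(1438, "9876855654", "B-0001", 499.0),
    1439: Bill(1439, "9976543119", "B-0002", 899.0),
}
# Assumed role table; 7 is a staff account allowed to read any bill.
ROLES = {1438: "customer", 1439: "customer", 7: "billing_admin"}

class Forbidden(Exception):
    """Raised when the session user is not allowed to see the requested object."""

def show_bill_vulnerable(requested_user_id: int) -> Bill:
    # The pattern behind the finding: the bill for any user_id in the URL is returned,
    # regardless of who is logged in.
    return BILLS[requested_user_id]

def show_bill_fixed(session_user_id: int, requested_user_id: int) -> Bill:
    """Object-level authorisation: owner or billing_admin only, checked before the lookup."""
    is_owner = session_user_id == requested_user_id
    is_admin = ROLES.get(session_user_id) == "billing_admin"
    if not (is_owner or is_admin):
        raise Forbidden(f"user {session_user_id} may not view bill of user {requested_user_id}")
    bill = BILLS.get(requested_user_id)
    if bill is None:
        raise KeyError(f"no bill for user {requested_user_id}")
    return bill

def show_my_bill(session_user_id: int) -> Bill:
    """Preferred shape for a 'my bill' page: the key comes from the session, so there is
    no client-controlled identifier to tamper with."""
    return BILLS[session_user_id]
```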
5. Reflected Cross Site Scripting (XSS)

Below mentioned parameters are vulnerable to reflected XSS.

Reflected Cross Site Scripting (Severe)
Affected URL:
• hackingenv.internshala.com/Cross-Site-Scripting/Temporary-XSS-Variant-1/hello.php
Affected Parameters:
• user_name (GET parameter)
Payload:
• <script>alert(1)</script>
5. Reflected Cross Site Scripting (XSS)

Similar issue is found on below modules too.

Reflected Cross Site Scripting (Severe)

Affected URL:
• http://hackingenv.internshala.com/Cross-Site-Scripting/Temporary-XSS-Variant-2/xss/testing*
Affected Parameters:
• URL – anything after testing
Payload:
• <body onload=alert(1)>

Affected URL:
• http://hackingenv.internshala.com/Cross-Site-Scripting/Temporary-XSS-Variant-4/
Affected Parameters:
• url (POST parameter)
Payload:
• " onload="alert(1)
Observation
• Navigate to hackingenv.internshala.com/Cross-Site-Scripting/Temporary-XSS-Variant-1/hello.php. You will see a field to enter some text.
Observation
• Enter any text and click the button; you will see it reflected in the next page and the value will be in GET parameter user_name.
Observation
• Put the payload instead of asd: <script>alert(1)</script>
• As you can see, we executed custom JS causing a popup.
PoC (screenshots)
Business Impact – High
As an attacker can inject arbitrary HTML, CSS and JS via the URL, the attacker can put any content on the page like phishing pages, install malware on victim's device and even host explicit content that could compromise the reputation of the organization.

All the attacker needs to do is send the link with the payload to the victim, and the victim would see hacker controlled content on the website. As the user trusts the website, he/she will trust the content.
Recommendation
Take the following precautions:
• Sanitise all user input and block characters you do not want
• Convert special HTML characters like ' " < > into HTML entities &quot; %22 &lt; &gt; before printing them on the website

References:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.w3schools.com/html/html_entities.asp
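As an added example (not the application's code) of the entity-encoding advice above, the reflected hello.php pattern is shown beside a version that passes user_name through Python's html.escape, which maps & < > " ' to &amp; &lt; &gt; &quot; &#x27;. The attribute-context helper is an assumed rendering of the Variant-4 url parameter; escaping protects it only because the attribute value is quoted.

```python
import html

def hello_page_vulnerable(user_name: str) -> str:
    # The pattern behind the finding: the GET parameter is reflected into the HTML unchanged,
    # so <script>alert(1)</script> becomes part of the page's markup.
    return f"<html><body><h1>Hello {user_name}</h1></body></html>"

def hello_page_fixed(user_name: str) -> str:
    # Output encoding at the point of printing: html.escape(quote=True) turns
    # & < > " ' into &amp; &lt; &gt; &quot; &#x27;, so the browser renders them as text.
    return f"<html><body><h1>Hello {html.escape(user_name, quote=True)}</h1></body></html>"

def image_tag_fixed(url: str) -> str:
    """Attribute context (the Variant-4 'url' parameter, rendering assumed): with the
    quote escaped, a payload like  " onload="alert(1)  can no longer close the
    src attribute and start a new one. The attribute must itself be quoted."""
    return f'<img src="{html.escape(url, quote=True)}" alt="">'

def is_reflected_unescaped(page: str, payload: str) -> bool:
    """Cheap regression guard for templates: does the raw payload survive in the output?"""
    return payload in page
```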
6. Directory Listing

Below mentioned URLs have directory listing enabled.

Directory Listing (Moderate)
Affected URL:
• http://URL1/backup/
• http://url2/profile_pictures/
Observation
• Navigate to http://URL1/backup/
• Complete listing of directory is shown containing month wise HTML backups of the website
Observation
• Navigate to http://URL2/profile_pictures/
• Complete listing of directory is shown containing profile pictures of all users on the website
Business Impact – Moderate
Although this vulnerability does not have a direct impact on users or the server, it can aid the attacker with information about the server and the users.

Also, an attacker can simply download the backups and images and view them.
Recommendation
Take the following precautions:
• Disable Directory Listing
• Put an index.html in all folders with default message

References:
https://cwe.mitre.org/data/definitions/548.html
https://www.netsparker.com/blog/web-security/disable-directory-listing-web-servers/
7. Information Disclosure

Below mentioned URLs disclose server information.

Information Disclosure due to Apache Info Pages (Low)
Affected URL:
• http://URL/server-status
• http://URL/server-info
Observation
• Navigate to mentioned URL
• Default server-status page opens which discloses server information
Observation
• server-info page
Business Impact – Moderate
Although this vulnerability does not have a direct impact on users or the server, it can help the attacker in mapping the server architecture and plan further attacks on the server.
Recommendation
Take the following precautions:
• Disable all default pages and folders including server-status and server-info

References:
https://vuldb.com/?id.88482
https://httpd.apache.org/docs/current/mod/mod_status.html
https://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_apache_http_server_httponly_cookie_information_disclosure
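An added configuration fragment (not taken from the tested server) showing how the directory-listing recommendation in section 6 and the server-status/server-info recommendation above are applied in Apache httpd 2.4, which the Apache default pages finding implies is in use. The DocumentRoot path is a placeholder.

```apache
# Section 6: turn off automatic directory indexes for everything under the document root.
# With no index.html present, Apache then returns 403 instead of listing the folder.
<Directory "/var/www/html">
    Options -Indexes
</Directory>

# Section 7: the mod_status / mod_info handlers are usually enabled by a distribution's
# default config. Either unload the modules (Debian/Ubuntu: a2dismod status info) or,
# if the status page is needed for monitoring, restrict it to the local host.
<Location "/server-status">
    SetHandler server-status
    Require local
</Location>
<Location "/server-info">
    Require all denied
</Location>

# Belt and braces: hide version details from error pages and headers.
ServerTokens Prod
ServerSignature Off
```

After changing the config, run apachectl configtest, reload, and re-request /backup/, /server-status and /server-info from outside the host to confirm they now return 403.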
THANK YOU
For any further clarifications/patch assistance, please contact:
9876542123
