
Security Master Course

Squalli Rhita
squallirhita@gmail.com

URL used for exam: http://34.78.194.100:5000/

Table of contents

I. Vulnerability: SQL injection (Observation, Exploit, Mitigation)
II. Vulnerability: Stored cross-site scripting (Observation, Exploit, Mitigation)
III. Vulnerability: Insecure file upload, extension (Observation, Exploit, Mitigation)
IV. Vulnerability: Insecure file upload, size (Observation, Exploit, Mitigation)
V. Vulnerability: LFI (Observation, Exploit, Mitigation)
VI. Vulnerability: Server Side Template injection (Observation, Exploit, Mitigation)
VII. Vulnerability: DES-YAML (Observation, Exploit, Mitigation)
VIII. Vulnerability: CORS (Observation, Exploit, Mitigation)
IX. Vulnerability: Sensitive information in URL (Observation, Exploit, Mitigation)
X. Vulnerability: External entity attack (Observation, Exploitation, Mitigation)
XI. Vulnerability: Missing authentication / authorization (Observation, Exploit, Mitigation)
XII. Vulnerability: Session cookie is forgeable (Observation, Exploit, Mitigation)
XIII. Vulnerability: Username enumeration (Observation, Exploit, Mitigation)
XIV. Vulnerability: Vulnerable libraries (Observation, Exploit, Mitigation)
XV. Vulnerability: Obscure backdoor (Observation, Exploit, Mitigation)
XVI. Vulnerability: Tabnabbing (Observation, Exploit, Mitigation)
XVII. Vulnerability: Weak hashing method for (Observation & exploitation, Mitigation)

3
I. Vulnerability: SQL injection

Observation:
An SQL injection happens when SQL fragments typed into an input field are inserted into an SQL statement and executed by the database.

When we inject a single quote, the application throws an error that reveals the query it builds:
cur = db.execute('SELECT * FROM users where userid='+str(userid))

Let's inject the always-true condition " and 1=1" to see whether we can manipulate the SQL statement: bingo!

Exploit:
As shown in the observation, the application is vulnerable to SQL injection.
Let's inject a UNION SELECT to read information from the database.

- The UNION operator combines the result sets of two SELECT statements, so every SELECT within the UNION must return the same number of columns.
- Let's inject union select 1, 2, ..., x-1, x, increasing x until we no longer get an error page. That x is the number of columns returned by the first SELECT of the UNION.

In our case we no longer get an error page when x = 10.

Let's query sqlite_master to find the name of the password field.

- Let's read the logins and passwords from the table by using:
Union select 1,2,username,4,5,6,password,8,9,FullName from users

- We google the hash and get the password: iamgod

- Let's read the other logins and passwords by appending limit 1,1 / limit 2,1 / limit 3,1 to the union.

- limit 4,1 displays nothing, so there are 4 users:

user       password   fullname
Admin      iamgod     Glenn ten Cate
Moderator  letmein    Riccardo ten Cate
Test       test       test test
John92     Password   John Doe

Mitigation:
SQL injection can be prevented by:

1- replacing the concatenated query above with prepared statements (parameterized queries), so that the user value is bound as data instead of being pasted into the SQL text;

2- validating the input:

import re
from flask import request, render_template

def validate_input():
    value = request.form['string']
    # Accept only short, purely alphanumeric values; anything else is an error.
    if len(value) < 9:
        if re.fullmatch(r'[0-9a-zA-Z]*', value):
            return render_template('ok')
        return render_template('error')
    return render_template('error')
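As an added example (not the report's or the exam application's own code), here is the concatenated query from the observation beside its parameterized replacement, run against a constructed in-memory SQLite table: the bound parameter is compared as data, so the same "1 or 1=1" input that returns every row from the vulnerable query returns nothing from the fixed one.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the exam app's users table (no real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (userid INTEGER, username TEXT, FullName TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "Admin", "Glenn ten Cate"),
        (2, "Test", "test test"),
    ])
    return db


def lookup_vulnerable(db, userid):
    # The report's pattern: the input is concatenated into the SQL text,
    # so a value such as "1 or 1=1" changes the query itself.
    cur = db.execute('SELECT * FROM users where userid=' + str(userid))
    return cur.fetchall()


def lookup_fixed(db, userid):
    # Prepared statement: the SQL text is fixed and the value is bound as a
    # parameter, so "1 or 1=1" is compared literally with userid and matches nothing.
    cur = db.execute('SELECT * FROM users WHERE userid = ?', (userid,))
    return cur.fetchall()


def lookup_strict(db, userid):
    # Defence in depth: validate the type as well before the query runs.
    if not isinstance(userid, int):
        try:
            userid = int(str(userid).strip())
        except ValueError:
            return []
    return lookup_fixed(db, userid)
```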

II. Vulnerability: Stored cross-site scripting


Observation:
- In the website we found an input box that holds a LinkedIn link:
- If we enter another website, google for example, we can see that there is a stored cross-site scripting vulnerability.
- When we send the form, the LinkedIn URL is changed.

Exploit:
As seen in the observation, the user input is reflected in the href.
We insert JavaScript code in the input text field instead of a URL: javascript:alert('i can be a pop-up')

Mitigation:
XSS in the href can be prevented by:

1- checking that our input starts with http or https:

2- a server-side whitelist of allowed domains.
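Both mitigations combined, as an added example that is not the report's or the application's code: the link is accepted only if it is an absolute http(s) URL on an assumed allowlist of hosts (the javascript: payload fails the scheme check), and the accepted value is attribute-escaped before it is placed in the href. The rel="noopener noreferrer" attribute also covers the tabnabbing case discussed later in the report.

```python
from html import escape
from urllib.parse import urlsplit

# Assumed allowlist of hosts a profile link may point to (the report's "server whitelist")
ALLOWED_HOSTS = {"linkedin.com", "www.linkedin.com"}


def is_safe_profile_link(value, allowed_hosts=ALLOWED_HOSTS):
    """True only for an absolute http(s) URL whose host is on the allowlist.

    The scheme check alone rejects javascript:, data: and vbscript: values
    such as javascript:alert('i can be a pop-up'); the host check stops the
    stored link from pointing at an arbitrary site.
    """
    if not isinstance(value, str):
        return False
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return bool(host) and host in allowed_hosts


def render_link(value):
    """Return the <a> markup for a validated link, or an empty string.

    Validation decides whether the value may be a link at all; escaping then
    makes sure the value cannot break out of the href attribute.
    """
    if not is_safe_profile_link(value):
        return ""
    safe = escape(value.strip(), quote=True)
    return '<a href="%s" rel="noopener noreferrer">LinkedIn</a>' % safe
```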

III. Vulnerability: Insecure file upload, extension


Observation:
In edit profile we can upload a txt file instead of an image, giving it the regular extension of an image.

The application accepts the file:

Exploit:
- We can upload a malicious file.

Mitigation:
- Check the file extension, scan the file for viruses and verify its actual type (content).

IV. Vulnerability: Insecure file upload, size


Observation:
In edit profile we can upload a very big image.

Exploit:
- We can upload very large files and consume memory.

Mitigation:
- Validate the input: enforce a maximum size and check the extension, etc.
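One upload check covering both the extension finding (III) and the size finding (IV), as an added example that is not the application's code. The limit, the allowed extensions and the magic-byte table are assumptions for the example; the point is that a txt file renamed to .png fails the content check even though its extension is allowed.

```python
import os
import re

# Policy values assumed for this example; the report names the checks but not the limits
MAX_UPLOAD_BYTES = 2 * 1024 * 1024
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
# Magic bytes: the content must match the claimed image type, not only the name
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def validate_upload(filename, data):
    """Return (ok, reason) for an uploaded file name and its bytes."""
    # Size first: reject oversized bodies before looking at anything else
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if len(data) == 0:
        return False, "empty file"
    # Drop any directory part the client sent and refuse odd names
    base = os.path.basename(filename.replace("\\", "/"))
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", base) or base.startswith("."):
        return False, "invalid filename"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    # A .txt renamed to .png has no PNG signature and is rejected here
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"
```

In Flask the size limit is also enforced before the handler runs by setting app.config["MAX_CONTENT_LENGTH"], which makes the framework reject larger request bodies.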

V. Vulnerability: LFI
Observation:
A Local File Inclusion attack tricks the application into exposing or running files on the server.
When we want to add a company:

We see that when we click on send, the server loads the file company.xml, as shown in the code:

Exploit:
- By inspecting the code in the browser window, we can change the file name company.xml to ../../../../../../etc/passwd to download the contents of passwd instead of company.xml:

Now we can download the file passwd by clicking on send:

Bingo, we can access the content of passwd:

Mitigation:
- Validate the input: remove ../ sequences and enforce the expected extension.
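The mitigation above as an added example (not the application's code): the user value is reduced to a bare file name, restricted to .xml, and resolved with os.path.realpath so that the final path is checked to lie inside an assumed template directory even if a symlink is involved. Stripping ../ alone is weaker, because ....// style inputs collapse back into a traversal after one pass.

```python
import os

# Assumed directory holding the application's XML templates such as company.xml
TEMPLATE_DIR = "/srv/app/templates"


def safe_template_path(user_value, base_dir=TEMPLATE_DIR):
    """Map a user-supplied template name to a file strictly inside base_dir.

    Returns the resolved path, or None when the value is rejected: traversal
    such as ../../../../../../etc/passwd, absolute paths, NUL bytes and any
    name that is not a .xml file.
    """
    if not isinstance(user_value, str) or "\x00" in user_value:
        return None
    # Keep only the final component: ../../../../etc/passwd.xml -> passwd.xml
    name = os.path.basename(user_value.replace("\\", "/"))
    if not name or name in (".", "..") or not name.lower().endswith(".xml"):
        return None
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, name))
    # After resolving symlinks the file must still be below the template directory
    if os.path.commonpath([base, full]) != base:
        return None
    return full
```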

VI. Vulnerability: Server Side Template injection


Observation:
In the screenshot below we find that the Python version is "xxxx" and the server is "Werkzeug".

This indicates that the web application might be running Python Flask, and Flask renders its pages with Jinja2.

Let's inject a mathematical expression: {{ 8 + 1 }}

The {{ 1 + 1 }} is interpreted and executed on the server side, displaying login9.

Exploit:
To exploit this vulnerability, let's inject something useful for Jinja2, for example {{ config.items() }} to display the configuration.

Mitigation:

To block this vulnerability we should use a proper design:

- Separate the HTML template part and store it with the other templates.
- When we need to call it, we pass variables to it (the HTML code is then displayed to the user).
- Prioritization of the application

VII. Vulnerability: DES-YAML
Observation:
When we click on config and then on Rest server config, we notice that the application uses a YAML serialised object to display the content in the HTML.

In the code we notice a base64 string:

We can decode the string using the CyberChef tool:


ZGlzdDogdHJ1c3R5Cmxhbmd1YWdlOiBweXRob24Kc3VkbzogZmFsc2UKcHl0aG9uOiAiMy42IgoKbm90a
WZpY2F0aW9uczoKLSBvbl9zdWNjZXNzOiBhbHdheXMgIAotIG9uX2ZhaWx1cmU6IGFsd2F5cyAgCi0gb2
5fc3RhcnQ6IG5ldmVy

Decoded, we find:
dist: trusty
language: python
sudo: false
python: "3.6"

notifications:
- on_success: always
- on_failure: always
- on_start: never

Exploit:
Let's use:
sudo: !!python/object/apply:subprocess.check_output ['whoami']

Encoded in base64:
c3VkbzogISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuY2hlY2tfb3V0cHV0IFsnY2F0IC9ldGMvcGFzc3dkJ10=

The app displays the result of whoami: app

Mitigation:
- We should use SafeLoader in the Python file: content = yaml.load(yaml_file, Loader=yaml.SafeLoader)

VIII. Vulnerability: CORS
Observation:

In this window:

We intercept the traffic from the application and notice that it uses an insecure configuration: the '*' wildcard as the value of the Access-Control-Allow-Origin header, which means all domains are allowed.

Exploit:
We can replace the '*' by our evilsite.
Now our evilsite can make the malicious XHR GET request.

Mitigation:
We change the '*':

to a whitelist:
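The whitelist mitigation as an added example (not the application's code): instead of '*', the request's Origin is echoed back only when it matches an assumed allowlist exactly, so an origin such as https://app.example.com.evilsite.example or "null" gets no CORS headers and the browser refuses to hand the response to the page.

```python
from urllib.parse import urlsplit

# Assumed allowlist for the example; the report only says "a whitelist"
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Compute the CORS response headers for one request's Origin header.

    Returns an empty dict (no CORS headers at all) for a missing, malformed
    or non-allowlisted origin; never returns the '*' wildcard.
    """
    if not request_origin or not isinstance(request_origin, str):
        return {}
    parts = urlsplit(request_origin.strip())
    # A real Origin is just scheme://host[:port]; anything else is refused
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return {}
    if parts.path or parts.query or parts.fragment:
        return {}
    normalised = "%s://%s" % (parts.scheme, parts.netloc.lower())
    if normalised not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": normalised,
        # Caches must not serve one origin's answer to another origin
        "Vary": "Origin",
        "Access-Control-Allow-Credentials": "true",
    }
```

In Flask this would be applied from an after_request hook that reads request.headers.get("Origin") and merges the returned dict into response.headers.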

IX. Vulnerability: Sensitive information in URL

Observation:
When we log in as Admin and enter a wrong password, we can see that the login and password are displayed in the URL:

Exploit:
Now we log in as Admin with the right password, intercept the request with Burp and send it to the Repeater:

Mitigation:
To fix this vulnerability we should encrypt the data and not allow the application to display it in the URL, and change the method from GET to POST in login.py and index.html.
X. Vulnerability: External entity attack
Observation:
In this window we can observe that we can upload a file and display its content:

We upload a file like the template shown in the screenshot.

When we click on upload, the application displays the content of the file:

Exploitation:
Let's add the external entity injection tags, as in the file below, and upload it to display the content of passwd:

Mitigation:
The safest way to prevent XXE is always to disable DTDs (external entities) completely; how to do so depends on the parser.

XI. Vulnerability: Missing authentication / authorization

Observation:
When we log out and go to company/new, we see that we can add a new company without being logged in.

Exploit:
A malicious user can add a company and store information in it without any control.

Mitigation:
The application should verify that a session exists before allowing a user to add a new company.

XII. Vulnerability: Session cookie is forgeable

Observation:
We log in as Admin, intercept the request with Burp and read the session cookie value.

Exploit:
To exploit, we log in as Test, intercept the request with Burp and replace the session id in the cookie with the Admin's session: the user Test is now connected as Admin, as shown in the screenshot:

Mitigation:
Use
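The mitigation line above is cut off in the report. As an added example of one standard approach (not the report's or the application's code): the session id is a 256-bit random value that cannot be guessed or derived from the username, it is kept in a server-side store, and the cookie carries an HMAC signature under an assumed server secret so that a fabricated or edited value fails verification. This stops forging; a cookie that has already been captured still needs the Secure, HttpOnly and SameSite attributes and TLS to protect it.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret; in production load it from configuration, never hard-code it
SECRET_KEY = secrets.token_bytes(32)
# In-memory session store for the example: session id -> username
SESSIONS = {}


def _sign(session_id, key=SECRET_KEY):
    return hmac.new(key, session_id.encode("ascii"), hashlib.sha256).hexdigest()


def create_session(username):
    """Issue a cookie value 'id.signature' with a fresh random id."""
    session_id = secrets.token_urlsafe(32)   # url-safe base64, never contains '.'
    SESSIONS[session_id] = username
    return "%s.%s" % (session_id, _sign(session_id))


def resolve_session(cookie_value):
    """Return the username for a valid cookie, or None if forged or unknown."""
    if not isinstance(cookie_value, str) or cookie_value.count(".") != 1:
        return None
    session_id, signature = cookie_value.split(".", 1)
    # Constant-time comparison so timing does not leak signature bytes
    if not hmac.compare_digest(signature, _sign(session_id)):
        return None
    return SESSIONS.get(session_id)


def logout(cookie_value):
    """Revoke a valid session server-side; returns True if one was revoked."""
    if resolve_session(cookie_value) is None:
        return False
    SESSIONS.pop(cookie_value.split(".", 1)[0], None)
    return True
```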

XIII. Vulnerability: Username enumeration
Observation:
When we enter a random username, the application displays the error message "invalid username".

Exploit:
When we enter an existing login, the application displays Admin:

We get the error message "invalid password for username", so the username Admin exists.

Mitigation:

We change the error message in the file Login.py:

to: invalid username or password

XIV. Vulnerability: Vulnerable libraries
Observation:
In the code of monitoring.py we find the import of the os library:

Exploit:
We go to the monitoring page and see that this library displays sensitive information, as in the second screenshot:

Mitigation:
We should define a whitelist of commands that may be executed through this library.

XV. Vulnerability: Obscure backdoor

Observation:
A backdoor is a security weakness that can be used to bypass the security policies and mechanisms of a system. Typical forms:
- Administration and management interfaces exposed
- Redundant interfaces/functions/features
- Redundant users: guest, testuser, scott (tiger), usually default users
- Authentication and authorization between application components
- Exposed configuration data

Exploit:

Mitigation:

XVI. Vulnerability: Tabnabbing

Observation:
Tabnabbing is a phishing attack that persuades users to submit their login details and passwords.
When we click on Learn more we are redirected.

Exploit:

Mitigation:

XVII. Vulnerability: Weak hashing method for

Observation & exploitation:

When we found the hashed password through the SQL injection, we easily used an online MD5 lookup to get the password.

Mitigation:

The application should force the user to choose a strong password with special characters.

