Security Master Course EXAM Squalli-Rhita
Squalli Rhita
[email protected]
Mitigation
XI. Vulnerability: Missing authentication / authorization
    Observation
    Exploit
    Mitigation
XII. Vulnerability: Session cookie is forgeable
    Observation
    Exploit
    Mitigation
XIII. Vulnerability: Username enumeration
    Observation
    Exploit
    Mitigation
XIV. Vulnerability: Vulnerable libraries
    Observation
    Exploit
    Mitigation
XV. Vulnerability: Obscure backdoor
    Observation
    Exploit
    Mitigation
XVI. Vulnerability: Tabnabbing
    Observation
    Exploit
    Mitigation
XVII. Vulnerability: Weak hashing method for
    Observation & exploitation
    Mitigation
Vulnerability: SQL injection
Observation:
A SQL injection attack happens when SQL statements are inserted into an entry field for execution.
When we inject a single quote we trigger an error in the application, and the error page reveals the query:
    cur = db.execute('SELECT * FROM users where userid='+str(userid))
Let's inject an always-true logical condition, " and 1=1", to see if we can manipulate the SQL statement: bingo!
Exploit:
As shown in the observation, the application is vulnerable to SQL injection.
Let's inject a SQL statement using UNION to read information from the database.
- The UNION operator combines the result sets of two SELECT statements; every
SELECT statement within the UNION must have the same number of columns.
Let's try to inject union select 1, 2,…x-1, x until we no longer get an error page.
Then x is the number of columns of the first SELECT in the union.
Let's query sqlite_master to find the name of the password field.
- Let's read the logins and passwords from the table by using:
Union select 1,2,username,4,5,6,password,8,9,FullName from users
- Let's retrieve the other logins and passwords by appending to the union: limit 1,1 / limit 2,1 / limit 3,1
Mitigation:
You show the code fix (pseudo-code) of the vulnerability or write in detail the steps to mitigate it (can be in a
screenshot).
1- We replace the code with:
    import re
    from flask import request, render_template

    def validate_input():
        user_input = request.form['string']
        # Accept only short alphanumeric values; anything else goes to the error page
        if len(user_input) < 9 and re.fullmatch(r'[0-9a-zA-Z]+', user_input):
            return render_template('ok')
        return render_template('error')
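Input validation narrows what reaches the query, but the root cause is that the user value is spliced into the SQL text. The following is an added example, not the exam application's code: the vulnerable statement from the observation beside a parameterised version, run against a constructed in-memory SQLite table whose column names follow the UNION payload above.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the application's "users" table;
    # the column names follow the UNION payload used in the report.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (userid INTEGER, username TEXT, password TEXT, FullName TEXT)"
    )
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "Admin", "<constructed-hash-1>", "Administrator"),
        (2, "Test", "<constructed-hash-2>", "Test User"),
    ])
    return db


def lookup_vulnerable(db, userid):
    # The statement from the report: the request value is concatenated into
    # the SQL text, so "1 or 1=1" rewrites the WHERE clause and returns everyone.
    cur = db.execute("SELECT * FROM users where userid=" + str(userid))
    return cur.fetchall()


def lookup_fixed(db, userid):
    # Hardened version: the value travels as a bound parameter, never as SQL
    # text, so it cannot change the statement's structure. Anything that is
    # not an integer is rejected before it reaches the database at all.
    try:
        userid = int(str(userid).strip())
    except ValueError:
        return []
    cur = db.execute("SELECT * FROM users WHERE userid = ?", (userid,))
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    print(len(lookup_vulnerable(db, "1 or 1=1")), "rows from the vulnerable query")
    print(len(lookup_fixed(db, "1 or 1=1")), "rows from the parameterised query")
```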
- If we try to inject another website, Google for example, we can see that there is a stored cross-site
scripting vulnerability.
- When we submit, the LinkedIn URL of the profile is changed.
Exploit:
As seen in the observation, the user input is reflected in the href.
We insert JavaScript code in the input text field instead of a URL: javascript:alert('i can be a pop-up')
Mitigation:
XSS in the href can be prevented by using a:
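Because the value ends up inside an href, HTML-escaping alone is not enough: a javascript: URL is a perfectly valid attribute value. As an added example (not the application's code), a validator that only accepts absolute http(s) URLs and escapes the result before it is placed in the attribute; the function and template names are assumptions.

```python
from html import escape
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def safe_href(user_url):
    """Return an attribute-safe href for user_url, or None if it must be rejected."""
    if not isinstance(user_url, str) or len(user_url) > 2048:
        return None
    # Drop control characters such as tabs and newlines: browsers ignore them
    # inside a scheme, so "java\tscript:" would otherwise slip past the check.
    candidate = "".join(ch for ch in user_url if ch.isprintable()).strip()
    parts = urlsplit(candidate)
    # Only absolute http(s) URLs are accepted; javascript:, data:, vbscript:
    # and scheme-relative (//host) values are all refused.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    # Escape quotes and angle brackets so the value cannot break out of href="...".
    return escape(candidate, quote=True)


def render_profile_link(label, user_url):
    """Render the profile's LinkedIn link, falling back to plain text on a bad URL."""
    href = safe_href(user_url)
    if href is None:
        return escape(label)
    # rel="noopener noreferrer" also stops the opened page from reaching
    # window.opener, which is the tabnabbing issue discussed later in the report.
    return (
        f'<a href="{href}" target="_blank" rel="noopener noreferrer">'
        f"{escape(label)}</a>"
    )
```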
The application accepts the file:
Exploit:
- We can upload a malicious file.
Mitigation:
- Mitigation: check the file extension and content type, and scan uploads for viruses.
Exploit:
- We can upload very large files and consume memory.
Mitigation:
- Mitigation: validate the input (size, extension, …).
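As an added example of the two mitigations above (not the application's code), an upload check that enforces a size limit, an extension allow-list and a match between the declared extension and the file's leading bytes; the allowed types and the 2 MiB limit are constructed values.

```python
import posixpath

# Constructed allow-list: extension -> leading "magic" bytes the content must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # 2 MiB, a constructed limit for the example


def check_upload(filename, data, max_bytes=MAX_UPLOAD_BYTES):
    """Return None when the upload is acceptable, otherwise the reason it is refused.

    In a real server the size limit must also be enforced before the body is
    buffered (Flask exposes this as the MAX_CONTENT_LENGTH setting); otherwise
    the "very large file" memory problem has already happened by the time
    this function runs.
    """
    if len(data) > max_bytes:
        return "file too large"
    # Strip any directory part the client sent, then compare the extension
    # case-insensitively so "photo.PNG" is treated like "photo.png".
    base = posixpath.basename(filename.replace("\\", "/"))
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return "extension not allowed"
    # The declared type must match the bytes: a script renamed to .png fails here.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return "content does not match extension"
    return None
```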
Vulnerability: LFI
Observation:
A Local File Inclusion attack is used to trick the application into exposing or running files on the server.
When we want to add a company:
We see that when we click on send, the server loads the file company.xml, as shown in the code
Exploit:
- We can change the file name company.xml to ../../../../../../etc/passwd to download the
contents of passwd instead of company.xml, by inspecting the code in the window:
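The traversal works because the requested name is joined onto the data directory as-is. As an added example (not the application's code), the vulnerable join beside a hardened resolver that keeps only the final path component, allow-lists the .xml extension and re-checks the normalised result; /srv/app/data is a constructed directory.

```python
import posixpath

BASE_DIR = "/srv/app/data"  # constructed data directory for the example


class UnsafePathError(ValueError):
    """Raised when a requested file name would leave the data directory."""


def vulnerable_path(requested_name, base_dir=BASE_DIR):
    # The pattern the report exploits: the name is joined without any check,
    # so "../../../../../../etc/passwd" normalises to /etc/passwd.
    return posixpath.normpath(posixpath.join(base_dir, requested_name))


def resolve_company_file(requested_name, base_dir=BASE_DIR):
    """Map a user-supplied file name onto base_dir, refusing anything that escapes it."""
    # Keep only the final path component: "../" sequences and absolute paths
    # lose their directory part before we ever touch the filesystem.
    name = posixpath.basename(requested_name.replace("\\", "/"))
    if not name or name in (".", "..") or "\x00" in name:
        raise UnsafePathError(requested_name)
    # Allow-list the file type this feature needs; it only ever loads company.xml-style files.
    if not name.lower().endswith(".xml"):
        raise UnsafePathError(requested_name)
    candidate = posixpath.normpath(posixpath.join(base_dir, name))
    # Belt and braces: after normalisation the path must still lie inside base_dir.
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        raise UnsafePathError(requested_name)
    return candidate
```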
This indicates that the web application might be running Python Flask, and Flask uses the Jinja2 template engine.
Let's inject a mathematical statement: {{ 8 + 1 }}
Exploit:
To exploit this vulnerability, let's inject something useful for Jinja2, for example {{ config.items() }} to display
the configuration.
Mitigation:
Vulnerability: YAML deserialization
Observation:
When we click on Config, then on Rest server config, we notice that the application is using a YAML
serialised object to display the content in the HTML.
We found
dist: trusty
language: python
sudo: false
python: "3.6"
notifications:
- on_success: always
- on_failure: always
- on_start: never
Exploit:
Let's use:
sudo: !!python/object/apply:subprocess.check_output ['whoami']
Base64-encoded:
c3VkbzogISFweXRob24vb2JqZWN0L2FwcGx5OnN1YnByb2Nlc3MuY2hlY2tfb3V0cHV0IFsnY2F0IC9ldGMvcGFzc3dkJ10=
The app displays the result of whoami: app
Mitigation:
- We should use SafeLoader in the Python file: content = yaml.load(yaml_file, Loader=yaml.SafeLoader)
Vulnerability: CORS
Observation:
In this window:
We intercept the traffic from the application and notice that the application is using an insecure
configuration: the '*' wildcard as the value of the Access-Control-Allow-Origin header, which means all domains are
allowed.
Exploit:
We can replace the '*' by our evilsite.
Now our evilsite can make the malicious XHR GET request.
Mitigation:
We replace the '*' by a whitelist:
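As an added example of the whitelist fix (not the application's code), the logic that decides which Access-Control-Allow-Origin value to send: the request's Origin is only ever echoed back on an exact match against the allow-list, never as '*' and never on a prefix or substring match. The allowed origins are constructed values.

```python
from urllib.parse import urlsplit

# Constructed allow-list of origins permitted to call the API from a browser.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def normalise_origin(origin):
    """Reduce an Origin header value to scheme://host[:port], or None if malformed."""
    if not origin:
        return None
    parts = urlsplit(origin.strip())
    # A real Origin has a scheme and host and no path; "*", "null" and bare
    # hostnames all fail here and therefore never match the allow-list.
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/"):
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers(origin_header, allowed=ALLOWED_ORIGINS):
    """Return the CORS response headers for a request, or {} when the origin is not trusted.

    This replaces the report's 'Access-Control-Allow-Origin: *'. An untrusted
    origin gets no CORS headers at all, so the browser blocks the cross-site read.
    """
    origin = normalise_origin(origin_header)
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # The response now depends on Origin, so caches must key on it as well;
        # otherwise one allowed origin's response could be served to another.
        "Vary": "Origin",
    }
```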
Exploit:
Now we log in as Admin with the correct password, intercept with Burp and send the request to the Repeater:
Mitigation:
To fix this vulnerability we should encrypt the data and not allow the application to display it in the URL,
and change the method from GET to POST in login.py and index.html.
Vulnerability: XML external entity (XXE) attack
Observation:
In this window we can observe that we can upload a file and display its content:
When we click on upload, the application displays the content of the file:
Exploitation:
Let's add the external entity declaration, like in the file below, and upload it to display the content
of passwd:
Mitigation:
The safest way to prevent XXE is always to disable DTDs (external entities) completely; how this is done depends on the
parser.
Exploit:
A malicious user can add a company and store its information without any control.
Mitigation:
The application should verify that the session exists before allowing a user to add a new company.
Observation:
We log in as Admin, intercept the request using Burp and read the session cookie value.
Exploit:
To exploit it we log in as Test, intercept the request with Burp and change the session id in the cookie to the
Admin's session; the user Test is now connected as Admin, as shown in the screenshot:
Mitigation:
Use
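The two findings above share one fix: a session the server can verify, and an "add company" action that refuses to run without one. Flask's own session object already signs its cookie when app.secret_key is set; the following added example (not the application's code) shows the same mechanism with only the standard library, so it is visible why swapping in another user's payload fails. The token layout, the add_company return values and the secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side secret; a real deployment loads it from configuration, never from source.
SECRET_KEY = secrets.token_bytes(32)


def _sign(payload):
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_session(username, ttl_seconds=3600, now=None):
    """Create a tamper-evident cookie: base64(payload).base64(hmac-sha256(payload))."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"user": username, "exp": now + ttl_seconds}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(_sign(body)).decode()


def read_session(cookie, now=None):
    """Return the username for a valid cookie, or None if it is forged, altered or expired."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = cookie.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, AttributeError):
        return None
    # Editing "Test" to "Admin" in the payload invalidates the MAC, which only
    # the server can recompute. compare_digest avoids leaking timing information.
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    data = json.loads(body)
    if data.get("exp", 0) <= now:
        return None
    return data.get("user")


def add_company(cookie, company):
    """The 'add company' action, now refused unless the request carries a valid session."""
    user = read_session(cookie)
    if user is None:
        return (401, "authentication required")
    return (200, f"{user} added {company}")
```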
Vulnerability: Username enumeration
Observation:
When we enter a random username, the application displays the error message "invalid
username".
Exploit:
When we enter a valid login such as Admin, the application displays:
We get the error message "invalid password for username": the username Admin exists.
Mitigation:
Vulnerability: Vulnerable libraries
Observation:
In the code in monitoring.py we find the library import os:
Exploit:
We go to the monitoring page and see that this library displays sensitive information, in the second
screenshot:
Mitigation:
We should define a whitelist of the commands this library is allowed to execute.
Exploit:
Mitigation:
Vulnerability: Tabnabbing
Observation:
Tabnabbing is a phishing attack which persuades users to submit their login details and passwords.
When we click on Learn more we are redirected
Exploit:
Mitigation:
When we found the hashed password via SQL injection, we easily used an online MD5 lookup to recover the password.
Mitigation:
The application should force the user to choose a strong password with special characters.
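An unsalted MD5 digest is what made the online lookup above work. As an added example (not the application's code), the password policy from the mitigation beside a salted, slow password hash using the standard library's PBKDF2-HMAC-SHA256 with a constant-time comparison; the record format and the iteration count are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import string

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor chosen for this example


def password_is_strong(password, min_length=12):
    """Policy from the mitigation: length plus lower, upper, digit and special characters."""
    checks = (
        len(password) >= min_length,
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return all(checks)


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest (base64 fields)."""
    # A random per-user salt means two users with the same password get different
    # records, so a precomputed MD5-style lookup table is useless against them.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(password, stored):
    """Check password against a stored record; anything malformed (e.g. a bare MD5 hex) fails."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, AttributeError):
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so verification time does not leak digest bytes.
    return hmac.compare_digest(candidate, expected)
```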