Cyber Security and Ethical Hacking Certification Project
Anirudh Poojary

Finding vulnerabilities in a Juice Shop machine.

The list of vulnerabilities I found in this machine:
Improper input validation
Cross-site scripting
Security misconfiguration
Improper input validation of links
Login page SQL injection
Broken access control
Broken authentication
View basket (broken access control)
Admin registration for other users
Rate limiting flaws
Stored XSS
SQL injection on search page
Upload size manipulation

Title: Improper input validation

Description: Input validation is a frequently used technique for checking potentially dangerous inputs to ensure that they are safe for processing within the code, or when communicating with other components. When software does not validate input properly, an attacker can craft input in a form that the rest of the application does not expect.

Steps to reproduce: First I captured the request of the customer feedback. At first, without any rating, no submission takes place. But after changing the rating to 0 in Burp Suite, the request was submitted successfully.

Impact: This vulnerability leads to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.

Title: Cross-site scripting (XSS)

Description: Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other.

Steps to reproduce: First I found a search box in the machine. Then I tried some XSS scripts; finally <iframe src=javascript:alert("hello")> succeeded.
As a result, a popup was displayed on the screen.

Impact: It allows an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.

Title: Security misconfiguration

Description: Security misconfiguration is any error or vulnerability in the configuration of code that allows attackers access to sensitive data. There are many types of security misconfiguration, but most present the same danger: a data breach, with attackers gaining unauthorized access to data.

Steps to reproduce: First I captured the request of the product 1 review. Then I captured the request and changed the product id; then I got the information of the other products easily. Just by changing the id in /rest/product/2/reviews, I successfully looked at other reviews.

Impact: These can lead to a data breach and even complete system compromise. Depending on the value of the data compromised, this can have a significant negative impact on a business. Attackers may be able to exploit or even modify parts of applications by taking advantage of security misconfigurations. These security misconfiguration vulnerabilities leave a business exposed to potential attack.

Title: Improper input validation of links

Description: Input validation is a frequently used technique for checking potentially dangerous inputs to ensure that they are safe for processing within the code, or when communicating with other components. When software does not validate input properly, an attacker can craft input in a form that the rest of the application does not expect.

Steps to reproduce: Here I went to the link http://192.168.29.104:3000/#/photo-wall; there I found an image which was not loaded properly.
So I inspected the code and replaced the "#" in this link http://assets/public/images/uploads/%F0%9F%98%BC-#zatschi-#whoneedsfourlegs1572600969477.jpg with %23; then I got the picture.

Impact: This vulnerability leads to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.

Title: Login page (SQL injection)

Description: SQL injection is a technique used to exploit user data through web page inputs by injecting SQL commands as statements. These statements can be used by malicious users to manipulate the application's web server. The first account in a database is often an administrative user; this behavior can be exploited to log in as the first user in the database.

Steps to reproduce: First I went to the login page using the link http://192.168.29.104:3000/#/login. Then in the username field I injected a simple SQL injection string, ' or 1=1 --, and used a random password. Then I got into the admin account: as the admin account was stored first in the database, I was logged in as admin.

Impact: The flaw is easily detected and easily exploited, and as such any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. Essentially, the attack is accomplished by placing a meta character into data input in order to place SQL commands in the control plane, where they did not exist before. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.

Title: Broken access control

Description: Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to unauthorized information disclosure, modification, or destruction of all data, or to performing a business function outside the user's limits.

Steps to reproduce: Here I entered as the admin user.
I found a hidden path related to the administrator. At first I accessed it as a normal user, and it restricted me. After entering with admin privileges, I accessed the administration page, and I found all the users and the reviews related to them.

Impact: Broken access control can lead to a number of serious security issues, including data breaches, theft of sensitive information, and loss of system availability. In some cases, it can also enable an attacker to gain elevated privileges that allow them to perform malicious actions on the systems or data they have accessed.

Title: Broken authentication

Description: Broken authentication and session management is a security vulnerability that occurs when the authentication and session management mechanisms of a web application are flawed or improperly implemented. Authentication is the process of verifying the identity of users, typically through usernames and passwords, while session management involves maintaining and controlling the user's session after authentication.

Steps to reproduce: By entering as the admin user I found the username. But I did not know the password, so I captured the request of the login page using Burp Suite. Then I tried a password list against the admin user's password using Intruder. Then I found that the password is 'admin123'.

Impact: The impact of broken authentication can be severe and far-reaching. When attackers successfully exploit these vulnerabilities, they can gain unauthorized access to user accounts, leading to various consequences. This may include unauthorized access to sensitive information, such as personal data, financial details, or intellectual property.

Title: View basket (broken access control)

Description: Access control enforces policy such that users cannot act outside of their intended permissions.
Failures typically lead to unauthorized information disclosure, modification, or destruction of all data, or to performing a business function outside the user's limits.

Steps to reproduce: First I captured the request of my normal user using Burp Suite. After that I tried to change the request using Repeater. At the /rest/basket/2 link, when we change the number, we get access to the other users' baskets.

Impact: Broken access control can lead to a number of serious security issues, including data breaches, theft of sensitive information, and loss of system availability. In some cases, it can also enable an attacker to gain elevated privileges that allow them to perform malicious actions on the systems or data they have accessed.

Title: Admin registration

Description: Here the attacker can turn a normal user into an admin user and gain admin privileges simply by changing the role of the user.

Steps to reproduce: Here I captured the request of the user registration using Burp Suite. Then I changed the role of the user from "customer" to "admin". Then I sent the request, and the normal user gained admin privileges.

Impact: With this, an attacker can simply register as a client, change the permissions to admin privileges, access all the internal files, and attack the machine with malware files easily.

Title: Rate limiting flaw

Description: Rate limiting is a strategy used to cap a traffic exchange, limiting the amount of incoming and outgoing traffic from a particular network. Typically, it limits repeated actions by users within specified timeframes, preventing systems, networks and applications from becoming overloaded; for instance, the number of logins to an account within a specified timeframe, or the number of failed login attempts.

Steps to reproduce: Here I used the feedback review page.
Then, using Burp Suite Intruder, I generated random null payloads against the feedback page, and I found that it has a rate limiting flaw. It even bypasses the captcha by forwarding many requests at once.

Impact: Rate-limiting flaws can impact the performance of the API servers and allow attackers to launch DoS attacks. When a single client or multiple clients make too many requests at once, those requests can overwhelm the server's ability to process requests and, in turn, make the service slow or unavailable for other users. Another issue is that a lack of rate limiting can lead to brute-force attacks on authentication endpoints and on endpoints with broken object level authorization.

Title: Stored cross-site scripting (XSS)

Description: Cross-site scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

Steps to reproduce: Here I tried to register a new user. Then I captured the registration request, and in the email field I replaced the value with the XSS script <iframe src=\"javascript:alert('hello')\">. After I forwarded the request, the user was registered successfully. Then I went to the administration page as admin, and I found a popup showing "hello". Whenever I open this page, I get the popup "hello".

Impact: Stored XSS (also known as second-order XSS) is the most dangerous type of cross-site scripting attack. The reason is that it does not require users to click a malicious link or perform any activity other than browsing to a legitimate web page.
Once an attacker discovers a stored XSS vulnerability and injects XSS code into the database, all visitors to the affected pages are compromised until the exploit is discovered. Stored XSS attacks are even more significant on websites that require authentication. When an authenticated user visits a page with stored XSS, attackers are usually able to hijack their session and perform actions on their behalf. On some websites, such as those of financial or medical institutions, this can result in financial loss or exposure of highly sensitive data.

Title: SQL injection to extract the database

Description: SQL injection is a technique used to exploit user data through web page inputs by injecting SQL commands as statements. These statements can be used by malicious users to manipulate the application's web server. The first account in a database is often an administrative user; this behavior can be exploited to log in as the first user in the database.

Steps to reproduce: First I tried some SQL injection scripts to extract the whole database using the URL given below. Then I captured the search request using Burp Suite. After that I tried the SQL string '))union%20select%20sql,2,3,4,5,6,7,8,9%20from%20sqlite_master-- after the search request. Then I successfully extracted the database schema from that search data.

Impact: The flaw is easily detected and easily exploited, and as such any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. Essentially, the attack is accomplished by placing a meta character into data input in order to place SQL commands in the control plane, where they did not exist before. This flaw depends on the fact that SQL makes no real distinction between the control and data planes.

Title: Upload size manipulation

Description: File content manipulation: an attacker may upload a file with malicious code, such as a script that executes arbitrary code on the server.
File size manipulation: an attacker may upload a large file that exceeds the web application's file size restriction, causing a buffer overflow or other vulnerabilities.

Steps to reproduce: Here I took the URL http://192.168.29.104:3000/#/complain. There is an option to upload a file, but only of PDF or ZIP type and up to 100 KB in size. So I tried to manipulate the size using Burp Suite, by capturing the request and sending it to Repeater. There I just cleared the old file data and pasted the new file data, and sent the request; then the file was uploaded successfully. Like this I manipulated the file size. After sending the request, in the Juice Shop I got a message that I had completed the challenge.

Impact: The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.
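The feedback findings above (a rating of 0 accepted, captcha bypassed by replaying, no rate limit) share one root cause: the server trusts what the client sends. The following Node.js handler is an added example, not code from this report or from the Juice Shop project; the names createFeedbackHandler, issueCaptcha, submitFeedback and the injectable clock are this example's own.

```javascript
// Added example (not Juice Shop code): a feedback endpoint that re-checks
// everything the client controls. The rating must be an integer 1..5, the
// captcha id/answer pair is single-use, and each client gets a fixed number
// of attempts per window. The clock is injectable so the window can be tested.
function createFeedbackHandler({ limit = 5, windowMs = 60_000, now = () => Date.now() } = {}) {
  const captchaStore = new Map(); // captchaId -> expected answer (constructed)
  const hits = new Map();         // clientKey -> timestamps of recent attempts

  function issueCaptcha(id, answer) { captchaStore.set(id, String(answer)); }

  // Sliding window: every attempt counts, accepted or not, so a burst of
  // malformed requests cannot be used to probe the endpoint for free.
  function rateLimited(clientKey) {
    const t = now();
    const recent = (hits.get(clientKey) || []).filter(ts => t - ts < windowMs);
    hits.set(clientKey, recent);
    if (recent.length >= limit) return true;
    recent.push(t);
    return false;
  }

  function submitFeedback(clientKey, body) {
    if (rateLimited(clientKey)) return { status: 429, error: 'too many requests' };
    const rating = body.rating;
    if (!Number.isInteger(rating) || rating < 1 || rating > 5) {
      return { status: 400, error: 'rating must be an integer from 1 to 5' };
    }
    if (typeof body.comment !== 'string' || body.comment.length > 160) {
      return { status: 400, error: 'comment must be a string of at most 160 chars' };
    }
    // The captcha is consumed on first use; replaying the same id fails.
    const expected = captchaStore.get(body.captchaId);
    if (expected === undefined || expected !== String(body.captcha)) {
      return { status: 401, error: 'captcha invalid or already used' };
    }
    captchaStore.delete(body.captchaId);
    return { status: 201, feedback: { rating, comment: body.comment } };
  }

  return { issueCaptcha, submitFeedback };
}
```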
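The admin registration, basket and administration page findings are all access control decisions that were left to the request. As an added example (not code from this report or from Juice Shop), the handlers below keep those decisions server-side; the users, baskets, sessions and function names are constructed for the example.

```javascript
// Added example (not Juice Shop code): the server decides the role, and every
// basket lookup checks the basket's owner against the session.
const ROLE_CUSTOMER = 'customer';
const ROLE_ADMIN = 'admin';

const users = new Map();     // email -> { email, role }
const baskets = new Map([    // basketId -> { owner, items } (constructed data)
  [1, { owner: 'alice@example.test', items: ['Apple Juice'] }],
  [2, { owner: 'bob@example.test', items: ['Banana Juice'] }],
]);

// Registration copies only allowlisted fields. A "role": "admin" supplied by
// the client is ignored, so the mass-assignment step in the report has no
// effect. (Password hashing is left out of this example.)
function registerUser(body) {
  if (typeof body.email !== 'string' || !body.email.includes('@')) {
    return { status: 400, error: 'invalid email' };
  }
  if (users.has(body.email)) return { status: 409, error: 'email already registered' };
  const user = { email: body.email, role: ROLE_CUSTOMER };
  users.set(user.email, user);
  return { status: 201, user };
}

// Object-level authorization: changing /rest/basket/1 to /rest/basket/2 in a
// proxy only succeeds if the session owns basket 2 (or is an admin).
function getBasket(session, basketId) {
  const basket = baskets.get(basketId);
  if (!basket) return { status: 404, error: 'no such basket' };
  const isOwner = Boolean(session) && session.email === basket.owner;
  const isAdmin = Boolean(session) && session.role === ROLE_ADMIN;
  if (!isOwner && !isAdmin) return { status: 403, error: 'forbidden' };
  return { status: 200, basket };
}

// The administration page is gated on the role stored server-side, not on
// the path being absent from the menu.
function getAdministration(session) {
  if (!session || session.role !== ROLE_ADMIN) return { status: 403, error: 'forbidden' };
  return { status: 200, users: [...users.values()] };
}
```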
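Both XSS findings (the reflected one in the search box and the stored one in the registration email) are fixed by the same two controls: validate the email on the way in, and encode every user-controlled value on the way out. This is an added example, not code from the report or from Juice Shop; escapeHtml, isValidEmail and the two render functions are this example's own, and the payloads from the report are reused only as test input.

```javascript
// Added example (not Juice Shop code): output encoding plus input validation.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for an HTML text or attribute context. Apply at render time to every
// value that came from a user, however long ago it was stored.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]);
}

// Conservative email check: one local part, one '@', a dotted domain, and
// none of the characters that open HTML tags or attributes. A value such as
// <iframe ...> therefore never reaches the Users table in the first place.
function isValidEmail(value) {
  return typeof value === 'string'
    && value.length <= 254
    && /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/.test(value);
}

// Server-rendered fragments (constructed templates). The fix is that the
// user-controlled parts pass through escapeHtml and nothing else does.
function renderSearchHeader(query, resultCount) {
  return `<h2>Search results for "${escapeHtml(query)}" (${resultCount})</h2>`;
}

function renderUserRow(user) {
  return `<tr><td>${escapeHtml(user.email)}</td><td>${escapeHtml(user.role)}</td></tr>`;
}
```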
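The two SQL injection findings (login bypass with ' or 1=1 -- and the UNION against sqlite_master in the search) both come from the search term or email being spliced into the SQL text. The following is an added example, not code from the report or from Juice Shop: it shows the concatenated form that the report's payloads exploit next to a parameterized form, without needing a database. The table and column names are assumed for the example.

```javascript
// Added example (not Juice Shop code): string-built SQL versus parameters.

// Vulnerable shape: the email value is spliced into the statement, so
// "' or 1=1 --" closes the literal, adds an always-true condition and comments
// out the password check; the first matching row (usually admin) is returned.
function buildLoginQueryUnsafe(email, password) {
  return `SELECT * FROM Users WHERE email = '${email}' AND password = '${password}' AND deletedAt IS NULL`;
}

// Fixed shape: the statement is constant and the values travel separately as
// parameters, so they are never parsed as SQL. "' or 1=1 --" becomes an
// email address that matches nobody.
function buildLoginQuerySafe(email, password) {
  return {
    sql: 'SELECT * FROM Users WHERE email = ? AND password = ? AND deletedAt IS NULL',
    params: [email, password],
  };
}

// Same pattern for the product search: the term is a parameter, with LIKE
// wildcards escaped so a user cannot turn it into a match-all either.
function buildSearchQuerySafe(term) {
  const escaped = term.replace(/[\\%_]/g, ch => '\\' + ch);
  return {
    sql: "SELECT * FROM Products WHERE (name LIKE ? ESCAPE '\\' OR description LIKE ? ESCAPE '\\') AND deletedAt IS NULL",
    params: [`%${escaped}%`, `%${escaped}%`],
  };
}

// Review-time guard: a parameterized statement has exactly as many '?' as
// parameters and contains none of the raw inputs in its text.
function isParameterized(query, inputs) {
  const placeholders = (query.sql.match(/\?/g) || []).length;
  return placeholders === query.params.length && inputs.every(v => !query.sql.includes(v));
}
```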
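The upload finding shows that the 100 KB and PDF/ZIP limits were enforced somewhere the client could edit. As an added example (not code from the report or from Juice Shop), the check below applies the same limits on the server to the bytes actually received; MAX_UPLOAD_BYTES, the function names and the sample buffers are constructed for the example.

```javascript
// Added example (not Juice Shop code): server-side upload validation that
// looks at the received bytes, not at the filename or the size the client
// claims, so swapping the file body in a proxy is caught.
const MAX_UPLOAD_BYTES = 100 * 1024;

// Magic numbers decide the type, not the extension. PDF starts with "%PDF-";
// a ZIP local file header starts "PK\x03\x04" (an empty ZIP with "PK\x05\x06").
const SIGNATURES = [
  { type: 'pdf', ext: '.pdf', magic: Buffer.from('%PDF-', 'latin1') },
  { type: 'zip', ext: '.zip', magic: Buffer.from([0x50, 0x4b, 0x03, 0x04]) },
  { type: 'zip', ext: '.zip', magic: Buffer.from([0x50, 0x4b, 0x05, 0x06]) },
];

function sniffType(bytes) {
  return SIGNATURES.find(s =>
    bytes.length >= s.magic.length && bytes.subarray(0, s.magic.length).equals(s.magic)) || null;
}

// bytes: Buffer with the body as received; filename and declaredSize: what the
// client sent, used only for consistency checks, never as the source of truth.
function validateUpload({ filename, declaredSize, bytes }) {
  if (!Buffer.isBuffer(bytes) || bytes.length === 0) return { ok: false, reason: 'empty body' };
  if (bytes.length > MAX_UPLOAD_BYTES) return { ok: false, reason: `body exceeds ${MAX_UPLOAD_BYTES} bytes` };
  if (Number.isInteger(declaredSize) && declaredSize !== bytes.length) {
    return { ok: false, reason: 'declared size does not match received body' };
  }
  const sig = sniffType(bytes);
  if (!sig) return { ok: false, reason: 'content is not a PDF or ZIP' };
  const lower = String(filename || '').toLowerCase();
  if (!lower.endsWith(sig.ext)) return { ok: false, reason: 'extension does not match content' };
  // Store under a server-generated name; never reuse the client's path.
  return { ok: true, type: sig.type, size: bytes.length };
}
```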