ScottNingSe526Hwk2

Scott Ning
SE 526
Assignment 2
Assessment of PhpGradebook
THREAT MODELING
Application Overview
The PhpGradebook application provides users, such as students and administrators, with the ability to
log in and to view or input grade information. The administration area, however, exposes more
functionality for modifying such data, and therefore more inputs and outputs that may be possible
vulnerabilities.
Interesting Areas
• The administrator dashboard features database downloading and uploading functionalities
  upon administrator login.
  o This may pose vulnerabilities, such as the uploading of other files to the same
    server/application, or the accessing of these functionalities without authentication.
    ▪ By modifying post/get/request parameters, users can alter the file being uploaded and
      therefore potentially access and run this file.
    ▪ By accessing this functionality and other database-modifying functionalities (through
      the URL and possibly with easily accessible post/get parameters) without
      authentication cookies, an unauthenticated user can easily retrieve the database data.

• The administrator area allows for the editing of information through many inputs, such as the
  textbox inputs in the grade-editing section.
  o The possible vulnerability regarding these inputs is that users may enter HTML and
    Javascript code that is saved directly to the database and then viewed and executed, behind
    the scenes, by other users when this data is reflected in different areas of the application.
    Users may also be able to access this functionality without logging in or being
    authenticated, by sending the requests with the appropriate parameters.
    ▪ By inputting and storing malicious HTML and Javascript code, an attacker can trick users
      into executing his or her script unknowingly. This cross-site scripting strategy can
      potentially redirect users to an attacker’s server, which allows the attacker to steal
      cookies or authentication information.
    ▪ By accessing this functionality, possibly through the appropriate URL and parameters
      (without being authenticated), a user can easily modify data that they should not be
      allowed to access.

• A normal user (student) has a couple of input/output areas as well. A main functionality is the
  view grades area, which accepts a few parameters as inputs and displays grade data based on
  this fed information.
  o The possible vulnerabilities are the accessing of other data, or another user’s data, through
    the modification of the sent parameters. The possibility of accessing this functionality
    without authentication is also present.
    ▪ By modifying the post/get parameters while accessing the appropriate URL, a user can
      possibly access data that they should not be able to access.
    ▪ By accessing this functionality, possibly through the appropriate URL and parameters
      (without being authenticated), a user can easily view data that they should not be
      allowed to access.
VULNERABILITY CLASS IDENTIFICATION
Numerous vulnerabilities may exist within the PhpGradeBook application. Through source-based and
black-box assessment, several vulnerability classes can be identified. Below is the relevant information
for each of the possible vulnerability classes, together with the details pertaining to each of them.
Remote File Inclusion (Uploading of malicious files/scripts)
Relevant source code: admin/index.php (lines 78 - 81 and 220 - 280)
• Post request to URL: /phpGradeBook/admin/index.php?restore=sql
  o Assumes the parameters:
    ▪ “restore” with value of “sql” (Type URL)
    ▪ “adminuser” with the value of the administrator’s user name (Type Cookie)
    ▪ “adminpass” with the value of the administrator’s encrypted password (Type Cookie)
    ▪ “uploadfile” with a modified value (such as the representation of a gif file), attempting
      to upload different file types such as .txt, .html, .php and .jpg files to see if the
      uploading of other file types is possible. (Type Body)
Insufficient Function Authorization (To retrieve/modify sensitive data)
Relevant source code: admin/index.php (lines 78 - 81 and 220 - 280)
• Post request to URL: /phpGradeBook/admin/index.php?restore=sql
  o See if the database can be uploaded by directly accessing this URL without logging in
    (without the cookies “adminuser” and “adminpass”). Therefore, assuming the parameters:
    ▪ “restore” with value “sql” (Type URL)
    ▪ “uploadfile” with the value of the contents of a full sql backup script (which can be
      created by the database backup/download functionality). (Type Body)
Relevant source code: admin/functions.inc.php (lines 1075 - 1105)
• Get request to URL: /phpGradeBook/admin/index.php?action=SaveSQL
  o See if the database can be downloaded by directly accessing this URL without logging in
    (without the cookies “adminuser” and “adminpass”). Therefore, assuming the parameter:
    ▪ “action” with value “SaveSQL” (Type URL)
Relevant source code: admin/process.php (lines 127 - 142)
• Get request to URL:
  /phpGradeBook/admin/process.php?action=AddStudent&name=testName&stud_id=testStudentId&password=testPass&class_name=SE%20526&notes=testNotes
  o See if a user can be created without administrator authentication. Assume parameters:
    ▪ “action” with appropriate value “AddStudent” (Type URL)
    ▪ “name” with appropriate value such as “testName” (Type URL)
    ▪ “stud_id” with appropriate value such as “testStudentId” (Type URL)
    ▪ “password” with appropriate value such as “testPass” (Type URL)
    ▪ “class_name” with appropriate value such as “SE%20526” (Type URL)
Cross-site Scripting (Reflective XSS/Content Injection)
Relevant source code: admin/index.php (lines 423 - 434)
• Post request to URL: /phpGradeBook/admin/index.php?action=EditGrade
  o See if HTML is stripped or not. Assume parameters:
    ▪ “action” with value of “EditGrade” (Type URL)
    ▪ “adminuser” with the value of the administrator’s user name (Type Cookie)
    ▪ “adminpass” with the value of the administrator’s encrypted password (Type Cookie)
    ▪ “EditClass” with appropriate value such as “SE+526” (Type Body)
    ▪ “Student” with appropriate value such as “Grade_1” (Type Body)
    ▪ “EditGrade%5B%5D” with a value containing HTML that can trigger Javascript, such as
      “%3Cimg+src%3D1+onerror%3Dalert%281%29%3E” (Type Body)
    ▪ “EditGrade%5B%5D” with appropriate value such as “20” (Type Body)
    ▪ “EditGrade%5B%5D” with appropriate value such as “40” (Type Body)
If the injection is a success, see if the output is reflected:
Relevant source code: index.php (lines 79 - 141)
• Post request to URL: /phpGradeBook/index.php
  o Assume parameters:
    ▪ “class” with appropriate value (the same value as the class that was attacked), such as
      “SE+526” (Type Body)
    ▪ “action” with value “View+Class+Grades” (Type Body)
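The two server-side controls that close this class are input validation on EditGrade[] (a grade is a number, so markup is simply rejected) and output encoding on index.php (whatever is already stored is rendered as text). The PHP below is an added example written for this assessment, not code from PhpGradebook; validate_grades(), h() and render_grade_row() are hypothetical names, and the grade format (a score from 0 to a maximum, up to two decimals) is an assumption about what the application should accept.

```php
<?php
// Added example, not PhpGradebook's own code: server-side validation of the
// EditGrade[] values and output encoding on the page that displays them.
// validate_grades(), h() and render_grade_row() are hypothetical names;
// the grade format (a score from 0 to $max with up to two decimals) is an assumption.
declare(strict_types=1);

/**
 * Accept only what a grade can legitimately be. Markup such as the
 * "<img src=1 onerror=alert(1)>" string used in the assessment fails the
 * pattern and is rejected before anything is written to the database.
 */
function validate_grades(array $rawGrades, float $max = 100.0): array
{
    $clean = [];
    foreach ($rawGrades as $index => $value) {
        if (!is_string($value) || !preg_match('/^\d{1,3}(\.\d{1,2})?$/', $value)) {
            throw new InvalidArgumentException("grade #$index is not a numeric score");
        }
        $score = (float) $value;
        if ($score < 0.0 || $score > $max) {
            throw new InvalidArgumentException("grade #$index is outside 0..$max");
        }
        $clean[] = $score;
    }
    return $clean;
}

/**
 * Output encoding for every untrusted value placed into HTML. ENT_QUOTES
 * covers attribute context as well as element text, so stored data cannot
 * break out of the tag it is rendered in, even if bad rows already exist.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_grade_row(string $student, array $grades): string
{
    $cells = '';
    foreach ($grades as $grade) {
        $cells .= '<td>' . h((string) $grade) . '</td>';
    }
    return '<tr><td>' . h($student) . '</td>' . $cells . "</tr>\n";
}

// Self-check with constructed input (run with: php this_file.php).
$payload = '<img src=1 onerror=alert(1)>';
try {
    validate_grades([$payload, '20', '40']);
    echo "FAIL: payload accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected on input: {$e->getMessage()}\n";
}
echo 'accepted: ', implode(', ', validate_grades(['20', '40', '99.5'])), "\n";

// Defence in depth: a row that somehow already holds the payload is still
// rendered as inert text, not as an <img> tag.
$row = render_grade_row('Grade_1', [$payload, 20, 40]);
echo strpos($row, '<img') === false ? "encoded on output\n" : "FAIL: tag rendered\n";
echo $row;
```

The validation step protects the database; the encoding step protects every page that reads from it, including rows written before the fix. Neither replaces the authorization check on the EditGrade action itself, which is a separate control.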
Insufficient Authentication (Bypassing implicit security expectations by accessing restricted
data with improper authentication)
Relevant source code: index.php (lines 79 - 141)
• Post request to URL: /phpGradeBook/index.php
  o Assume parameters:
    ▪ “StudID” with value of the logged-in student’s ID, such as “14112” (Type Cookie)
    ▪ “StudPass” with the value of the logged-in student’s encrypted password (Type Cookie)
    ▪ “StudID” with the value of another student’s “StudID” (Type Body)
    ▪ “UseTerm” with an empty value (Type Body)
    ▪ “action” with value “View+Class+Grades” (Type Body)
    ▪ “class” with appropriate value such as “SE+526” (Type Body)
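The insufficient function authorization and insufficient authentication findings above share one root cause: the identity used for a decision is taken from what the client sends (cookies carrying a password hash, or a StudID in the request body) rather than from state the server established at login. The PHP below is an added example for this assessment, not PhpGradebook's code: one gate that every admin action passes through, and a grade view that reads the student ID from the session only. The function names, the AccessDenied exception and the $session array layout are hypothetical; in the application they would sit on top of PHP's $_SESSION.

```php
<?php
// Added example, not PhpGradebook's own code: one authorization gate for the
// admin actions named in this assessment (SaveSQL, restore=sql, AddStudent,
// EditGrade) and a grade view bound to the logged-in student. The functions,
// the AccessDenied exception and the $session array layout are hypothetical;
// in the application they would sit on top of PHP's $_SESSION after login.
declare(strict_types=1);

class AccessDenied extends RuntimeException {}

/**
 * Authentication state comes from the server-side session created at login,
 * never from "adminuser"/"adminpass" values re-sent by the client.
 */
function is_admin(array $session): bool
{
    return !empty($session['admin_id']) && ($session['role'] ?? '') === 'admin';
}

/**
 * Every admin/index.php and admin/process.php action passes through here
 * before the action string is even looked up, so a new action cannot be
 * added later and left unprotected.
 */
function handle_admin_action(array $session, string $action, callable $handler)
{
    if (!is_admin($session)) {
        throw new AccessDenied("$action requires an authenticated administrator");
    }
    $known = ['SaveSQL', 'restore', 'AddStudent', 'EditGrade', 'ViewAllGrades'];
    if (!in_array($action, $known, true)) {
        throw new InvalidArgumentException("unknown action $action");
    }
    return $handler($action);
}

/**
 * index.php "View Student Grades": the student shown is the one in the
 * session. A StudID in the request body is simply never read.
 */
function grades_for_current_student(array $session, callable $fetchGrades): array
{
    if (empty($session['student_id'])) {
        throw new AccessDenied('login required');
    }
    return $fetchGrades((string) $session['student_id']);
}

/**
 * Login: compare against a password_hash() value from the database and
 * return the session data to store. Replaces the md5-in-a-cookie scheme.
 */
function login_admin(string $user, string $pass, array $adminRow): ?array
{
    if (hash_equals($adminRow['name'], $user) && password_verify($pass, $adminRow['pass_hash'])) {
        return ['admin_id' => $adminRow['id'], 'role' => 'admin'];
    }
    return null;
}

// Self-check with constructed sessions (run with: php this_file.php).
$anonymous = [];                               // no cookies, no session
$student   = ['student_id' => '14112'];        // the student ID used in the assessment
$dump      = fn(string $action) => "database dump produced by $action";
$fetch     = fn(string $id) => ['student' => $id, 'SE 526' => [20, 40]];

try {
    handle_admin_action($anonymous, 'SaveSQL', $dump);
    echo "FAIL: SaveSQL ran without login\n";
} catch (AccessDenied $e) {
    echo "blocked: {$e->getMessage()}\n";
}

$adminRow = ['id' => 1, 'name' => 'admin', 'pass_hash' => password_hash('example-pass', PASSWORD_DEFAULT)];
echo login_admin('admin', 'wrong-pass', $adminRow) === null ? "wrong password rejected\n" : "FAIL\n";
$admin = login_admin('admin', 'example-pass', $adminRow);
echo handle_admin_action($admin, 'SaveSQL', $dump), "\n";

// A body-supplied StudID=11214 changes nothing: only the session's 14112 is used.
$_POST['StudID'] = '11214';
echo grades_for_current_student($student, $fetch)['student'] === '14112'
    ? "other student's grades not exposed\n" : "FAIL\n";
```

With this shape, the SaveSQL, restore=sql and AddStudent requests in the identification section fail before any handler runs, and the second StudID in the View Student Grades request has no handler that reads it.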
VULNERABILITY EXPLOITATION
Based upon the vulnerabilities identified earlier, exploitation was possible, allowing attackers to
access the application’s sensitive data and functionality. Below are the processes and the levels of
access that can potentially be gained.
Insufficient Function Authorization
As outlined previously in the identification section of this assessment, the downloading of the database
is fully exploitable through exactly the get request and parameter specified there.
Access Gained: Easily access the application’s database, without authentication, to view sensitive data
such as user information and passwords.
Steps:
1. Access the URL: “/phpGradeBook/admin/index.php?action=SaveSQL” from the browser.
2. Database will be downloaded.
Similarly, as outlined previously, the creation of a user without authentication is also exploitable.
Access Gained: Easily create a user account, which was only creatable within the administrator’s area,
without authentication.
Steps:
1. Access the URL with the relevant new user information in the query string:
   “/phpGradeBook/admin/process.php?action=AddStudent&name=testName&stud_id=testStudentId&password=testPass&class_name=SE%20526&notes=testNotes”
   from the browser.
2. The page will reflectively output a success message indicating the user is created.
Cross-site Scripting
Access Gained: The injection of Javascript code that can be executed by any user unknowingly. This can
then be potentially used to redirect users to an attacker’s server, which will allow the attacker to steal
cookies or session/authentication information. With such information, attackers can log into the
account, easily change the password, and take ownership of the account.
Steps:
1. Access the URL: “/phpGradeBook/admin/” from the browser.
2. Log in as an administrator
a. “Admin Name” = admin and “Admin Pass” = superadminpass
b. Or create valid authentication cookies, “adminuser” and “adminpass” (login/cookie
information can be retrieved by downloading the database, as shown in the previous
exploit; adminuser=”admin” and adminpass=”21232f297a57a5a743894a0e4a801fc3”)
3. Access the URL: “/phpGradeBook/admin/index.php?action=ViewAllGrades” from the browser.
4. Modify/inject Javascript code such as “<img src=1 onerror=alert(1)>” in a student’s grade
textbox (textbox with name=”EditGrade[]”).
5. Click the “Commit Edit” button for that student.
6. Access the URL: “phpGradeBook/index.php” from the browser.
7. Click the “View Class Grades” button, with the modified class selected.
8. Confirm Javascript code is executed; check if alert message is shown, in this case.
a. Cookies pertaining to this application can be accessed through Javascript.
Note: To shorten the steps above, Post requests can be sent directly instead. The first 5 steps can be
similarly achieved by sending a post request to “/phpGradeBook/admin/index.php?action=EditGrade”
with the exact parameters outlined previously, in the identification section of this assessment.
Insufficient Authentication
Access Gained: The ability to view the specific detailed information of another user’s grades (data that is
not supposed to be viewable unless logged in as that specific user).
Steps:
1. Similarly outlined previously, in the identification section of this assessment, send a post request
to the URL “/phpGradeBook/index.php” with the following parameters:
a. Type=Cookie, Name=StudID, Value=14112
b. Type=Cookie, Name=StudPass, Value=a029d0df84eb5549c641e04a9ef389e5
c. Type=Body, Name=StudID, Value=<AnotherUser’sId…such as “11214”>
d. Type=Body, Name=UseTerm, empty value
e. Type=Body, Name=action, Value=View+Student+Grades
f. Type=Body, Name=Class, Value=SE+526
2. Confirm that another student’s detailed grade information is shown.
Assessment of HotChat
THREAT MODELING
Application Overview
The HotChat application provides users with the ability to upload a custom emoticon image and to chat
under an inputted nickname and room name. These and other inputs, specifically the uploading of a file,
are known possible vulnerability points.
Interesting Areas
• The homepage allows for the uploading of an emoticon (assumed to be a .gif file) image file.
  o This poses the possible vulnerability of being able to upload and access any file type.
    ▪ By being able to upload any file type, an attacker can possibly upload and run
      malicious scripts, such as ones that can be run within a PHP file, that can do
      various actions such as retrieve or modify data. These scripts essentially create a
      backdoor, allowing the attacker much control over the application.

• XML files, populated through user inputs, are used to store chat information.
  o XML injection is a possible vulnerability due to the ability to populate data in those XML
    files.
    ▪ By being able to input malicious data in input parameters such as query strings,
      post or get requests, or textboxes, users can insert malicious data in XML files.
      This can be used to store invalid data and also potentially cause the XML file to
      be invalid.

• The application uses .hc files, which can be seen by any user, to store user nickname
  information.
  o The functionality of creating or modifying such files, through user inputted requests, can
    allow the possibility of creating these files in unexpected directories within the server.
    ▪ By being able to input the filename and content (nickname) written within that
      file, an attacker can potentially create the file in other directories as well as
      insert malicious text in the file.
VULNERABILITY IDENTIFICATION
Remote File Inclusion
Relevant source code: cadastra_sigla.php (lines 31 - 62)
• Post request to URL: /hotchat/cadastra_sigla.php
  o Assume parameters:
    ▪ “sigla” with appropriate value such as “test” (Type Body)
    ▪ “imagem” with a modified value of a malicious file (such as the
      representation/contents/scripts of a PHP file), attempting to upload a different
      file type to see if the uploading of other file types is possible. (Type Body)
If the upload of a malicious file is a success, see if the output is reflected/file is viewable:
Relevant source code: index.php (lines 79 - 141)
• Get request to URL: /hotchat/chats/emoticons/MaliciouslyUploadedFile.php
• Get request to URL: /hotchat/chats/emoticons/ (to take this one step further and see if the
  list of files is viewable)
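The check that is missing here is on the bytes of the upload, not on its name: the server must establish that the file is a GIF, choose the stored filename itself, and serve the destination directory without PHP execution. The PHP below is an added example for this assessment, not HotChat's code (the same checks apply to the PhpGradebook restore=sql upload). validate_emoticon_upload(), store_emoticon() and the two constants are hypothetical names, and the one-pixel GIF in the self-check is constructed test data.

```php
<?php
// Added example, not HotChat's own code: checks an uploaded emoticon has to
// pass before it is written under chats/emoticons/. The same checks apply to
// the PhpGradebook "restore=sql" upload. validate_emoticon_upload(),
// store_emoticon() and the constants are hypothetical names; the one-pixel
// GIF used in the self-check is constructed test data.
declare(strict_types=1);

const EMOTICON_DIR = __DIR__ . '/chats/emoticons';  // assumed destination
const EMOTICON_MAX_BYTES = 64 * 1024;

/**
 * $upload is one entry of $_FILES. Returns the destination path or throws.
 * The client-supplied name and Content-Type are never consulted.
 */
function validate_emoticon_upload(array $upload): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($upload['size'] ?? 0) > EMOTICON_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 1. The bytes must parse as a GIF image ...
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_GIF) {
        throw new RuntimeException('not a GIF image');
    }
    // 2. ... and libmagic must agree on the type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($upload['tmp_name']) !== 'image/gif') {
        throw new RuntimeException('unexpected MIME type');
    }
    // 3. The stored name is generated here, so "test.php" can never land on disk.
    return EMOTICON_DIR . '/' . bin2hex(random_bytes(8)) . '.gif';
}

function store_emoticon(array $upload): string
{
    $dest = validate_emoticon_upload($upload);
    if (!is_uploaded_file($upload['tmp_name']) || !move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // 4. Defence in depth, outside PHP: the web server must serve this
    //    directory as static files with PHP execution disabled.
    return $dest;
}

// Self-check with constructed files (run with: php this_file.php).
// is_uploaded_file()/move_uploaded_file() only work for real HTTP uploads,
// so only the validation step is exercised here.
function fake_upload(string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    return ['tmp_name' => $tmp, 'size' => strlen($bytes), 'error' => UPLOAD_ERR_OK];
}
$onePixelGif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$phpScript   = "<?php echo 'not an image';";

foreach (['gif' => $onePixelGif, 'php' => $phpScript] as $label => $bytes) {
    $upload = fake_upload($bytes);
    try {
        $dest = validate_emoticon_upload($upload);
        echo "$label accepted, would be stored as " . basename($dest) . "\n";
    } catch (RuntimeException $e) {
        echo "$label rejected: {$e->getMessage()}\n";
    }
    unlink($upload['tmp_name']);
}
```

Steps 1 and 2 still accept a file that is a valid GIF with extra data appended after the image, which is why step 3 (a server-chosen .gif name) and step 4 (no script execution in the emoticons directory) are part of the control rather than optional extras; re-encoding the image with GD before storing it is a further option where the image library is available.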
XML Injection
Relevant source code: index.php (lines 64 - 71)
• Get request to URL:
  /hotchat/cadastra.php?nick_escritor=</NICK><SCOTT>hacked</SCOTT><NICK>&frase_escritor=chatText&room_escritor=someRoomXmlFileThatExistsInTheChatDirectory
  o Assume parameters:
    ▪ “nick_escritor” with a malicious value of the tags and data that should be
      injected, such as, in this scenario,
      “%3C/NICK%3E%3CSCOTT%3Ehacked%3C/SCOTT%3E%3CNICK%3E” (Type URL)
    ▪ “frase_escritor” with appropriate value such as “chatText” (Type URL)
    ▪ “room_escritor” with appropriate value such as
      “someRoomXmlFileThatExistsInTheChatDirectory” (Type URL)
Path Traversal
Relevant source code: index.php (lines 9 - 17 and 45 - 50)
• Get request to URL:
  /hotchat/chat_users.php?nick=testNick&room=../test&operation=testOperation
  o Assume parameters:
    ▪ “nick” with value of text to be saved in file, such as “testNick” (Type URL)
    ▪ “room” with a malicious value of file name and the levels of directories to
      traverse, such as “../test” (Type URL)
    ▪ “operation” with the value of “testOperation” (Type URL)
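The XML Injection and Path Traversal classes above are both fixed by refusing to build a structured artifact (an XML document, a filesystem path) from raw strings. The PHP below is an added example for this assessment, not HotChat's code: the chat XML is built with DOM so a nickname can only ever become text, and the room name is validated as an identifier and its resolved path confined to the chat directory. Function names, the CHAT, MSG and FRASE element names and the "_users.hc" suffix handling are assumptions; NICK is the element the injected string in the assessment targets.

```php
<?php
// Added example, not HotChat's own code. Two fixes for the sections above:
// the chat XML is built with DOM so a nickname can only ever become text
// (XML Injection), and the room name is validated and its resolved path
// confined to the chat directory (Path Traversal). Function names, the
// <CHAT>/<MSG>/<FRASE> element names and the "_users.hc" suffix handling are
// assumptions; <NICK> is the element the injected string in the assessment targets.
declare(strict_types=1);

/** A room is an identifier, not a path: letters, digits, '_' and '-', 1 to 32 chars. */
function validate_room(string $room): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $room)) {
        throw new InvalidArgumentException("invalid room name '$room'");
    }
    return $room;
}

/**
 * Second layer: even a validated name must resolve inside $chatDir.
 * realpath() collapses any "../" so the comparison is on canonical paths.
 */
function room_file(string $chatDir, string $room, string $suffix): string
{
    $base = realpath($chatDir);
    if ($base === false) {
        throw new RuntimeException('chat directory missing');
    }
    $path = $base . DIRECTORY_SEPARATOR . validate_room($room) . $suffix;
    if (realpath(dirname($path)) !== $base) {
        throw new RuntimeException('path escapes chat directory');
    }
    return $path;
}

/** Append a message; createTextNode() escapes <, > and & for us. */
function append_chat_message(DOMDocument $doc, string $nick, string $phrase): void
{
    $msg = $doc->createElement('MSG');
    $msg->appendChild($doc->createElement('NICK'))->appendChild($doc->createTextNode($nick));
    $msg->appendChild($doc->createElement('FRASE'))->appendChild($doc->createTextNode($phrase));
    $doc->documentElement->appendChild($msg);
}

// Self-check with constructed input (run with: php this_file.php).
$doc = new DOMDocument('1.0', 'UTF-8');
$doc->appendChild($doc->createElement('CHAT'));
append_chat_message($doc, '</NICK><SCOTT>hacked</SCOTT><NICK>', 'chatText');
$xml = $doc->saveXML();
$check = new DOMDocument();
$check->loadXML($xml);
echo $check->getElementsByTagName('SCOTT')->length === 0 ? "no injected element\n" : "FAIL\n";
echo $check->getElementsByTagName('NICK')->item(0)->textContent, "\n"; // literal text, tags included

$tmpDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'hc_' . bin2hex(random_bytes(4));
mkdir($tmpDir);
foreach (['lobby', '../test', 'a/../../etc'] as $room) {
    try {
        echo "ok: ", basename(room_file($tmpDir, $room, '_users.hc')), "\n";
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo "rejected: {$e->getMessage()}\n";
    }
}
rmdir($tmpDir);
```

The same validate_room() would be applied to room_escritor on cadastra.php before the room's XML file is opened, so one identifier rule serves both the XML and the .hc writes. Using the DOM API rather than string concatenation also means a malformed nickname can no longer leave the room file unparseable for everyone else.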
VULNERABILITY EXPLOITATION
Remote File Inclusion
Access Gained: The ability to upload any file type, will allow an attacker to upload and run malicious
scripts that can do various actions such as retrieve or modify data. These scripts essentially create a
backdoor, allowing the attacker much control over the entire application. The attacker can also
potentially upload a shell and execute system commands through that shell.
Steps:
1. Access the URL “/hotchat/cadastra_sigla.php” from the browser.
2. Enter into the “Text:” textbox the value of “test”.
3. Choose a local PHP file such as “test.php” to upload by clicking the “Choose File” button.
4. Click the “Send!” button.
5. Access the URL “hotchat/chats/emoticons/” from the browser.
6. Confirm that your file is successfully uploaded and exists on the server by seeing it on the list of
files.
7. Execute/view your script by accessing the URL “hotchat/chats/emoticons/test.php” from your
browser.
XML Injection
Access Gained: Attackers can insert malicious data in XML files, injecting invalid data and also
potentially causing the XML file to be invalid. When the application or users retrieve data from this XML,
they will retrieve erroneous information, or worse, if the file becomes invalid, they will see errors
retrieving such data.
Steps:
1. Access the URL
   “/hotchat/cadastra.php?nick_escritor=</NICK><SCOTT>hacked</SCOTT><NICK>&frase_escritor=chatText&room_escritor=someRoomXmlFileThatExistsInTheChatDirectory”
   from the browser.
a. Or send a get request to the URL “/hotchat/cadastra.php” with the following
parameters:
i. “nick_escritor” with the value of
“%3C/NICK%3E%3CSCOTT%3Ehacked%3C/SCOTT%3E%3CNICK%3E” (Type URL)
ii. “frase_escritor” with the value of “chatText” (Type URL)
iii. “room_escritor” with the value of
“someRoomXmlFileThatExistsInTheChatDirectory” (Type URL)
2. Confirm that the injected data/tags, “<SCOTT>hacked</SCOTT>”, are present within the
returned page and XML file.
a. The XML file can be accessed through this URL within the browser:
i. “/hotchat/chats/someRoomXmlFileThatExistsInTheChatDirectory.xml”
Path Traversal
Access Gained: Attackers can create a file and write any content they want in an unintended directory
within the server.
Steps:
1. Access the URL
“/hotchat/chat_users.php?nick=testNick&room=../test&operation=testOperation” from the
browser.
a. Or send a get request to the URL “/hotchat/chat_users.php” with the following
parameters:
i. “nick” with value of “testNick” (Type URL)
ii. “room” with the value of “../test” (Type URL)
iii. “operation” with the value of “testOperation” (Type URL)
2. Confirm that the new file exists in this unintended directory by accessing this URL from within
the browser: “/hotchat/test_users.hc”
3. Confirm that the content of “testNick” is present in that file, on your browser’s screen.