My Take on Creating an Application Security Report

I'm sharing my project work for the Udacity Security Engineer Nanodegree Program's capstone project, Application Security Report. In the Application Security Module I was tasked with performing penetration testing on a web application (VulnWebApp) and writing a report on the findings.

Project Summary

You will need to manually test the vulnerable web application to find all vulnerabilities and write up documentation to help the development team patch the code. The writeup clearly outlines the steps needed to reproduce each security issue and the best practices (OWASP Top 10) that help the development team understand the issue.

We were only permitted to use the Python tools listed below:

.
├── bruteforce.py # Use for Brute force attack
├── checkhash.py # Checking the hash value of a value
├── hashid.py # Checking the hash algorithm name 
└── performbase64.py # Converting a value to/from Base64

Application Security Report

Broken Authentication - Login Endpoint (Critical)

Vulnerability Exploited: A02:2017 Broken Authentication

Severity: Critical

Vulnerability Explanation

The application is only accessible to authenticated users through the Login endpoint. A simple brute-force attack against the application’s login page results in a successful login.

Steps to Reproduce

  1. Run a brute-force attack with the tool provided in the lab in the following way:
    python bruteforce2.py -U test-username.txt -P test-password.txt -d username=^USR^:password=^PWD^ -m POST -f "Login Failed" http://<host>/login

  2. Grab the credentials found by the tool: guest:orange [screenshot]
  3. Log in with the found credentials: [screenshot]

Recommendations

  • Where possible, implement multi-factor authentication to prevent automated credential stuffing, brute force, and stolen credential reuse attacks.
  • Implement weak password checks, such as testing new or changed passwords against the top 10,000 worst passwords list.
  • OWASP Reference: link

Broken Access Control – Customers Endpoint (Critical)

Vulnerability Exploited: A05:2017 Broken Access Control

Severity: Critical

Vulnerability Explanation

The application has a Customers endpoint that is only accessible by administrators. Because of the insecure deserialization vulnerability in the session cookie, we can elevate our privileges to admin and access sensitive customer information.

Steps to Reproduce

  1. Log in as a guest user and extract the cookie by opening the DEV Tools in the browser: [screenshot]
  2. Decode the cookie with the provided tool: [screenshot]
  3. Modify the value of the cookie to 1:admin and encode it again with the same tool: [screenshot]
  4. Use the cookie to access the Customers endpoint: [screenshot]

Recommendations

  • The only safe architectural pattern is not to accept serialized objects from untrusted sources or to use serialization mediums that only permit primitive data types.
  • Or implement integrity checks such as digital signatures on any serialized objects to prevent hostile object creation or data tampering.
  • OWASP Reference: link

Broken Access Control – Users Endpoint (Critical)

Vulnerability Exploited: A05:2017 Broken Access Control

Severity: Critical

Vulnerability Explanation

The application has a Users endpoint that is only accessible by administrators. Because of the insecure deserialization vulnerability in the session cookie, we can elevate our privileges to admin and access sensitive user information.

Steps to Reproduce

  1. Log in as a guest user and extract the cookie by opening the DEV Tools in the browser: [screenshot]
  2. Decode the cookie with the provided tool: [screenshot]
  3. Modify the value of the cookie to 1:admin and encode it again with the same tool: [screenshot]
  4. Use the cookie to access the Users endpoint: [screenshot]

Recommendations

  • The only safe architectural pattern is not to accept serialized objects from untrusted sources or to use serialization mediums that only permit primitive data types.
  • Or implement integrity checks such as digital signatures on any serialized objects to prevent hostile object creation or data tampering.
  • OWASP Reference: link
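Added example for both Broken Access Control findings (it is not the application's code): the cookie layout base64("<id>:<role>") is an assumption drawn from step 3. The vulnerable parser is shown beside a version that signs the serialized primitives with HMAC-SHA256, as the integrity-check recommendation describes, so the re-encoded 1:admin cookie is rejected. SECRET_KEY and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical server-side key; load it from a secret store in a real deployment.
SECRET_KEY = secrets.token_bytes(32)
TAG_LEN = 32  # HMAC-SHA256 output size


def parse_cookie_vulnerable(cookie: str) -> tuple:
    """Pattern the report exploits: the cookie is only base64("<id>:<role>"),
    so whoever holds it can choose its own role."""
    user_id, role = base64.b64decode(cookie).decode().split(":", 1)
    return int(user_id), role


def issue_cookie(user_id: int, role: str, key: bytes = SECRET_KEY) -> str:
    """Serialize primitives only and append an HMAC-SHA256 tag over them."""
    payload = f"{user_id}:{role}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def parse_cookie_signed(cookie: str, key: bytes = SECRET_KEY):
    """Return (id, role) only when the tag verifies; anything else is None."""
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except ValueError:
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # edited or forged cookie: reject before reading the role
    user_id, role = payload.decode().split(":", 1)
    return int(user_id), role


def reencode_with_role(cookie: str, old: str, new: str) -> str:
    """Step 3 of the report (decode, edit the role text, re-encode), kept here
    only to show that the signed parser rejects the result."""
    raw = base64.urlsafe_b64decode(cookie)
    return base64.urlsafe_b64encode(raw.replace(old.encode(), new.encode())).decode()
```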

Cross-Site Scripting (XSS) – Profile Endpoint (High)

Vulnerability Exploited: A07:2017 Cross-Site Scripting (XSS)

Severity: High

Vulnerability Explanation

At the Profile endpoint, users can send messages to other users. The Messages section is vulnerable to a stored XSS attack when logged in as an administrator user. A malicious user can exploit this vulnerability to access sensitive data (e.g. the content of the cookie).

Steps to Reproduce

  1. Log in as an administrator user.
  2. Put the following script into the Message section’s input field at the Profile endpoint and send the message:
    <script>alert(1);</script>

    [screenshot]
  3. The webpage responds with the following message, proving that it is vulnerable to XSS attacks: [screenshot]

Recommendations

  • Use frameworks that automatically escape XSS by design, such as the latest Ruby on Rails or React JS. Learn the limitations of each framework’s XSS protection and appropriately handle the use cases which are not covered.
  • Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities.
  • OWASP Reference: link
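An added example (not from the report or the application) of the per-context escaping recommended above, applied to the exact payload from step 2. render_message, render_message_vulnerable and showPreview are hypothetical names standing in for the Messages section's template.

```python
import html
import json
from urllib.parse import quote

# Constructed sample: the payload from the report's step 2.
PAYLOAD = "<script>alert(1);</script>"


def escape_html_text(value: str) -> str:
    """HTML body / text-node context."""
    return html.escape(value, quote=False)


def escape_html_attr(value: str) -> str:
    """Quoted attribute context: quotes must be escaped as well."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """JavaScript string-literal context: JSON-encode, then neutralize the
    characters that could close a <script> block or open an HTML tag."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def escape_url_param(value: str) -> str:
    """URL query-parameter context."""
    return quote(value, safe="")


def render_message_vulnerable(sender: str, body: str) -> str:
    """The stored-XSS pattern: user input pasted straight into the page."""
    return f'<div class="msg" data-from="{sender}"><p>{body}</p></div>'


def render_message(sender: str, body: str) -> str:
    """Render one stored message, choosing the encoder per output context."""
    return (
        f'<div class="msg" data-from="{escape_html_attr(sender)}">'
        f"<p>{escape_html_text(body)}</p>"
        f'<a href="/profile?user={escape_url_param(sender)}">reply</a>'
        f"<script>showPreview({escape_js_string(body)});</script>"
        "</div>"
    )
```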

SQL Injection – Customers Endpoint (High)

Vulnerability Exploited: A01:2017 Injection

Severity: High

Vulnerability Explanation

At the Customers endpoint, customer-related data can be accessed with administrator privileges. The “id” parameter of the endpoint is vulnerable to SQL injection when logged in as an administrator user. A malicious user can exploit this vulnerability to read the content of the database or take over the system.

Steps to Reproduce

  1. Log in as an administrator user.
  2. Put the following URL into the browser’s address bar:
    http://<host>/customers/id/1' or 1=1;-- -

  3. The customer password data is exposed: [screenshot]

Recommendations

  • Do not trust client-side input, even if there is client-side validation in place.
  • In general, type check all data on the server side.
  • Use prepared statements or ORM on the backend.
  • Do not concatenate strings into queries in the stored procedure, or use exec, exec immediate, or equivalent functionality!
  • Do not create dynamic SQL queries using simple string concatenation.
  • Escape all data received from the client.
  • Apply an 'allow list' of allowed characters, or a deny list of disallowed characters in user input.
  • Apply the principle of least privilege by using the least privileged database user possible.
  • Grant the minimum database access that is necessary for the application.
  • OWASP Reference: link

SQL Injection – Profile/Userlist Endpoint (High)

Vulnerability Exploited: A01:2017 Injection

Severity: High

Vulnerability Explanation

The “id” parameter of the Profile/Userlist endpoint is vulnerable to SQL injection when logged in as an administrator user. A malicious user can exploit this vulnerability to read the content of the database or take over the system.

Steps to Reproduce

  1. Log in as an administrator user.
  2. Put the following URL into the browser’s address bar:
    http://<host>/profile/userlist/id/1' or 1=1;-- -

  3. All users of the system are exposed: [screenshot]

Recommendations

  • Do not trust client-side input, even if there is client-side validation in place.
  • In general, type check all data on the server side.
  • Use prepared statements or ORM on the backend.
  • Do not concatenate strings into queries in the stored procedure, or use exec, exec immediate, or equivalent functionality!
  • Do not create dynamic SQL queries using simple string concatenation.
  • Escape all data received from the client.
  • Apply an allow list of allowed characters, or a deny list of disallowed characters in user input.
  • Apply the principle of least privilege by using the least privileged database user possible.
  • Grant the minimum database access that is necessary for the application.
  • OWASP Reference: link
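Added example for both SQL injection findings (not the application's code): the query pattern that lets the `1' or 1=1;-- -` path segment rewrite the WHERE clause, beside the server-side type check and parameterized query the recommendations call for. It uses an in-memory SQLite table with constructed rows; the real backend and schema are unknown.

```python
import sqlite3

# Constructed sample rows standing in for the lab's customers table.
SAMPLE_CUSTOMERS = [(1, "pdoe"), (2, "jdoe"), (3, "ddoe"), (4, "mdoe"), (5, "ndoe")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """The pattern behind /customers/id/<value>: the path segment is pasted into
    the SQL text, so a quote inside it turns data into query syntax."""
    return conn.execute(
        f"SELECT id, name FROM customers WHERE id = '{raw_id}'").fetchall()


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Type-check on the server (id must be an integer) and bind it as a
    parameter, so the value can never change the shape of the query."""
    try:
        customer_id = int(raw_id)
    except ValueError:
        raise ValueError(f"invalid customer id: {raw_id!r}") from None
    return conn.execute(
        "SELECT id, name FROM customers WHERE id = ?", (customer_id,)).fetchall()
```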

Sensitive Data Exposure – User Passwords in Cleartext (Medium)

Vulnerability Exploited: A03:2017 Sensitive Data Exposure

Severity: Medium

Vulnerability Explanation

Because of the SQL injection vulnerability, we can freely select information from the application’s database. Selecting from the “users” table shows that passwords are stored in cleartext, which is an insecure way of handling passwords.

Steps to Reproduce

  1. Log in as an administrator.
  2. Put the following URL into the browser’s address bar:
    http://<host>/userlist/id/1';SELECT * FROM users;-- -

    [screenshot]

Recommendations

  • Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.
  • OWASP Reference: link

Security Misconfiguration – Customers Endpoint (Medium)

Vulnerability Exploited: A06:2017 Security Misconfiguration

Severity: Medium

Vulnerability Explanation

The application has the Customers endpoint that is only accessible by the administrators. Sensitive customer data (hashed passwords) can be exposed by a simple enumeration of the /customers/id/ path.

Steps to Reproduce

  1. Log in as an administrator user.
  2. Try any of the following URLs in the browser:
    http://<host>/customers/id/1
    http://<host>/customers/id/2
    http://<host>/customers/id/3
    http://<host>/customers/id/4
    http://<host>/customers/id/5

    [screenshot]

Recommendations

  • A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically, with different credentials used in each environment. This process should be automated to minimize the effort required to set up a new secure environment.
  • A minimal platform without any unnecessary features, components, documentation, and samples. Remove or do not install unused features and frameworks.
  • OWASP Reference: link

Sensitive Data Exposure – Passwords Stored in MD5 (Medium)

Vulnerability Exploited: A03:2017 Sensitive Data Exposure

Severity: Medium

Vulnerability Explanation

Because of the SQL injection and sensitive data exposure vulnerabilities, we can freely select information from the application’s database or enumerate the /customers/id/ path. Selecting from the “customers” table shows that passwords are stored as MD5 hashes, which is insecure and can easily be reversed.

Steps to Reproduce

  1. Log in as an administrator user.
  2. Put the following URL in the browser:
    http://<host>/customers/id/1

    [screenshot]
  3. Grab the revealed password hash and check it with the provided tool:
    python hashid.py "d8578edf8458ce06fbc5bb76a58c5ca4"

    [screenshot]
  4. It confirms that the hash is MD5.
  5. Based on this, use the hash revert tool to reveal all the passwords:
    pdoe:d8578edf8458ce06fbc5bb76a58c5ca4 -> qwerty
    jdoe:5f4dcc3b5aa765d61d8327deb882cf99 -> password
    ddoe:e807f1fcf82d132f9bb018ca6738a19f -> 1234567890
    mdoe:8621ffdbc5698829397d97767ac13db3 -> dragon
    ndoe:df53ca268240ca76670c8566ee54568a -> computer

Recommendations

  • Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.
  • OWASP Reference: link
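Added example for both Sensitive Data Exposure findings (not code from the report or the lab tools): it shows why the leaked MD5 values map straight back to the passwords listed in step 5, and the salted PBKDF2-HMAC-SHA256 storage the recommendation calls for. The storage string format and iteration count are choices made here, not the application's.

```python
import hashlib
import hmac
import secrets

# Two (customer, hash) pairs quoted from the report's step 5.
LEAKED = {"pdoe": "d8578edf8458ce06fbc5bb76a58c5ca4",
          "jdoe": "5f4dcc3b5aa765d61d8327deb882cf99"}

ITERATIONS = 600_000  # OWASP's current guidance for PBKDF2-HMAC-SHA256


def md5_hex(password: str) -> str:
    """Unsalted and fast: equal passwords give equal hashes, so a table of
    precomputed MD5 values reverses a leaked hash instantly."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters,
    so the work factor can be raised later without breaking old records."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; constant-time compare."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False  # refuse legacy formats instead of silently accepting them
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)
```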

Security Misconfiguration – Cookie Without HttpOnly Flag (Low)

Vulnerability Exploited: A06:2017 Security Misconfiguration

Severity: Low

Vulnerability Explanation

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page, then the cookie will be accessible and can be transmitted to another site. If this is a session cookie, then session hijacking may be possible.

Steps to Reproduce

  1. Log in as a guest or administrator user.
  2. Open DEV Tools in the browser and navigate to the Console tab.
  3. Enter the following into the console:
    document.cookie

    [screenshot]

Recommendations

  • Ensure that the HttpOnly flag is set for all cookies.
  • OWASP Reference: link
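Added example, not the application's code: building a Set-Cookie header with HttpOnly, Secure and SameSite via Python's http.cookies, and a small audit function that lists which of those attributes a captured Set-Cookie header lacks, for checking responses seen in DEV Tools or a proxy log. The cookie name and value are constructed.

```python
from http.cookies import SimpleCookie

# Attributes every session cookie should carry; checked by name, case-insensitive.
REQUIRED_FLAGS = ("httponly", "secure", "samesite")


def build_session_cookie(name: str, value: str) -> str:
    """Return the Set-Cookie value for a session cookie that document.cookie
    cannot read (HttpOnly), is sent only over TLS (Secure) and is not attached
    to cross-site requests (SameSite=Lax)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    return jar.output(header="").strip()


def missing_cookie_flags(set_cookie_value: str) -> list:
    """Audit one Set-Cookie value; returns the protective attributes it lacks,
    in REQUIRED_FLAGS order (empty list means the cookie is fully flagged)."""
    attrs = [p.strip() for p in set_cookie_value.split(";")[1:]]
    present = {a.split("=", 1)[0].lower() for a in attrs if a}
    return [flag for flag in REQUIRED_FLAGS if flag not in present]
```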