Professional Documents
Culture Documents
ITM 415
April 11, 2017
Authors:
Grant Heelan
Patrick Walker
Executive Summary
We performed both manual testing and automated tests on the application. For
automated tests, we used fuzzing, spidering, and active scanners within ZAP. Though
the automated tools and manual testing we found multiple vulnerabilities, some a larger
threat than others. One of the vulnerabilities found with a large threat is reflective cross-
site scripting. We could write script on the search bar and the script would be executed
by the server. This vulnerability could be fixed by by the developers by employing
escaping. Utilizing escaping, the script would be taken literally, therefore, not executed
as code. In addition, the developers could also limit the amount of characters that can
be entered by a user into the search bar. With the search field limited, an attacker
couldnt write long, complex code in order to defeat escaping and other protective
measures in place.
Another vulnerability that we found is that the login data is being passed over
HTTP, thus, unencrypted. Even if the usernames and passwords are encrypted or
hashed in the database, an attacker could still intercept the data being passed by the
browser to the database using a sniffer or MITM attack before its encrypted/hashed.
This may not be that harmful to the organization if a general users account is
compromised but if an attacker gain the credentials to a superuser or admin, the effect
could become disastrous.
Scope
Tests Performed
The following automated tests were all completed using ZAP. The first scan we
performed on the website was a spider. The spider can crawl through all possible links
on the site. The spider was launched when the user was logged into the account. This is
so the spider will be able to access more of the page as a logged in user. The next test
that was executed on the site was an active scan with the scope of the scan set for the
URL: 192.168.1.248/getboo. No parameters were set for the active scan. The last
automated test that was performed on the site was a fuzzer. The fuzzer fills the website
with random requests to detect information leaks and establishes how susceptible the
server is to crashing with stack overflow. Fuzzing is used to try to pass untrusted data
as trusted data to a site for processing to see how the site will deal with the information
passed its way. In this regard, fuzzing can be beneficial in identifying a possible cross-
site scripting vulnerability. Initially, we selected all the fuzzing loads to be executed
through the site but we quickly found out that this method returned a great deal of
scripts that were reflected off the web page. Testing the variety of loads from the results
would be a difficult task. Instead, we decided to execute the fuzzer with just cross-site
scripting loads.
Manual testing was also used in addition to automated tools. Although the
scanner and fuzzing results did not return an alert for a SQL Injection vulnerability, we
wanted to run additional manual tests to eliminate the possibility for a false negative.
Our first test was to type in a single () into a search field, trying to generate an error
message with some information. With no success we planned to try again to generate
an error message or to gain access a list of all users username with the tautology
script: SELECT* FROM users WHERE user_id = 1 OR 1=1;#. Both the search bar
field, username field, and password field had a character limit for the input field, making
it difficult to execute an SQL script. We did find two fields that allowed for enough
characters to insert a script into the web page, the email field when registering for an
account and the search field. We were unsuccessful in our attempts to insert an SQL
injection into the page, therefore, the web application passed our SQL injection
assessment.
A possible XSS vulnerability was found through fuzzer; certain XSS script could
be reflected off the webpage. To test for a possible false positive, manual testing was
conducted to attempt to duplicate the results from the scanner/fuzzer. JavaScript was
entered into the search bar in an attempt to create a pop up window appear. The script
that was entered was: <script>alert(hi);</script>. Image 4 shows the screenshot of the
pop-up that was created in the webpage.
Vulnerabilities Identified
Classification / High
Severity
Detailed The input from the fuzzer caused a stack overflow where
Description information was leaked about a hidden page was revealed.
Classification / Low
Severity
Detailed The attacker can brute force their way through the admin
Description account, then they would have full rights to do just about
anything they want. The reason I pointed it out as mild is
because it may be hard to brute force but the problem
should be adjusted sooner than later to make sure nobody
knows that the only thing incorrect is the password.
Classification / Low
Severity
Recommended Fix Limit the amount of characters the user can enter for a max
of 25-50 characters.
Classification / High
Severity
Scope The script was executed on one page but it could potentially
affect the entire site.
Recommended The web developers could use escaping where the <>
Fix would be taken literally as not as a tag. The developers
could limit the length of the characters in the search field.
Vulnerability 5a- Login Data Passed Over HTTP (image 5)
Classification / High
Severity
Recommended Fix The login page needs to set up using HTTPS protocol.
Appendix
Image 1
Image 2
Image 3
Image 4
Image 5