diff --git a/content/notes/ass01-security-audit.md b/content/notes/ass01-security-audit.md index 71bf5d116..9df4e29a5 100644 --- a/content/notes/ass01-security-audit.md +++ b/content/notes/ass01-security-audit.md @@ -73,55 +73,10 @@ CWE: 22 ### Cleartext Transmission of Sensitive Information CWE: 319 -When a user logs in, their username and unhashed password are transmitted in a cleartext post request to the server. This informaiton is susceptible to a man in the middle attack and other kinds of interception. +When a user logs in, their username and unhashed password are transmitted in a cleartext post request to the server. This information is susceptible to a man in the middle attack and other kinds of interception. #### Example payload: ![example payload](https://i.imgur.com/9Tn6gx1.png) ## Conclusion - - - - - - - - - - - - - - - - - - - - - - - - - - - - -## SQL Injection -- can log in to admin using username: " 'or 1=1;--" -- we are able to extract data which is displayed as the users username -- we can extract the data from the data base using this "username" - - ' union select group_concat(username||':'||password||':'||name||':'||credit_card_number||':'||credit_card_expiry||':'||credit_card_cvv) from user as name;-- - - I was able to crack 48 of the 101 passwords using the rockyou wordlist. I'm sure It would not be difficult to crack more. -- you cant also update the data. E.g., set the price of all products to zero using this as a username in the login box - - '; update PRODUCT set UNIT_PRICE = 0 where 1=1;-- - -## Javascript Injection -- It ispossible to perform a javascript injection as the users name is displayed in the website. and prodcut information is displayed in the view catalogue page -- I was able to create an account and log in using the username ''''. However when I did log in the username wasn't displayed in the browser, and alert didn't show. I also repeated the process with the user name '''' which also didn't run -- You was able to update a product name to be a script which would then run on others systems - - e.g. '; update PRODUCT set DESCRIPTION = '' where PRODUCT_ID = 67696;-- -- this could be used to export JSESSIONIDs of other users. Which would allow the attack to access their account (while the other user is logged in). -- It could also be used to present the user with a legitamate seeming message encouraging them to open a malicious link. - -## Other +This system is not secure. I was able to identify multiple vulnerabilities, and successfully carry out attacks to exploit these vulnerabilities. The most damaging of these was a simple SQL Injection attack. I was able to extract the credit card information of all the users, and crack the passwords of nearly 50% of the accounts. This is a major security issue.