From ae3829ccc83570d61dda0e75c2597602a94eafdd Mon Sep 17 00:00:00 2001
From: Jet Hughes
Date: Thu, 8 Sep 2022 18:02:28 +1200
Subject: [PATCH] vault backup: 2022-09-08 18:02:28

---
 content/notes/ass01-security-audit.md | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/content/notes/ass01-security-audit.md b/content/notes/ass01-security-audit.md
index d73dae9b8..6576893b3 100644
--- a/content/notes/ass01-security-audit.md
+++ b/content/notes/ass01-security-audit.md
@@ -26,7 +26,20 @@ In the username field of the login form I entered the string:
 
 ' union select group_concat(username||':'||password||':'||name||':'||credit_card_number||':'||credit_card_expiry||':'||credit_card_cvv) from user as name;--
 
-This resulted in all the users data
+This resulted in all the users data and hashed passwords being displayed in the browser. I was then able to crack 48 of the passwords using hashcat and the rockyou wordlist.
+
+## Cross site scripting/Javascript injection
+CWE: 79
+
+The product catalogue is visible to other users. This means if we were able to update the product information in the database we could run javascript on the brower of other users.
+
+Since we are able to inject SQL using the username field on the login page, we can execute an UPDATE command on the database. This is the input I used:
+
+'; update PRODUCT set DESCRIPTION = '' where PRODUCT_ID = 67696;--
+
+An attacker could use this to present the user with an unsafe link, or export data such as session Id to a remote server where they can view it.
+
+I was also able to create an account with the username ''", however when I logged in, the alert was not shown and the username in the login page was blank.
 
 ## Password policy
 - must have at least 5 characters and one digit.