GitHub/quartz
1
0
Fork 2
mirror of https://github.com/jackyzha0/quartz.git synced 2025-12-27 14:54:05 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity

vault backup: 2022-09-09 10:07:42

Browse Source
This commit is contained in:
Jet Hughes 2022-09-09 10:07:42 +12:00
parent 4ce86af935
commit dfffae2157
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
content/notes/ass01-security-audit.md
View File

@ -31,6 +31,8 @@ In the username field of the login form I entered the string:
' union select group_concat(username||':'||password||':'||name||':'||credit_card_number||':'||credit_card_expiry||':'||credit_card_cvv) from user as name;-- ' union select group_concat(username||':'||password||':'||name||':'||credit_card_number||':'||credit_card_expiry||':'||credit_card_cvv) from user as name;--
' union (select TABLE_NAME, TABLE_SCHEMA, 1, 2 FROM information_schema.tables) ;--
This resulted in all the users data, credit card informaton, and hashed passwords being displayed in the browser. I was then able to crack 48 of the passwords using hashcat and the rockyou wordlist. This resulted in all the users data, credit card informaton, and hashed passwords being displayed in the browser. I was then able to crack 48 of the passwords using hashcat and the rockyou wordlist.
An attacker would not know the names of the fields or the tables. However security through obscurity is not sufficient and an attacker could guess or otherwise find the information. An attacker would not know the names of the fields or the tables. However security through obscurity is not sufficient and an attacker could guess or otherwise find the information.
@ -73,10 +75,14 @@ CWE: 22
### Cleartext Transmission of Sensitive Information ### Cleartext Transmission of Sensitive Information
CWE: 319 CWE: 319
When a user logs in, their username and unhashed password are transmitted in a cleartext post request to the server. This information is susceptible to a man in the middle attack and other kinds of interception. When a user logs in, their username and unhashed password are transmitted in a cleartext post request to the server. This information is susceptible to a man in the middle attack and other methods of interception.
#### Example payload: #### Example payload:
![example payload](https://i.imgur.com/9Tn6gx1.png) ![example payload](https://i.imgur.com/9Tn6gx1.png)
## Conclusion ## Conclusion
This system is not secure. I was able to identify multiple vulnerabilities, and successfully carry out attacks to exploit these vulnerabilities. The most damaging of these was a simple SQL Injection attack. I was able to extract the credit card information of all the users, and crack the passwords of nearly 50% of the accounts. This is a major security issue. This system is not secure. I was able to identify multiple vulnerabilities, and successfully carry out attacks to exploit these vulnerabilities.
The most severe of these was a simple SQL Injection attack. I was able to extract the credit card information of all the users, and crack the passwords of nearly 50% of the accounts. This is a major security issue.
I was also able to inject Javascript code into the database which would then be run on the browser of other users.