Subdomain Hunting
Google Dorking for Info Leakage
Scanning and Enumeration
Webserver Fingerprinting
Banner Grabbing
Wappalyzer reveals the following details:
Web Frameworks: Microsoft ASP.NET 4.0.3.0319
Operating System: Windows
Javascript Libraries: jQuery 2.1.1
Using Burp Suite to perform banner grabbing also confirms some of the above details:
Response to a request for the homepage
Forcing an HTTP 404 error also confirms our results:
/robots.txt file
The site contains a /robots.txt file. Navigating to it reveals some interesting information.
Navigating to both /scripts and /images shows me the message below:
However, /secret/admin shows me the message page below:
But /api/admin/users reveals the following:
We just found users' credentials in JSON format. To make matters worse, the passwords are stored in plaintext. We can potentially take over any account we wish to. We can even look for admin users using the property IsAdmin:true.
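As an added example (not code from the application under test), this is how the user store and the admin users endpoint should have been built so that neither the API response nor a copy of the table hands out passwords: the password is salted and hashed with PBKDF2 at registration, and every API serialization goes through a field allow-list. The field names and sample accounts are assumptions modelled on the leaked JSON.

```python
import hashlib
import hmac
import json
import os

# Example added to this write-up (not the target application's code): how the
# user store and the /api/admin/users endpoint should be built so that neither
# a leaked response nor a leaked database yields usable passwords.

PBKDF2_ITERATIONS = 600_000  # current OWASP recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str) -> str:
    """Salted PBKDF2; the result is a self-describing record, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample accounts in the shape of the leaked JSON (field names assumed).
SAMPLE_USERS = [
    {"id": 1, "email": "admin@example.test", "password": "admin-pass-1", "isAdmin": True},
    {"id": 91, "email": "me@example.test", "password": "my-pass-1", "isAdmin": False},
]


def build_user_store(raw_users: list) -> list:
    """Setup only: replace each plaintext password with its hash. After this the
    plaintext exists nowhere in the application."""
    return [
        {**{k: v for k, v in u.items() if k != "password"},
         "passwordHash": hash_password(u["password"])}
        for u in raw_users
    ]


USER_STORE = build_user_store(SAMPLE_USERS)

# Allow-list of fields any API response may contain. Secrets are excluded by
# construction rather than by remembering to strip them on each endpoint.
PUBLIC_USER_FIELDS = ("id", "email", "isAdmin")


def serialize_user(user: dict) -> dict:
    return {k: user[k] for k in PUBLIC_USER_FIELDS if k in user}


def admin_users_endpoint(users: list = USER_STORE) -> str:
    """JSON body for an admin-only users listing. Authorization of the caller is a
    separate, server-side check that must sit in front of this function."""
    return json.dumps([serialize_user(u) for u in users])


if __name__ == "__main__":
    print(admin_users_endpoint())
```

Run stand-alone, the block prints the listing; a leaked copy of it, or of USER_STORE itself, contains only salted hashes, and the IsAdmin flag stays visible for the legitimate admin use the write-up mentions without giving away anything that logs a user in.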
When using the search bar, the input is reflected back in the page. Potential for XSS or injection?
Reflected searchbar input
Email (and Password) Enumeration
When creating a new account, the application reveals that a particular password already exists in the database and is in use by a specified user. This allows us to enumerate emails, and their corresponding passwords, using an email list.
Alternatively, we can also go through the credentials json file we found earlier.
Email and Password Enumeration
Additionally, when using the forgot-password reset feature, the error message allows email enumeration.
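The fix for all three enumeration points (registration, forgot password, and the login page discussed later) is the same: the HTTP response must not depend on whether the email or the password already exists. Added example, not the application's code; the user table, the dummy credential and the message texts are constructed. It also shows why the original "password already in use by user X" message is only possible with plaintext or unsalted storage: with a per-user salt, that database query cannot be written.

```python
import hashlib
import hmac
import os
import secrets

# Example added to this write-up (not the target application's code): the
# registration, login and forgot-password responses written so that they do not
# reveal whether an email or a password is already in the database.


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: email -> (salt, hash). With a per-user salt there is no
# way to ask "does this password already exist?", which is the lookup the
# original app's registration error depended on.
_salt = os.urandom(16)
USERS = {"susan@example.test": (_salt, _pbkdf2("susan-pass-1", _salt))}

# A dummy credential so that a login for an unknown email does the same hashing
# work as a login for a known one (no timing side channel on the email).
_dummy_salt = os.urandom(16)
_DUMMY = (_dummy_salt, _pbkdf2(secrets.token_hex(16), _dummy_salt))

GENERIC_LOGIN = "Invalid email or password."
GENERIC_REGISTER = ("If this address is not already registered, a confirmation "
                    "email has been sent to it.")
GENERIC_RESET = "If an account exists for this address, a reset email has been sent."


def login(email: str, password: str) -> tuple:
    salt, stored = USERS.get(email, _DUMMY)
    matched = hmac.compare_digest(_pbkdf2(password, salt), stored)
    if email in USERS and matched:
        return True, "Welcome."
    return False, GENERIC_LOGIN  # same text for unknown email and wrong password


def register(email: str, password: str, outbox: list) -> str:
    """The HTTP response is identical whether or not the email exists; the
    difference goes out of band, to the mailbox of the address owner."""
    if email in USERS:
        outbox.append((email, "Someone tried to register with your address. "
                              "If this was you, log in or reset your password."))
    else:
        salt = os.urandom(16)
        USERS[email] = (salt, _pbkdf2(password, salt))
        outbox.append((email, "Confirm your new account."))
    return GENERIC_REGISTER


def request_password_reset(email: str, outbox: list) -> str:
    """Same response for known and unknown addresses; mail only goes to known ones."""
    if email in USERS:
        outbox.append((email, "Your password reset link."))
    return GENERIC_RESET
```

The outbox list stands in for the mail transport; the point is that the attacker only ever sees the return value, which carries no information about the address.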
Users Credentials
There is Sensitive Data Exposure and Broken Authentication: the /api/admin/users endpoint returns users' credentials in JSON with the passwords in plaintext, including the IsAdmin property. Refer to the /robots.txt section above for details.
We can find out the server type and version through the HTTP response headers and by generating an HTTP 404 error.
404 Error Information Disclosure
When logging in, there is a cookie IsAdmin=false. When we edit it to true, then intercept the server response and also edit it to true, we get access to an Admin tab. This tab allows us to view users' credentials and their passwords in plaintext.
We can also perform this attack when registering a user.
Intercept Server Response and change cookie value to true
Even as an unauthenticated user, we can go to "Inspect Element", change the cookie value to true and then reload the page. This allows us access to the Admin panel without even logging in.
Email and Password Enumeration
Refer to the scanning and enumeration section for more details.
Password Disclosure in Account Creation and Reset Password Email
When a new user account is created, the password provided is also sent via email. This is an information disclosure.
When I reset a user's password, instead of receiving a link to create a new password, the new password is sent to me via email.
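A reset flow that never puts a password in an email, as an added example (not the application's code): the server mails a random one-time token with a short lifetime, stores only a hash of that token, and on completion stores the new password hash and terminates the user's existing sessions, so the old credential is fully retired (the behaviour noted under "Password Expiry on Reset" below). The link format, the user record and the session store are assumptions.

```python
import hashlib
import os
import secrets
import time

# Example added to this write-up (not the target application's code): a
# forgot-password flow that emails a one-time, expiring link instead of the
# password, and that ends every existing session once the password changes.

TOKEN_TTL_SECONDS = 15 * 60
RESET_URL = "https://app.example.test/reset?token="  # assumed link format


def _hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


# Constructed state. Only a SHA-256 of each reset token is stored, so reading the
# table (as the leaked JSON allowed for users) does not yield a usable link.
USERS = {91: {"email": "me@example.test", "password_hash": _hash_password("old-pass-1")}}
RESET_TOKENS = {}               # sha256(token) -> (user_id, expires_at)
SESSIONS = {"sess-old": 91}     # opaque session id -> user_id


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def start_reset(user_id: int, outbox: list, now=None) -> None:
    """Issue a fresh token and put the link (never the password) in the email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    outbox.append((USERS[user_id]["email"], RESET_URL + token))


def complete_reset(token: str, new_password: str, now=None) -> bool:
    """Consume the token: it is removed on first presentation, valid or not."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_key(token), None)
    if entry is None:
        return False
    user_id, expires_at = entry
    if now > expires_at:
        return False
    USERS[user_id]["password_hash"] = _hash_password(new_password)
    # The old password is dead, so sessions opened with it must die too.
    for sid in [s for s, uid in SESSIONS.items() if uid == user_id]:
        del SESSIONS[sid]
    return True
```

The `now` parameter exists only so the expiry can be exercised deterministically; in the application it would always be the clock.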
Password in Reset Password Email
IDOR in Editing Profile
When I click on my edit profile button and intercept the request, I notice an integer which could potentially be my userId. When I change the integer to a different value, I can view other users' Personally Identifiable Information. In the image below, I navigated to userId 90, which belongs to Susan. (My userId is 91.)
Furthermore, we can edit their details by manipulating the userId in the request and its body and changing some parameters.
Editing other users' details
The current user's password is autocompleted on the change-password web page. If the user was using the app on a public computer, or someone got access to their device while they were authenticated, the attacker can retrieve the password. They just need to "Inspect Element".
Furthermore, the attacker can also change the user's email address without being prompted for the current password. This enables them to log in to the user's account whenever they feel like it.
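The IsAdmin-cookie bypass, the userId IDOR and the unauthenticated email change share one root cause: the server acts on values the client supplied (the cookie, the userId in the request) and skips re-authentication for a sensitive change. Added example, not the application's code, of the server-side checks that close them: the role comes from the user record, the only cookie consulted is an opaque session id, the edit handler verifies that the requested userId belongs to the session, and changing the email requires the current password. Accounts, field names and status codes are constructed.

```python
import hashlib
import hmac
import os
import secrets

# Example added to this write-up (not the target application's code): the
# authorization checks whose absence produced the IsAdmin-cookie bypass, the
# userId IDOR and the email change without re-authentication.


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed accounts. The role is a server-side attribute of the user record;
# it is never written to, or read from, a cookie.
_salt = os.urandom(16)
USERS = {
    1:  {"email": "admin@example.test", "display_name": "Admin", "is_admin": True,
         "salt": _salt, "pw": _pbkdf2("admin-pass-1", _salt)},
    90: {"email": "susan@example.test", "display_name": "Susan", "is_admin": False,
         "salt": _salt, "pw": _pbkdf2("susan-pass-1", _salt)},
    91: {"email": "me@example.test", "display_name": "Me", "is_admin": False,
         "salt": _salt, "pw": _pbkdf2("my-pass-1", _salt)},
}
SESSIONS = {}  # opaque session id -> user_id, held on the server only

EDITABLE_FIELDS = {"display_name"}  # never is_admin; email has its own re-auth path


def login(email: str, password: str):
    """Return an opaque session id, or None. Nothing about the user goes in the cookie."""
    for uid, u in USERS.items():
        if u["email"] == email and hmac.compare_digest(_pbkdf2(password, u["salt"]), u["pw"]):
            sid = secrets.token_urlsafe(32)
            SESSIONS[sid] = uid
            return sid
    return None


def _current_user_id(cookies: dict):
    """The only cookie consulted is the session id. An 'IsAdmin' cookie, whatever
    its value, is simply never read, so editing it has no effect."""
    return SESSIONS.get(cookies.get("session", ""))


def _public(uid: int) -> dict:
    u = USERS[uid]
    return {"id": uid, "email": u["email"], "display_name": u["display_name"],
            "is_admin": u["is_admin"]}


def admin_users(cookies: dict):
    uid = _current_user_id(cookies)
    if uid is None:
        return 401, None
    if not USERS[uid]["is_admin"]:  # role taken from the server-side record
        return 403, None
    return 200, [_public(u) for u in USERS]


def edit_profile(cookies: dict, target_user_id: int, new_fields: dict):
    """Ownership check on the userId in the request: this is what closes the IDOR."""
    uid = _current_user_id(cookies)
    if uid is None:
        return 401, None
    if target_user_id != uid and not USERS[uid]["is_admin"]:
        return 403, None
    if target_user_id not in USERS:
        return 404, None
    USERS[target_user_id].update({k: v for k, v in new_fields.items() if k in EDITABLE_FIELDS})
    return 200, _public(target_user_id)


def change_email(cookies: dict, current_password: str, new_email: str):
    """Changing the login identifier requires the current password again."""
    uid = _current_user_id(cookies)
    if uid is None:
        return 401, None
    rec = USERS[uid]
    if not hmac.compare_digest(_pbkdf2(current_password, rec["salt"]), rec["pw"]):
        return 403, None
    rec["email"] = new_email
    return 200, _public(uid)
```

Each handler returns an HTTP-style status with its body so the decisions are visible. The autocomplete finding is a template matter outside this block: the change-password form should never pre-fill the current password in the HTML, and its password inputs should carry autocomplete="new-password".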
Lack of Email Enumeration on Login Page
The login page returns a generic error message, so emails cannot be enumerated there.
Password Expiry on Reset
When I perform a password reset, the previous password expires.