Sample Web-app Pentest
Sample webapp pentest of https://hack-yourself-first.com/
Recon
Subdomain Hunting
Google Dorking for Info Leakage
Scanning and Enumeration
Webserver Fingerprinting
Banner Grabbing
Wappalyzer reveals the following details:
Web Frameworks: Microsoft ASP.NET 4.0.3.0319
Web Servers: IIS 10.0
Operating System: Windows
JavaScript Libraries: jQuery 2.1.1
Banner grabbing with Burp Suite also confirms some of the above details:

Forcing an HTTP 404 error also confirms these results:

/robots.txt file
The site contains a /robots.txt file. Navigating to it reveals some interesting information.

Navigating to both /scripts and /images shows the message below:

However, /secret/admin shows the page below:

But /api/admin/users reveals the following:

We just found users' credentials in JSON format. To make matters worse, the passwords are in plaintext. We can potentially take over any account we wish to. We can even look for admin users using the property IsAdmin:true.
Reflected Input
The search term is reflected in the page when using the search bar. Potential for XSS or injection?

Email (and Password) Enumeration
When creating a new account, the application reveals that the chosen password already exists in the database and is in use by a specific user. This allows us to enumerate emails from an email list together with their corresponding passwords.
Alternatively, we can go through the credentials JSON file we found earlier.

Additionally, the forgot password feature allows email enumeration through its error message.

Findings
Users' Credentials
There is Sensitive Data Exposure and Broken Authentication.

Refer to the /robots.txt section above for more details: /api/admin/users returns users' credentials in JSON, with passwords in plaintext, and admin accounts can be identified by the property IsAdmin:true.
Information Disclosure
We can find out the server type and version from the HTTP response headers and by generating an HTTP 404 error.
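As an added example (not part of the original writeup), the following script checks a raw HTTP response for exactly the kind of disclosure described above: version-revealing headers and the version footer printed by default ASP.NET error pages. The two sample responses are constructed for this demo and are not captures from hack-yourself-first.com.

```python
# Added example: flag version-disclosing headers and error-page footers in a
# raw HTTP response. Sample responses below are constructed, not real captures.
import re
from typing import Dict, List, Tuple

# Headers that commonly reveal the server stack; a hardened deployment removes
# or blanks them.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Default ASP.NET error pages print the framework version in a footer line.
VERSION_FOOTER = re.compile(r"Version Information:", re.IGNORECASE)


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def find_disclosures(raw: str) -> List[str]:
    """Return the names of leaking headers, plus 'body' if an error page leaks a version."""
    status, headers, body = parse_raw_response(raw)
    findings = [h for h in DISCLOSING_HEADERS if headers.get(h)]
    if status >= 400 and VERSION_FOOTER.search(body):
        findings.append("body")
    return findings


# Constructed sample: a 404 from a default IIS/ASP.NET deployment.
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>The resource cannot be found.</h1>"
    "<hr>Version Information: Microsoft .NET Framework Version:4.0.30319; "
    "ASP.NET Version:4.7.0000.0</body></html>"
)

# Constructed sample: the same 404 after headers are stripped and a custom
# error page is configured.
SAMPLE_404_HARDENED = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Page not found</h1></body></html>"
)

if __name__ == "__main__":
    print("default  :", find_disclosures(SAMPLE_404))
    print("hardened :", find_disclosures(SAMPLE_404_HARDENED))
```

On IIS/ASP.NET the corresponding fixes live in web.config: `<httpRuntime enableVersionHeader="false" />` drops X-AspNet-Version, `<customErrors mode="On" />` replaces the default error page, `<httpProtocol><customHeaders><remove name="X-Powered-By" /></customHeaders></httpProtocol>` drops X-Powered-By, and on IIS 10 `<security><requestFiltering removeServerHeader="true" /></security>` blanks the Server header.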

Login as Admin
When logging in, there is a cookie IsAdmin=false. If we edit it to true, then intercept the server response and edit it to true as well, we get access to an Admin tab. This tab allows us to view users' credentials, with their passwords in plaintext.
We can also perform this attack when registering a user.


Even as an unauthenticated user, we can open "Inspect Element", change the cookie value to true and reload the page. This gives us access to the Admin panel without logging in at all.
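The two findings above (the plaintext credential listing at /api/admin/users and the client-editable IsAdmin cookie) share one root cause: the server trusts the client for an authorization decision and stores what it should not. The following is an added example, not the site's own code, contrasting the observed pattern with a hardened one: the cookie carries only an opaque session id, the role is looked up server-side, passwords are stored as salted hashes, and the admin user listing never returns password material. The user records, store and names are constructed for this demo.

```python
# Added example (not the site's code): authorization decided from a
# server-side session record instead of an IsAdmin cookie. All data is
# constructed for the demo.
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional


# --- vulnerable pattern: the role lives in a client-controlled cookie ---------
def is_admin_vulnerable(cookies: Dict[str, str]) -> bool:
    """Mirrors the observed behaviour: flip IsAdmin=true and you are admin."""
    return cookies.get("IsAdmin", "false").lower() == "true"


# --- hardened pattern: the cookie carries only an opaque session id -----------
USERS: Dict[int, dict] = {}     # user_id -> record (constructed in-memory store)
SESSIONS: Dict[str, int] = {}   # session id -> user_id (server side only)


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a dump of USERS does not expose passwords."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(user_id: int, email: str, password: str, is_admin: bool = False) -> None:
    USERS[user_id] = {"id": user_id, "email": email,
                      "pw_hash": hash_password(password), "is_admin": is_admin}


def login(email: str, password: str) -> Optional[str]:
    """Return a new opaque session id on success; the role never leaves the server."""
    for user in USERS.values():
        if user["email"] != email:
            continue
        stored = user["pw_hash"]
        if hmac.compare_digest(hash_password(password, stored[:16]), stored):
            sid = secrets.token_urlsafe(32)
            SESSIONS[sid] = user["id"]
            return sid
    return None


def is_admin(cookies: Dict[str, str]) -> bool:
    """Authorization comes from the server-side record; extra cookies are ignored."""
    user_id = SESSIONS.get(cookies.get("session", ""))
    return user_id is not None and USERS[user_id]["is_admin"]


def list_users(cookies: Dict[str, str]) -> List[dict]:
    """Admin-only listing that never includes password material, hashed or not."""
    if not is_admin(cookies):
        raise PermissionError("admin only")
    return [{"id": u["id"], "email": u["email"], "is_admin": u["is_admin"]}
            for u in USERS.values()]


def demo() -> dict:
    USERS.clear()
    SESSIONS.clear()
    create_user(1, "admin@example.test", "correct horse", is_admin=True)
    create_user(91, "me@example.test", "hunter2")
    sid = login("me@example.test", "hunter2")
    tampered = {"session": sid, "IsAdmin": "true"}   # the edit made in Burp
    result = {
        "vulnerable_grants_admin": is_admin_vulnerable(tampered),
        "hardened_grants_admin": is_admin(tampered),
        "unauthenticated_grants_admin": is_admin({"IsAdmin": "true"}),
    }
    admin_sid = login("admin@example.test", "correct horse")
    result["admin_listing_fields"] = sorted(list_users({"session": admin_sid})[0].keys())
    return result


if __name__ == "__main__":
    print(demo())
```

The session id itself still needs the usual cookie protections (HttpOnly, Secure, server-side expiry), but nothing the client can edit changes the outcome of `is_admin`.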

Email and Password Enumeration
Refer to the scanning and enumeration section for more details.
Password Disclosure in Account Creation and Reset Password Email
When a new user account is created, the chosen password is also sent by email, which is an information disclosure.

When I reset a user's password, instead of receiving a link to set a new password, the new password is sent to me by email.

IDOR in Editing Profile
When I click on my edit profile button and intercept the request, I notice an integer that could be my userId. When I change the integer to a different value, I can view other users' Personally Identifiable Information. In the image below, I navigated to userId 90, which belongs to Susan (my userId is 91).

Furthermore, we can edit their details by manipulating the userId in the request and its body, and changing some parameters.
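As an added example (not the site's code), here is the ownership check that closes both halves of this IDOR: the profile served or modified is always the one tied to the authenticated session, the userId in the URL or body is only compared against it, and edits are limited to an allow-list of fields. The request shape, the profile store and the two users are constructed to mirror the 90/91 case in the writeup.

```python
# Added example (not the site's code): ownership enforcement for profile
# read/update. Request shape, store and sample users are constructed.
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Request:
    session_user_id: int        # resolved server-side from the session cookie
    path_user_id: int           # the integer changed from 91 to 90 in the writeup
    body: Dict[str, str] = field(default_factory=dict)


# Constructed profile store, mirroring the two users in the writeup.
PROFILES: Dict[int, Dict[str, str]] = {
    90: {"name": "Susan", "email": "susan@example.test", "role": "user"},
    91: {"name": "Me", "email": "me@example.test", "role": "user"},
}
EDITABLE_FIELDS = {"name", "email"}   # never the role, admin flags or the id


def get_profile_vulnerable(req: Request) -> Dict[str, str]:
    """Observed behaviour: whatever id is in the request is served."""
    return PROFILES[req.path_user_id]


def get_profile(req: Request) -> Dict[str, str]:
    """Hardened: only the record owned by the authenticated session is served."""
    if req.path_user_id != req.session_user_id:
        raise PermissionError("not your profile")
    return PROFILES[req.session_user_id]


def update_profile(req: Request) -> Dict[str, str]:
    """Hardened update: ownership check plus an allow-list of editable fields.
    Any id in the body is ignored; the session alone decides which row changes."""
    if req.path_user_id != req.session_user_id:
        raise PermissionError("not your profile")
    changes = {k: v for k, v in req.body.items() if k in EDITABLE_FIELDS}
    PROFILES[req.session_user_id].update(changes)
    return PROFILES[req.session_user_id]


def idor_attempt_blocked(attacker_id: int, victim_id: int) -> bool:
    """True when both the read and the write against victim_id are refused
    and the victim's record is unchanged."""
    before = dict(PROFILES[victim_id])
    req = Request(attacker_id, victim_id,
                  {"email": "attacker@example.test", "role": "admin", "id": str(victim_id)})
    for handler in (get_profile, update_profile):
        try:
            handler(req)
            return False
        except PermissionError:
            pass
    return PROFILES[victim_id] == before


if __name__ == "__main__":
    print("vulnerable read of 90 by 91:", get_profile_vulnerable(Request(91, 90)))
    print("hardened IDOR blocked:", idor_attempt_blocked(91, 90))
    print("own edit:", update_profile(Request(91, 91, {"name": "Me2", "role": "admin"})))
```

Logging the PermissionError path (session id, requested id) gives a simple detection signal for IDOR probing, since legitimate clients never request another user's id.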


Password Disclosure on Change Password Form
The change password page autocompletes the current user's password. If the user was using the app on a public computer, or someone gained access to their device while they were authenticated, the attacker can retrieve the password simply by using "Inspect Element".

Furthermore, the attacker can also change the user's email address without being prompted for the current password. This lets them log in to the user's account whenever they like.
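The password-disclosure findings above (the password emailed on account creation and on reset, and the email change that needs no password) point to two fixes, shown together in this added example, which is not the site's code: a reset flow that emails a single-use, expiring token instead of a password and invalidates the old password when the reset completes (the behaviour the Kudos section credits), and re-authentication, so that changing the email or password requires the current password even inside an authenticated session. The in-memory tables, the names and the fixed clock are constructed for the demo.

```python
# Added example (not the site's code): token-based password reset plus
# re-authentication for sensitive account changes. Data and clock are
# constructed for the demo.
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60
ACCOUNTS: Dict[str, dict] = {}        # email -> {"pw_hash": bytes}
RESET_TOKENS: Dict[str, dict] = {}    # sha256(token) -> {"email", "expires"}


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this, never the password, is stored or sent."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(email: str, password: str) -> bool:
    acct = ACCOUNTS.get(email)
    if acct is None:
        return False
    stored = acct["pw_hash"]
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)


# ---- (1) token-based reset ---------------------------------------------------
def request_reset(email: str, now: float) -> Optional[str]:
    """Return the random token that goes into the emailed link. The HTTP
    response shown to the requester is the same generic message either way;
    only this internal outcome differs, so the endpoint leaks nothing about
    whether the email is registered."""
    if email not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": now + TOKEN_TTL_SECONDS}
    return token


def complete_reset(token: str, new_password: str, now: float) -> bool:
    """Single use: the token is removed on first use; storing the new hash is
    what expires the previous password."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry["expires"]:
        return False
    ACCOUNTS[entry["email"]]["pw_hash"] = hash_password(new_password)
    return True


# ---- (2) re-authentication for sensitive changes -----------------------------
def change_email(email: str, current_password: str, new_email: str) -> bool:
    if not verify_password(email, current_password):
        return False
    ACCOUNTS[new_email] = ACCOUNTS.pop(email)
    return True


def change_password(email: str, current_password: str, new_password: str) -> bool:
    if not verify_password(email, current_password):
        return False
    ACCOUNTS[email]["pw_hash"] = hash_password(new_password)
    return True


def demo() -> dict:
    ACCOUNTS.clear()
    RESET_TOKENS.clear()
    ACCOUNTS["me@example.test"] = {"pw_hash": hash_password("old-password")}
    t0 = 1_700_000_000.0                         # fixed clock for the demo
    token = request_reset("me@example.test", t0)
    r = {"token_issued": token is not None,
         "reset_ok": complete_reset(token, "new-password", t0 + 60),
         "old_password_rejected": not verify_password("me@example.test", "old-password"),
         "new_password_accepted": verify_password("me@example.test", "new-password"),
         "token_reuse_rejected": not complete_reset(token, "again", t0 + 120),
         "unknown_email_no_token": request_reset("nobody@example.test", t0) is None}
    stale = request_reset("me@example.test", t0)
    r["expired_token_rejected"] = not complete_reset(stale, "late", t0 + TOKEN_TTL_SECONDS + 1)
    r["email_change_without_password"] = change_email("me@example.test", "", "attacker@example.test")
    r["email_change_with_password"] = change_email("me@example.test", "new-password", "new@example.test")
    r["password_change_wrong_current"] = change_password("new@example.test", "wrong", "x")
    return r


if __name__ == "__main__":
    print(demo())
```

For the autocomplete issue on the change password form, the server-side counterpart is simply never rendering the current password into the page: the password inputs are emitted with an empty value, and the browser is told which fields are new passwords via autocomplete="new-password" so its own autofill does not populate them.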
Kudos
Lack of Email Enumeration on Login Page
The login page returns a generic error message, so it does not reveal whether an email is registered.

Password Expiry on Reset
When I perform a password reset, the previous password expires.