#13 – Hacking stuff, TA: Henrique Pereira, Calgary

Post on 06-Nov-2023

▪ Open Web Application Security Project

▪ https://www.owasp.org

▪ OWASP Top 10

▪ https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

▪ https://google-gruyere.appspot.com/start

▪ A codelab for learning how to find, exploit and stop security vulnerabilities.

▪ A web application that is “full of holes”

▪ Basic examples of most of the attacks in the OWASP Top10 List.

▪ You are authorized to “hack it”.

▪ Running in a protected Sandbox

▪ If anything goes wrong, just RESET the instance.

▪ Cross-Site Scripting (XSS): injecting code into the contents of a website that is not under the attacker’s control.

▪ Reflected

▪ The application includes unescaped user input as part of its output.

▪ A successful attack lets the attacker execute arbitrary HTML/JS in the victim’s browser.

▪ Stored

▪ The application stores unsanitized user input that is later viewed by another user or an admin.

▪ Stored XSS

▪ Let's save the script in one of our snippets.

▪ Obvious choice? <script>alert("lol")</script>

▪ <script> seems to be blacklisted.

▪ But what happens if we put the JS inside an event of an HTML element?

▪ <a onmouseover="alert('lol')">Click me</a>

▪ Guessing the admin URL

▪ /admin

▪ “Invalid request: /admin”

▪ Can we turn this into a reflected XSS?

▪ Obvious choice again.

▪ <script>alert("lol")</script>
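The two XSS cases above (the stored snippet where `<script>` is blacklisted but an event handler gets through, and the reflected "Invalid request" page that echoes the URL) share one root cause and one fix: user input is concatenated into HTML without contextual output encoding. The following is an added example, not code from the slides or from Gruyere itself; the rendering helpers, the blacklist filter and the `looks_executable` heuristic are assumptions written to show the difference between a blacklist and proper escaping.

```python
import html
import re

# Constructed inputs: the two snippet payloads and a benign snippet.
SCRIPT_TAG = '<script>alert("lol")</script>'
EVENT_HANDLER = '<a onmouseover="alert(\'lol\')">Click me</a>'
BENIGN = "Hello <b>world</b> & friends"

# Rough structural check used only for the comparison: does the rendered page
# still contain a <script> element or a tag carrying an on* event attribute?
_ACTIVE = re.compile(r"<\s*script\b|<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def looks_executable(markup: str) -> bool:
    return _ACTIVE.search(markup) is not None


# Hypothetical blacklist filter of the kind the slide defeats: it strips the
# literal <script> tag and nothing else, so inline event handlers survive.
def blacklist_filter(snippet: str) -> str:
    return re.sub(r"</?script[^>]*>", "", snippet, flags=re.IGNORECASE)


# Stored XSS, vulnerable: the snippet is "filtered" and then pasted into HTML.
def render_snippet_vulnerable(snippet: str) -> str:
    return f"<div class='snippet'>{blacklist_filter(snippet)}</div>"


# Stored XSS, fixed: encode for the HTML text-node context. Every character
# that could open a tag, attribute or entity becomes its entity form.
def render_snippet_fixed(snippet: str) -> str:
    return f"<div class='snippet'>{html.escape(snippet, quote=True)}</div>"


# Reflected XSS, vulnerable: the error page echoes the requested path verbatim.
def render_error_vulnerable(path: str) -> str:
    return f"<p>Invalid request: {path}</p>"


# Reflected XSS, fixed: same encoding, applied at the point of output.
def render_error_fixed(path: str) -> str:
    return f"<p>Invalid request: {html.escape(path, quote=True)}</p>"


if __name__ == "__main__":
    for label, s in (("script tag", SCRIPT_TAG), ("event handler", EVENT_HANDLER), ("benign", BENIGN)):
        print(f"{label:14} blacklist-only executable: {looks_executable(render_snippet_vulnerable(s))!s:5} "
              f"escaped executable: {looks_executable(render_snippet_fixed(s))}")
    probe = "/" + SCRIPT_TAG
    print("reflected     vulnerable:", looks_executable(render_error_vulnerable(probe)),
          "fixed:", looks_executable(render_error_fixed(probe)))
```

`html.escape` is the right encoder only for HTML text and quoted attribute values; input placed inside a JavaScript block, a URL or a CSS rule needs the encoder for that context, which is why blacklists of known-bad tags keep failing while context-aware encoding (or a templating engine that applies it automatically) holds up.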

▪ Another XSS vulnerability?

▪ Uploading HTML files with JS

▪ Easy to steal the cookies/session

▪ Easy to do Phishing

▪ https://gist.github.com/anonymous/4d1acc67897a8114e356473421de6519

▪ There are more XSS vulnerabilities in Gruyere, try to find them all.

▪ The authentication mechanism is not working properly.

▪ A user can obtain more privileges than they are supposed to have.

▪ Cookies can be stolen and users impersonated.

▪ Looking at the signup form

▪ Hidden field “is_author”

▪ What if we add another field called is_admin?

▪ $$$

▪ What if we have a weird username?

▪ a|admin|author
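Both tricks on this slide (submitting an extra `is_admin` form field, and a username such as `a|admin|author`) work only if the server copies client-supplied fields into the account and later splits a `|`-delimited cookie without validating it. The following is an added example, not code from the slides or from Gruyere: it assumes a cookie laid out as `name|admin|author` (which is what the username trick suggests) and places a hypothetical vulnerable signup/cookie pair beside a hardened one that allowlists fields, restricts the username alphabet and signs the cookie with an HMAC.

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical server secret; a real deployment loads it from a secret store.
SERVER_SECRET = secrets.token_bytes(32)


# ---- Vulnerable pattern: mass assignment plus an unvalidated delimited cookie ----

def vulnerable_signup(form: dict) -> dict:
    """Every is_* field the client sends ends up in the account record."""
    user = {"name": form.get("name", ""), "is_admin": False, "is_author": False}
    for key, value in form.items():
        if key.startswith("is_"):
            user[key] = value == "True"
    return user


def vulnerable_cookie(user: dict) -> str:
    """Assumed layout name|admin|author, no integrity protection."""
    return "|".join([user["name"],
                     "admin" if user["is_admin"] else "",
                     "author" if user["is_author"] else ""])


def vulnerable_parse(cookie: str) -> dict:
    parts = cookie.split("|")  # a '|' inside the name shifts every later field
    return {"name": parts[0], "is_admin": parts[1] == "admin", "is_author": parts[2] == "author"}


# ---- Hardened version ----

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def safe_signup(form: dict) -> dict:
    """Allowlist: the client chooses only the name; privilege flags are server-decided."""
    name = form.get("name", "")
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("username must be 3-32 letters, digits or underscores")
    return {"name": name, "is_admin": False, "is_author": False}


def sign_cookie(user: dict) -> str:
    payload = f"{user['name']}|{int(user['is_admin'])}|{int(user['is_author'])}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{mac}|{payload}"


def verify_cookie(cookie: str):
    """Returns the user record, or None if the cookie was forged or malformed."""
    mac, sep, payload = cookie.partition("|")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    fields = payload.split("|")
    if len(fields) != 3 or not USERNAME_RE.fullmatch(fields[0]):
        return None  # exact field count and alphabet: no room for delimiter games
    return {"name": fields[0], "is_admin": fields[1] == "1", "is_author": fields[2] == "1"}


if __name__ == "__main__":
    print(vulnerable_signup({"name": "mallory", "is_admin": "True"}))
    print(vulnerable_parse(vulnerable_cookie({"name": "a|admin|author", "is_admin": False, "is_author": False})))
    print(verify_cookie(sign_cookie(safe_signup({"name": "bob", "is_admin": "True"}))))
```

The HMAC alone would not have stopped the `a|admin|author` username, because the server signs the confused payload itself; the fix is the combination of rejecting delimiter characters at signup and checking the field count at parse time, with the signature preventing anyone from editing the flags afterwards.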

▪ Cross-Site Request Forgery (CSRF): an attacker can forge a request from a legitimate user by tricking that user into loading or executing a resource on an external website.

▪ Cookies for the original site are always sent with requests to that site.

▪ Deleting Snippets

▪ …/deletesnippet?index=0

▪ Let's trick another user into calling that.

▪ Maybe an innocent JSFiddle example that contains the following: <img src="…/deletesnippet?index=0" />
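The `<img src>` trick works because the browser attaches the victim's session cookie to the GET request and the handler changes state on any request that carries a valid cookie. The following is an added example, not code from the slides or from Gruyere: it models a hypothetical `deletesnippet` handler with small `Request`/`Session` classes, shows the vulnerable handler beside one that requires POST plus a per-session CSRF token, and builds a `SameSite=Lax` cookie header as defense in depth.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: str
    # Random per-session token; a page on another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    params: dict
    session: Optional[Session]  # None when no valid session cookie was sent


def delete_snippet_vulnerable(req: Request, store: dict):
    """Accepts any method and trusts the cookie alone, so the <img src> GET succeeds."""
    if req.session is None:
        return 401, "login required"
    index = int(req.params.get("index", "0"))
    del store[req.session.user][index]
    return 200, "deleted"


def delete_snippet(req: Request, store: dict):
    """Hardened handler: state change requires POST and a matching CSRF token."""
    if req.session is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "state-changing actions must use POST"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 403, "missing or invalid CSRF token"
    try:
        index = int(req.params.get("index", ""))
    except ValueError:
        return 400, "bad index"
    snippets = store.get(req.session.user, [])
    if not 0 <= index < len(snippets):
        return 404, "no such snippet"
    del snippets[index]
    return 200, "deleted"


def session_cookie_header(session_id: str) -> str:
    # SameSite=Lax: the browser omits this cookie on cross-site subresource
    # requests such as the <img src> on the slide, even before the token check.
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def simulate() -> dict:
    """Replays the forged GET, a forged POST and a legitimate POST against both handlers."""
    sess = Session(user="bob")
    # Constructed sample data: one user with two snippets, copied per handler.
    old_store = {"bob": ["first snippet", "second snippet"]}
    new_store = {"bob": ["first snippet", "second snippet"]}
    forged_get = Request("GET", {"index": "0"}, sess)
    forged_post = Request("POST", {"index": "0"}, sess)
    legit_post = Request("POST", {"index": "0", "csrf_token": sess.csrf_token}, sess)
    return {
        "vulnerable_forged_get": delete_snippet_vulnerable(forged_get, old_store)[0],
        "forged_get": delete_snippet(forged_get, new_store)[0],
        "forged_post": delete_snippet(forged_post, new_store)[0],
        "legit_post": delete_snippet(legit_post, new_store)[0],
        "remaining": new_store["bob"],
    }


if __name__ == "__main__":
    print(simulate())
    print(session_cookie_header("example-session-id"))
```

Requiring POST is not by itself a CSRF defense (a hidden form on the attacker's page can auto-submit a POST), which is why the token check is the part that matters; the method check and the `SameSite` attribute close the cheap `<img>`-style variant and reduce the blast radius if a token check is ever forgotten on one endpoint.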

▪ Web apps usually contain information that should not be made public

▪ Usernames and passwords

▪ Private data

▪ Financial data

▪ ...

▪ A “debugger” that was left by one of the developers

▪ Passwords are stored in plain text

▪ Plus many more vulnerabilities.

▪ The full list of vulnerabilities and exploits with detailed explanations and fixes is available at the project’s website.

▪ https://google-gruyere.appspot.com/part1