bbkregmi/Week-8-Pentesting

Project 8 - Pentesting Live Targets

Time spent: 7 hours in total

Objective: Identify vulnerabilities in three different versions of the Globitek website: blue, green, and red.

The six possible exploits are:

  • Username Enumeration
  • Insecure Direct Object Reference (IDOR)
  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Session Hijacking/Fixation

Each version of the site has been given two of the six vulnerabilities. (In other words, all six of the exploits should be assignable to one of the sites.)

Blue

Vulnerability #1: SQL Injection. The URL of the salespeople list is injectable: the id parameter is passed straight into the query, so an attacker can simply replace the id number with any SQL they like.

![Gif](https://i.imgur.com/xugt8Ao.gif)

Vulnerability #2: Session Hijacking. An attacker can change their current session identifier to match that of a logged-in admin, and the website then treats the attacker as logged in without asking for any credentials.

![Gif](https://i.imgur.com/O0LJXwr.gif)

Green

Vulnerability #1: User Enumeration. The text "Log in was unsuccessful" is bolded for existing users and unbolded for non-existing users, so the response reveals which usernames exist. Inspecting the HTML revealed that this was mainly due to CSS class-naming confusion.

![Gif](https://i.imgur.com/0sZX7MC.gif)

Vulnerability #2: XSS Attack. An attacker can inject their own script into either the name or the comment field under "Contact Us". The payload is stored and launches when an admin views the feedback.

![Gif](https://i.imgur.com/4wZdhJE.gif)

Red

Vulnerability #1: Insecure Direct Object Reference. When looking up the salesperson for a region, an attacker can simply modify the id number in the URL and view records of salespeople that are in the database but not meant to be public.

![Gif](https://i.imgur.com/wTrwLMg.gif)

Vulnerability #2: CSRF Attack. When an admin edits a user, the Red website checks neither the admin's current password nor a CSRF token. This allows an attacker to craft a page which, when opened by a logged-in admin, automatically fills out the user edit form and submits it as a POST request as soon as the page loads.

![Gif](https://i.imgur.com/0Y9DAyv.gif)
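The two missing checks on the Red site's edit-user handler, shown as an added example in Python (not the Globitek code, which is a PHP app); the session store, user store and handler names are hypothetical stand-ins for the real application's state. A per-session token is embedded in the rendered form and compared in constant time on submit, and the current password is required as a second barrier a cross-site page cannot supply.

```python
import hmac
import secrets
import hashlib

# Constructed in-memory stores standing in for the app's server-side state.
SESSIONS: dict[str, dict] = {}
USERS: dict[str, dict] = {}


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(username: str, password: str, email: str) -> None:
    """Register a user, storing a salted PBKDF2 hash rather than the password."""
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "pw": _hash_pw(password, salt), "email": email}


def new_session(username: str) -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_edit_form(sid: str) -> dict:
    """The server emits the session's token as a hidden field in the edit form."""
    return {"csrf_token": SESSIONS[sid]["csrf"]}


def handle_edit_user(sid: str, form: dict) -> tuple[int, str]:
    """POST /users/edit: apply the change only if both checks pass."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    # Check 1: submitted token must equal the session's token. A forged
    # cross-site form cannot read it, so the request is refused here.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return 403, "csrf token missing or invalid"
    # Check 2: require the admin's current password before any change.
    user = USERS[session["user"]]
    supplied = _hash_pw(form.get("current_password", ""), user["salt"])
    if not hmac.compare_digest(supplied, user["pw"]):
        return 403, "current password required"
    user["email"] = form["email"]
    return 200, "updated"
```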
