Project 8 - Pentesting Live Targets

Time spent: around 7 hours in total

Objective: Identify vulnerabilities in three different versions of the Globitek website: blue, green, and red.

The six possible exploits are:

  • Username Enumeration
  • Insecure Direct Object Reference (IDOR)
  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Session Hijacking/Fixation

Each color is vulnerable to only 2 of the 6 possible exploits. First discover which color has the specific vulnerability, then write a short description of how to exploit it, and finally demonstrate it using screenshots compiled into a GIF.

## Blue

Vulnerability #1: SQL Injection (SQLi)

Description: On the Blue site, SQL injection payloads placed in the URL make the site's query change, so the page changes accordingly and reveals information.

GIF: SQLI(Blue)

Vulnerability #2: Session Hijacking/Fixation

Description: Using the PHP script given to us and injecting it into the URL of the page, we can get the session ID for each of the sites. In the GIF, the left window is the admin and the right one is a regular user. By taking the session ID from the admin and setting it as the regular user's, we can then log in just like the admin without any problems.

GIF: Hijack(Blue)
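The server-side fix for this finding, as an added example that is not part of the project: never adopt a session ID the server did not issue, and regenerate the ID at login so an ID planted beforehand (fixation) stops working the moment the victim authenticates. `SessionStore` is a hypothetical in-memory session table standing in for PHP's session handling.

```python
import secrets


class SessionStore:
    """Server-side session table; the cookie value is only a lookup key."""

    def __init__(self):
        self._sessions = {}  # session id -> attributes

    def start(self):
        # Only the server mints ids; an id chosen by a client is never inserted.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def resolve(self, cookie_sid):
        # Unknown ids (e.g. one planted through the URL) resolve to nothing.
        return self._sessions.get(cookie_sid)

    def login(self, cookie_sid, username):
        # Drop whatever id the browser arrived with and issue a fresh one,
        # so a pre-planted id does not become an authenticated session.
        self._sessions.pop(cookie_sid, None)
        new_sid = self.start()
        self._sessions[new_sid]["user"] = username
        return new_sid  # set this as the new cookie value

    def logout(self, cookie_sid):
        # Invalidating server-side also kills any copy of the id an attacker captured.
        self._sessions.pop(cookie_sid, None)

    def current_user(self, cookie_sid):
        session = self.resolve(cookie_sid)
        return session["user"] if session else None


def fixation_attempt():
    """Constructed walk-through: attacker knows `planted`; victim logs in with it."""
    store = SessionStore()
    planted = store.start()
    issued = store.login(planted, "admin")
    # The planted id no longer maps to anything; only the newly issued id does.
    return store.current_user(planted), store.current_user(issued)
```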

## Green

Vulnerability #1: Cross-Site Scripting (XSS)

Description: By sending a fake "Contact Us" form with a JavaScript injection attached, we can set up an alert box that pops up whenever the admin visits the feedback page. As seen in the GIF, multiple alert boxes came up because other people were sending fake feedback as well.

GIF: XSS(Green)

Vulnerability #2: Username Enumeration

Description: The Red and Blue sites did not have username enumeration, since whenever you entered an incorrect username nothing changed at all. On Green, however, whenever you enter a correct username (one was given to us), the font turns BOLD, while for an incorrect username it stays regular text. This is a small hint, but still a dangerous vulnerability if used maliciously.

GIF: User Enumeration(Green)

## Red

Vulnerability #1: Insecure Direct Object Reference (IDOR)

Description: For this vulnerability, changing the id number/value in the URL lets you get a user or information that has not been published yet or is private. In this case, when entering id = 10, we get information that should not yet be public. While this is true for the Red site, the other sites do not have this problem. What they did correctly is that if you enter an id that is not public, it just redirects you straight back to the main page of "Find a Salesperson", so it is impossible to get private information out of those two.

GIF: IDOR(Red)

Vulnerability #2: Cross-Site Request Forgery (CSRF)

Description: By creating an HTML form and submitting it as fake feedback, we can change information accordingly. For example, I decided to change the territory Canada and its code to something else. The same thing can be done with the users of the page, by changing their names/numbers/etc. For some reason, though, I could not get the submission of my attack to hide even though I tried using hidden and display: none, but the vulnerability still worked.

GIF: CSRF

## Concept Review

  1. In my opinion, Session Hijacking/Fixation, Cross-Site Scripting, Username Enumeration, and Insecure Direct Object Reference were the easiest, while SQL Injection and Cross-Site Request Forgery were the most challenging for me / took up the most time, since both required a bit of guessing and checking with proper script / code execution.
  2. When making a login page, it's best to never let the person know what was incorrect about the input. So for example, if the username/password is incorrect, you should just say "The fields you entered are incorrect", and the same thing goes if the username/password was correct. In this case, by not making the font bold, all three sites would not have any username enumeration vulnerabilities.
  3. I don't think that `' OR 1=1 --'` and `' AND 1=1 --'` are the same, since `' OR 1=1 --'` returns everything in the field; for example, if a table of names was hidden, it would return all names since 1=1 would always be true. On the other hand, having an AND would require one part and another part to both be true instead of just the 1=1 part. When using OR, the 1=1 will always be true, so it will always print the full table of names or other stuff.
  4. You can trick your friend/admin by providing false information in order for them to check the feedback forum link. For example, saying "the website has a problem or it's buggy and I sent a screenshot in the feedback section, can you please check" can make the admin check it and launch the CSRF attack.
  5. I would say that Session Hijacking is easier, since you are waiting for the user to log in and stealing their session ID, while in Session Fixation you have to get the ID for the attacker, then give that same ID to the target, and then log in. Session Hijacking is also probably easier to defend against if you keep changing the session ID very frequently.
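The Blue SQLi finding and concept review #3, worked through in an added example that is not part of the project: a constructed in-memory `salespeople` table (assumed name and columns) queried the vulnerable way, by pasting the URL value into the SQL string, and the fixed way, with a bound parameter. It shows why `' OR 1=1 --` returns every row (including a private one) while `' AND 1=1 --` returns nothing, and why neither does anything once the value is bound.

```python
import sqlite3

# Constructed sample data; column names are an assumption, not Globitek's schema.
SAMPLE_ROWS = [
    (1, "Alice", "public"),
    (2, "Bob", "public"),
    (10, "Private Pat", "private"),  # the kind of record that should never leak
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE salespeople (id INTEGER, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO salespeople VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, name):
    # Vulnerable: the URL parameter becomes SQL syntax. With "' OR 1=1 --" the WHERE
    # clause reads  (visibility = 'public' AND name = '') OR 1=1  and the rest is a comment,
    # so the private row comes back too. With "' AND 1=1 --" the name = '' test still
    # has to hold, so nothing matches.
    sql = (
        "SELECT id, name FROM salespeople "
        f"WHERE visibility = 'public' AND name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def search_fixed(conn, name):
    # Fixed: the value is bound as data; quotes, OR and -- are just characters in a name.
    sql = "SELECT id, name FROM salespeople WHERE visibility = 'public' AND name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare_payloads():
    """Row counts for each payload under both implementations (constructed demo)."""
    conn = make_db()
    payloads = {"honest": "Alice", "or": "' OR 1=1 --", "and": "' AND 1=1 --"}
    return {
        label: (len(search_vulnerable(conn, p)), len(search_fixed(conn, p)))
        for label, p in payloads.items()
    }
```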
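The Green username enumeration finding and the advice in concept review #2, as an added example that is not part of the project: a login handler that reproduces the Green behaviour (a valid username changes the page, here by bolding the label) beside one that returns the same "The fields you entered are incorrect" response, and does the same password-hash work, whether or not the username exists. The account store, salt and `demo_user` account are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo credential store: username -> PBKDF2 hash. Not real Globitek data.
_SALT = b"constructed-demo-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"demo_user": _hash("correct horse battery")}
# Hash of a throwaway password, used so unknown usernames cost the same work as known ones.
_DUMMY_HASH = _hash("placeholder-not-a-real-password")

FAILED = "The fields you entered are incorrect."


def login_green_style(username, password):
    """Leaky: an unknown and a known username produce different HTML on failure."""
    stored = USERS.get(username)
    if stored is None:
        return {"ok": False, "html": f"<label>Username</label> {FAILED}"}
    if hmac.compare_digest(stored, _hash(password)):
        return {"ok": True, "html": "Welcome"}
    # Valid username, wrong password: the label is bolded, which is the enumeration oracle.
    return {"ok": False, "html": f"<label><b>Username</b></label> {FAILED}"}


def login_fixed(username, password):
    """Uniform: identical failure response and identical work for every failure."""
    stored = USERS.get(username, _DUMMY_HASH)
    # Always compute and compare, so timing does not reveal whether the user exists.
    matched = hmac.compare_digest(stored, _hash(password))
    if username in USERS and matched:
        return {"ok": True, "html": "Welcome"}
    return {"ok": False, "html": f"<label>Username</label> {FAILED}"}


def leaks_username(handler):
    """True when a wrong password for a real user looks different from an unknown user."""
    real = handler("demo_user", "wrong")
    fake = handler("no_such_user", "wrong")
    return real["html"] != fake["html"]
```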
