Time spent: 15 hours spent in total
Objective: Identify vulnerabilities in three different versions of the Globitek website: blue, green, and red.
The six possible exploits are:
- Username Enumeration
- Insecure Direct Object Reference (IDOR)
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Session Hijacking/Fixation
Each version of the site has been given two of the six vulnerabilities. (In other words, all six of the exploits should be assignable to one of the sites.)
Vulnerability #1: SQL Injection. Using the ID URL parameter for the salesperson list, you can execute the SLEEP() function and make the site stall.
Walkthrough:
Vulnerability #2: Session Hijacking/Fixation. Session IDs aren't regenerated when logging in.
Walkthrough:
Vulnerability #1: Username Enumeration. The Green site uses a CSS tag of "Failed" instead of "Failure," causing the login failure message to not be bold if the username doesn't exist and bold if it does.
Walkthrough:
Vulnerability #2: Stored Cross-Site Scripting (XSS). Both the name and feedback fields aren't sanitized, allowing attackers to embed scripts into the fields that will trigger when the admin tries to view them.
Walkthrough:
Vulnerability #1: IDOR. The salesperson area allows users to access page IDs they aren't supposed to, such as "Testy McTesterson" and "Lazy Lazyman," which are not meant to be public.
Walkthrough:
Vulnerability #2: CSRF. The edit pages don't check for CSRF tokens.
Walkthrough:
Describe any challenges encountered while doing the work
I could not find a way of getting the admin credentials, since the SQLi vulnerability in the blue site prevents me from dumping the contents of the user table via a "Database Query Failed" error message. Thus, I couldn't find three of the vulnerabilities until they were provided.