SlideShare a Scribd company logo

Web App Pen Test Reveals Financial Data Exposure in 40 Characters

C
Caleb Sima

An automated vulnerability scan was performed on a financial organization's website which uncovered several vulnerabilities in their enrollment website (enroll.site.com) that allowed sensitive customer information like credit cards and applications to be accessed. The vulnerabilities included detailed error messages revealing information, lack of session authentication, incorrect file permissions, and default files still existing for the Forte WebEnterprise application. Access to internal systems was also achieved through an exposed debugging option.

Technology
1 of 35
Web Hack ,[object Object]
Discovery Four servers were found on the internet facing side of the company. 1. www.site.com - (Main site) 2. enroll.site.com - (Customer Enrollment) 3. calc.site.com - (Financial web tools) 4. secure.site.com – (Customer web banking) This information was easily discovered by: 1. Web browsing 2. Using Google
Issue List ,[object Object],[object Object],[object Object]
Let’s target enroll.site.com first ,[object Object],[object Object],[object Object]
The Attack Browsing the website I noticed that the URL stayed pretty much the same except for the templateName value changed on each page: https://enroll.site.com/cgi-forte/fortecgi? serviceName=siteCaastAccess&templateName=prod_sel.forte&source=site&AD_REFERRING_URL=http://www.site.com By deleting all the information after the script and then reissuing the request …
The Attack … the server responded with a very detailed error message.   Please specify the name of Forté service and page. Usage:http://web_server_name/cgi_directory_name/fortecgi?serviceName=Forté_service_name&pageName=request_page&other_info   Forte WebEnterprise Version WE.1.0.E.0 Copyright (c) 1999, Forte Software, Inc. All Rights Reserved.
The Attack ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The Attack ,[object Object]
The Attack ,[object Object],[object Object],[object Object]
The Attack https://enroll.site.com/forte/cgi_bin/fortecgi.dat
The Attack ,[object Object],[object Object],[object Object],[object Object]
The Attack ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The Attack ,[object Object],[object Object]
Issue List ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
The Attack At the beginning of the scan, a directory /template was found. To test a theory a request was issued for:    
Full Source Code
The Attack This allowed us to view the exact details of how the script worked and what other files or scripts it referenced. By methodically going thru and retrieving the source for all the scripts available a large database of filenames was logged.
The Attack After gathering the list of filenames – Several filenames stood out: 1. VerifyLogin.htm 2. ApplicationDetail.htm 3. CreditReport.htm 4. ChangePassword.htm A connection was tried to each file. https://enroll.site.com/cgi-forte/fortecgi?serviceName=siteCaastAccess&templateName=ApplicationDetail.htm
The Attack The server returned a "User not Logged in" message for each request. It also stated that the connection must be made from the Intranet. At first this seemed to be a well secured area but after sniffing the connection, it appeared that ApplicationDetail.htm set a cookie string. siteIntranetIIS=091B1A7D2625162A28241B28167927; frte_lbf_siteIntranetIIS=04392k0W0BTG
Attempt to access with cookie ,[object Object],[object Object],[object Object]
The Attack By taking this cookie and and changing the URL so “serviceName” is set to “siteIntranetIIS” and recreating our request. Our request now looks like this: https://enroll.site.com/cgi-forte/fortecgi ? serviceName=siteIntranetIIS&templateName=ApplicationDetail.htm Cookie: siteIntranetIIS=091B1A7D2625162A28241B28167927; frte_lbf_siteIntranetIIS=04392k0W0BTG
Jackpot! ApplicationDetail.htm returned Client information and credit cards anytime an application was being processed.
Jackpot! ApplicationDetail.htm returned Client information and credit cards anytime an application was being processed.
The Attack By then issuing a request for CreditReport.htm.   The server replied with this error message: HTMLScannerException detected Detecting Method HTMLScanner::HandleExecuteBlock Message qqsp_Exception caught while executing EXECUTE tag named EMCreditRptHandler.GetCreditReport Original message: Cannot add member name View to result set creditRS - value specified is NIL.
The Attack ,[object Object],[object Object]
The Attack Access granted.
The Attack ,[object Object],[object Object]
How Did This Happen? Data Center Enroll. Site Calc. Site WWW Secure Site CSR Network
I’ve been 0wned
Icing On The Cake By accessing the ChangePassword.htm page. The ability to reset the users web banking password was available.
Icing On The Cake Retrieved application source code and system user names and passwords.
Icing On The Cake ,[object Object],[object Object],[object Object],[object Object]
Summary ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
References ,[object Object],[object Object],[object Object],[object Object],CellPhone Security: Google: ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Try WebInspect SPI Dynamics, Inc. 115 Perimeter Center Place Suite 270 Atlanta, GA 30346 Caleb Sima [email_address] For a free WebInspect TM 15-day trial download visit: www.spidynamics.com

Recommended

2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study
2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study
2009 - Microsoft IIS Vs. Apache - Who Serves More - A StudyVijay Prasad Gupta
 
Apache error
Apache errorApache error
Apache errorRishabh Bahukhandi
 
SPFx Webinar Loading SharePoint data in a SPFx Webpart
SPFx Webinar Loading SharePoint data in a SPFx WebpartSPFx Webinar Loading SharePoint data in a SPFx Webpart
SPFx Webinar Loading SharePoint data in a SPFx WebpartJenkins NS
 
C sharp and asp.net interview questions
C sharp and asp.net interview questionsC sharp and asp.net interview questions
C sharp and asp.net interview questionsAkhil Mittal
 
Apache ppt
Apache pptApache ppt
Apache pptpoornima sugumaran
 
Microsoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationMicrosoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationShahab Al Yamin Chawdhury
 
( 2 ) Office 2007 Create A Portal
( 2 ) Office 2007 Create A Portal( 2 ) Office 2007 Create A Portal
( 2 ) Office 2007 Create A PortalLiquidHub
 
Secure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior
 

Recommended

2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study
2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study2009 - Microsoft IIS Vs. Apache - Who Serves More - A Study
2009 - Microsoft IIS Vs. Apache - Who Serves More - A StudyVijay Prasad Gupta
 
Apache error
Apache errorApache error
Apache errorRishabh Bahukhandi
 
SPFx Webinar Loading SharePoint data in a SPFx Webpart
SPFx Webinar Loading SharePoint data in a SPFx WebpartSPFx Webinar Loading SharePoint data in a SPFx Webpart
SPFx Webinar Loading SharePoint data in a SPFx WebpartJenkins NS
 
C sharp and asp.net interview questions
C sharp and asp.net interview questionsC sharp and asp.net interview questions
C sharp and asp.net interview questionsAkhil Mittal
 
Apache ppt
Apache pptApache ppt
Apache pptpoornima sugumaran
 
Microsoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationMicrosoft Lync Server 2010 Installation
Microsoft Lync Server 2010 InstallationShahab Al Yamin Chawdhury
 
( 2 ) Office 2007 Create A Portal
( 2 ) Office 2007 Create A Portal( 2 ) Office 2007 Create A Portal
( 2 ) Office 2007 Create A PortalLiquidHub
 
Secure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior - Local file inclusion
Secure Code Warrior - Local file inclusionSecure Code Warrior
 
Secure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior
 
Microsoft Azure
Microsoft AzureMicrosoft Azure
Microsoft AzureDima Maleev
 
New Features Of ASP.Net 4 0
New Features Of ASP.Net 4 0New Features Of ASP.Net 4 0
New Features Of ASP.Net 4 0Dima Maleev
 
ASP.NET Request Processing Internals
ASP.NET Request Processing InternalsASP.NET Request Processing Internals
ASP.NET Request Processing InternalsAbhijit Jana
 
Web Server Technologies I: HTTP & Getting Started
Web Server Technologies I: HTTP & Getting StartedWeb Server Technologies I: HTTP & Getting Started
Web Server Technologies I: HTTP & Getting StartedPort80 Software
 
Making Sense of APEX Security by Christoph Ruepprich
Making Sense of APEX Security by Christoph RuepprichMaking Sense of APEX Security by Christoph Ruepprich
Making Sense of APEX Security by Christoph RuepprichEnkitec
 
Apache web server
Apache web serverApache web server
Apache web serverRishabh Bahukhandi
 
Share point 2010_overview-day4-code
Share point 2010_overview-day4-codeShare point 2010_overview-day4-code
Share point 2010_overview-day4-codeNarayana Reddy
 
Offline Storage
Offline StorageOffline Storage
Offline StorageSP Balamurugan
 
Mantis Installation for Windows Box
Mantis Installation for Windows BoxMantis Installation for Windows Box
Mantis Installation for Windows Boxguest34a3a419
 
Web servers
Web serversWeb servers
Web serverswebhostingguy
 
Web server
Web serverWeb server
Web serverNirav Daraniya
 
Brief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenariosBrief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenariosPayampardaz
 
Web servers (l6)
Web servers (l6)Web servers (l6)
Web servers (l6)Nanhi Sinha
 
Reasons and Ways of Fixing Server Errors
Reasons and Ways of Fixing Server ErrorsReasons and Ways of Fixing Server Errors
Reasons and Ways of Fixing Server ErrorsHTS Hosting
 
10 performance and scalability secrets of ASP.NET websites
10 performance and scalability secrets of ASP.NET websites10 performance and scalability secrets of ASP.NET websites
10 performance and scalability secrets of ASP.NET websitesoazabir
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 
Web Servers (ppt)
Web Servers (ppt)Web Servers (ppt)
Web Servers (ppt)webhostingguy
 
Create Applicationwith IIS 7
Create Applicationwith IIS 7Create Applicationwith IIS 7
Create Applicationwith IIS 7Sandeep Verma
 
Web Security
Web SecurityWeb Security
Web SecurityChatree Kunjai
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 

More Related Content

What's hot

Secure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior
 
New Features Of ASP.Net 4 0
New Features Of ASP.Net 4 0New Features Of ASP.Net 4 0
New Features Of ASP.Net 4 0Dima Maleev
 
ASP.NET Request Processing Internals
ASP.NET Request Processing InternalsASP.NET Request Processing Internals
ASP.NET Request Processing InternalsAbhijit Jana
 
Web Server Technologies I: HTTP & Getting Started
Web Server Technologies I: HTTP & Getting StartedWeb Server Technologies I: HTTP & Getting Started
Web Server Technologies I: HTTP & Getting StartedPort80 Software
 
Making Sense of APEX Security by Christoph Ruepprich
Making Sense of APEX Security by Christoph RuepprichMaking Sense of APEX Security by Christoph Ruepprich
Making Sense of APEX Security by Christoph RuepprichEnkitec
 
Share point 2010_overview-day4-code
Share point 2010_overview-day4-codeShare point 2010_overview-day4-code
Share point 2010_overview-day4-codeNarayana Reddy
 
Mantis Installation for Windows Box
Mantis Installation for Windows BoxMantis Installation for Windows Box
Mantis Installation for Windows Boxguest34a3a419
 
Brief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenariosBrief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenariosPayampardaz
 
Web servers (l6)
Web servers (l6)Web servers (l6)
Web servers (l6)Nanhi Sinha
 
Reasons and Ways of Fixing Server Errors
Reasons and Ways of Fixing Server ErrorsReasons and Ways of Fixing Server Errors
Reasons and Ways of Fixing Server ErrorsHTS Hosting
 
10 performance and scalability secrets of ASP.NET websites
10 performance and scalability secrets of ASP.NET websites10 performance and scalability secrets of ASP.NET websites
10 performance and scalability secrets of ASP.NET websitesoazabir
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applicationsAdeel Javaid
 

What's hot (18)

Secure Code Warrior - Os command injection
Secure Code Warrior - Os command injectionSecure Code Warrior - Os command injection
Secure Code Warrior - Os command injection
 
Microsoft Azure
Microsoft AzureMicrosoft Azure
Microsoft Azure
 
New Features Of ASP.Net 4 0
New Features Of ASP.Net 4 0New Features Of ASP.Net 4 0
New Features Of ASP.Net 4 0
 
ASP.NET Request Processing Internals
ASP.NET Request Processing InternalsASP.NET Request Processing Internals
ASP.NET Request Processing Internals
 
Web Server Technologies I: HTTP & Getting Started
Web Server Technologies I: HTTP & Getting StartedWeb Server Technologies I: HTTP & Getting Started
Web Server Technologies I: HTTP & Getting Started
 
Making Sense of APEX Security by Christoph Ruepprich
Making Sense of APEX Security by Christoph RuepprichMaking Sense of APEX Security by Christoph Ruepprich
Making Sense of APEX Security by Christoph Ruepprich
 
Apache web server
Apache web serverApache web server
Apache web server
 
Share point 2010_overview-day4-code
Share point 2010_overview-day4-codeShare point 2010_overview-day4-code
Share point 2010_overview-day4-code
 
Offline Storage
Offline StorageOffline Storage
Offline Storage
 
Mantis Installation for Windows Box
Mantis Installation for Windows BoxMantis Installation for Windows Box
Mantis Installation for Windows Box
 
Web servers
Web serversWeb servers
Web servers
 
Web server
Web serverWeb server
Web server
 
Brief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenariosBrief introduction into SQL injection attack scenarios
Brief introduction into SQL injection attack scenarios
 
Web servers (l6)
Web servers (l6)Web servers (l6)
Web servers (l6)
 
Reasons and Ways of Fixing Server Errors
Reasons and Ways of Fixing Server ErrorsReasons and Ways of Fixing Server Errors
Reasons and Ways of Fixing Server Errors
 
10 performance and scalability secrets of ASP.NET websites
10 performance and scalability secrets of ASP.NET websites10 performance and scalability secrets of ASP.NET websites
10 performance and scalability secrets of ASP.NET websites
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Web Servers (ppt)
Web Servers (ppt)Web Servers (ppt)
Web Servers (ppt)
 

Similar to Web App Pen Test Reveals Financial Data Exposure in 40 Characters

Create Applicationwith IIS 7
Create Applicationwith IIS 7Create Applicationwith IIS 7
Create Applicationwith IIS 7Sandeep Verma
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityChris Hillman
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009ClubHack
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing ReportAman Srivastava
 
Automation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsAutomation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsMunir Njiru
 
Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.Mario Cardinal
 
Application Security
Application SecurityApplication Security
Application Securitynirola
 
Bt0083 server side programing
Bt0083 server side programing Bt0083 server side programing
Bt0083 server side programing Techglyphs
 
Web Server Technologies II: Web Applications & Server Maintenance
Web Server Technologies II: Web Applications & Server MaintenanceWeb Server Technologies II: Web Applications & Server Maintenance
Web Server Technologies II: Web Applications & Server MaintenancePort80 Software
 
Programming Assignment 3 CSCE 3530 Introduction to Comput.pdf
Programming Assignment 3 CSCE 3530 Introduction to Comput.pdfProgramming Assignment 3 CSCE 3530 Introduction to Comput.pdf
Programming Assignment 3 CSCE 3530 Introduction to Comput.pdfaddtechglobalmarketi
 
Using HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in JavaUsing HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in JavaSandeep Tol
 
Webappcontrol for Information Technology
Webappcontrol for Information TechnologyWebappcontrol for Information Technology
Webappcontrol for Information Technologytiwariparivaar24
 
Introducing asp
Introducing aspIntroducing asp
Introducing aspaspnet123
 
WebAppSec Updates from W3C
WebAppSec Updates from W3CWebAppSec Updates from W3C
WebAppSec Updates from W3CNatasha Rooney
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernQuek Lilian
 

Similar to Web App Pen Test Reveals Financial Data Exposure in 40 Characters (20)

Create Applicationwith IIS 7
Create Applicationwith IIS 7Create Applicationwith IIS 7
Create Applicationwith IIS 7
 
Web Security
Web SecurityWeb Security
Web Security
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 
Bh Win 03 Rileybollefer
Bh Win 03 RileybolleferBh Win 03 Rileybollefer
Bh Win 03 Rileybollefer
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Automation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsAutomation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploits
 
Study of http
Study of httpStudy of http
Study of http
 
Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.Best Practices for Architecting a Pragmatic Web API.
Best Practices for Architecting a Pragmatic Web API.
 
Application Security
Application SecurityApplication Security
Application Security
 
Unit5 servlets
Unit5 servletsUnit5 servlets
Unit5 servlets
 
Bt0083 server side programing
Bt0083 server side programing Bt0083 server side programing
Bt0083 server side programing
 
Web Server Technologies II: Web Applications & Server Maintenance
Web Server Technologies II: Web Applications & Server MaintenanceWeb Server Technologies II: Web Applications & Server Maintenance
Web Server Technologies II: Web Applications & Server Maintenance
 
Programming Assignment 3 CSCE 3530 Introduction to Comput.pdf
Programming Assignment 3 CSCE 3530 Introduction to Comput.pdfProgramming Assignment 3 CSCE 3530 Introduction to Comput.pdf
Programming Assignment 3 CSCE 3530 Introduction to Comput.pdf
 
Using HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in JavaUsing HttpWatch Plug-in with Selenium Automation in Java
Using HttpWatch Plug-in with Selenium Automation in Java
 
Webappcontrol for Information Technology
Webappcontrol for Information TechnologyWebappcontrol for Information Technology
Webappcontrol for Information Technology
 
Introducing asp
Introducing aspIntroducing asp
Introducing asp
 
WebAppSec Updates from W3C
WebAppSec Updates from W3CWebAppSec Updates from W3C
WebAppSec Updates from W3C
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok Chern
 

More from Caleb Sima

Blind Sql Injection
Blind Sql InjectionBlind Sql Injection
Blind Sql InjectionCaleb Sima
 
Caleb Xss Dating Website
Caleb Xss Dating WebsiteCaleb Xss Dating Website
Caleb Xss Dating WebsiteCaleb Sima
 
Misconfigurations
MisconfigurationsMisconfigurations
MisconfigurationsCaleb Sima
 
Privilege Escalation And Misconfigurations
Privilege Escalation And MisconfigurationsPrivilege Escalation And Misconfigurations
Privilege Escalation And MisconfigurationsCaleb Sima
 
Privilege Escalation And Misconfigurations Part2
Privilege Escalation And Misconfigurations Part2Privilege Escalation And Misconfigurations Part2
Privilege Escalation And Misconfigurations Part2Caleb Sima
 
Privilege Escalation
Privilege EscalationPrivilege Escalation
Privilege EscalationCaleb Sima
 
Session Hijacking
Session HijackingSession Hijacking
Session HijackingCaleb Sima
 

More from Caleb Sima (9)

Blind Sql Injection
Blind Sql InjectionBlind Sql Injection
Blind Sql Injection
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008
 
Caleb Xss Dating Website
Caleb Xss Dating WebsiteCaleb Xss Dating Website
Caleb Xss Dating Website
 
Misconfigurations
MisconfigurationsMisconfigurations
Misconfigurations
 
Privilege Escalation And Misconfigurations
Privilege Escalation And MisconfigurationsPrivilege Escalation And Misconfigurations
Privilege Escalation And Misconfigurations
 
Privilege Escalation And Misconfigurations Part2
Privilege Escalation And Misconfigurations Part2Privilege Escalation And Misconfigurations Part2
Privilege Escalation And Misconfigurations Part2
 
Privilege Escalation
Privilege EscalationPrivilege Escalation
Privilege Escalation
 
Session Hijacking
Session HijackingSession Hijacking
Session Hijacking
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
 

Recently uploaded

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 

Web App Pen Test Reveals Financial Data Exposure in 40 Characters

  • 1.
  • 2. Discovery Four servers were found on the internet facing side of the company. 1. www.site.com - (Main site) 2. enroll.site.com - (Customer Enrollment) 3. calc.site.com - (Financial web tools) 4. secure.site.com – (Customer web banking) This information was easily discovered by: 1. Web browsing 2. Using Google
  • 3.
  • 4.
  • 5. The Attack Browsing the website I noticed that the URL stayed pretty much the same except for the templateName value changed on each page: https://enroll.site.com/cgi-forte/fortecgi? serviceName=siteCaastAccess&templateName=prod_sel.forte&source=site&AD_REFERRING_URL=http://www.site.com By deleting all the information after the script and then reissuing the request …
  • 6. The Attack … the server responded with a very detailed error message.   Please specify the name of Forté service and page. Usage:http://web_server_name/cgi_directory_name/fortecgi?serviceName=Forté_service_name&pageName=request_page&other_info   Forte WebEnterprise Version WE.1.0.E.0 Copyright (c) 1999, Forte Software, Inc. All Rights Reserved.
  • 7.
  • 8.
  • 9.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15. The Attack At the beginning of the scan, a directory /template was found. To test a theory a request was issued for:    
  • 17. The Attack This allowed us to view the exact details of how the script worked and what other files or scripts it referenced. By methodically going thru and retrieving the source for all the scripts available a large database of filenames was logged.
  • 18. The Attack After gathering the list of filenames – Several filenames stood out: 1. VerifyLogin.htm 2. ApplicationDetail.htm 3. CreditReport.htm 4. ChangePassword.htm A connection was tried to each file. https://enroll.site.com/cgi-forte/fortecgi?serviceName=siteCaastAccess&templateName=ApplicationDetail.htm
  • 19. The Attack The server returned a "User not Logged in" message for each request. It also stated that the connection must be made from the Intranet. At first this seemed to be a well secured area but after sniffing the connection, it appeared that ApplicationDetail.htm set a cookie string. siteIntranetIIS=091B1A7D2625162A28241B28167927; frte_lbf_siteIntranetIIS=04392k0W0BTG
  • 20.
  • 21. The Attack By taking this cookie and and changing the URL so “serviceName” is set to “siteIntranetIIS” and recreating our request. Our request now looks like this: https://enroll.site.com/cgi-forte/fortecgi ? serviceName=siteIntranetIIS&templateName=ApplicationDetail.htm Cookie: siteIntranetIIS=091B1A7D2625162A28241B28167927; frte_lbf_siteIntranetIIS=04392k0W0BTG
  • 22. Jackpot! ApplicationDetail.htm returned Client information and credit cards anytime an application was being processed.
  • 23. Jackpot! ApplicationDetail.htm returned Client information and credit cards anytime an application was being processed.
  • 24. The Attack By then issuing a request for CreditReport.htm.   The server replied with this error message: HTMLScannerException detected Detecting Method HTMLScanner::HandleExecuteBlock Message qqsp_Exception caught while executing EXECUTE tag named EMCreditRptHandler.GetCreditReport Original message: Cannot add member name View to result set creditRS - value specified is NIL.
  • 25.
  • 26. The Attack Access granted.
  • 27.
  • 28. How Did This Happen? Data Center Enroll. Site Calc. Site WWW Secure Site CSR Network
  • 30. Icing On The Cake By accessing the ChangePassword.htm page. The ability to reset the users web banking password was available.
  • 31. Icing On The Cake Retrieved application source code and system user names and passwords.
  • 32.
  • 33.
  • 34.
  • 35. Try WebInspect SPI Dynamics, Inc. 115 Perimeter Center Place Suite 270 Atlanta, GA 30346 Caleb Sima [email_address] For a free WebInspect TM 15-day trial download visit: www.spidynamics.com