REPORT FOR

FOOPHONES

BY UTKARSH MUNRA
 About
This Report consist of Web Application Testing For FooPhones

Breakdown of Key Metrics

Critical
2
High
2

Informational
10
Medium
4

Low
3
 Vulnerability Index
SQL Injection CRITICAL

Cross Site Scripting LOW

LOW
Cross Site Request Forgery
MEDIUM
Brute Force Attack
Information Disclosure From Internal Files MEDIUM

File Upload Vulnerability CRITICAL

OS Command Injection via Shell Upload HIGH

INFORMATIONAL
SSL Not Enforced
INFORMATIONAL
Verbose Error
Directory Listing Vulnerability INFORMATIONAL

User Enumeration INFORMATIONAL

Parameter Tampering HIGH

MEDIUM
No Rate Limiting
Plain Text Data Transmission INFORMATIONAL

Using components with known vulnerabilities MEDIUM

Header Misconfiguration
Cookie Without HTTP-Only Flag INFORMATIONAL
X-Frame-Protection Header Missing INFORMATIONAL
X-XSS-Options Header Missing INFORMATIONAL
Strict-Transport-Security Header Missing INFORMATIONAL
Form does not contain an anti-CSRF token LOW
Javascript Analysis INFORMATIONAL
Vulnerable Function
 SQL INJECTION

Description - SQL injection is a technique used to exploit user data through web
page inputs by injecting SQL commands as statements. Basically, these statements
can be used to manipulate the application’s web server by malicious users.

Proof Of Concept -

While analysing the registration request we observed that the POST parameters
are vulnerable to SQL injection.

As can be seen below we can exploit the SQL query and are able to extract
database with it.

Instances
http://foophones.securitybrigade.com:8080/register_confirm.php
http://foophones.securitybrigade.com:8080/view.php?id=2
Impact
Database fingerprinting: in case of a time-based approach being used. This helps
in database fingerprinting and there are specific time-delay payloads for specific
databases
Steal sensitive customer and/or business information such as credit card
numbers, personal information of customers/ employees, patents, IP, etc.
Read, add, update, or delete data or tables from the database or execute
administrative commands.
Gain privilege escalation that enables them to completely gain control over the
server/ application/ operating system.

Mitigations

Use Parameterized Queries.

Block special characters in the username field.

Metric: Critical
 CROSS-SITE SCRIPTING
Description - A file upload is a great opportunity to XSS an application. User-
restricted area with uploaded profile picture is everywhere, providing more chances
to find a developer’s mistake. If it happens to be a self XSS

Proof Of Concept -

While analysing file upload functionality in registration form we observed that

unrestricted file upload is implemented which allowed us to upload Vulnerable
File consist of XSS Payload
As can be seen below XSS Payload got executed susccessfully
Instances
http://foophones.securitybrigade.com:8080/register_confirm.php

Impact
The attacker can overwrite any critical file with his payload file.
It can also be used for phishing.
Compromising with a web-server via uploading a shells. .

Mitigations

Restrict file types accepted for upload: check the file extension and only allow
certain files to be uploaded.
Use a whitelist approach instead of a blacklist. Check for double extensions such
as .php.png.
Check for files without a filename Change the permissions on the upload folder
so the files within it are not executable.
If possible, rename the files that are uploaded

Metric: Low
 Cross Site Request Forgery
Description - Cross-site request forgery (CSRF) vulnerabilities may arise when
applications rely solely on HTTP cookies to identify the user that has issued a
particular request. Because browsers automatically add cookies to requests
regardless of their origin, it may be possible for an attacker to create a malicious
website that forges a cross-domain request to the vulnerable application. For a
request to be vulnerable to CSRF

Proof Of Concept -
We captured the "buy_confirm" request and modified the shipping address to
Attacker's Address and generated an auto-submit CSRF POC

We sent the Generated HTML file to Victim

Upon executing the HTML file (being victim logged in already in browser),Victim
unknowingly placed an order to Attackers Address, as there is no availability to
cancel the order victim will be affected with finanacial loss
Instances
http://foophones.securitybrigade.com:8080/buy_confirm.php

Impact
CSRF is a dangerous vulnerability that abuses the trust between the victim’s
browser and the webserver. The magnitude of its impact depends on the
number of benefits allocated to the user.
CSRF has been used to perform several malicious activities such as stealing data,
unauthorized funds transfer, changing passwords, damaging clients’
relationships, spreading worms or malware, and many more

Mitigations
Logging off-web applications when not in use
Securing usernames and passwords
Not allowing browsers to remember passwords
Avoiding simultaneously browsing while logged into an application

Metric: Low
 Brute Force Attack
Description - A brute force attack, also known as an exhaustive search, is a
cryptographic hack that relies on guessing possible combinations of a targeted
password until the correct password is discovered. The longer the password, the
more combinations that will need to be tested.

Proof Of Concept -

With the help of automation we bruteforced the login request

As can be seen below with automation we are able to acquire victim's password
Instances
http://foophones.securitybrigade.com:8080/login.php

Impact
Account Takeover/Compromise

Mitigations
Lockout policy—you can lock accounts after several failed login attempts and
then unlock it as the administrator.
Captcha—tools like reCAPTCHA require users to complete simple tasks to log
into a system. Users can easily complete these tasks while brute force tools
cannot.
Requiring strong passwords—you can force users to define long and complex
passwords. You should also enforce periodical password changes. Two-factor
authentication—you can use multiple factors to authenticate identity and grant
access to accounts
Metric: Medium
 Information Disclosure From Internal Files

Description - The Sensitive Files Exposure scan verifies that any files that cause
security problems are not accessible through the service. Typically, attackers try to
use sensitive files for breaking the service or finding the information that may be
useful for other types of attacks.

Proof Of Concept -

While Crawling the web application we encountered an internal file containing

logs
As can be seen below Logs are publically accessible

Instances
http://foophones.securitybrigade.com:8080/logs.txt

Impact
Logs are Publically Accessible which may lead to information disclosure

Mitigations
Static files that are not necessary should be removed from the web root. If
documents are required to be in the web root, and are sensitive in nature, they
should require authentication.
Use generic error messages as much as possible. Don't provide attackers with
clues about application behavior unnecessarily
Metric: Medium
 File Upload Vulnerability
Description - File uploads are essential for user productivity and many business
services and applications. For instance, file uploads are an important function for
content management systems, healthcare portals, insurance sites, and messaging
applications. As organizations move to remote and distanced workspaces it
becomes increasingly critical to implement measures to ensure the security of file
uploads, since leaving file uploads unrestricted creates an attack vector for malicious
actors.

Proof Of Concept -

As can be seen below File Upload functionality in Registration form is vulnerable

to Unrestricted-File-Upload Vulnerability
Instances
http://foophones.securitybrigade.com:8080/register_confirm.php

Impact
Overwriting an existing file, If a file is uploaded with the same name and
extension as an existing file on the server, this could overwrite the existing file.
If the uploaded file contains an exploit or malware which can leverage a
vulnerability in server-side file handling, the file could be used to gain control of
the server, causing severe business consequences and reputational damage.
Attacks on your users: If the uploaded file contains an exploit, malware,
malicious script or macro, the file could be used to gain control of infected users’
machines.
If an extremely large file is uploaded, this could result in high consumption of the
servers’ resources and disrupt the service for your users

Mitigations
Only allow specific file types– By limiting the list of allowed file types, you can
avoid executables, scripts and other potentially malicious content from being
uploaded to your application. (Whitelisting of files)
Set a maximum name length and maximum file size – Make sure to set a
maximum name length (restrict allowed characters if possible) and file size in
order to prevent a potential service outage
File Name Validation must be implemented to prevent Double Exetension and
Null Byte Bypasses.
Metric: Critical
OS Command Injection via Shell Upload

Description - OS command injection (also known as shell injection) is a web security

vulnerability that allows an attacker to execute an arbitrary operating system (OS)
commands on the server that is running an application, and typically fully
compromise the application and all its data

Proof Of Concept -

We Uploaded a PHP Shell into the application through Unrestricted File Upload
Resulting in OS Command Injection.

Instances
http://foophones.securitybrigade.com:8080/register_confirm.php
Impact
The attacker can overwrite any critical file with his payload file.
It can also be used for phishing.
Compromising with a web-server via uploading a shells.
If the server is also vulnerable to directory traversal, this could mean attackers
are even able to upload files to unanticipated locations.
Failing to make sure that the size of the file falls within expected thresholds
could also enable a form of denial-of-service (DoS) attack, whereby the attacker
fills the available disk space.

Mitigations
require authentication to upload files
store uploaded files in a location not accessible from the web
don't eval or include uploaded data
scramble uploaded file names and extensions,
define valid types of files that the users should be allowed to upload

Metric: High
 SSL Not Enforced
Description - when a client and server communicate over a non-secure
(unencrypted) channel. Failing to securely communicate server-to-server and
server-to client means an attacker can intercept sensitive transactions. This is
typically done through man-in-the-middle attacks

Proof Of Concept -

As can be seen below SSL is not enforced in the web application.

Instances
http://foophones.securitybrigade.com:8080/*

Impact
The attacker can read and manipulates the HTTP requests.
Man-in-the-Middle (MITM) Attacks

Mitigations
Encrypt the connection with TLS-SSL certificate

Metric: Informational
 Verbose Error
Description - Verbose Error Message (Improper Error Handling) Improper error
handling leads to a variety of security problems. Common problems include when
we expose our internal methods in Stack-traces, error codes, exceptions etc. and
these are displayed to the hacker.

Proof Of Concept -

As can be seen below Information is diclosed in Verbose Error.

Instances
http://foophones.securitybrigade.com:8080/*

Impact
Attacker can easily get to know web-server information.

Mitigations
Make sure to add custom error pages

Metric: Informational
 Directory Listing Vulnerability
Description - Directory listing is a web server function that displays the directory
contents when there is no index file in a specific website directory. It is dangerous to
leave this function turned on for the web server because it leads to information
disclosure.

Proof Of Concept -

As can be seen below Directory Listing is enabled in Web Application

Instances
http://foophones.securitybrigade.com:8080/images/

Impact
Internal Files can be Disclosed through directory listing

Mitigations
Disable directory listing, you must change your web server configuration

Metric: Informational
 User Enumeration
Description - User enumeration is when a malicious actor can use brute-force
techniques to either guess or confirm valid users in a system. User enumeration is
often a web application vulnerability, though it can also be found in any system that
requires user authentication

Proof Of Concept -

As can be below Users can be enumerated through login request

Impact
Attacker can bruteforce the fields to acccquire information regarding the already
registered users in the web application.

Mitigations
Make sure to return a generic "username and password not found " message
when a login failure occurs.

Metric: Informational
 Parameter Tampering
Description - web-based attack intended as a business security threat that involves
another party’s unauthorized manipulation and tampering with the website’s URL,
web-page form or other parameters. It is manipulating the parameters exchanged
between client and server in order to modify the application data such as user
credentials, permissions, price, the quantity of products, etc.

Proof Of Concept -

We Captured the buy_confirm.php request from product purchase page

Here we manupulated the value of "price" parameter.

Value lower than real price
Negative Value
 We are successfully able to perform purchase action with manupulated price

Instances
http://foophones.securitybrigade.com:8080/buy_confirm.php

Impact
As u can see the attacker can manipulate the price field and make purchase the
order for a lesser amount.
It can also manipulate many more parameters which are vulnerable.

Mitigations
Server-side validation compared with all inputs
Validate data

Metric: High
 No Rate Limiting
Description - Rate limiting is a strategy for limiting network traffic. It puts a cap on
how often someone can repeat an action within a certain timeframe – for instance,
trying to log in to an account. Rate limiting can help stop certain kinds of malicious
bot activity. It can also reduce strain on web servers. However, rate limiting is not a
complete solution for managing bot activity.

Proof Of Concept -

We intercepted the register.php request

With the help of Automation we Bruteforced the register request

Here we observed that No Rate Limiting is implemented of web application
Instances
http://foophones.securitybrigade.com:8080/register_confirm.php
http://foophones.securitybrigade.com:8080/login.php

Impact
An attacker can make multiple users with a single request.
An attacker can brute force.

Mitigations
Monitoring API activity against your rate limit.
Catching errors caused by rate limiting.
Reducing the number of requests.
Extra precautions are taken with login, otp, vouchers etc

Metric: Medium
 Plain Text Data Transmission
Description - Some applications transmit passwords over an unencrypted
connections, making them vulnerable to interception. To exploit this vulnerability, an
attacker must be suitably positioned to eavesdrop on the victim’s network traffic.
This scenario typically occurs when a client communicates with the server over an
insecure connection such as public Wi-Fi, or a corporate or home network that is
shared with a compromised computer.

Proof Of Concept -

As can be seen below login credentials are transmitted in plain text to web
application.

Instances
http://foophones.securitybrigade.com:8080/login.php

Impact
Failure frequently compromises all data that should have been protected.
Typically,
this information includes sensitive personal information

Mitigations
Because user credentials are considered sensitive information, should always be
transferred to the server over an encrypted connection (HTTPS).
User credentials are transmitted over an unencrypted channel.
This information should always be transferred via an encrypted channel (HTTPS)
to avoid being intercepted by malicious users.

Metric: Informational
Using Components With Known Vulnerabilities
Description - This includes components you directly use as well as nested
dependencies. If software is vulnerable, unsupported, or out of date. This includes
the OS, web/application server, database management system (DBMS), applications,
APIs and all components, runtime environments, and libraries.

Proof Of Concept -

We Found Exploits for Apache 2.2.22 which is being used in the web application.

Impact
Attackers can invoke any web service with full permission by failing to provide an
identity token.
Remote-code execution with Expression Language injection vulnerability is
introduced through the Spring Framework for Java based apps.

Mitigations
Identify all components and the versions that are being used in the webapps not
just restricted to database/frameworks.
Keep all the components such as public databases, project mailing lists etc. up to
date.
Add security wrappers around components that are vulnerable in nature.

Metric: Medium
 Cookie without HTTP Only flag set
Description - One or more cookies don't have the HttpOnly flag set. When a cookie
is set with the HttpOnly flag, it instructs the browser that the cookie can only be
accessed by the server and not by client-side scripts. This is an important security
protection for session cookies.

Proof Of Concept -

As can be seen below Cookies does not contain HTTP Only Flag.

Instances
http://foophones.securitybrigade.com:8080/*

Impact
During a cross-site scripting attack, an attacker might easily access cookies and
using these he may hijack the victim’s session.
An attacker can grab the sensitive information contained in the cookie.

Mitigations
Set HTTP Only on the cookie. This helps mitigate a large part of XSS attacks
attempting to capture the cookies and possibly leaking sensitive information or
allowing the attacker to impersonate the user.
The HTTP TRACE method combined with XSS can read the authentication cookie,
even if the HTTP Only flag is used. So make sure that the HTTP TRACE method is
disabled.

Metric: Informational
 X-frame-Protection
Description - A missing X-Frame-Options header which means that this website
could be at risk of a clickjacking attack.

Proof Of Concept -
Go to this URL: https://clickjacker.io/test?url=<target site URL here>
Observe that the website is getting embedded in an Iframe.
Observe that the headers x-frame-options and content-security-policy frame
ancestors are missing.

Launch the file in browser.

Observe that the website is getting embedded in an Iframe.
Impact
Users are tricked into performing all sorts of unintended actions are such as
typing in the password, clicking on ‘Delete my account’ button, liking a post,
deleting a post, commenting on a blog.
In other words all the actions that a normal user can do on a legitimate website
can be done using clickjacking.

Mitigations
Sending the proper X-Frame-Options in HTTP response headers that instruct the
browser to not allow framing from other domains. X-Frame-Options: DENY It
completely denies to be loaded in frame/iframe.
X-Frame-Options: SAMEORIGIN It allows only if the site which wants to load has a
same origin.
X-Frame-Options: ALLOW-FROM URL It grants a specific URL to load itself in a
iframe. However please pay attention to that, not all browsers support this.
Employing defensive code in the UI to ensure that the current frame is the most
top level window.

Metric: Informational
 X-XSS-Options
Description - The X-XSS-Protection header is designed to enable the cross-site
scripting (XSS) filter built into modern web browsers. This is usually enabled by
default, but using it will enforce it. It is supported by Internet Explorer 8+, Chrome,
and Safari. The recommended configuration is to set this header to the following
value, which will enable the XSS protection and instruct the browser to block the
response in the event that a malicious script has been inserted from user input,
instead of sanitizing.

Proof Of Concept -

As can be seen below XSS-Options Header is missing.

Impact
The major impact for this violation is cross-scripting attacks.

Mitigations
X-XSS-Protection: 1
Enables Cross-site scripting (XSS) filtering.
This is the default option used by most browsers if the setting is not specified
explicitly.
If a cross-site scripting attack is detected, the browser will sanitize the page and
the malicious/unsafe part will be removed.

Metric: Informational
 Strict-Transport-Security
Description - HTTP Strict Transport Security (HSTS) is a web security policy
mechanism whereby a web server declares that complying user agents (such as a
web browser) are to interact with it using only secure (HTTPS) connections. The HSTS
Policy is communicated by the server to the user agent via a HTTP response header
field named "Strict-Transport-Security". HSTS Policy specifies a period of time during
which the user agent shall access the server in only secure fashion.

Proof Of Concept -

As can be seen below Strict Transport Security Header is missing.

Impact
As the header is expired, the communication will continue in HTTP.
The HTTP protocol is vulnerable to attacks like Man in the middle attack (MITM).

Mitigations
Use your browsers developer tools or a command line HTTP client and look for a
response header named Strict-Transport-Security.
Access your application once over HTTPS, then access the same application over
HTTP. Verify your browser automatically changes the URL to HTTPS over port 443.

Metric: Informational
 Form Does Not Contain Anti-CSRF token
Description - Anti-CSRF tokens are used to protect against cross-site request
forgery attacks. This article explains the basics of anti-CSRF tokens, starting with how
to generate and verify them. You will also learn about CSRF protection for specific
forms and requests. Finally, the post examines selected issues related to CSRF
protection, such Ajax, login forms, and non-persisted tokens.

Proof Of Concept -

As can be seen below Anti-CSRF Token is missing.

Impact
An attacker may trick the users of a web application into executing actions of the
attacker's choosing.
A successful CSRF exploit can compromise end user data and may allow an
attacker to perform an account hijack.
If the targeted end user is the administrator account, this can compromise the
entire web application.

Mitigations
The application should implement anti-CSRF tokens into all requests that perform
actions which change the application state or which add/modify/delete content.
An anti-CSRF token should be a long randomly generated value unique to each
user so that attackers cannot easily brute-force it.

Metric: Low
 Javascript Analysis
Description - JavaScript, often abbreviated as JS, is an interpreted programming
language that conforms to the ECMAScript specification. JavaScript is high-level,
often just-in-time compiled, and multi-paradigm.While analysing javascript files (js)
we found some functions appear to be vulnerable.

Proof Of Concept -

As can be seen below add_user function appears to be vulnerable which results

in creation of users when parameters are parsed correctly.

Impact
Attacker can create numerous amount of users when exploited

Mitigations
JS files should not disclose important information regarding the website

Metric: Informational