Commit 49604551 authored by Adrian Castañeda

sol(vbd): #0 dsvw, 0079-xss-dom

- discovered vulnerabilities: 2 by me, 7 already in repo, 9 total.
- total estimated vulnerabilities in system:   25
- discovery percentage:                     36%
- effort: 5.02 hours during immersion.
parent f46bd676
## Version 1.4.1
## language: en

Feature:
  TOE:
    Damn Small Vulnerable Web
  Category:
    Cross-Site Scripting (DOM)
  Location:
    http://127.0.0.1:65412/ - lang (URL fragment parameter)
  CWE:
    CWE-79: Improper Neutralization of Input During Web Page Generation
    ('Cross-site Scripting')
  Rule:
    REQ.173: https://fluidattacks.com/web/rules/173/
  Goal:
    Show a JavaScript alert
  Recommendation:
    Whitelist the allowed values of the "lang" parameter

  Background:
  Hacker's software:
    | <Software name> | <Version> |
    | Debian          | Buster    |
    | Firefox         | 68.9.0    |
  TOE information:
    Given I am accessing the site
    And the server is running SQLite version 3
    And the application runs on Python version 2.7.1

  Scenario: Normal use case
    Given I access "http://127.0.0.1:65412/?#lang=en"
    Then I can see a text that says
    """
    Chosen language: en
    """

  Scenario: Static detection
    Given the source code "dsvw.py"
    When I see this part of the source code
    """
    var index=document.location.hash.indexOf('lang=');
    if (index != -1)
      document.write('<div style=\"position: absolute;
        top: 5px; right: 5px;\">Chosen language: <b>'
        + decodeURIComponent(document.location.hash.substring(index + 5))
        + '</b></div>');
    """
    Then I can conclude that the "lang" value taken from the URL fragment
    is written into the page with "document.write" without any filter

  Scenario: Dynamic detection
    Given the parameter "lang"
    When I type "<h1>Hey</h1>" as its value and reload the current page
    Then I can see
    """
    Chosen language:
    Hey
    """
    Then I can conclude that HTML tags are rendered instead of escaped

  Scenario: Exploitation
    Given I can inject HTML tags
    And the parameter "lang" is not filtered
    And I have this code for generating an alert
    """
    <script>alert(document.domain)</script>
    """
    And I put the code inside the parameter
    """
    http://127.0.0.1:65412/?#lang=<script>alert(document.domain)</script>
    """
    When I load that URL
    Then an alert is shown [evidence1](image1.png)

  Scenario: Remediation
    Given the next code snippet
    """
    var index=document.location.hash.indexOf('lang=');
    if (index != -1)
      document.write('<div style=\"position: absolute;
        top: 5px; right: 5px;\">Chosen language: <b>'
        + decodeURIComponent(document.location.hash.substring(index + 5))
        + '</b></div>');
    """
    Then it must validate the value of the "lang" parameter before using it
    And use a whitelist that only accepts the characters "[a-zA-Z0-9]"
    And insert the validated value with "textContent" instead of "document.write"
    And that way malicious code cannot be embedded in the page
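As an added example (not DSVW's own code, nor the author's), the `lang` fragment handling from the Static detection scenario and the whitelist remediation above, emulated in Node so the vulnerable sink and the hardened replacement can be run on the same inputs. Function names, the 8-character length cap and the sample fragments are this example's assumptions. It also covers two points the scenarios do not state: `decodeURIComponent` throws on a malformed escape, which the original snippet does not handle, and `requestTarget` shows that the fragment never leaves the browser, so server-side logs or a WAF cannot see the payload.

```javascript
// Added example, not code from DSVW or from this write-up's author: the
// "lang" fragment handling of dsvw.py emulated in Node so the vulnerable sink
// and a whitelisted replacement can be run on the same inputs.
// Function names, the length cap and the sample fragments are assumptions.

// Mirrors the quoted snippet: returns the exact string document.write() would
// receive for a given location.hash, or null when "lang=" is absent.
// Nothing is validated or escaped, so markup in the fragment becomes DOM.
function vulnerableMarkup(hash) {
  const index = hash.indexOf('lang=');
  if (index === -1) return null;
  return '<div style="position: absolute; top: 5px; right: 5px;">Chosen language: <b>'
    + decodeURIComponent(hash.substring(index + 5))
    + '</b></div>';
}

// Whitelist from the remediation scenario: letters and digits only. The cap of
// 8 characters is an assumption; tags with a hyphen such as "pt-BR" would
// need the class extended if the application supports them.
const LANG_PATTERN = /^[A-Za-z0-9]{1,8}$/;

// Hardened parser: returns the validated language or null. decodeURIComponent
// throws URIError on a malformed escape ("%E0%A4%A", a lone "%"); the original
// code would abort the script there, the hardened one treats it as invalid.
function safeLang(hash) {
  const index = hash.indexOf('lang=');
  if (index === -1) return null;
  let raw = hash.substring(index + 5);
  try {
    raw = decodeURIComponent(raw);
  } catch (err) {
    if (err instanceof URIError) return null;
    throw err;
  }
  return LANG_PATTERN.test(raw) ? raw : null;
}

// Browser-side replacement for document.write: builds the banner with
// createTextNode/textContent so the value is never parsed as HTML. `doc` is
// the DOM document, passed in so the function has no global dependency.
function renderLang(hash, doc) {
  const lang = safeLang(hash);
  if (lang === null) return null;
  const div = doc.createElement('div');
  div.setAttribute('style', 'position: absolute; top: 5px; right: 5px;');
  div.appendChild(doc.createTextNode('Chosen language: '));
  const bold = doc.createElement('b');
  bold.textContent = lang;
  div.appendChild(bold);
  return div;
}

// Why a WAF or the server log never sees this payload: the request target the
// browser sends is everything after the origin and before "#". The fragment
// stays client-side, which is what makes this a DOM-based XSS.
function requestTarget(href) {
  const url = new URL(href);
  return url.href.slice(url.origin.length).split('#')[0];
}

// Constructed sample fragments: a normal value, the page's payload as typed in
// Firefox, the same payload percent-encoded the way Chrome stores it in
// location.hash, and a malformed escape.
const SAMPLES = [
  '#lang=en',
  '#lang=<script>alert(document.domain)</script>',
  '#lang=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E',
  '#lang=%E0%A4%A',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const hash of SAMPLES) {
    let vulnerable;
    try {
      vulnerable = vulnerableMarkup(hash);
    } catch (err) {
      vulnerable = `throws ${err.name}`;
    }
    console.log(JSON.stringify(hash));
    console.log('  document.write would get:', vulnerable);
    console.log('  whitelisted value       :', safeLang(hash));
  }
  console.log('server sees only:',
    requestTarget('http://127.0.0.1:65412/?' + SAMPLES[1]));
}
```

In the page itself the replacement for the quoted snippet is `document.body.appendChild(renderLang(location.hash, document))` guarded by a null check; the whitelist is what stops the injection, and `textContent` is the defence in depth should the whitelist ever be loosened.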

  Scenario: Scoring
    Severity scoring according to CVSSv3 standard
    Base: Attributes that are constant over time and across organizations
    4.3/10 (Medium) - AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
    Temporal: Attributes that measure the exploit's popularity and fixability
    4.2/10 (Medium) - E:H/RL:W
    Environmental: Attributes unique and relevant to a specific user environment
    4.2/10 (Medium) - MAV:N/MAC:L/MPR:N/MUI:R/MS:U/MC:L/MI:N/MA:N

  Scenario: Correlations
    No correlations have been found to this date 2019-10-17
......@@ -7,4 +7,3 @@ https://incognitjoe.github.io/hacking-the-juice-shop.html
https://ryan-villarreal.com/2018/06/29/juice-shop-walkthrough-part-1/
https://github.com/bkimminich/pwning-juice-shop/blob/master/appendix/solutions.md#perform-a-reflected-xss-attack
https://www.youtube.com/watch?v=YX2KOG5mjLc
......@@ -15,3 +15,7 @@ https://www.youtube.com/watch?v=h-9rHTLHJTYhttps://github.com/bsqrl/juice-shop-w
https://www.youtube.com/watch?v=cD7NN4vWtVQ
http://cybersecology.com/2017/01/owasps-juice-shop-practice-site-refreshing-reminder/
https://ardalis.com/owasp-training-with-juice-shop-sample-application
https://klarsen.net/python/owasp-juice-shop-sqli/
https://bestestredteam.com/2018/07/07/juice-shop-walkthrough-2-star/
https://testautonation.com/hack-juice-shop/
https://www.owasp.org/images/c/c8/LatamTour2017_MateoMartinez_SQL_Injection_DeepDive.pdf
......@@ -5,3 +5,8 @@ https://www.securitynik.com/2017/02/beginning-web-application-testing-sql.html
http://edublog.bitcrack.net/2016/10/mutillidae-owasp-top-10-a1-injection.html
https://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae#basics-of-sql-injection-timing-attacks
https://www.irongeek.com/i.php?page=videos/web-application-pen-testing-tutorials-with-mutillidae#basics-of-sql-injection-using-union
https://dtike.wordpress.com/2012/08/29/mutillidae-basic-sql-injection/
https://sites.google.com/site/iasoncs/home/web-security/mutillidae-security
http://suraj-raghuvanshi.blogspot.com/2014/05/blind-sql-injection-for-forms-fields.html
https://null-byte.wonderhowto.com/how-to/attack-web-applications-with-burp-suite-sql-injection-0184090/
https://www.thecybersploit.com/2019/02/owasp-sql-injection-authentication.html
......@@ -5,3 +5,4 @@ https://www.youtube.com/watch?v=UbkGf5FXyU0
https://youtu.be/dmYp2drEwwE
https://youtu.be/UcbZUmuMy3U
https://www.securitynik.com/2017/02/beginning-web-application-testing-sql.html
https://www.youtube.com/watch?v=GxjoPJUITok