At least in my opinion, security is not taken seriously by most product owners. I feel glad when customers want their application to be tested against security quality criteria, and I respect such product owners because they respect their product and care about their end-users' privacy. To showcase some security bugs / vulnerabilities, I have listed some of the bugs I found, which helped the product owners stay out of trouble in the future. I hope you enjoy these.
Flash Game – A gaming contest developed in Adobe Flash was hacked by manipulating the high score submission. This was done by manipulating the POST data, which included an attribute named “score”. In this case a high score could be submitted without playing the game at all. It was also found that there was no tracking of the time or duration the game was played. If that had been in place, the game owners could at least tell that one cannot make a high score of 300+ in 30 seconds. (I did a public responsible disclosure for this; here is the report: http://tuppad.com/blog/wp-content/uploads/2012/03/BugBusters_security_vulnerabilities_found_by_SanthoshTuppad.pdf)
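The missing control described above is a server-side plausibility check: the server, not the Flash client, knows when play started, so it can reject a score that could not have been earned in the elapsed time. The following is an added example, not the contest's code or the author's; it assumes a ceiling of 2 points per second of play (a made-up constant for illustration) and an in-memory session table.

```python
import secrets
import time

# Constructed example (not the contest's code): the server issues a game
# session when play starts and only accepts a score against that session.
MAX_POINTS_PER_SECOND = 2.0   # assumed ceiling for legitimate play
SESSIONS = {}                 # session_id -> start time (epoch seconds)


def start_game(now=None):
    """Issue an unguessable session id and record when play began."""
    session_id = secrets.token_urlsafe(24)
    SESSIONS[session_id] = time.time() if now is None else now
    return session_id


def submit_score(session_id, score, now=None):
    """Accept a score only if it is plausible for the recorded play time.

    Returns (accepted, reason). The session is consumed on any submission,
    so a single game cannot be re-submitted with a better score later.
    """
    started = SESSIONS.pop(session_id, None)
    if started is None:
        return False, "unknown or already used session"
    if not isinstance(score, int) or score < 0:
        return False, "malformed score"
    elapsed = (time.time() if now is None else now) - started
    if elapsed <= 0:
        return False, "implausible timing"
    if score > elapsed * MAX_POINTS_PER_SECOND:
        return False, "score too high for %.0f seconds of play" % elapsed
    return True, "ok"


if __name__ == "__main__":
    sid = start_game(now=1000.0)
    print(submit_score(sid, 300, now=1030.0))   # 300 points in 30 s: rejected
```

The check is deliberately coarse; the point is that any score arriving without a server-issued session, or faster than the game can physically produce points, is dropped before it reaches the leaderboard.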
Healthcare – I was able to gain unauthorized access to patient health records, which contained sensitive data such as the amount paid through the card, the address of the payee, the e-mail address, the problems associated with the specific patient and other things which should be confidential; HIPAA compliance also requires this to be kept confidential. I could do this by using the SQL Injection technique, where the query strings included “admin / 1’or’1’=’1” (Username / Password).
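The login bypass above works because the password value is pasted into the SQL text, so the quote characters change the query's logic. The added example below (not the application's code) shows the string-built query beside a parameterised one, using an in-memory SQLite table constructed for the demonstration; the plaintext password column exists only to mirror the scenario, a real system would store a salted hash.

```python
import hmac
import sqlite3

# Constructed example, not the application's code: an in-memory users table
# and two login checks, one built by string formatting (the flaw described
# above) and one using a parameterised query.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext only so the demo stays short; store a salted hash in practice.
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: quotes in the input become part of the SQL."""
    sql = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterised query: the driver passes values separately from the SQL,
    so the input can never change the WHERE clause."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], password)   # constant-time comparison


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin", "1'or'1'='1"))   # True: bypassed
    print(login_safe(db, "admin", "1'or'1'='1"))         # False: rejected
```

With the parameterised version the injected string is simply a wrong password; the same fix applies to every query the application builds from user input, not just the login.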
CAPTCHA Hacked – While I was testing CAPTCHA, I could break the CAPTCHA and automate the correct inputs for it; the purpose of the CAPTCHA was defeated. This is how it was done: I found that the CAPTCHA images were in sequence, like 1.JPG, 2.JPG, 3.JPG … 300.JPG. Once that was found, all the CAPTCHA images were downloaded to the local machine and the mapping was done manually in an Excel sheet for the 300 images. As it was not around 1 lakh images, it was a cakewalk to get the text equivalent of the CAPTCHA for 300 images in 30 minutes. Then the Excel sheet was used, where one column had the CAPTCHA image link and the second column had the text equivalent.
Once that was done, it was pretty easy to use functional automation tools like Selenium or Sahi and add steps like:
Go to the Excel sheet and fetch the text equivalent of 1.JPG from the second column
Then input it in the CAPTCHA text field
Private pictures viewable by URL tampering – I could even look at the private pictures of other end-users, and this was done by URL editing or URL tampering. An inline proxy tool was used to monitor the HTTP requests, and from that I got the absolute path of one of our own images. Then I started tampering with the numerical value, which looked like photoID=39894394. By changing the numbers I could even see private pictures.
The vulnerability was that even non-logged-in end-users could use this URL and view private pictures, which should not be the case. In such a case anyone can use the DownThemAll add-on and download all the pictures, both public and private, without even logging in.
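The defect above is that the server resolves photoID without asking who is requesting it. The added example below (not the application's code) shows the access check that was missing: every request for a photo is resolved against the authenticated viewer, and a private photo that does not belong to the viewer gets the same “not found” answer as a non-existent id, so enumeration does not even reveal which ids exist. The photo records are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Photo:
    photo_id: int
    owner: str
    is_private: bool
    path: str


# Constructed sample records, not real data (ids chosen to resemble the page).
PHOTOS = {
    39894394: Photo(39894394, "alice", False, "/img/alice-public.jpg"),
    39894395: Photo(39894395, "bob", True, "/img/bob-private.jpg"),
}


class NotFound(Exception):
    """Raised for missing ids and for private photos of other users alike."""


def get_photo(photo_id, viewer):
    """Resolve a photo for `viewer` (username, or None for anonymous).

    Public photos are visible to anyone; private ones only to their owner.
    Returning the same NotFound in both failure cases stops an id sweep
    from distinguishing 'exists but private' from 'does not exist'.
    """
    photo = PHOTOS.get(photo_id)
    if photo is None or (photo.is_private and photo.owner != viewer):
        raise NotFound(photo_id)
    return photo.path


def can_view(photo_id, viewer):
    """Boolean wrapper around get_photo for callers that only need yes/no."""
    try:
        get_photo(photo_id, viewer)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    print(can_view(39894395, None))    # False: anonymous, private photo
    print(can_view(39894395, "bob"))   # True: owner
```

Non-sequential ids are worth adding as defence in depth, but they do not replace the check: a leaked or shared URL must still fail for anyone who is not authorised.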
Cookie vulnerability – I was able to log in to any end-user account by replacing the cookie value of my own account with the cookie value of another end-user, even when that victim was not logged in.
On investigation it was found that the cookie values were hard-coded and were not being created afresh for every new session, which is a bad way of programming. It was pretty easy to brute-force the cookie value; with a million end-users it becomes much easier to hit a valid cookie value among the generated combinations than with a smaller number of end-users.
Cookie not being expired on logout – I found that the cookie was not being expired and was kept active on the server even after the end-user logged out.
How did I do this?
I captured the current cookie value of our logged-in account using the Cookie Manager add-on and then logged out. Later I could use the “Tamper Data” add-on and go back to the logout link so that I could tamper with the HTTP request. Once I was allowed to tamper, I replaced the new cookie value with the old cookie value and I was logged in.
I could see that without using the credentials I was able to log in to the account just by using the cookie value. It is like entering a home some other way than through the 2 doors made for entry.
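Both cookie findings above (hard-coded, brute-forceable values, and values that stay valid after logout) come from the same design mistake: the cookie is treated as the identity rather than as a pointer to a server-side session. The added example below (not the application's code) issues a fresh random session id per login, keeps the authoritative record on the server, and makes logout delete that record, so replaying an old cookie value afterwards finds nothing. The 30-minute TTL is an assumption for illustration.

```python
import secrets
import time

# Constructed example, not the application's code. Session ids are random
# and stored server side; logout deletes the server record, so an old cookie
# value is useless afterwards even if it is replayed.
SESSION_TTL = 30 * 60          # assumed idle lifetime in seconds
_sessions = {}                 # session_id -> {"user": ..., "expires": ...}


def login(username, password_ok, now=None):
    """Called after the password has been verified; issues a fresh session.

    256 random bits per id means guessing a valid value is infeasible no
    matter how many users exist, unlike a fixed per-account cookie.
    """
    if not password_ok:
        return None
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": username, "expires": now + SESSION_TTL}
    return sid


def current_user(sid, now=None):
    """Map a cookie value to a user, or None if unknown or expired."""
    now = time.time() if now is None else now
    rec = _sessions.get(sid)
    if rec is None:
        return None
    if rec["expires"] <= now:
        _sessions.pop(sid, None)
        return None
    return rec["user"]


def logout(sid):
    """Invalidate on the server, not merely by clearing the browser cookie."""
    _sessions.pop(sid, None)


if __name__ == "__main__":
    sid = login("alice", True)
    print(current_user(sid))   # alice
    logout(sid)
    print(current_user(sid))   # None: the old value no longer resolves
```

In a real deployment the cookie carrying the id should also be set with the Secure and HttpOnly flags, and a new id should be issued on every privilege change (login included) so that a value captured before login is never valid after it.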
Technical sensitive details displayed – I used a mix of different character sets, like the Arabic and Chinese character sets, which was not handled by the application and caused an exception. Also, the page displayed technical details like the “Database name” and “Column name” along with the exception details. This could be ice-cream for a hacker to exploit and use for his / her purpose.
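The fix for the leak above has two parts: handle the input properly, and, for whatever still fails, keep the exception text on the server. The added example below (not the application's code) shows the second part: the full traceback goes to the server log under a random reference id, and the client receives only a generic message plus that id so support staff can find the log entry. The failing lookup is a constructed stand-in for a database layer that rejects non-ASCII input.

```python
import logging
import secrets

logger = logging.getLogger("app")


class DatabaseError(Exception):
    """Stand-in for a driver exception whose message names tables/columns."""


def lookup_user(name):
    # Constructed failure mode (not a real driver): pretend the storage layer
    # cannot handle non-ASCII names, as the application on the page could not.
    if not name.isascii():
        raise DatabaseError("column 'users.login' rejected value %r" % name)
    return {"login": name}


def handle_request(name):
    """Return (status, body). Detail goes to the server log under a reference
    id; the client body never contains exception text, table or column names."""
    try:
        return 200, lookup_user(name)
    except Exception:
        ref = secrets.token_hex(8)
        logger.exception("request failed, ref=%s", ref)   # traceback stays here
        return 500, {"error": "Something went wrong", "ref": ref}


if __name__ == "__main__":
    print(handle_request("alice"))
    print(handle_request("\u0639\u0644\u064a"))   # Arabic input: generic 500 body
```

Catching `Exception` at the request boundary is deliberate: any failure the developer did not anticipate is exactly the one most likely to carry internal detail in its message.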
Forgot / Reset Password link not being expired – Forgot Password or Reset Password authenticated links need to expire after one use, and if they are not used they have to expire after “X” amount of time. Otherwise they could easily be compromised; in one of the web applications I was testing, it was found that the link could be used multiple times and the password could be set each time. It means any other user can get the link, along with the token, from the web browser history if it is a shared or public computer.
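The reset-link finding above and the CAPTCHA finding earlier (images numbered 1.JPG … 300.JPG) share one remedy: a server-issued token that is random, bound to a purpose, expires, and can be consumed exactly once. The added example below (not the application's code or the author's) implements that store once and uses it for both password-reset links and CAPTCHA challenge ids; the URL, the 15-minute and 5-minute lifetimes, and the CAPTCHA solutions are assumptions made for illustration.

```python
import secrets
import time


class TokenStore:
    """Constructed example: server-side store of single-use, expiring tokens."""

    def __init__(self):
        self._tokens = {}   # token -> (purpose, payload, expires_at)

    def issue(self, purpose, payload, ttl_seconds, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # unguessable, not sequential
        self._tokens[token] = (purpose, payload, now + ttl_seconds)
        return token

    def consume(self, purpose, token, now=None):
        """Return the payload once. The token is removed on first use whether
        it was valid, for another purpose, or expired, so nothing is replayable."""
        now = time.time() if now is None else now
        rec = self._tokens.pop(token, None)
        if rec is None:
            return None
        stored_purpose, payload, expires_at = rec
        if stored_purpose != purpose or expires_at <= now:
            return None
        return payload


store = TokenStore()


def create_reset_link(username, now=None):
    token = store.issue("reset", username, ttl_seconds=15 * 60, now=now)
    return "https://example.invalid/reset?token=" + token   # assumed URL


def reset_password(token, new_password, now=None):
    """Return the username whose password changed, or None if the link is
    unknown, already used, or older than its lifetime."""
    user = store.consume("reset", token, now=now)
    if user is None:
        return None
    # ... store the salted hash of new_password for `user` here ...
    return user


def new_captcha_challenge(solution, now=None):
    """Challenge id is random, so images cannot be walked as 1.JPG ... 300.JPG,
    and the id is void after one answer, right or wrong."""
    return store.issue("captcha", solution, ttl_seconds=5 * 60, now=now)


def check_captcha(challenge_id, answer, now=None):
    expected = store.consume("captcha", challenge_id, now=now)
    return expected is not None and answer == expected


if __name__ == "__main__":
    link = create_reset_link("alice")
    token = link.split("token=")[1]
    print(reset_password(token, "new-secret"))   # alice
    print(reset_password(token, "again"))        # None: link already used
```

One caveat for the CAPTCHA case: an unguessable challenge id hides the filename, but if the image pool is a fixed set of 300 pictures they can still be catalogued by content, so the images themselves must be generated per challenge for the token to buy anything.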
Shotgun style attack – In one of the web applications it was found that the application login was vulnerable to a shotgun style attack, which means I was brute-forcing the username while keeping the password constant. Here the intention of the hackers could be to gain unauthorized access to any account, not a specific one.
I suggested a counter-measure: track the requests from a specific IP and see if the same password or some pattern is being used in a cyclic fashion, in order to detect this attack or build a wall against such attacks.
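The counter-measure suggested above can be implemented as a detection over the authentication log. The added example below (not the application's code or the author's) flags any source IP that fails logins against many distinct usernames inside a short window, which is the signature of “one password, many accounts”; per-account lockout alone misses it because each account sees only a single failure. The log lines are constructed samples in an assumed `timestamp ip user outcome` format, and the window and threshold are illustrative. It deliberately keys on usernames rather than on the attempted passwords, since failed-attempt passwords are themselves too sensitive to write to a log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system):
# ISO timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2012-03-01T10:00:01 203.0.113.7 alice FAIL
2012-03-01T10:00:02 203.0.113.7 bob FAIL
2012-03-01T10:00:03 203.0.113.7 carol FAIL
2012-03-01T10:00:04 203.0.113.7 dave FAIL
2012-03-01T10:00:05 203.0.113.7 erin FAIL
2012-03-01T10:00:06 203.0.113.7 frank FAIL
2012-03-01T10:00:30 198.51.100.9 alice FAIL
2012-03-01T10:00:35 198.51.100.9 alice FAIL
2012-03-01T10:00:40 198.51.100.9 alice OK
"""


def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect_spray(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {ip: distinct_users} for IPs whose failed logins touched at
    least `threshold` different usernames within any `window`-long span.

    A user who mistypes their own password hits one account repeatedly
    (198.51.100.9 above) and is not flagged; a sweep across accounts is.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, username)]
    for line in log_text.strip().splitlines():
        ts, ip, user, outcome = parse(line)
        if outcome == "FAIL":
            failures[ip].append((ts, user))

    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))   # {'203.0.113.7': 6}
```

A flagged IP is a candidate for rate limiting or a challenge on further attempts; attackers spread across many addresses will need the same logic applied per username-set or per network, but the single-IP case the author describes is caught as shown.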
File Upload Directory Listing Enabled – I found that after logging in there is a file upload feature where end-users can upload confidential documents (medical records) to be used by doctors. I found that I was able to access all the files that were uploaded to the directory, which was named /upload/ – without logging in I could use the /upload/ path in the URL and access all the documents, because directory listing was enabled. Even if listing is not enabled, it is easy to brute-force with different file naming conventions.
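Turning directory listing off addresses only the first half of the finding above; the second half (guessable names under a directory the web server serves directly) needs the storage layout to change. The added example below (not the application's code) stores uploads outside the web root under random names, keeps the user-supplied filename only as metadata, and hands bytes out solely through a function that checks the requester is the owner or has been explicitly granted access (the “doctor” case). The ownership check is the same idea as for the photos earlier; the storage directory here is a temporary one created for the demonstration.

```python
import os
import secrets
import tempfile

# Constructed example, not the application's code. The web server is never
# pointed at STORAGE_ROOT, so there is nothing to list; on-disk names are
# random, so there is nothing to guess; reads go through `download` only.
STORAGE_ROOT = tempfile.mkdtemp(prefix="uploads-")   # stand-in for a path outside the web root
_index = {}   # file_id -> {"owner", "name", "path", "shared_with"}


class Forbidden(Exception):
    """Raised for unknown ids and for callers without access alike."""


def save_upload(owner, original_name, data):
    """Store bytes for `owner`; return the opaque id the client will use."""
    file_id = secrets.token_urlsafe(32)
    # Never derive the on-disk path from the user-supplied name.
    path = os.path.join(STORAGE_ROOT, secrets.token_hex(16))
    with open(path, "wb") as f:
        f.write(data)
    _index[file_id] = {"owner": owner, "name": original_name,
                       "path": path, "shared_with": set()}
    return file_id


def share_with(file_id, owner, grantee):
    """Only the owner may grant another user (e.g. a doctor) read access."""
    rec = _index.get(file_id)
    if rec is None or rec["owner"] != owner:
        raise Forbidden(file_id)
    rec["shared_with"].add(grantee)


def can_download(file_id, requester):
    rec = _index.get(file_id)
    return rec is not None and (
        requester == rec["owner"] or requester in rec["shared_with"])


def download(file_id, requester):
    """Return (original_name, bytes) for an authorised requester."""
    if not can_download(file_id, requester):
        raise Forbidden(file_id)
    rec = _index[file_id]
    with open(rec["path"], "rb") as f:
        return rec["name"], f.read()


if __name__ == "__main__":
    fid = save_upload("patient1", "report.pdf", b"%PDF-constructed")
    print(can_download(fid, None))         # False: anonymous
    share_with(fid, "patient1", "dr-smith")
    print(download(fid, "dr-smith")[0])    # report.pdf
```

Because the application, not the web server, serves the bytes, it can also set the Content-Disposition and Content-Type it wants rather than letting an uploaded HTML file render in the site's origin.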
The list could go on, as I have found numerous security bugs. I am a believer in “Thinking like a hacker” and consistently training the mind to think like one. Apart from these, I perform the tests which fall under the OWASP Top 10, which you can see here.
Want to get your app tested for security? I recommend Moolya Software Testing Private Limited (firstname.lastname@example.org). The good news is that I will be part of the team that will be testing your app for security. Let us help you avoid nightmares and focus on business.
For any questions or consulting that you might require, feel free to tweet @santhoshst.