Vulnerable Web Application

T Gopi
14-09-2024
Project Information Slide

How to Use this Template

● We have provided these slides as a guide to ensure you submit all the required components to complete your project successfully.
● When presenting your project, remember that these slides are merely a guide. We strongly encourage you to embrace your creative freedom and make changes that reflect your unique vision as long as the required information is present.
● You can add slides to the template when your answers or screenshots do not fit on the previously provided pages.
● Delete this and the next slide before submitting your project.
● Remember to add your name and the date to the cover page.

Project Scenario

You have been hired by a startup company, USociety, which has received reports from the well-known hacker group Fcity that their customer data was breached. They need you to identify how the attackers got into their system, extracted all of their customers' data, and identify any other security holes that their application might have. This security audit is considered the company's highest priority, and they need your help.

You will need to identify which OWASP Top 10 security issues the
vulnerabilities belong to and their severity. You will also correctly
match attack vectors to the OWASP Top 10 definition.

You will be given some static code analysis results and a web
application. You will conduct a manual web application test to find all
vulnerabilities and create write-up documentation to help the
development team patch the code. The write-up documentation
should clearly outline the steps needed to reproduce the security
issue and best practices to support the development team in better
understanding the issue.

At the end of this project, you will have the hands-on skills needed to
tackle application security. You should be proud of this
accomplishment.
Digital Project Management

Section One:
Static Code Scan

Static Code Scan


In this part of the project, your task is to review the results of the
static code scan performed on the application code. You need to
identify and report comprehensive information for each security
issue found in the scan. The identified issues are listed on the
following pages.

For Each Issue:


● Set the Severity Type:
○ There are only Critical, High, or Medium vulnerabilities on
the slides.
○ There is one False Positive among the issues.
○ Be diligent in your assessment because if everything is
marked as Critical, then nothing is truly Critical.
● Associate with an OWASP TOP 10 Reference:
○ Link each issue to a relevant OWASP TOP 10 category.
○ You can refer to either the 2017 or 2021 OWASP TOP 10
lists.
● Provide a High-Level Recommendation:
○ Suggest a high-level solution or best practice to address
and fix the issue effectively.
Issue: B106

>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'mysecurepassword'
Location: SampleCode/init_db.py:14
13     def open(self):
14         self.conn = psycopg2.connect(user = "webappuser",
15                                      password = "mysecurepassword",
16                                      host = "localhost",
17                                      port = "5432",
18                                      database = "website")
19         self.cursor = self.conn.cursor()

Severity: High

OWASP TOP 10 reference: OWASP A3:2017 – Sensitive Data Exposure and OWASP A5:2017 – Broken Access Control

Remediation recommendation

Store the password and other sensitive information in environment variables instead of hardcoding them in the code. Use a secrets management tool, like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault, to securely store and retrieve sensitive information.
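The loader below is an added example of the recommendation, not code from the scanned application: it assembles the psycopg2.connect() keyword arguments from environment variables (the variable names DB_USER, DB_PASSWORD, DB_HOST, DB_PORT and DB_NAME are assumed), fails fast when one is missing so the app can never fall back to a baked-in default, and keeps the password out of anything that gets logged.

```python
import os

# Environment variable names the loader expects. These names are an
# assumption for this example; a secrets manager injects their values.
REQUIRED_VARS = ("DB_USER", "DB_PASSWORD", "DB_HOST", "DB_PORT", "DB_NAME")


class MissingSecretError(RuntimeError):
    """Raised when a required credential is absent from the environment."""


def config_is_complete(env):
    """True when every required variable is present and non-empty."""
    return all(env.get(name) for name in REQUIRED_VARS)


def load_db_config(env=None):
    """Build the psycopg2.connect() keyword arguments from the environment.

    Raising on a missing variable is deliberate: a deployment with no
    credentials configured must refuse to start rather than quietly use a
    default that ends up committed to source control (the B106 pattern).
    """
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise MissingSecretError("missing environment variables: " + ", ".join(missing))
    return {
        "user": env["DB_USER"],
        "password": env["DB_PASSWORD"],
        "host": env["DB_HOST"],
        "port": env["DB_PORT"],
        "database": env["DB_NAME"],
    }


def redact(config):
    """Copy of the config that is safe to log: the password is masked."""
    return {k: ("***" if k == "password" else v) for k, v in config.items()}


if __name__ == "__main__":
    # Constructed sample environment standing in for values a secrets
    # manager would inject at deploy time.
    sample_env = {"DB_USER": "webappuser", "DB_PASSWORD": "from-vault",
                  "DB_HOST": "localhost", "DB_PORT": "5432", "DB_NAME": "website"}
    print(redact(load_db_config(sample_env)))
    # The original call then becomes: psycopg2.connect(**load_db_config())
```

The same loader works unchanged whether the values come from a container orchestrator's secret mounts, a CI variable, or a Vault agent that exports them into the process environment.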
Issue: B108

>> Issue: [B108:hardcoded_tmp_directory] Use of a hardcoded temporary directory.
Location: SampleCode/temp_file.py:19

18 def createTempFile(data):
19     temp_path = "/tmp/tempfile.txt"
20     with open(temp_path, 'w') as temp_file:
21         temp_file.write(data)
22     return temp_path

Severity: Medium

OWASP TOP 10 reference: A6: Security Misconfiguration or A5: Sensitive Data Exposure

Remediation recommendation

The remediation is to avoid hardcoding paths and instead use secure and dynamic methods such as Python's tempfile module for creating temporary files in system-assigned directories.
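As an added example (not the application's code), here is the flagged helper rewritten on top of tempfile.mkstemp(). The fixed path /tmp/tempfile.txt is predictable and shared by every user on the host, so a local attacker can pre-create it or plant a symlink there; mkstemp() instead creates a uniquely named file with O_EXCL in the system temp directory and mode 0600, so the check and the create cannot be raced and other users cannot read the contents. The prefix "webapp-" is an assumption.

```python
import os
import stat
import tempfile


def create_temp_file(data):
    """Write data to a freshly created, uniquely named, private temp file.

    mkstemp() chooses the system temp directory (honouring TMPDIR), picks an
    unpredictable name, opens it with O_CREAT|O_EXCL so an existing file or
    symlink at that path makes the call fail instead of being followed, and
    sets the mode to 0600.
    """
    fd, path = tempfile.mkstemp(prefix="webapp-", suffix=".txt")
    try:
        with os.fdopen(fd, "w") as temp_file:
            temp_file.write(data)
    except Exception:
        os.unlink(path)   # do not leave a half-written file behind
        raise
    return path


def is_private(path):
    """True when the file has no group or other permission bits set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def read_and_remove(path):
    """Read the contents back and delete the file so nothing lingers."""
    with open(path) as temp_file:
        content = temp_file.read()
    os.unlink(path)
    return content


def still_exists(path):
    return os.path.exists(path)


if __name__ == "__main__":
    p = create_temp_file("constructed sample data")
    print(p, "private:", is_private(p))
    print(read_and_remove(p))
```

If the file only needs to live for the duration of one function, tempfile.NamedTemporaryFile() or tempfile.TemporaryDirectory() used as a context manager gives the same guarantees and cleans up automatically.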
Issue: B303

>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Location: SampleCode/create_customer.py:23
22         self.email = email
23         self.password = hashlib.md5(password.encode('utf-8')).hexdigest()
24         self.banner = safestring.mark_safe(banner)

Severity: High

OWASP TOP 10 reference: A3:2017-Sensitive Data Exposure

Remediation recommendation

Replace MD5 with a more secure hashing algorithm.


Issue: B311

>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Location: SampleCode/init_db.py:40
39     letters = string.ascii_lowercase
40     result_str = ''.join(random.choice(letters) for i in range(length))
41     return result_str

Severity: High

OWASP TOP 10 reference: A9:2017-Using Components with Known Vulnerabilities; A6:2017-Sensitive Data Exposure

Remediation recommendation

For cryptographic purposes, you should use a cryptographically secure random number generator, such as secrets in Python, which is specifically designed for secure use cases.
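The added example below (not the application's code) is a drop-in replacement for the flagged helper using the secrets module. random.choice() draws from a Mersenne Twister whose internal state can be reconstructed from observed outputs, so a token built from it is guessable; secrets.choice() reads from the operating system's CSPRNG. The entropy helper makes the strength of a generated string explicit, and session_token() shows the preferred form for opaque tokens. The wider alphabet is an assumption; the original only used lowercase letters.

```python
import math
import secrets
import string

# Assumed alphabet for this example: letters of both cases plus digits.
ALPHABET = string.ascii_letters + string.digits


def random_string(length, alphabet=ALPHABET):
    """Uniformly random string of the given length, suitable for secrets.

    secrets.choice() is backed by os.urandom(); unlike random.choice() its
    output cannot be predicted from earlier outputs.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy in a uniformly chosen string: length * log2(|alphabet|).

    The original 26-letter alphabet gives about 4.7 bits per character; a
    62-character alphabet gives about 5.95, so a shorter token can carry the
    same strength.
    """
    return length * math.log2(len(alphabet))


def session_token():
    """Opaque token for session ids or reset links: 32 random bytes, URL-safe."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    s = random_string(20)
    print(s, "%.1f bits" % entropy_bits(20))
    print(session_token())
```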
Issue: B320

>> Issue: [B320:blacklist] Using lxml.etree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.fromstring with its defusedxml equivalent function.
Location: SampleCode/fix_customer_orders.py:11
10 def customerOrdersXML():
11     root = lxml.etree.fromstring(xmlString)
12     root = fromstring(xmlString)

Severity: High

OWASP TOP 10 reference: A4:2017-XML External Entities (XXE); A6:2017-Sensitive Data Exposure

Remediation recommendation

To securely parse XML data and prevent XXE attacks, use the defusedxml package, which provides XML parsing functions with security features designed to handle untrusted input.
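The direct fix is a one-line swap to defusedxml.lxml.fromstring() or defusedxml.ElementTree.fromstring(). The added example below (not the application's code) shows what that package enforces, using only the standard library so it runs without extra dependencies: every external-entity and entity-expansion attack needs a DTD, so the parser refuses any document that declares a DOCTYPE or an entity before building the tree. The function names safe_fromstring and parses_safely are assumptions for this example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document carries a DTD or entity declaration."""


def _reject_doctype(*_args):
    raise UnsafeXMLError("DOCTYPE declarations are not accepted from untrusted input")


def _reject_entity(*_args):
    raise UnsafeXMLError("entity declarations are not accepted from untrusted input")


def safe_fromstring(data):
    """Parse untrusted XML, refusing any document that declares a DTD or entity.

    First pass: an expat parser whose DOCTYPE and entity-declaration handlers
    raise, so the document is rejected the moment a DTD appears (this is the
    forbid_dtd policy that defusedxml applies). Second pass: build the tree
    with ElementTree now that the document is known to be plain XML.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject_doctype
    checker.EntityDeclHandler = _reject_entity
    checker.Parse(data, True)
    return ET.fromstring(data)


def parses_safely(data):
    """True when the document is well-formed and carries no DTD."""
    try:
        safe_fromstring(data)
        return True
    except (UnsafeXMLError, ET.ParseError, expat.ExpatError):
        return False


if __name__ == "__main__":
    # Constructed sample order document and a constructed document with a DTD.
    orders = "<orders><order id='1'><item>book</item></order></orders>"
    with_dtd = '<!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>'
    print(safe_fromstring(orders).find("order/item").text)
    print(parses_safely(orders), parses_safely(with_dtd))
```

Rejecting the DTD outright is the right default for data exchanged with customers; if a schema legitimately requires one, defusedxml's forbid_dtd=False with forbid_entities and forbid_external left on is the narrower setting to use.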
Issue: B603

>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Location: SampleCode/onLogin.py:8
7     def process(self, user, startupcmd):
8         p = subprocess.Popen([startupcmd], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
9         r = p.communicate()[0]

Severity: High

OWASP TOP 10 reference: A1:2017-Injection; A10:2017-Insufficient Logging & Monitoring

Remediation recommendation

To mitigate this risk, ensure that shell=False is used explicitly, and sanitize or validate any input passed to subprocess calls.
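In the flagged code the caller's startupcmd is the program that gets executed, so validation cannot be a character filter; the sound pattern is to let the user choose a name from an allowlist and keep the actual argv in code. The added example below (not the application's code) does that with subprocess.run(), shell=False stated explicitly, a timeout, and captured output. The command names and the commands themselves are constructed for the example and deliberately run the Python interpreter so the block works on any host.

```python
import subprocess
import sys

# Allowlist: user-selectable action name -> fixed argv. Constructed for this
# example; a real application would list its own startup actions here.
STARTUP_COMMANDS = {
    "python-version": [sys.executable, "--version"],
    "python-platform": [sys.executable, "-c", "import platform; print(platform.system())"],
}


def is_allowed(name):
    """True only for an exact allowlist key; no normalisation, no partial match."""
    return name in STARTUP_COMMANDS


def run_startup_command(name, timeout=5):
    """Run one allowlisted command. The caller supplies a name, never an argv.

    shell=False means no shell ever tokenises the arguments, so metacharacters
    have no meaning; and because argv comes from STARTUP_COMMANDS rather than
    the request, there is no attacker-controlled string to execute at all.
    check=True turns a non-zero exit into an exception instead of silently
    returning partial output.
    """
    if not is_allowed(name):
        raise ValueError("unknown startup command: %r" % (name,))
    argv = STARTUP_COMMANDS[name]
    result = subprocess.run(
        argv, shell=False, capture_output=True, text=True, timeout=timeout, check=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    print(run_startup_command("python-version"))
    print(run_startup_command("python-platform"))
```

Logging which user requested which command name (and rejecting unknown names loudly) also addresses the A10 reference above: a flood of rejected names is a signal worth alerting on.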
Issue: B703

>> Issue: [B703:django_mark_safe] Potential XSS on mark_safe function.
Location: SampleCode/create_customer.py:24
23         self.password = hashlib.md5(password.encode('utf-8')).hexdigest()
24         self.banner = safestring.mark_safe(banner)
25

Severity: High

OWASP TOP 10 reference: A7:2017-Cross-Site Scripting (XSS)

Remediation recommendation

Only use mark_safe if you are absolutely certain that the content is safe and does not contain any untrusted or user-supplied input.
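mark_safe() tells Django's template engine not to escape the value, so a banner taken from a customer form is rendered verbatim, script tags and all. The added example below (not the application's code) shows the alternative when a little formatting must be allowed: escape everything with html.escape() first, then re-enable a tiny allowlist of bare tags. Because attributes were escaped along with the rest, a tag carrying an event handler stays inert. The allowed tags (b, i, br) and the function name render_banner are assumptions; in Django the equivalent tools are django.utils.html.escape() and format_html(), and the result of this function is what could legitimately be wrapped in mark_safe().

```python
import html
import re

# After escaping, an allowed bare tag looks like "&lt;b&gt;" or "&lt;/b&gt;".
# Only those exact forms (optionally self-closing) are turned back into tags;
# anything with attributes does not match and stays escaped.
_SAFE_TAG_RE = re.compile(r"&lt;(/?)(b|i|br)\s*(/?)&gt;", re.IGNORECASE)


def render_banner(banner):
    """Escape user-supplied banner text, then re-enable <b>, <i> and <br> only.

    html.escape(quote=True) converts <, >, &, " and ' into entities, so no
    element, attribute or script boundary from the input survives. The regex
    pass only recognises tags with no attributes, so "<b onmouseover=...>"
    cannot come back to life.
    """
    escaped = html.escape(banner, quote=True)
    return _SAFE_TAG_RE.sub(r"<\1\2\3>", escaped)


def is_plain_text(banner):
    """True when escaping changes nothing, i.e. the banner has no markup at all."""
    return html.escape(banner, quote=True) == banner


if __name__ == "__main__":
    # Constructed sample banners.
    for sample in ("Welcome <b>back</b>!", "<script>alert(1)</script>", "5 > 3 & 2 < 4"):
        print(repr(sample), "->", repr(render_banner(sample)))
```

Keeping the allowlist this small is the point: the moment attributes such as href or style are needed, switch to a maintained HTML sanitiser rather than growing the regex.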

Section Two:
Assess the Web Application

Manually Assess the Web Application and Identify Vulnerabilities

There are 13 vulnerabilities present in the web application. You
have to manually assess at least 5 of the 13 vulnerabilities present
in the application to be able to complete your report. You need to
find at least 1 of each type of the following security vulnerabilities:
● Broken Authentication
● XSS
● Broken Access
● Sensitive Data Exposure
● SQLi

You are not allowed to use any automated scanner, as you can't
refer to them in your report.

There is no deliverable in this section, but you need to write a report about the vulnerabilities in the next section!

Tools you may need


We have provided some Python files available in the
/workspace/tools/ directory of the workspace that might be
useful. You are only allowed to use these provided scripts because
you are not allowed to refer to any other tool, like automated
scanners, in the report.

● Use the bruteforce.py tool for brute force attacks.
● Use the performbase64 file to encode/decode a value to Base64.
● Use the hashid.py and checkhash.py files to decode any hash values.
● If you need, you can also refer to the Hashing exercise's workspace present in one of the previous lessons to decode the hash value.
● You can also find the test-password.txt and test-username.txt in the folder; use these when you need a password or a username list.

Instructions
If you go to the Web Application Environment page, you will find
a pre-setup environment for you to analyze the web application.
Setting up your env is as simple as initiating the application and
then using the “Start App” button. To view the website, you will
need to click the “Open App” button.

Tips
1. Break into the application: Start with breaking into the application using the brute force approach.

2. As soon as you break into the application, explore the different areas in the application to see what vulnerabilities you can find.
a. Profile
b. Customers
c. Users

3. Profile Section: Visit the profile section, and try various measures just like an attacker.
a. See if you can abuse the input fields.
b. Examine the Cookie to notice any sensitive data.
c. Try to elevate your role to Admin. Remember, it becomes easier to make attacks such as SQLi only after becoming an Admin.
d. If you succeed in elevating your role to Admin, it will prove multiple other vulnerabilities.

Tips
4. Customer Section: Once you possess Admin access to the application, the next thing you would want to do is obtain the details of all the customers.
a. SQLi could be your preferred choice of attack to view customers' details.
b. If you can view any customer's details, then you'd look for any sensitive data, such as login credentials.

5. Users:
a. As an attacker, your next step would be to fetch sensitive data for all the users.
b. See if you can abuse the query string params.

Important

You might think that you don't need to log or track security items
that are "similar". But make sure that you track all of them so that
the developer/tester can fix/verify the issue properly.

Section Three:
Security Report

Security Report

In the following slides, you need to provide a detailed report of six different types of vulnerabilities you found in the web application. The slides are named for each issue, so it is clear what to put where. For the walkthrough part, you can add as many slides as you see fit after the slide that identifies the issue.

Your report has to include at least one finding of these vulnerabilities: Broken Authentication, XSS, Broken Access, Sensitive Data Exposure, SQLi.

For each identified issue, include the following components:

● Severity: Assign a severity level to the issue.
● OWASP TOP 10 Reference: Specify the relevant OWASP TOP
10 issue reference (can be 2017 or 2021).
● Vulnerability Explanation: Clearly explain the specific
vulnerability you discovered in the web application.
● Recommendation: Provide a high-level recommendation on
how to fix the issue. This should not be a step-by-step guide
but rather a strategic approach to remediation.
● Steps to Reproduce the Issue: Detail the process of replicating
the vulnerability. Include:
○ A written walkthrough of each step.
○ Annotated screenshots to support your explanation.

Important Considerations
● Accuracy in Severity and OWASP Reference: Accurately
identify the severity and corresponding OWASP TOP 10
reference. Common mistakes include incorrectly assigning
severity levels and misidentifying the OWASP category.
Remember, not every issue is Critical or High; prioritize
accurately to help developers focus their efforts effectively.
● Contextual Vulnerability Description: Describe the
vulnerability as it specifically pertains to the web application
you are testing. Do not provide a generic description.
● Detailed Reproduction Steps: Ensure your steps to
reproduce the issue are comprehensive. Use a combination
of clear writing and annotated screenshots to guide the
reader through the process. Assume the reader may not have
advanced security or technical knowledge.
● You are only allowed to use the provided scripts. Using or
referring to automated scanners is not an acceptable
solution.
● The template slides are named, but they are not necessarily in
order!
● There are a total of 13 vulnerabilities on the server. For a
standout project, include more than the required 5
vulnerabilities in your report!
● There is an example slide that uses an imaginary SSRF
vulnerability but without the step-by-step walkthrough.
EXAMPLE FOR THE REPORT

Server-Side Request Forgery (SSRF)

Severity: High

OWASP TOP 10 reference: A10:2021-Server-Side Request Forgery (SSRF)

Vulnerability Explanation

The web application includes a URL preview feature that allows users to
input a URL to fetch and display a preview of the linked content. The
feature does not properly validate or sanitize user input, allowing an
attacker to craft requests to internal systems or third-party services. This
can result in the exposure of sensitive internal information, unauthorized
access to internal services, and potential exploitation of internal network
vulnerabilities.

Remediation recommendation

Implement strict input validation and whitelisting to ensure that only trusted URLs can be accessed and previewed. Use network segmentation to limit the application's ability to make requests to internal resources.

EXAMPLE FOR THE REPORT

Broken Authentication

Severity: High

OWASP TOP 10 reference: A2:2017-Broken Authentication

Vulnerability Explanation

Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens.

Remediation recommendation

● Where possible, implement multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential reuse attacks.
● Do not ship or deploy with any default credentials, particularly for admin users.
● Implement weak-password checks, such as testing new or changed passwords against a list of the top 10000 worst passwords.
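Two of the controls listed above are simple enough to show in code. The added example below (not the project's or the application's code) implements a weak-password check against a denylist and a per-account failure counter that locks the account for a cooling-off period, which is what blunts the brute-force approach the project's own tips describe. The six-entry WEAK_PASSWORDS set is a constructed stand-in for the real top-10000 list, and the policy numbers (12-character minimum, 5 failures, 15-minute lockout) are assumptions to be tuned per deployment.

```python
import time

# Constructed stand-in for the "top 10000 worst passwords" list; a real
# deployment loads the full list from a file at startup.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "admin", "letmein", "welcome"}
MIN_LENGTH = 12   # assumed policy value


def password_problems(password, username=""):
    """Return the policy violations for a new or changed password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears in the weak-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


class LoginThrottle:
    """Count failed logins per account and lock the account after a threshold.

    The clock is injectable so the lockout window can be tested without
    sleeping; production code keeps the default time.monotonic.
    """

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}   # username -> (count, time of first failure)

    def is_locked(self, username):
        count, since = self._failures.get(username, (0, 0.0))
        if count < self.max_failures:
            return False
        if self.clock() - since >= self.lockout_seconds:
            del self._failures[username]   # window expired, start afresh
            return False
        return True

    def record_failure(self, username):
        # Called only after a password check fails; the check itself should
        # be skipped entirely while is_locked() is True.
        count, since = self._failures.get(username, (0, self.clock()))
        self._failures[username] = (count + 1, since)

    def record_success(self, username):
        self._failures.pop(username, None)


if __name__ == "__main__":
    print(password_problems("password"))
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    for _ in range(3):
        throttle.record_failure("alice")
    print("locked:", throttle.is_locked("alice"))
```

A pure per-account lockout lets an attacker lock legitimate users out on purpose, so in practice it is paired with per-source-IP rate limiting and with MFA, which removes most of the value of a guessed password in the first place.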

On the following slide(s) provide the steps to reproduce the vulnerability, using a combination of writing and annotated screenshots.
Broken Authentication
Provide a step-by-step walkthrough with annotated screenshots. You can
add as many slides as you need!
Cross-Site Scripting (XSS)
Severity: [Write the level here]

OWASP TOP 10 reference: [TOP 10 issue reference]

Vulnerability Explanation

[Explain the vulnerability that you found]

Remediation recommendation

[Provide a high-level recommendation on how best to fix the issue]

On the following slide(s) provide the steps to reproduce the vulnerability, using a combination of writing and annotated screenshots.
Cross-Site Scripting (XSS)
Provide a step-by-step walkthrough with annotated screenshots. You can
add as many slides as you need!
Broken Access
Severity: [Write the level here]

OWASP TOP 10 reference: [TOP 10 issue reference]

Vulnerability Explanation

[Explain the vulnerability that you found]

Remediation recommendation

[Provide a high-level recommendation on how best to fix the issue]

On the following slide(s) provide the steps to reproduce the vulnerability, using a combination of writing and annotated screenshots.
Broken Access
Provide a step-by-step walkthrough with annotated screenshots. You can
add as many slides as you need!
Sensitive Data Exposure
Severity: [Write the level here]

OWASP TOP 10 reference: [TOP 10 issue reference]

Vulnerability Explanation

[Explain the vulnerability that you found]

Remediation recommendation

[Provide a high-level recommendation on how best to fix the issue]

On the following slide(s) provide the steps to reproduce the vulnerability, using a combination of writing and annotated screenshots.
Sensitive Data Exposure
Provide a step-by-step walkthrough with annotated screenshots. You can
add as many slides as you need!
SQLi
Severity: [Write the level here]

OWASP TOP 10 reference: [TOP 10 issue reference]

Vulnerability Explanation

[Explain the vulnerability that you found]

Remediation recommendation

[Provide a high-level recommendation on how best to fix the issue]

On the following slide(s) provide the steps to reproduce the vulnerability, using a combination of writing and annotated screenshots.
SQLi
Provide a step-by-step walkthrough with annotated screenshots. You can
add as many slides as you need!
