SecurityFirst Competition v2.1

Competition Information

Background

Objectives

Rules

Reference

Users

Goals

Walkthrough

Foreword

Section 1:  Gaining Access to the Database

Section 2:  Logging In As a Customer

Section 3:  Stealing the Money

Section 4:  Leaving a Mark

Competition Information

Background

This competition is a reincarnation of previous efforts at UNCC to provide students with an engaging, hands-on test of their knowledge.  An older project, CyberWars, was used for years as a final project in Vulnerability Assessment and System Assurance to test student’s knowledge of network and operating system security.  However, when the decision was made to split the course into two separate classes, one of which focusing specifically on web-based vulnerabilities, a replacement competition was needed.  Although the initial iteration of SecurityFirst was too simple and unrealistic, inspiration was drawn from UCSB’s annual International CTF competition in 2008.  Using those design ideas as a starting point, construction of this version of SecurityFirst began.

Objectives

The overarching objective presented to contestants of this competition is to be the first to log in as a financial manager and transfer funds between the two specified accounts.  In order to do this, contestants must find and exploit various web-based vulnerabilities as they work toward their ultimate goal.  As a secondary objective, each vulnerability discovered and successfully exploited earns them points.

By default, the accounts for the transfer are listed below.  The amount transferred is unimportant and any number will be fine as the transfer is only simulated.

Source account:                   109762820
Destination account:          110806729

During the competition you may need to crack MD5-hashed passwords you find. A script, md5crack, has been provided for attempting to brute-force MD5 password hashes. Simply enter “md5crack” in a terminal to see the help guide with examples. Because brute-forcing can be a long and time-consuming process, the following hints are given:

  1. One of the users has a weak password that is no longer than 3 characters.
  2. His or her password contains lowercase letters.

Use these hints when running md5crack. Remember, cracking a password isn’t the only way into an account. Good luck!

Rules

  1. The scope of the competition is discovering and exploiting web-based vulnerabilities of the SecurityFirst web application. Contestants are urged to use the phpMyAdmin and SquirrelMail web applications where applicable, but attacking these is against the rules.
  2. Outside the use of the provided password cracking tool, brute-force tools or methods are forbidden. Running scripts to attempt to log into any services will be considered an attempted denial of service attack and the contestant will be penalized or disqualified.
  3. The competition application is designed for use with multiple concurrent users and should not allow cross-contestant attacking. However, directly attacking other contestants by means outside of the web application is prohibited.
  4. Periodically judges may ask for you to demonstrate a vulnerability that you previously exploited. This is not social engineering; this is normal.
  5. Developing exercises like this one is very time consuming and many times the same competition is used multiple semesters, so please do not disclose vulnerabilities or hints to others.

Reference

SecurityFirst Users

Username   Password      Name            E-mail Address             Secret    Role
tdunlin    G7qD3!Lv      Thomas Dunlin   tdunlin@fakemail.com       Grant     Customer
khill      1cDz@oni      Kaitlin Hill    khill@fakemail.com         Craig     Customer
smaslov    Ix0nW!Nr      Sonya Maslov    smaslov@fakemail.com       Panin     Customer
fsmith     red           Frank Smith     fsmith@securityfirst.com   Dunn      Site Admin
xwang      y@k6cQtj      Xu Wang         xwang@securityfirst.com    Zheng     Site Admin
rscott     H9c!pJ6b      Roger Scott     rscott@securityfirst.com   Heifner   Financial Manager

MySQL Users

Username        Password
login_manager   23sk!d0o
competition     H4v3fo0n
root            Sunr!se49ers

System/Email Users

Username   Password
hacker     1234
sfadmin    Sunr!se49ers

 

Goals

ID    Location                                       Type                                     Points
100   /site/login.jsp                                Source Code Disclosure                   10
101   /site/login.jsp                                SQL Injection                            25
102   /site/login.jsp                                Insecure Authentication                  30
103   /site/login.jsp                                Cross-Site Scripting                     45
110   /site/faq.jsp                                  Source Code Disclosure                   10
111   /site/faq.jsp                                  Directory Traversal via Filter Evasion   25
112   /site/faq.jsp                                  Filter Evasion                           20
113   /site/faq.jsp                                  Denial of Service                        60
120   Database                                       Insecure Cryptographic Storage           25
200   /customers/editcomment.jsp                     Request Variable Manipulation            15
201   /customers/editcomment.jsp                     Cross-Site Scripting                     10
300   /secure/siteadmin/index.jsp                    Weak Password Hash Cracking              30
310   /secure/siteadmin/active_users.jsp             Session Hijacking                        35
400   /secure/financial_manager/transfer_funds.jsp   Weak Password Management Policy          75
                                                     Total:                                   415

 

Goal 100

By removing one or both of the POST request variables (“username” and “password”), an unhandled exception is thrown.  The result of this NullPointerException is that a small portion of the relevant page code is displayed via a standard Tomcat 500 error page.  The benefit of the displayed code is learning the location of the include file that contains the database connection credentials.  This should be used in conjunction with Goals 111 and 112.

Goal 101

This is a simple SQL injection vulnerability that allows a user to enter a basic login-bypass injection (e.g. ' OR 'a'='a) in order to log in as a user.  More advanced injections allow the user to log in as a specific user rather than just the first in the database.  This only gives access to a customer’s account and not to a higher-privileged account (admins and managers must log in through /secure/login.jsp).

Goal 102

Because the login page simply hashes the password without any salting before sending it to the server, a password hash found in the database can be replayed with a tool like Tamper Data that modifies POST request variables after the form submit takes place.  This requires having already gained access to the MySQL database.  If real victim users were using this web application on your network, it would also be possible to obtain a hash by packet sniffing their login attempts.
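Goals 101 and 102 share one root cause: the login handler trusts what the browser sends, both as SQL text and as the credential itself. The following Python model is an added example, not code from the competition guide or from the SecurityFirst JSP application; its schema, column names and the in-memory SQLite database are assumptions standing in for the real MySQL tables. It shows the vulnerable login (string-concatenated query, stored unsalted MD5 equal to the transmitted value) beside a hardened one (parameterised query, server-side salted PBKDF2), using the three customer accounts from the reference table as constructed sample rows.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

PBKDF2_ROUNDS = 100_000  # assumed work factor for the hardened table

# Constructed sample rows: the three customer accounts listed in the reference table.
CUSTOMERS = [("tdunlin", "G7qD3!Lv"), ("khill", "1cDz@oni"), ("smaslov", "Ix0nW!Nr")]


def md5_hex(text: str) -> str:
    """What the login page's client-side script transmits instead of the password."""
    return hashlib.md5(text.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL database (assumed schema, not the real one)."""
    conn = sqlite3.connect(":memory:")
    # Legacy table: the stored value is exactly the unsalted MD5 the browser sends.
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password_hash TEXT, role INTEGER)")
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, 0)",
                     [(u, md5_hex(p)) for u, p in CUSTOMERS])
    # Hardened table: per-user random salt, server-side PBKDF2 digest of the real password.
    conn.execute("CREATE TABLE users_v2 (id INTEGER PRIMARY KEY, username TEXT, "
                 "salt BLOB, digest BLOB)")
    for u, p in CUSTOMERS:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, PBKDF2_ROUNDS)
        conn.execute("INSERT INTO users_v2 (username, salt, digest) VALUES (?, ?, ?)",
                     (u, salt, digest))
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password_field: str) -> List[str]:
    """Models Goals 101 and 102: both fields are concatenated into the SQL, and the
    stored value is the same unsalted MD5 the browser transmits.  Returns every
    username the query matches; the application would log in as the first one."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, password_field))
    return [row[0] for row in conn.execute(sql).fetchall()]


def hardened_login(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterised lookup plus server-side salted PBKDF2: the injection string is
    just data, and a row copied out of the database is not a usable credential."""
    row = conn.execute("SELECT salt, digest FROM users_v2 WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return username if hmac.compare_digest(candidate, stored) else None


if __name__ == "__main__":
    db = build_db()
    print("bypass matches:", vulnerable_login(db, "x", "' OR 'a'='a"))
    print("replayed hash:", vulnerable_login(db, "khill", md5_hex("1cDz@oni")))
    print("hardened, real password:", hardened_login(db, "khill", "1cDz@oni"))
    print("hardened, replayed hash:", hardened_login(db, "khill", md5_hex("1cDz@oni")))
```

The bypass string turns the WHERE clause into `username = 'x' AND password_hash = '' OR 'a'='a'`, which is true for every row, so the legacy query returns all three customers and the application picks the first. In the hardened version the same string is bound as a parameter and simply fails to match, and the legacy hash, even when read straight out of the database, is rejected because the server hashes the submitted password itself with a per-user salt.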

Goal 103

Upon failing to log in correctly on the login page, users are informed that their activity has been logged.  This log is viewed by site admins at /secure/siteadmin/logviewer.jsp.  The log entries for failed log-ins contain the username of the attempted log-in, and because these are neither filtered nor encoded on entering the server or on being displayed on the log viewer page, this provides an XSS or XSRF injection point.

Goal 110

By removing the “topic” URL variable, an unhandled exception is thrown.  The result of this NullPointerException is that a small portion of the relevant page code is displayed via a standard Tomcat 500 error page.  The benefit of the displayed code is learning the input filtering code in order to find a way to evade it more easily.  This should be used in conjunction with Goals 111 and 112.

Goal 111

The “topic” URL variable’s value is filtered by replacing any instance of “../” with an empty string to prevent directory traversal.  Because this replacement is not recursive, supplying “....//” causes the filter to remove the inner-most “../” and leave the remaining “../” intact.  This should be used in conjunction with Goal 112.

Goal 112

The “topic” URL variable’s value is appended with “.html”.  By placing a question mark at the end of the original variable’s value, the appended “.html” appears to be part of the query portion of the included URL (e.g. “index.jsp?” becomes “index.jsp?.html”).
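Goals 111 and 112 are both failures of the same idea: trying to sanitise a path by editing the string instead of checking where the final path ends up. The Python below is an added example, not the FAQ page's own JSP code; `FAQ_ROOT` is an assumed location for the topic files and the allow-list pattern is an assumption. The vulnerable function reproduces the disclosed filter (one non-recursive strip of “../” and an unconditional “.html” suffix); the hardened one never rewrites the input, canonicalises the resulting path, requires it to stay directly under the FAQ directory, and allow-lists the file name so that “?” and other URL metacharacters never reach the include.

```python
import posixpath
import re
from typing import Optional

# Assumed directory the FAQ page reads topic files from (not stated in the guide).
FAQ_ROOT = "/site/faq"


def vulnerable_topic_path(topic: str) -> str:
    """Model of the filter disclosed by Goal 110: a single, non-recursive
    removal of '../' followed by an unconditional '.html' suffix.
    Returns the path the page would try to include."""
    stripped = topic.replace("../", "")  # '....//' loses its middle '../' and becomes '../'
    return stripped + ".html"            # 'index.jsp?' becomes 'index.jsp?.html'


def hardened_topic_path(topic: str) -> Optional[str]:
    """Hardened replacement.  Do not 'repair' the input: canonicalise the final
    path, require it to remain a direct child of FAQ_ROOT, then allow-list the
    file name.  Returns the path to include, or None to refuse the request."""
    candidate = posixpath.normpath(posixpath.join(FAQ_ROOT, topic)) + ".html"
    if posixpath.dirname(candidate) != FAQ_ROOT:
        # '../index.jsp' canonicalises to /site/index.jsp.html; '....//index.jsp'
        # stays inside a sub-directory literally named '....'.  Both are refused.
        return None
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.html", posixpath.basename(candidate)):
        # 'index.jsp?' becomes 'index.jsp?.html', which the allow-list refuses.
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: a legitimate topic plus the evasions described in the guide.
    for topic in ["passwords", "../index.jsp", "....//index.jsp", "....//index.jsp?"]:
        print("%-22r vulnerable -> %-28s hardened -> %s"
              % (topic, vulnerable_topic_path(topic), hardened_topic_path(topic)))
```

Because the hardened check judges the canonical result rather than the characters of the input, it also refuses the self-include used for Goal 113 (“faq.jsp?” fails the allow-list, “....//faq.jsp?” fails the directory check), so the nesting loop can never start.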

Goal 113

By instructing the FAQ page to include itself, an infinite loop occurs as the server continuously nests pages.  This causes a denial of service, and with multiple threads started on this process the server will crash quickly.

Goal 120

The “users” table in the MySQL database stores the secret (mother’s maiden name) in Base64 format.  This is used to verify that a forgotten-password restoration request is coming from the account owner.  Because Base64 is just an encoding method and not encryption or hashing, any user with access to the MySQL database can easily decode the secrets and is then able to reset the password and have the new one sent to the owner’s e-mail.  This alone will not allow access to the account, since contestants do not have access to the account owners’ e-mail inboxes.
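To make the difference between encoding and one-way storage concrete, here is an added Python example (not code from the guide or the application). It reproduces the Base64 “protection” described above and recovers the secret from the stored value, then shows the hardened alternative: normalise the answer and store only a salted PBKDF2 digest, so a copy of the table no longer reveals anyone's secret. The work factor and normalisation rule are assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

PBKDF2_ROUNDS = 100_000  # assumed work factor


def legacy_store_secret(secret: str) -> str:
    """How the guide describes the 'secret' column: Base64 of the plain text."""
    return base64.b64encode(secret.encode()).decode()


def legacy_recover_secret(stored: str) -> str:
    """Anyone who can read the column can do this; Base64 is reversible by design."""
    return base64.b64decode(stored).decode()


def normalise(secret: str) -> bytes:
    """Treat 'Heifner', ' heifner ' and 'HEIFNER' as the same answer before hashing,
    so the hardened check is no stricter for the genuine owner than the old one."""
    return " ".join(secret.split()).lower().encode()


def hardened_store_secret(secret: str) -> Tuple[bytes, bytes]:
    """Store a random per-record salt and a PBKDF2 digest; the secret itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(secret), salt, PBKDF2_ROUNDS)
    return salt, digest


def hardened_verify_secret(answer: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for the submitted answer and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalise(answer), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample: the financial manager's secret from the reference table.
    stored = legacy_store_secret("Heifner")
    print("legacy column value:", stored, "-> decodes to", legacy_recover_secret(stored))
    salt, digest = hardened_store_secret("Heifner")
    print("hardened column value:", digest.hex())
    print("owner's answer accepted:", hardened_verify_secret(" heifner ", salt, digest))
    print("wrong answer accepted:", hardened_verify_secret("Dunn", salt, digest))
```

Hashing the secret removes the database-read-to-reset path, but a mother's maiden name remains a low-entropy, guessable value; the digest only buys time, so the reset flow should also rate-limit attempts and notify the address on file.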

Goal 200

By modifying the “id” variable when attempting to edit a comment for a transaction, a user is able to post the comment for any transaction.  Essentially, the “id” variable is not checked to verify that the user actually owns the transaction it is associated with.

Goal 201

The transaction comments are neither filtered nor encoded upon entering into the server or being displayed on the transaction page.  This allows for an easy XSS or XSRF injection point.
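Goals 200 and 201 live on the same page, so one added example covers both (Python standing in for the JSP; the transactions table and its columns are assumptions, and the rows are constructed). The vulnerable handler trusts the “id” from the form action and never asks who is logged in; the hardened handler takes the user from the server-side session and scopes the UPDATE to rows that user owns, treating zero affected rows as “not yours”. Rendering then HTML-encodes the stored comment so it is displayed rather than executed.

```python
import html
import sqlite3
from typing import Optional


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the transactions table (assumed schema, constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (id INTEGER PRIMARY KEY, owner TEXT, comment TEXT)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", [
        (1, "tdunlin", "rent"), (2, "tdunlin", "groceries"),
        (3, "khill", "car payment"), (4, "smaslov", "tuition"),
    ])
    return conn


def vulnerable_edit_comment(conn: sqlite3.Connection, txn_id: int, comment: str) -> bool:
    """Goal 200: the id taken from the form action is trusted and ownership is never
    checked, so any logged-in customer can rewrite any transaction's comment."""
    cur = conn.execute("UPDATE transactions SET comment = ? WHERE id = ?", (comment, txn_id))
    return cur.rowcount == 1


def hardened_edit_comment(conn: sqlite3.Connection, session_user: str,
                          txn_id: int, comment: str) -> bool:
    """The user comes from the server-side session, never from the request, and the
    UPDATE is scoped to that user's rows.  Zero affected rows means 'not yours'."""
    cur = conn.execute("UPDATE transactions SET comment = ? WHERE id = ? AND owner = ?",
                       (comment, txn_id, session_user))
    return cur.rowcount == 1


def render_comment(conn: sqlite3.Connection, txn_id: int) -> Optional[str]:
    """Goal 201 fix: encode on output, so stored text is shown and not interpreted."""
    row = conn.execute("SELECT comment FROM transactions WHERE id = ?", (txn_id,)).fetchone()
    return None if row is None else "<td>%s</td>" % html.escape(row[0], quote=True)


def edit_and_render(session_user: str, txn_id: int, comment: str) -> Optional[str]:
    """Round trip through the hardened handler: returns the rendered cell, or None
    when the edit was refused because the transaction belongs to someone else."""
    conn = build_db()
    if not hardened_edit_comment(conn, session_user, txn_id, comment):
        return None
    return render_comment(conn, txn_id)


if __name__ == "__main__":
    payload = '<script>alert("hi")</script>'  # the probe used in the walkthrough
    print("vulnerable edit of another user's row:", vulnerable_edit_comment(build_db(), 3, payload))
    print("hardened edit of another user's row:", edit_and_render("tdunlin", 3, payload))
    print("hardened edit of own row, rendered:", edit_and_render("tdunlin", 2, payload))
```

Checking `rowcount` after a scoped UPDATE is the simplest correct ownership test: there is no separate SELECT that could disagree with the write, and a forged id yields nothing to update. Output encoding belongs at render time regardless of any input filtering, since the same text may later be shown in other pages or by other code paths.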

Goal 300

The only method of initially gaining access to the /secure/siteadmin/ area of the site is by logging in through /secure/login.jsp with correct site admin credentials.  In order to do this, one needs the username and password.  The username is easily obtainable once the contestant has gained access to the MySQL database, but the password hash must be cracked.  The contestant must run the password hashes through a password cracking tool or an online rainbow table.

Goal 310

The active_users.jsp page shows a list of all active sessions, including username, e-mail address, role, and last activity time.  Session IDs are shown as well, but are censored for contestants to prevent cross-contestant hacking and cheating.  One user, “rscott”, a financial manager, is hard-coded to always have an active session.  By modifying their session cookie to the session ID listed for rscott, contestants can gain access to the financial manager’s already logged-in account.
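Two design mistakes make Goal 310 possible: an administrative page that displays the raw cookie value, and a session that never expires. The added Python session store below (not the application's code; the idle timeout and the eight-character fingerprint length are assumptions) shows the defensive shape: unguessable IDs, an idle expiry so no session is permanently active, rotation of the ID on login or privilege change, and an active-users view that exposes only a truncated hash of the ID, which is enough for an administrator to correlate entries but useless as a cookie.

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional

SESSION_TTL = 15 * 60  # assumed idle timeout in seconds


class SessionStore:
    """Minimal server-side session table keyed by the cookie value."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, username: str, role: str, now: Optional[float] = None) -> str:
        """Issue a fresh, random session ID (never derived from the user or the time)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "role": role,
                               "last": time.time() if now is None else now}
        return sid

    def rotate(self, old_sid: str, now: Optional[float] = None) -> Optional[str]:
        """Replace the ID on login or privilege change and retire the old one,
        so an ID observed earlier stops working."""
        data = self._sessions.pop(old_sid, None)
        if data is None:
            return None
        return self.create(data["user"], data["role"], now)

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a cookie to a username, dropping sessions idle longer than SESSION_TTL."""
        now = time.time() if now is None else now
        data = self._sessions.get(sid)
        if data is None:
            return None
        if now - data["last"] > SESSION_TTL:
            del self._sessions[sid]
            return None
        data["last"] = now
        return data["user"]

    def active_users_view(self) -> List[dict]:
        """What an active-users page should show: user, role and a short fingerprint
        of the ID for correlation, never the cookie value itself."""
        return [{"user": d["user"], "role": d["role"],
                 "session": hashlib.sha256(sid.encode()).hexdigest()[:8]}
                for sid, d in self._sessions.items()]


def demo_session_lifecycle() -> dict:
    """Exercise the store with a constructed clock; returns the properties checked."""
    store = SessionStore()
    sid = store.create("rscott", "Financial Manager", now=1000.0)
    view = store.active_users_view()
    new_sid = store.rotate(sid, now=1001.0)
    return {
        "view_hides_id": all(sid not in str(entry) for entry in view),
        "old_id_dead": store.lookup(sid, now=1002.0) is None,
        "new_id_live": store.lookup(new_sid, now=1002.0) == "rscott",
        "expires_idle": store.lookup(new_sid, now=1002.0 + SESSION_TTL + 1) is None,
    }


if __name__ == "__main__":
    for name, ok in demo_session_lifecycle().items():
        print("%-14s %s" % (name, ok))
```

The fingerprint is a one-way hash of the ID, so publishing it does not hand out the cookie; an administrator who needs to terminate a session can do so by fingerprint on the server side without ever seeing the raw value.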

Goal 400

There is technically no vulnerability on this page, but in order to successfully transfer funds, the manager account’s password must be re-entered and thus known by the contestant.  To gather this information, contestants must first gain access to the manager’s account using Goal 310, change the e-mail address to their own, log out, and then use the “forgot my password” feature (Goal 120).

Walkthrough

Foreword

This guide assumes that you are using the SecurityFirst distributed VM and have made no modifications to any part of the system.  This includes web applications, databases, and client configurations.  Because the scores and database system are persistent through reboot, it is preferable to make a “clean” copy or snapshot of the VM before beginning to work on the exercises.

To get started, log into the operating system with the username “hacker” and password “1234”.  Once logged in, open Firefox and navigate to the SecurityFirst website using the provided bookmark.  If prompted, enter your name to track your score.

Section 1:  Gaining Access to the Database

Goal 100:  Source Code Disclosure #1

  1. Log out if you are already logged in as a user.
  2. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’.
  3. Open the Tamper Data extension for Firefox and click ‘Start Tamper’.
  4. In the login form on the page, type a few letters or numbers into both the username and password field and click ‘Submit’.
  5. Tamper Data should pop up and ask you what action you would like to take. Uncheck ‘Continue Tampering’ and click the button labeled ‘Tamper’.
  6. On the right side of the following window, right-click on either the username or password element and select ‘Delete Element’.
  7. Click the ‘Ok’ button at the bottom of the window to submit the tampered request. This should display a Tomcat error page with a portion of the JSP page’s code shown.
  8. Note the include statement for file “includes/database_info.jspf”.

Goal 110:  Source Code Disclosure #2

  1. Navigate to ‘/site/faq.jsp’ by clicking the “Frequently Asked Questions” link on the left side of the page.
  2. Modify the URL in the address bar so there is no longer a parameter named “topic”.
  3. Press Enter after modifying the URL to request the new page.  This should display a Tomcat error page with a portion of the JSP page’s code shown.
  4. Note the String replace function that removes any occurrence of “../” from the “topic” parameter.

Goal 111 and 112:  Local File Inclusion via Filter Evasion

  1. Navigate to ‘/site/faq.jsp’ by clicking the “Frequently Asked Questions” link on the left side of the page.
  2. Modify the URL in the address bar so the “topic” parameter is set to: ....//index.jsp. The URL should be: jsp?topic=....//index.jsp
  3. Press Enter after modifying the URL to request the new page.  This should display an error message stating that “/site/index.jsp.html” could not be found.
  4. Modify the URL in the address bar so the “topic” parameter is set to: ....//index.jsp?. The URL should be: jsp?topic=....//index.jsp?
  5. Press Enter after modifying the URL to request the new page. This should display the index page nested inside of the FAQ page.

Putting It All Together

  1. Navigate to ‘/site/faq.jsp’ by clicking the “Frequently Asked Questions” link on the left side of the page.
  2. Modify the URL in the address bar so the “topic” parameter is set to: ....//includes/database_info.jspf?
  3. Press Enter after modifying the URL to request the new page. This should display the contents of the database include file.
  4. Note the database username and password.
  5. Using the Firefox bookmark, navigate to phpMyAdmin (http://securityfirst.com/phpmyadmin/)
  6. Log in with the username and password you just discovered.

 

Section 2:  Logging In As a Customer

Goal 101:  SQL Injection

  1. Log out if you are already logged in as a user.
  2. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’.
  3. Open the Tamper Data extension for Firefox and click ‘Start Tamper’.
  4. In the login form on the page, type a few letters or numbers into both the username and password field and click ‘Submit’.
  5. Tamper Data should pop up and ask you what action you would like to take. Uncheck ‘Continue Tampering’ and click the button labeled ‘Tamper’.
  6. On the right side of the following window, change the contents of the ‘password’ textbox from the MD5 hash to the following: ' OR 'a'='a
  7. Click the ‘Ok’ button at the bottom of the window to submit the tampered request. This should log you into the first user in the database, Thomas Dunlin.

Goal 102:  MD5 Hash Replay

  1. Log in to phpMyAdmin using the method at the end of Section 1.
  2. On the left menu, choose the SecurityFirst database, followed by the ‘users’ table.
  3. Select “Browse” from the list of tabs at the top of the page.
  4. Note the list of users displayed below, along with their password hashes and other information. Pick one of the users with a “role” of 0, and copy their password hash to your clipboard.
  5. Return to the SecurityFirst web application or open it in a new window or tab.
  6. Log out if you are already logged in as a user.
  7. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’.
  8. Open the Tamper Data extension for Firefox and click ‘Start Tamper’.
  9. In the login form on the page, type a few letters or numbers into both the username and password field and click ‘Submit’.
  10. Tamper Data should pop up and ask you what action you would like to take. Uncheck ‘Continue Tampering’ and click the button label ‘Tamper’.
  11. On the right side of the following window, change the contents of the ‘username’ textbox to the username of the chosen user account from the MySQL database in step 4. Also change the ‘password’ textbox to the password hash of the chosen user account.  If you copied this data to your clipboard you can simply paste it.
  12. Click the ‘Ok’ button at the bottom of the window to submit the tampered request. This should log you into the customer account you chose.

Section 3:  Stealing the Money

Goal 300:  Weak Password Hash Cracking

  1. Log in to phpMyAdmin using the method at the end of Section 1.
  2. On the left menu, choose the SecurityFirst database, followed by the users table.
  3. Select “Browse” from the list of tabs at the top of the page.
  4. Note the list of users displayed below, along with their password hashes and other information. Copy the password hash of “Frank Smith” to your clipboard.
  5. Open a terminal and type the following (replace <hash> with the hash in your clipboard by right-clicking on the window and pasting): md5crack a 1 3 <hash>
  6. Press enter to begin the cracking process.
  7. When the password is found, go back to the SecurityFirst login page and log out if needed. Log in as “fsmith” using the password.  After you are redirected to the secure page, do the same again.

Goal 310:  Session Hijacking

  1. Navigate to ‘/secure/siteadmin/active_users.jsp’ by clicking the “Site Administrative Panel” button at the bottom-right of the page, followed by the “Active Sessions” link.
  2. Copy the Session ID of “rscott” to the clipboard.
  3. On the Firefox toolbar, select Tools, followed by Cookie Editor.
  4. Find and select the JSESSIONID cookie for the host “securityfirst.com”. Click the “Edit” button to modify the cookie.
  5. Remove the contents of the “Content” text box and paste the Session ID you copied into the box. Click “Save”.
  6. Close the Cookie Editor window.
  7. Refresh the current page or navigate to another.
  8. Note that you are now user “rscott”.

Goal 120:  Insecure Cryptographic Storage

  1. As user “rscott”, click “Change E-mail Address” on the right-side menu.
  2. Enter “hacker@hacker.com”. Click “Submit” to change the email address.
  3. Click the “Logout” button on the right-side menu.
  4. Log in to phpMyAdmin using the method at the end of Section 1.
  5. On the left menu, choose the SecurityFirst database, followed by the users table.
  6. Select “Browse” from the list of tabs at the top of the page.
  7. Note the list of users displayed below, along with their password hashes and other information. Copy the Base64 encoded secret of “Roger Scott” to your clipboard.
  8. Press F9 on your keyboard to open the HackBar extension in Firefox. Click the “Encoding” menu button, followed by the “Base64 Decode” item.
  9. In the window that appears, remove “String to use” from the textbox and paste the Base64 encoded secret you copied previously. Click the “Ok” button.
  10. The resulting string is placed in the HackBar textarea. Select and copy it to the clipboard.

Goal 400:  Weak Password Management Policy

  1. Return to the SecurityFirst web application and navigate to ‘/site/index.jsp’. Ensure you are logged out.
  2. Under the login form on the right-hand side of the page, click the “here” link.
  3. In the form provided, enter “rscott” in the username textbox and paste the decoded secret into the “Mother’s maiden name” textbox.
  4. Click “Submit”. A message should appear, informing you that a password reset mail has been sent to the account owner’s e-mail address.
  5. Using the Firefox bookmark, navigate to SquirrelMail (http://hacker.com/mail/)
  6. Log in with “hacker” as the username and “1234” as the password.
  7. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’. Enter the username as “rscott” and paste the password you received into the password textbox.  After you are redirected to the secure page, do the same again.
  8. Navigate to ‘/secure/financial_manager/transfer_funds.jsp’ by clicking the “Financial Manager’s Panel” button at the bottom-right of the page, followed by the “Transfer Funds” link.
  9. Enter “109762820” and “110806729” into the source account and destination account textboxes respectively. Enter any positive number into the amount textbox, 500.00 for example.  Paste the password for “rscott” into the password box.  Click the “Submit” button to transfer the funds.

Section 4:  Leaving a Mark

Goal 201:  Cross-Site Scripting

  1. Log in as a customer-role user using a method from Section 2.
  2. Navigate to ‘/customer/editcomment.jsp’ by clicking the ‘View Recent Transactions’ button, followed by the ‘details’ link for one of the transactions, and finally the ‘edit comment’ link.
  3. In the textbox on the page, enter <script>alert("hi")</script> and click ‘Submit’.
  4. When the transaction page loads, you should see an alert box appear.

Goal 200:  Request Variable Manipulation

  1. Log in as a customer-role user using a method from Section 2.
  2. Navigate to ‘/customer/editcomment.jsp’ by clicking the ‘View Transactions’ button, followed by the ‘details’ link for one of the transactions, and finally the ‘edit comment’ link.
  3. On the very bottom-right edge of the Firefox window, click the icon that resembles a bug to open the FireBug pane.
  4. Click the “Inspect” button at the top of the FireBug pane. With the Inspecting option toggled on, click the comment textbox on the page.
  5. Find the following line in the FireBug pane (the number may be different).
    <form method="post" action="?id=1">
  6. Click on the “?id=1” portion of the textarea. In the mini-textbox that opens, change the number to another number (higher than 4).  Press “Enter” to close the mini-textbox.
  7. Click the FireBug icon on the bottom-right of Firefox to close the window pane.
  8. Click the “Submit” button on the page.

Goal 103:  Log Poisoning

  1. Log out if you are already logged in as a user.
  2. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’.
  3. In the login form on the page, enter <script>alert("hi")</script> into the username field and click ‘Submit’.
  4. Click the ‘Ok’ button at the bottom of the window to submit the tampered request.
  5. If this is your first time scoring this goal, enter ‘/secure/siteadmin/logviewer.jsp’ (no quotes) in the goal score page to answer the question correctly. Submit the form.
  6. Log in as a siteadmin-role user using the password discovered for Goal 300 in Section 3.
  7. Navigate to ‘/secure/siteadmin/logviewer.jsp’.
  8. When the log viewer page loads, you should see an alert box appear.

Goal 113:  Crashing the Web Server

  1. Navigate to ‘/site/faq.jsp’ by clicking the “Frequently Asked Questions” link on the left side of the page.
  2. Modify the URL in the address bar so the “topic” parameter is set to: ....//faq.jsp? The URL should be: jsp?topic=....//faq.jsp?
  3. Press Enter after modifying the URL to request the new page. This should display three nested FAQ pages.
  4. Note that if this were unchecked, the server would continue processing this until it ran out of memory and crashed.

Leave a Reply

Your email address will not be published. Required fields are marked *

SecurityFirst Competition v2.1

Competition Information. 1

Background. 1

Objectives. 1

Rules. 2

Reference. 3

Users. 3

Goals. 3

Walkthrough. 6

Forward. 6

Section 1:  Gaining Access to the Database. 6

Section 2:  Logging In As a Customer. 7

Section 3:  Stealing the Money. 8

Section 4:  Leaving a Mark. 9

Competition Information

Background

This competition is a reincarnation of previous efforts at UNCC to provide students with an engaging, hands-on test of their knowledge.  An older project, CyberWars, was used for years as a final project in Vulnerability Assessment and System Assurance to test student’s knowledge of network and operating system security.  However, when the decision was made to split the course into two separate classes, one of which focusing specifically on web-based vulnerabilities, a replacement competition was needed.  Although the initial iteration of SecurityFirst was too simple and unrealistic, inspiration was drawn from UCSB’s annual International CTF competition in 2008.  Using those design ideas as a starting point, construction of this version of SecurityFirst began.

Objectives

The overarching objective presented to contestants of this competition is to be the first to log in as a financial manager and transfer funds between the two specified accounts.  In order to do this, contestants must find and exploit various web-based vulnerabilities as they work toward their ultimate goal.  As a secondary objective, each vulnerability discovered and successfully exploited earns them points.

By default, the accounts for the transfer are listed below.  The amount transferred is unimportant and any number will be fine as the transfer is only simulated.

Source account:                   109762820
Destination account:          110806729

During the competition you may need to crack MD5-hashed passwords you find. A script, md5crack, has been provided for attempting to brute-forcing crack MD5 password hashes. Simply enter “md5crack” in a terminal to see the help guide with examples. Because brute-forcing can be a long and time consuming process, the following hints are given:

  1. One of the users has a weak password that is no longer than 3 characters.
  2. His or her password contains lowercase letters

Use these hints when running md5crack. Remember, cracking a password isn’t the only way into an account. Good luck!

Rules

  1. The scope of the competition is discovering and exploiting web-based vulnerabilities of the SecurityFirst web application. Contestants are urged to use the phpMyAdmin and SquirrelMail web applications where applicable, but attacking these is against the rules.
  2. Outside the use of the provided password cracking tool, brute-force tools or methods are forbidden. Running scripts to attempt to log into any services will be considered an attempted denial of service attack and the contestant will be penalized or disqualified.
  3. The competition application is designed for use with multiple concurrent users and should not allow cross-contestant attacking. However, directly attacking other contestants by means outside of the web application is prohibited.
  4. Periodically judges may ask for you to demonstrate a vulnerability that you previously exploited. This is not social engineering; this is normal.
  5. Developing exercises like this one is very time consuming and many times the same competition is used multiple semesters, so please do not disclose vulnerabilities or hints to others.

Reference

SecurityFirst Users

UsernamePasswordNameE-mail AddressSecretRole
tdunlinG7qD3!LvThomas Dunlintdunlin@fakemail.comGrantCustomer
khill1cDz@oniKaitlin Hillkhill@fakemail.comCraigCustomer
smaslovIx0nW!NrSonya Maslovsmaslov@fakemail.comPaninCustomer
fsmithredFrank Smithfsmith@securityfirst.comDunnSite Admin
xwangy@k6cQtjXu Wangxwang@securityfirst.comZhengSite Admin
rscottH9c!pJ6bRoger Scottrscott@securityfirst.comHeifnerFinancial Manager

MySQL Users

UsernamePassword
login_manager23sk!d0o
competitionH4v3fo0n
rootSunr!se49ers

System/Email Users

UsernamePassword
hacker1234
sfadminSunr!se49ers

 

Goals

IDLocationTypePoints
100/site/login.jspSource Code Disclosure10
101/site/login.jspSQL Injection25
102/site/login.jspInsecure Authentication30
103/site/login.jspCross-Site Scripting45
110/site/faq.jspSource Code Disclosure10
111/site/faq.jspDirectory Traversal via Filter Evasion25
112/site/faq.jspFilter Evasion20
113/site/faq.jspDenial of Service60
120DatabaseInsecure Cryptographic Storage25
200/customers/editcomment.jspRequest Variable Manipulation15
201/customers/editcomment.jspCross-Site Scripting10
300/secure/siteadmin/index.jspWeak Password Hash Cracking30
310/secure/siteadmin/active_users.jspSession Hijacking35
400/secure/financial_manager/

transfer_funds.jsp

Weak Password Management Policy75
Total:415

 

100

By removing one or both of the POST request variables (“username” and “password”), an un-handled exception is thrown.  The result of this NullPointerException is the displaying of a small portion of the relevant page code via a standard Tomcat 500 Error page.  The benefit of the displayed code is to learn the location of the include file that contains the database connection credential information.  This should be used in conjunction with Goals 111 and 112.

101

This is a simple SQL Injection vulnerability that allows a user to enter a basic login bypass SQL Injection (e.g. ‘ OR ‘a’=’a) in order to login as a user.  More advanced injections will allow the user to attempt to log into a specific user and not just the first in the database.  This will only allow access a customer’s account and not to a higher-privileged account (admins and managers must log in through the /secure/login.jsp).

102

Because the login page simply hashes the password without any salting before sending it to the server, a password hash found in the database could be replayed with a tool like Tamper Data that modifies POST request variables after the form submit takes place.  This requires successfully gaining access to the MySQL database.  If real victim users were using this web application on your network, it would be possible to obtain a hash by packet sniffing their login attempts.

103

Upon failing to correctly log in on the  login page, users are informed that their activity has been logged.  This log is viewed by site admins at /secure/siteadmin/logviewer.jsp.  The log entries for failed log-ins contains the username of the attempted log-in and because these are neither filtered nor encoded upon entering into the server or being displayed on the log viewer page, this allows for an XSS or XSRF injection point.

110

By removing the “topic” URL variable, an un-handled exception is thrown.  The result of this NullPointerException is the displaying of a small portion of the relevant page code via a standard Tomcat 500 Error page.  The benefit of the displayed code is to learn the input filtering code to more easily find a way to evade it.  This should be used in conjunction with Goals 111 and 112.

111

The “topic” URL variable’s value is filtered to replace any instance of “../” with a blank string to prevent directory traversal.  Because this process is not recursive, by using “….//” the filter will remove the inner-most “../” and leave the remaining “../” intact.  This should be used in conjunction with Goal 112.

112

The “topic” URL variable’s value is appended with “.html”.  By placing a question mark at the end of the original variable’s value, the appended “.html” appears to be part of the query portion of the included URL (e.g. “index.jsp?” becomes “index.jsp?.html”).

113

By instructing the FAQ page to include itself, an infinite loop occurs as the server tries to continuously nest pages.  This causes a denial of service and with multiple threads started on this process, the server will crash quickly.

120

The “users” table in the MySQL database stores the secret (mother’s maiden name) in Base64 format.  This is used to verify that the forgotten password restoration request is coming from the account owner.  Because Base64 is just an encoding method and not encryption or hashing, any user with access to the MySQL database can decode the secrets easily and are able to reset the password and have the new one sent to the owner’s e-mail.  This alone will not allow access to the account since contestants do not have access to the account owners’ e-mail inboxes.

200

By modifying the “id” variable when attempting to edit a comment for a transaction, a user is able to post the comment for any transaction.  Essentially, the “id” variable is not checked to verify that the user actually owns the transaction it is associated with.

201

The transaction comments are neither filtered nor encoded upon entering into the server or being displayed on the transaction page.  This allows for an easy XSS or XSRF injection point.

300

The only method of initially gaining access to the /secure/siteadmin/ area of the site is by logging-in through the /secure/login.jsp with correct site admin credentials.  In order to do this, one needs the username and password.  The username is easily obtainable after the contestant has gain access to the MySQL database, but the password hash must be cracked.  The contestant must run the password hashes through a password cracking tool or an online rainbow table.

Goal 310

The active_users.jsp page shows a list of all active sessions, including username, e-mail address, role, and last activity time.  Session IDs are shown as well, but are censored for contestants to prevent cross-contestant hacking and cheating.  One user, “rscott”, a financial manager, is hard-coded to always have an active session.  By changing their own session cookie to the session ID listed for rscott, contestants can gain access to the financial manager’s already logged-in account.

Goal 400

There is technically no vulnerability on this page, but in order to successfully transfer funds, the manager account’s password must be re-entered and thus known by the contestant.  To gather this information, contestants must first gain access to the manager’s account using Goal 310, change the e-mail address to their own, log out, and then use the “forgot my password” feature (Goal 120).

Walkthrough

Foreword

This guide assumes that you are using the SecurityFirst distributed VM and have made no modifications to any part of the system.  This includes web applications, databases, and client configurations.  Because the scores and database system are persistent through reboot, it is preferable to make a “clean” copy or snapshot of the VM before beginning to work on the exercises.

To get started, log into the operating system with the username “hacker” and password “1234”.  Once logged in, open Firefox and navigate to the SecurityFirst website using the provided bookmark.  If prompted, enter your name to track your score.

Section 1:  Gaining Access to the Database

Goal 100:  Source Code Disclosure #1

  1. Log out if you are already logged in as a user.
  2. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’.
  3. Open the Tamper Data extension for Firefox and click ‘Start Tamper’.
  4. In the login form on the page, type a few letters or numbers into both the username and password field and click ‘Submit’.
  5. Tamper Data should pop up and ask what action you would like to take. Uncheck ‘Continue Tampering’ and click the button labeled ‘Tamper’.
  6. On the right side of the following window, right-click on either the username or password element and select ‘Delete Element’.
  7. Click the ‘Ok’ button at the bottom of the window to submit the tampered request. This should display a Tomcat error page with a portion of the JSP page’s code shown.
  8. Note the include statement for file “includes/database_info.jspf”.

Goal 110:  Source Code Disclosure #2

  1. Navigate to ‘/site/faq.jsp’ by clicking the “Frequently Asked Questions” link on the left side of the page.
  2. Modify the URL in the address bar so there is no longer a parameter named “topic”.
  3. Press Enter after modifying the URL to request the new page.  This should display a Tomcat error page with a portion of the JSP page’s code shown.
  4. Note the String replace function that removes any occurrence of “../” from the “topic” parameter.

Goal 111 and 112:  Local File Inclusion via Filter Evasion

  1. Navigate to ‘/site/faq.jsp’ by clicking the “Frequently Asked Questions” link on the left side of the page.
  2. Modify the URL in the address bar so the “topic” parameter is set to: ....//index.jsp. The URL should be: jsp?topic=....//index.jsp
  3. Press Enter after modifying the URL to request the new page.  This should display an error message stating that “/site/index.jsp.html” could not be found.
  4. Modify the URL in the address bar so the “topic” parameter is set to: ....//index.jsp?. The URL should be: jsp?topic=....//index.jsp?
  5. Press Enter after modifying the URL to request the new page. This should display the index page nested inside of the FAQ page.
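The filter noted in Goal 110 and the two bypasses above, reproduced as an added Python example (not code from the SecurityFirst VM, whose pages are JSP): the naive version strips “../” once and appends “.html”, the hardened version allowlists the topic name and re-checks the resolved path. The directory layout under /var/www/site is an assumption made for the example. The same allowlist refuses “.jsp” targets, which also closes the self-inclusion loop behind Goal 113.

```python
import os
import re

# Assumed layout for this added example (not the SecurityFirst VM's real paths):
# FAQ topic pages live under FAQ_DIR and are always named "<topic>.html".
SITE_ROOT = "/var/www/site"
FAQ_DIR = os.path.join(SITE_ROOT, "faq")


def naive_topic_path(topic: str) -> str:
    """Mirror the filter seen in Goal 110: strip "../" and append ".html".

    str.replace removes each existing "../" in one left-to-right pass and never
    re-scans, so "....//" collapses to "../" and survives (Goal 111). When the
    result is used as a URL, a trailing "?" turns the appended ".html" into
    query-string noise instead of part of the path (Goal 112).
    """
    cleaned = topic.replace("../", "")
    return os.path.join(FAQ_DIR, cleaned + ".html")


# Allowlist: a topic is a short bare name, never a path, query or extension.
TOPIC_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def safe_topic_path(topic: str):
    """Hardened variant: allowlist the name, then re-check the resolved path.

    Returns the absolute path to serve, or None when the request must be refused.
    The allowlist alone rejects "/", "?" and ".", and therefore both traversal
    and ".jsp" self-inclusion; the normpath containment check is a second line
    of defence in case the allowlist is ever loosened.
    """
    if not TOPIC_RE.fullmatch(topic):
        return None
    candidate = os.path.normpath(os.path.join(FAQ_DIR, topic + ".html"))
    if not candidate.startswith(FAQ_DIR + os.sep):
        return None
    return candidate
```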

Putting It All Together

  1. Navigate to ‘/site/faq.jsp’ by clicking the “Frequently Asked Questions” link on the left side of the page.
  2. Modify the URL in the address bar so the “topic” parameter is set to: ....//includes/database_info.jspf?
  3. Press Enter after modifying the URL to request the new page. This should display the contents of the database include file.
  4. Note the database username and password.
  5. Using the Firefox bookmark, navigate to phpMyAdmin (http://securityfirst.com/phpmyadmin/).
  6. Log in with the username and password you just discovered.


Section 2:  Logging In As a Customer

Goal 101:  SQL Injection

  1. Log out if you are already logged in as a user.
  2. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’.
  3. Open the Tamper Data extension for Firefox and click ‘Start Tamper’.
  4. In the login form on the page, type a few letters or numbers into both the username and password field and click ‘Submit’.
  5. Tamper Data should pop up and ask what action you would like to take. Uncheck ‘Continue Tampering’ and click the button labeled ‘Tamper’.
  6. On the right side of the following window, change the contents of the ‘password’ textbox from the MD5 hash to the following: ' OR 'a'='a
  7. Click the ‘Ok’ button at the bottom of the window to submit the tampered request. This should log you into the first user in the database, Thomas Dunlin.
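The login query behind Goal 101, as an added Python example (not the application's own code) over an in-memory SQLite table of constructed users: the string-built query accepts the quote-breaking password and returns the first row, while the parameterized query treats the same input as data. The table layout and sample users are assumptions.

```python
import hashlib
import sqlite3

# Constructed sample rows for this added example; the real table is not reproduced.
# The application stores MD5 hex digests and the browser submits one as the
# "password" field, so that is what the query compares.
SAMPLE_USERS = [
    ("tdunlin", hashlib.md5(b"sample-pass-1").hexdigest()),  # first row, like Thomas Dunlin
    ("fsmith", hashlib.md5(b"sample-pass-2").hexdigest()),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username: str, password_field: str):
    """String-built query as exploited in Goal 101: the submitted field is spliced
    into the SQL text, so a quote in it changes the statement's structure and
    password='' OR 'a'='a' matches every row; the first row wins."""
    sql = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (
        username, password_field)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username: str, password_field: str):
    """Same lookup with bound parameters: the input is compared as data and the
    injection simply matches nothing. (Comparing a client-supplied MD5 is still
    weak; that is Goal 102 / 300.)"""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password_field),
    ).fetchone()
    return row[0] if row else None
```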

Goal 102:  MD5 Hash Replay

  1. Log in to phpMyAdmin using the method at the end of Section 1.
  2. On the left menu, choose the SecurityFirst database, followed by the ‘users’ table.
  3. Select “Browse” from the list of tabs at the top of the page.
  4. Note the list of users displayed below, along with their password hashes and other information. Pick one of the users with a “role” of 0, and copy their password hash to your clipboard.
  5. Return to the SecurityFirst web application or open it in a new window or tab.
  6. Log out if you are already logged in as a user.
  7. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’.
  8. Open the Tamper Data extension for Firefox and click ‘Start Tamper’.
  9. In the login form on the page, type a few letters or numbers into both the username and password field and click ‘Submit’.
  10. Tamper Data should pop up and ask what action you would like to take. Uncheck ‘Continue Tampering’ and click the button labeled ‘Tamper’.
  11. On the right side of the following window, change the contents of the ‘username’ textbox to the username of the chosen user account from the MySQL database in step 4. Also change the ‘password’ textbox to the password hash of the chosen user account.  If you copied this data to your clipboard you can simply paste it.
  12. Click the ‘Ok’ button at the bottom of the window to submit the tampered request. This should log you into the customer account you chose.

Section 3:  Stealing the Money

Goal 300:  Weak Password Hash Cracking

  1. Log in to phpMyAdmin using the method at the end of Section 1.
  2. On the left menu, choose the SecurityFirst database, followed by the users table.
  3. Select “Browse” from the list of tabs at the top of the page.
  4. Note the list of users displayed below, along with their password hashes and other information. Copy the password hash of “Frank Smith” to your clipboard.
  5. Open a terminal and type the following (replace <hash> with the hash in your clipboard by right-clicking on the window and pasting): md5crack a 1 3 <hash>
  6. Press enter to begin the cracking process.
  7. When the password is found, go back to the SecurityFirst login page and log out if needed. Log in as “fsmith” using the password.  After you are redirected to the secure page, do the same again.

Goal 310:  Session Hijacking

  1. Navigate to ‘/secure/siteadmin/active_users.jsp’ by clicking the “Site Administrative Panel” button at the bottom-right of the page, followed by the “Active Sessions” link.
  2. Copy the Session ID of “rscott” to the clipboard.
  3. On the Firefox toolbar, select Tools, followed by Cookie Editor.
  4. Find and select the JSESSIONID cookie for the host “securityfirst.com”. Click the “Edit” button to modify the cookie.
  5. Remove the contents of the “Content” text box and paste the Session ID you copied into the box. Click “Save”.
  6. Close the Cookie Editor window.
  7. Refresh the current page or navigate to another.
  8. Note that you are now user “rscott”.

Goal 120:  Insecure Cryptographic Storage

  1. As user “rscott”, click “Change E-mail Address” on the right-side menu.
  2. Enter “hacker@hacker.com”. Click “Submit” to change the email address.
  3. Click the “Logout” button on the right-side menu.
  4. Log in to phpMyAdmin using the method at the end of Section 1.
  5. On the left menu, choose the SecurityFirst database, followed by the users table.
  6. Select “Browse” from the list of tabs at the top of the page.
  7. Note the list of users displayed below, along with their password hashes and other information. Copy the Base64 encoded secret of “Roger Scott” to your clipboard.
  8. Press F9 on your keyboard to open the HackBar extension in Firefox. Click the “Encoding” menu button, followed by the “Base64 Decode” item.
  9. In the window that appears, remove “String to use” from the textbox and paste the Base64 encoded secret you copied previously. Click the “Ok” button.
  10. The resulting string is placed in the HackBar textarea. Select and copy it to the clipboard.
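The storage weaknesses behind Goals 102, 300 and 120, with the corrective, as an added Python example rather than the application's code: Base64 is decodable by anyone who reads the table, and a stored unsalted MD5 is both quick to brute-force and usable as the login credential itself; storing a salted PBKDF2 hash and verifying the plaintext server-side addresses all three. The record format and iteration count are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed record format for this added example; the SecurityFirst schema is not
# reproduced. ITERATIONS is a work factor, deliberately costly unlike plain MD5.
ITERATIONS = 200_000


def decode_stored_secret(b64_secret: str) -> str:
    """Goal 120: Base64 is an encoding, so anyone who reads the row gets the
    secret back verbatim."""
    return base64.b64decode(b64_secret).decode()


def hash_secret(plaintext: str, salt: bytes = b"") -> str:
    """Store a password or recovery answer as salted PBKDF2-HMAC-SHA256.

    A per-record random salt defeats rainbow tables (Goal 300) and the
    iteration count makes guessing slow; the stored string is useless as a
    login credential by itself (Goal 102) because the server hashes what the
    client sends rather than trusting a client-computed digest.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_secret(stored: str, supplied_plaintext: str) -> bool:
    """Server-side check against the stored record, with a constant-time compare."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", supplied_plaintext.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def normalize_answer(answer: str) -> str:
    """Recovery answers get case and whitespace normalisation before hashing so
    the owner's honest answer still matches."""
    return " ".join(answer.casefold().split())
```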

Goal 400:  Weak Password Management Policy

  1. Return to the SecurityFirst web application and navigate to ‘/site/index.jsp’. Ensure you are logged out.
  2. Under the login form on the right-hand side of the page, click the “here” link.
  3. In the form provided, enter “rscott” in the username textbox and paste the decoded secret into the “Mother’s maiden name” textbox.
  4. Click “Submit”. A message should appear, informing you that a password reset mail has been sent to the account owner’s e-mail address.
  5. Using the Firefox bookmark, navigate to SquirrelMail (http://hacker.com/mail/).
  6. Log in with “hacker” as the username and “1234” as the password.
  7. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’. Enter the username as “rscott” and paste the password you received into the password textbox.  After you are redirected to the secure page, do the same again.
  8. Navigate to ‘/secure/financial_manager/transfer_funds.jsp’ by clicking the “Financial Manager’s Panel” button at the bottom-right of the page, followed by the “Transfer Funds” link.
  9. Enter “109762820” and “110806729” into the source account and destination account textboxes respectively. Enter any positive number into the amount textbox, 500.00 for example.  Paste the password for “rscott” into the password box.  Click the “Submit” button to transfer the funds.

Section 4:  Leaving a Mark

Goal 201:  Cross-Site Scripting

  1. Log in as a customer-role user using a method from Section 2.
  2. Navigate to ‘/customer/editcomment.jsp’ by clicking the ‘View Recent Transactions’ button, followed by the ‘details’ link for one of the transactions, and finally the ‘edit comment’ link.
  3. In the textbox on the page, enter <script>alert("hi")</script> and click ‘Submit’.
  4. When the transaction page loads, you should see an alert box appear.

Goal 200:  Request Variable Manipulation

  1. Log in as a customer-role user using a method from Section 2.
  2. Navigate to ‘/customer/editcomment.jsp’ by clicking the ‘View Transactions’ button, followed by the ‘details’ link for one of the transactions, and finally the ‘edit comment’ link.
  3. On the very bottom-right edge of the Firefox window, click the icon that resembles a bug to open the FireBug pane.
  4. Click the “Inspect” button at the top of the FireBug pane. With the Inspecting option toggled on, click the comment textbox on the page.
  5. Find the following line in the FireBug pane (the number may be different).
    <form method="post" action="?id=1">
  6. Click on the “?id=1” portion of the textarea. In the mini-textbox that opens, change the number to another number (higher than 4).  Press “Enter” to close the mini-textbox.
  7. Click the FireBug icon on the bottom-right of Firefox to close the window pane.
  8. Click the “Submit” button on the page.

Goal 103:  Log Poisoning

  1. Log out if you are already logged in as a user.
  2. Navigate to either ‘/site/index.jsp’ or ‘/site/login.jsp’.
  3. In the login form on the page, enter <script>alert("hi")</script> into the username field and click ‘Submit’.
  4. Click the ‘Ok’ button at the bottom of the window to submit the tampered request.
  5. If this is your first time scoring this goal, enter ‘/secure/siteadmin/logviewer.jsp’ (no quotes) in the goal score page to answer the question correctly. Submit the form.
  6. Log in as a siteadmin-role user using the password discovered for Goal 300 in Section 3.
  7. Navigate to ‘/secure/siteadmin/logviewer.jsp’.
  8. When the page loads, you should see an alert box appear.
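The two defects behind Goals 200, 201 and 103, with the corresponding checks, as an added Python example (not the SecurityFirst code): the comment handler verifies that the transaction belongs to the session user before honouring the request's “id”, and HTML encoding is applied where comments and logged usernames are rendered. The transaction table is constructed sample data.

```python
import html

# Constructed sample data for this added example (not the SecurityFirst schema):
# transaction id -> owning customer and their free-text comment.
TRANSACTIONS = {
    1: {"owner": "tdunlin", "comment": ""},
    2: {"owner": "tdunlin", "comment": ""},
    5: {"owner": "fsmith", "comment": ""},
}


def update_comment(session_user: str, txn_id: int, comment: str) -> bool:
    """Goal 200 fix: the "id" from the request is honoured only when that row
    belongs to the logged-in user. The raw text is stored; encoding is an
    output concern, applied in the renderers below."""
    txn = TRANSACTIONS.get(txn_id)
    if txn is None or txn["owner"] != session_user:
        return False
    txn["comment"] = comment
    return True


def render_comment(txn_id: int) -> str:
    """Goal 201 fix: HTML-encode at the point of output so markup in a comment
    is displayed as text rather than parsed by the browser."""
    return "<td>%s</td>" % html.escape(TRANSACTIONS[txn_id]["comment"], quote=True)


def render_log_line(username: str, outcome: str) -> str:
    """Goal 103 has the same root cause in the log viewer: the attempted
    username is attacker-controlled and must be encoded before it is embedded
    in the admin page, whatever the log file itself contains."""
    return "<li>login %s for user %s</li>" % (html.escape(outcome), html.escape(username))
```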

Goal 113:  Crashing the Web Server

  1. Navigate to ‘/site/faq.jsp’ by clicking the “Frequently Asked Questions” link on the left side of the page.
  2. Modify the URL in the address bar so the “topic” parameter is set to: ....//faq.jsp? The URL should be: jsp?topic=....//faq.jsp?
  3. Press Enter after modifying the URL to request the new page. This should display three nested FAQ pages.
  4. Note that if this were unchecked, the server would continue processing the nested includes until it ran out of memory and crashed.
