Midlands Testers Meetup – The Dark Side of the Web

After a long time, I felt the adrenaline rush of being a speaker again, and it was exceptional. Yes, I am speaking about the Midlands Testers Meetup that took place in Solihull in the United Kingdom.

How did I end up in Midlands Testers Meetup?

I was invited to do a Security Testing Workshop at TestBash Brighton. Once the news was out, I got an invite from the Midlands Testers Meetup organisers Ranjit and Raji. I had never met these folks before, but knew them through Twitter (social media). I knew that Ranjit was always keen on getting me to the UK to speak with testers and share my knowledge of testing. Like they say, everything happens at the right time; and the right time happened to be March 2017 🙂 I humbly accepted the invite and then submitted a description of my talk, which Ranjit and Raji had requested so they could put it on Meetup.com and advertise it to get RSVPs.

I also created a poster with the help of my creative designer (Ajay S Menon), and the poster looked like this:

The Day: March 28, 2017 (How did the day start?)

My dearest friend Tracy Stevenson joined me at the meetup and I thank her very much for travelling with me on the train (from Eastleigh to Solihull) and not letting me feel lonely. I enjoyed speaking with her on the train, with jokes and some interesting topics. We arrived at the Ramada Hotel at noon and decided to spend some time pampering ourselves at the Top Nail Shop and Kings Barbers (we loved this barber shop in Solihull). We had to be at the venue, the bar of the Ramada Hotel, by 06:15 PM. I was hungry after a great haircut and a luxury hot towel shave 😉 We ordered some food and then Ranjit, Raji and the other testers (participants) joined us at the bar. I exchanged a few words with the testers and then headed out for a quick smoke with Tracy before my talk. My talk started at 07:00 PM.

Key points of my talk

  • Started my talk by “WOW”ing the participants with some live hacking
  • Demonstrated server side hacks
  • Demonstrated the usage of security testing tools, mainly BurpSuite, the Mantra Web Browser, nmap and some addons
  • Cracked some jokes about security in between and made the participants laugh
  • Simple versus complex – We did a “crack / guess the password” exercise.
  • The feedback from the testers was amazing. They loved every bit of my talk and were satisfied.
  • After my talk, the participants wanted to talk more with me and I gave them all my time. (I do not feel like having food when testers are around me. I am excited to talk to testers because I can eat food anytime :D)
  • Some of the participants requested a full-day security testing workshop and they were ready to pay (I am thinking about it).
  • Thanks to Ranjit, Raji and Matt (sponsor) for being so welcoming and sweet.

I wish to do some workshops and speak at Midlands Testers whenever I am in the United Kingdom / Solihull.


SECURITY TESTING TOOL-SET FOR NEWBIES

  • nmap – Scan ports and identify the ports that have to be closed or filtered. I insist on having them “filtered” rather than “closed”. I used nmap on testinsane.com and here is the result. (Note that you have to get the IP address of the website you intend to scan. The IP address can be retrieved from your terminal with “ping website-name”. Once you see the IP address, use “sudo nmap -sS website-ip-address”.)

santhoshs-air:~ santhoshshivanandtuppad$ sudo nmap -sS 143.95.75.172
Password:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-21 16:46 GMT
Nmap scan report for ip-143-95-75-172.iplocal (143.95.75.172)
Host is up (0.12s latency).
Not shown: 983 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
26/tcp   open  rsftp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
554/tcp  open  rtsp
587/tcp  open  submission
990/tcp  open  ftps
993/tcp  open  imaps
995/tcp  open  pop3s
1433/tcp open  ms-sql-s
3306/tcp open  mysql
7070/tcp open  realserver

Nmap done: 1 IP address (1 host up) scanned in 8.32 seconds
santhoshs-air:~ santhoshshivanandtuppad$


Applause – uTest – Hacked Admin Panel – AUTHORIZATION ATTACK (OWASP TOP 10)

Steps that I performed to find this AUTHORIZATION Vulnerability in Applause / uTest

#1 Log in to my tester account using my credentials

#2 Go to the “Change Password” feature

#3 Enter my new password

(Before I submit the form, I open the Network tab from the Developer Tools in Mozilla Firefox)

#4 I submit the “Change Password” form

#5 I see a PUT request to the accountinfo page (this is the request that changes the password).

(I click “Edit and Resend” on the “accountinfo” request in order to edit the request body)

#6 I see my own user id, and I replace the ID and email with Peter Shih’s (I knew his email address because it is available to uTest testers. But how did I find his user ID? Well, uTest recently released a social networking feature where you can visit any tester’s or staff member’s profile. It was interesting to see that the profile picture tag contained the user id. This was the case for every user of the uTest platform. I right-clicked on Peter Shih’s profile picture and clicked “Inspect Element” to find the user id in the HTML tag).

#7 I submit the new request and see that the request is successful.

#8 Later, I go to the login form and enter Peter Shih’s email address and the password that I had set for him. In the video, you can see that I successfully logged in to Peter Shih’s account, which had the admin role.

HIGHLIGHTS / RISKS

#1 Admin accounts should always use an email address which is not shared with any user (it is good to have a secret email account for admin logins. Do not use an email address which is known by many people on the web, and don’t use a known email address to create an admin account).

#2 Never put your user ids in client-side code or in the request body. Sensitive data has to be encrypted well, so that it is hard to decode using online decoders.

#3 As I could replace the id and change the password of anyone on the uTest platform, I could have written an automation script to change the password of every user, using the ids fetched from the profile picture HTML tag of all users. In short, I could have blocked all users on the uTest platform and stopped the uTest services for a long time by scheduling a script to keep changing their passwords every 30 minutes. But I did not do that, because I love helping global businesses protect their users’ data and bringing security awareness to business people.
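As an added illustration (not uTest’s code), here is the flaw from the steps above written as a change-password handler in two versions: one that trusts the id sent in the PUT body, and one that takes the identity only from the server-side session and re-checks the current password. The user table, ids and passwords are constructed.

```python
# Added example, not the uTest/Applause code. A change-password handler written
# two ways. The vulnerable version authorises on body["id"], which the client
# controls, so anyone who knows another user's id can reset that user's
# password. The hardened version ignores the id/email in the body, uses the
# logged-in session's identity and requires the current password.
import hashlib
import hmac

def _hash(password: str, salt: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

# Constructed user table (id -> record); ids, emails and passwords are placeholders.
USERS = {
    101: {"email": "tester@example.test", "role": "tester", "salt": "s1", "pw": ""},
    7:   {"email": "admin@example.test",  "role": "admin",  "salt": "s2", "pw": ""},
}
USERS[101]["pw"] = _hash("tester-pass", "s1")
USERS[7]["pw"] = _hash("admin-pass", "s2")

def verify(user_id: int, password: str) -> bool:
    """Constant-time check of a password against the stored salted hash."""
    u = USERS[user_id]
    return hmac.compare_digest(_hash(password, u["salt"]), u["pw"])

def change_password_vulnerable(session: dict, body: dict) -> str:
    """The flaw described in the steps: the target account is whatever id the
    request body names, regardless of who is logged in."""
    target = body["id"]                       # attacker-controlled
    USERS[target]["pw"] = _hash(body["new_password"], USERS[target]["salt"])
    return "ok"

def change_password_hardened(session: dict, body: dict) -> str:
    """The target is the session's user. A body id that differs from it is
    refused (and is worth logging: it is a strong sign of tampering), and the
    caller must prove knowledge of the current password."""
    target = session["user_id"]               # server-controlled
    if "id" in body and body["id"] != target:
        return "forbidden"
    if not verify(target, body.get("current_password", "")):
        return "forbidden"
    USERS[target]["pw"] = _hash(body["new_password"], USERS[target]["salt"])
    return "ok"
```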

I am the #CleanWebMovement

Email transcript (The email that I sent to Applause team)

Santhosh said,

Hey Peter & Bryan,

Yes brother, it’s been a long time. I may fly to New York sometime in May to speak at a security conference (maybe we can catch up for a beer and testing talks).

===============

Here are the quick details; I need to run to have some beer! 😉

I have attached a video (GIF format). If your engineering team needs more information even after looking into the video attachment, then let me know 🙂 I will be here to help you with more details.

@Peter, please change your password now. I used your ID to analyze the risk and I did not want to use some other user’s ID because that may cause problems for your users. It’s a critical vulnerability: I could log in to your profile and from there I would be able to perform all the admin actions. It’s in the video, you can see it.

I insist that this needs to be taken as high priority for the fix. You never know, black-hats may be looking for such things always!

Thanks for the e-mail, it was great to hear from you after a long time 🙂

Take care!

— Santhosh Tuppad
Testing is Exploratory!

Peter replied,

Thanks for sending this over. Definitely let me know the days you are planning to speak and I’ll do my best to make it! I met your colleagues last year and it would be great to finally meet you.

@Bryan – feel free to get in contact with Santhosh directly. He’s an awesome tester.

I also re-tested the vulnerability and found that it was fixed. It was great working with the Applause / uTest team, where I could help them fix this security vulnerability.

SECURITY TESTING – GET STARTED!

CHECKLIST FOR DEVELOPERS AND TESTERS

If you have been thinking of starting security testing as a programmer or tester, here is a basic checklist to get started. Look below!

  • Make sure the robots.txt file doesn’t give away sensitive URLs like /admin, /administration, /admin.aspx, /administratorLogin/index.php or any other file that leads a malicious user to the administrator login form.
  • Make sure your 403 pages are shown as 404 on the front-end, without giving the hacker a hint about the sensitivity of the webpage.
  • Mask your server details like Apache / PHP / ASP, which give hints about the server and the programming languages used. Also mask the version number of your server and of the programming language used.
  • Add HTTPS / an SSL certificate if your website has money transactions or authentication pages.
  • Make sure server side validation is implemented for every form field. For instance: on the client side there is JS code that stops you from entering a DOB of 31/Feb/1999, but a malicious hacker can bypass JS client-side validation using an addon like “Tamper Data” and submit the invalid DOB to the server. This shouldn’t be possible, and server side validation is important for every form field.
  • Make sure the 404 page is implemented securely. Try URLs like http://example.com/page-that-doesnt-exist, http://example.com/example/hey.asdf, http://example.com//hello//..//whatsup, http://subdomaindoesntexist.example.com, and more combinations. Sometimes the webpage displays sensitive data if the server doesn’t know how to handle a particular URL type.
  • Make sure unnecessary ports that are not being used are closed or set as filtered. I recommend “filtered” instead of “closed”. The only ports that I think should be open are 80 and 443 (80 = HTTP | 443 = HTTPS).
  • Make sure directory listing is set to OFF. This is one place which can look like a great treasure if directory listing is set to ON.
  • If you are using a framework like Django or any other development framework, make sure DEBUG is turned off before you deploy to the production server.
  • Make sure the session ids are dynamic. You can look at these session ids or cookie ids using the Live HTTP Headers addon on Firefox. Check them without and with a logged-in session to also learn about “session fixation” vulnerabilities.
  • Make sure you have closed the ports which are critical and kept HTTP and HTTPS open (because you want your users to visit your web application or website). I insist on using the “filtered” state instead of “closed” for much better results. You can do the port scanning using nmap (an open-source utility).

Once you install nmap, you can open terminal on Mac (I use Mac currently) and type,

ping website-url

(You will get the IP address of the website)

And then,

sudo nmap -sS IP-address-of-the-website
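As an added example (not from the original post), a small parser for the normal nmap output shown earlier that flags every open port outside the 80/443 allowlist the checklist gives. The scan text is constructed from the output above, with one closed port added so the state column is exercised.

```python
# Added example, not from the original post. Parses the normal-format output of
# "nmap -sS" and reports open ports that the checklist says should be filtered.
import re
from typing import Dict, List, Tuple

ALLOWED_OPEN = {80, 443}          # the only ports the checklist wants open

# Matches port lines such as "21/tcp   open  ftp"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, proto, state, service) for every port line in the output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports

def filtered_count(text: str) -> int:
    """Number of ports nmap reported as filtered in the 'Not shown:' line."""
    m = re.search(r"Not shown: (\d+) filtered ports", text)
    return int(m.group(1)) if m else 0

def unexpected_open(text: str) -> Dict[int, str]:
    """Open ports outside the allowlist, as port -> service name."""
    return {port: svc for port, _proto, state, svc in parse_nmap(text)
            if state == "open" and port not in ALLOWED_OPEN}

# Constructed from the scan in the post; the "25/tcp closed" line is added here
# to show that closed ports are not reported as findings.
SAMPLE_SCAN = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-21 16:46 GMT
Nmap scan report for ip-143-95-75-172.iplocal (143.95.75.172)
Host is up (0.12s latency).
Not shown: 983 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
25/tcp   closed smtp
80/tcp   open   http
443/tcp  open   https
1433/tcp open   ms-sql-s
3306/tcp open   mysql

Nmap done: 1 IP address (1 host up) scanned in 8.32 seconds
"""

if __name__ == "__main__":
    print(f"{filtered_count(SAMPLE_SCAN)} ports filtered")
    for port, service in sorted(unexpected_open(SAMPLE_SCAN).items()):
        print(f"port {port} ({service}) is open but should be filtered")
```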

ENTRY INTO THE HOUSE WITHOUT THE RIGHT KEY!

I am currently in Eastleigh (United Kingdom) and this morning I went to the city centre and visited some shops. I wanted to buy a toy for my friend Mr. Thomas, who is a brilliant human being at the age of 4. It was an impulsive decision born out of my love for Mr. Thomas (the emperor of future goodness). I went into the shop with my wife and my captain Tracy Stevenson to purchase the toy that we had seen through the glass. The toy cost 60 GBP and I thought of using the card carried by my wife Gina Enache. She handed the card over to me and I inserted it into the point of sale device.

After inserting the card, I entered the PIN and the transaction failed with the reason “INSUFFICIENT FUNDS”. This was surprising to me, because my Kotak Credit Card had had sufficient balance before I flew to the UK from India. Anyway, as I had cash as well, I could purchase the toy. I was happy, but I was also wondering about the card’s funds. Later, we walked to a shopping mall where Gina wanted to buy a local SIM card for her phone. Out of curiosity, I wanted to try the same card again for that transaction. I inserted the card and, before I entered the PIN, I saw that it was a debit card and not a credit card (the same card had been used before, and that transaction had failed due to insufficient funds). But wait! When I did the transaction for the first time in the toy shop, I entered the PIN of my Kotak Credit Card for my Kotak Debit Card, and it said INSUFFICIENT FUNDS (which is plausible, because my debit account probably had little or no balance).

Now, my question is: the PIN I entered for the debit card was incorrect (because I thought it was the credit card and punched in the wrong PIN), and still I received the message “INSUFFICIENT FUNDS” on the POS display. How does it authenticate, to even know about “INSUFFICIENT FUNDS”, without the correct PIN for the card?

The logic seems to be: “Without the right PIN, the POS device can get into my account and check the balance?” Creepy!

I think the message I should have received is “INCORRECT PIN” instead of “INSUFFICIENT FUNDS”.

What are your views?

DrLalPathLabs – Admin Form Vulnerable to Brute Force, discovered through the robots.txt file

My email exchange with DrLalPathLabs,


Dear Aman,

This is Santhosh Tuppad (Security Researcher, Author for Security Magazine / Blogs and a fan of #CleanWebMovement). I help website owners protect their customers’ data, and one of my specializations is the #Healthcare sector. I see that most of the healthcare applications in India are vulnerable to attacks, and any minor or major vulnerability has to be fixed in order to protect privacy. This is my fight to secure the world against insecure applications.

# I have also attached my profile so that you know me better and be confident about who you are talking to ( I also connected with you on LinkedIn and sent a request on Facebook ). Thanks!

# The URL to the Proof of Concept / Video: https://drive.google.com/open?id=0BziNB3kxUI6kZURMOHBoX21zTFU (Please watch this and continue reading)

#1 In the video, the hacker (I am demonstrating as a hacker so that it helps you better) tries to gain access to /admin login form. However, he / she fails at DrLalPathLabs as /admin is not the valid URL.

#2 The next step is, the hacker thinks about the /robots.txt page and then tries to crawl the disallowed URLs. Usually, disallowed URLs are sensitive pages, and this is one of the heuristics a hacker uses to find the admin login form or other sensitive pages.

The /robots.txt page provides the URL of admin login form. Woah! This is the first vulnerability as the admin login form doesn’t check for any IP specific access. Anyone across the web globally can access this page with the URL.

#3 Using the /lpladmin/AdminLogin.aspx URL, the hacker sees the login form of admin.

// Risks Associated
## There is no CAPTCHA or any Turing test component for the login form here. It’s a bit ironic that the user login on the homepage and some other forms have CAPTCHA, but the admin login (which is the core of the application) doesn’t have any kind of CAPTCHA.
## Due to there being no CAPTCHA and no IP banning on repeated requests (basically, an IDS, intrusion detection system), a hacker can easily employ a brute-force attack and crack the credentials using Brutus or any other open-source hacker utility. I recommend fixing this as soon as possible. In my experience, it doesn’t take more than 6 hours to crack this using high-end GPUs.
// Counter-measure
## Make sure the URL is not accessible by anyone on the web. Maybe a specific static IP can be used to access the admin form. In that way, we block anyone from accessing the admin to crack the credentials.
## Remove the admin URL from the robots.txt (We don’t want robots / search engine spiders to crawl these because these are confidential. However, we are making it much easier by providing these in robots.txt file). #fail
## For the quicker fix, you may want to add reCAPTCHA by Google to admin login form so that we don’t allow hackers to employ bots to crack credentials. And also, change the URL (Maybe other hackers are aware of this URL by now) and then don’t add it in robots.txt

Well, I got to run to a meeting. I hope this information helps! If you need any more details, I am here to help! And let’s talk once you read this.

9880952643 / And my twitter ID @santhoshst (Just like to share my social media ;-)).
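An added example (not DrLalPathLabs’ code) of the two counter-measures the email above asks for, an IP allowlist in front of the admin form and a lockout after repeated failures, written as a single login function. The allowlisted IP, the admin credential and the clock are constructed.

```python
# Added example, not DrLalPathLabs' code. Server-side gate for an admin login:
# 1) only allowlisted source IPs reach the form at all, and
# 2) after MAX_FAILURES bad attempts (per IP and per account) within
#    LOCKOUT_SECONDS the account is locked, so brute forcing stops being cheap.
# The IP, credential and timestamps are constructed; a real deployment would
# keep the counters in shared storage and alert on every lockout.
import hashlib
import hmac
from collections import defaultdict

ADMIN_ALLOWLIST = {"203.0.113.10"}     # constructed static office IP (TEST-NET-3)
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900

_SALT = b"constructed-salt"            # only a salted hash of the password is stored
ADMIN_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)

_failures = defaultdict(list)          # ("ip", addr) / ("user", name) -> failure times

def _recent_failures(key, now: float) -> int:
    """Drop failures older than the window and return how many remain."""
    _failures[key] = [t for t in _failures[key] if now - t < LOCKOUT_SECONDS]
    return len(_failures[key])

def admin_login(src_ip: str, username: str, password: str, now: float) -> str:
    """Returns 'denied_ip', 'locked', 'failed' or 'ok'. `now` (seconds) is
    passed in so the lockout window can be tested deterministically."""
    if src_ip not in ADMIN_ALLOWLIST:
        return "denied_ip"             # identical reply whether or not the account exists
    keys = (("ip", src_ip), ("user", username))
    if any(_recent_failures(k, now) >= MAX_FAILURES for k in keys):
        return "locked"
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if username == "admin" and hmac.compare_digest(supplied, ADMIN_HASH):
        _failures.pop(("user", username), None)
        return "ok"
    for k in keys:                     # count the failure against both IP and account
        _failures[k].append(now)
    return "failed"
```

The per-account counter also means a remote party could lock the real admin out by guessing badly on purpose, which is why the IP allowlist is checked first and why lockouts should page someone.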