Midlands Testers Meetup – The Dark Side of the Web

After a long time, I happened to feel an adrenaline rush as a speaker, which was exceptional. Yes, I am speaking about the Midlands Testers Meetup that happened in Solihull in the United Kingdom.

How did I end up in Midlands Testers Meetup?

I was invited to do a Security Testing Workshop at TestBash Brighton. Once the news was out, I got an invite from the Midlands Testers Meetup organisers Ranjit and Raji. I had never met these folks before, but knew them through Twitter (social media). I knew that Ranjit was always keen on getting me to the UK in order to speak with testers and share my knowledge in testing. Like they say, everything happens at the right time; and the right time happened to be March 2017 🙂 I humbly accepted the invite and then submitted a description of my talk for the Midlands Testers Meetup, which Ranjit and Raji had requested so they could put it on Meetup.com and advertise it to get RSVPs.

I also created a poster with the help of my creative designer (Ajay S Menon), and the poster looked like this:

The Day: March 28, 2017 (How did the day start?)

My dearest friend Tracy Stevenson joined me at the meetup, and I thank her very much for travelling with me on the train (from Eastleigh to Solihull) and not making me feel lonely. I enjoyed speaking with her on the train, with jokes and some interesting topics. We arrived at the Ramada Hotel at noon and thought of spending time pampering ourselves at the Top Nail Shop and Kings Barbers (we loved this barber shop in Solihull). We had to be at the venue, the bar in the Ramada Hotel, by 06:15 PM. I was hungry after getting a great haircut and a luxury hot towel shave 😉 We ordered some food, and then Ranjit, Raji and other testers (participants) joined us at the bar. I started to exchange some words with testers and then headed out for a quick smoke with Tracy before my talk started. And then my talk started at 07:00 PM.

Key points of my talk

  • Started my talk by “WOW”ing the participants with some live hacking
  • Demonstrated server-side hacks
  • Demonstrated the usage of security testing tools, mainly BurpSuite, the Mantra web browser, nmap and some add-ons
  • Cracked some jokes in between about security and made the participants laugh
  • Simple versus complex – we did a “crack / guess the password” exercise.
  • The feedback from testers was amazing. They loved every bit of my talk and were satisfied.
  • After my talk, the participants wanted to talk more to me and I gave them all my time. (I do not feel like having food when testers are around me. I am excited to talk to testers because I can eat food anytime :D)
  • Some of the participants requested a full-day security testing workshop and they were ready to pay (I am thinking about it).
  • Thanks to Ranjit, Raji and Matt (sponsor) for being so welcoming and sweet.

I wish to do some workshops and speak at Midlands Testers whenever I am in the United Kingdom / Solihull.


SECURITY TESTING TOOL-SET FOR NEWBIE

  • nmap – Scan ports and identify the ports that have to be closed or filtered. I insist on having them “filtered” instead of “closed”. I used nmap on testinsane.com and here is the result. (Note that you have to get the IP address of the website you intend to scan. The IP address can be retrieved with the terminal command “ping website-name”. Once you see the IP address, use “sudo nmap -sS website-ip-address”.)

santhoshs-air:~ santhoshshivanandtuppad$ sudo nmap -sS 143.95.75.172
Password:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-21 16:46 GMT
Nmap scan report for ip-143-95-75-172.iplocal (143.95.75.172)
Host is up (0.12s latency).
Not shown: 983 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
26/tcp   open  rsftp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
554/tcp  open  rtsp
587/tcp  open  submission
990/tcp  open  ftps
993/tcp  open  imaps
995/tcp  open  pop3s
1433/tcp open  ms-sql-s
3306/tcp open  mysql
7070/tcp open  realserver

Nmap done: 1 IP address (1 host up) scanned in 8.32 seconds
santhoshs-air:~ santhoshshivanandtuppad$
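To turn a scan like the one above into something a defender acts on, here is an added Python example (my addition, not a tool from the original post): it parses nmap's normal output, compares every listening TCP port against an allowlist of what the host is supposed to expose, and separates "open but not expected" from "closed but not filtered". The scan text is the one shown above, embedded so the script runs offline; the allowlist (a web-and-mail-only host) is an assumption for illustration.

```python
import re

# Nmap's normal output, copied from the scan shown above (143.95.75.172) and
# embedded here so the checker runs offline against a known input.
NMAP_OUTPUT = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-21 16:46 GMT
Nmap scan report for ip-143-95-75-172.iplocal (143.95.75.172)
Host is up (0.12s latency).
Not shown: 983 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
26/tcp   open  rsftp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
554/tcp  open  rtsp
587/tcp  open  submission
990/tcp  open  ftps
993/tcp  open  imaps
995/tcp  open  pop3s
1433/tcp open  ms-sql-s
3306/tcp open  mysql
7070/tcp open  realserver

Nmap done: 1 IP address (1 host up) scanned in 8.32 seconds
"""

# Assumed allowlist for a host that is meant to serve web and mail only.
# Anything else that answers at all is something to close AND filter.
ALLOWED_TCP = {25, 80, 443, 465, 587, 993, 995}

# One port-table line: "<port>/<proto>  <state>  <service>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open|closed|filtered|unfiltered|open\|filtered)\s+"
    r"(?P<service>\S+)"
)


def parse_ports(output):
    """Return (port, proto, state, service) tuples from nmap's normal output."""
    ports = []
    for line in output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m["port"]), m["proto"], m["state"], m["service"]))
    return ports


def review_exposure(output, allowed=ALLOWED_TCP):
    """Split the scan into two findings lists.

    unexpected_open     : listening services outside the allowlist; stop the
                          service, then filter the port at the firewall.
    closed_not_filtered : ports that answer with a RST (nmap 'closed'); a
                          firewall DROP rule would make them 'filtered',
                          which is the state the section above asks for.
    """
    findings = {"unexpected_open": [], "closed_not_filtered": []}
    for port, proto, state, service in parse_ports(output):
        if proto != "tcp":
            continue
        if state == "open" and port not in allowed:
            findings["unexpected_open"].append((port, service))
        elif state == "closed":
            findings["closed_not_filtered"].append((port, service))
    return findings


if __name__ == "__main__":
    report = review_exposure(NMAP_OUTPUT)
    for port, service in report["unexpected_open"]:
        print(f"{port}/tcp ({service}): open but not on the allowlist -> close and filter")
    for port, service in report["closed_not_filtered"]:
        print(f"{port}/tcp ({service}): closed (answers RST) -> filter instead")
```

Run against the scan above, the allowlist leaves ten ports flagged as unexpected, the two database listeners (1433 and 3306) among them. The "closed" bucket is empty here because the 983 unlisted ports were already filtered; the difference between the two states is that a closed port still reveals the host is there and reachable on that port, while a filtered one gives the scanner nothing to work with.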


Applause – uTest – Hacked Admin Panel – AUTHORIZATION ATTACK (OWASP TOP 10)

Steps that I performed to find this AUTHORIZATION vulnerability in Applause / uTest

#1 Logged in to my tester account using my credentials

#2 Went to the “Change Password” feature

#3 Entered my new password credentials

(Before I submitted the form, I opened the Network tab from Developer Tools in Mozilla Firefox)

#4 I submitted the “Change Password” form

#5 I saw a PUT request for the accountinfo page (this is what changes the password).

(I clicked on “Edit and Resend” for the “accountinfo” request in order to make edits in the request body)

#6 I saw my own user id and I replaced the ID and email with Peter Shih's (I knew his email address because it's available to uTest testers. But how did I find his user ID? Well, uTest had recently released a social networking feature where you can visit any tester's or staff member's profile. It was interesting to see the profile picture tag containing the user id. This was the case for every user of the uTest platform. I right-clicked on Peter Shih’s profile picture and clicked on “Inspect Element” to find the user id in the HTML tag).

#7 I submitted the new request and I saw that the request was successful.

#8 Later, I went to the login form and entered Peter Shih’s email address and the password that I had set for Peter Shih. In the video, you see that I was successful in logging in to Peter Shih’s account, which had the admin role.

HIGHLIGHTS / RISKS

#1 Admin ids should always have an email address which is not shared with any user (it's good to have a secret email account for admin login. Do not use an email id which is known by many people on the web, and don’t use a known email to create an admin account).

#2 Never put your user ids in client-side code or the request body. Sensitive data has to be encrypted very well and be hard to decode using online decoders.

#3 As I could replace the id and change the password for anyone on the uTest platform, I could have written an automation script to change the password for all the users, using the ids fetched from the profile picture HTML tag of every user. In short, I could have blocked all users on the uTest platform and stopped the uTest services for a long time by scheduling a script to keep changing their passwords every 30 minutes. But I did not do that, because I love helping global businesses protect their users' data and also bringing security awareness to business people.
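The steps and the risks above describe the same root cause: the change-password endpoint took the account id from the request body instead of from the authenticated session. As an added example (my own code, not uTest's, whose implementation the post does not show), here is a minimal Python model of that endpoint in its vulnerable form next to a hardened one. The hardened handler ignores any id or email in the body, uses the session's user as the subject, and requires the current password before changing anything. The in-memory user store, ids, emails and passwords are all constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store standing in for the platform database.
# Ids, emails and passwords are made up for the example.
USERS = {}


def _hash(password, salt):
    """Salted PBKDF2-SHA256; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(user_id, email, password, role):
    salt = os.urandom(16)
    USERS[user_id] = {"email": email, "role": role,
                      "salt": salt, "hash": _hash(password, salt)}


def verify_password(user_id, password):
    u = USERS[user_id]
    return hmac.compare_digest(u["hash"], _hash(password, u["salt"]))


def reset_store():
    """Two constructed accounts: an ordinary tester and an admin."""
    USERS.clear()
    add_user(1001, "tester@example.test", "tester-pw", "tester")
    add_user(2002, "admin@example.test", "admin-pw", "admin")


# --- Vulnerable handler: the pattern found in the steps above ---------------
def change_password_vulnerable(session_user_id, body):
    """Whatever id the client puts in the PUT body is the account that gets
    its password (and email) changed. session_user_id is never consulted."""
    target = body["id"]
    u = USERS[target]
    u["email"] = body.get("email", u["email"])
    u["salt"] = os.urandom(16)
    u["hash"] = _hash(body["new_password"], u["salt"])
    return {"status": 200, "changed": target}


# --- Hardened handler --------------------------------------------------------
def change_password_fixed(session_user_id, body):
    """Authorization is decided server-side from the session, not the body."""
    # 1. The subject is the logged-in user. Any id/email in the body is ignored,
    #    so editing the request (as in step #6 above) changes nothing.
    target = session_user_id
    # 2. Re-authenticate: changing a password must prove possession of the
    #    current one, which also blocks a hijacked session from locking the
    #    real owner out.
    if not verify_password(target, body.get("current_password", "")):
        return {"status": 403, "changed": None}
    u = USERS[target]
    u["salt"] = os.urandom(16)
    u["hash"] = _hash(body["new_password"], u["salt"])
    return {"status": 200, "changed": target}


if __name__ == "__main__":
    reset_store()
    # Tester 1001 replays the PUT with the admin's id in the body.
    tampered = {"id": 2002, "email": "admin@example.test",
                "current_password": "tester-pw", "new_password": "attacker-chosen"}
    print("vulnerable:", change_password_vulnerable(1001, tampered),
          "admin pw now attacker's?", verify_password(2002, "attacker-chosen"))
    reset_store()
    print("fixed:     ", change_password_fixed(1001, tampered),
          "admin pw unchanged?", verify_password(2002, "admin-pw"))
```

The first print shows the tampered request succeeding against account 2002; the second shows the same request only ever touching account 1001. Note that the hardened version does not depend on hiding user ids: an id in a profile-picture tag is harmless once the server stops trusting ids supplied by the client for a decision it can make from the session. In a real deployment the handler would also invalidate the user's other sessions and send a "your password was changed" notification to the account's email, which is what turns a quiet takeover attempt into something the victim and the security team notice.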

I am the #CleanWebMovement

Email transcript (The email that I sent to Applause team)

Santhosh said,

Hey Peter & Bryan,

Yes brother, it's been a long time. I may fly to New York sometime in May to speak at a security conference (maybe we can catch up for a beer and testing talks).

===============

Here are the quick details, I need to run to have some beer! 😉

I have attached a video (GIF format). If your engineering team needs more information even after looking into the video attachment, then let me know 🙂 I will be here to help you with more details.

@Peter, please change your password now. I used your ID to analyze the risk and I did not want to use some user's ID because that may cause problems for your users. It's a critical vulnerability; I could log in to your profile and from there I would be able to perform all the admin actions. It's in the video, you can see it.

I insist that this needs to be taken as high priority for the fix. You never know, black-hats may always be looking for such things!

Thanks for the e-mail, it was great to hear from you after a long time 🙂

Take care!

— Santhosh Tuppad
Testing is Exploratory!

Peter replied,

Thanks for sending this over. Definitely let me know the days you are planning to speak and I’ll do my best to make it! I met your colleagues last year and it would be great to finally meet you.

@Bryan – feel free to get in contact with Santhosh directly. He’s an awesome tester.

I also re-tested the vulnerability and found that it was fixed. It was great working with the Applause / uTest team, where I could help them fix this security vulnerability.