WEBVTT 00:00:00.000 --> 00:00:07.160 align:middle line:90% 00:00:07.160 --> 00:00:10.010 align:middle line:84% Welcome back to Security Misconfiguration session. 00:00:10.010 --> 00:00:11.810 align:middle line:84% In this second part, we will review 00:00:11.810 --> 00:00:14.030 align:middle line:84% some security misconfigurations we have already 00:00:14.030 --> 00:00:16.890 align:middle line:84% found in previous hands-on exploitations. 00:00:16.890 --> 00:00:19.190 align:middle line:84% We will jump straight to our intentionally vulnerable 00:00:19.190 --> 00:00:22.340 align:middle line:84% application and then move to the mitigation part. 00:00:22.340 --> 00:00:25.170 align:middle line:84% In our first session, we exploited the SQL injection 00:00:25.170 --> 00:00:27.800 align:middle line:90% vulnerability in the login form. 00:00:27.800 --> 00:00:31.010 align:middle line:84% At that time, we also found the security misconfiguration, 00:00:31.010 --> 00:00:33.230 align:middle line:84% but we didn't give it too much attention. 00:00:33.230 --> 00:00:34.220 align:middle line:90% Let's do it now. 00:00:34.220 --> 00:01:01.920 align:middle line:90% 00:01:01.920 --> 00:01:04.800 align:middle line:84% As in our first session, submitting our payload 00:01:04.800 --> 00:01:07.050 align:middle line:84% returned an internal server error response. 00:01:07.050 --> 00:01:08.460 align:middle line:90% Let's check the response body. 00:01:08.460 --> 00:01:12.700 align:middle line:90% 00:01:12.700 --> 00:01:16.150 align:middle line:84% We got the JSON object, which we will copy to our text editor 00:01:16.150 --> 00:01:17.710 align:middle line:90% so that we can read it easily. 00:01:17.710 --> 00:01:28.600 align:middle line:90% 00:01:28.600 --> 00:01:31.570 align:middle line:84% The return JSON has a single top level property 00:01:31.570 --> 00:01:34.510 align:middle line:84% called error, which includes several other properties 00:01:34.510 --> 00:01:36.460 align:middle line:84% and values that we will carefully 00:01:36.460 --> 00:01:39.185 align:middle line:84% analyze to compile information about our target system. 00:01:39.185 --> 00:01:44.330 align:middle line:90% 00:01:44.330 --> 00:01:46.130 align:middle line:84% Starting with the message property, 00:01:46.130 --> 00:01:47.870 align:middle line:84% we see that the error was triggered 00:01:47.870 --> 00:01:51.440 align:middle line:84% by the database engine, which we now know that is a SQLite. 00:01:51.440 --> 00:01:55.740 align:middle line:90% 00:01:55.740 --> 00:01:57.480 align:middle line:84% Let's keep track of system knowledge 00:01:57.480 --> 00:01:58.860 align:middle line:90% we get from this error message. 00:01:58.860 --> 00:02:19.930 align:middle line:90% 00:02:19.930 --> 00:02:23.290 align:middle line:84% The syntax error happens near this string, which is not 00:02:23.290 --> 00:02:25.030 align:middle line:90% something we have submitted. 00:02:25.030 --> 00:02:27.550 align:middle line:90% In fact, it looks like a hash. 00:02:27.550 --> 00:02:31.060 align:middle line:84% We will find several hash algorithm detectors online. 00:02:31.060 --> 00:02:32.190 align:middle line:90% Let's try one of them. 00:02:32.190 --> 00:02:54.510 align:middle line:90% 00:02:54.510 --> 00:02:56.760 align:middle line:84% So we now know that passwords are 00:02:56.760 --> 00:02:59.220 align:middle line:90% hashed using the MD5 algorithm. 00:02:59.220 --> 00:03:13.290 align:middle line:90% 00:03:13.290 --> 00:03:15.850 align:middle line:90% Next, we have stack trace. 00:03:15.850 --> 00:03:18.420 align:middle line:84% Stack traces give us a few execution steps 00:03:18.420 --> 00:03:20.850 align:middle line:84% immediately before an exception has occurred. 00:03:20.850 --> 00:03:36.760 align:middle line:90% 00:03:36.760 --> 00:03:40.120 align:middle line:84% In this case, based on the called script path, 00:03:40.120 --> 00:03:42.460 align:middle line:84% we know the application location in the file system. 00:03:42.460 --> 00:04:07.190 align:middle line:90% 00:04:07.190 --> 00:04:10.160 align:middle line:84% We also know the application is written in Node.JS 00:04:10.160 --> 00:04:13.130 align:middle line:84% based on the node_modules folder in the path. 00:04:13.130 --> 00:04:25.460 align:middle line:90% 00:04:25.460 --> 00:04:28.160 align:middle line:84% In the same way we know that implementation uses 00:04:28.160 --> 00:04:29.585 align:middle line:90% the npm sequelized package. 00:04:29.585 --> 00:04:51.820 align:middle line:90% 00:04:51.820 --> 00:04:53.470 align:middle line:84% Continuing through the JSON error 00:04:53.470 --> 00:04:56.410 align:middle line:84% object, we can even find the exact SQL queries sent 00:04:56.410 --> 00:04:59.420 align:middle line:84% to the database, and now, we also 00:04:59.420 --> 00:05:01.640 align:middle line:84% know that there's a users table which 00:05:01.640 --> 00:05:03.800 align:middle line:90% has at least three fields-- 00:05:03.800 --> 00:05:05.930 align:middle line:90% email, password, and deletedAt. 00:05:05.930 --> 00:05:30.250 align:middle line:90% 00:05:30.250 --> 00:05:32.140 align:middle line:84% There are other implementation details 00:05:32.140 --> 00:05:34.690 align:middle line:84% we may assume based on the error message. 00:05:34.690 --> 00:05:38.140 align:middle line:84% For instance, because of the deleteAt table field, 00:05:38.140 --> 00:05:41.350 align:middle line:84% user accounts shall not be really deleted, but instead 00:05:41.350 --> 00:05:43.540 align:middle line:84% soft deleted or flagged as deleted. 00:05:43.540 --> 00:05:46.240 align:middle line:90% 00:05:46.240 --> 00:05:49.510 align:middle line:84% In our XML external entities session, 00:05:49.510 --> 00:05:52.210 align:middle line:84% XXE exploitation was only possible due 00:05:52.210 --> 00:05:54.400 align:middle line:90% to a security misconfiguration. 00:05:54.400 --> 00:05:55.330 align:middle line:90% Let's check it. 00:05:55.330 --> 00:06:15.270 align:middle line:90% 00:06:15.270 --> 00:06:17.700 align:middle line:84% While authenticated as a regular user, 00:06:17.700 --> 00:06:19.770 align:middle line:84% we have access to the Complain feature, 00:06:19.770 --> 00:06:22.080 align:middle line:90% which allows invoice uploads. 00:06:22.080 --> 00:06:25.320 align:middle line:84% We used it before to upload our malicious XML file. 00:06:25.320 --> 00:07:17.940 align:middle line:90% 00:07:17.940 --> 00:07:20.820 align:middle line:84% This business-to-business feature has been deprecated, 00:07:20.820 --> 00:07:24.870 align:middle line:84% but the upload and the XML processing is still possible. 00:07:24.870 --> 00:07:27.840 align:middle line:84% Next, we will discuss what makes the application vulnerable 00:07:27.840 --> 00:07:30.350 align:middle line:90% and how to prevent it. 00:07:30.350 --> 00:07:31.000 align:middle line:90%