Penetration Test

A safe place for newbies. You won't get flamed here, as long as you've put in some effort before posting (i.e: Google)...
marcl
n00b
Posts: 2
Joined: Wed Jul 30, 2014 9:53 am

Penetration Test

Post by marcl » Fri Aug 01, 2014 6:01 am

Hi guys

Yip I'm a noob. I've been reading up as much as I can about website security, but I've come to the conclusion that to truly know if a website is secure then you really need to be speaking to people that know how to break website security.

I have a website that I have been trying to penetration test so that I can demonstrate to the website owners why they need to redesign it. There are a number of things that the website does that seem to me to be serious breaches of security but I only have a vague idea and very little skills on how to demonstrate it to my (potential) clients.

1. The login form is on http. Is there a way to hack a form like this outright or is the only real way to sniff a network for when someone tries to login?

2. When user requests a password reset it sends the user an email directly with the password in plain text.

I've run a few vulnerability scanners to see if I can do an SQL injection, and although it picked up two serious vulnerabilities I wasn't able to get to the MySQL database through them (probably not doing it right).

The website in question is www.modelbase.co.za and my profile on it is marclucado@gmail.com pass: joe.

(please don't post or communicate using the profile!)

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Penetration Test

Post by Cool_Fire » Wed Aug 06, 2014 1:15 am

1. The main thing with http logins is indeed all sorts of wiretapping problems. Be it a MITM, sniffing unprotected wifi, public access points, rogue access points, malicious proxies. There's all sorts of stuff that can go wrong.

2. This really is a pretty hard problem to solve in most cases. If you're going to send someone a password over email at least you should ensure it won't be valid very long. Something like generating a password for a new user that needs to be changed at the first login.

3. (I know there was no point 3, but never mind that.) Try something like SQLmap to see if the SQLi is easily exploitable. I'm all for learning how to do it manually but in this case it's about demonstrating to your target that it's a viable attack.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.

marcl
n00b
Posts: 2
Joined: Wed Jul 30, 2014 9:53 am

Re: Penetration Test

Post by marcl » Fri Aug 08, 2014 9:45 am

Cool_Fire wrote: 1. The main thing with http logins is indeed all sorts of wiretapping problems. Be it a MITM, sniffing unprotected wifi, public access points, rogue access points, malicious proxies. There's all sorts of stuff that can go wrong.

2. This really is a pretty hard problem to solve in most cases. If you're going to send someone a password over email at least you should ensure it won't be valid very long. Something like generating a password for a new user that needs to be changed at the first login.

3. (I know there was no point 3, but never mind that.) Try something like SQLmap to see if the SQLi is easily exploitable. I'm all for learning how to do it manually but in this case it's about demonstrating to your target that it's a viable attack.

Thanks for the pointers. I'm really a beginner so trying to learn Python just to be able to use SQLmap seemed a bit much (but it's on my to-do list). So I looked around for more user friendly options. Found webcruiser and although it doesn't seem to work very well with sql injection (or maybe I'm doing it wrong!), it works great with scanning the site and finding vulnerabilities.

Two things happened. First I used the "POST data resend" function on webcruiser to start with, and for some reason the password on my test account got messed up (again, idiot at the keyboard), so I requested a reset of my password which duly arrived in my inbox - only the password field was...empty. It took me a moment to realize that the password field wasn't empty but contained "#####". Using this knowledge and suspecting I had broken something somewhere I tried a few other accounts that I do not have the passwords to but had found emails for and voila, using "#####" as the password I was able to enter every account.

What I don't know is whether that fatal flaw was always there or did I accidentally do this with webcruiser?

Since this method of entry meant that the user's password was changed to "#####" in the process instead of me actually getting the original password, I watched a few tutorials on webcruiser and found that all of them used webcruiser to find vulnerabilities and Havij to exploit them. So I found a copy of Havij and started testing a vulnerability or two. It seemed effective, but was so amazingly slow (or is that me again?) that eventually the server on the other end seemed to shut down completely. Not sure exactly what happened, but it can't have been good...

Any more tips? Otherwise I could probably take what I've learned already and approach the owners.

PS ##### represents something else, I obviously don't want to leave this site open to abuse by every tom dick and sally that might happen past this forum. If you would like to discuss this more please feel free to message me directly - I would really appreciate the input.

UPDATE: Just before I published this I checked the site and it's back up again with my old password intact. Looks like they ran a backup after my messing up the database.
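As an added example (not code from the thread or from the site discussed), here is a password-reset handler in the shape marcl describes, where every reset writes the same fixed value, beside a hardened version in the direction Cool_Fire suggests in point 2: a random temporary password that is stored only as a salted hash, expires, and works exactly once before forcing a change. The in-memory `users` dict, the `#####` placeholder and the sample addresses are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
RESET_TTL_SECONDS = 15 * 60  # temporary password expires after 15 minutes

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def reset_password_broken(users, email):
    """Vulnerable shape from the thread: every reset overwrites the account
    with the same constant, so one reset mail unlocks every reset account."""
    users[email]["password"] = "#####"  # stands in for the fixed value the poster saw
    return users[email]["password"]     # mailed in plain text, never expires

def reset_password_hardened(users, email, now=None):
    """Issue a random temporary password: stored only as a salted hash,
    valid for RESET_TTL_SECONDS, usable once, and forcing a change."""
    now = time.time() if now is None else now
    temp = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    users[email].update(salt=salt, password_hash=_hash(temp, salt),
                        reset_expires=now + RESET_TTL_SECONDS, must_change=True)
    return temp  # still mailed, but short-lived and unique per reset

def login_hardened(users, email, password, now=None):
    """Returns 'ok', 'change-password' (temporary credential consumed) or 'denied'."""
    now = time.time() if now is None else now
    u = users.get(email)
    if u is None or "password_hash" not in u:
        return "denied"
    if u.get("must_change") and now > u["reset_expires"]:
        return "denied"  # temporary password expired
    if not hmac.compare_digest(_hash(password, u["salt"]), u["password_hash"]):
        return "denied"
    if u.get("must_change"):
        del u["password_hash"]  # one-shot: nothing works until a new password is set
        return "change-password"
    return "ok"

def set_new_password(users, email, password):
    """Completes the forced change after a 'change-password' login."""
    salt = os.urandom(16)
    users[email].update(salt=salt, password_hash=_hash(password, salt),
                        must_change=False, reset_expires=0)

def make_users():
    return {"alice@example.com": {}, "bob@example.com": {}}  # constructed sample accounts
```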

Cool_Fire
Not a sandwich
Posts: 1912
Joined: Fri May 09, 2003 1:20 pm
Location: 41 6d 73 74 65 72 64 61 6d

Re: Penetration Test

Post by Cool_Fire » Sat Aug 16, 2014 4:46 am

I don't know webcruiser other than by having heard it exists, but it sounds like it's not very careful about its queries and can be quite destructive to the database backend, and this is never what you want. SQLmap may seem daunting if you're not familiar with tools like that but it really isn't very hard to get it to do something reasonable. (And it tries its very best to not do any destructive queries with normal settings.)

Beyond that, since your interest (from what I read here) seems to be mostly web stuff, it'd make sense to start learning about the HTTP protocol, some HTML and CSS, maybe some JavaScript. Then also the backend languages that are common for web stuff. PHP would be a good place to start there. Knowledge about databases will definitely be useful too and MySQL is by far the most common one you'll find for web stuff there, but even just some general knowledge about how SQL queries work will be helpful.
Beyond all that it's very useful to know some amount of programming so you can write some scripts for specific things you run into, and Python would be a decent option there.

You'll notice that all of these things aren't related to specific tools, methods or vulnerabilities. This is because it's far more important to understand the fundamentals of the system. I really cannot overstate how important this is. It is effectively 99.9% of what hacking is about. You need to know the system better than the person that built it so you can find what the people that made it missed. Once you have that you'll automatically start writing little scripts to make it easier for yourself and then you may find a good tool exists for what you're doing.

The key difference between this and just learning to use the tool right away is that you'll understand what the tool is doing. You'll know what you need to tell the tool to do in order to make it work. It's the difference between blindly poking at something by means of a tool and actually doing a sophisticated strike and just having the tool make it a little easier and faster for you.
If we're breaking the rules, then how come you can't catch us? You can't find us? I know why. Cause, it's ... MAGIC!
Hackerthreads chat, where the party is going 24/7.
