Conducting a Basic Test Manually Against Hackazon

Performing a manual vulnerability assessment requires a browser and an intercepting proxy tool. ZAP proxy is one such tool commonly used in security testing; Burp Suite is another. A JRE is required to install and run both tools. Burp Suite, ZAP Proxy and the JRE can be downloaded from the following links:

ZAP proxy requires minimal configuration. The Sites tab shows the tree map of the application. Enable “Set Break” as shown to intercept an HTTP request or response so that it can be modified after it leaves the browser.

In addition, the listening port can be bound by setting the port number under “Options” >> “Local Proxy”.

Furthermore, the browser must be configured to use the web proxy. In Mozilla Firefox this is done in the “Options” >> “Advanced” >> “Network” >> “Settings” configuration window. To test the proxy, open http://localhost in the browser.

All traffic from the web browser will now route through the proxy tool (ZAP or Burp). Requests and responses can be intercepted and modified in the proxy. Thus, with a proxy tool and a browser, manual tests can be performed against Hackazon.

How to find vulnerabilities from Hackazon application

Cross Site Scripting

URL: http://192.168.1.108/search?id=&searchString=NBA
Parameter name: searchString
Attack value: <script>alert(1)</script>

The following screenshot shows the search functionality of the application. For example, we searched for the keyword “NBA” and the application returned results based on that user input.

Enter a malicious script in the “Search” field.

The JavaScript injected into the page is reflected back by the server and executed in the browser.
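The finding above comes down to the search term being written into the response unescaped. The following is an added example (not Hackazon's code, which is PHP) that contrasts that pattern with the HTML-escaped form, and includes a small check a tester or defender can run over a captured response to confirm whether a supplied `<script>` tag survived as live markup. The function and payload names are assumptions for illustration; the `searchString` parameter name is the one from the page.

```python
import html
from html.parser import HTMLParser

# The reflected payload from the finding above (constructed test input).
PAYLOAD = "<script>alert(1)</script>"


def render_search_vulnerable(search_string: str) -> str:
    """Reflects the raw searchString value into the page: the pattern behind the finding."""
    return f"<h2>Results for: {search_string}</h2>"


def render_search_safe(search_string: str) -> str:
    """Same page, but the parameter is HTML-escaped before it is written into the markup."""
    return f"<h2>Results for: {html.escape(search_string, quote=True)}</h2>"


class _ScriptTagCounter(HTMLParser):
    """Counts real <script> start tags; escaped text such as &lt;script&gt; is not a tag."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.script_tags += 1


def contains_script_tag(page_html: str) -> bool:
    """True if the response body contains a <script> element the browser would execute."""
    counter = _ScriptTagCounter()
    counter.feed(page_html)
    counter.close()
    return counter.script_tags > 0


def is_reflected_as_markup(render, value: str) -> bool:
    """Run a render function with the payload and report whether it came back as live markup."""
    return contains_script_tag(render(value))


if __name__ == "__main__":
    print("vulnerable:", is_reflected_as_markup(render_search_vulnerable, PAYLOAD))
    print("safe:      ", is_reflected_as_markup(render_search_safe, PAYLOAD))
```

`contains_script_tag` is deliberately parser-based rather than a substring search, so it does not flag an escaped reflection (`&lt;script&gt;`) as a finding. Output encoding in the template is the fix; filtering the input on the way in is not a substitute.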

OS Command Injection

URL: http://192.168.1.108/account/documents?page=delivery.html
Parameter name: page
Attack value: test|/bin/cat /etc/passwd

The following shows the read-document functionality of the application.

We have injected a system command to read the /etc/passwd system file.

The application has executed the system command and shown the system file to the end user.
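The behaviour above is what happens when the `page` parameter is concatenated into a shell command line: the `|` in `test|/bin/cat /etc/passwd` ends the intended command and starts a pipeline. The following added example (not Hackazon's own code) shows the command line that such concatenation produces, without executing it, next to a hardened reader that never touches a shell: it allowlists the document name with a strict pattern, confines the lookup to one directory, and reads the file directly. It also includes a simple detector for shell metacharacters in the parameter that a log reviewer could apply. The document directory is a constructed temporary directory with one sample file; function names are assumptions for illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample document store (not Hackazon's real files).
DOC_DIR = Path(tempfile.mkdtemp(prefix="docs_")).resolve()
(DOC_DIR / "delivery.html").write_text("<h1>Delivery</h1>")


def build_shell_command_vulnerable(page: str) -> str:
    """Shows the command line that string concatenation would hand to a shell.

    Returned for inspection only; it is never executed here. With the attack
    value from the page, the '|' turns one command into a pipeline.
    """
    return f"cat documents/{page}"


# Only a bare file name with a .html suffix is acceptable: no slashes, no metacharacters.
PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.html$")


def read_document_safe(page: str) -> Optional[str]:
    """Reads a document by name with no shell involved and no path traversal possible."""
    if not PAGE_NAME.fullmatch(page):
        return None
    path = (DOC_DIR / page).resolve()
    if path.parent != DOC_DIR:          # defence in depth: stay inside the document directory
        return None
    try:
        return path.read_text()
    except FileNotFoundError:
        return None


# Characters that have no place in a document name and signal shell syntax in a request log.
SHELL_META = re.compile(r"[|;&`$<>\n]|\$\(")


def looks_like_shell_injection(param_value: str) -> bool:
    """Detection heuristic for the page parameter as seen in access logs or WAF events."""
    return SHELL_META.search(param_value) is not None


if __name__ == "__main__":
    attack = "test|/bin/cat /etc/passwd"
    print("unsafe command line would be:", build_shell_command_vulnerable(attack))
    print("safe reader on attack value:", read_document_safe(attack))
    print("safe reader on delivery.html:", read_document_safe("delivery.html"))
    print("flagged in log:", looks_like_shell_injection(attack))
```

The fix is not escaping the metacharacters; it is removing the shell from the code path entirely and accepting only names that match what the feature legitimately serves.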

Unvalidated Redirect

URL: http://192.168.1.108/user/login?return_url=%2Faccount%2Fhelp_articles
Parameter name: return_url
Attack value: http://www.google.com

Hackazon has functionality to redirect to an internal application page after login. The application redirects to the help_articles page after a successful login.

Replace the “return_url” parameter value “/account/help_articles” with “http://www.google.com” and log in to the application.

The application redirects the user to the supplied URL without validating it. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
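The post-login redirect above needs only one check: the `return_url` value must be a path on the application itself, never an absolute or protocol-relative URL. The following added example (not Hackazon's own code) implements that check and a redirect resolver that falls back to a fixed landing page when the value is rejected. It also covers the two bypasses a validator most often misses, `//host` and backslash variants that some browsers normalise into `//`. The parameter name comes from the page; the function names and the default landing path are assumptions.

```python
from urllib.parse import unquote, urlsplit

# Where the user lands when return_url is missing or rejected (assumed value).
DEFAULT_LANDING = "/account"


def is_safe_return_url(value: str) -> bool:
    """Accepts only a same-site path such as /account/help_articles."""
    if not value or not value.startswith("/"):
        return False                      # rejects http://..., javascript:, relative names
    if value.startswith("//"):
        return False                      # protocol-relative URL: browser goes to another host
    if "\\" in value or "\r" in value or "\n" in value:
        return False                      # backslash and CRLF variants that confuse parsers
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False                      # defence in depth: nothing host-like survived
    return True


def login_redirect_target(return_url, default: str = DEFAULT_LANDING) -> str:
    """Decides where to send the user after a successful login."""
    if return_url is None:
        return default
    return return_url if is_safe_return_url(return_url) else default


if __name__ == "__main__":
    # The legitimate value as it appears (URL-encoded) in the login URL on the page.
    legitimate = unquote("%2Faccount%2Fhelp_articles")
    print("legitimate ->", login_redirect_target(legitimate))
    print("attack     ->", login_redirect_target("http://www.google.com"))
    print("bypass     ->", login_redirect_target("//www.google.com"))
```

If the application genuinely needs to redirect to other hosts, compare the parsed host against an explicit allowlist; never rely on a prefix match against the site's own domain, since `http://192.168.1.108.evil.example` would pass it.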
