Conducting a Basic Test Manually Against Hackazon
Performing a manual vulnerability assessment requires a browser and a proxy tool. ZAP Proxy is one such tool and is commonly used in security testing. A JRE is required to install and set up both Burp Suite and ZAP Proxy. ZAP Proxy and the JRE can be downloaded from the following links:
- ZAP Proxy: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- JRE: http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html
ZAP Proxy requires minimal configuration to set up. The Sites tab shows the tree map of the application. Enable “Set Break” as shown to intercept an HTTP request or response when it needs to be modified after it leaves the browser.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.40.46 PM.png)
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.41.39 PM.png)
In addition, the port the proxy listens on can be set by entering a port number under “Options” >> “Local Proxy”.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.42.09 PM.png)
Furthermore, the browser must be configured to use the web proxy. In Mozilla Firefox this is done in the “Options” >> “Advanced” >> “Network” >> “Settings” configuration window. To test the proxy, open http://localhost in the browser.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.43.03 PM.png)
All traffic from the web browser now routes through the proxy tool. Requests and responses can be intercepted and modified in the proxy. Thus, using only the proxy tool and a browser, manual tests can be performed against Hackazon.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.43.32 PM.png)
How to find vulnerabilities in the Hackazon application
Cross Site Scripting
URL: http://192.168.1.108/search?id=&searchString=NBA
Parameter name: searchString
Attack value: <script>alert(1)</script>
The following screenshot displays the search functionality of the application. For example, we searched for the “NBA” keyword and the application returned search results based on the user input.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.47.17 PM.png)
Enter a malicious script in the “Search” field.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.48.16 PM.png)
The injected JavaScript is executed in the browser.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.48.56 PM.png)
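The finding above is a reflected XSS: the `searchString` value is copied into the response page without HTML encoding. The following added example (not code from the page or from Hackazon; the page template is a constructed stand-in) shows the vulnerable rendering pattern next to its hardened form, plus the check a tester applies to a captured response body to confirm whether the payload came back unencoded.

```python
import html

# Constructed sample input: the search term used in the page's example.
SAMPLE_QUERY = "NBA"
# The attack value from the XSS finding above.
XSS_PAYLOAD = "<script>alert(1)</script>"


def render_search_vulnerable(search_string: str) -> str:
    """Reflects the search term into HTML as-is (the behaviour shown in the screenshots).

    Any markup in search_string becomes part of the page and is parsed by the browser.
    """
    return f"<h2>Search results for: {search_string}</h2>"


def render_search_hardened(search_string: str) -> str:
    """Same page, but the term is HTML-entity encoded before it lands in an HTML text node.

    html.escape turns < > & " ' into entities, so the browser renders the payload as text.
    """
    return f"<h2>Search results for: {html.escape(search_string, quote=True)}</h2>"


def reflects_raw_markup(response_body: str, payload: str) -> bool:
    """Check for a captured response: is the payload echoed back byte-for-byte, unencoded?

    A true result means the parameter is reflected without output encoding and the
    finding should be reported; an encoded echo (&lt;script&gt;...) is the expected safe case.
    """
    return payload in response_body


if __name__ == "__main__":
    print(render_search_vulnerable(XSS_PAYLOAD))
    print(render_search_hardened(XSS_PAYLOAD))
```

The hardened form encodes for the HTML text context only; a value placed inside an attribute, a URL or a script block needs the encoding for that context instead.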
OS Command Injection
URL: http://192.168.1.108/account/documents?page=delivery.html
Parameter name: page
Attack value: test|/bin/cat /etc/passwd
The following demonstrates the read document functionality of the application.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.50.06 PM.png)
We have injected a system command to read the /etc/passwd system file.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.50.35 PM.png)
The application executed the injected system command and displayed the system file to the end user.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.51.14 PM.png)
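The `page` parameter above is evidently passed to a shell, so the `|` in the attack value starts a second command. The following added example (not Hackazon's code; the document store, allowlist and helper names are constructed for illustration) contrasts building a shell command from the parameter with a hardened reader that never invokes a shell, accepts only allowlisted document names, and confines the resolved path to the document directory. The vulnerable function only builds the command string and does not execute it.

```python
import os
import re
import tempfile

# Constructed sample document store standing in for the application's documents directory.
DOC_DIR = tempfile.mkdtemp(prefix="hackazon_docs_")
ALLOWED_PAGES = {"delivery.html", "returns.html"}  # assumed allowlist of readable documents
for _name in ALLOWED_PAGES:
    with open(os.path.join(DOC_DIR, _name), "w", encoding="utf-8") as _fh:
        _fh.write(f"<p>Sample content of {_name}</p>")

# The attack value from the OS command injection finding above.
CMDI_PAYLOAD = "test|/bin/cat /etc/passwd"

# Strict shape for a document name: letters, digits, '_' or '-', then '.html'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.html$")


def build_command_vulnerable(page: str) -> str:
    """Builds the shell command a vulnerable handler would run (string only, never executed here).

    The pipe and everything after it survive intact, which is why the shell runs them.
    """
    return f"cat {DOC_DIR}/{page}"


def is_allowed_document(page: str) -> bool:
    """Allowlist check: the name must match SAFE_NAME and be one of the known documents."""
    return bool(SAFE_NAME.fullmatch(page)) and page in ALLOWED_PAGES


def read_document_hardened(page: str) -> str:
    """Reads a document with plain file I/O (no shell), after the allowlist and a path check."""
    if not is_allowed_document(page):
        raise ValueError(f"rejected document name: {page!r}")
    base = os.path.realpath(DOC_DIR)
    path = os.path.realpath(os.path.join(base, page))
    if os.path.dirname(path) != base:  # defence in depth against traversal
        raise ValueError("path escapes document directory")
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def shell_metacharacters_present(value: str) -> bool:
    """Detection helper for log review or a WAF rule: flags shell operators in a parameter value."""
    return any(ch in value for ch in "|;&`$\n")


if __name__ == "__main__":
    print(build_command_vulnerable(CMDI_PAYLOAD))
    print(read_document_hardened("delivery.html"))
    print(shell_metacharacters_present(CMDI_PAYLOAD))
```

The allowlist is the real control; the metacharacter check is only useful for spotting attempts in access logs, since encoding tricks can slip past a denylist.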
Unvalidated Redirect
URL: http://192.168.1.108/user/login?return_url=%2Faccount%2Fhelp_articles
Parameter name: return_url
Attack value: http://www.google.com
The Hackazon application has functionality to redirect to an internal application page after a login. In this case the application redirects to the help_articles page after a successful login.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.55.00 PM.png)
Replace the “return_url” parameter value “/account/help_articles” with “http://www.google.com” and log in to the application.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.55.30 PM.png)
The application redirects the user to the supplied URL without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
![](/api/docs/file/product-documentation__master/appspider/images/Screen Shot 2018-06-04 at 3.55.59 PM.png)
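The fix for the finding above is to validate `return_url` before redirecting. The following added example (not Hackazon's code; the default landing page is an assumption) accepts only a local path beginning with a single `/`, rejects anything with a scheme or host (including the protocol-relative `//host` form and backslashes, which browsers treat as slashes), and falls back to a fixed page otherwise. It also shows the parameter being read from the percent-encoded query string seen in the page's URL.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Assumed fallback landing page used when return_url is missing or rejected.
DEFAULT_AFTER_LOGIN = "/account"


def safe_return_url(return_url: Optional[str], default: str = DEFAULT_AFTER_LOGIN) -> str:
    """Returns return_url only if it is a same-site relative path; otherwise the default."""
    if not return_url:
        return default
    parts = urlsplit(return_url)
    # Any scheme or host means an absolute or protocol-relative URL: reject it.
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    # Must be an absolute path on this site, not '//host', and free of characters
    # that browsers or header parsers might reinterpret.
    if (not path.startswith("/") or path.startswith("//")
            or any(ch in path for ch in "\\\r\n")):
        return default
    # Rebuild without scheme/host so the result can only ever be local.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def redirect_after_login(query_string: str) -> str:
    """Picks the post-login redirect target from a raw query string such as
    'return_url=%2Faccount%2Fhelp_articles' (parse_qs decodes the percent-encoding)."""
    params = parse_qs(query_string)
    return safe_return_url(params.get("return_url", [None])[0])


if __name__ == "__main__":
    # Constructed inputs: the legitimate value from the page and the attack value.
    print(redirect_after_login("return_url=%2Faccount%2Fhelp_articles"))
    print(redirect_after_login("return_url=http%3A%2F%2Fwww.google.com"))
```

If the application legitimately needs to redirect to other hosts, compare the parsed host against an explicit allowlist rather than trying to spot malicious ones.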