Manual Web Application Testing
Posted Sep 3, 2019 11:01 AM
Recently a fellow member wanted to test their site's security; the original request can be seen at https://hackforums.net/showthread.php?tid=5995820 . I am not awesome at web applications, and with my current grueling work schedule it's difficult to find time. I also specialize more in network pentesting, but I thought I would give it a shot. I told myself that if I found anything I would immediately stop and contact the site owner.

Tools are there to make your day easier. I use manual auditing: I do not walk in and shoot a ton of scripts or tools at a target; I always figure that actually touching the target is the very last thing. For notes I use CherryTree, for an intercepting proxy OWASP ZAP, for checking the SSL certificate sslscan, for bruteforcing URIs dirbuster or gobuster; Wappalyzer is on my browser as well as in ZAP; and finally one of my most important tools: Google. Another thing I want to touch upon: during anything where confidential information could possibly land in the wrong hands, use a VPN to safeguard your communications as well as your information.

The first part of any engagement is reconnaissance: we want to know as much as we can about a target before engaging. We want to know subdomains in order to perhaps better find the actual IP of the server in question, so the little things matter. Using conventional tools or resources in different ways can also make the difference between success and failure. Here I used dnsdumpster, dnsrecon, VirusTotal, and builtwith.
Target: cyberscan.org

DNS:

dnsrecon -d cyberscan.org
```
[*] Performing General Enumeration of Domain: cyberscan.org
[-] DNSSEC is not configured for cyberscan.org
[*] SOA aron.ns.cloudflare.com 173.245.58.69
[*] NS aron.ns.cloudflare.com 173.245.58.69
[*] NS tim.ns.cloudflare.com 173.245.59.145
[-] Could not Resolve MX Records for cyberscan.org
[*] A cyberscan.org 104.27.169.40
[*] A cyberscan.org 104.27.168.40
[*] TXT cyberscan.org ca3-e1027ac0012d4dbd8ac1b6373f69f9d8
[*] Enumerating SRV Records
[-] No SRV Records Found for cyberscan.org
[+] 0 Records Found
```

dnsdumpster:
```
DNS Servers
aron.ns.cloudflare.com.   173.245.58.69    AS13335 Cloudflare Inc   United States
tim.ns.cloudflare.com.    173.245.59.145   AS13335 Cloudflare Inc   United States

MX Records (where email for the domain goes): none

TXT Records (find more hosts in Sender Policy Framework (SPF) configurations):
"ca3-e1027ac0012d4dbd8ac1b6373f69f9d8"

Host Records (A) (this data may not be current; dnsdumpster uses a static database updated monthly):
cyberscan.org   HTTP: cloudflare   TCP8080: cloudflare
```
TLS:

sslscan cyberscan.org
```
Version: 1.11.13-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Connected to 104.27.168.40

Testing SSL server cyberscan.org on port 443 using SNI name cyberscan.org

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305 Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-SHA        Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-SHA256     Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-AES256-SHA        Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-AES256-SHA384     Curve P-256 DHE 256
Preferred TLSv1.1  128 bits  ECDHE-ECDSA-AES128-SHA        Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  ECDHE-ECDSA-AES256-SHA        Curve P-256 DHE 256
Preferred TLSv1.0  128 bits  ECDHE-ECDSA-AES128-SHA        Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  ECDHE-ECDSA-AES256-SHA        Curve P-256 DHE 256

  SSL Certificate:
Signature Algorithm: ecdsa-with-SHA256
Subject:  sni.cloudflaressl.com
Altnames: DNS:sni.cloudflaressl.com, DNS:cyberscan.org, DNS:*.cyberscan.org
Issuer:   CloudFlare Inc ECC CA-2

Not valid before: Aug  4 00:00:00 2019 GMT
Not valid after:  Aug  3 12:00:00 2020 GMT
```
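The cipher table above is worth reading rather than just pasting: the edge still accepts TLS 1.0 and TLS 1.1, and four of the suites are CBC-mode with HMAC rather than AEAD. The following is an added example (not code from the original post) that parses sslscan's "Supported Server Cipher(s)" lines and pulls out exactly those findings, so the same check can be applied to any scan. The input is a constructed copy of the lines shown above; the AEAD test relies on OpenSSL suite naming (GCM, CCM, CHACHA20-POLY1305), and the forward-secrecy test on the ECDHE-/DHE- prefix.

```python
import re

# Constructed copy of the "Supported Server Cipher(s)" lines from the sslscan run above.
SSLSCAN_OUTPUT = """\
Preferred TLSv1.2 256 bits ECDHE-ECDSA-CHACHA20-POLY1305 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA384 Curve P-256 DHE 256
Preferred TLSv1.1 128 bits ECDHE-ECDSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.1 256 bits ECDHE-ECDSA-AES256-SHA Curve P-256 DHE 256
Preferred TLSv1.0 128 bits ECDHE-ECDSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits ECDHE-ECDSA-AES256-SHA Curve P-256 DHE 256
"""

# One sslscan cipher line: status, protocol, key bits, OpenSSL suite name.
CIPHER_RE = re.compile(
    r"^(Preferred|Accepted)\s+(TLSv1\.[0-3]|SSLv[23])\s+(\d+) bits\s+(\S+)", re.M
)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_ciphers(text):
    """Return [(protocol, key_bits, suite)] for every accepted/preferred suite."""
    return [(proto, int(bits), suite) for _, proto, bits, suite in CIPHER_RE.findall(text)]


def is_aead(suite):
    """OpenSSL names: GCM, CCM and CHACHA20-POLY1305 suites are AEAD; the rest are CBC+HMAC."""
    return any(tag in suite for tag in ("GCM", "CCM", "CHACHA20-POLY1305"))


def audit(text):
    """Flag legacy protocol versions, non-AEAD suites and suites without forward secrecy."""
    findings = {"legacy_protocols": set(), "non_aead_suites": set(), "no_forward_secrecy": set()}
    for proto, _bits, suite in parse_ciphers(text):
        if proto in LEGACY_PROTOCOLS:
            findings["legacy_protocols"].add(proto)
        if not is_aead(suite):
            findings["non_aead_suites"].add(suite)
        if not suite.startswith(("ECDHE-", "DHE-")):
            findings["no_forward_secrecy"].add(suite)
    return findings


if __name__ == "__main__":
    for name, items in audit(SSLSCAN_OUTPUT).items():
        print(f"{name}: {sorted(items) or 'none'}")
```

On a Cloudflare-fronted site these results describe Cloudflare's edge, not the origin: the accepted protocol floor is the zone's "Minimum TLS Version" setting in the Cloudflare dashboard, and the origin's own TLS configuration is only visible when you connect to its real address directly.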
Serving IP Address (VirusTotal):
```
74.208.236.49
Apache/2.4.37 (Win64) PHP/7.2.14 Server at cyberscan.org Port 80
```
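The point of collecting A records, name servers and passive-DNS history together is to separate the CDN's edge addresses from anything that might be the real server. The 104.27.x.x addresses in DNS belong to Cloudflare, whereas the 74.208.236.49 entry VirusTotal has seen serving cyberscan.org does not, and it answers with an Apache/PHP banner for the vhost. The following is an added example (not part of the original post) that parses dnsrecon's output, merges it with a list of passive-DNS hits, and reports which addresses fall outside Cloudflare's published ranges. The range list is a snapshot assumed from https://www.cloudflare.com/ips-v4 and should be refreshed before use; the dnsrecon text is a constructed copy of the run above.

```python
import ipaddress
import re

# Constructed copy of the dnsrecon output shown above (no live DNS lookups are made).
DNSRECON_OUTPUT = """\
[*] Performing General Enumeration of Domain: cyberscan.org
[-] DNSSEC is not configured for cyberscan.org
[*] SOA aron.ns.cloudflare.com 173.245.58.69
[*] NS aron.ns.cloudflare.com 173.245.58.69
[*] NS tim.ns.cloudflare.com 173.245.59.145
[-] Could not Resolve MX Records for cyberscan.org
[*] A cyberscan.org 104.27.169.40
[*] A cyberscan.org 104.27.168.40
[*] TXT cyberscan.org ca3-e1027ac0012d4dbd8ac1b6373f69f9d8
"""

# Assumption: snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# dnsrecon record lines look like "[*] A cyberscan.org 104.27.169.40".
RECORD_RE = re.compile(r"^\[\*\]\s*(A|AAAA|NS|SOA|MX)\s+(\S+)\s+(\S+)", re.M)


def parse_records(text):
    """Return [(rtype, name, value)] from dnsrecon's general-enumeration output."""
    return RECORD_RE.findall(text)


def behind_cloudflare(ip):
    """True if the address lies in one of Cloudflare's anycast ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify(ips):
    """Split addresses into CDN edge addresses and possible origin hosts."""
    edge, origin = [], []
    for ip in ips:
        (edge if behind_cloudflare(ip) else origin).append(ip)
    return edge, origin


def candidate_origins(dns_text, passive_dns_ips):
    """A records from live DNS plus passive-DNS history (e.g. VirusTotal), minus CDN edges."""
    a_records = [value for rtype, _, value in parse_records(dns_text) if rtype == "A"]
    _, origin = classify(sorted(set(a_records) | set(passive_dns_ips)))
    return origin


if __name__ == "__main__":
    # 74.208.236.49 is the address VirusTotal reported serving cyberscan.org above.
    print("candidate origins:", candidate_origins(DNSRECON_OUTPUT, ["74.208.236.49"]))
```

A candidate is only confirmed when it answers for the hostname, for example `curl -s -H "Host: cyberscan.org" http://74.208.236.49/` for the port-80 banner above, or `curl -sk --resolve cyberscan.org:443:74.208.236.49 https://cyberscan.org/` for TLS. Once an origin address is confirmed, everything Cloudflare sits in front of (caching, bot filtering, rate limits, the edge TLS settings) can be reached around, which is why keeping the origin restricted to Cloudflare's ranges matters as much as putting the proxy in front.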
Whois:

whois cyberscan.org
```
Domain Name: CYBERSCAN.ORG
Registry Domain ID: D402200000011099524-LROR
Registrar WHOIS Server: whois.registrar.eu
Registrar URL: http://www.openprovider.com
Updated Date: 2019-08-04T20:01:25Z
Creation Date: 2019-08-04T19:55:54Z
Registry Expiry Date: 2020-08-04T19:55:54Z
Registrar Registration Expiration Date:
Registrar: Hosting Concepts B.V. d/b/a Openprovider
Registrar IANA ID: 1647
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +31.104482297
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registrant Organization: Whois Privacy Protection Foundation
Registrant State/Province: Zuid-Holland
Registrant Country: NL
Name Server: TIM.NS.CLOUDFLARE.COM
Name Server: ARON.NS.CLOUDFLARE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form https://www.icann.org/wicf/
>>> Last update of WHOIS database: 2019-09-03T07:14:58Z <<<
```
Google:
I often try to Google dork a specific site to check for metadata in files which may reveal further technologies or information that would be useful. Unfortunately, the site was so new at the time that no results came up.
Technologies:
https://builtwith.com/cyberscan.org
I used Wappalyzer to find many of these and looked at the source code. I also Google every identified technology and check whether it may be vulnerable.

Other information: the token "cyberseal-crypter", mentioned in the thread, can be used to scan for free.
Now that we had a rough idea of what was involved, and having seen that Cloudflare was in play, I knew (even though I don't run automated tools) that testing the functionality of each part of the site was in order. How does Cloudflare work? A simple breakdown: Cloudflare sits in the middle, as a reverse proxy between you and the origin server. The site's DNS points at Cloudflare's addresses (the 104.27.x.x A records above), Cloudflare caches static content and forwards the remaining requests to the origin, and its bot and WAF filtering is applied to what passes through. Two consequences matter for a tester: noisy scanners are talking to Cloudflare's edge rather than the application, and the protection only holds while the origin's real address stays hidden; an address found in passive DNS history that answers for the hostname (the 74.208.236.49 entry above) goes around the proxy entirely.
![[Image: What_is_Cloudflare_v7.png]](https://support.cloudflare.com/hc/article_attachments/360029342112/What_is_Cloudflare_v7.png)
I started by using the token from the thread. From there I uploaded a test file, which helped me figure out some of the directory structure; this can also be used to identify the backend or APIs.

One of the responses after uploading helped me figure out where the files go and the naming pattern:
```
{"status":0,"msg":"File Uploaded Succesfully!","path":"uploads\/xdARTserver_asm.exe","id":"xdART"}
```
Backend/directory structure:
```
blueimp upload : https://github.com/blueimp/jQuery-File-Upload
/cdn-cgi/
/cdn-cgi/l
/cdn-cgi/scripts/
/cdn-cgi/scripts/5c5dd728
/css/
/css/font-awesome
/iconss/
/images/
/imgresults/
/rs-plugin/
uploads/8ANvgserver.exe (my file)
```
After my first couple of uploads I noticed something: multiple tokens were being sent in the source code. I quickly deleted all cookies and cache and went back in, this time using one of these other tokens; to my surprise, several worked. At this point my notes below reflect what happened next:
![[Image: cyberscanorg-1.png]](https://i.ibb.co/s15SWBm/cyberscanorg-1.png)
Token disclosure: STOP, contact site owner

I quickly replicated the steps and documented them so it would be easy for the site owner to reproduce and see the problem for themselves.

Steps:
1. Use the "cyberseal-crypter" token.
2. Upload and scan a file.
3. Click on Home (takes you back to https://cyberscan.org/index.php ).
4. The tokens will be on the refreshed page.

NOTE: CyberSeal, contacted via PM and chat, knows of the issue.
NOTE: The owner said it is fixed and good to go for more testing.
In the end I did not find cool SQL injection or XSS, but just by looking at the source code I did see all the available tokens. Had I been someone up to no good, I could have bought a "Bronze" account, used that token, and after my first scan moved up to "Gold", and probably denied other users the service they paid for, as only two IPs can be used in a 24-hour period. Before writing this I contacted the site owner, who had asked for this initial testing to be performed, and made sure to edit the original picture of the tokens.

In conclusion, helping other members of the community is a good thing, be it keeping their site a bit more secure or just giving good advice to the member who needs help. We also saw that automated tools would not really have helped us, as the site was protected by Cloudflare, and that manual methods, while perhaps daunting on large sites, can produce results on smaller ones. We also saw that with manual methods we could quickly start to figure out where we could interact with the backend and what folders or APIs are at work.
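The impact described above is easy to underestimate because the leak is "only" some strings in page source. The following is an added example (not the site's code, nor part of the original post) that walks the chain end to end: extract tokens from a returned index page that are not the caller's own, then replay one of them against a model of the stated per-token rule (two IPs per 24 hours) and watch the paying owner get refused. The token format is an assumption modelled on the single token the thread shows ("cyberseal-crypter"), the HTML and the IP addresses are constructed, and the 24-hour window is treated as sliding because the real rule is not documented.

```python
import re
from datetime import datetime, timedelta

# Assumption: tokens look like "cyberseal-crypter" (two lowercase words joined by a dash).
TOKEN_RE = re.compile(r"\b[a-z]{4,16}-[a-z]{4,16}\b")

# Constructed index.php body: other customers' tokens are rendered into the markup.
INDEX_HTML = """
<ul class="tokens">
  <li><input type="hidden" name="token" value="cyberseal-crypter"> Free</li>
  <li><input type="hidden" name="token" value="bronze-example"> Bronze</li>
  <li><input type="hidden" name="token" value="golden-example"> Gold</li>
</ul>
"""


def leaked_tokens(html, own_token):
    """Token-like strings in the page body that do not belong to the caller."""
    return sorted(set(TOKEN_RE.findall(html)) - {own_token})


class TokenIpLimiter:
    """Models the stated policy: a token may be used from at most two distinct IPs
    per 24 hours. The sliding window is an assumption."""

    MAX_IPS = 2
    WINDOW = timedelta(hours=24)

    def __init__(self):
        self._uses = {}  # token -> [(ip, first_seen_within_window)]

    def allow(self, token, ip, now):
        recent = [(i, t) for i, t in self._uses.get(token, []) if now - t < self.WINDOW]
        if ip not in {i for i, _ in recent}:
            if len(recent) >= self.MAX_IPS:
                self._uses[token] = recent
                return False  # slot exhausted: this IP is locked out for the window
            recent.append((ip, now))
        self._uses[token] = recent
        return True


def abuse_scenario():
    """Attacker lifts the Gold token from index.php and burns both IP slots;
    the paying owner is refused until the window rolls over."""
    limiter = TokenIpLimiter()
    t0 = datetime(2019, 9, 3, 11, 0)
    gold = [t for t in leaked_tokens(INDEX_HTML, "cyberseal-crypter") if t.startswith("golden")][0]
    attacker_first = limiter.allow(gold, "198.51.100.10", t0)                        # constructed IPs
    attacker_second = limiter.allow(gold, "198.51.100.11", t0 + timedelta(minutes=5))
    owner_same_day = limiter.allow(gold, "203.0.113.7", t0 + timedelta(hours=1))
    owner_next_day = limiter.allow(gold, "203.0.113.7", t0 + timedelta(hours=25))
    return attacker_first, attacker_second, owner_same_day, owner_next_day


if __name__ == "__main__":
    print("leaked:", leaked_tokens(INDEX_HTML, "cyberseal-crypter"))
    print("attacker, attacker, owner, owner next day:", abuse_scenario())
```

The server-side fix is the obvious one and matches what the owner did: index.php renders at most the token bound to the current session, never a list drawn from every account, and a quick regression check is to fetch the page after a scan with one token and assert that `leaked_tokens()` on the body comes back empty.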