Time spent: 5 hours in total
Objective: Identify vulnerabilities in three different versions of the Globitek website: blue, green, and red.
The six possible exploits are:
- Username Enumeration
- Insecure Direct Object Reference (IDOR)
- SQL Injection (SQLi)
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Session Hijacking/Fixation
Each color is vulnerable to only 2 of the 6 possible exploits. First discover which color has the specific vulnerability, then write a short description of how to exploit it, and finally demonstrate it using screenshots compiled into a GIF.
Vulnerability #1: SQL Injection
Description: SQL can be injected through the id number of the workers.
Vulnerability #2: Session Hijacking
Description: A hacker can log in without a username and password by using the session id from a previous or another login.
Vulnerability #1: Username Enumeration
Description: Hackers can confirm that a username exists, because the username is shown in bold when an incorrect password is entered for a real username, and the text is not bold when both the username and the password are incorrect.
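The difference described above, beside a failure page that does not leak, with a regression check a developer can run against the login handler. This is an added example, not code from the Globitek site; the account, the message text and all function names are constructed for illustration.

```python
import hmac
import html

# Constructed sample account; a real application stores password hashes.
USERS = {"jsmith": "constructed-password"}

def _credentials_ok(username: str, password: str) -> bool:
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def login_vulnerable(username: str, password: str) -> str:
    """Failure page as described above: the name is bold only if the account exists."""
    if _credentials_ok(username, password):
        return "<p>Welcome.</p>"
    shown = html.escape(username)
    if username in USERS:
        shown = f"<b>{shown}</b>"
    return f"<p>Log in was unsuccessful for {shown}.</p>"

def login_hardened(username: str, password: str) -> str:
    """Failure page with identical markup whether or not the account exists."""
    if _credentials_ok(username, password):
        return "<p>Welcome.</p>"
    return f"<p>Log in was unsuccessful for {html.escape(username)}.</p>"

def leaks_account_existence(login, known: str, unknown: str) -> bool:
    """Regression check: with the echoed name masked, both failure pages must match."""
    def masked(name: str) -> str:
        page = login(name, "wrong-password-for-test")
        return page.replace(html.escape(name), "{USER}")
    return masked(known) != masked(unknown)

if __name__ == "__main__":
    print("vulnerable leaks:", leaks_account_existence(login_vulnerable, "jsmith", "nobody"))
    print("hardened leaks:  ", leaks_account_existence(login_hardened, "jsmith", "nobody"))
```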
Vulnerability #2: Cross-Site Scripting (XSS)
Description: Anyone can inject an XSS payload through the feedback form.
Vulnerability #1: Insecure Direct Object Reference (IDOR)
Description: Anybody can access hidden accounts without logging in.
Vulnerability #2: CSRF
Description: The user can update the database information without a valid CSRF token.