Time spent: 5 hours spent in total

Objective: Identify vulnerabilities in three different versions of the Globitek website: blue, green, and red.

The six possible exploits are:

• Username Enumeration
• Insecure Direct Object Reference (IDOR)
• SQL Injection (SQLi)
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Session Hijacking/Fixation

Each color is vulnerable to only 2 of the 6 possible exploits. First discover which color has the specific vulnerability, then write a short description of how to exploit it, and finally demonstrate it using screenshots compiled into a GIF.

Vulnerability #1: SQL Injection__________

Description: Injecting the id number of the workers

Vulnerability #2: Session Hijacking__

Description: A hacker can login without having to login with username and password using the session id from previous or other login.

Vulnerability #1: Username enumeration________

Description: hackers will be sure about the username because the actual username id gets bold when incorrect password is used and the text does not get bold if both incorrect username and passwords are entered.

Vulnerability #2: Cross-site Sripting

Description: Anyone can inject an XSS through the feedback form.

Vulnerability #1: Insecure direct Object reference______

Description: Anybody can have access to hidden accounts without logging in.

Vulnerability #2: CSFR____

Description:The user can update the database information without valid CSF token.