Exploitation

In this video, you will be shown what information you can derive from a system by taking advantage of a security misconfiguration in OWASP Juice Shop.
7.2
Welcome back to the Security Misconfiguration session. In this second part, we will review some security misconfigurations we have already found in previous hands-on exploitations. We will jump straight to our intentionally vulnerable application and then move on to the mitigation part. In our first session, we exploited the SQL injection vulnerability in the login form. At that time, we also found the security misconfiguration, but we didn’t give it too much attention. Let’s do it now.
61.9
As in our first session, submitting our payload returned an internal server error response. Let’s check the response body.
72.7
We got a JSON object, which we will copy to our text editor so that we can read it easily.
88.6
The returned JSON has a single top-level property called error, which includes several other properties and values that we will carefully analyze to compile information about our target system.
104.3
Starting with the message property, we see that the error was triggered by the database engine, which we now know is SQLite.
115.7
Let’s keep track of the system knowledge we get from this error message.
139.9
The syntax error happens near this string, which is not something we submitted. In fact, it looks like a hash. We can find several hash algorithm detectors online. Let’s try one of them.
174.5
So we now know that passwords are hashed using the MD5 algorithm.
193.3
Next, we have stack trace. Stack traces give us a few execution steps immediately before an exception has occurred.
216.8
In this case, based on the called script path, we know the application’s location in the file system.
247.2
We also know the application is written in Node.js, based on the node_modules folder in the path.
265.5
In the same way, we know that the implementation uses the npm sequelize package.
291.8
Continuing through the JSON error object, we can even find the exact SQL queries sent to the database, and now we also know that there’s a users table which has at least three fields: email, password, and deletedAt.
330.3
There are other implementation details we may assume based on the error message. For instance, because of the deletedAt table field, user accounts are presumably not really deleted, but instead soft deleted, or flagged as deleted.
346.2
In our XML external entities session, XXE exploitation was only possible due to a security misconfiguration. Let’s check it.
375.3
While authenticated as a regular user, we have access to the Complain feature, which allows invoice uploads. We used it before to upload our malicious XML file.
437.9
This business-to-business feature has been deprecated, but the upload and the XML processing are still possible. Next, we will discuss what makes the application vulnerable and how to prevent it.

When you submitted the SQL injection payload to the OWASP Juice Shop login form, the JSON error response identified an SQLite error. In this video, you will learn how to take advantage of this verbose error and how you can ultimately find out how the system hashes passwords.
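The description above lists what a verbose error response gives away. The Python script below is an added example (it is not course material and not Juice Shop's own code) that pulls those facts out of such a response automatically: database engine from the error code, runtime and npm packages from the stack trace, the application root from the common directory of the leaked paths, table and column names from the embedded query, and any digest-sized tokens. The sample response body is constructed to match the fields the transcript mentions (error.message, error.name, error.sql, error.stack); its paths, frame lines and query are assumptions, not a capture from a real instance. The hash entry is reported as a length-based hint only, which is all an online hash identifier does too; because the query embeds the digest the server computed from the password field you submitted (an assumption that matches what the transcript shows), confirm_md5() verifies the algorithm against the value you typed instead of trusting the guess.

```python
import hashlib
import json
import posixpath
import re

# Constructed sample of a verbose Sequelize/SQLite error body, shaped like the
# response the transcript walks through (a top-level "error" object carrying
# message, name, sql and stack). Paths, frames and the query are illustrative
# assumptions, not a capture from a real Juice Shop instance.
SAMPLE_RESPONSE = json.dumps({
    "error": {
        "message": 'SQLITE_ERROR: near "5f4dcc3b5aa765d61d8327deb882cf99": syntax error',
        "name": "SequelizeDatabaseError",
        "sql": "SELECT * FROM Users WHERE email = ''' AND password = "
               "'5f4dcc3b5aa765d61d8327deb882cf99' AND deletedAt IS NULL",
        "stack": "\n".join([
            "Error",
            "    at Database.<anonymous> (/juice-shop/node_modules/sequelize/lib/dialects/sqlite/query.js:185:27)",
            "    at Query.run (/juice-shop/node_modules/sequelize/lib/dialects/sqlite/query.js:183:12)",
            "    at new Promise (<anonymous>)",
            "    at /juice-shop/node_modules/sequelize/lib/sequelize.js:619:28",
            "    at /juice-shop/build/routes/login.js:34:24",
        ]),
    }
})

DB_ENGINE_BY_CODE_PREFIX = {"SQLITE_": "SQLite"}   # extend as other drivers are met
HASH_LENGTH_HINTS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}
SQL_KEYWORDS = {"AND", "OR", "NOT", "WHERE", "SELECT", "NULL", "IS"}

ERROR_CODE = re.compile(r"([A-Z]+_[A-Z_]+):")                      # e.g. SQLITE_ERROR:
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32,128}\b")                 # digest-sized hex runs
JS_PATH = re.compile(r"(/[^\s():]+?\.[cm]?js)")                    # absolute paths in stack frames
NODE_MODULE = re.compile(r"/node_modules/((?:@[^/]+/)?[^/]+)/")    # scoped and unscoped packages
TABLE = re.compile(r"\b(?:FROM|JOIN|UPDATE|INTO)\s+([A-Za-z_]\w*)", re.I)
COLUMN = re.compile(r"\b([A-Za-z_]\w*)\s*(?:=|<>|!=|IS\s+(?:NOT\s+)?NULL|LIKE\b)", re.I)


def hash_algorithm_hint(token):
    """Name the digest algorithm a hex token is consistent with, by length.
    This is what online hash identifiers do; it is a hint, not proof
    (a 32-hex-char value is MD5-sized but could be any 128-bit digest)."""
    name = HASH_LENGTH_HINTS.get(len(token))
    return f"{name} (length-based hint, {len(token) * 4}-bit)" if name else None


def confirm_md5(submitted_password, token):
    """The leaked query embeds the digest the server computed from the password
    we submitted, so the algorithm can be verified rather than guessed."""
    return hashlib.md5(submitted_password.encode()).hexdigest() == token.lower()


def extract_findings(body):
    """Turn a verbose error body into the system facts it leaks."""
    err = json.loads(body).get("error", {})
    if not isinstance(err, dict):            # some apps return {"error": "text"}
        err = {"message": str(err)}
    message, sql, stack = (str(err.get(k, "")) for k in ("message", "sql", "stack"))

    code = ERROR_CODE.match(message)
    code = code.group(1) if code else None
    engine = next((name for prefix, name in DB_ENGINE_BY_CODE_PREFIX.items()
                   if code and code.startswith(prefix)), None)

    # Stack frames leak absolute paths; the app root is their common directory.
    paths = list(dict.fromkeys(JS_PATH.findall(stack)))   # dedupe, keep order
    app_root = posixpath.commonpath([posixpath.dirname(p) for p in paths]) if paths else None

    tables = sorted(set(TABLE.findall(sql)))
    columns = sorted({c for c in COLUMN.findall(sql) if c.upper() not in SQL_KEYWORDS})
    hashes = sorted(set(HEX_TOKEN.findall(message + " " + sql)))

    return {
        "db_engine": engine,
        "db_error_code": code,
        "runtime": "Node.js" if "/node_modules/" in stack else None,
        "npm_packages": sorted(set(NODE_MODULE.findall(stack))),
        "orm": "Sequelize" if str(err.get("name", "")).startswith("Sequelize") else None,
        "app_root": app_root,
        "file_paths": paths,
        "sql_query": sql or None,
        "tables": tables,
        "columns": columns,
        "soft_delete": "deletedat" in {c.lower() for c in columns},
        "hash_candidates": {h: hash_algorithm_hint(h) for h in hashes},
    }


if __name__ == "__main__":
    for key, value in extract_findings(SAMPLE_RESPONSE).items():
        print(f"{key:>15}: {value}")
    # The constructed sample was produced by submitting the password "password".
    print("MD5 confirmed:", confirm_md5("password", "5f4dcc3b5aa765d61d8327deb882cf99"))
```

Run it as a script to see the findings for the constructed body, or call extract_findings() on the body you copied out of the proxy. Everything it reports is only as good as the regexes, so treat the output as a checklist to confirm by hand, exactly as the video does; the one item that needs no guessing is the hash, since you know what you typed into the password field.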

This article is from the free online course Advanced Cyber Security Training: OWASP Top 10 and Web Application Fundamentals

Created by FutureLearn - Learning For Life
