tryhackme.com
Open in
urlscan Pro
2606:4700:10::ac43:1b0a
Public Scan
URL:
https://tryhackme.com/room/introwebapplicationsecurity
Submission: On July 18 via manual from US — Scanned from DE
Submission: On July 18 via manual from US — Scanned from DE
Form analysis 1 forms found in the DOM
POST /feedback
<form method="post" action="/feedback" id="roomFeedbackForm" class="d-none mt-3">
<input type="hidden" name="_csrf" value="fc8yoS7d-EUzxrlSpfMkdKLmaa3t5MRE76Sw">
<input type="hidden" name="roomCode" value="introwebapplicationsecurity">
<input type="hidden" name="type" value="rooms">
<input type="hidden" name="redirect" value="json">
<div class="form-group">
<label class="mb-0" for="like">What do you like about the room?</label>
<textarea type="text" name="like" id="like" class="form-control"></textarea>
</div>
<div class="form-group">
<label class="mb-0" for="dislike">What don't you like about the room?</label>
<textarea type="text" name="dislike" id="dislike" class="form-control"></textarea>
</div>
<div class="form-group">
<label class="mb-0" for="details">Please send your suggestions, ideas and comments!</label>
<textarea id="details" type="text" name="details" class="form-control" style="padding: 5px;"></textarea>
</div>
<button type="submit" id="submitBtn" class="btn btn-success">Send Feedback</button>
</form>Text Content
We use cookies to ensure you get the best user experience. For more information
contact us. Read more
Got it!
* Learn
* Compete
King of the Hill
Attack & Defend
Leaderboards
Platform Rankings
* Networks
Throwback
Attacking Active Directory
Wreath
Network Pivoting
* For Education
Teaching
Use our security labs
Create Labs
Upload & Deploy VMs
* For Business
* Login
* Join Now
* Learn
* Compete
King of the Hill
Attack & Defend
Leaderboards
Platform Rankings
* Networks
Throwback
Attacking Active Directory
Wreath
Network Pivoting
* For Education
Teaching
Use our security labs
Create Labs
Upload & Deploy VMs
* For Business
* Login
* Join Now
4140
WEB APPLICATION SECURITY
Start AttackBox
Use Kali Linux
Web-based Kali Machine
Use AttackBox
Recommended
Show Split View Cloud Details Awards Help
Clone Room Writeups Reset Progress Leave
Learn about web applications and explore some of their common security issues.
To access material, start machines and answer questions login.
* Chart
* Scoreboard
* Discuss
* Writeups
* More
Difficulty: Easy
Rank Username Total Score
DISCORD
Come join our Discord server for support or further discussions
FORUM
Read or post on the dedicated forum post
There are no writeups submitted.
Add Writeup
Submit
Writeups should have a link to TryHackMe and not include any passwords/cracked
hashes/flags
This is a free room, which means anyone can deploy virtual machines in the room
(without being subscribed)! 191550 users are in here and this room is 449 days
old.
Created by tryhackme and strategos
Active Machine Information
Loading...
Loading...
Loading...
Loading...
0%
Task 1 Introduction
Every one of us uses different programs on our computers. Generally speaking,
programs run on our computers, using our computer’s processing power and
storage. Moreover, to use a program, we need to install it first. What if we can
use any program without installation?
A web application is like a “program” that we can use without installation as
long as we have a modern standard web browser, such as Firefox, Safari, or
Chrome. Consequently, instead of installing every program you need, you only
need to browse the related page. The following are some examples of web
applications:
* Webmail such as Tutanota, Protonmail, Outlook, and Gmail
* Online office suites such as Microsoft Office 365 (Word, Excel, and
PowerPoint), Google Drive (Docs, Sheets, and Slides), and Zoho Office
(Writer, Sheet, and Show)
* Online shopping such as Amazon.com, AliExpress, and Etsy
Thousands more examples provide a myriad of services. Other examples include
online banking, money transfer, weather forecast, and social media.
The idea of a web application is that it is a program running on a remote
server. A server refers to a computer system running continuously to “serve” the
clients. In this case, the server will run a specific type of program that can
be accessed by web browsers.
Consider an online shopping application. The web application will read the data
about the products and their details from a database server. A database is used
to store information in an organized way. Examples include information about
products, customers, and invoices. A database server is responsible for many
functions, including reading, searching, and writing to the database. The online
shopping web application might need more than one database to access, for
example:
* Products database: This database contains details about the products, such as
name, images, specifications, and price.
* Customers database: It contains all details related to customers, such as
name, address, email, and phone number.
* Sales database: We expect to see what each customer has purchased and how
they paid in this database.
We can already see the amount of information stored in any online shopping
system. Suppose an attacker manages to exploit (hack) the web application and
steal the customers’ database. In that case, this will lead to a significant
loss for the company and its customers.
The image below shows searching for an item on an online shopping site. In the
simplest version, the search will take four steps:
1. The user enters an item name or related keywords in the search field. The
web browser sends the search keyword(s) to the online shopping web
application.
2. The web application queries (searches) the products database for the
submitted keywords.
3. The product database returns the search results matching the provided
keywords to the web application.
4. The web application formats the results as a friendly web page and returns
them to the user.
From the user’s perspective, they will only access an elegant online shop where
all the technical infrastructure is hidden.
Many companies offer bug bounty programs. A bug bounty program allows the
company to offer a reward for anyone who discovers a security vulnerability
(weakness) in the company’s systems. The main condition is that the found
vulnerability is within the bug bounty scope and rules. Among many others,
Google, Microsoft, and Facebook have bug bounty programs. Discovering a bug can
earn you from a few hundred USD to tens of thousands of USD, depending on the
severity of the vulnerability, i.e., the weakness you discovered.
Answer the questions below
What do you need to access a web application?
Login to answer..
Task 2 Web Application Security Risks
Let’s say that you want to buy an item from an online shop. There are certain
functions that you would expect to be able to do on this web application. Most
straightforwardly, the online order might go as follows:
There are a few main categories of common attacks against web applications.
Consider the following steps and related attacks.
* Log in at the website: The attacker can try to discover the password by
trying many words. The attacker would use a long list of passwords with an
automated tool to test them against the login page.
* Search for the product: The attacker can attempt to breach the system by
adding specific characters and codes to the search term. The attacker’s
objective is for the target system to return data it should not or execute a
program it should not.
* Provide payment details: The attacker would check if the payment details are
sent in cleartext or using weak encryption. Encryption refers to making the
data unreadable without knowing the secret key or password.
We cannot cover everything, but we will present a few formal categories from
OWASP Top Ten. Don’t worry if these techniques sound alien to you; TryHackMe
walks you through each vulnerability.
IDENTIFICATION AND AUTHENTICATION FAILURE
Identification refers to the ability to identify a user uniquely. In contrast,
authentication refers to the ability to prove that the user is whom they claim
to be. The online shop must confirm the user’s identity and authenticate them
before they can use the system. However, this step is prone to different types
of weaknesses. Example weaknesses include:
* Allowing the attacker to use brute force, i.e., try many passwords, usually
using automated tools, to find valid login credentials.
* Allowing the user to choose a weak password. A weak password is usually easy
to guess.
* Storing the users’ passwords in plain text. If the attacker manages to read
the file containing the passwords, we don’t want them to be able to learn the
stored password.
BROKEN ACCESS CONTROL
Access control ensures that each user can only access files (documents, images,
etc.) related to their role or work. For example, you don’t want someone in the
marketing department to access (read) the finance department’s documents.
Example vulnerabilities related to access control include:
* Failing to apply the principle of the least privilege and giving users more
access permissions than they need. For example, an online customer should be
able to view the prices of the items, but they should not be able to change
them.
* Being able to view or modify someone else’s account by using its unique
identifier. For example, you don’t want one bank client to be able to view
the transactions of another client.
* Being able to browse pages that require authentication (logging in) as an
unauthenticated user. For example, we cannot let anyone view the webmail
before logging in.
INJECTION
An injection attack refers to a vulnerability in the web application where the
user can insert malicious code as part of their input. One cause of this
vulnerability is the lack of proper validation and sanitization of the user’s
input.
CRYPTOGRAPHIC FAILURES
This category refers to the failures related to cryptography. Cryptography
focuses on the processes of encryption and decryption of data. Encryption
scrambles cleartext into ciphertext, which should be gibberish to anyone who
does not have the secret key to decrypt it. In other words, encryption ensures
that no one can read the data without knowing the secret key. Decryption
converts the ciphertext back into the original cleartext using the secret key.
Examples of cryptographic failures include:
* Sending sensitive data in clear text, for example, using HTTP instead of
HTTPS. HTTP is the protocol used to access the web, while HTTPS is the secure
version of HTTP. Others can read everything you send over HTTP, but not
HTTPS.
* Relying on a weak cryptographic algorithm. One old cryptographic algorithm is
to shift each letter by one. For instance, “TRY HACK ME” becomes “USZ IBDL
NF.” This cryptographic algorithm is trivial to break.
* Using default or weak keys for cryptographic functions. It won’t be
challenging to break the encryption that used 1234 as the secret key.
Don’t worry if these techniques look challenging or sophisticated at first.
TryHackMe has dedicated in-depth rooms to help you understand and experiment
with the various attacks against web applications.
Answer the questions below
You discovered that the login page allows an unlimited number of login attempts
without trying to slow down the user or lock the account. What is the category
of this security risk?
Login to answer..
You noticed that the username and password are sent in cleartext without
encryption. What is the category of this security risk?
Login to answer..
Task 3 Practical Example of Web Application Security
View Site
This task will investigate a vulnerable website that uses Insecure Direct Object
References (IDOR). IDOR falls under the category of Broken Access Control.
Broken access control means that an attacker can access information or perform
actions not intended for them. Consider the case where a web server receives
user-supplied input to retrieve objects (files, data, documents) and that they
are numbered sequentially. Let’s say that the user has permission to access a
photo named IMG_1003.JPG. We might guess that there are also IMG_1002.JPG and
IMG_1004.JPG; however, the web application should not provide us with that image
even if we figured out its name. In general, an IDOR vulnerability can occur if
too much trust has been placed on that input data. In other words, the web
application does not validate whether the user has permission to access the
requested object.
Just providing the correct URL for a user or a product does not necessarily mean
the user should be able to access that URL. For instance, consider the product
page https://store.tryhackme.thm/products/product?id=52. We can expect this URL
to provide details about product number 52. In the database, items would be
assigned numbers sequentially. The attacker would try other numbers such as 51
or 53 instead of 52; this might reveal other retired or unreleased products if
the web application is vulnerable.
Let’s consider a more critical example; the URL
https://store.tryhackme.thm/customers/user?id=16 would return the user with
id=16. Again, we expect the users to have sequential ID numbers. The attacker
would try other numbers and possibly access other user accounts. This
vulnerability might work with sequential files; for instance, if the attacker
sees 007.txt, the attacker might try other numbers such as 001.txt, 006.txt, and
008.txt. Similarly, if you were ID number 16 and ID number 17 was another user,
by changing the ID to 17, you could see sensitive data that belongs to another
user. Likewise, they can change the ID to 16 and see sensitive data that belongs
to you. (Of course, we assume here that the system is vulnerable to IDOR.)
Click on “View Site,” and let’s see this in action. You will see a page showing
an Inventory Management System. If you click on the “Planned Shipments” tab, you
will discover that an attacker has managed to mix things up as part of sabotage
plans. Notice how they send the wrong tires to each assembly line; for instance,
they assign scooter tires and motorcycle tires to bike assembly! If left
unfixed, all tires will go to the wrong assembly.
We will hack the system back and undo the attacker’s steps. On “Your Activity,”
you can see the activity of one of the users. We have reason to believe that
this website has an IDOR vulnerability.
Answer the questions below
Check the other users to discover which user account was used to make the
malicious changes and revert them. After reverting the changes, what is the flag
that you have received?
Login to answer..
Hint
Created by tryhackme and strategos
This is a free room, which means anyone can deploy virtual machines in the room
(without being subscribed)! 191550 users are in here and this room is 449 days
old.
--------------------------------------------------------------------------------
Copyright TryHackMe 2018-2023128 City Road, London, EC1V 2NX
LEARN
* Hacktivities
* Leaderboards
* Paths
DOCS
* Teaching
* About Us
* Blog
* Buy Vouchers
SOCIALS
* Twitter
* Email
* Discord
* Forum
WEB-BASED MACHINE INFORMATION
Use the web-based machine to attack other target machines you start on
TryHackMe.
* Public IP:
* Private IP: (Use this for your reverse shells)
* Username:
* Password:
* Protocol:
--------------------------------------------------------------------------------
* To copy to and from the browser-based machine, highlight the text and press
CTRL+SHIFT+C or use the clipboard
* When accessing target machines you start on TryHackMe tasks, make sure you're
using the correct IP (it should not be the IP of your AttackBox)
×
Complete the room to earn this badge
QUESTION HINT
×
...
×
CONGRATULATIONS
You've completed the room! Share this with your friends:
Leave feedback
What do you like about the room?
What don't you like about the room?
Please send your suggestions, ideas and comments!
Send Feedback
TO ACCESS THIS MACHINE, YOU NEED TO EITHER
×
Use a VPN
Connect to our network via a VPN
See Instructions
or
Use the AttackBox
Use a web-based attack machine (recommended)
Start AttackBox
EXPIRING SOON
Your machine is going to expire soon. Close this and add an hour to stop it from
terminating!
Close
EXPIRED MACHINE
Your machine has expired and terminated.
Close
HOW TO ACCESS MACHINES
×
Now you've started your machine, to access it you need to either
Download your VPN configuration file and import it into a OpenVPN client
Control a web-based machine with everything you need, all from inside your
browser
×
Close
RESET YOUR PROGRESS
×
Warning You will keep your points but all your answers in this room will be
erased.
Yes, please!
CLOUD INFORMATION
×
* Environment
* Credentials
GENERATING YOUR CERTIFICATE
×
HEY THERE, WHAT'S YOUR NAME?
If you want your name to appear on your certificate, please fill the field
below.
Full Name
YOU'RE HERE INCOGNITO? IT'S OK!
If you chose skip, your username will be used instead!
Generate with my full name
Generate with my username
Video Solution
Writeups
Forum Post
Knowledge Base
Ask Community
Show Connection Options
To access target machines you need to either:
AttackBox
Use a browser-based attack machine
OpenVPN
Connect to our network via a VPN
View the dedicated OpenVPN access page for more information
WHAT OPERATING SYSTEM ARE YOU USING?
* Windows
* Linux
* MacOS
1. Download your OpenVPN configuration pack.
2. Download the OpenVPN GUI application.
3. Install the OpenVPN GUI application. Then open the installer file and follow
the setup wizard.
4. Open and run the OpenVPN GUI application as Administrator.
5. The application will start running in the system tray. It's at the bottom of
your screen, near the clock. Right click on the application and click Import
File.
6. Select the configuration file you downloaded earlier.
7. Now right click on the application again, select your file and click Connect
1. Download your OpenVPN configuration pack.
2. Run the following command in your terminal: sudo apt install openvpn
3. Locate the full path to your VPN configuration file (normally in your
~/Downloads folder).
4. Use your OpenVPN file with the following command: sudo openvpn
/path/to/file.ovpn
1. Download your OpenVPN configuration pack.
2. Download OpenVPN for MacOS.
3. Install the OpenVPN GUI application, by opening the dmg file and following
the setup wizard.
4. Open and run the OpenVPN GUI application.
5. The application will start running and appear in your top bar. Right click
on the application and click Import File -> Local file.
6. Select the configuration file you downloaded earlier.
7. Right click on the application again, select your file and click connect.
HAVING PROBLEMS?
* If you can access 10.10.10.10, you're connected.
* Downloading and getting a 404? Go the access page and switch VPN servers.
* Getting inline cert error? Go the access page and switch VPN servers.
* If you are using a virtual machine, you will need to run the VPN inside that
machine.
* Is the OpenVPN client running as root? (On Windows, run OpenVPN GUI as
administrator. On Linux, run with sudo)
* Have you restarted your VM?
* Is your OpenVPN up-to-date?
* Only 1 OpenVPN connection is allowed. (Run ps aux | grep openvpn - are there
2 VPN sessions running?)
* Still having issues? Check our docs out.
ATTACKBOX
Use your own web-based linux machine to access machines on TryHackMe
To start your AttackBox in the room, click the Start AttackBox button. Your
private machine will take 2 minutes to start.
Free users get 1 free AttackBox hour. Subscribed users get more powerful
machines with unlimited deploys.
Hide IP