tryhackme.com
2606:4700:10::ac43:1b0a
Public Scan
URL:
https://tryhackme.com/room/introwebapplicationsecurity
Submission: On July 18 via manual from US — Scanned from DE
Form analysis
1 form found in the DOM: POST /feedback
<form method="post" action="/feedback" id="roomFeedbackForm" class="d-none mt-3">
<input type="hidden" name="_csrf" value="fc8yoS7d-EUzxrlSpfMkdKLmaa3t5MRE76Sw">
<input type="hidden" name="roomCode" value="introwebapplicationsecurity">
<input type="hidden" name="type" value="rooms">
<input type="hidden" name="redirect" value="json">
<div class="form-group">
<label class="mb-0" for="like">What do you like about the room?</label>
<textarea type="text" name="like" id="like" class="form-control"></textarea>
</div>
<div class="form-group">
<label class="mb-0" for="dislike">What don't you like about the room?</label>
<textarea type="text" name="dislike" id="dislike" class="form-control"></textarea>
</div>
<div class="form-group">
<label class="mb-0" for="details">Please send your suggestions, ideas and comments!</label>
<textarea id="details" type="text" name="details" class="form-control" style="padding: 5px;"></textarea>
</div>
<button type="submit" id="submitBtn" class="btn btn-success">Send Feedback</button>
</form>
Text Content
WEB APPLICATION SECURITY
Learn about web applications and explore some of their common security issues.
Difficulty: Easy
This is a free room, which means anyone can deploy virtual machines in the room (without being subscribed)! 191550 users are in here and this room is 449 days old. Created by tryhackme and strategos

Task 1 Introduction

Every one of us uses different programs on our computers. Generally speaking, programs run on our computers, using our computer’s processing power and storage. Moreover, to use a program, we need to install it first. What if we can use any program without installation?

A web application is like a “program” that we can use without installation as long as we have a modern standard web browser, such as Firefox, Safari, or Chrome. Consequently, instead of installing every program you need, you only need to browse the related page. The following are some examples of web applications:

* Webmail such as Tutanota, Protonmail, Outlook, and Gmail
* Online office suites such as Microsoft Office 365 (Word, Excel, and PowerPoint), Google Drive (Docs, Sheets, and Slides), and Zoho Office (Writer, Sheet, and Show)
* Online shopping such as Amazon.com, AliExpress, and Etsy

Thousands more examples provide a myriad of services. Other examples include online banking, money transfer, weather forecast, and social media.

The idea of a web application is that it is a program running on a remote server. A server refers to a computer system running continuously to “serve” the clients. In this case, the server will run a specific type of program that can be accessed by web browsers.

Consider an online shopping application. The web application will read the data about the products and their details from a database server. A database is used to store information in an organized way. Examples include information about products, customers, and invoices. A database server is responsible for many functions, including reading, searching, and writing to the database. The online shopping web application might need more than one database to access, for example:

* Products database: This database contains details about the products, such as name, images, specifications, and price.
* Customers database: It contains all details related to customers, such as name, address, email, and phone number.
* Sales database: We expect to see what each customer has purchased and how they paid in this database.

We can already see the amount of information stored in any online shopping system. Suppose an attacker manages to exploit (hack) the web application and steal the customers’ database. In that case, this will lead to a significant loss for the company and its customers.

The image below shows searching for an item on an online shopping site. In the simplest version, the search will take four steps:

1. The user enters an item name or related keywords in the search field. The web browser sends the search keyword(s) to the online shopping web application.
2. The web application queries (searches) the products database for the submitted keywords.
3. The product database returns the search results matching the provided keywords to the web application.
4. The web application formats the results as a friendly web page and returns them to the user.

From the user’s perspective, they will only access an elegant online shop where all the technical infrastructure is hidden.

Many companies offer bug bounty programs. A bug bounty program allows the company to offer a reward for anyone who discovers a security vulnerability (weakness) in the company’s systems. The main condition is that the found vulnerability is within the bug bounty scope and rules. Among many others, Google, Microsoft, and Facebook have bug bounty programs. Discovering a bug can earn you from a few hundred USD to tens of thousands of USD, depending on the severity of the vulnerability, i.e., the weakness you discovered.

Answer the questions below
What do you need to access a web application?

Task 2 Web Application Security Risks

Let’s say that you want to buy an item from an online shop. There are certain functions that you would expect to be able to do on this web application. Most straightforwardly, the online order might go as follows:

There are a few main categories of common attacks against web applications. Consider the following steps and related attacks.

* Log in at the website: The attacker can try to discover the password by trying many words. The attacker would use a long list of passwords with an automated tool to test them against the login page.
* Search for the product: The attacker can attempt to breach the system by adding specific characters and codes to the search term. The attacker’s objective is for the target system to return data it should not or execute a program it should not.
* Provide payment details: The attacker would check if the payment details are sent in cleartext or using weak encryption. Encryption refers to making the data unreadable without knowing the secret key or password.

We cannot cover everything, but we will present a few formal categories from OWASP Top Ten. Don’t worry if these techniques sound alien to you; TryHackMe walks you through each vulnerability.

IDENTIFICATION AND AUTHENTICATION FAILURE
Identification refers to the ability to identify a user uniquely. In contrast, authentication refers to the ability to prove that the user is who they claim to be. The online shop must confirm the user’s identity and authenticate them before they can use the system. However, this step is prone to different types of weaknesses. Example weaknesses include:

* Allowing the attacker to use brute force, i.e., try many passwords, usually using automated tools, to find valid login credentials.
* Allowing the user to choose a weak password. A weak password is usually easy to guess.
* Storing the users’ passwords in plain text. If the attacker manages to read the file containing the passwords, we don’t want them to be able to learn the stored password.

BROKEN ACCESS CONTROL
Access control ensures that each user can only access files (documents, images, etc.) related to their role or work. For example, you don’t want someone in the marketing department to access (read) the finance department’s documents. Example vulnerabilities related to access control include:

* Failing to apply the principle of least privilege and giving users more access permissions than they need. For example, an online customer should be able to view the prices of the items, but they should not be able to change them.
* Being able to view or modify someone else’s account by using its unique identifier. For example, you don’t want one bank client to be able to view the transactions of another client.
* Being able to browse pages that require authentication (logging in) as an unauthenticated user. For example, we cannot let anyone view the webmail before logging in.

INJECTION
An injection attack refers to a vulnerability in the web application where the user can insert malicious code as part of their input. One cause of this vulnerability is the lack of proper validation and sanitization of the user’s input.

CRYPTOGRAPHIC FAILURES
This category refers to the failures related to cryptography. Cryptography focuses on the processes of encryption and decryption of data. Encryption scrambles cleartext into ciphertext, which should be gibberish to anyone who does not have the secret key to decrypt it. In other words, encryption ensures that no one can read the data without knowing the secret key. Decryption converts the ciphertext back into the original cleartext using the secret key. Examples of cryptographic failures include:

* Sending sensitive data in clear text, for example, using HTTP instead of HTTPS. HTTP is the protocol used to access the web, while HTTPS is the secure version of HTTP. Others can read everything you send over HTTP, but not HTTPS.
* Relying on a weak cryptographic algorithm. One old cryptographic algorithm is to shift each letter by one. For instance, “TRY HACK ME” becomes “USZ IBDL NF.” This cryptographic algorithm is trivial to break.
* Using default or weak keys for cryptographic functions. It won’t be challenging to break the encryption that used 1234 as the secret key.

Don’t worry if these techniques look challenging or sophisticated at first. TryHackMe has dedicated in-depth rooms to help you understand and experiment with the various attacks against web applications.

Answer the questions below
You discovered that the login page allows an unlimited number of login attempts without trying to slow down the user or lock the account. What is the category of this security risk?
You noticed that the username and password are sent in cleartext without encryption. What is the category of this security risk?

Task 3 Practical Example of Web Application Security

This task will investigate a vulnerable website that uses Insecure Direct Object References (IDOR). IDOR falls under the category of Broken Access Control. Broken access control means that an attacker can access information or perform actions not intended for them.

Consider the case where a web server receives user-supplied input to retrieve objects (files, data, documents) and that they are numbered sequentially. Let’s say that the user has permission to access a photo named IMG_1003.JPG. We might guess that there are also IMG_1002.JPG and IMG_1004.JPG; however, the web application should not provide us with that image even if we figured out its name. In general, an IDOR vulnerability can occur if too much trust has been placed on that input data. In other words, the web application does not validate whether the user has permission to access the requested object. Just providing the correct URL for a user or a product does not necessarily mean the user should be able to access that URL.

For instance, consider the product page https://store.tryhackme.thm/products/product?id=52. We can expect this URL to provide details about product number 52. In the database, items would be assigned numbers sequentially. The attacker would try other numbers such as 51 or 53 instead of 52; this might reveal other retired or unreleased products if the web application is vulnerable.

Let’s consider a more critical example; the URL https://store.tryhackme.thm/customers/user?id=16 would return the user with id=16. Again, we expect the users to have sequential ID numbers. The attacker would try other numbers and possibly access other user accounts. This vulnerability might work with sequential files; for instance, if the attacker sees 007.txt, the attacker might try other numbers such as 001.txt, 006.txt, and 008.txt. Similarly, if you were ID number 16 and ID number 17 was another user, by changing the ID to 17, you could see sensitive data that belongs to another user. Likewise, they can change the ID to 16 and see sensitive data that belongs to you. (Of course, we assume here that the system is vulnerable to IDOR.)

Click on “View Site,” and let’s see this in action. You will see a page showing an Inventory Management System. If you click on the “Planned Shipments” tab, you will discover that an attacker has managed to mix things up as part of sabotage plans. Notice how they send the wrong tires to each assembly line; for instance, they assign scooter tires and motorcycle tires to bike assembly! If left unfixed, all tires will go to the wrong assembly. We will hack the system back and undo the attacker’s steps. On “Your Activity,” you can see the activity of one of the users. We have reason to believe that this website has an IDOR vulnerability.

Answer the questions below
Check the other users to discover which user account was used to make the malicious changes and revert them. After reverting the changes, what is the flag that you have received?
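The ownership check whose absence turns https://store.tryhackme.thm/customers/user?id=16 into an IDOR, written out as an added example that is not code from the room or from TryHackMe. It uses a constructed in-memory customers table, shows the lookup that trusts the id from the URL as-is, and then a hardened handler that scopes the lookup to the session user (or an assumed admin role), validates the parameter, and logs denied lookups. Names such as CUSTOMERS, get_user_secure and the "admin" role are assumptions.

```python
# Added example (not from the room or TryHackMe's code): the ownership check
# whose absence makes /customers/user?id=16 an Insecure Direct Object Reference.
from typing import Optional, Tuple

# Constructed in-memory "customers database"; a real app would query a DB server.
CUSTOMERS = {
    16: {"name": "Alice", "email": "alice@example.com", "role": "customer"},
    17: {"name": "Bob", "email": "bob@example.com", "role": "customer"},
    1: {"name": "Ops", "email": "ops@example.com", "role": "admin"},
}


def get_user_vulnerable(session_user_id: int, requested_id: int) -> Optional[dict]:
    """IDOR pattern: the id from the URL is trusted as-is, so any logged-in
    user reads any row just by changing the number (16 -> 17)."""
    return CUSTOMERS.get(requested_id)


def get_user_secure(session_user_id: int, requested_id: int) -> Optional[dict]:
    """Hardened lookup: the object must belong to the session user, unless the
    session user holds a role that is allowed to see other accounts (assumed
    here to be "admin"). Records the user may not see are treated exactly like
    records that do not exist, so the response does not reveal which ids are
    valid and cannot be used to enumerate accounts."""
    me = CUSTOMERS.get(session_user_id)
    if me is None:
        return None
    if me["role"] == "admin":
        visible = CUSTOMERS
    else:
        visible = {session_user_id: me}  # a customer's scope is only itself
    return visible.get(requested_id)


def handle_user_request(session_user_id: int, raw_id: str) -> Tuple[int, dict]:
    """Request handler around the secure lookup: validates the id parameter,
    returns an HTTP-style (status, body) pair and logs denied lookups, which
    are the signal to watch for when one account walks through many ids."""
    if not raw_id.isdigit():
        return 400, {"error": "id must be a positive integer"}
    record = get_user_secure(session_user_id, int(raw_id))
    if record is None:
        print(f"audit: user {session_user_id} denied access to user id {raw_id}")
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    # Alice (16) requesting Bob (17): leaks with the vulnerable lookup, 404 with the handler.
    print(get_user_vulnerable(16, 17))
    print(handle_user_request(16, "17"))
    print(handle_user_request(16, "16"))
```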
Copyright TryHackMe 2018-2023, 128 City Road, London, EC1V 2NX