Skip to content

GitLab

Commit 61aff00e authored by Joonatan Ovaska's avatar Joonatan Ovaska
Browse files

Upload New File

parent 2a042463
Hide whitespace changes
Inline Side-by-side
Week02_Assignment.md 0 → 100644
View file @ 61aff00e
# Week02 assignment (20 pts)
Preparation:
* Update Wasdat. Example flow in `was-students-2022` directory:
* `docker-compose down -v` # removes volumes (test data you created will be removed)
* `git pull`
* `docker-compose up --force-recreate -d`
Notes:
* When updating Wasdat settings, Wasdat currently rejects settings update when bio missing.
* To be fixed later. Workaround: add anything to bio field.
* WasDat gives `curl` flag only with User-Agents containing the word `curl`.
* Firefox 60/61 "copy as cURL" feature omits form data
* https://bugzilla.mozilla.org/show_bug.cgi?id=1433109
* Your curl command's data ends up being `--data ''` even though there was a request payload
* If you encounter this, use a different browser or update Firefox
* If you tick all of these boxes, consider some changes before trouble arrives:
* [ ] Several years old browser version
* [ ] Used to browse not only course targets, but Internet as well
* [ ] Connected also to home/office network
## First part A2:2017 Broken authentication
Assignments:
* [Issue report] **TARGET => WasDat**: Testing unverified password change with curl (1 point)
* Let's get familiar with `curl` command.
* Wasdat application does not ask for user's old password when changing password.
* While this creates other malicious opportunities, now we are merely getting familiar with the `curl` command.
* Task: Change a Wasdat user's password with curl
* Create or use pre-existing wasdat-victim@example.com
* Start from changing the password using the browser
* Craft and execute a curl command you can use to change user's password to `"Jamk2022"` (sha1: `66362b00beb0bd02d5288f8f14e2234bd00842b0`)
* Verify you can log in via browser with credentials "wasdat-victim@example.com" "Jamk2022"
* Refer to previous week's video if needed for help on copying request from a browser as curl
* **Note**: WasDat requires User-Agent to include `curl` to show flag. Remove `-H 'User-Agent: Mozilla etc'` header if needed.
* Note that you can run the command repeatedly
* In your report:
* Include the curl command for changing the user's password
* Include WasFlag4_1 visible at response headers
* **Note**: curl option `-i` shows response headers, which is required to obtain the flag
* In mitigation section, refer to CWE-620 https://cwe.mitre.org/data/definitions/620.html
* [Reading report] JWT Reading assignment (2 points)
* Read
* https://jwt.io/introduction
* Section 4.1 from RFC 7519 https://tools.ietf.org/html/rfc7519#section-4.1
* In your report:
* Decode a wasdat-victim's JWT token and use it as an example
* Decode the first two parts
* Identify structure of a JWT token and explain names and uses for its three parts
* Pair iat, nbf, jti, exp values with RFC-7519 explanations
* What does WasDat's exp concrete actual value mean in terms of JWT token usage?
* [Issue report]: **TARGET => WasDat**: Exploiting alg=None in Wasdat (3,5 points)
* Scenario: Attacker is able to create alg=None tokens for other users and changes victim user's password. For doing this, attacker uses his/her own token and modifies it to match victim's. Attacker has to only know or guess (enumerate) victim user identifiers.
* You can check and use your victim user identifier from above
* Task: Change victim user's password with an alg=None JWT token
* For short explanation what alg=None means, check https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm
* Note: Wasdat implementation is terrible and allows alg=none tokens even if a secret key is configured
* Create or use pre-existing (wasdat-victim@example.com, attacker@example.com) users to Wasdat
* Acquire and decode tokens of attacker and wasdat-victim
* Identify which field holds the user id
* Encode a token with alg=None and use it
* Manipulate the attacker's token so that it matches the victim's
* Tool examples (decoding, encoding):
* built-in `jwt` library in Python 3.x
* jwt.io
* CyberChef
* You can modify the curl command from first assignment (or use something else)
* In your report:
* Check "Issue report" from Assignment instructions (don't forget mitigation section!)
* You don't need to document creating the users or installing tools
* Include a brief impact assessment ("how bad is this?")
* Include WasFlag4_2 from the response headers
* [Issue report]: **TARGET => WasDat:** Exploiting leaked JWT secret (3,5 points)
* Scenario: Someone was able to crack Wasdat's weak secret key for signing JWT Tokens. In fact, no cracking was required as it was left as library default value. Nobody at Wasdat responded, so this secret key `"secret-key"` ended up in a Tweet with appropriate tags #wasdat #jwt #yolo.
* Task: Change victim user's password with a forged token that is signed
* Create or use pre-existing (wasdat-victim@example.com, attacker@example.com) users to Wasdat
* Acquire and decode tokens of attacker and wasdat-victim
* Identify which field holds the user id
* Encode a token with matching algorithm
* Manipulate the attacker's token so that it matches the victim's
* Add also field "was: true" to demonstrate you can manipulate payload freely
* Tool examples (decoding, encoding):
* built-in `jwt` library in Python 3.x
* jwt.io
* CyberChef
* You can modify the curl command from first assignment (or use something else)
* In your report:
* Check "Issue report" from Assignment instructions (don't forget mitigation section!)
* You don't need to document creating the users or installing tools
* Include a brief impact assessment ("how bad is this?")
* Include WasFlag4_3 from the response headers
* Shown for pw change with signed token & was: true field
## Second part A4:2017 XML External Entities (XXE)
Wasdat custom-search usage instructions to get you started:
* `curl -X POST http://localhost:8080/api/articles/custom-search -H "Content-Type: text/xml" --data "@custom-search-example.xml"`
* Check host+port: `localhost:8080` by default
* `custom-search-example.xml` present in was-students-2022 repository
Assignments (10 pts):
* [Reading Report] "RWBH Chapter 11: XML External Entity (pp. 107-117) (2 pts)
* Why is it possible to define your own doctype?
* So what's the use case for defining doctypes
* Why does `SYSTEM` attribute exist within doctype definitions?
* [Issue report] **TARGET => WasDat:** Wasdat XXE Local File Read (4 pts)
* Scenario: Wasdat has opened an alpha version of their custom search API endpoint `/api/articles/custom-search` (POST) (see usage example above). Looks like the current version of the API merely displays the search back to user. They plan on having it public while it's in development and once it's ready, they plan selling access to it for marketing companies. Move Fast and Break Things philosophy has backfired, however, as the API is vulnerable to XML External Element.
* Task: Get contents of `/etc/passwd` from Wasdat backend
* Modify example API call to exploit XEE vulnerability and retrieve contents of /etc/passwd of backend
* In your report:
* Include the payload you used
* Include the flag present in `/etc/passwd`
* As usual, refer to "Issue report" from Assignment instructions (don't forget mitigation section!)
* For mitigation tips, check https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE).html
* [Issue report] **TARGET => WasDat:** Wasdat XXE SSRF (4 pts)
* Scenario:
* (same as above) plus addition: it turns out that a company that sells missile guidance systems for refurbished cruise missiles has bought Wasdat and co-located Wasdat's backend systems to their networks. Also, missile-control's HTTP API design isn't perfect, as the missiles can be launched using a GET request (which should not have side effects).
* Task: Launch The Missiles
* Modify example API call to exploit XEE vulnerability and perform call to `http://missile-control:6666/launch-the-missiles`
* Note that `missile-control` only resolves and routes inside the Application network. Don't worry if pinging it doesn't work from your Docker host.
* In your report:
* (same as above)
* Include the flag present in HTTP response
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment