30 Days of Security Testing – Day Twenty-Four

The challenge for Day Twenty-Four is – Use a suggestion from the OWASP Web Application Security Checklist.

To attack this challenge I went to the OWASP JuiceShop.

The OWASP JuiceShop is an intentionally vulnerable web app that allows people to test out exploits, kind of a “Don’t do what Donny Don’t Does” for web development.


First I thought I’d try to test for a weak password policy. I clicked on Register to create a new user and entered the name mike@example.com, and for the password I picked password.  I was prompted to add an answer to a security question, to which I entered the answer 123.

Success! I was in.  This is pretty obviously a bad idea.  There wasn’t even an attempt to make me use a capital letter, number or special character as a minimum level of complexity – anyone could guess this password, or run a simple dictionary attack to try to get in.

Next I thought I’d try testing for a weak lockout mechanism.

I logged out as mike@example.com and tried to log back in with an incorrect password. I hit the login button and was met with the prompt “incorrect username or password”, so I tried it again, then hit the login button 145 times and still didn’t get locked out (or at least it appeared that I didn’t get locked out).  If the app is locking me out without me seeing it, and sending an alert that someone has tried to log in 147 times with the same password within 2 mins – great! If there has been no attempt to lock me out, and there has been no notification – not so great.  This leaves the door open to a brute force attack.
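To make the two manual tests above (weak password policy, then weak lockout) repeatable, here is an added example that is not code from the original post or from OWASP Juice Shop. It does not talk to a real server: the two login back-ends are constructed stand-ins (one that never locks, like what the post observed, and one that locks an account for two minutes after five consecutive failures), the response bodies and the 423/429 status codes are assumptions about how a locking server would answer, and the common-password list is a tiny constructed substitute for a real breached-password corpus. The probe replays the post’s 147 wrong attempts and then the correct password, so a lockout shows up either as a changed status code along the way or as the correct password being refused at the end.

```javascript
// Added example, not code from the original post or from OWASP Juice Shop.
// Two constructed login back-ends (one with no lockout, one with a
// failure-count lockout) and a probe that mirrors the manual test in the
// post: many wrong passwords, then the correct one.

const BAD_PASSWORD_RESPONSE = { error: "Invalid email or password." }; // wording assumed

// Constructed back-end with no lockout: every wrong password gets a 401, forever.
function makeNoLockoutBackend(validPassword) {
  return function login(email, password) {
    return password === validPassword
      ? { status: 200, body: { authentication: { token: "demo-token" } } }
      : { status: 401, body: BAD_PASSWORD_RESPONSE };
  };
}

// Constructed back-end that locks an account for windowMs after maxFailures
// consecutive bad attempts. `now` is injectable so the behaviour is deterministic.
function makeLockoutBackend(validPassword, maxFailures = 5, windowMs = 15 * 60 * 1000, now = () => Date.now()) {
  const state = new Map(); // email -> { failures, lockedUntil }
  return function login(email, password) {
    const t = now();
    const rec = state.get(email) || { failures: 0, lockedUntil: 0 };
    if (rec.lockedUntil > t) {
      return { status: 423, body: { error: "Account temporarily locked." } }; // 423 assumed
    }
    if (password === validPassword) {
      state.delete(email); // a successful login clears the failure counter
      return { status: 200, body: { authentication: { token: "demo-token" } } };
    }
    rec.failures += 1;
    if (rec.failures >= maxFailures) {
      rec.lockedUntil = t + windowMs;
      rec.failures = 0;
    }
    state.set(email, rec);
    return { status: 401, body: BAD_PASSWORD_RESPONSE };
  };
}

// The probe: send every wrong password, then the correct one, and summarise.
// A lockout shows up either as a 423/429 along the way or as the correct
// password being refused at the end.
function probeLockout(login, email, wrongPasswords, correctPassword) {
  const seen = new Set();
  for (const pw of wrongPasswords) seen.add(login(email, pw).status);
  const finalStatus = login(email, correctPassword).status;
  const statuses = [...seen].sort((a, b) => a - b);
  const lockoutSignal = statuses.includes(423) || statuses.includes(429);
  return {
    attempts: wrongPasswords.length,
    statuses,
    lockedOut: lockoutSignal || finalStatus !== 200,
    correctPasswordAcceptedAfterwards: finalStatus === 200,
  };
}

// Minimal password-policy check. The list is a constructed stand-in for a
// real breached-password corpus; length and a breach check catch "password"
// just as well as composition rules do, without the usual user workarounds.
const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "letmein", "admin", "welcome"]);

function checkPasswordPolicy(password) {
  const problems = [];
  if (password.length < 12) problems.push("shorter than 12 characters");
  if (COMMON_PASSWORDS.has(password.toLowerCase())) problems.push("appears in a common-password list");
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter((re) => re.test(password)).length;
  if (classes < 3) problems.push(`uses only ${classes} character class(es)`);
  return problems; // an empty array means the password passes
}

// Re-run the post's manual test (147 wrong attempts, then the real password)
// against both back-ends, plus the policy check on the post's chosen password.
const WRONG_ATTEMPTS = Array.from({ length: 147 }, (_, i) => `wrong-${i}`);

function runDemo() {
  const email = "mike@example.com";
  return {
    noLockout: probeLockout(makeNoLockoutBackend("password"), email, WRONG_ATTEMPTS, "password"),
    withLockout: probeLockout(makeLockoutBackend("password", 5, 2 * 60 * 1000), email, WRONG_ATTEMPTS, "password"),
    weakPolicy: checkPasswordPolicy("password"),
    strongPolicy: checkPasswordPolicy("Tr0ub4dor&3-but-longer!"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

Run with `node` to see the two reports side by side: the no-lockout back-end answers 401 to all 147 attempts and then happily accepts the real password, which is exactly the pattern the post saw and the one a brute-force tool relies on; the locking back-end switches to 423 after the fifth failure and keeps refusing even the correct password until the window expires. Against a live target, point `probeLockout` at a real login call and watch for any change in status, body or timing, since some applications lock silently rather than announcing it.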

I also noticed that when I had the developer tools open while I was trying to log in, and I received a 401 error against the login request, it showed the attempted password in plain text. I tried this again using the correct password and could see it clear as day; it would be very easy for an attacker to intercept a legitimate login attempt and hijack a user’s login.

This quick test took about 10 mins and already highlighted some pretty basic oversights.

This was the JuiceShop, so it really was low-hanging fruit, but I’m new at this and wanted to see how to find some vulnerabilities first hand.

I’d recommend having a play in the JuiceShop and trying to work your way through the OWASP Checklist (or having a look at the Pwning OWASP Juice Shop guide).

Thanks for reading my post and following my progress through the 30 Days of Security Testing.

For more on Security Testing please visit here, or for any of my other ramblings visit here.

Feel like joining in? Sign into the WeTest Slack group and get involved!
