The challenge for Day Twenty-Four is – Use a suggestion from the OWASP Web Application Security Checklist.
To attack this challenge I went to the OWASP JuiceShop here.
The OWASP JuiceShop is an intentionally vulnerable web app that allows people to test out exploits, kind of a “Don’t do what Donny Don’t Does” for web development.
First I thought I’d try testing for a weak password policy. I clicked on Register here to create a new user, entered the name email@example.com and for the password I picked password. I was prompted to add an answer to a security question, for which I entered the answer 123.
Success! I was in. This is pretty obviously a bad idea. There wasn’t even an attempt to make me use a capital letter, number or special character as a minimum level for complexity – anyone could guess this password, or run a simple dictionary attack to try to get in.
Next I thought I’d try testing for a weak lockout mechanism.
I logged out as firstname.lastname@example.org and tried to log back in with an incorrect password. I hit the login button and was met with a prompt “incorrect username or password”, so I tried it again, then hit the login button 145 times and still didn’t get locked out (or at least it appeared that I didn’t get locked out). If the app is locking me out without me seeing it, and sends an alert that someone has tried to login 147 times with the same password within 2 mins – great! If there has been no attempt to lock me out, and there has been no notification – not so great. This leaves the door open to a brute force attack.
I also noticed that when I had the developer tools open while I was trying to log in, and I received a 401 error against the login request, it would show the attempted password in plain text. I tried this again using the correct password and could see it clear as day; it would be very easy for an attacker to intercept a legitimate login attempt and hijack a user’s login.
This quick test took about 10 mins and already highlighted some pretty basic oversights.
This was the JuiceShop, so it really was low-hanging fruit, but I’m new at this and wanted to see how to find some vulnerabilities first hand.
I’d recommend having a play in the JuiceShop and trying to work your way through the OWASP Checklist (or having a look at the pwning the juiceshop guide).
Thanks for reading my post and following my progress through the 30 Days of Security Testing.
Feel like joining in? Sign into the WeTest Slack group and get involved!