Shiparc Web App Security Assessment

Questions and Answers

During a penetration test, a security engineer identifies that an application transmits sensitive data, such as login credentials, in clear text. What is the most effective remediation strategy to address this vulnerability?

  • Implement rate limiting on login attempts to reduce the risk of brute-force attacks.
  • Regularly change default encryption keys.
  • Enforce HTTPS and utilize strong encryption protocols. (correct)
  • Implement a Web Application Firewall with default settings.

An attacker exploits a file upload vulnerability by uploading a malicious SVG file. Which of the following security measures would be MOST effective in preventing cross-site scripting (XSS) attacks in this scenario?

  • Implementing a strict password policy to prevent unauthorized file uploads.
  • Sanitizing filenames, validating file content, and storing user-uploaded files outside the web root. (correct)
  • Enabling HTTP Strict Transport Security (HSTS) to ensure secure connections.
  • Limiting the frequency of file uploads per user to prevent abuse.

A penetration tester discovers that the application's logout mechanism does not invalidate session tokens on the server-side. What potential impact does this pose to users?

  • Compromised session tokens could be reused by attackers, leading to unauthorized access even after logout. (correct)
  • The application's performance will be degraded due to increased server load.
  • Users will be unable to log back into the application after logging out.
  • Users will experience a slight delay when logging out of the application.

An organization discovers it is running an outdated version of Nginx (1.18.0). What is the MOST significant risk associated with this situation?

  • Exposure to known vulnerabilities that could be exploited by attackers. (D, correct)

A security analyst observes that the web application’s API responses include internal IP addresses. What is the potential risk associated with this?

  • It could lead to potential exposure of sensitive data and help threat actors map internal infrastructure. (A, correct)

Flashcards

HTTP Strict Transport Security (HSTS)

Enforces HTTPS connections, instructing browsers to reject HTTP requests.

Cross-Origin Resource Sharing (CORS)

Controls how web applications interact with resources from different origins.

Session Fixation

Occurs when an attacker forces a user to use a predetermined session ID.

Email Spoofing

Used by attackers to forge email headers, making it appear legitimate.


File Upload Vulnerability

Occurs when web application allows users to upload files without proper validation.


Study Notes

General Details

  • Greenfield Marine Technologies' Shiparc Web App underwent a Web Application Vulnerability Assessment & Penetration Testing led by Vies Consulting Pvt Ltd.
  • A disclaimer prohibits using the report for purposes other than those stipulated by the work order.
  • The report is valid as of Feb 27, 2025, with any vulnerabilities discovered after that date not covered.
  • Configuration changes may impact the security posture and invalidate the report.
  • The OWASP Top 10 Web (2021) and OWASP Top 10 API (2023) standards were followed.
  • The web application was tested using Company Admin, Vessel Admin, Management User, and Crew User web access.
  • The tools used were Kali Linux, Burp Suite Community Edition, and OWASP ZAP.
  • Procedures performed were Web Portal Information Gathering, Vulnerability Assessment, and Vulnerability Exploring / Penetration Testing.

Vulnerability Findings

  • Time Based SQL Injection: Critical
  • Session Fixation leads to Vertical Privilege Escalation: Critical
  • File Upload leads to XSS: High
  • Internal IP Disclosure: High
  • Clear Text Transmission: High
  • Broken Authentication and Session Management: High
  • Arbitrary File Upload: High
  • Session Fixation: High
  • Weak Logout Mechanism: Medium
  • Email Spoofing: Medium
  • No Rate Limit on Contact Us: Medium
  • Exif Geo Location: Medium
  • Missing HTTP Strict Transport Security Header: Low
  • Failure to Invalidate Session After Password Change: Low
  • CORS Misconfiguration: Low
  • Vulnerable and Outdated Components in Use (Nginx 1.18.0): Low
  • Missing Security Headers: Low

Time Based SQL Injection

  • A SQL Injection vulnerability exists in the vesselId parameter of the API endpoint: /api/admin/reports/dashboard/app/home-reports.
  • The application fails to sanitize user input, allowing malicious SQL queries, confirmed using Burp Suite Repeater and SQLmap.
  • Data Exfiltration, Authentication Bypass, Database Corruption, and Denial of Service (DoS) are potential impacts.
  • Prevent SQL injection by using prepared statements with parameterized queries.
  • Block SQL injection attempts in real time using a Web Application Firewall (WAF).
  • Limit database privileges so that a successful injection causes minimal damage.
  • Monitor query execution time to detect unusual delays that may indicate time-based injection attempts.
  • During testing, a 5-second delay in the response was observed.

Session Fixation Leads to Vertical Privilege Escalation

  • Session Fixation allows an attacker to hijack a user session by forcing them to use a predetermined session ID.
  • Attackers bypass authentication and escalate privileges if session tokens don't regenerate after authentication.
  • Admin Access, Sensitive Data Exposure, Configuration Manipulation, and Reputation and Compliance Risks are potential impacts.
  • Regenerate Session IDs on login by ensuring new session tokens are assigned after authentication.
  • Use Secure Session Cookies by enabling attributes for HttpOnly, Secure, and SameSite.
  • Implement Role-Based Access Control (RBAC) to restrict privilege escalation paths.
  • Enforce Session Expiry and Logout by automatically expiring inactive sessions and forcing reauthentication.

File Upload Leads to Cross Site Scripting

  • XSS vulnerability exists in the application if file uploads are allowed without proper validation or sanitization.
  • Exploiting this allows for execution of arbitrary scripts in the context of the victim's browser when viewing malicious files.
  • Session Hijacking, Data Theft, Website Defacement, Malware Distribution, and Unauthorized Access are potential impacts.
  • Mitigations include strict file validation, sanitizing filenames and content, storing files outside the web root, using Content Security Policy (CSP), limiting file permissions, and regular security testing.

Internal IP Disclosure

  • Internal IP Disclosure occurs when an application inadvertently exposes internal IP addresses through error messages, HTTP headers, or application responses.
  • Attackers can map the internal network, identify targets, and exploit misconfigurations within the infrastructure.
  • Network Reconnaissance, Targeted Exploitation, SSRF and Lateral Movement, and Compliance Risks are potential impacts.
  • Remove or obfuscate IP addresses in application responses and error messages.
  • Use Web Application Firewalls (WAF) to prevent information leakage through filtering rules.
  • Disable verbose error messages in production environments.
  • Implement VPNs and access controls to limit exposure, securing internal Network Access.
  • The IP address details of shiparc.ai are publicly visible on shodan.io.

Clear Text Transmission

  • Clear text transmission occurs when sensitive data is transmitted without encryption, exposing it to interception.
  • Data Interception, Man-in-the-Middle (MITM) Attacks, Identity Theft, Loss of Data Integrity, and Regulatory Non-Compliance are potential impacts.
  • Enforce HTTPS Everywhere, use Strong Encryption Protocols, implement HTTP Strict Transport Security (HSTS), encrypt sensitive data end-to-end, and regularly monitor and update certificates.
  • The login request had credentials in plain text.

Broken Authentication and Session Management

  • This occurs when an application fails to properly secure user authentication and session handling mechanisms.
  • Account Compromise, Session Hijacking, Privilege Escalation, and Reputation Damage are potential impacts.
  • Implementing multi-factor authentication (MFA), using secure session tokens with proper expiration and invalidation, preventing brute-force attacks using account lockouts and CAPTCHA, securely storing passwords, and enforcing HTTPS with secure TLS configurations can remediate the vulnerability.

Arbitrary File Upload

  • Allowing file uploads without validating type, content, or execution permissions can lead to remote code execution (RCE).
  • Remote Code Execution (RCE), Complete Server Compromise, Privilege Escalation, Data Breach & Exfiltration, and Denial-of-Service (DoS) are potential impacts.
  • Restrict file types, use MIME type & magic number validation, store files securely, rename uploaded files, disable execution in upload directory, implement size limits, and use strong authentication & access controls.

Session Fixation

  • An attacker forces a user to use a predetermined session ID, so they take over the session once the victim logs in.
  • Session Hijacking, Unauthorized Access, Privilege Escalation, and Data Theft and Manipulation are potential impacts.
  • Remediation: generate a new session ID upon user authentication; store session IDs only in secure cookies with the HttpOnly, Secure, and SameSite attributes; and enforce session expiry by implementing session timeouts and automatic logout mechanisms.

Weak Logout Mechanism

  • A weak logout mechanism is a failure to properly terminate user sessions.
  • Session Hijacking, Unauthorized Access, Data Leakage, and Compliance Risks are potential impacts.
  • Invalidate sessions on logout by destroying session tokens on both the server and client side.
  • Remediation also includes implementing proper token expiry and enforcing logout across devices.

Email Spoofing

  • Attackers forge email headers, making it appear as though the email comes from a legitimate source.
  • Remediation: implement and enforce SPF, DKIM, and DMARC; enable email filtering; train users; and monitor email logs.
  • Testing showed that emails could be received at temporary email addresses, as no DMARC or MX records are configured for "[email protected]".

No Rate Limit on Contact Us

  • Attackers can abuse the "Contact Us" page to flood the system with bulk messages, perform email enumeration, or even launch denial-of-service (DoS) attacks.
  • Remediation: use CAPTCHA or reCAPTCHA, enable email verification, monitor and block abusive IPs, and implement rate limiting.

Exif Geo Location

  • Images retain the latitude and longitude coordinates of where the photo was taken in their Exchangeable Image File Format (EXIF) metadata.
  • Privacy violation: users' exact locations can be exposed unintentionally. Targeted attacks: attackers can track individuals based on image locations. Corporate espionage and compliance risks: sensitive locations of businesses or facilities may be leaked.
  • Remediation: strip EXIF data, disable geotagging, implement server-side EXIF removal for user-uploaded content, and educate users.

Missing HTTP Strict Transport Security Header

  • Without an HSTS header, attackers can perform man-in-the-middle (MITM) attacks and downgrade the connection to HTTP, leading to potential data interception, credential theft, and unauthorized modification of sensitive information.
  • Remediation: enable the HSTS header, register the domain for HSTS preloading in browsers, and redirect HTTP to HTTPS.

Failure to Invalidate Session After Password Change

  • This allows attackers to continue accessing the user's account with a stolen session token even after the password is updated.
  • Remediation: implement session invalidation, re-authentication, session management, and security testing; and notify users.

CORS Misconfiguration

  • When the server improperly allows cross-origin requests, it can expose sensitive data to unauthorized third parties.
  • Mitigation: restrict allowed origins, implement proper server-side checks for allowed origins, validate Origin headers, and use secure HTTP methods.

Vulnerable and Outdated Components in Use (Nginx 1.18.0)

  • Attackers could exploit known vulnerabilities in this outdated version to perform remote code execution (RCE), launch denial-of-service (DoS) attacks, or bypass security restrictions.
  • Remediation: upgrade to the latest stable version, enable automatic security updates, restrict server exposure, and monitor CVEs.

Missing Security Headers

  • Without a Content Security Policy (CSP), attackers can inject malicious scripts; without X-Frame-Options, attackers can embed the site in iframes for clickjacking and phishing.
  • Remediation: implement Content Security Policy (CSP), use X-Frame-Options, enable X-Content-Type-Options, and set Referrer-Policy.

Conclusion

  • The web app is vulnerable to the issues listed above, which a threat actor with knowledge of the web app's activity flow can exploit to bypass its security mechanisms, obtain vital information, and disrupt the workflow.
  • Apply logical security patches to mitigate the vulnerabilities and maintain readiness for subsequent assessments.
  • There are no general recommendations at the time of writing.
