About The Client

The client was a start-up company focusing on business data and documents. Their primary product was a secure web app which allowed businesses to liaise with service industry professionals, such as solicitors, accountancy firms and business management companies. The web app allowed companies and their service providers to create, edit and share various documents necessary for general company operation.

Project Brief

This report details the results of penetration testing on the beta-test.example.co.uk host. Only resources directly served by this host have been considered in scope for this test. Other systems that this host depends on are mentioned for completeness, but no direct penetration tests have been performed against them.

Vulnerabilities Discovered

Forensic Analysis

The beta-test.example.co.uk server has an IP address of [REDACTED] which has the reverse DNS hostname [REDACTED]. The server is situated in the City of London in the [REDACTED] data centre.

The server exposes the following open ports, running the software identified below:

  • SSH: 22/tcp, OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
  • HTTP: 80/tcp, nginx 1.13.3
  • HTTPS: 443/tcp, nginx 1.13.3 (SSL certificate common name: beta-test.example.co.uk, 2017-12-11 to 2018-03-11, issued by Let’s Encrypt CA)

From the list of open ports, the server has been identified as running Ubuntu Linux. The system consists of the following main components:

  • A web-based admin interface requiring authentication via a login page and authenticated session. Based on various responses, this appears to be running using the Laravel PHP framework.
  • A JSON RESTful API containing both authenticated and unauthenticated routes.
  • A set of OAuth2 routes allowing a user to request a bearer token for access to the RESTful API. This system probably uses Laravel Passport.

Reference processing makes use of the Envestnet Yodlee API (https://developer.yodlee.com/Yodlee_API).

Exploitable Application Routes

The following routes all return an HTTP 500 (Internal Server Error) response. The application appears to be running in production mode, so no sensitive information is leaked via error messages or exception stack traces, which is good. However, the fact that these requests cause an unhandled error, aborting the request, indicates that the underlying code paths are not validating their input and are therefore potentially exploitable.

  • GET /api/reference/identity/[ID_GOES_HERE]
  • GET /reference/[ID_GOES_HERE]
  • GET /reference/process/[ID_GOES_HERE]
  • GET /test2
  • HEAD /api/reference/identity/[ID_GOES_HERE]
  • POST /api/reference
  • POST /api/reference/response/[ID_GOES_HERE]
  • POST /api/reference/transactions/[ID_GOES_HERE]
  • POST /replace
  • POST /test

Requests to GET /reference/[ID_GOES_HERE] return generated HTML detailing the reference specified by the ID. Within these pages, some PHP variables appear to be output directly, such as a PHP array in the case of “Aliases”. These values appear to be written to the HTTP response without proper escaping, which means that this page could be vulnerable to XSS attacks. For example, if an attacker could control what appears in one of these array elements, they could cause the browser displaying it to evaluate arbitrary HTML and JavaScript. This could be used to perform common XSS attacks such as cookie stealing, allowing the attacker to assume the role of the user viewing the record (privilege escalation).
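The escaping point above, as an added illustration rather than the client's code: a vulnerable renderer that concatenates the “Aliases” array straight into the response, beside a hardened one that escapes each element. The function names and the sample alias list are constructed for the example; in a Laravel Blade template the same distinction is `{!! $alias !!}` (raw) versus `{{ $alias }}` (escaped).

```php
<?php
// Added example, not code from the client's application.
// Shows why every element of a PHP array must be escaped before it is
// written into HTML.

declare(strict_types=1);

/** Escape one value for use inside an HTML text node or quoted attribute. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable: array elements are written into the response as-is. */
function renderAliasesUnsafe(array $aliases): string
{
    $items = array_map(fn (string $a): string => "<li>$a</li>", $aliases);
    return '<ul>' . implode('', $items) . '</ul>';
}

/** Hardened: every element is escaped before it reaches the response. */
function renderAliasesSafe(array $aliases): string
{
    $items = array_map(fn (string $a): string => '<li>' . escapeHtml($a) . '</li>', $aliases);
    return '<ul>' . implode('', $items) . '</ul>';
}

// Constructed sample input: one alias that happens to contain markup,
// as could arrive from any field an external party controls.
$aliases = ['Acme Ltd', '<script>/* injected */</script>'];

echo renderAliasesUnsafe($aliases), PHP_EOL; // the <script> element survives and the browser would run it
echo renderAliasesSafe($aliases), PHP_EOL;   // the browser receives &lt;script&gt;... and shows it as text
```

Reviewing a template for this issue comes down to finding every place a value reaches the response without passing through the escaped form; any array that is dumped with `print_r`, `var_export` or string interpolation needs the per-element treatment shown in `renderAliasesSafe`.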

The form displayed at GET /replace contains a field used for uploading a file containing “xmlTransactions”. Posting this form returns an HTTP 500 error (mentioned above), so no further testing could be carried out. However, this form could provide the following attack vectors if not properly implemented:

  • Arbitrary file uploads: the form handler must ensure that uploaded files are in XML format.
  • Arbitrary file size uploads: the form handler should ensure that files are limited to a suitable size, otherwise an attacker could upload large files and potentially cause denial of service or undesired costs.
  • Path traversal: the form handler should properly sanitise the uploaded file name, ideally storing the file in a fixed location and with a generated name. If not performed correctly, an attacker might be able to upload files to arbitrary locations on the server, potentially overwriting existing files or allowing a script under their control to be executed.
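An added example of an upload handler that addresses all three points above (format, size and path traversal). This is illustrative code, not the client's handler: the upload directory, the size cap, the expected root element name `transactions` and the function name `storeXmlUpload` are all assumptions; the field name `xmlTransactions` is taken from the form described above.

```php
<?php
// Added example, not code from the client's application.
// Handles the "xmlTransactions" upload: verifies the content is XML,
// enforces a size limit, and stores the file under a generated name in a
// fixed directory so the client-supplied file name is never used.

declare(strict_types=1);

const UPLOAD_DIR      = '/var/app/uploads/xml';   // fixed location outside the web root (assumed path)
const MAX_UPLOAD_SIZE = 2 * 1024 * 1024;          // 2 MiB cap (assumed limit)
const EXPECTED_ROOT   = 'transactions';           // expected root element (assumed)

/**
 * Validate one entry of $_FILES and move it into UPLOAD_DIR.
 * Returns the stored path, or throws a RuntimeException on any failure.
 */
function storeXmlUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) $file['error']);
    }
    // Only accept a file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Size: measure the bytes on disk rather than trusting any client-supplied header.
    if (filesize($file['tmp_name']) > MAX_UPLOAD_SIZE) {
        throw new RuntimeException('File exceeds the permitted size');
    }
    // Format: parse the content instead of trusting the extension or MIME type.
    // LIBXML_NONET stops the parser fetching anything over the network, and
    // LIBXML_NOENT is deliberately not passed, so entities are not substituted.
    $xml  = file_get_contents($file['tmp_name']);
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($doc === false || $doc->getName() !== EXPECTED_ROOT) {
        throw new RuntimeException('File is not a well-formed transactions XML document');
    }
    // Path traversal: ignore $file['name'] entirely and generate the stored name.
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.xml';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store uploaded file');
    }
    return $dest;
}

// Usage inside the POST /replace handler:
// $storedPath = storeXmlUpload($_FILES['xmlTransactions']);
```

The handler-level size check is a second line of defence; `upload_max_filesize` and `post_max_size` in php.ini should also be set low enough that PHP rejects oversized request bodies before the application code runs. Returning a clear 4xx response from these failure branches, rather than letting them fall through to the HTTP 500 observed during testing, also makes legitimate client errors distinguishable from server faults in the logs.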

Information Disclosure Vulnerabilities

The GET /api/reference/linkaccount/[ID_GOES_HERE]/ route returns a page containing a form which submits to [REDACTED]/authenticate/private-uksandbox60/?channelAppName=[REDACTED]. The form is hidden from view but contains the following fields:

  • app: [REDACTED]
  • rsession: [REDACTED]
  • token: [REDACTED]
  • redirectReq: true
  • extraParams: callback=https://beta-test.example.co.uk/api/reference/linkaccount/callback/[ID_GOES_HERE]

These values are visible to authenticated users, so they need to be checked to make sure they are not sensitive in nature.

The page returned when posting the above form also contains a large amount of potentially sensitive information, such as IDs (appId, channelId, brand, id) as well as some keys ([REDACTED]). Again, care needs to be taken to ensure that none of this information can be used maliciously, as it is available to any authenticated user. As this server is out of the scope of this test, no further investigation has been undertaken at this time.

The GET /api/banks route is accessible without authentication. This is probably by design but should be double checked to make sure that no sensitive information is being given to unauthenticated users.

Conclusions and Following Steps

The new Movem website was far more usable and attractive to users, providing a much better range of tools with which to review previously rented houses and to identify potential new houses which match their rental requirements. This was reflected in the increased number of visitors and housing reviews which appeared on the new site, and Movem was able to make the leap from being a student-focused property site into a mainstream general lettings site. Movem has also managed to further raise a number of investment rounds – including two rounds of crowdfunding – which stands as a testament to the trust and interest which the site has built with its user base and the wider public.
