Your goal in this challenge is to identify, execute, and document web vulnerabilities found within this application. The goal of the challenge is to write a report identifying the vulnerabilities you discovered. At a minimum, you should include a description and demonstration of the exploit. Feel free to include screenshots, payloads, code snippets, and any other supporting assets to better describe and demonstrate the vulnerability.
Below is a list of known vulnerabilities within the application, although there are almost certainly additional vulnerabilities beyond this list. For each class of vulnerability, we have included various goals for you to achieve in demonstrating the exploits possible with the vulnerability. These are categorized by their relative difficulty to execute.
You do not have to achieve every goal on the list, nor do you need to discover every vulnerability. Do your best; if you get stuck, move on to another task. The quality and substance of your report is more important than achieving 100% of the goals listed here. Limit yourself to around 5-10 hours of effort for this challenge.
The application has grossly insufficient authorization and access controls in place. Combined with easily predictable IDs, it is trivial to modify the content of other users.
- Level 1: Identify an action in the app which has insufficient access control.
- Level 2: Demonstrate how a user can edit the content of another user.
- Level 3: Demonstrate an exploit of the weakly designed interface which will allow the edit and delete action buttons to be revealed for all posts.
- Level 4: Demonstrate an in-browser script which will iterate over and delete all posts.
- Level 5: Provide recommendations on how this application's access control can be improved.
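As an added example (not the challenge application's own code), the server-side ownership check that Level 5 asks for: the `user` {id, role} and `post` {id, authorId} shapes, the role names and the handler signature are assumptions.

```javascript
// Added example (not the challenge app's code): server-side authorization for
// post edit/delete. The `user` {id, role} and `post` {id, authorId} shapes,
// the role names and the handler signature are assumptions.
const ROLES = { subscriber: 0, author: 1, editor: 2, admin: 3 };

// True only when the caller may modify the post. Hiding the edit/delete buttons
// in the UI is not a control; this check must run on every mutating request.
function canModifyPost(user, post) {
  if (!user || !post || user.id == null || post.authorId == null) return false;
  const level = ROLES[user.role];
  if (level === undefined) return false;            // unknown role: deny
  if (level >= ROLES.editor) return true;           // editors/admins moderate all posts
  if (level >= ROLES.author) return Number(post.authorId) === Number(user.id);
  return false;                                     // subscribers are read-only
}

// Express-style handler factory returning {status, body} so the decision is
// testable without a server. `findPost`/`removePost` are injected store callbacks.
function deletePostHandler(findPost, removePost) {
  return function handle(req) {
    const post = findPost(req.params.id);
    if (!post) return { status: 404, body: 'not found' };
    if (!canModifyPost(req.user, post)) {
      // Worth logging: a burst of 403s across sequential IDs from one session
      // is what the bulk-delete behaviour in Level 4 looks like server-side.
      return { status: 403, body: 'forbidden' };
    }
    removePost(post.id);
    return { status: 204, body: '' };
  };
}

// Constructed in-memory store for a stand-alone run.
const posts = new Map([[1, { id: 1, authorId: 10 }], [2, { id: 2, authorId: 11 }]]);
const deletePost = deletePostHandler(
  (id) => posts.get(Number(id)),
  (id) => posts.delete(id)
);
```

Because the decision lives in one function called by the handler, the same check can guard the edit route and the template logic that decides whether to render the buttons at all.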
All newly registered users should be created as Subscribers, which gives them read-only access to the app. However, the Register / Create Account screen is vulnerable to parameter pollution, which can allow users to give themselves any access role level.
- Level 1: Demonstrate parameter pollution on the register page.
- Level 2: Demonstrate how to register a new user with elevated privileges.
- Level 3: Identify another instance of parameter pollution vulnerability within the application.
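An added example (not the challenge application's code) of how the registration handler can be hardened against the parameter pollution described above; field names, role names and the parsed `req.body` shape are assumptions.

```javascript
// Added example (not the challenge app's code) of a registration handler that
// resists parameter pollution and role escalation. Field names, role names and
// the parsed `req.body` shape are assumptions.
const DEFAULT_ROLE = 'subscriber';
const ALLOWED_FIELDS = ['username', 'email', 'password'];

// The pattern the challenge describes: every submitted field, `role` included,
// is copied onto the new account. Kept here only for contrast with the fix.
function buildUserUnsafe(body) {
  return Object.assign({ role: DEFAULT_ROLE }, body);
}

// Hardened builder: a fixed allow-list, exactly one string per field, and the
// role set by the server no matter what the client sends.
function buildUserSafe(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new TypeError('registration body must be a JSON object');
  }
  const user = { role: DEFAULT_ROLE };
  for (const field of ALLOWED_FIELDS) {
    const value = body[field];
    // Repeated form/query keys (username=a&username=b) arrive as arrays from the
    // usual body parsers; refuse them rather than silently taking one element.
    if (Array.isArray(value)) throw new TypeError(`duplicate parameter: ${field}`);
    if (typeof value !== 'string' || value.trim() === '') {
      throw new TypeError(`missing or invalid parameter: ${field}`);
    }
    user[field] = value;
  }
  return user; // unknown keys such as `role` or `isAdmin` never reach here
}

// Constructed request bodies: a normal sign-up and three polluted variants.
const normalBody = { username: 'alice', email: 'alice@example.test', password: 'correct horse' };
const pollutedRole = { ...normalBody, role: 'admin' };
const duplicatedRole = { ...normalBody, role: ['subscriber', 'admin'] };
const duplicatedUsername = { ...normalBody, username: ['alice', 'admin'] };
```

Any later role change should go through a separate, admin-only endpoint with its own authorization check rather than through the account record the user submits.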
The application contains at least one SQL injection vulnerability.
- Level 1: Identify the SQL injection vulnerability within the application.
- Level 2: Demonstrate a SQL injection exploit on the application and document your injection strategy and payload.
- Level 3: Identify the section of code which introduces this vulnerability.
- Level 4: Demonstrate a SQL injection exploit which causes permanent damage to the application database.
- Level 5: Recommend improvements to the application which would reduce or prevent the vulnerabilities discovered.
The application is vulnerable to multiple XSS attack vectors.
- Level 1: Identify an XSS attack vector and demonstrate a basic XSS exploit.
- Level 2: Demonstrate a non-persistent XSS attack.
- Level 3: Demonstrate a persistent XSS attack.
- Level 4: Demonstrate an XSS attack which logs the user out of the application.
- Level 5: Demonstrate an XSS attack which alters user or post data.
- Level 6: Recommend improvements to the application which would reduce or prevent the vulnerabilities discovered.
The application uses signed session payloads to prevent session hijacking. However, let's simulate the case where the session secret is too easy to guess. The session secret can be found in the .env file.
- Level 1: Identify the mechanism used to store user sessions (i.e. LocalStorage, SessionStorage, cookies, JWT tokens, etc.)
- Level 2: Document the deobfuscated session payload.
- Level 3: Demonstrate how Session Replay can be executed if you have access to the session payload.
- Level 4: Document how to modify and resign the session payload using the "discovered" secret.
- Level 5: Use a modified session payload to impersonate another user.
- Level 6: Recommend improvements to the application which would reduce or prevent the vulnerabilities discovered.
The application contains a timing-based vulnerability which can be used to determine sensitive information.
- Level 1: Identify the part of the application which contains a timing-based vulnerability and identify the specific information it is leaking to attackers.
- Level 2: Demonstrate the timing attack and use it to show how sensitive information can be obtained.
- Level 3: Recommend improvements to the application which would reduce or prevent the vulnerabilities discovered.
This application has been infected with malicious code which has been cleverly hidden and obfuscated.
- Level 1: Identify any indication of the malicious code in action.
- Level 2: Explain what the malicious code is doing and what information it is stealing.
- Level 3: Identify any parts of the injected malicious code within the application's codebase.
- Level 4: Document and explain the complete workflow of the malicious code. Include code snippets of all malicious code payloads.