Script Injection


(Daniel Baldwin) #1

Hi All,

Bit of an odd one. I have noted within the web application created by my employer that I can do script injections. Now, I am a regular tester, but I decided to have a play with this awesome list of strings that can help to uncover security vulnerabilities in a system - https://github.com/minimaxir/big-list-of-naughty-strings

Unfortunately one actually worked so I immediately raised this to my boss but it has been swept under the rug as a “Well it hasn’t been a problem for the last ten years, so we will fix it eventually”… That worries me and I feel they don’t understand the full gravity of the situation.

Now, I’m not one to let this drop just yet, so is there a string I could input that will highlight the vulnerability of the site in a way they may understand? I have shown them <plaintext> (remove the *'s of course). Is there a way of capturing the data on the page and downloading it into a text file or something similar to show this is serious?

Apologies, I only know Python surrounding Selenium so I have no idea where to start with JavaScript in order to do this…

Just to clarify, I’m not looking to break the site, I am the sole tester on the site and this is an isolated test site contained on my local machine so will not impact live or other users. I am just wanting to highlight this as a more serious issue.

If you have gotten this far through my essay, thank you.
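As an added example that is not part of the original post: since the poster knows Python, one way to turn the `<plaintext>` finding into a repeatable regression check is a small function that flags any probe string reflected into the page without HTML encoding, shown here against a constructed vulnerable renderer and its escaped counterpart (both are stand-ins written for this example, not the employer's application).

```python
import html

# Constructed probe strings in the spirit of the big-list-of-naughty-strings
# (written for this example, not copied from the list).
PROBES = [
    "<plaintext>",
    "<b>bold</b>",
    '"><i>x</i>',
]


def render_vulnerable(value: str) -> str:
    """Stand-in for the affected page: the submitted value is pasted into HTML as-is."""
    return f'<span class="name">{value}</span>'


def render_fixed(value: str) -> str:
    """Hardened stand-in: the value is HTML-encoded before it reaches the page."""
    return f'<span class="name">{html.escape(value, quote=True)}</span>'


def is_reflected_raw(page_source: str, value: str) -> bool:
    """True when a probe containing markup characters survives verbatim in the page.

    A correctly encoded page carries html.escape(value) instead, so the raw
    probe (with its '<', '>' or '"') must not appear unchanged in the output.
    Probes without special characters can never be "raw" and return False.
    """
    escaped = html.escape(value, quote=True)
    return escaped != value and value in page_source


def audit(render) -> list:
    """Return the probes that a given renderer reflects without encoding.

    An empty list is the pass condition for a regression test; anything else
    lists exactly which inputs the page still echoes as live markup.
    """
    return [probe for probe in PROBES if is_reflected_raw(render(probe), probe)]


if __name__ == "__main__":
    print("vulnerable renderer reflects:", audit(render_vulnerable))
    print("fixed renderer reflects:     ", audit(render_fixed))
```

With Selenium (an assumption about the poster's setup), `page_source` would be `driver.page_source` read after submitting each probe; because the browser re-serializes the DOM, comparing against the raw HTTP response body is more reliable where it is available.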


(Joe) #2

Hello @danbaldwin!

One approach might be to phrase the issue (and it is a serious issue) in business terms.

Your description above tells me that a vulnerability exists when a certain string is submitted to a page. What might happen if you phrased the same issue as (I’m making this up!):

“When a user submits this string to the site, they have direct access to the database where they can read data from other users. This compromises our agreement with our users to maintain their privacy, and the information could be used to steal identities. Lastly, news of this could damage our reputation.”

That, in my opinion, would be a business issue.

Joe


(Daniel Baldwin) #3

Hey @devtotest,

Believe me, I have tried… The initial response was that you have to physically log in to the site to be able to do it… True, yes, but what if the end user was deliberately trying to be malicious? Then the following was the one I put above.

I think they need to see physical evidence of it dumping information out of the platform. I have attempted a simple SQL dump of tables, but fortunately for them it does stop this, because that could have been a “biggie”.

Thanks for the advice!


(Joe) #4

Hello @danbaldwin!

I thought you might have pursued the suggestion already - good job!

As you know, we (the Testers we) find many defects in products that we dutifully log. In that log, we present the information as objectively as possible and record possible business impact. We have no influence past the record of the defect which, in this case, is frustrating (possibly profoundly frustrating). We can raise awareness to project managers and product owners as respectfully as we can. For all that, someone else decides what is a priority.

It seems like you might eventually succeed in finding damaging evidence which becomes part of the defect and could raise its priority. I encourage you to do so! I’ve found Pen testing to be complex and I have appreciated working with people skilled in that area. Perhaps consulting with someone in Pen testing could speed your quest?

Joe


(Daniel Baldwin) #5

Fingers crossed I do find something that makes the priority go up; unfortunately we don’t have any in-house pen testers here (only a small company), so I can’t consult anyone internally on this. Fingers crossed someone with experience sees this post and may be able to shed some light on how I can proceed with this :slight_smile:

Thanks Joe!


(Janet) #6

Hi danbaldwin,

Totally understand your frustration.
I am not a security tester, but a test manager and a person who wants to help get dangerous/expensive bugs fixed.

As far as I understood:
You detected an issue, which can occur only if the user is logged in (enter the string and edit/steal data).

A few questions for your further research (no need to answer them here):

How easy is it to hack yourself into this application? Is there a standard password for the admin? Does the customer's customer service/IT department know this? Is it written in manuals/instructions? Credentials in log files? And so on.

Does your company sell the software to customers? Or does the company operate it?

Does the software store PII data?
If yes: PII issues might get expensive (penalties and loss of reputation).

What would be the worst scenario, in case the application would be hacked? How could we misuse the stolen data? Or is the damage bigger, if data were edited?

You can search the internet for articles about hackers being very successful and about IT admins who “hack” the systems of their former companies. Try to convince them that the last ten years are over…

If they decide not to fix, then it is at least a decision.

Good luck!

PS: Have a look at the club, maybe there is a security tester? club.ministryoftesting.com/c/30-days-of-testing/30-days-of-security-testing

https://sudo.pagerduty.com/for_everyone/ found this in “free security training resources”