As it did last year, the PHDays forum on information security hosted WAF Bypass this year as well. The contest's participants tried to bypass the protection of PT Application Firewall, Positive Technologies' product. For this contest, the organizers developed the site Choo Roads, which contained common vulnerabilities, such as Cross-Site Scripting, SQL Injection, XML External Entities Injection, Open Redirect. Upon exploiting one of the vulnerabilities, a participant obtained a flag in the MD5 format and gained points. MD5 flags could be found in the file system, database, and cookie parameters and detected by a special bot that was developed by using Selenium.
Warmup
The vulnerability was in the script that tracked user activity on the site.
POST /online.php HTTP/1.1
Host: choo-choo.phdays.com
Connection: keep-alive
Content-Length: 24
Content-Type: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36
{"timestamp":1432906707}
Timestamp field values from the JSON data in the POST request were not validated before using them in the SQL request:
The site had a form for searching tickets by forming XML and sending the request to the back end.
The vulnerability was in the "to" parameter of the script redirect.php. The flag was sent to fragment portions of URL where the redirection was executed, i.e. it wasn't sent to the server end. To get the flag, you should send the bot to another site with a page that could retrieve the value from location.hash and send it to the logger.
Bypassing options:
http://choo-choo.phdays.com/redirect.php?to=phdays.com:asd@host.com
http://choo-choo.phdays.com/redirect.php?to=http://ahack.ru%23.phdays.com/
http://choo-choo.phdays.com/redirect.php to=http%3a//www.samincube.com%3f\..\\www.phdays.com
XML External Entities Injection
The script that handled XML data was vulnerable to XXE. Bypassing required using of the external entity in the parameter entity:
The vulnerability was in the site's search page. To obtain the flag, you could send the bot's cookies to the site. Bypassing required using non-standard tag attributes that are processed by bootstrap-validator allowing executing the JS code:
Results
The winner of the contest is bushwhackers: Georgy Noseevich, Andrey Petukhov, and Alexander Razdobarov. The team solved all the tasks during the first day! (They won the last year's competition as well.) Mikhail Stepankin (ArtSploit) took second place, Eldar Zaitov (kyprizel) was the third. The winner received an iPad Air 2; a Sony Xperia Z3 went to the second place team; the third place team received a license for Burp Suite Professional.
During the contest, 271,390 requests were blocked (twice as many as during the last year's contest). This time, 302 contestants registered (compared to 101 last year). Only 18 participants managed to capture at least one flag.
Thanks to everyone who took part in the contest.
In my view, the last PHDays forum was quite successful. I discover a lot of innovate thing and receptions about software security and other stuff. Whats about general vulnerability I make some nice schemes, dissertation editing - they there. Thanks for nice photos!
ReplyDeleteNeed good health studies advice. I think i can help you with it.
ReplyDeleteI don't need help writing a paper but I always look for someone who can help me with the script. It's such a trouble for me.
ReplyDeleteStudyBay.com academic writing platform is actually owned by Edutec Limited - company registered in Malta. Despite this, there is reason to believe this is a Russian business. If you want to find info about “is studybay legit”, welcome to Scamfighter.
ReplyDeleteAlthough those who major in one of the physical sciences have an equal chance of acceptance when compared with “pre-pharmacy” students, pharmacy schools want to see evidence of a real interest in pharmaceuticals and the practice of the profession. A real interest is often due to a real interest in people, as pharmacists are in positions to education and influence patients. There is always the consideration of job security, but no one really goes to pharmacy school these days to become rich. There are easier ways to do that, like the entertainment industry or business administration. Make sure your reason for attending is the right reason. Click https://nursingessaywriting.com/pharmacy-personal-statement for detailed information.
ReplyDeleteAll Assignment Help review
ReplyDeleteMost of the students who look for an academic writing solution simply search for such on a site on the most widely used search engine and select anyone firm from the top websites there.But little do they know that going through a review of such websites will give you much insight about it which you can’t know by simply visiting it.
Need My Assignment Help ? Assignment help Provide best all Assignment Help to the student at cheapest cost.
ReplyDeleteAvail the MBA assignment help services from Students Assignment Help by our expert writers who are proficient in writing Assignments. We cater assignment writing help to meet your requirements. We deliver all the academic writing works on time.
ReplyDeleteThis is a wonderful constrain. I enjoyed the accruement lot. I acquisition scoring this communicator. Thanks for cropped this mensurable nub.
ReplyDeleteThe Apple has a pool of applications for its gadgets, and the vast majority of them will be on it as it were. imessage for pc, imessage for android The applications which are found in the iTunes store are extraordinarily implied for the Apple gadgets like iPhone, iPad or Mac.
ReplyDeleteI think this will surely helps students to make their work easily those who wants to start their career in this field and writing assignment services online is always appreciate the work which is related to students and for their better future.
ReplyDelete