A02:2021 – Cryptographic Failures

Challenges

To solve these challenges, we need to manually look inside the requests of SecureBank.


Last updated 2 years ago


CWE-261 Weak Encoding for Password

In the event of a database breach, every user's password is leaked outright: because the server stores passwords in plaintext, the attacker does not even have to brute-force password hashes. Passwords should always be salted and then hashed with a strong, slow password-hashing algorithm, so that a stolen database still protects the users as far as possible.

We can immediately see that we have two network requests in which the user is passed as a parameter.

Get another user available funds

This request accepts a username and returns the balance of that account. By changing the username, we can read the account balance of other users.

Solution

  1. In the request /User/GetAvailbleFunds?user={username}, change the user parameter to another username.

Get another user profile image

In this challenge, you need to get another user's profile image.

Solution

  1. In the request /User/ProfileImage?user={username}, change user to the desired username.

Enumeration of transactions

The project is built on an MVC CRUD pattern. If responses are filtered only on the table page, the individual model views produced by the CRUD pattern may still be enumerable. In our case, transactions in the first table are filtered by the logged-in user, but when we choose an action we notice an ID in the URL. By changing that ID we can enumerate every transaction created in SecureBank.

Solution

  1. Go to /Transaction/Details/{transaction id}

  2. Try to change the transaction id until you get a transaction that belongs to another user.

You will find the flag in the response header.

Path Traversal

Looking further into the requests, we notice that ProfileImage returns a file. Changing the username to a file path immediately produces unusual behavior. Recognizing that this is a .NET Core application, we can try to fetch the appsettings.json file, located at ../appsettings.json or ../../appsettings.json depending on how the application is hosted.

Solution

  1. You know that the application framework is .NET Core, so you are looking for appsettings.json.

  2. Go to /api/User/ProfileImage?user={username} and, depending on how the application is hosted, set user to ../appsettings.json or ../../appsettings.json.

You will find the flag in the response header.
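The two ProfileImage findings above (reading another user's image, and walking out of the image directory) share one fix: take the identity from the authenticated session instead of the query string, and confine the resolved file to the image directory. The ASP.NET Core handler below is an added example written for this page, not SecureBank's own code; the `profile-images` directory, the `.png` naming and the controller route are assumptions.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Added example (not SecureBank's code): a profile-image endpoint that
// (1) takes the user from the authenticated identity, not a ?user= parameter,
// and (2) confines the resolved file to the image directory.
[ApiController]
[Route("api/User")]
[Authorize]
public class ProfileImageController : ControllerBase
{
    // Assumed storage location for profile images.
    private static readonly string ImageRoot =
        Path.GetFullPath(Path.Combine(AppContext.BaseDirectory, "profile-images"));

    [HttpGet("ProfileImage")]
    public IActionResult ProfileImage()
    {
        // Identity comes from the session or token; any query parameter is ignored,
        // which closes the "get another user's image" case.
        string user = User.Identity?.Name ?? string.Empty;
        if (!IsSafeName(user)) return BadRequest();

        // Keep only the file-name part, so directory components cannot survive.
        string fileName = Path.GetFileName(user) + ".png";
        string full = Path.GetFullPath(Path.Combine(ImageRoot, fileName));

        // Defense in depth: the canonical path must still lie under ImageRoot.
        if (!full.StartsWith(ImageRoot + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            return BadRequest();

        if (!System.IO.File.Exists(full)) return NotFound();
        return PhysicalFile(full, "image/png");
    }

    // Allow-list for user names: letters, digits, '.', '_' and '-';
    // no path separators and no ".." sequences.
    internal static bool IsSafeName(string name)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 64 || name.Contains("..")) return false;
        foreach (char c in name)
            if (!char.IsLetterOrDigit(c) && c != '.' && c != '_' && c != '-') return false;
        return true;
    }
}
```

The same principle covers the transaction enumeration: /Transaction/Details/{id} should load the record and then verify server-side that it belongs to the authenticated user before returning it.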