SecureBank
A05:2021 – Security Misconfiguration

Challenges


Last updated 2 years ago

CWE-756: Missing Custom Error Page

The project is currently configured to run in debug mode. When an exception is thrown, the resulting error page exposes a lot of information to the attacker, including fragments of the source code, none of which should ever be visible to them.

Swagger

Find SecureBank swagger.

Solution

Go to /swagger. You will find the flag in the Swagger description.

Hidden page

Find a page that was used during development.

Solution

If you look through the source of api/Auth/Register in the browser, you will find a JavaScript method that has been commented out.

You will find the flag if you go to: /Auth/RegisterAdmin.

Registration with admin role

You need to register a new user with admin role.

Solution

If we look at the response of api/Auth/Login, we see that it returns the following JSON.

```json
{
    "id": 0,
    "userName": "carson.alexander@ssrd.io",
    "password": null,
    "name": null,
    "surname": null,
    "userRight": 0,
    "cookie": "Y2Fyc29uLmFsZXhhbmRlckBzc3JkLmlv-079f6a2418056497a2651c7d72d787c79d5d7095dedd68e95464ba631de16625-0",
    "status": "ok",
    "siteAction": null,
    "token": null
}
```

Auth/Register binds the same model, including the userRight field. Next, register a new user with userRight set to a number greater than 50:

```json
{
    "id": 0,
    "userName": "testAdmin@ssrd.io",
    "password": "Password1!",
    "name": null,
    "surname": null,
    "userRight": 100,
    "cookie": null,
    "status": null,
    "siteAction": null,
    "token": null
}
```

You will find the flag in the response header.
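The root cause is that the registration endpoint binds the same model the login response uses, so a client can set any field on it, userRight included. As an added example (not SecureBank's code; the field names and the "above 50 means admin" threshold come from the write-up, the Python handler is an assumed stand-in), here is the vulnerable binding beside an allow-listed one that also reports which non-registration keys the client tried to set, so the attempt can be logged:

```python
import json
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Constructed values mirroring the write-up: userRight above 50 is treated
# as an admin account, and a fresh registration must always start at 0.
ADMIN_THRESHOLD = 50
DEFAULT_USER_RIGHT = 0

# Allow-list of the only fields a self-service registration may set.
REGISTRATION_FIELDS = {"userName", "password", "name", "surname"}


@dataclass
class User:
    userName: str
    password: str
    name: Optional[str] = None
    surname: Optional[str] = None
    userRight: int = DEFAULT_USER_RIGHT

    def is_admin(self) -> bool:
        return self.userRight > ADMIN_THRESHOLD


def register_vulnerable(body: str) -> User:
    """Binds every model field present in the request body onto User, which
    is the pattern the challenge abuses: a client-chosen userRight is kept."""
    data = json.loads(body)
    bound = {k: v for k, v in data.items() if k in User.__dataclass_fields__}
    return User(**bound)


def register_hardened(body: str) -> Tuple[User, List[str]]:
    """Copies only allow-listed fields; userRight stays the server default.
    Also returns the keys the client tried to set outside the allow-list
    (non-null only), so the caller can log a privilege-escalation attempt."""
    data = json.loads(body)
    ignored = sorted(k for k in data
                     if k not in REGISTRATION_FIELDS and data[k] is not None)
    fields = {k: data[k] for k in REGISTRATION_FIELDS if k in data}
    return User(**fields), ignored  # userRight never comes from the client


# Constructed request body with the same shape as the one in the write-up.
ATTACK_BODY = json.dumps({
    "id": 0, "userName": "testAdmin@ssrd.io", "password": "Password1!",
    "name": None, "surname": None, "userRight": 100,
    "cookie": None, "status": None, "siteAction": None, "token": None,
})
```

Against ATTACK_BODY the vulnerable handler creates an admin, while the hardened one creates a userRight 0 account and reports `['id', 'userRight']` as ignored keys.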