EXPLOITS.md

File metadata and controls

213 lines (182 loc) · 10.2 KB

fortifydemoapps

A01:2021 - Broken Access Control - Path Traversal

/api/v1/prescription/downloadfile - file name parameter (steps to validate this vulnerability below)

1. Open the application's Swagger interface: hover over "My Account" and click "API Explorer".
2. Go to the Prescription APIs.
3. Expand the GET /api/v1/prescription/downloadfile API.
4. Click the "Try it out" button.
5. In the file name textbox enter "..\..\..\..\..\..\..\..\..\..\Windows\System32\drivers\etc\Hosts" (enough "..\" segments to walk from the prescription store up to the drive root; the name is joined onto the store directory without being checked to stay inside it).
6. Click the Execute button.
7. You will see a 200 response along with a "Download file" link.
8. Click the link; the file is saved to your "Downloads" folder.
9. Open it: it is the server's hosts file.

/Products/ViewPic - sFile parameter (steps to validate this vulnerability below)

1. Go to the Home page.
2. Click the "SHOP" menu.
3. Click any product image to view its details.
4. Click the image again to view it at its original size.
5. Note the browser address bar: the image is fetched through /Products/ViewPic with the file name in the sFile parameter.
6. Change the sFile parameter to "..\..\js\app.js".
7. Press Enter; the application's JavaScript source is served in the browser instead of an image.

A03:2021 - Reflected Cross-Site Scripting

/Prescription - search textbox (steps to validate this vulnerability below)

1. Go to the Home page.
2. Hover over the PRESCRIPTIONS menu and click the "One-Off Prescription" submenu.
3. In the search textbox enter the payload <script>alert('hi')</script>
4. Click the search icon.
5. The JavaScript alert fires on the page: the search term is echoed into the response without HTML encoding.

A03:2021 - SQL Injection

/Products - search textbox (steps to validate this vulnerability below)

1. Go to the Home page.
2. Log in as "[email protected]" with the password "password".
3. Hover over the SHOP menu and click the "Health & Wellbeing" submenu.
4. You should see the product listing page, with no option to create a new product (that is admin functionality).
5. In the search textbox enter the payload text','ef037f79-8f59-4078-89fe-bbdf786fe1d5'); Update AspNetUserRoles set RoleId='4ef1dab9-7bd9-4b8e-89b3-aa9d1c9e7d38'; --'
   The first part closes the quoted value the search term is concatenated into (the second value keeps the column count right), the stacked Update assigns the admin RoleId to every row of AspNetUserRoles, and -- comments out the remainder of the original statement.
6. Click the search icon.
7. You should see an error page; ignore it and press the browser Back button.
8. Log out of the existing session.
9. Log in again with the same credentials.
10. Repeat step 3.
11. You should now see the "Create New" link and can browse the admin areas as well.

A03:2021 - XXE Injection

/Prescription/upload - File Content textarea (steps to validate this vulnerability below)

1. Go to the Home page.
2. Hover over the PRESCRIPTIONS menu and click the "Repeat Prescriptions" submenu.
3. Upload any XML file by clicking the large grey box.
4. Once the file has uploaded successfully you will see its content.
5. Go to the <TEXTAREA> (the large textbox) and replace its content with the payload <?xml version="1.0" ?><!DOCTYPE replace[<!ENTITY example "Doe"> ]><userInfo><firstName>John</firstName><lastName>&example;</lastName></userInfo>
6. Click the "save" icon. The parsed XML is reflected into the next column with the last name shown as "Doe": the internal entity was expanded, which shows that DTD processing is enabled.
7. Now try an external entity.
8. Follow steps 3-5 with a different XML file.
9. Replace the <TEXTAREA> content with the payload <?xml version="1.0" encoding="utf-8"?><!DOCTYPE order[  <!ENTITY myExternalEntity SYSTEM "file:///C:/Windows/System32/drivers/etc/hosts">]><order>&myExternalEntity;</order>
10. The server's hosts file now appears in the next column.
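The two payloads above, replayed offline as an added example (this is not IWA-DotNet's own code). `parse_vulnerable` models a parser with DTD processing enabled and an external-entity resolver attached, which is the behaviour the upload endpoint shows; `parse_hardened` refuses any DOCTYPE, which removes both the internal-entity and the external-entity vector. The hosts file is stood in for by a constructed temporary file; everything else is Python's standard expat binding.

```python
import os
import tempfile
import xml.parsers.expat
from urllib.parse import urlparse
from urllib.request import url2pathname


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Return the document's text, resolving SYSTEM entities from local disk.

    Models DTD processing enabled plus a default resolver: the attacker-chosen
    SYSTEM identifier is turned into a path, read, and spliced into the text.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append  # inherited by child parsers

    def resolve_external(context, base, system_id, public_id):
        path = url2pathname(urlparse(system_id).path)
        with open(path, "rb") as f:
            data = f.read()
        # A child parser parses the fetched bytes as entity content; its
        # character data lands in the same `chunks` list.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1

    parser.ExternalEntityRefHandler = resolve_external
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes: bytes) -> str:
    """Same text extraction, but any DOCTYPE aborts parsing.

    No DTD means no internal entities (step 6) and no external entities
    (step 10); the .NET equivalent is XmlReaderSettings with
    DtdProcessing.Prohibit and XmlResolver = null.
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


# The step 5 payload, byte for byte.
INTERNAL_ENTITY_PAYLOAD = (
    b'<?xml version="1.0" ?><!DOCTYPE replace[<!ENTITY example "Doe"> ]>'
    b'<userInfo><firstName>John</firstName><lastName>&example;</lastName></userInfo>'
)


def demo() -> dict:
    """Run both payloads through both parsers; returns what each produced."""
    # Constructed stand-in for C:\Windows\System32\drivers\etc\hosts.
    fd, hosts_path = tempfile.mkstemp(suffix="-hosts")
    with os.fdopen(fd, "w") as f:
        f.write("127.0.0.1 localhost\n")
    try:
        # Same shape as the step 9 payload, pointing at the stand-in file.
        external_payload = (
            b'<?xml version="1.0" encoding="utf-8"?>'
            b'<!DOCTYPE order[  <!ENTITY myExternalEntity SYSTEM "file://%s">]>'
            b'<order>&myExternalEntity;</order>' % hosts_path.encode()
        )
        results = {
            "internal": parse_vulnerable(INTERNAL_ENTITY_PAYLOAD),
            "external": parse_vulnerable(external_payload),
            "plain_hardened": parse_hardened(b"<order>RX-1001</order>"),
        }
        for name, doc in (("internal", INTERNAL_ENTITY_PAYLOAD),
                          ("external", external_payload)):
            try:
                parse_hardened(doc)
                results[name + "_hardened"] = "accepted"
            except ValueError:
                results[name + "_hardened"] = "rejected"
        return results
    finally:
        os.unlink(hosts_path)
```

Rejecting the DOCTYPE outright is the cheapest fix and the one to prefer for an upload endpoint that only needs plain element content; allowing internal entities but blocking SYSTEM ones still leaves entity-expansion (billion laughs) attacks open.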

A04:2021 - Insecure Design - CWE-209 Generation of Error Message Containing Sensitive Information

/Products - search textbox

1. Go to the Home page.
2. Hover over the SHOP menu and click the "Health & Wellbeing" submenu.
3. You should see the product listing page.
4. In the search textbox enter the payload text'
5. Click the search icon.
6. You should see an error page containing sensitive data such as the SQL query being executed.

A06:2021 - Vulnerable and Outdated Components

/api/v1/file/uploadfile (FileController.UploadFile) - path traversal via the targetDir parameter

1. Create a zip file "test.zip" containing any file.
2. Run the IWA application (dotnet run, or from Visual Studio).
3. Open Postman.
4. Create a new HTTP request and make sure it is a POST request.
5. Set the request URL to "https://localhost:5001/api/v1/file/uploadfile".
6. Create query parameters:
	a. zipFileName = "test.zip"
	b. targetDir = "..\..\IWA-DotNet"
7. Create a body parameter:
	a. a new file-type parameter "file" = test.zip (created above)
8. Click "Send".
9. The response shows the server path the files were extracted to: the "..\..\" in targetDir moved the extraction directory outside the upload location (path traversal).
10. On the server, verify the extracted zip contents at that path.
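The same defect underlies the downloadfile, ViewPic and uploadfile steps above: a user-supplied name is joined onto a base directory and never checked to still be inside it. As an added example (not IWA-DotNet code), the check below resolves the final path and refuses anything that lands outside the intended directory, then applies it to both the targetDir and every entry name of an uploaded zip (the zip-slip variant). The directory names, the zip contents and the traversal entry are constructed; the three file-name payloads are the ones from the walkthrough.

```python
import io
import os
import tempfile
import zipfile
from typing import Optional


def resolve_inside(base_dir: str, user_path: str) -> Optional[str]:
    """Absolute path for user_path under base_dir, or None if it escapes.

    Backslashes are treated as separators because the payloads on this page
    are Windows-style; on Windows os.path does that already, on POSIX it
    keeps "..\\..\\js\\app.js" from being taken as one odd file name.
    """
    candidate = user_path.replace("\\", "/")
    if os.path.isabs(candidate):
        return None
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(os.path.join(base, candidate))
    # commonpath rather than startswith, so /srv/files does not accept /srv/files2
    if os.path.commonpath([base, resolved]) != base:
        return None
    return resolved


def safe_extract(zip_bytes: bytes, upload_root: str, target_dir: str) -> list:
    """Extract an upload into upload_root/target_dir; every path is checked first."""
    dest = resolve_inside(upload_root, target_dir)
    if dest is None:
        raise ValueError(f"targetDir escapes the upload root: {target_dir!r}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for entry in zf.infolist():
            out_path = resolve_inside(dest, entry.filename)
            if out_path is None:
                raise ValueError(f"zip entry escapes the target dir: {entry.filename!r}")
            planned.append((entry, out_path))
        written = []
        for entry, out_path in planned:  # nothing is written until every name passed
            if entry.is_dir():
                os.makedirs(out_path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(entry) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(out_path, os.path.realpath(upload_root)))
    return written


def build_zip(with_slip_entry: bool) -> bytes:
    """Constructed upload: one normal file, optionally one zip-slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "constructed upload content")
        if with_slip_entry:
            zf.writestr("..\\..\\evil.txt", "would be dropped outside the target")
    return buf.getvalue()


def demo() -> dict:
    """Apply the check to the page's payloads; returns the outcome per case."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        store = os.path.join(root, "prescriptions")   # constructed download dir
        os.makedirs(store)
        for name in ("rx-1001.pdf",
                     "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\Hosts",
                     "..\\..\\js\\app.js"):
            results[name] = "served" if resolve_inside(store, name) else "rejected"
        uploads = os.path.join(root, "uploads")        # constructed upload root
        os.makedirs(uploads)
        results["clean zip"] = safe_extract(build_zip(False), uploads, "clinic-a")
        for label, payload, target in (("zip-slip entry", build_zip(True), "clinic-a"),
                                       ("targetDir traversal", build_zip(False), "..\\..\\IWA-DotNet")):
            try:
                safe_extract(payload, uploads, target)
                results[label] = "extracted"
            except ValueError:
                results[label] = "rejected"
    return results
```

The check is done on the fully resolved path, not on the input string, so encodings, mixed separators and symlinks inside the base directory are all handled the same way; validating every zip entry before writing any of them avoids leaving a half-extracted upload behind when a later entry is malicious.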

A07:2021 - Identification and Authentication Failures - CWE-287 Improper Authentication

/identity/account/forgotpassword - Forgot Password link

1. Go to the Home page.
2. Click the user icon (top right panel).
3. Click the Login menu.
4. Click the Forgot Password link.
5. Open Chrome Developer Tools (F12), select the Network tab and wait for the requests to appear.
6. A page opens asking for the user's email address to send a reset-password link; enter "[email protected]" and press "Submit".
7. You will see the Forgot Password Confirmation page.
8. In the Developer Tools window select the "forgotpassword" request and open its "Cookies" tab.
9. You will see a response cookie named code. Copy its value and keep it: this is the password reset code, handed to the browser instead of only to the email.
10. ASP.NET Core Identity (Microsoft's identity framework) provides a resetpassword page in its default configuration.
11. Open another window/tab, enter the URL "https://localhost:5001/identity/account/resetpassword" and press Enter.
12. An error is shown saying a code is required.
13. Add the code to the query string, which is how reset emails normally carry it.
14. Enter the URL "https://localhost:5001/identity/account/resetpassword?code=" followed by the code kept in step 9.
15. You will see the reset-password page with email and new-password fields; go ahead and reset the password for [email protected].
16. Log in with the new credentials.

A08:2021 - Software and Data Integrity Failures - Over-posting / Mass Assignment (insecure binder configuration)

/api/v1/order/getorder - (steps to validate this vulnerability below)

1. Open the application's Swagger interface: hover over "My Account" and click "API Explorer".
2. Go to the Order APIs.
3. Expand the GET /api/v1/order/getorder API.
4. Click the "Try it out" button.
5. In the Id textbox enter "1". Observe that the IsAdmin dropdown is not selected and shows "-".
6. Click the Execute button.
7. You will see a 200 response with the order details; observe that the user and lineItems objects are null.
8. Now change the "IsAdmin" dropdown to "true".
9. Click the Execute button.
10. You will see a 200 response with the order details, and now the user and LineItems objects are populated: the binder accepts IsAdmin from the request instead of deriving it from the caller's identity.
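The binding pattern behind the steps above, reproduced offline as an added example (not IWA-DotNet code). `bind_vulnerable` mirrors a model binder that copies every matching request field onto the request model, so a caller can set IsAdmin and receive the user and line-item detail; `bind_hardened` binds an explicit allow-list and takes the admin flag from the authenticated principal. The order record, the email, the role names and the `Principal` type are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass
class GetOrderRequest:
    id: int = 0
    is_admin: bool = False      # must never be client-controlled


@dataclass
class Principal:
    """Constructed stand-in for the authenticated user."""
    name: str
    roles: tuple = ()


# Constructed data standing in for the app's database.
ORDERS = {1: {"id": 1, "total": 42.50,
              "user": {"email": "customer@example.test"},
              "line_items": [{"sku": "VIT-C", "qty": 2}]}}


def bind_vulnerable(query: dict) -> GetOrderRequest:
    """Copy every query parameter whose name matches a model field
    (case-insensitive, ignoring underscores, like default MVC binding)."""
    req = GetOrderRequest()
    for key, value in query.items():
        for fname in req.__dataclass_fields__:
            if key.lower().replace("_", "") == fname.replace("_", ""):
                current = getattr(req, fname)
                if isinstance(current, bool):           # bool before int: bool is an int subclass
                    setattr(req, fname, value.lower() == "true")
                else:
                    setattr(req, fname, type(current)(value))
    return req


def bind_hardened(query: dict, principal: Principal) -> GetOrderRequest:
    """Bind only the fields a client may supply; derive privilege server-side."""
    allowed = {"id"}
    req = GetOrderRequest()
    for key, value in query.items():
        if key.lower() in allowed:
            req.id = int(value)
    req.is_admin = "Admin" in principal.roles
    return req


def get_order(req: GetOrderRequest) -> dict:
    """Return the order; nested objects are included only for admins, as the API does."""
    order = dict(ORDERS[req.id])
    if not req.is_admin:
        order["user"] = None
        order["line_items"] = None
    return order


def demo() -> dict:
    customer = Principal("customer@example.test", roles=("Customer",))
    staff = Principal("staff@example.test", roles=("Admin",))
    query = {"Id": "1", "IsAdmin": "true"}      # the Swagger request from step 8
    leaked = get_order(bind_vulnerable(query))
    safe = get_order(bind_hardened(query, customer))
    return {
        "vulnerable_user": leaked["user"],
        "vulnerable_items": leaked["line_items"],
        "hardened_user": safe["user"],
        "hardened_items": safe["line_items"],
        "hardened_is_admin": bind_hardened(query, customer).is_admin,
        "admin_items": get_order(bind_hardened({"Id": "1"}, staff))["line_items"],
    }
```

In ASP.NET Core the equivalent is a request DTO that contains only client-settable members (or `[BindNever]` on the privileged ones) and an authorization check on `User.IsInRole`, rather than a flag on the bound model.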

A09:2021 - Security Logging and Monitoring Failures - CWE-117 Improper Output Neutralization for Logs

/identity/account/login - Email Address textbox

1. Go to the Home page.
2. Click the user icon (top right panel).
3. Click the Login menu.
4. Enter the Email as "admin%27%0Ainfo%3A%20-%20MicroFocus.InsecureWebApp.Areas.Identity.Pages.Account.LoginModel%2B-%2BAuthenticationService%2B-%2BValidating%2Bcredentials.%0Ainfo%3A%20-%20MicroFocus.InsecureWebApp.Areas.Identity.Pages.Account.LoginModel%2B-%2BLogin.aspx%2B-%2BUser%2Blogged%2Bin.%0Ainfo%3A%20-%20MicroFocus.InsecureWebApp.Areas.Identity.Pages.Account.LoginModel%2B-%2BAuthenticating%2BUser%2B%27" (once URL-decoded, each %0A is a newline, so the value carries three forged "info:" lines).
5. Open the console where the application is running and check the logs.
6. You will see the email value written into the log as separate log entries.
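What the step 4 value does to a line-oriented log, and one way to neutralise it, as an added example (not IWA-DotNet code). The value is percent-decoded the way a form field is, then written by a vulnerable logger that interpolates it verbatim and by a hardened one that escapes CR, LF and other control characters first. The log line shape is assumed; the "info: - " prefix is taken from the forged lines in the payload itself.

```python
import io
from urllib.parse import unquote_plus

# The exact Email value typed in step 4 above.
PAYLOAD = (
    "admin%27%0Ainfo%3A%20-%20MicroFocus.InsecureWebApp.Areas.Identity.Pages.Account."
    "LoginModel%2B-%2BAuthenticationService%2B-%2BValidating%2Bcredentials.%0Ainfo%3A%20-%20"
    "MicroFocus.InsecureWebApp.Areas.Identity.Pages.Account.LoginModel%2B-%2BLogin.aspx%2B-%2BUser"
    "%2Blogged%2Bin.%0Ainfo%3A%20-%20MicroFocus.InsecureWebApp.Areas.Identity.Pages.Account."
    "LoginModel%2B-%2BAuthenticating%2BUser%2B%27"
)

# Assumed log line shape; the real app's wording is not reproduced here.
LINE = "info: - LoginModel - Authenticating User '{email}'\n"


def log_vulnerable(log: io.StringIO, email: str) -> None:
    """Interpolates the raw value: CR/LF inside it start new log records."""
    log.write(LINE.format(email=email))


def sanitize_for_log(value: str) -> str:
    """Escape CR, LF and other C0/DEL control characters so the value stays on one line."""
    escaped = []
    for ch in value:
        if ch == "\n":
            escaped.append("\\n")
        elif ch == "\r":
            escaped.append("\\r")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            escaped.append("\\x%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def log_hardened(log: io.StringIO, email: str) -> None:
    log.write(LINE.format(email=sanitize_for_log(email)))


def entries(log_text: str) -> list:
    """Split a log the way a line-oriented collector would: one record per line."""
    return [line for line in log_text.splitlines() if line.startswith("info:")]


def demo() -> dict:
    email = unquote_plus(PAYLOAD)       # what the form field decodes to on the server
    vulnerable, hardened = io.StringIO(), io.StringIO()
    log_vulnerable(vulnerable, email)
    log_hardened(hardened, email)
    return {
        "decoded_newlines": email.count("\n"),
        "vulnerable_entries": entries(vulnerable.getvalue()),
        "hardened_entries": entries(hardened.getvalue()),
    }
```

One login attempt produces four records in the vulnerable log, three of them fabricated (including a "User logged in." event that never happened); the hardened log keeps the whole value, escape sequences included, inside the single record it belongs to, so an analyst can still see what was submitted.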

A10:2021 - Server-Side Request Forgery

/Products/Compare - URL textbox (steps to validate this vulnerability below)

1. Open a command console in Windows.
2. Go to the directory "IWA-DotNet\InsecureProductService".
3. Type "dotnet run" and press Enter.
4. The external product API starts.
5. Open another command console in Windows.
6. Go to the directory "IWA-DotNet\InsecureWebApp".
7. Type "dotnet run" and press Enter.
8. Open a web browser and go to "https://localhost:5001/".
9. Hover over the SHOP menu and click the "Pull Products from Clinics" submenu.
10. You will see a page with a textbox holding the URL of the external product service started above.
11. Click the "Pull Products from Clinics" button.
12. The result is shown on the page.
13. Now change the URL to an external site: "https://datausa.io/api/data?drilldowns=Nation&measures=Population"
14. Click the button.
15. The page shows the response fetched from the external site: the server requests whatever URL the browser supplies.
16. Now try a second payload.
17. Create a new product and note down its ID.
18. Change the URL to "https://127.0.0.1:5004/api/v1/products/delproduct/{ID CREATED ABOVE}"
19. Verify that no content is returned.
20. Go back to the product dashboard and check whether the product is still there: the server-side request reached the product service's delete endpoint on the loopback interface.
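An allow-list for the "Pull Products from Clinics" target, as an added example (not IWA-DotNet code), applied to the URLs used in the steps above. The preferred design is `url_for_clinic`: the browser sends an identifier and the server looks up the URL. Where a URL must be accepted, `check_fetch_target` requires https, no embedded credentials, a host on the configured allow-list (IP literals are refused outright, which is what stops the 127.0.0.1:5004 request), the expected port and the product-listing path. The clinic feed, host and path values are constructed; a real deployment loads them from configuration and also re-checks the resolved address at connect time, since a host-name check alone does not cover DNS rebinding.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed: the clinics the server may pull from, keyed by an id the
# browser can send instead of a URL.
CLINIC_PRODUCT_FEEDS = {
    "clinic-a": "https://clinic-a-products.example.test/api/v1/products",
}
ALLOWED_ORIGINS = {("clinic-a-products.example.test", 443)}
ALLOWED_PATHS = {"/api/v1/products"}


def url_for_clinic(clinic_id: str) -> str:
    """Preferred design: the client chooses an id, the server chooses the URL."""
    try:
        return CLINIC_PRODUCT_FEEDS[clinic_id]
    except KeyError:
        raise ValueError(f"unknown clinic: {clinic_id!r}") from None


def check_fetch_target(url: str) -> tuple:
    """(allowed, reason) for a caller-supplied URL, if one must be accepted at all."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None                      # a host name, not an IP literal
    if addr is not None:
        # Literal addresses are refused outright; 127.0.0.1 in step 18 is the
        # loopback product service whose delete endpoint the request reached.
        kind = "loopback/private" if addr.is_loopback or addr.is_private else "public"
        return False, f"IP literal not allowed ({kind})"
    port = parts.port or 443
    if (host, port) not in ALLOWED_ORIGINS:
        return False, f"{host}:{port} is not an allowed product service"
    if parts.path not in ALLOWED_PATHS:
        return False, f"path {parts.path!r} is not the product listing"
    return True, "ok"


def demo() -> dict:
    """Decisions for the URLs that appear in the walkthrough plus the allowed one."""
    urls = [
        "https://clinic-a-products.example.test/api/v1/products",
        "https://datausa.io/api/data?drilldowns=Nation&measures=Population",
        "https://127.0.0.1:5004/api/v1/products/delproduct/7",
        "https://clinic-a-products.example.test/api/v1/products/delproduct/7",
    ]
    return {url: check_fetch_target(url) for url in urls}
```

Two further points the walkthrough shows: the delete endpoint is reachable with a GET, so even a forged request with no body changes state (state-changing operations should require POST/DELETE and authentication), and the product service listens on loopback, which is no protection once the web app itself can be made to call it.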

IaaS vulnerabilities

Dockerfile configuration vulnerabilities - Deploy.dockerfile

1. Default user privilege - no USER specified, so the container runs as root
2. Dependency confusion - no version selected (unpinned base image / dependency)
3. Privileged port - use of the telnet port

Kubernetes bad practices - AK8-Deploy.yml

1. Default namespace
2. Missing security context
3. Service account token automounted

Terraform - Terraform\Azure\main.tf

1. Insecure PostgreSQL transport (TLS not enforced on the database connection)
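A small checker for the three Dockerfile findings and the three Kubernetes findings listed above, as an added example (not the repository's own tooling), run offline against constructed snippets that reproduce them and against corrected versions. The Dockerfile text and the Deployment dicts (the shape PyYAML would load a manifest into) are constructed for the demo; they are not copies of Deploy.dockerfile or AK8-Deploy.yml.

```python
BAD_DOCKERFILE = """\
# Constructed: reproduces the three Deploy.dockerfile findings
FROM mcr.microsoft.com/dotnet/aspnet
WORKDIR /app
COPY . .
EXPOSE 23
ENTRYPOINT ["dotnet", "app.dll"]
"""

GOOD_DOCKERFILE = """\
FROM mcr.microsoft.com/dotnet/aspnet:6.0
WORKDIR /app
COPY . .
RUN adduser --disabled-password --gecos "" app
USER app
EXPOSE 8080
ENTRYPOINT ["dotnet", "app.dll"]
"""

# Constructed Deployment objects in the form PyYAML would load a manifest into.
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "iwa"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "iwa", "image": "iwa:1.0"}]}}},
}
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "iwa", "namespace": "iwa"},
    "spec": {"template": {"spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "iwa", "image": "iwa:1.0",
                        "securityContext": {"runAsNonRoot": True,
                                            "allowPrivilegeEscalation": False}}]}}},
}


def lint_dockerfile(text: str) -> list:
    """Return the findings from the list above for a Dockerfile's text."""
    findings, runs_as_root = [], True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, *args = line.split()
        if instr.upper() == "FROM" and args:
            image = args[0]
            last = image.rsplit("/", 1)[-1]          # drop the registry/repository part
            if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
                findings.append(f"FROM {image}: no version selected (unpinned base image)")
        elif instr.upper() == "USER" and args:
            runs_as_root = args[0] in ("root", "0")
        elif instr.upper() == "EXPOSE":
            for spec in args:
                port = spec.split("/")[0]
                if port.isdigit() and int(port) < 1024:
                    note = " (telnet)" if int(port) == 23 else ""
                    findings.append(f"EXPOSE {spec}: privileged port{note}")
    if runs_as_root:
        findings.append("no non-root USER: container runs as root by default")
    return findings


def lint_deployment(manifest: dict) -> list:
    """Return the findings from the list above for a Deployment object."""
    findings = []
    if manifest.get("metadata", {}).get("namespace", "default") == "default":
        findings.append("workload lands in the default namespace")
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    if pod.get("automountServiceAccountToken", True):   # the Kubernetes default is true
        findings.append("service account token is automounted into the pod")
    for c in pod.get("containers", []):
        if not (c.get("securityContext") or pod.get("securityContext")):
            findings.append(f"container {c.get('name')}: no securityContext")
    return findings
```

The Dockerfile check treats a bare image name or a `:latest` tag as unpinned and accepts a version tag or a digest; the Deployment check reads the token-mount default the way the API server does (absent means mounted).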

A03:2021 - GraphQL - SQL Injection

/graphql - keyword (search) parameter (steps to validate this vulnerability below)

1. Go to the Home page and append "/graphql" to the URL to open the GraphQL UI.
2. Click the Browse Schema button.
3. Click the Apply button.
4. Go to the Operations tab.
5. Type the following query and note the keyword parameter:
	query{
	  products (keyword: "", limit: 5) {
		iD,
		name,
		price,
		salePrice
	  }
	}
6. You will see the products listed.
7. Change the query as below; the keyword value closes the quoted LIKE pattern, runs a stacked Update against product 1 and comments out the rest of the original statement:
	query{
	  products (keyword: "a%'); Update Product set price=12.95 where ID=1; --'", limit: 5) {
		iD,
		name,
		price,
		salePrice
	  }
	}
8. You will see the products listed, but without the first product.
9. Run the original query again, observing the keyword parameter:
	query{
	  products (keyword: "", limit: 5) {
		iD,
		name,
		price,
		salePrice
	  }
	}
10. The price of product 1 has changed to 12.95. Click Run again to confirm.
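The stacked-query injections from the /Products search box (A03 SQL Injection above), the error page it raises on a lone quote (A04 CWE-209) and the GraphQL keyword argument in this section, replayed offline as one added example (not IWA-DotNet code) against an in-memory SQLite copy of the tables the payloads touch. `run_stacked` emulates a command text that executes every statement and returns the first result set, which is what lets "'); Update ...; --" escape the literal and run a second statement; the hardened variants use bind parameters. The statement shapes (a logging INSERT for the search term and a parenthesised LIKE query), the table layouts, the product rows and the customer role id are assumed; the two GUIDs and both payloads are the ones quoted in the walkthrough.

```python
import sqlite3

# GUIDs quoted in the /Products walkthrough: the second value of the payload
# (used here as the signed-in user's id) and the admin RoleId it assigns.
USER_ID = "ef037f79-8f59-4078-89fe-bbdf786fe1d5"
ADMIN_ROLE_ID = "4ef1dab9-7bd9-4b8e-89b3-aa9d1c9e7d38"
CUSTOMER_ROLE_ID = "customer-role"                      # constructed
PRODUCTS_PAYLOAD = ("text','ef037f79-8f59-4078-89fe-bbdf786fe1d5'); "
                    "Update AspNetUserRoles set RoleId='4ef1dab9-7bd9-4b8e-89b3-aa9d1c9e7d38'; --'")
GRAPHQL_PAYLOAD = "a%'); Update Product set price=12.95 where ID=1; --'"


def make_db() -> sqlite3.Connection:
    """Constructed tables: the two the payloads touch plus the search log."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE AspNetUserRoles (UserId TEXT, RoleId TEXT);
        CREATE TABLE ProductSearchLog (Keyword TEXT, UserId TEXT);
        CREATE TABLE Product (ID INTEGER PRIMARY KEY, Name TEXT, Price REAL, SalePrice REAL);
    """)
    db.execute("INSERT INTO AspNetUserRoles VALUES (?, ?)", (USER_ID, CUSTOMER_ROLE_ID))
    db.executemany("INSERT INTO Product VALUES (?, ?, ?, ?)",
                   [(1, "Aspirin", 4.99, None), (2, "Bandage", 2.49, None)])
    return db


def run_stacked(db: sqlite3.Connection, sql: str) -> list:
    """Run every statement in a command text and return the first one's rows,
    as a multi-statement ADO.NET command does.  Statements are split with
    sqlite3.complete_statement so semicolons inside quotes are honoured."""
    first_rows, buf = None, ""
    for ch in sql:
        buf += ch
        if ch == ";" and sqlite3.complete_statement(buf):
            rows = db.execute(buf).fetchall()
            first_rows = rows if first_rows is None else first_rows
            buf = ""
    if buf.strip() and not buf.strip().startswith("--"):   # trailing "--..." is a comment
        rows = db.execute(buf).fetchall()
        first_rows = rows if first_rows is None else first_rows
    return first_rows or []


def find_products_vulnerable(db, keyword: str, limit: int = 5) -> list:
    """String-built LIKE query (assumed shape); the GraphQL keyword feeds this."""
    return run_stacked(db, "SELECT ID, Name, Price, SalePrice FROM Product "
                           f"WHERE (Name LIKE '%{keyword}%') LIMIT {limit}")


def search_products_vulnerable(db, keyword: str, user_id: str) -> dict:
    """/Products search: log the term (string-built INSERT, assumed), then query."""
    log_sql = f"INSERT INTO ProductSearchLog (Keyword, UserId) VALUES ('{keyword}', '{user_id}')"
    try:
        run_stacked(db, log_sql)
        return {"rows": find_products_vulnerable(db, keyword), "error": None}
    except sqlite3.OperationalError as exc:
        # CWE-209: the failing SQL text is echoed straight to the error page.
        return {"rows": [], "error": f"{exc} -- while running: {log_sql}"}


def find_products_hardened(db, keyword: str, limit: int = 5) -> list:
    return db.execute("SELECT ID, Name, Price, SalePrice FROM Product WHERE Name LIKE ? LIMIT ?",
                      (f"%{keyword}%", limit)).fetchall()


def search_products_hardened(db, keyword: str, user_id: str) -> dict:
    db.execute("INSERT INTO ProductSearchLog (Keyword, UserId) VALUES (?, ?)", (keyword, user_id))
    return {"rows": find_products_hardened(db, keyword), "error": None}


def role_of(db, user_id: str) -> str:
    return db.execute("SELECT RoleId FROM AspNetUserRoles WHERE UserId = ?", (user_id,)).fetchone()[0]


def price_of(db, product_id: int) -> float:
    return db.execute("SELECT Price FROM Product WHERE ID = ?", (product_id,)).fetchone()[0]


def demo() -> dict:
    out, db = {}, make_db()
    out["error_page"] = search_products_vulnerable(db, "text'", USER_ID)["error"]    # A04 step 4
    out["hardened_error"] = search_products_hardened(db, "text'", USER_ID)["error"]
    out["products_page_errored"] = search_products_vulnerable(db, PRODUCTS_PAYLOAD, USER_ID)["error"] is not None
    out["role_after_vulnerable"] = role_of(db, USER_ID)          # promoted before the page errored
    db = make_db()
    search_products_hardened(db, PRODUCTS_PAYLOAD, USER_ID)
    out["role_after_hardened"] = role_of(db, USER_ID)
    out["logged_keyword"] = db.execute("SELECT Keyword FROM ProductSearchLog").fetchone()[0]
    db = make_db()
    out["graphql_rows"] = find_products_vulnerable(db, GRAPHQL_PAYLOAD)   # step 7
    out["price_after_vulnerable"] = price_of(db, 1)                        # step 10
    db = make_db()
    find_products_hardened(db, GRAPHQL_PAYLOAD)
    out["price_after_hardened"] = price_of(db, 1)
    return out
```

The order of events in the /Products case matches the walkthrough: the stacked Update in the logging statement succeeds first, the LIKE query then fails on the leftover comma and produces the error page, and the role change is already committed by the time the user logs back in. With parameters the same input is stored verbatim in the log and matched as a literal pattern, and the lone quote from the A04 steps produces no error at all.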