In cybersecurity, vigilance is paramount. As technical knowledge evolves, so do the exploitation techniques available to malicious attackers. In this dynamic environment, organizations must deploy proactive defence mechanisms to harden their digital perimeter against potential breaches. One such essential mechanism is penetration testing: a proactive security measure that discovers vulnerabilities through simulated attacks on computer systems or networks. This article takes a deep dive into a recent penetration testing engagement that exposed critical vulnerabilities, highlighting the importance of proactive security measures in an increasingly complex digital world.
During a routine penetration test for a client, the Deloitte Middle East Cybersecurity team discovered a seemingly innocuous subdomain hosting a third-party application, Vaales Technologies' V-QRS. V-QRS is a software application that lets any business create digital business cards based on quick response (QR) codes and near field communication (NFC) technology. The system consists of a web dashboard, a mobile app and a web application.
During the test we discovered the URL https://SANITIZED/user-profile/6/Da**va. Here "6" acts as a sequence number and "Da**va" represents the full name. The link exposes various details such as the user's name and title (Head of Finance), phone number (including a personal one), work email and, although the company chooses not to make it public, a photo.
The team then decided to investigate whether more data could be extracted from the portal, particularly about the CEO. Out of curiosity, we changed the number in the request from "6" to "1". Initially the team assumed this would not work unless the correct real name was also supplied. To our surprise, the system responded positively even with a made-up name, revealing details about the CEO.
Having found an insecure direct object reference (IDOR) alongside the misconfiguration in the application, the team decided to extract data for the entire company. Using Burp Suite (a web penetration testing tool), we were able to retrieve company-wide employee data, including names, job titles, personal phone numbers and email addresses.
At first glance this may seem harmless, since the data appears to be "public" and intended for sharing. However, once such information is accessible, it can be misused by black hat hackers, aka cyber criminals, for malicious purposes. The data can be used to send personalised phishing emails and phone calls, create fake advertisements and flood communication channels. Additionally, attackers armed with personal information can attempt brute-force attacks against external OWA (Outlook Web Access) and other login portals. Once an account is compromised, they can launch attacks against Active Directory and cause severe damage. On further investigation, we found that the flaw lay in two files. Our analysis revealed that the input validation mechanism was lax, paving the way for potential SQL injection attacks.
SQL injection (A03:2021 – Injection in the OWASP Top 10) represents another formidable adversary in the cybersecurity domain. The impact of a successful exploit can range from data leakage to complete system compromise.
In our case, the earlier request https://SANITIZED/user-profile/6/Da**va looks very much like a SQL request, where "6" is simply the ID of the user in the users table of the database. Indeed, it was something like `SELECT * FROM users WHERE id='6'`. With this in mind, we attempted to inject a malicious payload in that field. We set up the sqlmap tool and performed blind SQL injection. As a result of our reconnaissance, we were able to extract the database username and password hashes, which could be used in further penetration testing activities.
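To make the two findings concrete from the defender's side, the following Python example is added here; it is not code from the article, from Deloitte or from the V-QRS product, and the users table, column names and role values are constructed assumptions. It places a lookup built by string concatenation (the shape the article infers for the affected endpoint) beside a parameterised lookup, and adds the object-level authorization check whose absence is the IDOR: the profile endpoint only returns a record when the requester owns it or holds an admin role.

```python
import sqlite3

# Constructed sample data (not from the original article): a tiny users table
# modelled on the digital business card profiles the assessment describes.
SAMPLE_USERS = [
    (1, "ceo@example.com", "CEO", "+000-0000001", "user"),
    (6, "finance@example.com", "Head of Finance", "+000-0000006", "user"),
    (7, "admin@example.com", "Administrator", "+000-0000007", "admin"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, email TEXT, title TEXT, phone TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Query built by concatenation: the id value becomes part of the SQL text.

    A value such as  6' OR '1'='1  turns the WHERE clause into a tautology and
    the statement returns every row instead of one profile.
    """
    sql = "SELECT id, email, title, phone FROM users WHERE id='" + str(user_id) + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, user_id):
    """Bound parameter: the driver passes the value separately from the SQL text,
    so it is compared as a literal and cannot alter the statement."""
    sql = "SELECT id, email, title, phone FROM users WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


def get_profile(conn, requester_id, requester_role, target_id):
    """Profile endpoint with object-level authorization (the IDOR fix).

    The server decides from the authenticated session, never from the URL,
    whether the requester may read the target record: only the owner of the
    card or an admin may. Denied requests return None before any query runs.
    """
    if requester_role != "admin" and requester_id != target_id:
        return None
    rows = lookup_parameterised(conn, target_id)
    return rows[0] if rows else None


if __name__ == "__main__":
    db = build_db()
    payload = "6' OR '1'='1"
    print("concatenated query, injected id:", lookup_vulnerable(db, payload))
    print("parameterised query, injected id:", lookup_parameterised(db, payload))
    print("user 6 requesting profile 1:", get_profile(db, 6, "user", 1))
    print("admin requesting profile 1:", get_profile(db, 7, "admin", 1))
```

Two points follow from running it. The parameterised lookup returns no rows for the injected value because the whole string is compared against the integer id, which is why binding parameters rather than escaping is the standard remediation for A03:2021. And the authorization check is what stops the `6` to `1` enumeration described above: where cards are deliberately shareable, the same idea applies by replacing the sequential id in the public link with an unguessable random token, so a valid link still works but neighbouring records cannot be walked.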
Armed with our findings, we then turned to MITRE's CVE (Common Vulnerabilities and Exposures) program, which provides a standardized naming convention for identifying and tracking security vulnerabilities. We promptly reported the vulnerabilities to the organization that maintains the dictionary. This is an essential step in promoting transparency and collaboration within the cybersecurity community. We were then assigned two CVE numbers: CVE-2024-24312 (SQLi) and CVE-2024-24313 (IDOR). This expedited the dissemination of critical information to stakeholders and enabled rapid remediation efforts.
References
https://www.cve.org/CVERecord?id=CVE-2024-24312
https://www.cve.org/CVERecord?id=CVE-2024-24313
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References
https://owasp.org/www-community/attack/SQL_Injection
https://v-qrs.com/
