Security flaws in America's Biggest Marketplace Website: Full Report of Most Common Flaws and Remediation

February 20th, 2018

2017 was a hot year for hackers, and the trend shows no sign of stopping. Major hacks, data breaches and vulnerability exploitation have led to millions in losses for organizations that failed to establish proper web application security. The number of cybercrime incidents is increasing every year, and so is the cost associated with the attacks. In a recent survey by ZDNet, 53% of decision-makers said that they will prioritize cybersecurity in their 2018-19 budget. According to the WhiteHat Security report, of the total breaches reported in 2017, 30% involved attacks on web applications and 62% featured hacking to exploit vulnerabilities. It also concluded that, despite growing security awareness, applications continue to remain vulnerable across all industries.

As a pilot, our in-house security experts conducted a security scan of America’s biggest online marketplace website. We found that the website had many critical vulnerabilities which could be weaponized to deliver malicious content or files to users and to display and alter user content, enabling a wide range of attacks that could be even more dangerous.

Vulnerability 1: A user can delete an attachment belonging to some other user’s assignment and hence delete that data from the server.

Issue: Privilege Escalation - CSRF

As illustrated in the above video, an attacker can register and create a profile on the website. They then have access to upload, edit and delete documents/images on their profile. The attacker can click delete on one of their own documents and intercept the delete request using a tool called Burp. The attacker can then change the assignment_id and asset_id in the POST request to delete some other user’s assignment details, because the server never checks that the caller owns the referenced assignment.

Vulnerability 2: Any user can see the description of another user’s assignment. Information leaks between users.

Issue: Privilege Escalation - Horizontal

An attacker can navigate to the assignment section of their profile, replace their own user ID in the URL with another user’s ID and then append the description path to the URL. The other user’s assignment description is then visible to the attacker.

Vulnerability 3: Java exception message displayed in the response body.

Issue: Error Handling

[Image: error_handling.jpg]

The exception message returned in the response body contains internal details (class names, stack frames and similar) that an attacker could use to plan further attacks.

Vulnerability 4: Any user is able to access/download data belonging to another user from the database using direct URLs.

Issue: Method Interchange/CSRF Token Missing

An attacker can easily download any user’s data by copying the download URL. This is because downloading an attachment triggers a GET request instead of a POST request, so the URL alone is enough to retrieve the file. Secondly, no CSRF token accompanies the request that is triggered.
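The root cause of vulnerabilities 1 and 4 is the same server-side gap: the handler trusts the assignment_id and asset_id it receives and never ties them to the logged-in user, and it accepts state-changing requests without a CSRF token or a method check. The following is an added example, not code from the report or from the audited site, contrasting a handler with that flaw against a hardened one; the in-memory asset and session stores and the user names are constructed for illustration.

```python
import hmac
import secrets

# Constructed session store: user id -> CSRF token issued with that session.
SESSIONS = {
    "alice": secrets.token_hex(16),
    "bob": secrets.token_hex(16),
}


def sample_assets():
    """Constructed data: (assignment_id, asset_id) -> owning user id."""
    return {("a1", "f1"): "alice", ("a2", "f2"): "bob"}


def vulnerable_delete(assets, session_user, form):
    """The flaw described in the report: the identifiers come straight from
    the request body and ownership by session_user is never verified, so
    any user can delete any other user's asset by editing the POST body."""
    key = (form["assignment_id"], form["asset_id"])
    if key in assets:
        del assets[key]
        return 200
    return 404


def hardened_delete(assets, session_user, method, form):
    """Same operation with the three missing controls added."""
    # 1. State changes only via POST; a GET link can be replayed from anywhere.
    if method != "POST":
        return 405
    # 2. The request must carry the CSRF token bound to this session
    #    (constant-time compare so token guessing is not timing-assisted).
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, SESSIONS.get(session_user, "")):
        return 403
    # 3. Scope the lookup to the caller: an asset owned by someone else is
    #    treated as nonexistent, which also avoids leaking that it exists.
    key = (form["assignment_id"], form["asset_id"])
    if assets.get(key) != session_user:
        return 404
    del assets[key]
    return 200


if __name__ == "__main__":
    store = sample_assets()
    bobs = {"assignment_id": "a2", "asset_id": "f2",
            "csrf_token": SESSIONS["alice"]}
    print("vulnerable:", vulnerable_delete(sample_assets(), "alice", bobs))
    print("hardened:", hardened_delete(store, "alice", "POST", bobs))
```

The same ownership-scoped lookup applies to the download handler: resolve the asset by (owner, assignment_id, asset_id) rather than by asset_id alone.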

Vulnerability 5: Users should only be able to upload selected file types as documents/assets, but no such restriction is enforced.

Issue: Unrestricted File Upload

An attacker can easily create a profile and upload arbitrary files to the server, which can then be abused against other vulnerable sections of the application. For example, an attacker can upload an executable file that is later used to attack and exploit other parts of the application.

The above vulnerability report is proof that an application can have one or more serious vulnerabilities open during any given time period. According to the WhiteHat Security report, close to 50% of applications remain vulnerable every single day of the year. We have been helping organizations for the past 10 years with security solutions that uncover all vulnerability gaps. Our security reporting follows industry standards such as OWASP and SANS. We provide an impact assessment and a detailed mitigation proposal for remediation consultation after the threat has been demonstrated.

Share your website/application and security concerns with us. Our consultants will perform a Pilot Scan and will get back to you with a report of critical security bugs.

Avail a Free Pilot Security Scan
