Halborn Logo
Draft

bitsCrunch Blackbox - bitsCrunch


Prepared by:

Halborn Logo

HALBORN

Last Updated 11/12/2024

Date of Engagement by: February 6th, 2024 - February 23rd, 2024

Summary

100% of all REPORTED Findings have been addressed

All findings

9

Critical

2

High

1

Medium

1

Low

3

Informational

2


1. Introduction

bitsCrunch engaged Halborn to conduct a blackbox assesment beginning on {startDate} and ending on {endDate} of their bitsCrunch App. The security assessment was scoped to GitHub source code to the Halborn team.

2. Assessment Summary

The team at Halborn was provided two weeks for the white-box pentest and assigned a full-time security engineer to verify the security of the staging's web applications. The security engineer is a penetration testing expert with advanced knowledge in web, recon, discovery & infrastructure penetration testing.

The goals of our security assessments are to improve the quality of systems by testing this as white-box approach to have an attacker perspective of targeting the staging web application.

In summary, Halborn identified security risks that were mostly addressed by the bitsCrunch team.

3. Test Approach and Methodology

Halborn followed a black-box approach and performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the pentest. While manual testing is recommended to uncover flaws in logic, process and implementation; automated testing techniques assist enhance coverage of the infrastructure and can quickly identify flaws in it. The following phases and associated tools were used throughout the term of the assessment:

- Mapping Content and Functionality

- Logic Flaws

- Access Handling

- Authentication/Authorization Flaws

- Rate Limitations Tests

- Brute Force Attempts

- Input Handling

- Response Manipulation

- Source Code Review

- Fuzzing of all input parameters

- Multiple Type of Injection (SQL/JSON/HTML/Command)

4. RISK METHODOLOGY

Vulnerabilities or issues observed by Halborn are ranked based on the risk assessment methodology by measuring the LIKELIHOOD of a security incident and the IMPACT should an incident occur. This framework works for communicating the characteristics and impacts of technology vulnerabilities. The quantitative model ensures repeatable and accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the Risk scores. For every vulnerability, a risk level will be calculated on a scale of 5 to 1 with 5 being the highest likelihood or impact.
RISK SCALE - LIKELIHOOD
  • 5 - Almost certain an incident will occur.
  • 4 - High probability of an incident occurring.
  • 3 - Potential of a security incident in the long term.
  • 2 - Low probability of an incident occurring.
  • 1 - Very unlikely issue will cause an incident.
RISK SCALE - IMPACT
  • 5 - May cause devastating and unrecoverable impact or loss.
  • 4 - May cause a significant level of impact or loss.
  • 3 - May cause a partial impact or loss to many.
  • 2 - May cause temporary impact or loss.
  • 1 - May cause minimal or un-noticeable impact.
The risk level is then calculated using a sum of these two values, creating a value of 10 to 1 with 10 being the highest level of security risk.
Critical
High
Medium
Low
Informational
  • 10 - CRITICAL
  • 9 - 8 - HIGH
  • 7 - 6 - MEDIUM
  • 5 - 4 - LOW
  • 3 - 1 - VERY LOW AND INFORMATIONAL

5. SCOPE

Out-of-Scope: New features/implementations after the remediation commit IDs.

6. Assessment Summary & Findings Overview

Critical

2

High

1

Medium

1

Low

3

Informational

2

Impact x Likelihood

HAL-01

HAL-02

HAL-04

HAL-03

HAL-05

HAL-06

HAL-07

HAL-08

HAL-09

Security analysisRisk levelRemediation Date
HAL-01 - SQL INJECTIONCriticalSolved - 02/22/2024
HAL-02 - DENIAL OF SERVICECriticalSolved - 02/22/2024
HAL-03 - MAIL SERVER MISCONFIGURATIONHighSolved - 05/27/2024
HAL-04 - LACK OF RESOURCES AND RATE LIMITINGMediumFuture Release
HAL-05 - MULTIPLE TLS MISCONFIGURATIONLowSolved - 05/27/2024
HAL-06 - MISSING SECURITY HEADERSLowFuture Release
HAL-07 - VERBOSE ERROR MESSAGESLowSolved - 05/27/2024
HAL-09 - RESPONSE MANIPULATION OR RESPONSE TAMPERINGInformationalAcknowledged
HAL-08 - IMPROPER INPUT VALIDATIONInformationalSolved - 05/27/2024

7. Findings & Tech Details

7.1 (HAL-01) SQL INJECTION

// Critical

Description

The bitsCrunch backend API is vulnerable to the SQL Injection Vulnerability. SQL injection (SQLi) refers to an injection attack in which an attacker can execute malicious SQL statements that control a web application's database server and is implementation-dependent.

The attacker can read, delete, update database data/tables, executing malicious commands. The endpoints found vulnerable was devnet with parameter /XXXXX?search=<vulnerable> to SQL injection attack (time based).

GET /api/profile/operator/0x9899f7313dc7435e21041ecca7c8adc6edc11532?limit=5&offset=0&search=NjTVGx'%7c%7cpg_sleep(20)-- 
HTTP/2Host: devnet-app.bitscrunch.com
Accept-Encoding: gzip, deflate, br
Accept: application/json, text/plain, /
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Cache-Control: max-age=0
Cookie: GAESA=123asd123; pkid.9.285b=5a686a8be2d674bf.1707751267.; pkses.9.285b=1
Referer: https://devnet-app.bitscrunch.com/profile/0x9899f7313dc7435e21041ecca7c8adc6edc11532/operator
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
Sec-Ch-Ua-Platform: Windows
Sec-Ch-Ua-Mobile: ?0

It was possible to retrieve all the database info, such as: tables, columns, users, permissions, and all data.

Note: The input POST/PUT/DELETE request or any write action over the BBDD was not checked since Halborn didn't want to compromise the integrity of the bitsCrunch database.


sqlmap.jpg
database_tables.png
Score
Impact: 5
Likelihood: 5
Recommendation

It is recommended to use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, thus solving SQL injection.

Remediation

SOLVED: The critical issue was solved by implementing proper parameterized queries.

7.2 (HAL-02) DENIAL OF SERVICE

// Critical

Description

Denial of Service (DoS) vulnerability that arises from the exploitation of SQL Injection (SQLi) vulnerabilities, specifically through the use of the PostgreSQL pg_sleep function. By injecting malicious SQL queries that include the pg_sleep function, an attacker can induce significant delays in the processing of database queries, effectively causing a denial of service for legitimate users and applications dependent on the database.

pg_sleep is a function in PostgreSQL that pauses the execution of a query for a specified amount of time (in seconds). While designed for legitimate uses such as process timing and testing, in the hands of an attacker, it becomes a tool for inducing deliberate delays in database response times.

The exploitation involves an attacker identifying a SQL injection point within an application that interacts with a PostgreSQL database. The attacker then crafts a query incorporating the pg_sleep function, causing the database to pause for a significant amount of time.


'; SELECT pg_sleep(10); --

This would cause the database to halt processing for 10 seconds, if injected into a vulnerable SQL query. Repeated or concurrent exploitation of this vulnerability can overwhelm the database, resulting in a DoS condition where legitimate requests cannot be processed in a timely manner.

Furthermore, there was not found any rate limit mechanisms (we have the PoC of sending +300req/min) which chained with this pg_sleep(20) could stack a high amount of requests with the sleep which will cause a major DoS on the application.

Note: A video PoC was shared with the client showing the impact of the vulnerability.

Score
Impact: 5
Likelihood: 5
Recommendation

It is recommended to use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, thus solving SQL injection.

Remediation

SOLVED: The critical issue was solved by implementing proper parameterized queries.

7.3 (HAL-03) MAIL SERVER MISCONFIGURATION

// High

Description

bitsCrunch mail server contained multiple misconfigurations, allowing an attacker to impersonate emails as bitsCrunch and performing scams/fraud/phishing users, which may result in financial and customer loss.

Proof of Concept
  • An email was sent under false pretences, purporting to originate from the email address noreply@bitscrunch.com.

email1.png
  • The individual identified as the victim, with the email address pau.carrasco@halborn.com, received an email from the attacker, who had assumed the identity of gobi@bitscrunch.com.

email2.png

  • Victim access malicious website.


email3.png
Score
Impact: 4
Likelihood: 4
Recommendation

Configure the SPF and DMARC records with the appropriate policies, preventing an attacker from spoofing emails on behalf of the company.

Remediation

SOLVED: The issue was solved by configuring the SPF v=spf1 include:_spf.google.com ~all and the DMARK to v=DMARC1; p= quarantine; rua=mailto:dd62a1cbfae64407adc2335298e1df48@dmarc-reports.cloudflare.net


7.4 (HAL-04) LACK OF RESOURCES AND RATE LIMITING

// Medium

Description

API requests consume resources such as network, CPU, memory, storage, and budget. This vulnerability occurs when too many requests arrive simultaneously, and the API does not have enough compute resources to handle those requests or increases the price of the invoice if using a pay-per-use mode.

An attacker could exploit this vulnerability to overload the API by sending more requests than it can handle. As a result, the API becomes unavailable or unresponsive to new requests.

Proof of Concept
ratelimit.png

NOTE: It was possible to send a lot of requests in a short time frame (300req/min).

Score
Impact: 4
Likelihood: 3
Recommendation

This vulnerability is due to the application accepting requests from users at a given time without performing request throttling checks. It is recommended to follow the following best practices:

- Implement a limit on how often a client can call the API within a defined timeframe.

- Notify the client when the limit is exceeded by providing the limit number and the time the limit will be reset.

Remediation

PENDING: The issue will be solved by implementing correct rate limit in a future release. Client already implemented Cloudflare, but the issue is not completely solved.


7.5 (HAL-05) MULTIPLE TLS MISCONFIGURATION

// Low

Description

Deprecated TLS Versions Offered is a security vulnerability that occurs when a server or application continues to support outdated and insecure versions of the Transport Layer Security (TLS) protocol. This exposes users to potential man-in-the-middle attacks, data interception, and decryption of sensitive information by malicious actors. Regularly updating and configuring systems to use only the latest, secure TLS versions is crucial in mitigating this risk and maintaining the integrity of data transmissions.


deprecated-tls-offered.png
Score
Impact: 3
Likelihood: 1
Recommendation

As the application functionality was hosted across multiple servers, the TLS configuration of each should be reviewed and updated to comply with security best practice and to minimize the risk of existing and future TLS vulnerabilities. \begin{itemize} \item Support for TLS 1.0 and TLS 1.1 should be disabled.\item Support for the weak cipher suites identified above should be removed. \item Key lengths of 256 bits and above should be used for symmetric encryption algorithms and a length of 4096 bits should be used for RSA algorithms. For asymmetric keys generated with ECC algorithms, the minimum recommended key size is 512 bits. \end{itemize} References [Lucky13 Vulnerability](https://crashtest-security.com/prevent-ssl-lucky13/)

Remediation

SOLVED: The issue was solved by not supporting of TLS 1.0 and TLS 1.1 and only TLS 2.0.


7.6 (HAL-06) MISSING SECURITY HEADERS

// Low

Description

Several security headers were missing from the bitsCrunch web application. These headers used by the client browser improve the security against common attacks.

Missing important security headers;

Content Security Policy, Strict-Transport-Security and X-XSS-Protection response headers.

- Strict-Transport-Security protects HTTPS web servers from downgrade attacks. These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.

- Content-Security-Policy reduces or eliminates the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those allowed domains, ignoring all other scripts (including inline scripts and event-handling HTML attributes).

- X-XSS-Protection prevents pages from loading when they detect reflected cross-site scripting (XSS) attacks.

Score
Impact: 2
Likelihood: 2
Recommendation

Consider adding the response headers Strict-Transport-Security and X-Frame-Options with appropriate policies.

Remediation

PENDING: The issue will be solved by configuring the headers mentioned in a future release.


7.7 (HAL-07) VERBOSE ERROR MESSAGES

// Low

Description

Improper handling of errors can introduce a variety of security problems for software. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user.

These messages reveal implementation details that should never be revealed. Such details can provide hackers important clues on potential flaws in the site, and such messages are also disturbing to normal users.


Proof of Concept
error.png
Score
Impact: 2
Likelihood: 2
Recommendation

Make all cryptography-related error messages more generic. Another way to fix this issue could be implementing the error code - error message mapping.


Remediation

SOLVED: The issue was solved by limiting the error handling on the application.


7.8 (HAL-09) RESPONSE MANIPULATION OR RESPONSE TAMPERING

// Informational

Description

The current way the front end handles the user session was by directly requesting the backend the user information, it was possible to modify the request or the response to make the front end trust the input data and load the view.

It was important to mention that it does not mean that when performing the response, manipulation was possible to do the actions. However, it was possible to load the views in the front end as an operator or add data such as account number, etc.

Proof of Concept
tampering.png
Score
Impact: 1
Likelihood: 2
Recommendation

Verify in the front end that the user loaded data does correspond with the role user. Moreover, do not let restricted views from the backend to be served to non-authorized users.


Remediation

ACKNOWLEDGED: The bitsCrunch team acknowledged the issue.


7.9 (HAL-08) IMPROPER INPUT VALIDATION

// Informational

Description

The application does not validate or incorrectly validates the input from the user, which has not the properties that are required to process the data safely and correctly.

It is possible to safe information which contains characters such as &, >, <, ", ', {, }, [, ], # etc. which can potentially lead to other vulnerabilities such as:

- Cross site scripting

- SQL Injection

- Server site template injection

and so on. These characters are not being sanitized, in the frontend.


Proof of Concept

1. Introduce the characters in inputs fields.

validation.png
Score
Impact: 1
Likelihood: 1
Recommendation

Input validation should be applied on both syntactical and Semantic level. Syntactic validation should enforce correct syntax of structured fields (e.g. SSN, date, currency symbol). Semantic validation should enforce correctness of their values in the specific business context (e.g. start date is before end date, price is within expected range).

It is always recommended to prevent attacks as early as possible in the processing of the user's (attacker's) request. Input validation can be used to detect unauthorized input before it is processed by the application.

Remediation

SOLVED: The issue was solved by filtering the input characters on the application.


Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.

© Halborn 2024. All rights reserved.