Prepared by:
HALBORN
Last Updated 11/12/2024
Date of Engagement by: February 6th, 2024 - February 23rd, 2024
100% of all REPORTED Findings have been addressed
All findings
9
Critical
2
High
1
Medium
1
Low
3
Informational
2
bitsCrunch
engaged Halborn to conduct a blackbox assesment
beginning on {startDate} and ending on {endDate} of their bitsCrunch App
. The security assessment was scoped to GitHub source code to the Halborn team.
The team at Halborn was provided two weeks for the white-box pentest and assigned a full-time security engineer to verify the security of the staging's web applications. The security engineer is a penetration testing expert with advanced knowledge in web, recon, discovery & infrastructure penetration testing.
The goals of our security assessments are to improve the quality of systems by testing this as white-box approach to have an attacker perspective of targeting the staging web application.
In summary, Halborn identified security risks that were mostly addressed by the bitsCrunch team
.
Halborn followed a black-box approach and performed a combination of manual and automated security testing to balance efficiency, timeliness, practicality, and accuracy regarding the scope of the pentest. While manual testing is recommended to uncover flaws in logic, process and implementation; automated testing techniques assist enhance coverage of the infrastructure and can quickly identify flaws in it. The following phases and associated tools were used throughout the term of the assessment:
- Mapping Content and Functionality
- Logic Flaws
- Access Handling
- Authentication/Authorization Flaws
- Rate Limitations Tests
- Brute Force Attempts
- Input Handling
- Response Manipulation
- Source Code Review
- Fuzzing of all input parameters
- Multiple Type of Injection (SQL/JSON/HTML/Command)
Critical
2
High
1
Medium
1
Low
3
Informational
2
Impact x Likelihood
HAL-01
HAL-02
HAL-04
HAL-03
HAL-05
HAL-06
HAL-07
HAL-08
HAL-09
Security analysis | Risk level | Remediation Date |
---|---|---|
HAL-01 - SQL INJECTION | Critical | Solved - 02/22/2024 |
HAL-02 - DENIAL OF SERVICE | Critical | Solved - 02/22/2024 |
HAL-03 - MAIL SERVER MISCONFIGURATION | High | Solved - 05/27/2024 |
HAL-04 - LACK OF RESOURCES AND RATE LIMITING | Medium | Future Release |
HAL-05 - MULTIPLE TLS MISCONFIGURATION | Low | Solved - 05/27/2024 |
HAL-06 - MISSING SECURITY HEADERS | Low | Future Release |
HAL-07 - VERBOSE ERROR MESSAGES | Low | Solved - 05/27/2024 |
HAL-09 - RESPONSE MANIPULATION OR RESPONSE TAMPERING | Informational | Acknowledged |
HAL-08 - IMPROPER INPUT VALIDATION | Informational | Solved - 05/27/2024 |
// Critical
The bitsCrunch
backend API is vulnerable to the SQL Injection Vulnerability. SQL injection (SQLi) refers to an injection attack in which an attacker can execute malicious SQL statements that control a web application's database server and is implementation-dependent.
The attacker can read, delete, update database data/tables, executing malicious commands. The endpoints found vulnerable was devnet with parameter /XXXXX?search=<vulnerable> to SQL injection attack (time based).
GET /api/profile/operator/0x9899f7313dc7435e21041ecca7c8adc6edc11532?limit=5&offset=0&search=NjTVGx'%7c%7cpg_sleep(20)--
HTTP/2Host: devnet-app.bitscrunch.com
Accept-Encoding: gzip, deflate, br
Accept: application/json, text/plain, /
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Cache-Control: max-age=0
Cookie: GAESA=123asd123; pkid.9.285b=5a686a8be2d674bf.1707751267.; pkses.9.285b=1
Referer: https://devnet-app.bitscrunch.com/profile/0x9899f7313dc7435e21041ecca7c8adc6edc11532/operator
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
Sec-Ch-Ua-Platform: Windows
Sec-Ch-Ua-Mobile: ?0
It was possible to retrieve all the database info, such as: tables, columns, users, permissions, and all data.
Note: The input POST/PUT/DELETE request or any write action over the BBDD was not checked since Halborn
didn't want to compromise the integrity of the bitsCrunch
database.
It is recommended to use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, thus solving SQL injection.
SOLVED: The critical issue was solved by implementing proper parameterized queries.
// Critical
Denial of Service (DoS) vulnerability that arises from the exploitation of SQL Injection (SQLi) vulnerabilities, specifically through the use of the PostgreSQL pg_sleep function. By injecting malicious SQL queries that include the pg_sleep function, an attacker can induce significant delays in the processing of database queries, effectively causing a denial of service for legitimate users and applications dependent on the database.
pg_sleep is a function in PostgreSQL that pauses the execution of a query for a specified amount of time (in seconds). While designed for legitimate uses such as process timing and testing, in the hands of an attacker, it becomes a tool for inducing deliberate delays in database response times.
The exploitation involves an attacker identifying a SQL injection point within an application that interacts with a PostgreSQL database. The attacker then crafts a query incorporating the pg_sleep function, causing the database to pause for a significant amount of time.
'; SELECT pg_sleep(10); --
This would cause the database to halt processing for 10 seconds, if injected into a vulnerable SQL query. Repeated or concurrent exploitation of this vulnerability can overwhelm the database, resulting in a DoS condition where legitimate requests cannot be processed in a timely manner.
Furthermore, there was not found any rate limit mechanisms (we have the PoC of sending +300req/min) which chained with this pg_sleep(20) could stack a high amount of requests with the sleep which will cause a major DoS on the application.
Note: A video PoC was shared with the client showing the impact of the vulnerability.
It is recommended to use parameterized queries when dealing with SQL queries that contain user input. Parameterized queries allow the database to understand which parts of the SQL query should be considered as user input, thus solving SQL injection.
SOLVED: The critical issue was solved by implementing proper parameterized queries.
// High
bitsCrunch
mail server contained multiple misconfigurations, allowing an attacker to impersonate emails as bitsCrunch
and performing scams/fraud/phishing users, which may result in financial and customer loss.
An email was sent under false pretences, purporting to originate from the email address noreply@bitscrunch.com
.
The individual identified as the victim, with the email address pau.carrasco@halborn.com
, received an email from the attacker, who had assumed the identity of gobi@bitscrunch.com
.
Victim access malicious website.
Configure the SPF
and DMARC
records with the appropriate policies, preventing an attacker from spoofing emails on behalf of the company.
SOLVED: The issue was solved by configuring the SPF v=spf1 include:_spf.google.com ~all
and the DMARK to v=DMARC1; p= quarantine; rua=mailto:dd62a1cbfae64407adc2335298e1df48@dmarc-reports.cloudflare.net
// Medium
API requests consume resources such as network, CPU, memory, storage, and budget. This vulnerability occurs when too many requests arrive simultaneously, and the API does not have enough compute resources to handle those requests or increases the price of the invoice if using a pay-per-use mode.
An attacker could exploit this vulnerability to overload the API by sending more requests than it can handle. As a result, the API becomes unavailable or unresponsive to new requests.
NOTE: It was possible to send a lot of requests in a short time frame (300req/min).
This vulnerability is due to the application accepting requests from users at a given time without performing request throttling checks. It is recommended to follow the following best practices:
- Implement a limit on how often a client can call the API within a defined timeframe.
- Notify the client when the limit is exceeded by providing the limit number and the time the limit will be reset.
PENDING: The issue will be solved by implementing correct rate limit in a future release. Client already implemented Cloudflare, but the issue is not completely solved.
// Low
Deprecated TLS Versions Offered is a security vulnerability that occurs when a server or application continues to support outdated and insecure versions of the Transport Layer Security (TLS) protocol. This exposes users to potential man-in-the-middle attacks, data interception, and decryption of sensitive information by malicious actors. Regularly updating and configuring systems to use only the latest, secure TLS versions is crucial in mitigating this risk and maintaining the integrity of data transmissions.
As the application functionality was hosted across multiple servers, the TLS configuration of each should be reviewed and updated to comply with security best practice and to minimize the risk of existing and future TLS vulnerabilities. \begin{itemize} \item Support for TLS 1.0 and TLS 1.1 should be disabled.\item Support for the weak cipher suites identified above should be removed. \item Key lengths of 256 bits and above should be used for symmetric encryption algorithms and a length of 4096 bits should be used for RSA algorithms. For asymmetric keys generated with ECC algorithms, the minimum recommended key size is 512 bits. \end{itemize} References [Lucky13 Vulnerability](https://crashtest-security.com/prevent-ssl-lucky13/)
SOLVED: The issue was solved by not supporting of TLS 1.0 and TLS 1.1 and only TLS 2.0.
// Low
Several security headers were missing from the bitsCrunch web application. These headers used by the client browser improve the security against common attacks.
Missing important security headers;
Content Security Policy, Strict-Transport-Security and X-XSS-Protection response headers.
- Strict-Transport-Security
protects HTTPS web servers from downgrade attacks. These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.
- Content-Security-Policy
reduces or eliminates the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. A CSP compatible browser will then only execute scripts loaded in source files received from those allowed domains, ignoring all other scripts (including inline scripts and event-handling HTML attributes).
- X-XSS-Protection
prevents pages from loading when they detect reflected cross-site scripting (XSS) attacks.
Consider adding the response headers Strict-Transport-Security
and X-Frame-Options
with appropriate policies.
PENDING: The issue will be solved by configuring the headers mentioned in a future release.
// Low
Improper handling of errors can introduce a variety of security problems for software. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user.
These messages reveal implementation details that should never be revealed. Such details can provide hackers important clues on potential flaws in the site, and such messages are also disturbing to normal users.
Make all cryptography-related error messages more generic. Another way to fix this issue could be implementing the error code - error message
mapping.
SOLVED: The issue was solved by limiting the error handling on the application.
// Informational
The current way the front end handles the user session was by directly requesting the backend the user information, it was possible to modify the request or the response to make the front end trust the input data and load the view.
It was important to mention that it does not mean that when performing the response, manipulation was possible to do the actions. However, it was possible to load the views in the front end as an operator or add data such as account number, etc.
Verify in the front end that the user loaded data does correspond with the role user. Moreover, do not let restricted views from the backend to be served to non-authorized users.
ACKNOWLEDGED: The bitsCrunch team acknowledged the issue.
// Informational
The application does not validate or incorrectly validates the input from the user, which has not the properties that are required to process the data safely and correctly.
It is possible to safe information which contains characters such as &, >, <, ", ', {, }, [, ], #
etc. which can potentially lead to other vulnerabilities such as:
- Cross site scripting
- SQL Injection
- Server site template injection
and so on. These characters are not being sanitized, in the frontend.
1. Introduce the characters in inputs fields.
Input validation should be applied on both syntactical and Semantic level. Syntactic validation should enforce correct syntax of structured fields (e.g. SSN, date, currency symbol). Semantic validation should enforce correctness of their values in the specific business context (e.g. start date is before end date, price is within expected range).
It is always recommended to prevent attacks as early as possible in the processing of the user's (attacker's) request. Input validation can be used to detect unauthorized input before it is processed by the application.
SOLVED: The issue was solved by filtering the input characters on the application.
Halborn strongly recommends conducting a follow-up assessment of the project either within six months or immediately following any material changes to the codebase, whichever comes first. This approach is crucial for maintaining the project’s integrity and addressing potential vulnerabilities introduced by code modifications.
// Download the full report
* Use Google Chrome for best results
** Check "Background Graphics" in the print settings if needed