In the realm of cybersecurity, vigilance is paramount. As technology rapidly evolves, so too do the exploitation methods available to malicious attackers. In this dynamic environment, organizations must deploy proactive defense mechanisms to harden their digital fortress against potential breaches. One such important defense mechanism is penetration testing: a proactive cybersecurity measure that discovers vulnerabilities by simulating attacks on computer systems or networks. This article takes a deep dive into a recent penetration testing project that revealed critical vulnerabilities, highlighting the importance of proactive security measures in an increasingly complex digital world.
During a routine penetration test for a client, the Deloitte Middle East Cybersecurity team discovered a seemingly innocuous subdomain housing a third-party application, Vaales Technologies' V-QRS application. V-QRS is a software application that allows any business to create digital business cards based on quick response (QR) codes and near field communication (NFC) systems. The system consists of an online dashboard in a mobile app and a web application.
Often overlooked, such hidden corners of a digital estate can serve as entry points for malicious attackers. Recognizing the importance of a thorough inspection, we examined the subdomain closely. The review revealed two critical vulnerabilities: an insecure direct object reference (IDOR) and a structured query language (SQL) injection, in which malicious queries inserted into input fields allow an attacker to manipulate the backend database. Exploitation of these vulnerabilities could allow unauthorized access to sensitive data, compromising the system's integrity and confidentiality.
In the digital environment, IDOR (A01:2021 – Broken Access Control in the OWASP Top 10) remains a persistent threat. This vulnerability occurs when an application fails to properly validate whether the requesting user is allowed to access a resource. IDOR allows attackers to bypass access controls and gain unauthorized access to restricted functionality and data. In this case, thorough testing revealed that user permissions were not enforced on the profile endpoint, leaving the system open to manipulation.
During the penetration test we came across the URL https://SANITIZED/user-profile/6/Da**va. Here “6” is a sequential identifier and “Da**va” is the employee's full name. The page exposed the individual's name, title (Head of Finance), phone numbers (including a personal one), work email and a photo that the company had chosen not to make public.
The team then decided to investigate whether additional data could be extracted from the portal, in particular about the CEO. As a first test we changed the number in the request from “6” to “1”. Initially the team expected this to fail unless the matching real name was supplied, but to our surprise the system responded positively even with an arbitrary name in place of the real one, revealing the CEO's information.
Having confirmed the IDOR alongside the application's misconfiguration, we decided to test how far the exposure reached across the company. Using Burp Suite (a web penetration testing tool), we were able to retrieve company-wide employee data, including names, job titles, personal phone numbers and email addresses.
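The enumeration described above leaves a recognisable trace in web server logs: one client fetching many distinct profile identifiers in a short time. The following is an added example (not code from the original article, Deloitte or V-QRS) of detection logic a defender could run over access logs. The log line format, client addresses, timestamps and threshold are constructed assumptions; only the `/user-profile/<id>/<name>` path shape comes from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real V-QRS logs). The path shape follows the
# /user-profile/<id>/<name> pattern from the article; addresses and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 [2024-01-15T10:00:01] GET /user-profile/6/Da**va 200
10.0.0.5 [2024-01-15T10:00:02] GET /user-profile/1/test 200
10.0.0.5 [2024-01-15T10:00:03] GET /user-profile/2/test 200
10.0.0.5 [2024-01-15T10:00:04] GET /user-profile/3/test 200
10.0.0.5 [2024-01-15T10:00:05] GET /user-profile/4/test 200
10.0.0.5 [2024-01-15T10:00:06] GET /user-profile/5/test 200
10.0.0.9 [2024-01-15T10:00:07] GET /user-profile/6/Da**va 200
10.0.0.9 [2024-01-15T10:05:07] GET /user-profile/6/Da**va 200
"""

# Assumed log layout: "<ip> [<iso timestamp>] <method> <path> <status>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>\S+) '
    r'/user-profile/(?P<id>\d+)/(?P<name>[^ ]*) (?P<status>\d{3})$'
)


def parse_log(text):
    """Yield (ip, timestamp, profile_id, status) for every user-profile request."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m['ip'], datetime.fromisoformat(m['ts']), int(m['id']), int(m['status']))


def find_enumerators(text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: sorted distinct profile ids} for clients that successfully fetched
    at least `threshold` distinct profile ids inside any sliding window of `window`."""
    by_ip = defaultdict(list)
    for ip, ts, pid, status in parse_log(text):
        if status == 200:            # only successful reads count as exposure
            by_ip[ip].append((ts, pid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # ids fetched from this event up to `window` later (events are time-sorted)
            ids = {pid for ts, pid in events[i:] if ts - start <= window}
            if len(ids) >= threshold:
                flagged[ip] = sorted({pid for _, pid in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"possible IDOR enumeration from {ip}: profile ids {ids}")
```

On the sample above only `10.0.0.5` is reported, because it read six different profiles within five seconds, while `10.0.0.9` requesting the same profile twice is normal behaviour. A cheap complement at the application layer is to log when the name segment in the URL does not match the record returned, since the article notes the application accepted an arbitrary name.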
At first glance this may seem harmless, since the data appears to be “public” and intended for sharing. Once such information is accessible in bulk, however, it can be misused by black hat hackers (cyber criminals) for malicious purposes: personalized phishing emails and phone calls, fake advertisements, and flooding of communication channels. Armed with personal information, black hat hackers can also attempt brute-force attacks against external OWA (Outlook Web Access) and other login portals; once an account is compromised, they can mount attacks against Active Directory logins and cause severe damage. Further investigation traced the flaw to two files and showed that the input validation mechanism was weak, paving the way for potential SQL injection attacks.
SQL injection (A03:2021 – Injection in the OWASP Top 10) represents another formidable adversary in the cybersecurity field. The impact of a successful exploit can range from data leakage to complete system compromise.
In our case the earlier request https://SANITIZED/user-profile/6/Da**va looks very much like a database lookup, where “6” is simply the ID column of the users table. The query behind it was something like `SELECT * FROM users WHERE id='6'`. With this in mind we supplied crafted input in that field, set up SQLmap and confirmed a blind SQL injection. As a result of this reconnaissance we were able to extract database usernames and password hashes, which were used in subsequent stages of the penetration test.
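Both findings come down to the same handler: the profile lookup splices the path segment into the SQL text and never asks whether the caller may see that record. The following added example (not the application's code, nor Deloitte's) shows that pattern beside a hardened version that fixes both defects. The schema, the in-memory SQLite store, the names and the admin role are constructed assumptions; the article only implies a `users` table keyed by `id`.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the application's user store (made-up data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, title TEXT, personal_phone TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "C. Example", "CEO", "+000-0000001"),
        (6, "D. Example", "Head of Finance", "+000-0000006"),
        (7, "E. Example", "Analyst", "+000-0000007"),
    ])
    return conn


def profile_vulnerable(conn, user_id):
    """Mirrors the flaw described in the article: the URL segment goes straight into
    the SQL text (injection) and no check is made that the caller may view the record (IDOR)."""
    sql = f"SELECT id, name, title, personal_phone FROM users WHERE id='{user_id}'"
    return conn.execute(sql).fetchall()


class Forbidden(Exception):
    """Raised when object-level authorization fails."""


def profile_hardened(conn, requester_id, requester_is_admin, user_id):
    """Two fixes: (1) object-level authorization, a user may read only their own record
    unless they hold an admin role (assumed role model); (2) a parameterized query, so the
    id is bound as a value and can never alter the statement's structure."""
    try:
        target = int(user_id)          # reject anything that is not a plain integer id
    except (TypeError, ValueError):
        raise ValueError("user id must be an integer")
    if not requester_is_admin and target != requester_id:
        raise Forbidden(f"user {requester_id} may not read profile {target}")
    return conn.execute(
        "SELECT id, name, title, personal_phone FROM users WHERE id=?", (target,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # The vulnerable path lets user 6 read the CEO's record (the "6" -> "1" step in the article).
    print("vulnerable:", profile_vulnerable(db, "1"))
    try:
        profile_hardened(db, requester_id=6, requester_is_admin=False, user_id="1")
    except Forbidden as exc:
        print("hardened:", exc)
```

The integer cast is not what stops injection (the bound parameter does that); it exists so that the authorization comparison is made against a real identifier and malformed input is rejected with a clear error before any query runs. The authorization rule should live in the handler for every object-returning endpoint, not only this one, since the article's finding was that permissions were not enforced at all.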
Armed with our findings, we turned to MITRE CVE (Common Vulnerabilities and Exposures), which provides a standardized naming convention for identifying and tracking publicly known security vulnerabilities. We promptly reported the vulnerabilities to the organization that maintains the CVE list, an essential step in promoting transparency and collaboration within the cybersecurity community. We were then assigned two CVE numbers: CVE-2024-24312 (SQLi) and CVE-2024-24313 (IDOR). This expedited the dissemination of critical information to stakeholders and enabled rapid remediation efforts.
The course of this penetration testing project highlighted the constant need for proactive cybersecurity measures. By carefully identifying and addressing vulnerabilities, organizations can strengthen their defenses against emerging threats. Collaboration, transparency, and swift action are the cornerstones of effective cybersecurity and ensure a resilient digital ecosystem for everyone.
by Ali Khan, Partner, Risk Advisory, and Ivan Glinkin, Senior Manager, Infrastructure Security, Deloitte Middle East
References
- https://www.cve.org/CVERecord?id=CVE-2024-24312
- https://www.cve.org/CVERecord?id=CVE-2024-24313
- https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/04-Testing_for_Insecure_Direct_Object_References
- https://owasp.org/www-community/attack/SQL_Injection
- https://v-qrs.com/