Difference between revisions of "FLOSSHack One"

From OWASP
Revision as of 12:59, 1 July 2012

The first FLOSSHack workshop will be held on July 1st, 2012 from noon to 4pm at Free Geek. The workshop's target will be the Ushahidi platform. An overview of the FLOSSHack workflow can be found on the "FLOSSHack for Participants" page. The primary organizers for this event are Timothy D. Morgan and Wil Clouser.



Getting Started

The Ushahidi developers have provided us a virtual machine image which has a recent version of the platform pre-installed. You can obtain this here (the online README).

If you want to check out the code separately from the VM, the version of the source code for audit is the latest commit on the master branch. This can be obtained with:

 git clone -b master git://github.com/ushahidi/Ushahidi_Web.git


Joining Remotely

Once the workshop begins, a Google+ Hangout will be created that remote participants may join. To receive an invite, please email tim . morgan |at| owasp . org with your Google email address/ID. In addition to Hangouts, the session will be streamed live on YouTube. A URL will be posted here later today for accessing that feed.


Competition Notes

You are welcome to start looking for vulnerabilities right now. If you do find any vulnerabilities in the application prior to the workshop, please email them to tim . morgan |at| owasp . org. That way you get credit for them if you're the first to find a given flaw. At the end of the workshop, there will be prizes both for finding the "best" vulnerability and for finding the most vulnerabilities. Also, be sure to keep any flaws you find under wraps so that Ushahidi has some time to correct everything before they are made public.


Ideas for Attacks

The application is designed to gather information about events from the general public and combine them into useful statistical and geographic reports. The following attack scenarios seem relevant (not all-inclusive):

  • Cross-site Scripting (XSS): plenty of places to enter data and have it displayed later by other users. Reflected attacks are also interesting.
  • SQL Injection: the application uses PHP with a MySQL database.
  • Authorization: supports user-defined roles. These roles can be configured with various sets of built-in access rights as well as an access level feature designed for controlling access to custom forms. Certainly any bypass of this privilege system would be interesting. Try setting up accounts with different privilege levels and see if you can get around any restrictions.
  • File uploads: several forms allow file uploads of various types. These are frequently vectors for a variety of attacks, including directory traversal, uploads of executable content (like .php scripts within the web root), XSS via filenames and content, HTTP header injection via file names, and other content-type/file extension shenanigans.
  • Privacy concerns: in some deployments, the application is used to gather reports of civil/human rights violations by governments and other entities. If you see a flaw in the application that could leak reporters' identities, this could be devastating for these deployments.
  • Software deployment: the provided VM is distinctly not security-hardened, so if you see a problem in the web server, database, or filesystem configuration, it may not be very relevant. However, if you find something along these lines and you find that the instructions in the Installation Guide would cause this same problem to come up for normal users, then it is definitely worth noting.
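For reviewers who want a concrete reference point for the file-upload item above, here is a hardened PHP upload handler to compare the application's own code against. This is an added example, not Ushahidi's upload code; the names `ALLOWED_UPLOADS`, `UPLOAD_DIR`, `store_upload` and `download_headers`, and the storage path, are all hypothetical. Each check is annotated with the attack from the list that it neutralizes (traversal, executable content in the web root, header injection via filenames, content-type mismatch).

```php
<?php
// Added example (not Ushahidi code): a hardened upload handler. Requires PHP 7+
// for random_bytes() and scalar type hints. All names here are hypothetical.

// Allowed extensions mapped to the MIME type that finfo must report for the
// file's actual bytes. Script-interpretable extensions (php, phtml, phar,
// .htaccess, ...) are deliberately absent from the allowlist.
const ALLOWED_UPLOADS = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Storage location outside the web root (assumed path), so a stored file is
// never executed or served directly by the web server even if a check fails.
const UPLOAD_DIR = '/var/lib/app-uploads';

/**
 * Validates one entry of $_FILES and moves it to a server-generated filename.
 * Returns the stored path, or throws with a reason suitable for logging.
 */
function store_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    // Only trust files PHP itself received through this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Take only the extension from the client-supplied name, lower-cased. The
    // rest of the name is discarded, which removes directory traversal
    // ("../../x.png"), NUL bytes and CR/LF (Content-Disposition injection) in
    // one step; a NUL or newline inside the extension simply fails the lookup.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        throw new RuntimeException('extension not allowed: ' . bin2hex($ext));
    }

    // Check the bytes, not $file['type'], which the client controls.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED_UPLOADS[$ext]) {
        throw new RuntimeException('content does not match extension: ' . $detected);
    }

    // Generate the on-disk name ourselves so no user input reaches the
    // filesystem. Double extensions such as "shell.php.jpg" therefore never
    // survive to disk; the original name, if needed, belongs in the database
    // and must be HTML-encoded when displayed (the XSS-via-filename case).
    $stored = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $stored)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($stored, 0640);  // not executable, not world-readable
    return $stored;
}

/**
 * Headers for serving a stored file back through a script. The Content-Type
 * comes from the allowlist, never from the stored metadata, and any display
 * name is scrubbed of CR, LF, quotes and control bytes before it reaches the
 * Content-Disposition header (the header-injection case).
 */
function download_headers(string $ext, string $displayName): array
{
    $safeName = preg_replace('/[\r\n"\\\\\x00-\x1F\x7F]/', '_', $displayName);
    return [
        'Content-Type: ' . ALLOWED_UPLOADS[$ext],
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . $safeName . '"',
    ];
}

// Typical use inside a request handler (constructed call, not a real route):
// $path = store_upload($_FILES['report_photo']);
// foreach (download_headers('png', 'Quarterly "report".png') as $h) { header($h); }
```

When auditing the real code, the questions this example encodes are: does any part of the client-supplied filename reach the filesystem, is the extension checked against an allowlist rather than a denylist, is the content checked by bytes rather than by the client's Content-Type, does the stored file land inside the web root, and is the filename encoded before it is echoed into HTML or an HTTP header.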


Suggested Tools

Web attack proxies are probably going to be the most useful to begin with, such as Burp and ZAP. You may also find w3af and sqlmap useful.


Other Tips

  • The provided VM image apparently does not have PHP's GD imaging library packages installed. You'll want to install the php5-gd package. This may cause a packaging conflict with the underlying GD library, but you can resolve it by installing the libgd2-xpm version of the GD library. After doing this, restart PHP with:
 /etc/init.d/php5-fpm restart
  • You may find it helpful to turn on PHP error reporting to immediately see in the UI when certain errors could be exploitable. To do this, edit the /etc/php5/fpm/php.ini file, add the following line, and then restart PHP:
 display_errors = On

Good luck and happy hunting!