The first FLOSSHack workshop will be held on July 1st, 2012 from noon to 4pm at Free Geek. The workshop's target will be the Ushahidi platform. An overview of the FLOSSHack workflow can be found on the "FLOSSHack for Participants" page. The primary organizers for this event are Timothy D. Morgan and Wil Clouser.
If you want to check out the code separately from the VM, the version of the source code for audit is the latest commit on the master branch. This can be obtained with:
git clone -b master git://github.com/ushahidi/Ushahidi_Web.git
Once the workshop begins, a Google+ Hangout will be created that remote participants may join. To receive an invite, please email
tim . morgan |at|
owasp . org with your Google email address/ID. In addition to Hangouts, the session will be streamed live on YouTube. A URL will be posted here later today for accessing that feed.
You are welcome to start looking for vulnerabilities right now. If you do find any vulnerabilities in the application prior to the workshop, please email them to
tim . morgan |at|
owasp . org. That way you get credit for them if you're the first to find a given flaw. At the end of the workshop, there will be prizes for both finding the "best" vulnerability and for finding the most vulnerabilities. Also, be sure to keep any flaws you find under wraps so that way Ushahidi has some time to correct everything before they are made public.
Ideas for Attacks
The application is designed to gather information about events from the general public and combine them into useful statistical and geographic reports. The following attack scenarios seem relevant (not all-inclusive):
- Cross-site Scripting (XSS): plenty of places to enter data and have it displayed later by other users. Reflected attacks also interesting
- SQL Injection: Using PHP with a MySQL database
- Authorization: supports user-defined roles. These roles can be configured with various sets of built-in access rights as well as an access level feature designed for controlling access to custom forms. Certainly any bypass of this privilege system would be interesting. Try setting up accounts with different privilege levels and see if you can get around any restrictions.
- File uploads: several forms allow file uploads of various types. These are frequently vectors for a variety of attacks, including directory traversal, uploads of executable content (like .php scripts within the web root), XSS via filenames and content, HTTP header injection via file names, and other content-type/file extension shenanigans.
- Privacy concerns: in some deployments, the application is used to gather reports of civil/human rights violations by governments and other entities. If you see a flaw in the application that could leak reporters' identities, this could be devastating for these deployments
- Software deployment: The provided VM is distinctly not security-hardened, so if you see a problem in the web server, database, or filesystem configuration, it may not be very relevant. However, if you find something along these lines and you find that the instructions in the Installation Guide would cause this same problem to come up for normal users, then it is definitely worth noting.
- The provided VM image apparently does not have PHP's GD imaging library packages installed. You'll want to install the
php5-gdpackage. This may cause a packaging conflict with the underlying GD library, but you can resolve it by installing the
libgd2-xpmversion of the GD library. After doing this, then restart PHP with:
- You may find it helpful to turn on PHP error reporting to immediately see in the UI when certain errors could be exploitable. To do this, edit the
/etc/php5/fpm/php.inifile, add the following line, and then restart PHP:
display_errors = On
Good luck and happy hunting!