Blog

TOP 10 vulnerabilities from a1qa. Part 2

We keep familiarizing you with the most curios security vulnerabilities that were detected by a1qa team on real projects.
15 December 2016
Cybersecurity testing
Article by a1qa
a1qa

In our previous post security testing engineer Vadim Kulish talked about five threats that took us no long to be detected. Today we continue with the hardest nuts to crack.

#6. Executable files upload

The tested app enabled to upload .exe files that could be accessed using an absolute file path. The contents of the file were checked, while its extension – was not. The files with the php code couldn’t be uploaded either.

When we were auditing the app, we changed the php file by adding HTML elements to its beginning. The .php extension was left untouched. As a result, we got the complete access to the server and could execute console commands.

Root cause: inadequate .exe files check.

Exploitation threat: getting complete control over the web application.

#7. SQL injection

In security testing, SQL injection is a code injection to the legitimate SQL statement that is inserted into an application entry field for execution. SQL injections may be of different types:

  • Visible (the results of the attack can be seen by an attacker);
  • Blind injections (the results of the injection are not visible and to get the data we apply the brute force search: the character is valid when the app changes its workflow or the time lag appears).

Possible threats of the SQL injection:

  • Data theft;
  • Authentication bypass;
  • Getting server access control.

Sometimes, to automate the process of injection detection we use an open source penetration tool SQLMAP. However, more often we do it manually.

In our case, the injection was detected on the Home page of the website in the Search element.

Root cause: no input data check mechanisms.

Exploitation threat: getting complete access to the application database.

#8. Local files reading

We were testing the multi user application that stored personal data of its users. The app was built with defects and we could input the local file name in our entry and see the file contents.

Exploiting this vulnerability we managed to get a configuration file that allowed us to get in any account in the app. As the application allowed sending and receiving messages we could reset the users’ passwords and get the links the users would receive to change passwords. By following the link we changed passwords and logged into the app.

Root cause: no input data check mechanisms.

Exploitation threat: access to the web application configuration files.

#9. NoSQL injection

You already know that there is such a threat as a SQL injection. Are there NoSQl injections? Of course! Redis, MongoDB, memcached belong to the non-relational databases and malicious users couldn’t pass them by.

NoSQL ≠ No Injection

The main difference is that NoSQL databases don’t support SQL-like languages. Every database may use its own language. That’s why the number of potential threats increases.

When testing the app we dealt with the MongoDB database.

What did we discover?

The app had API that could be queried. The authentication to the app was implemented with a 32-character token that couldn’t be cracked. After giving a thought, we decided to manipulate the parameter. We learnt the MongoDB documentation and found out that it was possible to input regular expressions into the query and thus minimize the data for the query. As a result, the 32-character parameter was cut down to only 4 symbols that could be guessed to enter the app.

Root cause: no input data check mechanisms.

Exploitation threat:  application authentication bypassing.

#10. Race hazard

It’s probably the most interesting vulnerability we’ve ever come across and it was detected in the finance app.

The race hazard or race condition is the result of the multithreaded application poor design. When it occurs, several threads try to get a concurrent access to the shared memory location and at least one of them performs writing. As a result, the reading thread gets wrong values that were previously changed by the writing thread.

What did our team? We tried to create several concurrent queries to the web application. Actually, the web application is a good example of the multithreaded app as it may have many users working with it simultaneously. The key condition is that the writing (either of the file or to the database) should be performed. On our project, the writing was performed into the database. We generated some queries about money transfer and in return got more than we expected!

To make it more clear: for X coins a user gets Y coins. We generated 10 simultaneous queries to exchange X coins for rubles. As a result, X coins were deducted from our account and we were lucky to get 10*Y rubles.

Root cause: wrong application design.

Exploitation threat: money theft.

To avoid all these threats we urge the companies to conduct regular security checks and test the software products for all kinds of vulnerabilities.

By addressing the professional team, you’ll be confident that your solution poses no risks to users.

More Posts

2 December 2024,
by a1qa
6 min read
Addressing 4 security issues for digital transformation programs
Find out the top 4 safety challenges of digital transformation and a QA playbook to address them and contribute to a higher level of cybersecurity.
Cybersecurity testing
black-friday
5 November 2024,
by a1qa
4 min read
Get ready for Black-Friday-to-Cyber-Monday shopping: 5 testing types to include in your QA strategy
What’s your nightmare during Black Friday and Cyber Monday shopping? If it’s a loss of sales, read about the ways to prevent this in the article.
Cybersecurity testing
Functional testing
Localization testing
Performance testing
Usability testing
QA for retail software
29 August 2024,
by a1qa
4 min read
QA to address key pain points in retail 
Explore how QA helps address the main challenges that retailers face when developing software.
Cybersecurity testing
Functional testing
Performance testing
Usability testing
QA for fintech
7 May 2024,
by a1qa
5 min read
Navigating the fintech frontier in 2024: QA’s role in delivering high-quality financial software 
Unveil the future of fintech innovations and learn to refine their quality with the help of software testing.
Blockchain app testing
Cybersecurity testing
Quality assurance
Telecom trends 2024
15 April 2024,
by a1qa
5 min read
QA’s role in adopting telecom trends for 2024 
Let’s dive into the transformative trends set to redefine the telco industry in 2024 and discover QA strategies to adopt them with precision.
Cloud-based testing
Cybersecurity testing
Functional testing
General
Migration testing
Performance testing
QA trends
Quality assurance
Test automation
On the pulse of 2024: optimizing the adoption of eHealth trends with QA
15 February 2024,
by a1qa
4 min read
On the pulse of 2024: optimizing the adoption of eHealth trends with QA
Generative AI, cybersecurity, AR/VR — come and explore how these trends are reshaping the future of healthcare and how QA helps implement them with confidence.
Cybersecurity testing
Functional testing
Performance testing
QA trends
Navigating the future: QA trends that will define 2024. Part 2
30 January 2024,
by a1qa
4 min read
Navigating the future: QA trends that will define 2024. Part 2
We continue exploring QA trends, helping businesses remain competitive in 2024.
Cloud-based testing
Cybersecurity testing
QA trends
Quality assurance
The year in valuable conversations: recapping 2023 a1qa’s roundtables for IT executives 
8 December 2023,
by a1qa
3 min read
The year in valuable conversations: recapping 2023 a1qa’s roundtables for IT executives 
From dissecting novel industry trends to navigating effective ways of enhancing software quality — let’s recall all a1qa’s roundtables. Join us!
Big data testing
Cybersecurity testing
Functional testing
General
Interviews
Performance testing
QA trends
Quality assurance
Test automation
Usability testing
Web app testing
6 top reasons why business should invest in software quality
9 November 2023,
by a1qa
4 min read
6 top reasons why business should invest in software quality
We congratulate you on the World Quality Day with the article by Alina Karachun, Account director at a1qa, having 10+ years of QA expertise. Delve into it to explore the reasons why businesses should prioritize software quality.
Cybersecurity testing
Functional testing
General
Interviews
Performance testing
Quality assurance

Get in touch

Please fill in the required field.
Email address seems invalid.
Please fill in the required field.
We use cookies on our website to improve its functionality and to enhance your user experience. We also use cookies for analytics. If you continue to browse this website, we will assume you agree that we can place cookies on your device. For more details, please read our Privacy and Cookies Policy.