Learning Web Security – 1.1- Java Script Disclosure, Hardcoded password

1. Hardcoded Password Uses

The use of Hardcoded password is considered to be a security risk because it makes it easy for an attacker to access sensitive data if they are able to obtain access to source code

Exploitation Description

Steps to Reproduce:-

1. Navigation to URL
2. Open your browser debugger by pressing F12
3. Click on Network and Refresh the page
4. Open the java-script and look for where the password is stored. You will see functions with submit names.

POC:-

1. Example image provides granular view of the network field

2. Hard coded password can be seen from the above image, which is in a JS for authentication of the application

2. Vulnerable Java Script Disclosure

This might imply that problems are swiftly found and fixed upstream, leading to a continuous flow of security update that must be installed

Exploitation Description

Steps to Reproduce:-

1. Go to URL.
2. Check-in the source code for Java script library version
3. Or you can use retire.js for finding vulnerable libraries

POC:-

This image contains vulnerable Java script libraries.

3. Weak Encoding for Password

Weak encoding for the password is a security vulnerability that occurs when an application stores password in a weak encoding format. This can allow the attackers to crack the password and gain access to the application or the underlying system.

Exploitation Description

Steps to Reproduce:-

1. Go to the URL.
2. Login with the credentials and capture the request.
3. Now send a request to the repeater.
4. Password is encoded and it seems base64.
5. Select password, right click it and send it to the decoder

1. Above image contains Encoded password.

2. Above image contains a decoded password of the user.