Overview

Under the Gratis Pentest 2017, we have evaluated security postures of open source applications. For Gratis 2017 we have selected KeystoneJS. In this blog, we are discussing KeystoneJS Open Source Penetration Testing Report and releasing the vulnerabilities details.

KeystoneJS is a powerful Node.js content management system and web app framework built on express and mongoose. Keystone makes it easy to create sophisticated web sites and apps and comes with a beautiful auto-generated Admin UI.

The pentest team at SecureLayer7 performed penetration tests for two days and successfully reported 6 Vulnerabilities to KeystoneJS and the has following vulnerabilities.

1. CSV Excel Macro Injection

CSV injection is nothing but a formula injection. It takes place if an attacker injects malicious payload and the victim exports the malicious file on to his system. Here the attacker injects malicious payload starting with ‘=,+,-,@’. If the CSV file is not properly validated and open on the target system it can execute the command, which can gain complete control of the target system. A system warning shows up while opening a malicious file that contains the payload. CSV injection can lead to client-side command injection. It is recommended that the server should validate the user input that is starting with +,-,=,@ and append ” ‘ ” before such characters.

2. Application wide CSRF Bypass

In CSRF, the attacker performs malicious activities. This includes changing the email, password, submit form depending upon the nature of the action. There are different techniques to bypass CSRF.

Using the CSRF token of another account: Log In to the application with account A. Capture the request and copy the token, then login with B account and replace it with token A. Creating a token of the same length: Some times the server generates a token of fixed length which, if not validated properly, can replace token with the attacker’s generated token length. Removing CSRF token: Here the attacker removes the CSRF token and forwards the request. Bypass with XSS: With the help of XSS, the attacker can grab the token and use it further to exploit the application. Changing the Request method: If any sensitive information is passed in POST, then try changing the request method to GET.

3. Cross Site Scripting

Cross Site Scripting or XSS can be of various types, namely: Reflected, Stored, or DOM-based.

Stored Cross Site Scripting, also known as Persistent XSS, has the most impact of all. It arises when the Vulnerable Web Page allows any user to include or write their own Javascript code inside the existing Web Application, which is then stored onto the Server or Database. Thus, every-time a normal user visits the application, the database or server loads the “extra” Javascript code added by the malicious entity, and the same gets executed in the victim’s browser.

This vulnerability can be leveraged to perform various kinds of attacks, but the most common and damaging attack is to steal the victim’s session cookies and hijack their Session.

4. Weak Password Policy

Weak Password Policy means not enabling necessary restrictions on the type of password to be used by the user. A weak password policy increases the probability of an attacker having success using brute force and dictionary attacks against user accounts.

The Password policy enforces the password complexity including length and mixed character requirements.

Download the Entire Report from here and you can download the latest patch from here

Soon we will be releasing the new dates for the Gratis Pentest 2018 – Stay Tuned!