Saturday, January 5, 2013

Is your Website Secured?

For the first time I started playing with HTML when I was in Junior College (Post School - 11th Standard). I learned HTML & the basics of scripting - Java, ASP, VB at that tender age, heh! In my educational life, I always loved programming languages; even though I couldn't master any, I loved playing with them! I always loved creating simple websites, mostly static because I couldn't do much hands-on when it comes to scripting. By the way, I created a website for my Girl (back in 2008/09) with funky love songs running in the background; I ended up taking that website down when her mother saw it! Funny isn't it, well it wasn't! :-D

So since then, whenever I come across any website I have a habit of looking at its source code, just like that! And I still continue that habit ;-)

There are two recent incidents because of which I thought of writing this post. Being a student of MBA - IT Business Management with special interest and specialization in Information Security, I always try to find vulnerabilities in everything around me, and this includes people as well! Jokes apart, I came across two websites of Premier B-Schools from India. These B-Schools are very renowned and people from all around India participate in it. One of these comes in the top 20 B-Schools of India *cough* *cough*

So when I heard about an event arranged by this 'One of the Top 20 B-Schools of India', say College 'ABC_1', I came to my hostel and started browsing through its website. Trust me, the user experience was pathetic! And as usual I right clicked >> View Page Source. I noticed a strange thing in this website: there were a couple of places where they had commented out many things, mostly images & links of sponsors. It felt a bit unusual, so I browsed more and finally I thought to check its directory listings. I expected it to be *Access Denied to Public* but to my surprise I could see www.ABC_1.com/images was open, exclusively for me maybe ;-) And I tried hitting some common directory names but my bad, they didn't have any of those.

I again started going through the source code and I found one directory called /manage. And I realized that maybe this is the one which will be the gateway to the admin panel. And it worked; due to careless directory permissions I could see the Admin Panel in front of my eyes! Very unprofessional web designing. By the way, did I tell you this website was created by a Web Development company that has around 10/15 clients? After seeing the Admin Panel I thought I would have to use some SQL Injections, but before that I thought to use some common ID/Password combinations and to my surprise with one very common combination I got through! *Yaaaayyy*

I got access to the Admin section where I could manage photos and contents on the website. I could even see the list of registrations that were done for various competitions in that event. I could even change the password and admin details.

But I have got my basics clear about Information Security, so I stopped myself and informed the respective people regarding this vulnerability. Following is the report that I sent to the B-School.


Website URL: http://ABC_1.com

Type of Website: National Level Event Website

Vulnerability:
- Improper directory permission (http://ABC_1.com/manage)
- Poor authentication for Admin Panel

Risk:
- Website can be modified all together – loss of integrity.
- If somebody puts up offensive content, it can degrade ABC's image & in turn University's.
- If details of participants are leaked (Contact Numbers, Email IDs) it may result in loss of personal data.

Counter measures:
- Restrict permission to sub directories (http://ABC_1.com/manage)
- Strong password policy to Admin Panel (Most IMP), even a newbie can get access to the Admin Panel very easily

After reporting this incident, the vulnerability got patched. The directory is no longer accessible to the public; I couldn't check the admin panel though!

After this incident, I started looking carefully into other B-Schools' event websites. Today I was browsing through the source code of another B-School's website; again, it comes in the Top 50 B-Schools in India. I could exploit its vulnerability. Poor directory permissions and authentication are the reason behind it. I have reported it to the concerned people, again!

There's another website that I recently observed; this belongs to investment consultants from Pune. This website was created in ASP.NET while the earlier two were coded in PHP. The Investment Consultant's website had a pathetic security mechanism when it comes to user authentication.

I tried commonly used UserID/Password combinations but I failed, so I checked the forgot password page. Surprisingly it was the worst password retrieval mechanism I have ever seen. You just need to put in the user-id, it asks you for the Hint Question & Answer, and if you guess it correctly, a dialogue box pops up with the valid password. WORST, isn't it?
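For contrast with the retrieval mechanism described above, here is a sketch of a reset flow in which the site cannot display a password at all (an added example, not code from any of the websites mentioned). The `ResetStore` class, the in-memory dictionaries, the 15-minute token lifetime and the PBKDF2 iteration count are assumptions made for illustration; delivery of the token to the account owner's registered e-mail address is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 900          # assumed reset-token lifetime in seconds
PBKDF2_ROUNDS = 600_000  # assumed work factor for this sketch

class ResetStore:
    """Hypothetical in-memory store: salted password hashes, hashed reset tokens."""

    def __init__(self):
        self.users = {}   # user_id -> (salt, derived_key); no plaintext is kept
        self.tokens = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, self._derive(password, salt))

    def check_password(self, user_id, password):
        record = self.users.get(user_id)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))

    def request_reset(self, user_id, now=None):
        """Return a one-time token for the owner's mailbox, or None.
        The web page should show the same message in both cases."""
        now = time.time() if now is None else now
        if user_id not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[digest] = (user_id, now + TOKEN_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Consume the token (single use) and set a new password."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)
        if entry is None or now > entry[1]:
            return False
        self.set_password(entry[0], new_password)
        return True
```

Because only a salted hash is stored, there is no "valid password" for a forgot-password page to show, and a guessed hint answer alone never reaches the account: the reset needs the token sent to the registered mailbox.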

So the conclusion out of these three incidents is: no matter how much you invest in Technology, if your builders/architects are careless when it comes to Security, you are ultimately going to fail, BIG TIME.
If website developers take proper care, such vulnerabilities will never arise!

Do let me know your views/suggestions on my Risk Analysis ;-)