
Module 11: Cloud Penetration Testing Methodology - Exercise 1: Causing an XSS Attack on ownCloud

Written By AKADEMY on Wednesday, July 3, 2019 | 11:43 AM

Module 11: Cloud Penetration Testing Methodology

Objective

The objective of this lab is to find the vulnerabilities in a private cloud and pentest them.

Scenario

As clouds offer a less expensive and more convenient mode of data storage and hosting, everyone from individuals to businesses is gradually migrating to this model. This naturally raises the question of security in the cloud. Cloud penetration testing differs from other penetration testing because ownership of the cloud infrastructure and of the data is shared. While Infrastructure as a Service and Platform as a Service are relatively easy to test, testing Software as a Service is far more complicated, as ownership and legal issues need to be sorted out beforehand. Nevertheless, cloud security remains an important part of security audits, and as a cloud penetration tester you need to be aware of the strategies that help make this testing simple and yet thorough.

Exercise 1: Causing an XSS Attack on ownCloud

Scenario

Security of the cloud is designed and implemented with the help of certain security controls and compliance requirements. However, a cloud service faces other risks in addition to traditional IT security risks. As a pentester, you should test the target cloud service against the implementation of all security controls, as well as for compliance, for a complete security assessment.
In this lab, you will learn how to identify an XSS vulnerability in ownCloud and pentest it.
Lab Duration: 20 Minutes
  1. Click Kali Linux (Internal Network).
    If Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
    Screenshot
  2. Type root in the Username field and click Next.
    Screenshot
  3. Type toor in the Password field and click Unlock.
    Screenshot
  4. In this lab, we will test the ownCloud application. As part of the pentest, you are given the credentials of the admin user, which are:
    username: admin
    password: test@123
    Launch a web browser, type the URL http://172.19.19.8/owncloud in the address bar and press Enter.
    ownCloud login page appears as shown in the screenshot below.
    Screenshot
  5. Enter admin in the Username field, test@123 in the Password field and click Log in.
    Screenshot
  6. Once you log in to the application, you need to identify the version of ownCloud. To identify, click admin drop-down menu located in the top right corner of the ownCloud webpage and click Personal.
    Screenshot
  7. The ownCloud Personal page appears; scroll down the page.
    You will observe the version of ownCloud under the Version section as shown in the screenshot below.
    Screenshot
  8. Now, we shall look for the vulnerabilities related to ownCloud 6.0.0a in SearchSploit.
    To search, launch a command line terminal, type searchsploit ownCloud 6.0.0a and press Enter.
    Screenshot
  9. SearchSploit returns a vulnerability associated with ownCloud 6.0.0a as shown in the screenshot below.
    The exploit ID is 31427.
    Screenshot
  10. Since the PoC is a text file, we need to view it to find the vulnerability that is exploitable.
    To copy the path of the PoC, type searchsploit -p 31427 and press Enter.
    This copies the path of the file to the clipboard, as shown in the screenshot below.
    Screenshot
  11. To read the PoC, type leafpad followed by a space and paste the copied path after it.
    Screenshot
  12. Once the content is pasted in the terminal, press Enter.
    Screenshot
  13. Upon examining the PoC, it is observed that there is an XSS vulnerability in the file sharing mechanism of ownCloud.
    We shall try exploiting this vulnerability by creating a text file with the name <img src=x onerror=alert(0);>.
    Screenshot
  14. Switch to the command line terminal and exit the leafpad application by pressing Ctrl+C in the terminal.
    Since it is not possible to create a text file with the name <img src=x onerror=alert(0);> directly with the touch command, we shall first create a sample text file using touch and then rename it to <img src=x onerror=alert(0);>.txt.
    Type touch sample.txt and press Enter.
    This creates a text file in the Home directory, as shown in the screenshot below.
    Screenshot

  15. Navigate to the Home folder, select sample.txt, and press the F2 key.
    Now, you will get the option to rename the file.
    Name the file <img src=x onerror=alert(0);>.txt and click Rename.
    Screenshot
  16. Switch to the Firefox browser and click the Files icon in the left pane.
    Screenshot
  17. Now, we shall upload the text file to ownCloud.
    Click the Upload button (the up arrow next to "New") on the webpage.
    Screenshot
  18. The File Upload window appears; select the text file (<img src=x onerror=alert(0);>.txt) and click Open.
    Screenshot
  19. The added file appears on the page. Now, hover the mouse cursor over the file and click Share.
    Screenshot
  20. Type the name of a user with whom you want to share the file (here, jason). As you type the username, search suggestions will appear (you may have to wait for a while for the search suggestions to appear). Now, click the username from the search suggestions list or press Enter.
    Screenshot
  21. The user is selected and additional sharing options appear. Click outside the additional sharing options pop-up to close it.
    Screenshot
  22. Now, since we shared the file with the user named Jason, we shall switch to another machine, log in to Jason's ownCloud user account and view this shared file.
  23. Click Marketing Dept Subnet D and press Ctrl+Alt+Delete.
    Screenshot
  24. In the password field, type Pa$$w0rd and press Enter.
    You can use the Type Password option from the Commands menu to enter the password.
    Screenshot
  25. Launch the Firefox web browser, type the URL http://172.19.19.8/owncloud in the address bar and press Enter.
    The login page of ownCloud appears as shown in the screenshot below.
    Screenshot
  26. Enter jason in the Username field, green in the Password field and click Log in.
    Screenshot
  27. Once you log in to the application, you will observe a folder named Shared.
    Open this folder.
    Screenshot
  28. In a real scenario, when anyone sees a file with such a suspicious file name, they attempt to delete it.
    The vulnerability lies at this point: when someone tries to view or delete the file, the file name is inserted into the page as HTML, so the JavaScript in the file name gets executed and returns an alert pop-up.
    Let us check this out.
    Hover the mouse cursor over the file. A checkbox appears next to the file name; select it and click Delete.
    Screenshot
  29. As mentioned in the previous task, when we tried to delete the file, it returned an alert pop-up with the value "0".
    Thus, we have successfully executed a cross-site scripting attack on the ownCloud application.
    Screenshot
  30. The version of ownCloud deployed on the server is quite old. To prevent this kind of attack, update ownCloud to the latest version.
    Screenshot
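The root cause demonstrated in steps 28 and 29 is a file name being written into the page as raw HTML. The following example is added here and is not ownCloud's own code: it contrasts a template that concatenates an untrusted file name straight into markup with one that escapes it on output, using the lab's file name as constructed input. The function and variable names are assumptions for illustration only.

```javascript
// Added illustration (not ownCloud's code): a stored-XSS file-name bug and its fix.

// Minimal HTML escaping for text placed into element content or a
// double-quoted attribute value. All five significant characters are encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the file name is concatenated directly into markup,
// so a name containing tags adds elements (and event handlers) to the page.
function renderRowUnsafe(fileName) {
  return '<tr data-file="' + fileName + '"><td>' + fileName + "</td></tr>";
}

// Hardened pattern: every untrusted value is escaped at the point of output.
// In browser DOM code the equivalent is textContent / setAttribute instead
// of innerHTML or string-built HTML.
function renderRowSafe(fileName) {
  const safe = escapeHtml(fileName);
  return '<tr data-file="' + safe + '"><td>' + safe + "</td></tr>";
}

// Count the opening tags present in a rendered fragment. A correctly
// rendered row contains exactly two (<tr> and <td>) regardless of the name;
// any extra tag came from the file name itself.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample input: the file name used in the lab above.
const LAB_FILE_NAME = "<img src=x onerror=alert(0);>.txt";

// Quick self-check when run directly: the safe renderer never grows the tag count.
function rendersWithoutInjectedTags(fileName) {
  return countTags(renderRowSafe(fileName)) === countTags(renderRowSafe("report.txt"));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe tags:", countTags(renderRowUnsafe(LAB_FILE_NAME)));
  console.log("safe tags:  ", countTags(renderRowSafe(LAB_FILE_NAME)));
}
```

The tag count is a cheap regression check a team can keep in its own tests: any file name that changes it has escaped the template.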
In this lab, you have learned how to identify an XSS vulnerability in ownCloud and pentest it.