Module 11: Cloud Penetration Testing Methodology
Objective
The objective of this lab is to find the vulnerabilities in a private cloud and pentest them.
Scenario
As clouds offer a less expensive and more convenient mode of data storage and hosting, everyone from individuals to businesses is slowly migrating to this concept. This obviously raises the issue of security on clouds. Cloud penetration testing is unlike other penetration testing owing to the shared ownership of the cloud and its data. While Infrastructure as a Service and Platform as a Service are relatively easy to test, testing Software as a Service is far more complicated, as ownership and legal issues need to be sorted out first. Nevertheless, cloud security remains an important part of security audits, and as a cloud penetration tester you need to be aware of the strategies that help make this testing simple yet thorough.
Exercise 1: Causing an XSS Attack on ownCloud
Scenario
Security of the cloud is designed and implemented with the help of certain security controls and compliance requirements. However, cloud services face certain other risks in addition to traditional IT security risks. As a pentester, you should test the target cloud service against the implementation of all security controls, as well as for compliance, for a complete security assessment.
In this lab, you will learn how to identify an XSS vulnerability in ownCloud and pentest it.
Lab Duration: 20 Minutes
- Click Kali Linux (Internal Network).
If the Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
- Type root in the Username field and click Next.
- Type toor in the Password field and click Unlock.
- In this lab, we will test the ownCloud application. As part of the pentest, you are given the credentials of the admin user, which are:
username: admin
password: test@123
Launch a web browser, type the URL http://172.19.19.8/owncloud in the address bar and press Enter.
The ownCloud login page appears as shown in the screenshot below.
- Enter admin in the Username field, test@123 in the Password field and click Log in.
- Once you log in to the application, you need to identify the version of ownCloud. To do so, click the admin drop-down menu located in the top right corner of the ownCloud webpage and click Personal.
- The ownCloud personal webpage appears. Scroll down the page.
You will observe the version of ownCloud under the Version section as shown in the screenshot below.
- Now, we shall look for the vulnerabilities related to ownCloud 6.0.0a in SearchSploit.
To search, launch a command line terminal, type searchsploit ownCloud 6.0.0a and press Enter.
- SearchSploit returns a vulnerability associated with ownCloud 6.0.0a as shown in the screenshot below.
The exploit ID is 31427.
- Since the PoC is a text file, we need to view it and find the vulnerability that is exploitable.
To copy the path of the PoC, type searchsploit -p 31427 and press Enter.
This copies the path of the file to the clipboard as shown in the screenshot below.
- To read the PoC, type leafpad and paste the copied path after it.
- Once the content is pasted in the terminal, press Enter.
- Upon examining the PoC, it is observed that there is an XSS vulnerability in the file sharing mechanism of ownCloud.
We shall try exploiting this vulnerability by creating a text file with the name <img src=x onerror=alert(0);>.
- Switch to the command line terminal and exit the leafpad application by pressing Ctrl+C in the terminal.
Since it is not possible to create a text file with the name <img src=x onerror=alert(0);> using the touch command, we shall first create a sample text file using the touch command and then rename it to <img src=x onerror=alert(0);>.txt.
Type touch sample.txt and press Enter.
This creates a text file in the Home directory as shown in the screenshot below.
Navigate to the Home folder, select sample.txt, and press F2 key.
Now, you will get the option to rename the file.
Name the file as <img src=x onerror=alert(0);>.txt and click Rename.
- Switch to the Firefox browser and click the Files icon in the left pane.
- Now, we shall upload the text file to ownCloud.
Click the Upload button (up arrow next to "New") on the webpage.
- The File Upload window appears. Select the text file (<img src=x onerror=alert(0);>.txt) and click Open.
- The added file appears on the page. Now, hover the mouse cursor over the file and click Share.
- Type the name of a user with whom you want to share the file (here, jason). As you type the username, search suggestions will appear (you may have to wait for a while for the search suggestions to appear). Now, click the username from the search suggestions list or press Enter.
- The user is selected and additional sharing options appear. Click the cursor outside the additional sharing options pop-up.
- Now, since we shared the file with a user named Jason, we shall log on to a machine, log in to Jason's ownCloud user account and view this shared file.
- Click Marketing Dept Subnet D and click Ctrl+Alt+Delete.
- In the password field click Pa$$w0rd and press Enter.
You can use the Type Password option from the Commands menu to enter the password.
- Launch the Firefox web browser, type the URL http://172.19.19.8/owncloud in the address bar and press Enter.
The ownCloud login page appears as shown in the screenshot below.
- Enter jason in the Username field, green in the Password field and click Log in.
- Once you log in to the application, you will observe a folder named Shared.
Open this folder.
- In a real-world situation, anyone who sees a file with such a suspicious name will attempt to delete it.
This is where the vulnerability lies: when someone tries to view or delete the file, the JavaScript in the filename gets executed and returns an alert pop-up.
Let us check this out.
Hover the mouse cursor over the file. A checkbox appears beneath the file name; select it and click Delete.
- As mentioned in the previous task, when we tried to delete the file, it returned an alert pop-up with the value "0".
Thus, we have successfully executed a cross-site scripting attack on the ownCloud application.
- The version of ownCloud deployed on the server is quite old. To prevent this kind of attack, update ownCloud to the latest version.
In this lab, you have learned how to identify an XSS vulnerability in ownCloud and pentest it.
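The class of flaw behind this result is a file name written into page markup without output encoding. The following is an added example, not ownCloud's own code or part of the original lab: it shows a hypothetical file-list row renderer in its vulnerable and hardened forms, plus an upload-time check. All function names and the row markup are assumptions made for illustration.

```javascript
// Added example: names and markup are hypothetical, not ownCloud's code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// BEFORE: the file name is concatenated into markup as-is, so a name that
// contains a tag becomes a live element when the row is inserted into the page.
function renderRowUnsafe(fileName) {
  return '<tr data-file="' + fileName + '"><td class="filename">' + fileName + '</td></tr>';
}

// AFTER: the name is encoded for the HTML context before it reaches the page.
function renderRowSafe(fileName) {
  const safe = escapeHtml(fileName);
  return '<tr data-file="' + safe + '"><td class="filename">' + safe + '</td></tr>';
}

// Defence in depth at upload time: flag names containing angle brackets so
// they can be logged or rejected. Output encoding remains the actual fix.
function hasMarkupChars(fileName) {
  return /[<>]/.test(fileName);
}

// Constructed sample input: the file name used in this lab plus a benign one.
const SAMPLE_NAMES = ['<img src=x onerror=alert(0);>.txt', 'report-2014.txt'];

// For each name, report whether it is flagged and whether an <img> tag
// survives in the unsafe and the safe rendering.
function audit(names) {
  return names.map((name) => ({
    name,
    flagged: hasMarkupChars(name),
    unsafeHasTag: /<img\b/i.test(renderRowUnsafe(name)),
    safeHasTag: /<img\b/i.test(renderRowSafe(name)),
  }));
}

console.log(audit(SAMPLE_NAMES));
```

In the hardened rendering the lab's file name is displayed as literal text, so nothing fires when another user views or deletes the shared file.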