This project consists of a black-box vulnerability analysis of a toy web application desingned for this purpose. The vulnerabilities are listed below, and each contains a description and Proof of Concept in the respective link.
Group Image available here
-
Login Vulnerabilities:
-
Profile Vulnerabilities:
-
Post Vulnerabilities
- Vulnerability 6: User controlled parameter allows to read other user's posts (link)
- Vulnerability 7: SQL injection in URL parameter (link)
- Vulnerability 8: SQL injection in update post form allows to change any comment (link)
- Vulnerability 9: SQL injection in update post form allows to edit other users' posts (link)
- Vulnerability 10: User controlled parameter allows to edit other users' posts (link)
- Vulnerability 11: SQL Injection allows to infer any database value(link)
-
Friends Vulnerabilities
- Vulnerability 12: SQL Injection in search friend form allows arbitrary read from database (link)
-
Other Vulnerabilities
- Vulnerability 13: Usage of insecure Protocol (link)
- Vulnerability 14: Cookie contains user information (link)
- Vulnerability 15: SQL equality funcion is case insensitive (link)
- Vulnerability 16: Stored XSS (link)
- Vulnerability 17: Reflected XSS (link)
- Vulnerability 18: Unrestricted File Upload (link)
- Vulnerability 19: Error Handling of the input fields allows to get information from the system (link)