Dustin Greco
20 Jul 2021
•
6 min read
As cybersecurity leaders, we have to create our message of influence because security is a culture and you need the business to take place and be part of that security culture. Britney Hommertzheim
The purpose of this document is to give app devs and programmers of any level a primer for discussing the development of an application's registration page; it was written with the MERN stack (MongoDB, Express, React, Node) in mind. The viewpoint is a grey-hat one, so:
If you want to try any of the techniques listed below, build a test platform on a device you personally own (a company device is not okay) using whatever technology stack you prefer, and run everything in a local environment on that device. Build a simple registration page wired to a locally hosted back-end database through APIs you write yourself to handle registration, and build your own front-end as well. Once the application is running on an arbitrary local port such as 3000, open it in your browser and use the sandbox you created for what sandboxes are meant for: play.
Side note: I will not provide a boilerplate stack; don't ask. If you can't build your own, you have no business attempting the techniques listed below. You may still discuss them as an educational exercise.
Duplicate registrations of the same username can overwrite the original account, causing data loss. If the original is not overwritten, the duplicate can end up tied to the first user's data and effectively let an attacker hijack the account. Usernames should be normalized (trimmed, case-folded) before the uniqueness check, and uniqueness must be enforced by the database (a unique index), not only by an application-level "look up, then insert" check, which is racy under concurrent requests.
A Denial-of-Service (DoS) attack aims to make a machine or network unavailable to its intended users, either by flooding the target with traffic or by sending it input that triggers a crash.
1. Navigate To The Registration Page
* Fill out the form and enter a long string (start at 50-100 characters and scale up) as the username or password.
* If the app returns an HTTP 500 (Internal Server Error), the server is not bounding input length and is letting oversized input reach code that fails on it; input that crashes or stalls the request handler is a DoS vector. Every field needs a maximum length enforced before it is processed, and oversized input should produce a 400, never a 500.
Rate limiting controls how many requests a client may make to an endpoint within a given window; without it, registration can be scripted to create accounts in bulk.
1. Navigate To The Registration Page
* Fill out the form with a username and password that satisfy the requirements.
* Submit the form and send the intercepted request to Burp Intruder [Learn More](https://portswigger.net/burp/documentation/desktop/tools/intruder).
* In Intruder, mark the username value as a payload position by wrapping it in `§` markers (`username=§alice§`).
* Load a payload list of different usernames.
* Start the attack so that each payload is sent to the server.
* If every request returns 200 and an account is created for each username, there is no rate limiting (or other abuse control such as a CAPTCHA) in place.
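A limiter that would turn the sixth request of that Intruder run into a 429, as an added example that is not code from the original post. It is a sliding-window counter keyed by client IP with an injectable clock; the limits (5 registrations per IP per 10 minutes), the `simulateIntruderBurst` helper and all names are assumptions.

```javascript
// Added example (not the original post's code): sliding-window rate limiter for
// the registration endpoint. Limits, key choice and names are assumptions.
//
// The limiter keys on req.ip. Behind a reverse proxy you must set
// app.set('trust proxy', ...) so req.ip reflects X-Forwarded-For, and you must
// only trust that header when it was set by your own proxy.

class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;          // injectable clock, so the behaviour is testable offline
    this.hits = new Map();   // key -> array of hit timestamps (ms) inside the window
  }

  // Returns { allowed, remaining, retryAfterMs }; records the hit only if allowed.
  check(key) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((ts) => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Drop idle keys periodically (e.g. from setInterval) so the map cannot grow
  // without bound; an unbounded map is itself a memory-exhaustion vector.
  sweep() {
    const cutoff = this.now() - this.windowMs;
    for (const [key, stamps] of this.hits) {
      const recent = stamps.filter((ts) => ts > cutoff);
      if (recent.length === 0) this.hits.delete(key);
      else this.hits.set(key, recent);
    }
  }
}

// Express-style middleware: app.post('/register', createRegistrationLimiter(limiter), handler)
function createRegistrationLimiter(limiter) {
  return function registrationLimiter(req, res, next) {
    const verdict = limiter.check(req.ip);
    res.setHeader('X-RateLimit-Remaining', String(verdict.remaining));
    if (!verdict.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(verdict.retryAfterMs / 1000)));
      return res.status(429).json({ error: 'Too many registration attempts' });
    }
    return next();
  };
}

// Replays the Intruder run above without a network: one client address sends
// `attempts` registrations 100 ms apart. Constructed input; returns the status
// code each request would get (200 allowed, 429 limited).
function simulateIntruderBurst(attempts, limit = 5, windowMs = 10 * 60 * 1000) {
  let clock = 0;
  const limiter = new SlidingWindowLimiter({ limit, windowMs, now: () => clock });
  const statuses = [];
  for (let i = 0; i < attempts; i++) {
    clock += 100;
    statuses.push(limiter.check('203.0.113.7').allowed ? 200 : 429);
  }
  return statuses;
}

module.exports = { SlidingWindowLimiter, createRegistrationLimiter, simulateIntruderBurst };
```

An in-process map only works for a single Node process; with several instances behind a load balancer the counters belong in a shared store such as Redis, otherwise each instance grants the full quota independently.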
Cross-Site Scripting (XSS) attacks are a type of injection in which malicious scripts are injected into otherwise benign and trusted websites.
For ReactJS specifically, JSX escapes values rendered with `{...}`, but you must handle the remaining vectors yourself: `dangerouslySetInnerHTML`, user-controlled `href`/`src` values, and any server-side rendering or direct DOM writes that bypass JSX. Check every page that later displays the registered values (profile, admin user lists, notification emails), not just the registration form:
1. Use the following payload for a regular text field: `"><img src=x onerror=alert('e')>`
2. Use the following payload for an email field: `"<svg/onload=confirm('c')>"@x.com`
* For an extra challenge, if either of the previous steps succeeds, see whether you can bypass any filters that are in place.
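What those two payloads do to a page that interpolates the stored username and email without escaping, next to the escaping that defuses them, as an added example that is not code from the original post. The renderer and the tag detector are stand-ins (assumed names) for any place where your code writes strings into HTML outside JSX.

```javascript
// Added example (not the original post's code): the two payloads above against a
// naive welcome page, and the escaping that neutralises them. React's JSX does this
// for {values}; this hand-rolled renderer stands in for the places React does not
// cover: dangerouslySetInnerHTML, server-side templates, raw innerHTML writes.
// Function and constant names are assumptions.

const PAYLOAD_TEXT = `"><img src=x onerror=alert('e')>`;
const PAYLOAD_EMAIL = `"<svg/onload=confirm('c')>"@x.com`;

// Escape the five characters that can change HTML structure in text content or
// inside a double-quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: untrusted input goes straight into markup, in text context
// (the <b>) and in attribute context (the href).
function renderWelcomeUnsafe(username, email) {
  return `<p>Welcome, <b>${username}</b>!</p><a href="mailto:${email}">${email}</a>`;
}

// Hardened: every interpolation passes through escapeHtml, in both contexts.
function renderWelcomeSafe(username, email) {
  const u = escapeHtml(username);
  const e = escapeHtml(email);
  return `<p>Welcome, <b>${u}</b>!</p><a href="mailto:${e}">${e}</a>`;
}

// Crude marker used only to show the difference here: an <img> or <svg> tag that
// carries an on* event handler. The authoritative check is a browser or DOM parser.
function containsEventHandlerTag(html) {
  return /<(img|svg)\b[^>]*\bon\w+\s*=/i.test(html);
}

// Runs both renderers over constructed input and reports which outputs carry a
// live handler.
function demo() {
  return {
    unsafeTextHit: containsEventHandlerTag(renderWelcomeUnsafe(PAYLOAD_TEXT, 'a@example.com')),
    unsafeEmailHit: containsEventHandlerTag(renderWelcomeUnsafe('alice', PAYLOAD_EMAIL)),
    safeHit: containsEventHandlerTag(renderWelcomeSafe(PAYLOAD_TEXT, PAYLOAD_EMAIL)),
  };
}
```

Escaping at render time is the control that holds regardless of how the value got into the database; input-side filtering of `<` or `onerror` is a second layer at best, which is exactly what the "bypass any filters" step above is probing.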
Applications with insecure email verification processes can lead to hijacked user accounts. The test below checks whether a user can confirm an address without ever having access to its mailbox.
1. Log into the application from the front-end.
2. Change the email address and submit the request (build the API if you don't already have it).
3. The response the user should see is something similar to:
Verification email sent
We sent you an email to verify that you own "email@example.com".
We'll change your email once you verify that you own it.
* along with a link to resend the verification email or cancel the change.
4. Copy the resend link; it should look something like:
https://<SOMELINK/>.com/email-change/<CTOKEN/>/resend
5. Strip the `/resend` suffix and navigate to:
https://<SOMELINK/>.com/email-change/<CTOKEN/>/
6. If the email is now verified, the application is vulnerable: the token embedded in the resend link is the same secret the verification link carries, so anyone who can see the page can confirm an address they do not own. The confirmation secret must only ever travel to the new mailbox; the resend action should be keyed by an opaque request id, rotate the token, and the token should be single-use and time-limited.
Weak registration implementations can result in pollution of resources, abuse of the application's email service, or man-in-the-middle attacks. Two checks are covered in this document:
1. Serve the application over HTTPS with a valid TLS certificate, redirect plain HTTP to HTTPS, and ensure every request (including the registration POST) travels over the encrypted connection.
2. Implement email verification processes as needed, and decide whether disposable addresses are acceptable for your application.
1. Attempt to navigate to the application using http:// as the protocol.
* If the page loads over plain HTTP, attempt to register an account.
* If registration succeeds over HTTP, the credentials cross the network in cleartext and the application is susceptible to traffic sniffing and man-in-the-middle attacks. Check as well that the HTTPS site sends a Strict-Transport-Security header so browsers stop attempting HTTP at all.
2. Attempt registration with a disposable email address.
* If it succeeds, the application can be flooded with throwaway accounts, and its email-driven flows (verification, password reset) can be driven at scale by an attacker.
Weak password policies can result in data breaches, loss of data, hijacking of accounts, or worse.
1. Attempt to register with an easily guessable password such as 123456 or abcdefg.
2. Check whether you can use the username as the password.
3. Check whether you can use the email address as the password.
* Want an extra challenge? Probe the password-recovery functionality for weaknesses.
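One way to close three of the gaps probed above in a single place (oversize input that ends in a 500, disposable addresses, and weak passwords), as an added example that is not code from the original post: an Express-style validator for the registration body. The limits, the disposable-domain and common-password lists, and all function names are assumptions for illustration; both lists are constructed and deliberately tiny.

```javascript
// Added example (not the original post's code): registration-body validation that
// rejects oversize input with a 400 before doing any work on it, refuses
// disposable mail domains, and applies a basic password policy. Limits, lists and
// names are assumptions; the lists are constructed, not production data.

const LIMITS = { username: { min: 3, max: 32 }, email: { max: 254 }, password: { min: 12, max: 128 } };

// Constructed blocklist; in production load a maintained list and refresh it.
const DISPOSABLE_DOMAINS = new Set(['mailinator.com', '10minutemail.com', 'guerrillamail.com']);

// Constructed list; a real deployment checks against a large breached-password set.
const COMMON_PASSWORDS = new Set(['123456', 'abcdefg', 'password', 'qwerty', '123456789', 'password1']);

// Map "Admin", " admin" and "ADMIN" to one stored key. Enforce uniqueness in the
// database with a unique index on this normalised value; a "find then insert"
// check in application code is racy under concurrent requests.
function normalizeUsername(u) {
  return String(u).normalize('NFKC').trim().toLowerCase();
}

function validateRegistration({ username, email, password }) {
  const errors = [];
  // Type and length first: nothing below runs on attacker-sized input.
  for (const [field, value] of Object.entries({ username, email, password })) {
    if (typeof value !== 'string') errors.push(`${field}: must be a string`);
    else if (value.length > LIMITS[field].max) errors.push(`${field}: longer than ${LIMITS[field].max} characters`);
  }
  if (errors.length) return { ok: false, errors };

  const user = normalizeUsername(username);
  const mail = email.trim().toLowerCase();
  const localPart = mail.split('@')[0];
  const domain = mail.split('@')[1] || '';

  if (user.length < LIMITS.username.min || !/^[a-z0-9_.-]+$/.test(user)) {
    errors.push('username: 3-32 characters from a-z, 0-9, _ . -');
  }
  // Deliberately narrower than RFC 5322: no quoted local parts, so the
  // "<svg/onload=...>"@x.com style of payload never reaches storage.
  if (!/^[^\s@"]+@[^\s@]+\.[^\s@]+$/.test(mail)) errors.push('email: not a valid address');
  else if (DISPOSABLE_DOMAINS.has(domain)) errors.push('email: disposable domains are not accepted');

  const pw = password.toLowerCase();
  if (password.length < LIMITS.password.min) errors.push(`password: at least ${LIMITS.password.min} characters`);
  if (COMMON_PASSWORDS.has(pw)) errors.push('password: too common');
  if (pw === user || pw === mail || pw === localPart) errors.push('password: must not be your username or email');

  return errors.length ? { ok: false, errors } : { ok: true, username: user, email: mail };
}

// Express handler shape: validation failures are 400s with a body the client can
// display. Nothing above can throw on attacker-controlled input, so there is no
// path from a bad body to a 500.
function registerHandler(req, res) {
  const result = validateRegistration(req.body || {});
  if (!result.ok) return res.status(400).json({ errors: result.errors });
  // ... hash the password (bcrypt/argon2) and insert with a unique index on username
  return res.status(201).json({ username: result.username });
}

module.exports = { validateRegistration, normalizeUsername, registerHandler };
```

Pair this with `express.json({ limit: '10kb' })` so oversized bodies are rejected by the body parser before they reach the handler at all, and keep the password list check server-side: a client-side check is a usability aid, not a control.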