The Invicti Web Application Advisory program provides vulnerability disclosures for open-source software. Let’s see how the program works and analyze two recent advisories to learn more about finding and fixing common security flaws.
Invicti Web Application Advisories
In the process of developing and testing the vulnerability scanning engine that powers Invicti’s cutting-edge web application security solutions, our security researchers scan a variety of open-source products. To do this, they take the latest version of an open-source web application and deploy it to a local test environment. The application is then scanned using Invicti as part of testing and improving our products.
If vulnerabilities are found, they are reported back to the original developers so they can fix them. After we get confirmation that the security issue has been fixed, we publish an advisory to inform users who might still be using a vulnerable version. That way, we can give back to the open-source community and improve overall security on the web.
Recent Invicti Disclosures
In our most recent advisories, Invicti security researcher Omar Kurt found two high-risk vulnerabilities in version 2.2.1 of Geeklog – a popular open-source content management system:
Both vulnerabilities were reported to Geeklog on March 11th, 2020, fixed on April 20th with the release of Geeklog v2.2.1sr1, and disclosed by Invicti on April 27th.
As you can see from the names, the vulnerabilities were related to cross-site scripting (XSS) and SQL injection – two of the most common web application vulnerabilities. Even though they are widely known and well understood, these types of programming errors still make it into production code, as shown by their continued presence in the OWASP list of Top 10 Web Application Security Risks. Let’s dive deeper into the reported vulnerabilities to see why they were possible and how they could be exploited.
A Real-Life XSS Vulnerability
Looking at the advisory for NS-20-001, we can see that Invicti found a cross-site scripting vector in two GET-type URL parameters for the page
Emulating a real attacker, Invicti replaced valid and expected values for parameters
onmouseover() event listener that calls a test function to check if the attack was successful. Of course, a malicious hacker could use far more dangerous code.
So can we dig a little deeper and find the cause? Notice that the vulnerability report only shows the attack URL, not the vulnerable code itself. This is because Invicti is a DAST (Dynamic Application Security Testing) tool, so it scans a running application and attempts to find vulnerabilities like a real attacker would. Armed with information about the attack point, the developer can find and fix the relevant flaw in the source code. Because Geeklog is an open-source application, we can do just that and see why the XSS attack was possible.
After downloading the source code package for Geeklog 2.2.1 or going to the GitHub repository, it’s just a matter of bringing up the file /public_html/admin/plugins.php and finding code that handles the prevorder parameters. Sure enough, here is the vulnerable PHP code:
$ord = trim($_GET['order']);
$dir = trim($_GET['direction']);
$old = trim($_GET['prevorder']);
$sorting = "?order=$ord&direction=$dir&prevorder=$old";
As you see, the prevorder parameters are taken directly from the GET request with no validation, put into three variables, and inserted into a string. Manual string concatenation using unvalidated user inputs is a typical cause of XSS vulnerabilities, and this is a prime example.
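As an added example (not Geeklog's code or its actual patch), here is one way to harden those same lines: accept only whitelisted sort values, build the query string with http_build_query(), and entity-encode at the HTML output boundary. The sortable column names and the final echo line are assumptions for illustration.

```php
<?php
// Added example, not Geeklog's code or its released fix: hardened handling
// of the order/direction/prevorder GET parameters from plugins.php.
// Assumes $sorting is later echoed into an HTML link, which is how reflected
// XSS arises from the original concatenation.

$allowedOrder = ['name', 'version', 'enabled']; // placeholder sortable columns
$allowedDir   = ['ASC', 'DESC'];

// Read a GET parameter as a plain string; arrays (?order[]=x) are rejected.
function getParam(string $name): string
{
    $v = $_GET[$name] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Accept only whitelisted values; anything else falls back to a safe default.
function pickAllowed(string $value, array $allowed, string $default): string
{
    return in_array($value, $allowed, true) ? $value : $default;
}

$ord = pickAllowed(getParam('order'), $allowedOrder, 'name');
$dir = pickAllowed(strtoupper(getParam('direction')), $allowedDir, 'ASC');
$old = pickAllowed(getParam('prevorder'), $allowedOrder, $ord);

// http_build_query() percent-encodes every value, so even if the whitelist
// were loosened later, a quote or '>' could not break out of the URL.
$sorting = '?' . http_build_query([
    'order'     => $ord,
    'direction' => $dir,
    'prevorder' => $old,
]);

// Encode at the output boundary as well: the value lands inside an HTML
// attribute, so '&' and quotes must be entity-encoded for that context.
echo '<a href="plugins.php' . htmlspecialchars($sorting, ENT_QUOTES, 'UTF-8') . '">Sort</a>';
```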
A Real-Life Blind SQL Injection Vulnerability
Looking at advisory NS-20-002, we can see that Invicti found a Blind SQL Injection vulnerability for the POST-type parameter uid in a comment form on the page comment.php. This means that an attacker can insert SQL query code into the value of the uid parameter posted by the browser to the server along with other form data. The injection string used by Invicti was:
Removing URL encoding and commented code, the SQL query used for the test attack is:
SELECT 1 FROM (SELECT SLEEP(25))A
In general, an SQL injection vulnerability means that user inputs to a web application are not validated correctly, allowing the attacker to inject database queries to extract information or modify the database. If the vulnerable application does not return any data, blind SQL injection can be used to indirectly read smaller pieces of information from the database.
In this case, the test attack code successfully injected a query containing the SLEEP(25) command, causing the application to wait for 25 seconds before responding. This delay informs the attacker that the injected query returned a true result, while no delay in the application response would mean false. This allows the attacker to extract information from the database using a series of yes/no questions. For a detailed explanation of such attacks, see our article on blind SQL injection.
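As an added example (not Geeklog's code or its released fix), here is how the uid parameter could be handled so that injected text such as the SLEEP(25) subquery never becomes part of the SQL statement; the $pdo connection and the comments table and column names are assumptions.

```php
<?php
// Added example, not Geeklog's code or its released fix: validating the POST
// uid parameter from comment.php and passing it as a bound parameter.
// Assumes a PDO MySQL connection in $pdo; table/column names are placeholders.

function fetchCommentsForUser(PDO $pdo, array $post): array
{
    // uid is a numeric identifier: reject anything that is not a positive
    // integer (arrays and strings like "1 AND SLEEP(25)" both fail here).
    $uid = filter_var($post['uid'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        throw new InvalidArgumentException('uid must be a positive integer');
    }

    // Use real server-side prepared statements rather than client-side
    // emulation, so the parameter can never be interpreted as SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

    // Defence in depth: cap SELECT time so a time-based probe through any
    // other path cannot hold a worker for 25 seconds. Value is in
    // milliseconds; MySQL 5.7.8+ only (MariaDB uses max_statement_time, seconds).
    $pdo->exec('SET SESSION MAX_EXECUTION_TIME = 2000');

    $stmt = $pdo->prepare('SELECT cid, comment FROM comments WHERE uid = :uid');
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Even with the timeout in place, the validation and the bound parameter are what actually close the injection; the cap only limits how useful a blind, time-based probe would be elsewhere.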
The Security of Open-Source Software
From hobby projects to enterprise deployments, the web relies on open-source software. The Invicti Web Advisory program is our way of giving back to the open-source community and improving the security of software used by billions of people worldwide.
For organizations, the business benefits of using open-source code are obvious – it’s free and someone else has done the work. Security is not always considered, even though it should be a priority. Especially with popular libraries and applications used in millions of deployments, any vulnerabilities in the code can be exploited by cybercriminals in a matter of hours and on a massive scale. This is why it’s vital to check your websites and web applications with a high-quality web vulnerability scanner like Invicti.