Snake Pro is a simple Golang Web App that contains an example of a Sensitive Data Exposure vulnerability, and its main goal is to illustrate how an attacker could exploit it.
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
The main goal of this app is to discuss how Sensitive Data Exposure vulnerabilities can be exploited and to encourage developers to send secDevLabs Pull Requests on how they would mitigate these flaws.
To start this intentionally insecure application, you will need Docker and Docker Compose. After forking secDevLabs, you must type the following commands to start:
cd secDevLabs/owasp-top10-2017-apps/a3/snake-pro
make install
Then simply visit localhost:10003! 😆
To properly understand how this application works, you can follow these simple steps:
- Try beating our high-score! 😝
- Register yourself as a new user!
Now that you know the purpose of this app, what could go wrong? The following section describes how an attacker could identify and eventually find sensitive information about the app or its users. We encourage you to follow these steps and try to reproduce them on your own to better understand the attack vector! 😜
After reviewing how the application stores users' passwords in MongoDB, it was possible to see that sensitive data is being stored in clear text, as can be seen in the Register() function (routes.go) and in the UserData struct (types.go):
Additionally, the channel users use to send their sensitive data is unsafe (HTTP), as shown below:
If the database is somehow exposed, all users' passwords will be leaked, as shown in these MongoDB documents. To view them, you can locally install Robo 3T and use the default credentials from config.yml:
Database: snake_pro
User name: u_snake_pro
Password: svGX8SViufvYYNu6m3Kv
Address: localhost:27017
Also, as login pages use HTTP to transmit users' credentials, an attacker on the same network as the victim (same wifi, for example) can use tcpdump to perform a man-in-the-middle attack.
To install tcpdump on Mac, use the following command:
brew install tcpdump
To start sniffing for passwords from SnakePro, an attacker can use the following command:
sudo tcpdump -i lo0 -X host localhost | grep -C 2 pass --color
How would you mitigate this vulnerability? After your changes, an attacker should not be able to:
- Capture sensitive information by sniffing network packets.
- Bonus: What about using HTTPS?
[Spoiler alert 🚨] To understand how this vulnerability can be mitigated, check out these pull requests!
We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! 🎉